Download the newest edition of the “Cyber-Risk Oversight Handbook”

ISA, in conjunction with the NACD, is pleased to publish the third edition of the Cyber-Risk Oversight Handbook for corporate boards. This third version of the handbook (first issued in 2014) builds on the success of the 2017 edition. It outlines five “guiding principles” to enhance board oversight of cyber risk and includes tools that provide clear guidance on how best to oversee management of specific cybersecurity issues, including M&A due diligence, insider threats, supply chain management, incident response, personal security, model dashboards and metrics, engagement with the security team, and what to expect from the government.

2020 NACD ISA Cyber-Risk Oversight Handbook

In 2014 NACD published the first edition of the “Cyber-Risk Handbook” in conjunction with the ISA and AIG.

The Handbook has proven to be one of NACD’s most popular publications and was the first private-sector resource featured on the Department of Homeland Security’s C3 Voluntary Program’s Getting Started for Business website.

2017 edition of the “Cyber-Risk Oversight Handbook”

We issued a significantly updated version in 2017 that includes new information on the threat environment, legal developments, and current statistics on board-level cybersecurity oversight practices, along with expanded tools for directors.

This publication has been independently assessed by PricewaterhouseCoopers and shown to dramatically improve enterprise cybersecurity.

“Guidelines from the NACD advise that Boards should view cyber-risks from an enterprise-wide standpoint and understand the potential legal impacts. Boards appear to be listening to this advice. This year we saw a double-digit uptick in Board participation in most aspects of information security. Deepening Board involvement has improved cybersecurity practices in numerous ways. As more Boards participate in cybersecurity budget discussions, we saw a 24% boost in security spending. Other notable outcomes cited by survey respondents include identification of key risks, fostering an organizational culture of security and better alignment of cybersecurity with overall risk management and business goals.”

-PricewaterhouseCoopers Global State of Information Security Survey 2016 (pdf)

Working together, NACD and ISA have produced a unique and successful program that addresses cybersecurity as a board level issue – not simply an IT operational issue.

Directors can leverage the handbook in a few ways:

  • Learn foundational principles for board-level cyber-risk oversight that have been vetted and praised by cybersecurity leaders in the public and private sectors.
  • Gain insight into issues such as how to allocate cyber-risk oversight responsibilities at the board level; the legal implications and considerations related to cybersecurity; how to set expectations with management about the organization’s cybersecurity processes; and ways to improve the dialogue between directors and management on cyber issues.
  • Use the tools in the nine appendices to improve and enhance boardroom practices.

Cyber-Risk Oversight Handbook