
NCSC Risk Management Framework (RMF) Foundation


A clear and practical introduction to the National Cyber Security Centre (NCSC) Risk Management Framework (RMF), showing participants how to identify, assess, and manage cyber risks in line with modern threat conditions and regulatory expectations. We explain the core principles of informed risk ownership, proportional controls, and continuous assurance, grounding each element in real organisational contexts.


NCSC RMF Training

Course Overview


The NCSC Risk Management Framework (RMF) Training Course provides organisations with a structured, practical, and repeatable approach to managing cyber security risk and opportunity in line with UK government guidance. Developed by the UK National Cyber Security Centre, the RMF enables organisations to take a clear, evidence-based approach to cyber risk management that supports informed decision making, regulatory compliance, and long-term organisational resilience.


The Eight NCSC RMF Steps

At the core of the framework are eight clearly defined steps that guide organisations through the complete cyber risk lifecycle. The RMF begins by establishing organisational context and objectives, ensuring that cyber security activity is aligned with business priorities, legal obligations, and risk appetite. It then focuses on identifying critical assets, systems, services, and data, enabling organisations to clearly understand what needs to be protected and why it matters.

  1. Establish context and objectives

    Define the organisational, regulatory, and operational context for risk management, clarify business objectives, risk appetite, and decision making authority, and ensure cyber risk is considered in line with organisational priorities.

  2. Identify assets, systems, and services

    Identify and document the assets, systems, services, and data that support critical business functions, including dependencies and ownership, to understand what needs to be protected and why it matters.

  3. Identify threats and vulnerabilities

    Assess credible threat sources, attack vectors, and existing vulnerabilities that could affect identified assets and services, taking into account both technical and non-technical weaknesses (for example, people, process, and supplier dependencies).

  4. Assess risk and opportunity

    Evaluate the likelihood and impact of identified risks, alongside potential opportunities, to determine which risks are unacceptable, tolerable, or acceptable, and to distinguish between mandatory requirements and strategic improvements.

  5. Decide on risk treatment and control options

    Select proportionate risk treatment options, including mitigating, accepting, transferring, or avoiding risk, and identify appropriate security controls aligned to organisational risk appetite and business needs. Accepted risks should be recorded with a named risk owner so the decision can be revisited when circumstances change.

  6. Implement and assure controls

    Implement selected controls and establish assurance activities to confirm they are operating as intended, effective, and delivering the expected reduction in risk.

  7. Monitor risk and control effectiveness

    Continuously monitor risks, controls, and the threat environment, ensuring changes in business operations, technology, or threat landscape are reflected in ongoing risk assessments.

  8. Review and continuously improve

    Regularly review outcomes, lessons learned, and performance metrics to improve risk management processes, strengthen governance, and enhance organisational cyber resilience over time.

The framework supports the identification of credible threats and vulnerabilities, considering both technical and non-technical factors that could impact organisational operations. From this, organisations are guided through assessing cyber risk and opportunity, helping them prioritise issues based on likelihood, impact, and strategic importance, while distinguishing between mandatory requirements and aspirational or strategic improvements.

Once risks are understood, the RMF provides a structured approach to selecting proportionate risk treatment options and security controls that are appropriate for the organisation’s size, sector, and operating environment. It then emphasises the importance of implementing those controls effectively and establishing assurance activities to confirm they are operating as intended and delivering meaningful risk reduction.

The final stages of the framework focus on monitoring risk and control effectiveness over time, recognising that cyber risk is dynamic and influenced by changes in technology, business operations, and the threat landscape. The RMF concludes with a strong emphasis on review and continuous improvement, embedding cyber risk management into governance processes and supporting ongoing maturity rather than one off compliance exercises.

By adopting the NCSC RMF, organisations are better positioned to manage increasingly complex cyber threats, reduce vulnerability exposure, improve resilience, and align security investment with real business risk and opportunity. The framework is deliberately flexible and scalable, making it suitable for organisations of all sizes and sectors, including public sector bodies, regulated industries, and organisations supporting critical or essential services.



Learning Outcomes


The course covers both foundational theory and practical considerations such as scoping assessments, mapping evidence, interpreting outcomes and identifying gaps. On completion of the NCSC Risk Management Framework Foundation Course, participants will be able to:

  • Understand the structure, purpose and intent of the NCSC RMF

  • Describe the Eight Steps contained within the NCSC RMF

  • Explain how the NCSC RMF enables effective cyber risk and opportunity management

  • Understand how the NCSC RMF enables improved cybersecurity risk management

  • Explain the link between risk management and secure by design

  • Explain similarities between the NCSC RMF and other commonly used business improvement, risk management and control frameworks

  • Understand considerations for the adoption of the NCSC RMF

  • Understand the application of risk management within UK government agencies and supply chains


Prerequisites


There are no prerequisites for this Foundation level course.

The course is suitable for professionals and employees of all experience levels.
It is designed for security professionals, risk owners, governance leads, and decision makers responsible for managing cyber risk at organisational level. By the end of the programme, delegates will be equipped with the knowledge needed to support RMF adoption within their organisation, contribute to internal assessments, and guide continuous improvement efforts with confidence.


Course Package


This two-day, instructor-coordinated NCSC RMF Foundation training course provides participants with a thorough understanding of each of the eight RMF steps and how to apply them in real-world organisational contexts. The course explores practical implementation, governance considerations, assurance approaches, and how the RMF aligns with other widely used cyber security and risk management frameworks.

Participant numbers are capped.

Following successful completion, participants will receive:

  • DTP NCSC RMF Foundation Certificate of Completion.

  • DTP NCSC RMF Foundation courseware including links to further reading and resources.

  • DTP NCSC RMF Foundation Certificate blockchain digital badge for display on email, websites and LinkedIn.


£1,795.00 +VAT per person
