Cybersecurity Confidence Starts Here: How 10 Steps Can Strengthen Any Organisation

In today’s digital-first world, cyber threats are no longer the domain of tech giants alone. Whether you’re a small startup or a large enterprise, attacks like ransomware, phishing, and data breaches can grind operations to a halt and cost your business dearly. The UK’s National Cyber Security Centre (NCSC) created the 10 Steps to Cyber Security as a powerful framework to help any organisation proactively build cyber resilience.

This in-depth guide explores what the 10 Steps are, why they matter, how they benefit businesses of all sizes, how they compare with other frameworks, how to implement them effectively, and how to use them to assess cybersecurity maturity and track meaningful performance metrics. While it may take up to 10 minutes to read, this resource is designed to give you a practical understanding of how to embed cybersecurity resilience across your organisation.

What are the NCSC 10 Steps to Cyber Security?

The NCSC 10 Steps is a strategic framework comprising ten key areas of cybersecurity best practice:

1. Risk Management – Understand and manage risks to systems, data, and services.

2. Engagement and Training – Educate and empower staff at every level.

3. Asset Management – Know what technology and data you hold and where they are.

4. Architecture and Configuration – Build systems securely from the ground up.

5. Vulnerability Management – Identify and patch known weaknesses.

6. Identity and Access Management – Ensure only the right people access the right systems.

7. Data Security – Protect information in storage and transit.

8. Logging and Monitoring – Track activity to spot and investigate incidents.

9. Incident Management – Prepare for and respond to cyber incidents effectively.

10. Supply Chain Security – Assess and manage risks from third-party providers.

It’s a coordinated, comprehensive approach to securing people, processes, and technology.

How It Will Benefit Small, Medium, and Large Organisations

1. Small Businesses

• Stop common attacks with strong passwords, regular updates, and backups.

• Win new contracts by proving security to larger clients.

• Improve cost-effectively using NCSC's free guidance and tools.

2. Medium-Sized Organisations

• Reduce exposure to ransomware and data loss.

• Create a security culture through structured training and awareness.

• Improve compliance and risk governance.

3. Large Enterprises

• Unite boardroom strategy with operational execution.

• Scale security controls consistently across teams and locations.

• Raise assurance standards for third-party providers.

Comparison with Other Frameworks

Why the 10 Steps Stand Out: Key Differentiators

1. Strategic and Practical – Combines board-level guidance with day-to-day actions.

2. Boardroom to Server Room – Makes cybersecurity everyone's responsibility.

3. No-Certification Barrier – Enables rapid uptake without bureaucracy.

4. Tailored to UK Risk Landscape – Reflects domestic threats and legal context.

5. Scalable and Adaptable – Suitable for any size, sector, or maturity level.

6. Strong Supply Chain Focus – Provides dedicated structure for third-party risk.

How to Implement the 10 Steps in an Organisation

1. Conduct a Gap Analysis – Highlight control gaps and prioritise based on risk.

2. Create a Cybersecurity Roadmap – Break work into achievable, phased milestones.

3. Gain Leadership Support – Align cybersecurity with business goals.

4. Quick Wins – Deploy MFA, secure backups, and run phishing awareness training.

5. Invest in Tools and Partners – Use NCSC tools (e.g., Logging Made Easy) and commercial platforms.

6. Evolve and Improve – Continuously reassess and update controls and strategy.

Using the 10 Steps to Assess Cyber Maturity and Collect Metrics

Assessing Organisational Maturity

Each step can be rated on a scale (e.g. 1–5) to:

• Establish a security baseline

• Highlight specific weaknesses

• Plan maturity goals and improvements

Example of controls:

• Risk Management – Do you have an active risk register? Is it regularly reviewed?

• Access Management – Is MFA enforced for all users? Are dormant accounts removed?

Collecting Cybersecurity Metrics

The NCSC 10 Steps framework provides a structure that organisations can use to define, collect, and analyse cybersecurity metrics. Each step represents a domain of security that can be measured using meaningful indicators:

1. Risk Management – Number of identified risks, treatment rate, review frequency

2. Engagement and Training – % staff trained, phishing test success rate

3. Asset Management – % of inventoried assets, frequency of updates

4. Architecture and Configuration – % of systems with secure configurations

5. Vulnerability Management – Patch latency, scan coverage

6. Identity and Access Management – % of MFA use, number of dormant accounts

7. Data Security – % of encrypted data, DLP events

8. Logging and Monitoring – % of systems monitored, alert response time

9. Incident Management – Mean time to detect and recover, exercise frequency

10. Supply Chain Security – % of suppliers assessed, % with contract clauses

These metrics support:

• Board-level reporting

• Cyber investment planning

• Strategic risk governance

Downloadable Template of the Controls (Coming Soon)

Download the NCSC 10 Steps Maturity Assessment Template:

• Benchmark your cybersecurity maturity

• Assign responsibilities and actions

• Track progress across all 10 Steps

Final Thoughts

The NCSC 10 Steps to Cyber Security is more than a framework—it's a roadmap for embedding security into the DNA of your organisation. It helps you move from reactive to proactive, from fragmented efforts to a unified strategy.

Whether you’re managing a team of 10 or 10,000, the 10 Steps offer scalable guidance backed by UK government expertise. Use them to build confidence with stakeholders, improve compliance, and stay ahead of evolving threats.

Subscribe to the Blog