Cyber strategy/policy good practice guides

What is the aim?

To help countries prepare their national strategies by making use of good practice guides that draw on experience from previous strategies and capacity building projects.

Why do it?

It is a zero-cost way to share and encourage good practice.

What are typical outputs?

The team drafting the strategy has access to global good practice and examples from other countries in the form of documents, meeting notes, website links and other media.

How is it delivered?

In its simplest form, the team preparing the strategy can be sent links to good practice guides and databases with strategies, which can be found on the Cybil Portal. To go further, an implementer could sit down with the team to discuss the guides and how they could be drawn upon to inform the local strategy preparation process.

How easily can a country do it themselves?

Very easily. They can access several tools and guidance documents on the Cybil Portal. Workshops that help teams use the good practice guides are sometimes offered, e.g. by the ITU (see case study).

What good practice guidance is available?

Cybersecurity Strategies Evaluation Tool (ENISA, 2018)
Developing a National Strategy for Cybersecurity (Microsoft, 2013)
Good Practice Guide on National Cyber Security Strategies (ENISA, 2016)
Guide to Developing a National Cybersecurity Strategy (Commonwealth Cybercrime Initiative, CTO, Deloitte, GCSP, GCSCC, ITU, Microsoft, NATO CCDCOE, Potomac Institute for Policy Studies, World Bank, 2018)

  • Look at different good practice guides.
  • Have a look at existing NCS from the region or from countries with a similar set-up (size, GDP, culture, etc.).
  • Read lessons learnt publications (e.g. “National Strategies – Interviews behind the cover. Senegal, Mexico, Norway”, GFCE 2018; see activity 15 “Conversations with people who have drafted strategies in other countries”).


Using the Good Practice Guide – Nil; workshops – mostly offered free of charge. However, participants may need to pay for their travel and lodging.


Using the Good Practice Guide – documents can be accessed immediately. Some time would be required for reading and for a discussion with implementers about the guides, if that was part of the activity. Workshops – 1-3 days.

Using the Good Practice Guide: Kiribati drafted its NCS with support from the ITU using the Guide to Developing a National Cybersecurity Strategy.

In 2019-20, the International Telecommunication Union (ITU), in cooperation with member states and partners such as the Oceania Cyber Security Centre (OCSC) and Deloitte, also conducted four “Regional Capacity-Building Workshop on National Cybersecurity Strategy” events in Jakarta/Indonesia, Skopje/North Macedonia, Tunis/Tunisia and Melbourne/Australia, which helped countries to utilize the good practice guide.

The workshops were targeted at participants from the respective region, such as ministry representatives, policy makers (parliamentarians), individuals in the judiciary system, regulatory bodies, national security agencies, military establishment (the units in charge of information security and/or IT and ICT management), law enforcement agencies, critical infrastructure providers (water, energy, transport, etc.), central monetary agency and banks, telcos and ISPs, and academia. National research bodies and local industry (private sector) involved in security initiatives could also benefit from the workshop.

The workshops built upon the Guide to Developing a National Cybersecurity Strategy and covered topics such as the lifecycle of a national cybersecurity strategy, common principles on National Strategies (what it is, mission, vision, etc.), national cybersecurity strategies worldwide, approaches, comparative analysis, and the establishment of a governance structure to develop/maintain NCS. The training was completed with an exercise.

Sometimes these workshops were organized in the context of other events to ensure that as many interested individuals from the governments were able to participate and to make the best use of travel time and efforts. For instance, the Melbourne workshop was co-organized with the OCSC in the context of its Annual Conference and the GFCE Pacific regional meeting.
