
PQC Planning: Govern, Assess, Migrate, Operationalise

  • Feb 12

Post‑Quantum Cryptography (PQC) is moving from “future concern” to board‑level planning topic. Not because anyone needs to predict the exact arrival date of a cryptographically relevant quantum computer — but because cryptographic change is slow, cross‑cutting, and hard to rush.


For executive teams, the question isn’t “Which algorithm should we pick?” It’s:

  • What’s our exposure? (Not just where the keys are.)

  • What’s the cost of delay?

  • Who owns the decision‑making and the risk?

  • How do we transition without breaking critical services or creating unmanaged exceptions?


The most important point: PQC is not a purely technical programme. It’s an enterprise risk and resilience change that needs clear governance and ownership at the top of the organisation.


Start at the top: Governance and ownership

If PQC is treated as “a crypto upgrade for the technical teams”, it will stall — or worse, it will progress in pockets with inconsistent standards, duplicated effort, and unclear accountability.


A successful transition needs executive sponsorship and a governance model that answers:

  • Who is accountable for PQC readiness (and residual risk) — board sponsor, executive owner, and named programme lead.

  • How decisions are made (e.g., risk acceptance, prioritisation, supplier requirements, architectural standards).

  • How progress is measured and reported (milestones, risk reduction, dependencies, exceptions).

  • How PQC becomes ‘business as usual’ after initial transition (ongoing crypto agility, lifecycle management, assurance).


In practical terms, PQC governance typically sits with the C‑Suite because it cuts across:

  • Enterprise risk management and regulatory posture

  • Technology strategy and architecture

  • Third‑party and supply‑chain dependencies

  • Business continuity and operational resilience

  • Data protection and long‑lived confidentiality requirements


Technical teams are essential — but they should be delivering within a framework set by leadership, not trying to create that framework themselves.


PQC Planning: Shape your migration roadmap

The G7 has stated that organisations should plan and execute an orderly transition to PQC. That guidance can be valuable because it frames PQC as a structured migration programme, not an ad‑hoc set of upgrades.


[Figure: G7 PQC Roadmap. Timeline titled "PQC Roadmap - Key Milestones", 2026 to 2035, with phases: Assess & Plan, Execute, Critical Systems, Remaining Systems.]

If you want a practical, executive‑friendly way to interpret that direction into a deliverable plan, start here:


This roadmap is about sequencing and delivery: how you move from today’s cryptographic reality to a post‑quantum ready posture without operational disruption.


Before you migrate, you need an assessment

Most organisations don’t have a complete, reliable view of where cryptography is used across their estate — and that’s the first blocker.


A PQC assessment should give leadership the evidence to prioritise investment and reduce risk early. It should answer questions like:

  • Which systems protect long‑lived sensitive data that must remain confidential for years?

  • What are our biggest dependencies (legacy platforms, embedded devices, vendor roadmaps)?

  • Where are we using public‑key cryptography today (identity, certificates, VPNs, applications, cloud services)?

  • Where do we lack crypto agility (ability to change algorithms without major re‑engineering)?

  • What are the quickest risk‑reducing moves we can make in the next 3–6 months?


That’s why we created an assessment roadmap that reflects how we see this working in the real world: PQC Assessment Roadmap: https://www.icaconsultancy.co.uk/pqc-assessment-roadmap


The executive sequence that works

If you’re looking for a simple, board‑ready way to structure the programme, use this order:


  1. Establish governance and ownership (accountability, decision rights, reporting)

  2. Assess to create an evidence‑led view of exposure, priorities, and dependencies

  3. Migrate using a phased roadmap aligned to external direction

  4. Operationalise PQC as ongoing management, not a one‑off project


This approach avoids two common failure modes:

  • Starting migration without knowing what you’re migrating (incomplete inventory, hidden dependencies)

  • Treating PQC as a technical upgrade rather than an enterprise risk programme


What you can do this quarter

If you’re in the C‑Suite and want to move from “we should do something” to “we have control of this”, focus on three outcomes:

  • Named accountability and a governance cadence (who owns it, how it’s reported)

  • A scoped assessment that identifies where cryptography lives and what matters most

  • A phased migration plan that is realistic, measurable, and supplier‑aware


If you’d like, we can help you translate the assessment outputs into an executive‑level plan with clear governance, prioritisation, and measurable milestones — without fear tactics, grandstanding or hand‑waving.
