The Government has launched a call for views on a proposed Cyber Governance Code of Practice which will “support directors to drive greater cyber resilience”. The Code focuses on “the most critical areas that leaders must engage with, forming simple, actions-focused guidance, making it easier for directors to understand what actions to take”.

The proposed Code

The proposed Code has been co-designed with experts from the National Cyber Security Centre, as well as wider industry experts. It is structured around five overarching principles, namely:

  1. Risk management
  2. Cyber strategy
  3. People
  4. Incident planning and response
  5. Assurance and oversight

Each principle is underpinned by a series of actions which are presented in accessible language to ensure that directors fully understand the steps which their businesses should be taking in order to strengthen their cyber governance regimes.

For example, actions include “ensure the most important digital processes, information and services critical to the ongoing operation of the business and achieving business objectives have been identified, prioritised and agreed” and “ensure that the organisation has a plan to respond to and recover from a cyber incident impacting business critical processes, technology and services”.

Further guidance on implementation of these principles and actions is provided within the NCSC’s Cyber Security Toolkit for Boards which will sit alongside the Code in order to form a coherent set of guidance.

It is suggested that the proposed Code would be “launched as a voluntary tool, that is, without its own statutory footing. However, the Code of Practice would support and align with a number of existing regulatory obligations”, such as the GDPR and the NIS regulations. Accordingly, the Government acknowledges that “the promotion of the Code, whether it is published through a governance or a cyber security agency, and the broader interventions outlined here to stimulate uptake, are all critical aspects of embedding it in common practice across the UK economy”.

Call for views

The scope of the Government's call is focused around three key issues:

  1. The design of the Code: the Government has launched this call for views in order to understand whether the principles and actions set out in the proposed Code are “explained in a way that is straightforward to understand and implement”, or whether any further guidance would be helpful.
  2. How the Government can drive uptake of, and compliance with, the Code: the Government also wishes to understand “where the Code may be best placed and promoted to ensure it reaches directors and forms a core aspect of their knowledge base on risk management in a digital age”, as well as the role which other bodies may play and any barriers to its implementation.
  3. The merits of and demand for an assurance process against the Code: finally, the Government seeks views on “the utility and risks of implementing either a self or independently assessed assurance process against the Code”. There are a number of benefits to implementing some form of assurance process, including providing organisations with a “badge” which can give shareholders, customers, insurance firms or business partners confidence that the organisation is managing its cyber risks.

The call for views is open until 11.59 pm on Tuesday 19 March 2024.