UK Launches Cyber Governance Code of Practice Consultation — January 23, 2024

The UK government and NCSC opened consultation on a voluntary Cyber Governance Code of Practice to raise board accountability for cyber risk management across the economy.

Executive briefing: The UK Department for Science, Innovation and Technology (DSIT) and the National Cyber Security Centre (NCSC) launched a consultation on a Cyber Governance Code of Practice. The proposed code outlines five core principles for directors and senior leaders to ensure cyber risk is embedded in governance, risk management, and resilience planning across UK organisations.

Code principles under consultation

  • Risk ownership. Boards should assign clear accountability for cyber risk, integrating it with corporate governance and enterprise risk frameworks.
  • Cyber strategy. Organisations must maintain a dynamic cyber strategy aligned to business objectives and threat intelligence.
  • Incident preparedness. Leaders are expected to ensure response plans, exercising, and stakeholder communications are regularly tested.

Control alignment guidance

  • UK Corporate Governance Code. Map cyber risk reporting to existing board assurance statements and audit committee responsibilities.
  • NCSC Cyber Assessment Framework. Use CAF objectives to evidence maturity improvements aligned to the code’s principles.
  • ISO/IEC 27014. Update information security governance metrics and dashboards presented to directors.

Operational recommendations

  • Submit consultation responses by the deadline, highlighting sector-specific governance considerations.
  • Refresh board training programmes to incorporate the draft principles and NCSC guidance on systemic risk oversight.
  • Benchmark current governance artefacts—risk appetite statements, assurance reports, and crisis playbooks—against the proposed code to prioritise improvements.