AI Governance Library

Cyber Governance Code of Practice

The Cyber Governance Code of Practice is a government-endorsed framework aimed at medium and large organisations, designed to help boards take ownership of cybersecurity risks. It focuses on aligning cybersecurity with strategic, operational, and cultural goals of the business.

📌 What’s Covered

1. Cyber Governance Code of Practice (the main Code):
Outlines 22 actions under 5 pillars:

  • Risk Management – prioritisation of critical assets, assigning ownership, and risk appetite clarity.
  • Strategy – integration of cyber into corporate strategy and effective delivery.
  • People – leadership-driven culture, board training, and metrics-based awareness programmes.
  • Incident Response – pre-planned playbooks, simulations, and lessons learned.
  • Assurance – structured oversight, audits, and regulatory alignment.

2. Cyber Security Toolkit for Boards (supporting resource):
Breaks governance down into 9 modules with guidance and “indicators of success”:

  • Embedding cyber across departments
  • Building a strong culture
  • Growing internal expertise
  • Identifying critical assets
  • Understanding threats
  • Managing cyber risks
  • Implementing defensive controls
  • Securing the supply chain
  • Planning for incidents

Each module includes clear examples, essential activities, board-level metrics, and relevant case studies (e.g., a ransomware case on p.42-43 shows the real-world value of incident prep).


💡 Why It Matters

This Code makes cybersecurity board-relevant without resorting to tech jargon. It’s one of the few frameworks that truly meets boards where they are—strategic, legal, financial—while giving them tangible governance responsibilities.
Especially valuable is the focus on:

  • Cyber risk as a material board issue, not an IT silo
  • Cultural change, not checkbox compliance
  • Resilience through supply chain due diligence and real incident rehearsals
  • Role-specific advice for directors, not just CISOs

💡 This isn't just about resilience—it’s a clear attempt to hardwire accountability into digital governance.


🚫 What’s Missing

  • Small business adaptation: While acknowledged, the guidance still leans heavily toward larger orgs. A modular version tailored to SMEs would be helpful.
  • Global interoperability: The UK-specific references (e.g. GDPR, NIS Directive, DSIT policy stack) may limit direct applicability in non-UK jurisdictions without mapping to global frameworks like NIST CSF or ISO 27005.
  • More interactive elements: Boards unfamiliar with cyber could benefit from checklists or digital toolkits embedded in the PDF or linked externally.

👍 Best For

  • Board members and non-executive directors needing clear, actionable steps
  • CISOs or CIOs working to educate leadership on their cyber obligations
  • Governance and risk professionals looking to integrate cyber into enterprise risk management
  • Public-sector institutions aiming to meet baseline security expectations

📚 Source Details

  • Title: Cyber Governance Code of Practice and Cyber Security Toolkit for Boards
  • Publisher: Department for Science, Innovation and Technology (DSIT) & National Cyber Security Centre (NCSC), UK
  • Date: 2025
  • Licensing: Open Government Licence v3.0
  • Length: 62 pages (Code and Toolkit combined)
  • Access: www.ncsc.gov.uk | cybergovernance@dsit.gov.uk
About the author
Jakub Szarmach
