Cyber Governance Code of Practice: UK Publishes Draft Code and Calls For Views In 2024.


Alongside the digital revolution taking place all over the world, efforts are being made to raise cyber awareness among the public. At the same time, governments of various countries are working to curb cybercriminals.

On 23 January 2024, the UK Government announced a call for views and requested feedback from businesses of all sizes in every sector on a draft of its Cyber Governance Code of Practice (the “Draft Code”).


Aimed at directors and other business leaders, the draft code sets out key cyber governance areas that organizations of all sizes should focus on to manage cyber risk in a better way.

The deadline to respond to the call for views is Tuesday 19 March 2024 at 11:59pm (UK).

The UK Government is seeking responses from a wide range of respondents, including academics, organizations without formal boards, organizations purchasing or outsourcing cyber security, and other interested parties.

The Draft Code:

The UK Government has announced that the draft code has been co-designed with the UK National Cyber Security Centre (NCSC) and a range of cyber and governance experts, including non-executive directors, auditors, consultants, chief information security officers and academics.

While the final approved code will be a voluntary instrument without its own statutory basis, the UK Government has said that it is working with regulators to determine how the final code can be embedded into the existing UK regulatory landscape, for example by aligning it closely with the UK GDPR and the Network and Information Systems (NIS) Regulations.

In a simple and concise format, the Code sets out the primary foundational actions that business leaders and their organizations should take to address cyber risk. The draft code includes five broad cyber governance principles, each complemented through specific action points.

Action points are “worded in the language used by directors” to provide clear expectations of what action they should take and why. The five broad principles are:

  • Risk Management;
  • Cyber Strategy;
  • People;
  • Incident planning and response;
  • Assurance and Inspection.

Examples of the complementary action points under the broader principles include:

Cyber Strategy – Ensure appropriate resources and investments are allocated and used effectively to develop capabilities that manage cybersecurity threats and related business risks.

Incident planning and response – Ensure the organization has a plan to respond to and recover from a cyber incident that impacts business critical processes, technology and services.


About Call For Views:

The call for views is open until 19 March 2024 at 11:59pm (UK) and is focused on three main areas:

  • The design of the Cyber Governance Code of Practice;
  • How the government can promote use of, and compliance with, the Code;
  • The merits of, and demand for, an assurance process against the draft Code.

Data collected from the call for views will be used to ensure that the draft code is easy to understand and implement, reaches business leaders and forms a core part of their risk management knowledge base, and presents no obstacles to use.

Additionally, the usefulness and risks of implementing an assurance process against the draft code will also be evaluated.

Alignment with the UK cyber governance landscape:

Announcing the call for views, the UK Government commented generally on the current UK cyber governance landscape. Notably, the UK Government acknowledged the results of the UK Cyber Security Breaches Survey 2023, which found that cybersecurity was seen as a high priority for senior management in 71% of businesses, a decrease of 11% from 82% in the previous year.

The Cyber Security Breaches Survey 2023 also concluded that formal incident response plans are “not widespread”, with only 47% of medium-sized businesses and 64% of large businesses having a formal incident response plan.

These figures may be worrying in light of the regulatory obligations that businesses may need to comply with.

That’s a brief news item on cyber awareness I thought I’d share with you! I hope this will be valuable for you. You can reach me through the emails given below. I would love your valuable comments and feedback.


Abhijit Ranjan
