
Empowering Business Resilience: Unveiling the UK’s Cyber Governance Revolution

Read this blog by ScotlandIS Board Member, David Stubley, taking a look at the new Cyber Governance Code of Practice that the UK Government are seeking to implement.

The UK Government are looking to establish a Cyber Governance Code of Practice, which will support directors to drive greater cyber resilience. They have released a draft version which can be found here.

For those who don’t have the time to read the entire document, here are my key takeaways from the document in two styles, firstly the TL;DR and then a slightly more structured summary:


TL;DR

The document highlights the increasing cyber security risks for UK organizations due to digital reliance. It emphasizes the need for strong cyber governance, aligning it with overall business resilience. The proposed solution is a voluntary Cyber Governance Code of Practice for directors, addressing risk management, cyber strategy, people, incident planning, and assurance. Challenges include declining board engagement, and the document seeks input on the code’s design, uptake strategies, and potential assurance mechanisms. Overall, the focus is on improving cyber resilience and aligning cyber risk management with broader business practices.

More structured summary

Overview of Cyber Security Risks:

  • The document emphasises the increasing reliance on digital technologies by organisations in the UK.
  • It highlights the growing cyber security risks associated with the digital economy, posing threats to business continuity and resilience.

Dynamic Risk Environment:

  • The cyber security risk environment is described as dynamic and fast-moving, influenced by the pace of digitisation, interconnected digital supply chains, evolving threat landscapes, and changing regulatory frameworks.

Importance of Cyber Governance:

  • Cyber risk is positioned as a critical vulnerability that should be given the same prominence as financial or legal risks.
  • The government encourages organisations to integrate cyber risk management with overall business resilience and risk management practices.

Governance in a Technology Age:

  • The role of governance in technology strategies is highlighted, with an emphasis on the need for clear leadership and understanding of technology-related risks.

International Approaches to Cyber Governance:

  • Global trends in cyber governance are discussed, including efforts by countries like the US to drive greater engagement and action from directors regarding cyber security.

Standards and Guidance Landscape:

  • Existing resources, such as the National Cyber Security Centre’s Cyber Security Toolkit for Boards, are mentioned, but board engagement is noted to have declined.
  • The document highlights a lack of specific standards targeting directors and a focus on outcomes that may be challenging for directors to interpret.

Regulatory Environment:

  • Various regulations, including the Network and Information Systems Regulations and the UK General Data Protection Regulation (GDPR), are outlined as part of the government’s efforts to create a balanced regulatory framework for cyber security.

Current UK Cyber Governance:

  • The Cyber Security Breaches Survey 2023 indicates that while cyber security is a priority, board engagement and ownership of cyber risk at the senior level are lacking.
  • Insufficient director involvement is illustrated by the absence of formal incident response plans in some organisations.

Proposed Approach — Cyber Governance Code of Practice:

  • The government proposes the creation of a voluntary Cyber Governance Code of Practice to formalise expectations for directors in governing cyber risk.
  • The document seeks input on the design of the code, strategies for driving uptake, and the potential demand for an assurance process against the code.

Code of Practice Principles:

  • The proposed Code of Practice includes principles related to risk management, cyber strategy, people, incident planning and response, and assurance and oversight.

These key takeaways provide an overview of the document’s focus on the need for enhanced cyber governance, the current challenges in the UK cyber governance landscape, and the proposed measures to address these challenges.

View the full article on Medium.
