The UK Government’s Cyber Governance Code of Practice, published in April 2025, offers a structured framework to assist boards and directors in effectively managing cyber security risks.
Developed collaboratively by the Department for Science, Innovation and Technology (DSIT) and the National Cyber Security Centre (NCSC), the Code is designed to integrate cyber risk management into broader business governance practices. The Code aims to elevate cyber security to a board-level concern, emphasising that it is a critical business risk rather than solely an IT issue. It is primarily targeted at medium and large organisations across both public and private sectors. While small businesses are not the primary audience, they are encouraged to adopt the Code’s principles to enhance their cyber resilience.
The Code is structured around five key principles, each setting out specific actions for directors:
1. Risk Management
- Identify and prioritise critical digital assets and services
- Conduct regular risk assessments, considering changes in the internal and external environment
- Integrate cyber security risks into the organisation’s broader risk management and internal control activities
- Assess and manage risks associated with suppliers and business partners
2. Cyber Strategy
- Develop and monitor a cyber resilience strategy aligned with the organisation’s risk appetite, business objectives and legal obligations
- Allocate appropriate resources and investments to manage cyber threats effectively
3. People
- Promote a positive cyber security culture through clear policies and communications
- Ensure board members and staff receive adequate training to maintain cyber literacy
- Implement effective cyber security training, education and awareness programmes with measurable outcomes
4. Incident Planning and Response
- Establish and regularly test a comprehensive incident response plan
- Ensure plans are updated based on lessons learned from tests and actual incidents
- Define clear roles and responsibilities for regulatory obligations and external communications during incidents
- Conduct post-incident reviews to improve future response and recovery efforts
5. Assurance and Oversight
- Establish a governance structure with defined roles and responsibilities for cyber resilience at both executive and non-executive director levels
- Implement regular monitoring and reporting mechanisms to assess cyber resilience
- Maintain ongoing dialogue with senior executives, including the Chief Information Security Officer (CISO) or relevant risk owners
- Integrate cyber resilience strategies into existing internal and external assurance processes
Read the full Cyber Governance Code of Practice published by the UK Government.
Griffiths & Armour strongly recommends that organisations review their cyber security approach in light of this new Code of Practice.
Further cyber risk and cyber incident response guidance, supplemented by template policies, plan documentation and e-learning, is available via RMworks, which is available to all Griffiths & Armour clients. If you have any questions about the contents of this article, please get in touch.