
UK Publishes Cyber Governance Code of Practice for Consultation


On 23 January 2024, the UK government published its draft Cyber Governance Code of Practice (the “Code”) to help directors and other senior leadership boost their organizations’ cyber resilience.

The draft Code, which forms part of the UK’s wider £2.6bn National Cyber Strategy, was developed in conjunction with several industry experts and stakeholders – including the UK National Cyber Security Centre.

The UK government is seeking views from organizations on the draft Code by 19 March 2024.

Cyber Governance Code of Practice

The UK government has acknowledged that more needs to be done on board-level frameworks and governance to make cyber resilience a priority, in particular in the context of businesses' use of emerging technologies such as AI, which pose “dynamic” and “fast-paced” risks.

The Cyber Security Breaches Survey 2023 found that while 71% of senior management see cybersecurity as high-priority, only 30% of businesses have board members explicitly responsible for cybersecurity as part of their job role.

The draft Code aims to assist directors and senior leadership in strengthening the cyber resilience of their organizations by adopting a “top-down” approach that gives cyber risk the same prominence as, for example, financial or legal risk.

Five Principles for Effective Cybersecurity Governance

Drawing on best practices, the draft Code focuses on the governance areas the UK government considers most critical for senior management engagement, and pairs them with practical, action-focused guidance.

The draft Code proposes five overarching principles together with the relevant corresponding actions.

The principles and examples of some of the proposed actions are as follows:

  1. Risk management e.g., ensuring that the digital processes, information and services most critical to the ongoing operation of the business have been identified, prioritized and agreed, and establishing sufficient confidence in the organization's cyber resilience to take effective decisions on the level of risk to accept;
  2. Cyber strategy e.g., monitoring and reviewing the organization’s cyber resilience strategy in line with the level of accepted cyber risk, and in the context of applicable legal and regulatory obligations;
  3. People e.g., developing a positive cybersecurity culture by implementing policies and sponsoring communications and training on the importance of cyber resilience to the business;
  4. Incident planning and response e.g., ensuring that the organization has a plan to respond to and recover from a cyber incident affecting business-critical processes, technology and services, testing response plans at least annually, and ensuring that a post-incident review process is in place; and
  5. Assurance and oversight e.g., establishing a governance structure with clearly defined roles and responsibilities and ownership of cyber resilience at executive and non-executive director level, establishing formal reporting, and determining how internal assurance can be achieved.

Regulatory Framework and Next Steps

The draft Code is currently proposed as a voluntary tool, and the UK government is exploring how it can support compliance with existing regulatory obligations under, for example, the UK General Data Protection Regulation (the “UK GDPR”) and the Network and Information Systems (“NIS”) Regulations.

The UK government is now seeking public feedback on the draft Code until 19 March 2024, including on the design of the draft Code, how uptake can be driven, and whether there is demand for an assurance process against it. Following the end of the consultation period, the UK government will publish a summary of the views received, setting out its conclusions and the next steps for the draft Code.


