From the Boardroom: Implementing the UK Cyber Governance Code

Written by Louise Ralston
Apr 28, 2025 - 6 minute read

Learn how the UK Cyber Governance Code guides boards and directors in managing cyber risks to ensure business resilience and compliance.

Cyber Governance Code of Practice - a whistle-stop tour

What is it, and why is it important to you?

This publication was produced by the Department for Science, Innovation and Technology (DSIT) in collaboration with the National Cyber Security Centre (NCSC). It aims to help boards and directors of UK organisations govern cyber risk effectively as part of their broader responsibilities for business resilience, compliance and operational continuity.

Here we take a brief look at its key principles.

The Code has been designed to assist boards and directors in governing cybersecurity risk. It sets out the governance actions expected of leadership and is supported by additional resources:

  • Cyber Governance Training: Enhances understanding of cyber risk governance.

  • Cyber Security Toolkit for Boards: Provides practical tools for implementing the Code's actions.

Who It's For

  • Primary audience: Boards, directors, and senior leaders of medium and large UK organisations

  • Also beneficial for: SMEs, public sector bodies, and charities

  • Applies across all sectors, recognising cyber threats as a growing national and organisational risk

Why It Matters

  • Over 50% of medium and 70% of large businesses report cyber breaches.

  • Growing legal and regulatory expectations (e.g., UK GDPR and the NIS Regulations; NIS2 for organisations with EU operations or customers)

  • Investors, regulators, insurers, and clients are demanding more visible governance

  • Cyber risk is now a board-level issue, not just an IT matter


The Five Principles of Cyber Governance

1. Risk Management

  • Identify and prioritise critical systems and data

  • Assign board-level responsibility for cyber risk

  • Set and monitor cyber risk appetite

  • Integrate cyber into enterprise risk frameworks

  • Assess and manage supply chain risks

2. Strategy

  • Define a cybersecurity strategy aligned to business goals

  • Allocate appropriate resources and capabilities

  • Monitor and review the delivery of the strategy

  • Ensure the strategy reflects current threats and legal requirements

3. People

  • Build a positive cybersecurity culture

  • Train the board and staff in cyber awareness

  • Establish clear policies and responsibilities

  • Evaluate the effectiveness of training and culture

4. Incident Planning, Response & Recovery

  • Have tested incident response and recovery plans

  • Assign clear roles for senior leaders during an incident

  • Learn from incidents and update plans accordingly

  • Ensure regulatory reporting and communications are understood

5. Assurance & Oversight

  • Embed cyber into wider governance structures

  • Use regular reporting and metrics to track cyber performance

  • Engage with cybersecurity and audit functions

  • Be informed about applicable standards and regulatory duties

Supporting Resources

  • Cyber Governance Training for Boards (Free, NCSC-backed)

  • Cyber Security Toolkit for Boards

  • Mappings of the Code's actions to standards such as NIST, COBIT, ISO 27001 and IASME Cyber Assurance

Conclusion

This Code elevates cyber risk governance from a siloed IT concern to a core boardroom responsibility. It helps organisations demonstrate due diligence, build trust, and ensure resilience in a complex and evolving threat landscape.

Full details and resources:
gov.uk - Cyber Governance Code of Practice
