Cyber Governance Code of Practice published

The Cyber Governance Code of Practice has been published, aimed at assisting boards and directors of medium and large organisations understand their responsibilities in relation to managing cyber security risks.

The Code – developed by the Department of Science, Innovation and Technology alongside the National Cyber Security Centre (“NCSC”) – is described as being “tailor-made for boards and directors of both public-sector and private organisations” and “should be the first point of reference for board members”.

It is structured around five overarching principles: (1) Risk Management; (2) Strategy; (3) People; (4) Incident Planning, Response and Recovery; and (5) Assurance and Oversight. For each principle, a series of ‘Actions’ is set out, covering matters such as completing risk assessments, monitoring and reviewing a cyber resilience strategy, testing plans to respond to and recover from cyber incidents, and establishing an appropriate governance structure.

Accompanying the Code is a helpful list of resources that are intended to support boards and directors in implementing the Code, broken down according to each of the five principles. In addition, there are links to training modules, prepared by the NCSC, which are designed to “support Boards and Directors in understanding the principles of the Code and putting its recommended actions into practice, helping to improve their organisation’s cyber resilience, without delving into the technical detail”.

To read the Code in full, click here.