If we’ve learned anything from the recent news cycle, it’s that large UK businesses need help. Attacks on M&S, The Co-op, and Harrods have left the country reeling and cybersecurity back at the top of the agenda. So, the release of the Department for Science, Innovation & Technology’s Cyber Governance Code of Practice for medium and large businesses feels timely.
But what is it? And should smaller businesses adopt its recommendations too? We answer these questions and more in this blog.
What is the Cyber Governance Code of Practice?
The Cyber Governance Code of Practice is a framework designed to guide boards and directors on effectively governing cyber risks. Primarily aimed at medium and large organisations, it aims to help business leaders build resilience within their organisations and defend against a wide range of cyber threats.
What does the code include?
Broadly speaking, the code sets out critical governance principles that every board (or director) should apply to their organisation. Think of it as a set of cybersecurity ‘dos’ for people in positions of authority.
More specifically, the code focuses on five fundamental principles. Much like Cyber Essentials and its five controls, they cover the key bases of effective cybersecurity. The five principles are:
- Risk management
- Cyber strategy
- People (cyber-aware culture and training)
- Incident planning and response
- Assurance and oversight
Each principle is supported by a set of three to five actions directors are advised to take. For example, one of the actions for People is to “Undertake training to improve your own cyber literacy.” These actions help directors and business leaders gradually build cyber confidence throughout their organisation and, ultimately, better secure it against cyber threats.
How does it integrate with other frameworks?
The Code complements other resources like the National Cyber Security Centre’s (NCSC) Cyber Security Toolkit for Boards and the Cyber Assessment Framework (CAF).
Alongside this, the code is bolstered by free cyber governance training and a cybersecurity toolkit to help boards implement its recommendations.
Is the code voluntary?
While voluntary, the Code is positioned as the minimum level of board accountability expected within UK businesses. Plus, it likely won’t be voluntary for long. The upcoming Cyber Security and Resilience Bill is widely expected to reinforce these standards and possibly even create some form of legal responsibility for boards.
In other words, it’s well worth getting ahead of the legislation by adopting these measures now.
Why has the code been created?
Time for a brief history lesson. The code was co-designed by the NCSC and industry experts to address two things. Firstly, as we’ve seen illustrated by the attacks on some of the UK’s flagship retailers in the last few weeks, there’s a high prevalence of cyber incidents among large businesses. According to DSIT’s latest research, some 74% of large and 67% of medium-sized organisations reported cyber incidents in the past year.
Secondly, the proportion of UK organisations with board-level responsibility for cybersecurity has declined gradually since its high of 38% in 2021 (the figure is 25% in 2025). The code aims to put managing cyber risk back at the front and centre of boards’ thinking and give senior leaders a clear framework for how to do it.
More broadly, the code and the frameworks it complements fit with upcoming legislation to form a key part of the UK government's approach to improving national cyber resilience.
Who is the code for?
We mentioned earlier that the Cyber Governance Code of Practice is primarily aimed at medium to large businesses. This is because larger businesses typically have a formalised board and governance structures.
However, you shouldn’t take away the message that the framework isn’t useful if you’re a small business. Most obviously, small businesses often do have boards or, at the very least, directors. More importantly, the framework has value for any organisation.
Regardless of your organisation’s size, adopting its recommendations will help you bolster your defences, mitigate risks, and gain cyber confidence.
Want a simple solution for meeting the Cyber Governance Code of Practice's staff training recommendation? Check out CyberSmart Learn.