
Cyber Governance Code of Practice

A Guide for Boards and Directors

Understanding your responsibilities for cyber security governance

Published: January 2026

Author: Dead Simple Computing Ltd

Version: 1.0

Contents

  • Executive Summary
  • What Is The Cyber Governance Code of Practice?
  • Why This Matters For Boards
  • The Five Principles
  • Principle A: Risk Management
  • Principle B: Strategy
  • Principle C: People
  • Principle D: Incident Planning
  • Principle E: Assurance
  • Getting Started: First Steps For Boards
  • Questions Boards Should Ask
  • How a vCISO Can Help
  • Resources and Support

1. Executive Summary

The UK Government published the Cyber Governance Code of Practice in April 2025. It establishes clear expectations for how boards and directors should govern cyber security risk.

Key message: Cyber security is a board-level responsibility, not just an IT issue.

The five principles:

  • Risk Management - Understand and manage cyber risks to your organisation
  • Strategy - Ensure cyber security is embedded in organisational strategy
  • People - Build a security-aware culture with appropriate skills
  • Incident Planning - Prepare to respond to and recover from incidents
  • Assurance - Gain confidence that security measures are effective

Why it matters:

  • 70% of medium businesses experienced cyber breaches in the past year
  • Only 30% of UK businesses have board members responsible for cyber security
  • The Cyber Security and Resilience Bill will bring regulatory enforcement
  • Directors face increasing personal accountability for governance failures

What boards must do:

  • Take ownership of cyber risk at board level
  • Ensure cyber security is part of organisational strategy
  • Receive regular reporting on cyber security posture
  • Oversee incident response planning
  • Gain assurance that controls are effective

2. What Is The Cyber Governance Code of Practice?

Background

The Cyber Governance Code of Practice was published by the Department for Science, Innovation and Technology (DSIT) on 8 April 2025. It was developed in partnership with the National Cyber Security Centre (NCSC) and industry experts.

The Code responds to findings that:

  • Cyber security is often treated as a technical issue, not a governance issue
  • Boards frequently lack visibility of cyber risks
  • There is inconsistency in how organisations govern cyber security
  • Directors are uncertain about their responsibilities

Purpose

The Code aims to:

  • Provide clear, actionable guidance for boards and directors
  • Establish consistent expectations across sectors
  • Help boards integrate cyber security into existing governance
  • Support directors in fulfilling their responsibilities
  • Improve organisational resilience to cyber threats

Scope

Who it's for:

  • Boards and directors of medium and large organisations
  • Both private and public sector
  • Executive and non-executive directors

Who it's not for:

  • Day-to-day security operations (that's for your security team)
  • Small organisations (though principles still apply)
  • Technical implementation detail

Status

The Code is currently voluntary guidance, not law. However:

  • It represents Government expectations of good governance
  • It aligns with the forthcoming Cyber Security and Resilience Bill
  • Regulators will likely reference it in enforcement
  • It sets the benchmark against which boards will be judged
  • Legislation has not been ruled out if adoption is poor

Supporting Resources

The Code is part of a broader governance package:

  • Cyber Governance Training - Online training for board members
  • Cyber Security Toolkit for Boards - Practical implementation support
  • Governance Mapping Documents - How the Code maps to CAF, ISO 27001, and other standards

3. Why This Matters For Boards

The Changing Landscape

Cyber security has fundamentally changed:

From IT issue to business risk:

  • Cyber incidents can halt operations for weeks
  • Customer data breaches destroy trust
  • Ransomware can threaten business survival
  • Supply chain attacks affect entire ecosystems

From technical to strategic:

  • Digital transformation increases exposure
  • Regulatory requirements are expanding
  • Insurance requirements are tightening
  • Customer expectations are rising

From voluntary to enforceable:

  • The Cyber Security and Resilience Bill brings statutory enforcement for organisations within its scope
  • The Bill proposes penalties of up to £17 million or 4% of global turnover for the most serious failures
  • Directors face personal accountability
  • "We didn't know" is not a defence

The Board's Role

Boards govern risk. Cyber is now a material risk for virtually every organisation.

What boards must do:

  • Set the tone from the top
  • Ensure appropriate resources are allocated
  • Oversee risk management
  • Receive and act on reporting
  • Hold management accountable

What boards should not do:

  • Manage day-to-day security operations
  • Make technical decisions
  • Conduct security assessments themselves
  • Ignore cyber because it's "too technical"

Personal Accountability

Directors should understand:

  • Directors' duties under the Companies Act 2006, in particular the duty of reasonable care, skill and diligence (s.174) and the duty to promote the success of the company (s.172), extend to oversight of material risks, and cyber risk is now one of them
  • Cyber security failures can constitute governance failures
  • D&O insurance may not cover wilful neglect of cyber governance
  • Regulators increasingly focus on board accountability

The Code helps demonstrate that boards are fulfilling their duties.

The Business Case

Good cyber governance delivers:

  • Reduced risk of costly incidents
  • Competitive advantage in winning business
  • Lower insurance premiums with demonstrated controls
  • Regulatory compliance as requirements increase
  • Stakeholder confidence from investors, customers, partners

4. The Five Principles

The Code is structured around five principles:

  • A. Risk Management - Understanding and managing cyber risks
  • B. Strategy - Embedding cyber in organisational strategy
  • C. People - Culture, skills, and awareness
  • D. Incident Planning - Preparing for, responding to and recovering from incidents (the Code titles this "Incident planning, response and recovery")
  • E. Assurance - Gaining confidence in security effectiveness (the Code titles this "Assurance and oversight")

Each principle includes specific actions boards should take.

The principles are designed to:

  • Be applicable across sectors and organisation types
  • Integrate with existing governance structures
  • Be proportionate to organisational risk
  • Provide clear, measurable outcomes

5. Principle A: Risk Management

Objective: Ensure cyber security risks are understood, prioritised, and managed appropriately.

Actions for Boards

A1. Identify critical assets

Gain assurance that technology processes, information, and services critical to your organisation's objectives have been identified and prioritised.

What this means:

  • Know what systems and data are essential to operations
  • Understand what would happen if they were compromised
  • Prioritise protection of the most critical assets

A2. Integrate cyber risk

Agree senior ownership of cyber security risks and gain assurance they are integrated into wider enterprise risk management and internal controls.

What this means:

  • Cyber risk should be on the corporate risk register
  • Someone at senior level owns cyber risk
  • Cyber is treated like other material business risks
  • Internal controls address cyber risks

A3. Define risk appetite

Define and clearly communicate the organisation's cyber security risk appetite and gain assurance that there is an action plan to meet these expectations.

What this means:

  • Board defines how much cyber risk is acceptable
  • Risk appetite is communicated to management
  • Plans exist to bring risk within appetite
  • Progress is tracked and reported

A4. Manage supply chain risk

Gain assurance that the organisation is resilient to cyber security risks from its supply chain and business partners.

What this means:

  • Supply chain cyber risks are assessed
  • Critical suppliers are identified
  • Supplier security is monitored
  • Contingency plans exist for supplier failures

A5. Regular risk assessment

Gain assurance that risk assessments are conducted regularly and account for changes in the organisation, technology, regulations, or threat landscape.

What this means:

  • Risk assessments are not one-time exercises
  • Assessments are updated when things change
  • New threats are considered
  • Regulatory changes are tracked

Board Questions for Risk Management

  • What are our most critical systems and data?
  • Where does cyber risk sit on our corporate risk register?
  • Who owns cyber risk at executive level?
  • What is our cyber risk appetite and are we within it?
  • How do we manage supply chain cyber risk?

6. Principle B: Strategy

Objective: Ensure cyber security is embedded in organisational strategy and adequately resourced.

Actions for Boards

B1. Cyber strategy exists

Gain assurance that the organisation has a cyber strategy aligned with and embedded within wider organisational strategy.

What this means:

  • A documented cyber security strategy exists
  • It supports business objectives
  • It's not just an IT document
  • It's owned at appropriate level

B2. Strategy alignment

Gain assurance that the cyber strategy aligns with agreed risk appetite, meets regulatory obligations, and accounts for expected changes.

What this means:

  • Strategy addresses identified risks
  • Regulatory requirements are met
  • Future changes are anticipated
  • Strategy is reviewed and updated

B3. Resources allocated

Gain assurance that resources are allocated effectively to manage agreed cyber risks.

What this means:

  • Budget is appropriate for risk level
  • Skilled people are in place or engaged
  • Technology investments are prioritised
  • Resource constraints are understood and accepted

B4. Strategy delivery

Gain assurance that the cyber strategy is being delivered effectively and achieving intended outcomes.

What this means:

  • Progress is tracked against strategy
  • Milestones are met
  • Outcomes are measured
  • Adjustments are made when needed

Board Questions for Strategy

  • Do we have a cyber security strategy?
  • Does it align with our business strategy?
  • Are we adequately resourced for cyber security?
  • How do we know the strategy is being delivered?
  • When was the strategy last reviewed?

7. Principle C: People

Objective: Build a security-aware culture with appropriate skills at all levels.

Actions for Boards

C1. Promote security culture

Promote a cyber security culture that encourages positive behaviours and accountability across all levels, aligned with organisational strategy.

What this means:

  • Board sets the tone from the top
  • Security is everyone's responsibility
  • Good security behaviour is recognised
  • Poor behaviour is addressed

C2. Clear policies

Gain assurance that there are clear policies supporting a positive cyber security culture.

What this means:

  • Policies exist and are communicated
  • Policies are understandable and practical
  • Policies are enforced consistently
  • Policies are reviewed and updated

C3. Director training

Undertake training to improve your own cyber literacy and take responsibility for the security of the data and digital assets you access.

What this means:

  • Directors complete cyber governance training
  • Directors understand their responsibilities
  • Directors practise good security themselves
  • Directors can engage meaningfully with cyber topics

C4. Organisation-wide training

Gain assurance that the organisation has an effective cyber security training, education, and awareness programme.

What this means:

  • All staff receive security awareness training
  • Training is relevant and engaging
  • Completion is tracked
  • Effectiveness is measured

Board Questions for People

  • What training have board members completed?
  • Do we have a security awareness programme?
  • What is our training completion rate?
  • How do we measure security culture?
  • Do we have the cyber skills we need?

8. Principle D: Incident Planning

Objective: Ensure the organisation can respond to and recover from cyber incidents.

Actions for Boards

D1. Incident response plan

Gain assurance that the organisation has a plan to respond to and recover from cyber incidents impacting business-critical processes.

What this means:

  • Documented incident response plan exists
  • Plan covers likely incident scenarios
  • Roles and responsibilities are clear
  • Recovery procedures are defined

D2. Exercise the plan

Gain assurance that there is at least an annual exercise of the plan involving relevant stakeholders, and that lessons are reflected in the plan.

What this means:

  • Tabletop exercises are conducted
  • Key stakeholders participate (including board)
  • Lessons learned are captured
  • Plan is updated based on exercises

D3. External reporting

Gain assurance that the organisation understands its obligations for reporting significant cyber incidents to relevant authorities.

What this means:

  • Regulatory reporting requirements are known
  • Reporting processes are defined
  • Timeframes are understood (the Bill proposes an initial notification within 24 hours and a full report within 72 hours of becoming aware of a significant incident)
  • Templates and contacts are prepared

D4. Board notification

Define the thresholds for cyber incidents that should be reported directly to the board, and how the board will be involved in the response.

What this means:

  • Clear escalation criteria exist
  • Board knows when they'll be informed
  • Board role in major incidents is defined
  • Communication channels are established

Board Questions for Incident Planning

  • Do we have an incident response plan?
  • When was it last tested?
  • Have board members participated in exercises?
  • What incidents would be escalated to the board?
  • Do we understand our reporting obligations?

9. Principle E: Assurance

Objective: Gain confidence that cyber security measures are effective and governance is working.

Actions for Boards

E1. Governance structure

Establish a cyber governance structure embedded within wider governance, with clear roles including ownership at executive and non-executive director level.

What this means:

  • Cyber governance roles are defined
  • Executive owner is designated
  • Non-executive oversight is in place
  • Reporting lines are clear

E2. Regular reporting

Require formal reporting on at least a quarterly basis, set suitable metrics, and agree tolerances for each.

What this means:

  • Board receives regular cyber reports
  • Metrics are defined and tracked
  • Tolerances/thresholds are agreed
  • Reports enable meaningful oversight
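The Code asks boards to agree metrics with tolerances (E2) and escalation thresholds for incidents (D4) but does not prescribe what they should be. The Python below is an added example, not code from the Code, the NCSC or Dead Simple Computing: it turns constructed operational records into three board metrics with a RAG status against assumed tolerances, and applies assumed escalation thresholds to two constructed incidents. The metric names, the 14-day critical patch SLA, the tolerances, the amber margins, the escalation thresholds and all sample data are illustrative assumptions that a real board would set for itself.

```python
# Added example (not from the Code or the page's author): board metrics with
# agreed tolerances (Principle E2) and board-escalation thresholds (Principle D4).
# All sample data, metric names, tolerances and thresholds are constructed assumptions.
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional


@dataclass(frozen=True)
class Vulnerability:
    asset: str
    severity: str            # "critical", "high", "medium", "low"
    found: date
    fixed: Optional[date]    # None while still open


@dataclass(frozen=True)
class Metric:
    name: str
    value: float
    tolerance: float         # the board-agreed limit
    higher_is_better: bool   # direction in which the value should sit
    amber_margin: float      # how far past tolerance still counts as AMBER

    @property
    def rag(self) -> str:
        """GREEN within tolerance, AMBER just outside it, RED beyond the margin."""
        gap = self.tolerance - self.value if self.higher_is_better else self.value - self.tolerance
        if gap <= 0:
            return "GREEN"
        return "AMBER" if gap <= self.amber_margin else "RED"


def critical_patch_sla(vulns, as_of: date, sla_days: int = 14) -> float:
    """Percentage of critical findings fixed within the (assumed) SLA.
    Only findings whose SLA has elapsed, or that are already fixed, are counted;
    an open finding that is not yet overdue is neither a pass nor a fail."""
    due, met = 0, 0
    for v in vulns:
        if v.severity != "critical":
            continue
        deadline = v.found + timedelta(days=sla_days)
        if v.fixed is None and deadline > as_of:
            continue  # still inside the SLA window
        due += 1
        if v.fixed is not None and v.fixed <= deadline:
            met += 1
    return 100.0 if due == 0 else round(100.0 * met / due, 1)


def mfa_coverage(accounts) -> float:
    """Percentage of accounts with MFA enabled; accounts is [(name, enabled), ...]."""
    if not accounts:
        return 100.0
    return round(100.0 * sum(1 for _, on in accounts if on) / len(accounts), 1)


def board_report(vulns, accounts, last_exercise: date, as_of: date) -> dict:
    """Quarterly board pack: each metric with its value, tolerance and RAG status."""
    return {
        "critical_patch_sla": Metric("Critical vulns fixed within 14-day SLA (%)",
                                     critical_patch_sla(vulns, as_of), 95.0, True, 5.0),
        "mfa_coverage": Metric("Accounts with MFA enabled (%)",
                               mfa_coverage(accounts), 99.0, True, 5.0),
        "ir_exercise_age_days": Metric("Days since last incident exercise",
                                       float((as_of - last_exercise).days), 365.0, False, 30.0),
    }


@dataclass(frozen=True)
class Incident:
    ref: str
    category: str
    downtime_hours: float
    data_subjects: int
    regulatory_report: bool


# Assumed D4 thresholds: hitting any one takes an incident straight to the board.
ESCALATION_THRESHOLDS = {"downtime_hours": 24, "data_subjects": 1000}


def board_notifiable(inc: Incident) -> list:
    """Return the escalation triggers an incident hits (empty list = not board-level)."""
    reasons = []
    if inc.downtime_hours >= ESCALATION_THRESHOLDS["downtime_hours"]:
        reasons.append(f"downtime_hours {inc.downtime_hours:g} >= {ESCALATION_THRESHOLDS['downtime_hours']}")
    if inc.data_subjects >= ESCALATION_THRESHOLDS["data_subjects"]:
        reasons.append(f"data_subjects {inc.data_subjects} >= {ESCALATION_THRESHOLDS['data_subjects']}")
    if inc.regulatory_report:
        reasons.append("regulatory report required")
    return reasons


# Constructed sample data for a fictional organisation, reporting as of 31 Jan 2026.
AS_OF = date(2026, 1, 31)
LAST_EXERCISE = date(2025, 4, 15)
SAMPLE_VULNS = [
    Vulnerability("vpn-gw-01", "critical", date(2026, 1, 1), date(2026, 1, 10)),   # fixed in 9 days
    Vulnerability("mail-01", "critical", date(2026, 1, 3), date(2026, 1, 14)),     # fixed in 11 days
    Vulnerability("erp-db-01", "critical", date(2026, 1, 4), date(2026, 1, 17)),   # fixed in 13 days
    Vulnerability("file-01", "critical", date(2026, 1, 5), None),                  # open and overdue
    Vulnerability("hr-app-01", "critical", date(2026, 1, 20), None),               # open, not yet due
    Vulnerability("intranet-01", "high", date(2026, 1, 2), None),                  # not critical, ignored
]
SAMPLE_ACCOUNTS = [(f"user{i:02d}", i != 7) for i in range(20)]   # 19 of 20 have MFA
SAMPLE_INCIDENTS = [
    Incident("INC-0101", "phishing", 0.0, 1, False),
    Incident("INC-0102", "ransomware", 36.0, 0, True),
]

if __name__ == "__main__":
    for m in board_report(SAMPLE_VULNS, SAMPLE_ACCOUNTS, LAST_EXERCISE, AS_OF).values():
        print(f"{m.rag:5} {m.name}: {m.value:g} (tolerance {m.tolerance:g})")
    for inc in SAMPLE_INCIDENTS:
        triggers = board_notifiable(inc)
        print(inc.ref, "board-level" if triggers else "operational", triggers)
```

The point of the structure is that each metric carries its tolerance and its direction, so the board pack can be produced mechanically from the same operational data every quarter and a breach of tolerance is a computed fact rather than a judgement call in the meeting. The SLA metric deliberately excludes open findings that are not yet overdue; counting them as failures would make the figure swing with the timing of the report rather than with remediation performance.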

E3. Two-way dialogue

Establish regular two-way dialogue with relevant senior executives, including the CISO or equivalent.

What this means:

  • Board engages directly with security leadership
  • Communication flows both ways
  • Board can ask questions and challenge
  • Security leadership has board access

E4. Integration with audit

Gain assurance that cyber security is integrated with existing internal and external audit and assurance mechanisms.

What this means:

  • Internal audit covers cyber security
  • External audit considers cyber risks
  • Assurance activities are coordinated
  • Findings are reported to board

E5. Regulatory awareness

Gain assurance that senior executives are aware of relevant regulatory obligations and best practice.

What this means:

  • Regulatory requirements are tracked
  • Compliance status is known
  • Best practice is understood
  • Gaps are identified and addressed

Board Questions for Assurance

  • Who owns cyber security at executive level?
  • How often do we receive cyber reports?
  • What metrics do we track?
  • Does internal audit cover cyber security?
  • Are we compliant with regulatory requirements?

10. Getting Started: First Steps For Boards

If You're Starting From Scratch

Month 1: Foundation

  • Designate board-level ownership (executive and non-executive)
  • Complete NCSC Cyber Governance Training (all directors)
  • Request current state briefing from management/IT
  • Add cyber security to board agenda

Month 2: Understanding

  • Identify critical assets and systems
  • Review corporate risk register for cyber risks
  • Understand current security measures
  • Identify key gaps

Month 3: Action

  • Define risk appetite
  • Request/develop cyber strategy
  • Establish reporting requirements
  • Commission gap assessment if needed

Ongoing

  • Quarterly board reporting
  • Annual incident response exercise
  • Regular training updates
  • Strategy review

If You Have Some Foundation

Assess current state against the Code:

  • Which principles are well-addressed?
  • Where are the gaps?
  • What's the priority for improvement?

Fill the gaps:

  • Focus on highest-risk areas first
  • Assign clear ownership for each action
  • Set realistic timelines
  • Track progress

Quick Wins

  • Complete the NCSC Cyber Governance Training
  • Add cyber to the board agenda
  • Request a current-state briefing
  • Review the incident response plan
  • Schedule an incident exercise

11. Questions Boards Should Ask

Strategic Questions

  • What are the biggest cyber risks to our organisation?
  • How does cyber risk compare to other business risks?
  • Are we investing appropriately in cyber security?
  • How do we compare to our peers?
  • What would a major incident cost us?

Operational Questions

  • Do we have the right skills and resources?
  • Are our critical systems adequately protected?
  • How quickly would we know if we were breached?
  • Can we recover from a ransomware attack?
  • How secure is our supply chain?

Governance Questions

  • Who is accountable for cyber security?
  • How do we gain assurance that controls work?
  • Are we meeting our regulatory obligations?
  • When did we last test our incident response?
  • What training have board members completed?

Challenge Questions

  • What keeps you awake at night?
  • Where are we most vulnerable?
  • What would we do differently with more budget?
  • How confident are you in our security posture?
  • What aren't you telling me?

12. How a vCISO Can Help

Many organisations lack dedicated security leadership. A virtual CISO (vCISO) provides strategic security expertise without the cost of a full-time hire.

What a vCISO Does

Strategic leadership:

  • Develop and maintain cyber strategy
  • Advise on risk management
  • Guide security investments
  • Align security with business objectives

Board support:

  • Prepare board reports and metrics
  • Attend board meetings when needed
  • Translate technical to business language
  • Support directors in governance duties

Governance implementation:

  • Implement the Cyber Governance Code
  • Develop policies and procedures
  • Establish reporting frameworks
  • Coordinate assurance activities

Incident support:

  • Develop incident response plans
  • Lead or support incident response
  • Conduct exercises
  • Manage regulatory notification

When You Need a vCISO

You might benefit from a vCISO if:

  • You don't have dedicated security leadership
  • Your IT team lacks strategic security expertise
  • The board needs better security reporting
  • You face increasing compliance requirements
  • You can't justify a full-time CISO salary

DSC vCISO Services

Dead Simple Computing provides vCISO services for organisations that need strategic security leadership.

Service levels:

  • Essential: Monthly strategy, quarterly risk review
  • Professional: + Board reporting, incident coordination
  • Enterprise: + Weekly availability, regulatory liaison

What you get:

  • CISSP-qualified security leadership
  • Board-level reporting
  • Governance Code implementation
  • Regulatory compliance support
  • Incident response planning

13. Resources and Support

Official Resources

NCSC Cyber Governance Training

Free online training for board members

ncsc.gov.uk

Cyber Security Toolkit for Boards

Practical implementation guidance

ncsc.gov.uk

Cyber Governance Code of Practice

The full Code document

gov.uk

Governance Mapping Documents

How the Code maps to CAF, ISO 27001, WEF principles

gov.uk

Further Reading

Cyber Assessment Framework (CAF)

NCSC's framework for assessing cyber resilience

ncsc.gov.uk/collection/caf

10 Steps to Cyber Security

NCSC guidance for organisations

ncsc.gov.uk

Cyber Essentials

Baseline certification scheme

cyberessentials.ncsc.gov.uk

DSC Support

Board Briefings

We deliver board cyber briefings covering:

  • The Cyber Governance Code
  • Your responsibilities as directors
  • Current threat landscape
  • Your organisation's security posture

vCISO Services

Strategic security leadership

Board reporting and governance support

About This Guide

This guide was prepared by Dead Simple Computing Ltd in January 2026 to help boards and directors understand and implement the Cyber Governance Code of Practice.

This guide is for informational purposes and does not constitute legal advice. Directors should seek appropriate professional advice for their specific circumstances.

About Dead Simple Computing

Dead Simple Computing is an MSP/MSSP providing managed IT, security services, and compliance support for regulated industries.

Credentials:

  • CISSP certified
  • ISO 27001 certified
  • Cyber Essentials Plus certified

© 2026 Dead Simple Computing Ltd. All rights reserved.