Strengthening Leadership on Cyber Risk: A Practical Guide to the New UK Cyber Governance Code of Practice
What is the Cyber Governance Code of Practice?
The Code outlines the critical governance actions directors are responsible for. It is supported by free Cyber Governance Training and a Cyber Security Toolkit for Boards, providing a full package of resources.
The Code focuses on five key areas:
Risk Management
Strategy
People and Culture
Incident Planning, Response and Recovery
Assurance and Oversight
It complements existing frameworks like Cyber Essentials and should be treated as the foundational standard for any organisation taking cyber governance seriously.
Why it matters:
74% of large businesses and 70% of medium businesses have reported cyber breaches in the last 12 months (Cyber Security Breaches Survey 2024).
Cyber risk is a material risk that can threaten business continuity, reputation, and long-term viability.
Strong cyber governance enables businesses to embrace digital innovation safely and competitively.
First Steps Directors / Trustees Should Take:
Identify Critical Assets
Gain assurance that your organisation has clearly identified and prioritised the systems, information, and processes that are essential to achieving your objectives.
Establish Senior Ownership
Assign board-level accountability for cyber risk, making sure it is integrated into wider risk management.
Define Risk Appetite
Agree and document the level of cyber risk your organisation is willing to accept. Align your cyber strategy with this appetite.
Review Supply Chain Risks
Ensure that you regularly assess the cyber security of your suppliers and business partners.
Develop or Refresh Your Cyber Strategy
Confirm your cyber strategy is up to date, aligns with your business goals, and that adequate resources are in place to deliver it. If you are not sure where to start, a fractional CISO can do this for you.
Foster a Positive Cyber Security Culture
Promote cyber awareness at all levels, including board training to improve directors' cyber literacy.
Test Your Incident Response Plans
Regularly exercise your cyber incident response and recovery plans and update them based on lessons learned.
Implement Formal Governance Structures
Set clear roles and reporting requirements for cyber governance, ensuring it is part of your existing governance and assurance frameworks. There is no need to reinvent the wheel: existing frameworks such as IASME Cyber Assurance or ISO 27001 work well here.
Want to Dive Deeper?
Listen to Episode 10 of our podcast, the Business Leaders Cyber Briefing, where we explain the new Code of Practice in plain English, discuss what it means for your board, and share real-world tips on getting started.
How Cool Waters Cyber Can Help
Navigating new governance responsibilities can feel overwhelming. Cool Waters Cyber is here to make it simple. We offer tailored support to help businesses and charities implement the Cyber Governance Code of Practice, including:
Board cyber governance training
Gap analysis and action planning
Ongoing compliance monitoring and reporting
Let us help you build stronger cyber resilience from the top down.
Read more about our Implementation Service to help you align with the Code of Practice.
Fast Track compliance with IASME Cyber Assurance
Read how the IASME Cyber Assurance standard provides a ready-made framework for compliance with the Cyber Governance Code of Practice, saving time and money and fast-tracking compliance:
Read: How to Implement the Cyber Governance Code with IASME Cyber Assurance
Speak to us today
Get in touch with Cool Waters Cyber today to start your journey towards effective cyber governance.
Download the Code of Practice
You can download the Cyber Governance Code of Practice here: https://www.gov.uk/government/publications/cyber-governance-code-of-practice