Published On: June 17, 2024
Chris Dimitriadis, Chief Global Strategy Officer, ISACA

A founder member of the UK Cyber Security Council, ISACA is an independent, not-for-profit, global professional association, engaging in the development, adoption and use of globally accepted, industry-leading knowledge and practices for the effective and safe, business and personal use of technology. ISACA has been established in the UK for over 35 years with over 10,000 members and has around 180,000 professional members worldwide in over 180 countries.


Launched in 2014, Cyber Essentials is the UK government’s central scheme setting out the fundamental controls that all organisations should implement to increase their cyber security. Importantly, the scheme is a prerequisite for central government contracts that require the handling of sensitive data and aims to mitigate the risks from many common internet-based threats. It offers a mechanism for organisations to demonstrate to customers, investors, insurers, and other stakeholders that they have taken essential precautions to secure their systems.

Now, a decade on from the scheme’s launch, the UK government is working to deliver a more comprehensive set of guidance measures that it suggests all organisations, including those using specific technologies, should follow to ensure a higher national baseline of cyber security in response to a changing threat landscape.

In consultation with industry leaders and technical experts, the Department for Science, Innovation and Technology (DSIT) is developing a series of voluntary cyber security codes of practice setting baseline expectations on organisations to ensure good cyber hygiene. To date, DSIT has published five final or draft cyber security codes of practice as part of an ambitious plan to create a wider modular system. The framework builds on existing codes of practice, specific to certain technology, and already implemented by the Department, including a Code for Consumer Internet of Things (IoT) Security, first published in 2018, and a Code for App Stores Operators and Developers, first published in 2022.

At the heart of DSIT’s proposed framework is a draft Cyber Governance Code of Practice, which the Department launched for public consultation in January 2024. The code brings together the critical governance domains that directors and boards of all organisations need to take ownership of, and seeks to provide business leaders with the knowledge and tools necessary to navigate the complexities of cyber threats. Existing guidance, standards, regulation and frameworks were considered in the development of this code, including ISO 27001, ISACA’s COBIT 2019, CMMI V3.0, and more.

In May 2024, DSIT published two further voluntary codes for public consultation, including a Code on AI Cyber Security and a Code for Software Vendors. The former sets baseline security requirements for all AI technologies and is intended to be used as the basis for the development of a global technical standard to promote international alignment on requirements for AI models and systems.

Action in this area is more urgent than ever as, increasingly, employees are turning to AI systems as a means to secure enhanced productivity gains, including by creating written content faster and automating repetitive tasks. ISACA’s latest AI Pulse Poll reveals that while the use of AI systems is on the rise, only a small portion (15% globally and 17% in Europe) of organisations have a formal policy governing the use of AI technology in their organisations. This is despite a growing awareness that AI systems carry multiple cyber security risks and inherent vulnerabilities throughout the system’s lifecycle – across design, development, deployment and maintenance.

Meanwhile, the proposed Code for Software Vendors sets out fundamental security and resilience measures that should be expected of all organisations that develop or sell software used by businesses and other organisations. Today, organisations are increasingly reliant on software to keep their day-to-day operations going. Yet, the widespread use of software has become an easy target for malicious actors, who effectively deploy ransomware tactics to access the personal details of employees and threaten to publish this data or block access to it unless a ransom is paid.

Starting with the broadest cyber security expectations in the Cyber Governance Code and moving towards more product-specific expectations such as in the AI Code, DSIT’s proposed modular system means organisations can select which codes and provisions are most relevant for them depending on their business functions and the types of technologies they use or manufacture.

The modular design of the framework also means the UK government can remain agile to an ever-changing threat landscape. As new risks emerge for specific technologies, the government can respond and introduce new codes, such as one for quantum technology, which is currently under consideration.

Where next?

The General Election and the persistent threat of cyber attacks on the UK’s democratic institutions, such as the recent data breach suffered by the Electoral Commission, have thrown into sharp perspective the importance of ensuring organisations of all sizes are supported and guided towards best practice security solutions (especially as they manage the growing range of cyber risks and seek to enhance their resilience and preparedness).

For its 2023 State of Cybersecurity report, ISACA surveyed thousands of cyber security professionals, 38% of whom indicated that their organisation is experiencing more cyber attacks than the year before. Reputational damage, customer data breaches, and supply chain disruption have all been identified as the top concerns of experts who are on the front lines of defending organisations from cyber attacks and building resilience for the long term.

The recently published McPartland Review of Cyber Security and Economic Growth recommends that the next government takes forward the Cyber Governance Code of Practice and cements this as a key operational resilience requirement for businesses. While it will be up to the incoming administration to decide on the codes’ continued value and purpose, consideration will need to be given to how they can be made a success and how to boost uptake from across the private sector should this work continue.

Historically, there has been low adoption of government cyber guidance, typically reflecting a board-level culture that regards investment in cyber resilience as a technical and non-essential issue. To incentivise organisations to implement the codes, an incoming government should consider devising an external assurance mechanism premised on organisations receiving ‘badges’ signifying they have received assurance from independent auditors in line with the standards and process improvement frameworks mapped against the code’s underlying actions. A cursory look at other jurisdictions such as Australia, where a similar approach has been taken, could provide an incoming administration with food for thought on how to generate demand for such a mechanism and support implementation.

Crucially, the success of this policy initiative will be contingent, not only on the extent to which these voluntary codes receive industry attention and uptake, but also on the improvements they deliver in organisational cyber security and broader national resilience. The next administration should carefully monitor organisational uptake of the various codes and assess the need for further interventions where appropriate. Such further action could include embedding the codes into the existing regulatory landscape so that the broader ecosystem of suppliers and partners adopt measures which are proportionate to their risk environment.
