Policy paper

Cyber Governance Code of Practice

This Code of Practice and wider governance package shows boards and directors how to manage digital risks and protect their businesses and organisations from cyber attacks.

Details

Effective management of cyber risks is critical to the operation of modern businesses.

This Cyber Governance Code of Practice shows how company boards and directors can build resilience to a wide range of cyber risks across their organisation. The Code, which has been co-designed with technical experts from the National Cyber Security Centre (NCSC) and a range of governance experts across industry, focuses on the actions senior leaders should take to govern cyber risks effectively within their organisation.

The Code forms part of the government’s free package of support on cyber governance and should be the first point of reference for board members. It is underpinned by Cyber Governance Training, which helps boards and directors to strengthen their understanding of how to govern cyber security risks, and the Cyber Security Toolkit for Boards, which supports boards and directors in implementing the actions set out in the Code.

There are also documents showing how the Code maps to established cyber security standards and frameworks, such as the NCSC’s Cyber Assessment Framework (CAF).

A one-page summary of the Cyber Governance Code of Practice has also been provided to offer a concise view of the Code.

The Code of Practice was launched on 8 April 2025.

The government is monitoring uptake of this Code of Practice and seeking feedback. If you are using the Code of Practice, please fill out the monitoring and evaluation survey.

Why do we need the Cyber Governance Code of Practice?

Digital technologies are now firmly embedded within the vast majority of businesses and organisations across the UK, regardless of size. For most, critical business operations, such as payroll and invoicing, could not happen without digital technologies. However, directors and boards often have little to no meaningful oversight of how these technologies are used and managed, despite the business-critical consequences if they were disrupted or compromised.

Cyber incidents can lead to major impacts on businesses and organisations whether that is direct loss of income due to disruption of services, damage to customer trust following theft of personal data or intellectual property, or costly remedial action following a ransomware attack.

Cyber risk is a material risk for almost all organisations, and boards and directors need to be able to govern this risk effectively. Building and maintaining cyber resilience is therefore crucial to protecting an organisation’s financial viability.

The Code of Practice shows how to manage cyber risks effectively and reduce the likelihood and impact of cyber attacks.

This Code of Practice was developed following a call for views from industry in 2024 and the government’s response, published in January 2025.

Updates to this page

Published 8 April 2025
