UK Unveils Draft Cybersecurity Governance Code

The UK Department for Science, Innovation and Technology (DSIT) has revealed what its future Cybersecurity Governance Code of Practice will look like and the five principles it will include.

While the document is undergoing final review, Jack Harrigan, head of cyber governance and accountability at DSIT, shared a glimpse of the final version during the ISACA London Conference 2024, held on February 28.

The idea of a Cybersecurity Governance Code of Practice was introduced on January 23, 2024.

It aims to support directors and business leaders in developing a cyber governance plan in order to drive greater cyber resilience.

This initiative aligns with the UK’s £2.6bn National Cybersecurity Strategy, introduced in 2022.

The UK government plans to make the Code of Practice its go-to cybersecurity guidance, supporting organizations across all sectors that want to put in place or improve a comprehensive set of cybersecurity measures.

On January 23, DSIT launched a call for views to get feedback from UK-based organizations on what should and should not be included in the Code and how to structure the document.

“We want to make sure the Code of Practice offers a coherent set of cyber guidelines, that’s why we are currently trying to align the document with existing resources, including security principles provided by the National Cyber Security Centre (NCSC),” Harrigan said during the ISACA London Conference.

Five Principles and Practical Actions to Take

From these existing resources, DSIT and its partners have created a long list of principles, condensed them into five high-level principles, and tested them by getting feedback from within the government, from a Cyber Resilience Expert Advisory Group and from UK businesses.

The five final principles selected are the following:

  • Risk management
  • Cyber strategy
  • People
  • Incident planning and response
  • Assurance and oversight

Each principle is broken down into a list of practical actions to take.

For example, some of these actions corresponding to the ‘Incident planning and response’ chapter include:

  1. Ensure that the organization has a plan to respond to and recover from a cyber incident impacting business-critical processes, technology, and services.
  2. Ensure that there is regular, at least annual, testing of the plan and associated training, which involves internal and external stakeholders.
  3. In the event of an incident, take responsibility for individual regulatory obligations and support executives in critical decision-making and external communications.
  4. Ensure that a post-incident review process is in place to incorporate lessons learned into future response and recovery plans.

For each of these actions, the document will provide a list of specific elements to include, indicators of success and some essential activities to undertake.

For instance, elements to include when undertaking the first action within the ‘incident planning and response’ chapter include:

  • Key contacts to include in your plan
  • Escalation criteria
  • A basic flowchart or processes corresponding to your organization
  • Basic guidance on legal or regulatory requirements

For the same action, some indicators of success include questions like:

  • How complete and up to date is your inventory?
  • Do you have the assurance that changes are considered and recorded to keep the baseline up to date?
  • Does the board have assurance that the critical assets are known, who is responsible for each asset, what it is used for and where it is stored?
  • Have the priority objectives been clearly communicated and is there assurance that those priorities guide cybersecurity efforts?

Code of Practice Launch Planned for Later in 2024

The call for views on the Cyber Governance Code of Practice runs until March 19.

“We would be grateful for feedback on the design of the Code, how to drive uptake and what barriers exist that could affect the implementation of the Code,” Harrigan concluded.

The UK government will publish its response to the public consultation in the summer of 2024.