What the UK’s New Cyber Governance Code of Practice Means for Your Board — and Why Culture is the Key to Compliance

Published April 2025, the UK’s Cyber Governance Code of Practice signals a seismic shift in how cyber risk must be governed — not just managed. Here’s what it means for your organisation, and how SoSafe helps build the culture to make it stick.
What is the Cyber Governance Code of Practice?
Launched by the UK government in April 2025, the Cyber Governance Code of Practice is a new policy developed by the Department for Science, Innovation and Technology (DSIT) and the National Cyber Security Centre (NCSC) to support boards and directors in governing cyber security risk. It is part of a wider modular approach to security governance, underpinned by tools like Cyber Essentials.
It’s structured around five key pillars:
- Risk Management – Establishing ownership, identifying critical assets, setting a risk appetite, and integrating cyber into enterprise risk.
- Strategy – Ensuring cyber security strategy is aligned to business objectives and sufficiently resourced.
- People – Embedding secure behaviour through leadership, culture, and metrics-driven training.
- Incident Response – Having tested, business-critical incident response plans in place.
- Assurance & Oversight – Ensuring cyber is regularly reported on, reviewed and embedded into audit and board governance.
The Code is aimed at medium and large UK organisations, but small organisations are encouraged to adopt its principles and use the NCSC’s small business resources.
Read the full Code here: Cyber Governance Code of Practice – GOV.UK.
Practical Tools for Directors
To support this Code, the UK government and NCSC have published:
- Free Cyber Governance Training: Tailored for non-technical directors to build cyber literacy. Access the training modules
- The Cyber Security Toolkit for Boards: Including questions, checklists, and scenario-based tools. Explore the full Toolkit
- Quick-Start Guide: For immediate boardroom conversations. Cyber Security 101 – Board Toolkit
- Executive Summary: A concise overview of board responsibilities and how cyber supports business resilience. Toolkit Executive Summary
These are essential reads for any UK director in 2025.
Why It Matters More Than Ever
According to the 2024 Cyber Security Breaches Survey, 74% of large businesses and 70% of medium-sized firms faced a cyber incident in the last 12 months. Yet many boards still lack clarity on how to structure effective governance.
The Code doesn’t just ask leaders to be aware of cyber risks — it asks them to be accountable for managing them. That includes:
- Setting the right tone from the top
- Creating security-aware cultures
- Understanding their role in incident response
This is not an IT problem. It’s a board-level responsibility.
Where SoSafe Comes In
SoSafe is Europe’s leading Human Risk Management platform, supporting organisations to reduce human risk and meet compliance with behaviour-first cyber training and tooling.
Here’s how SoSafe aligns with the Code’s expectations:
1. Risk & Strategy
SoSafe’s Human Risk OS provides real-time behavioural analytics and risk insights to support governance and strategic decision-making. It connects seamlessly with existing IT tools, providing boards with clear evidence of human risk posture.
2. People & Culture
The Code demands organisations foster a “cyber security culture that encourages positive behaviours and accountability”. SoSafe delivers exactly this — through:
- Bite-sized microlearning personalised to user roles
- Gamified training proven to double engagement
- Real-time phishing simulations and reporting tools
This leads to high awareness, behavioural change, and visible metrics boards can track.
3. Incident Readiness
SoSafe’s AI Security Copilot (Sofie) offers 24/7 guidance, awareness alerts and instant support to users, helping organisations act fast in the face of phishing or ransomware attacks.
4. Assurance & Metrics
From training effectiveness to click rates and reporting activity, SoSafe provides actionable metrics that align with the Code’s requirement for quarterly board reporting and assurance reviews.
5. Simplifying Complexity
As NCSC guidance makes clear, cyber governance is not about technical depth — it’s about strategic insight and cultural leadership. SoSafe ensures board members understand their risks and how secure behaviours are being embedded every day.
Final Thought: From Policy to Practice
The Cyber Governance Code of Practice lays the foundation. The training and toolkit bring it to life. But culture makes it real.
With SoSafe, organisations don’t just comply — they transform. They turn security into a shared value, a human reflex, and a strategic enabler.
Want to understand how your board can lead the way on cyber governance?
For more board-level guidance, visit the full NCSC Board Toolkit and start building a resilient cyber culture today.