Question 1

What is the UK Cyber Governance Code of Practice?

Accepted Answer

It is the standard for board-level cyber governance published by the Department for Science, Innovation and Technology with the National Cyber Security Centre in April 2025. It sets out 22 actions across five principles (risk management, strategy, people, incident planning, and assurance and oversight) that directors are expected to own.

Question 2

Is the Cyber Governance Code mandatory?

Accepted Answer

The Code itself is voluntary, but it is the benchmark regulators, insurers and acquirers increasingly hold boards to, and the forthcoming Cyber Security and Resilience Bill raises the cost of ignoring it. Treating it as optional is a board decision with consequences.

Question 3

Who should complete this assessment?

Accepted Answer

Chairs, non-executive directors, CEOs, and audit or risk committee chairs. It needs no technical knowledge. It asks what your board could evidence today, not how your IT is configured.

Question 4

How is it scored?

Accepted Answer

Each of the 22 actions is rated against four behaviourally anchored levels, from absent to assured. You declare whether each answer rests on documents, knowledge or belief, and the tool grades the reliability of your own profile. Each principle is constrained by its weakest action, the way an assurance reviewer would read it.

Question 5

What do you get?

Accepted Answer

You answer all 22 actions and receive a principle-by-principle maturity profile, the exact gap to the Code's bar, the evidence artefact to create for each gap, and an honest grade of how defensible your answers are.

Question 6

Is this a substitute for an assurance review or audit?

Accepted Answer

No. It is a readiness signal based on what you tell it. An assurance review tests the artefacts themselves. Where your answers rest on belief rather than documents, treat them as the audit findings they would become.

73% of UK boards have nobody accountable for cyber. Yours has a name on it, or it does not.