
The Role of CMMI in Supporting the UK Government’s Cyber-Governance and Software Security Codes of Practice


The risks to businesses from cyber threats form a dynamic and continually evolving threat landscape that has the potential to cause significant harm and disruption to organizations caught out by malicious actors. In recent months, several high-profile organizations have experienced cyber-attacks which have hit the headlines, but this is just the tip of the iceberg in terms of total cyber-crime across the country (and indeed, the world).

To help combat this ever-increasing threat, the UK Government’s Department of Science, Innovation and Technology (DSIT) has recently published two voluntary Codes of Practice to help UK businesses to start to mitigate cyber threats.


In April of this year (2025), the Cyber Governance Code of Practice was issued, followed in May by the Software Security Code of Practice.


These two documents outline a (currently) voluntary set of guidelines intended to help UK organizations improve their resilience in the Cyber Security threat environment. Part of the problem is a lack of awareness as to the nature and magnitude of the threats that all organizations face, often coupled with a false sense of security that any provisions which may have been made will be sufficient to combat the current set of threats - threats which are continuously evolving. The Codes of Practice aim to raise awareness within the industry and to emphasise the need for a continuing and ongoing defensive response.


The Cyber Governance Code of Practice



The Cyber Governance Code of Practice is targeted at Board Members, Directors and CIOs and is intended to highlight the responsibilities these roles play in managing the Cyber Security threat to their organizations.


The degree of risk should not be underestimated. According to the Cyber Security Breaches Survey 2024, the percentage of large organizations within the UK that have been subject to some form of cyber attack or security breach in the last year is around 74%, with the average across all business sizes being as high as 50%. This represents a key business risk that demands clear leadership to address, and the Cyber Governance Code of Practice is designed to help inform leadership teams of the pivotal role they play in ensuring their organizations establish an effective response to the very real threats they face and develop an appropriate level of resilience.


The Cyber Governance Code of Practice identifies 5 key principles and sits alongside the Cyber Essentials certification scheme as a foundational component within the wider DSIT modular approach to Cyber Security Codes of Practice. The 5 principles relate to:


  • Risk Management

  • Strategy

  • People

  • Incident Planning, Response and Recovery

  • Assurance and Oversight.


To establish how prepared an organization is against this Code of Practice, organizations need to undertake some form of assessment and one way to do this is to utilise an existing framework of best practice which covers the key elements of the CoP.


DSIT have published a number of mappings of established frameworks to the Cyber Governance Code of Practice and one of these maps the CoP to the Capability Maturity Model – Integration v3.0 (CMMI). This mapping demonstrates that the principles of the CoP and the associated recommended actions are potentially completely covered by the CMMI and consequently, adoption of CMMI best practice, and appraising against it, could effectively demonstrate adherence to the Cyber Governance Code of Practice. It draws a clear and definitive link between the new code and the CMMI model.


Of particular relevance to the mapping are the two practice areas within the new ‘Security’ Domain within the CMMI. CMMI Domains are areas of specialisation where specific practices related purely to that domain are identified and supported by the more general common ‘core’ practice areas.


The Security Domain contains the following specialist practice areas:


  • Enabling Security (ESEC): which provides a generalised approach to all elements of security, including physical, functional and cyber security.


  • Managing Security Threats and Vulnerabilities (MST): which provides a specialised form of Risk Management approach to managing specific individual security threats.


ISACA provides video summaries of these practice areas through their sequence of ‘Tech Talk’ videos.

The Software Security Code of Practice


The Software Security Code of Practice helps organizations to defend against cyber threats.

The Software Security Code of Practice provides specific guidance for software vendors and their customers in reducing the likelihood and impact of software supply-chain attacks and other software resilience threats. The foundational principles outlined in the Cyber Governance Code of Practice are of fundamental importance to this code of practice and the two should be implemented concurrently.


The essential premise underpinning this CoP is that most software security threats and vulnerabilities are caused by avoidable weaknesses in the software development and maintenance practices and that in many cases, the problems experienced are made worse through poor communication within organizations and between them and their software suppliers.


The CoP outlines 14 principles across 4 different themes:


1)      Secure design and development

2)      Build environment security

3)      Secure deployment and maintenance

4)      Communicate with customers


As with the Cyber-Governance CoP, the CMMI Framework provides a solid basis upon which to build your organization’s response to the Software Security CoP. CMMI provides best practice that fully and comprehensively covers the Software Security CoP and a mapping between the DSIT CoP and CMMI is being developed, similar to the one discussed above for the Cyber-Governance CoP.


How can CMMI Help?

Currently the Cyber Governance and Software Security Codes of Practice are voluntary; however, it is clear that the UK government, as with most governments around the world, is increasingly concerned about the threats cyber-crime poses to the national infrastructure at both a government and individual business level.


These Codes of Practice form an initial starting point for all organizations to start to understand and manage the threats they are likely to increasingly face over the coming years. As the threat level increases, there is every possibility that the voluntary codes may at some point become mandated, so it is vital that all organizations, no matter how small, start thinking about and preparing a response to these very real threats.

CMMI provides a robust and time-tested framework around which to form a compliant response to the CoPs whilst at the same time helping organizations that use it to implement more generalised process improvement activities in order to evolve their general operational performance and capability. CMMI’s modular architecture enables organizations to focus on the model elements that align to their unique needs, and supports integration with other standards such as ISO 27001, NIST and ITIL, making it a unifying framework for performance improvement.


If you would like to learn more about CMMI and how it may help you formulate a response to the Cyber-governance and Software Security Codes of Practice, the introductory ‘Building Organizational Capability’ (BOC) course is a great place to start. Not only will you learn about the specific practice areas in CMMI that focus on Security issues, but you will gain a comprehensive insight into how the CMMI Framework can be used across your organization to establish continuous improvement based on tried and tested best practice from across the full range of industry sectors.


The BOC course leads to the CMMI Practitioner Certification exam enabling you to serve on CMMI appraisals looking at any of the 8 special interest areas including the Security domain that is of particular importance here.


You can book a place on one of our BOC courses here, or you can explore the other CMMI training options available to you by reading our blog post.


References:


Recent high-profile UK cyber attacks:




DSIT Codes of Practice:



DSIT Cyber Security Breaches Survey 2024

