Understanding Cyber Threats: The Importance of Cyber Governance and Software Security Codes of Practice
- Jonathan Dean

- Oct 20
- 5 min read
Updated: Nov 3
The cyber threats facing businesses form a dynamic and continually evolving landscape, one that can cause significant harm and disruption to organizations caught off guard by malicious actors. In recent months, several high-profile organizations have suffered cyber-attacks that made headlines. However, these are just the tip of the iceberg in terms of total cyber-crime across the country and the world.


To combat this ever-increasing threat, the UK Government’s Department for Science, Innovation and Technology (DSIT) has recently published two voluntary Codes of Practice, designed to help UK businesses mitigate cyber threats effectively.
In April of this year (2025), the Cyber Governance Code of Practice was issued, followed in May by the Software Security Code of Practice.
These two documents outline a currently voluntary set of guidelines intended to help UK organizations improve their resilience against the cyber security threat environment. A significant part of the problem is a lack of awareness of the nature and magnitude of the threats that all organizations face. This is often coupled with a false sense of security, where organizations believe that whatever provisions they have already made will be sufficient against the current set of threats, even though those threats are continuously evolving. The Codes of Practice aim to raise awareness within industry and emphasize the need for a continuous, ongoing defensive response rather than a one-off exercise.
The Cyber Governance Code of Practice

The Cyber Governance Code of Practice targets board members, directors, and CIOs. It highlights the responsibilities these roles play in managing the cyber security threat to their organizations.
The degree of risk should not be underestimated. According to the Cyber Security Breaches Survey 2024, approximately 74% of large businesses in the UK reported experiencing some form of cyber attack or security breach in the preceding 12 months, and the figure across businesses of all sizes is 50%. This represents a key business risk that demands clear leadership to address. The Cyber Governance Code of Practice is designed to inform leadership teams of the pivotal role they play in ensuring their organizations establish an effective response to the very real threats they face and develop an appropriate level of resilience.
The Cyber Governance Code of Practice identifies five key principles and sits alongside the Cyber Essentials certification scheme as a foundational component within the wider DSIT modular approach to Cyber Security Codes of Practice. The five principles relate to:
Risk Management
Strategy
People
Incident Planning, Response, and Recovery
Assurance and Oversight
To establish how prepared an organization is against this Code of Practice, organizations need to undertake some form of assessment. One way to do this is to utilize an existing framework of best practice that covers the key elements of the Code of Practice.
DSIT has published several mappings of established frameworks to the Cyber Governance Code of Practice. One of these maps the Code of Practice to Capability Maturity Model Integration v3.0 (CMMI). The mapping shows that each of the Code’s principles and its associated recommended actions corresponds to practices within CMMI. Consequently, adopting the relevant CMMI practices and appraising against them is one way for an organization to demonstrate adherence to the Cyber Governance Code of Practice, and the mapping gives a traceable link between the new code and the CMMI model.
Of particular relevance to the mapping are the two practice areas within the new ‘Security’ Domain within the CMMI. CMMI Domains are areas of specialization where specific practices related purely to that domain are identified and supported by the more general common ‘core’ practice areas.
The Security Domain contains the following specialist practice areas:
Enabling Security (ESEC): This provides a generalized approach to all elements of security, including physical, functional, and cyber security.
Managing Security Threats and Vulnerabilities (MST): This offers a specialized form of risk management approach to managing specific individual security threats.
ISACA provides video summaries of these practice areas through their sequence of ‘Tech Talk’ videos:
ESEC: Watch here
MST (High Maturity): Watch here
MST: Watch here
The Software Security Code of Practice

The Software Security Code of Practice provides specific guidance for software vendors and their customers. It aims to reduce the likelihood and impact of software supply-chain attacks and other software resilience threats. The foundational principles outlined in the Cyber Governance Code of Practice are of fundamental importance to this code. Both should be implemented concurrently.
The essential premise underpinning this Code of Practice is that most software security threats and vulnerabilities arise from avoidable weaknesses in software development and maintenance practices. In many cases, the problems experienced are exacerbated by poor communication within organizations and between them and their software suppliers.
The Code of Practice outlines 14 principles across four different themes:
Secure Design and Development
Build Environment Security
Secure Deployment and Maintenance
Communicate with Customers
As with the Cyber Governance Code of Practice, the CMMI Framework provides a solid basis upon which to build your organization’s response to the Software Security Code of Practice: its development, supplier-management and security practice areas address the same themes of secure design and development, build environment security, deployment and maintenance, and customer communication. A formal mapping between this DSIT Code of Practice and CMMI, similar to the one discussed above for the Cyber Governance Code of Practice, is still being developed, so the extent of coverage should be confirmed against that mapping once it is published.
How Can CMMI Help?
Currently, the Cyber Governance and Software Security Codes of Practice are voluntary. However, it is clear that the UK government, like many governments worldwide, is increasingly concerned about the threat cyber-crime poses to national infrastructure, to government itself and to individual businesses.
These Codes of Practice form an initial starting point for all organizations to begin understanding and managing the threats they are likely to face in the coming years. As the threat level increases, there is a strong possibility that these voluntary codes may eventually become mandated. Therefore, it is vital for all organizations, no matter how small, to start thinking about and preparing a response to these very real threats.

CMMI provides a robust and time-tested framework around which to form a compliant response to the Codes of Practice. At the same time, it helps organizations implement more general process improvement activities to evolve their operational performance and capability. CMMI’s modular architecture enables organizations to focus on the model elements that align with their particular needs. It also supports integration with other standards and frameworks such as ISO 27001, the NIST frameworks, and ITIL, making it a unifying framework for performance improvement.
If you would like to learn more about CMMI and how it may help you formulate a response to the Cyber Governance and Software Security Codes of Practice, the introductory ‘Building Organizational Capability’ (BOC) course is a great place to start. In this course, you will learn about the specific practice areas in CMMI that focus on security issues. You will also gain comprehensive insight into how the CMMI Framework can be used across your organization to establish continuous improvement based on tried and tested best practices from various industry sectors.
The BOC course leads to the CMMI Practitioner Certification exam, enabling you to serve on CMMI appraisals in any of the eight special interest areas, including the security domain, which is particularly important here.
You can book a place on one of our BOC courses here. Alternatively, you can explore other CMMI training options available to you by reading our blog post.
CMMI DSIT CyberSecurity Governance SoftwareSecurity CyberGovernance CodeofPractice BOC ISACA