Cyber security codes of practice
This page brings together the various codes of practice for cyber security. It explains who they are aimed at and how they link together.
On 15 May 2024, the government published two new voluntary codes of practice for consultation. The government has been working in these areas as part of our commitment under the National Cyber Strategy to increase software resilience and help secure Artificial Intelligence (AI) systems.
AI Cyber Security Code of Practice and International Standard
The AI Cyber Security Code of Practice advocates a secure-by-design approach to the cyber security of AI. The exploitation of vulnerabilities in AI could result in the loss of data and increased breaches within organisations, and therefore it is essential that cyber security and resilience is built into the design of AI throughout the technology’s lifecycle. The Government is proposing a two-part intervention in the form of a voluntary code of practice which is intended to form the basis of a future global standard.
The Code of Practice for Software Vendors
The Code of Practice for Software Vendors is the cornerstone component of an ambitious package of policy measures which take a secure by design approach to the development and maintenance of software. It ensures that organisations selling software, or products containing software, prioritise security and resilience in the design of their products. This can then be communicated effectively with business customers to facilitate risk management throughout supply chains.
Our consultations
The government is now seeking views from industry and the public on each of these codes of practice through two public consultations, each running between 15 May and 10 July 2024. Stakeholders are encouraged to submit feedback to help inform our future policy.
Call for views on the cyber security of AI
Call for views on the code of practice for software vendors
The modular approach: A new approach to cyber security voluntary codes of practice
To date and including the two new proposals, DSIT has published five codes of practice on cyber security*. The codes range from the provision of baseline cyber security measures for all organisations, to codes with scopes which address specific risks, such as AI.
We recognise the introduction of these codes, and the potential for further codes to be published, will create a layered landscape. DSIT has therefore developed a modular approach to implementing current and future codes.
Not only will it make accessing and understanding how the various codes fit together, but it will also help organisations easily identify which codes are relevant to them. This will mean that the complexity of the products or services provided by an organisation will determine the number of codes that they should consider.
DSIT’s codes of practice would be implemented by organisations using the following pathway:
| Who | Codes of practice to follow | Detail |
|---|---|---|
| All organisations | Cyber Governance Code of Practice | The Cyber Governance Code of Practice brings together the critical governance areas that directors and boards of all organisations need to take ownership of in one place. This, along with technical controls promoted by Cyber Essentials, bring together the two key aspects that organisations need to develop cyber resilience. Much of the contents of this code aligns with existing industry and government resources, including the Cyber Assessment Framework. Further guidance on implementation of these principles and actions is provided within the NCSC’s Cyber Security Toolkit for Boards, and the two work together to form a coherent set of guidance for boards, directors and their senior advisors. |
| Organisations selling digital products containing software | The Code of Practice for Software Vendors, AND The Cyber Governance Code of Practice | Software is a component of virtually all digital products and, as such, is an essential factor in the resilience of those products. The provisions in this code of practice provide the baseline expectations for manufacturers and suppliers of digital products and services containing software. |
| Organisations selling digital products containing software with further product-specific cyber security and resilience requirements | Product-specific codes of Practice such as: The Code of Practice for Apps/App Stores, OR The Consumer IoT Code of Practice / ETSI EN 303 645 / PSTI Act 2024, OR The AI Cyber Security Code of Practice, AND The Code of Practice for Software Vendors, AND The Cyber Governance Code of Practice | These codes are designed to address cyber resilience and security risks specific to certain technologies. The resilience of these technologies is dependent on the resilience of the software which underpins them, and of the organisation that develops them. As such, organisations adhering to these codes should also seek to adhere to both the Cyber Governance Code of Practice, and the Code of Practice for Software Vendors. It is possible that organisations providing a range of digital products and services would need to consider implementing more than one of these codes. This depends on the complexity of their business function. |
This pathway for implementation of our codes of practice will be updated regularly. We would encourage organisations to follow this to ensure they are taking the steps necessary to safeguard themselves from cyber risk.
Background
What is a Cyber Security Code of Practice?
Codes of Practice have been developed by the Department for Science, Innovation and Technology (DSIT) to set clear expectations for cyber security and resilience and should be considered voluntary. Codes outline what should be the baseline response to a given set of risks. They may act as stepping stones towards either further tailored guidance, or towards firmer interventions such as international standards or domestic regulation, if necessary.
Context
Our codes of practice are a part of a broader approach taken by government to ensure that citizens and businesses in the UK can use digital technologies safely.
Setting minimum cyber security expectations and incorporating them into the development of digital technologies from the start, is a crucial step towards safeguarding evolving cyber threats. This also provides consumers with confidence in the technologies that they depend on, and the UK government is committed to providing that certainty. Most notably, the UK produced the world’s first mandatory and enforceable security requirements for consumer technologies, the Product Security and Telecommunications Infrastructure (PSTI) Act, which came into force in April 2024. The two codes are underpinned by those same principles.
A secure-by-design approach is only one of many steps required to achieve UK-wide cyber resilience. The UK government has also taken concrete steps to ensure that organisations across our economy are provided with the support and guidance that they require to protect themselves from cyber risks, including those affecting complex digital supply chains. This approach has been anchored around Cyber Essentials, a government scheme which certifies those organisations which implement the basic cyber security controls sufficient to protect against the most common cyber attacks. Our codes are complementary with these technical controls and seek to build on them, whether by seeking to address specific additional risks beyond these baseline controls, or by identifying broader, non-technical measures that support organisational resilience.
*DSIT’s other Codes are the ‘Cyber Governance Code of Practice’ which outlines the baseline responsibilities for senior leadership to promote strong organisational cyber security; and the ‘App Store Privacy and Security Code of Practice’, which is being implemented by all major app store operators across the world. The PSTI Act originated from a Code of Practice published in 2018.
Cyber security codes of practice
Cyber security codes of practice currently in use or in development.