From policy to practice: shaping the future of cybersecurity governance in the UK

Cyber incidents are on the rise. According to the Department for Science, Innovation and Technology’s (DSIT) Cyber Security Breaches Survey 2025, 74% of large businesses and 67% of medium-sized businesses in the UK suffered some form of cyber breach or attack in the past year.

As increasingly sophisticated attacks place organisations under constant pressure, many businesses are questioning their readiness: our research finds that over half (58%) of European business and IT professionals believe their organisation is likely to experience a cyberattack in the next year.

There’s no doubt that policy, regulation and guidance will play a critical role in supporting boards and their wider organisations to improve cyber readiness. 

So, what’s already out there? And how can businesses use it to improve their digital resilience? 

Unpacking the UK Cyber Governance Code of Practice 

Against this backdrop, the UK Cyber Governance Code of Practice, published by DSIT, sets out clear principles for how boards should approach cyber risk.  

The Code provides guidance on the actions that senior leaders should take to govern cyber risks effectively within their organisation, and forms part of the government’s free package of support on cyber governance. It is underpinned by Cyber Governance Training, designed to help boards and directors strengthen their understanding of cyber governance, and by a Cyber Security Toolkit for Boards, which supports implementation of the Code’s recommendations.

While the Code is voluntary today, DSIT has signalled it will monitor uptake and evaluate effectiveness. Stronger levers, such as regulatory requirements or procurement rules, may be considered in the future. For now, the Code is an effective baseline for governance in the UK. 

At ISACA, we take pride in working with the UK Government and supporting its endeavours to make using technology safe and empowering for users. For instance, we partnered with DSIT to design the Cyber Governance Code of Practice, and more recently our CMMI model was mapped to the Code. The model provides a prioritised pathway for building and implementing new capabilities, helping organisations in any industry assess their current state, measure progress and improve performance.

In practical terms, this means that CMMI aligns with the Code’s principles and can help organisations identify the specific actions they need to take to follow them.

Turning principles into practice: a challenge for boards 

While regulation and voluntary codes are important for achieving cyber resilience, the challenge for boards lies in implementation. Recognising that cyber risk should be governed like any other enterprise risk is one thing; knowing how to measure progress, benchmark maturity, and set priorities is another. 

That’s where the framework mappings recently published by DSIT come into play. As with CMMI and the Cyber Governance Code of Practice, a framework mapping links the principles of a code or regulation to well-established international frameworks, giving boards and CISOs clear direction for assessing their maturity and resilience. Alongside CMMI, the mapped frameworks include ISACA’s COBIT 2019, as well as other recognised standards such as ISO/IEC 27001, the NIST Cybersecurity Framework and the NCSC Cyber Assessment Framework.

For boards, this means they do not need to start from scratch. Instead, they can use proven maturity models to benchmark their governance against the Code, identify gaps, and set measurable, auditable priorities for improvement. Codes and mappings like these act as an enabler for cyber resilience: by implementing strategies that align with regulatory expectations, such as training staff and putting stringent security controls in place, businesses put themselves in the strongest position to withstand cybercrime.

Hear from the experts 

Ultimately, it’s a complex landscape, and regulation can be confusing and fast-evolving. Organisations often struggle to navigate policy change, understand how to apply frameworks in practice, and connect regulation to broader business priorities like innovation or resilience. 

These themes will be explored at the ISACA Europe Conference 2025, taking place in London on 15th – 17th October. The three-day event is full of engaging keynotes and sessions from top thought leaders in the cybersecurity space and is a chance to network with like-minded professionals.

One of the highlights will be a fireside chat on Friday 17th October (taking place at 08:30 BST at the main stage) featuring a senior DSIT representative alongside Chris Dimitriadis, ISACA’s Chief Global Strategy Officer. The session, ‘Strengthening Cyber Resilience through Policy and Regulation’, will examine the UK’s evolving governance landscape, lessons learned from international approaches, and practical strategies for aligning business resilience with regulatory expectations. 

In addition to main-stage discussions, attendees can visit the CMMI Institute stand to speak with experts about how frameworks such as CMMI V3.0 and COBIT 2019 can support implementation of the Code. With over 350 senior professionals expected, the conference will be a unique opportunity to exchange experiences, ask questions, and connect policy to practice.
