Created following extensive public and industry consultation, these Codes of Practice set out the fundamental security and resilience measures for U.K. organizations that develop and/or sell software to other organizations, as well as defining minimum viable principles and standards to secure AI systems.

The UK Department for Science, Innovation and Technology (DSIT) recently published a wide-ranging Software Security Code of Practice. While this is a voluntary code, it is a substantial resource to support software vendors and their customers in reducing the impact of software supply chain attacks and other software-related resilience incidents.

The Code has been co-developed with the National Cyber Security Centre (NCSC) and a group of industry and academic experts, as well as through extensive public consultation. As the creator of the CSSLP certification, ISC2 responded to the consultation phases of this initiative on behalf of members, ensuring that member concerns and considerations were part of the discussion process.  

What is the Software Security Code of Practice?

The Code of Practice sets out security and business resilience measures that should be a baseline expectation from all organizations that develop and/or sell software in or to the U.K. It covers the creation, testing, release and reasonable maintenance of software. It applies to both proprietary and open-source software developers, distributors, resellers and maintainers. It also has responsibility implications for organizations buying software, as well as senior leaders and technical specialists within software vendor organizations.

It contains 14 principles split across four themes:

Secure Design and Development – Ensuring that the software is appropriately secure when provided:

  • Following an established secure development framework
  • Understanding the composition of the software and assessing risks linked to the ingestion and maintenance of third-party components throughout the development lifecycle
  • A clear process for testing software and software updates before distribution
  • Adherence to secure by design and secure by default principles throughout the development lifecycle of the software

Build Environment Security – Ensuring that the appropriate steps are taken to minimize the risk of build environments becoming compromised, to protect the integrity and quality of the software being developed:

  • Protecting the build environment against unauthorized access
  • Controlling and logging changes to the build environment

Secure Deployment and Maintenance – Taking steps to ensure the software remains secure throughout its lifetime, as well as minimizing the likelihood and impact of vulnerabilities:

  • Distributing software securely to customers
  • Implementing and publishing effective vulnerability disclosure processes
  • Processes and documentation for proactively detecting, prioritizing and managing vulnerabilities in software components
  • Reporting vulnerabilities to relevant parties as appropriate
  • Providing timely security updates, patches and notifications to customers

Communication With Customers – Ensure that vendor organizations provide sufficient information to customers to enable effective risk and incident management:

  • Providing information to the customer specifying the level of support and maintenance that will be provided for the software being sold
  • Providing at least one year’s notice to customers of end-of-life of a software application
  • Providing information to customers about notable incidents that may cause significant impact to their organizations

For organizations already using this Code, the government has launched an evaluation survey for users to provide feedback. The survey is open until December 2026.

Bringing a Code of Practice to AI Cybersecurity

In addition to this wide-ranging Software Security Code of Practice, DSIT in conjunction with the NCSC, has also published a voluntary Code of Practice for the Cyber Security of AI. Like the Software Security Code of Practice, the AI Code of Practice defines baseline expectations and requirements for the cybersecurity robustness and resilience of cybersecurity requirements for the lifecycle of AI. Again, the Code of Practice for the Cybersecurity of AI applies to developers, as well as system operators, data custodians and end users. It covers many comparable areas of baseline requirement as the Software Security Code of Practice, and is based on 13 principles:

  • Raising Awareness of AI Security Threats and Risks
  • Designing AI Systems for Security, Functionality and Performance
  • Evaluating Threats and Managing Risks to AI Systems
  • Enabling Human Responsibility for AI Systems
  • Identify, Track and Protect Assets
  • Securing Infrastructure
  • Securing Your Supply Chain
  • Documenting Data, Models and Prompts
  • Conducting Relevant Testing and Evaluation
  • Communicating Processes That Impact End Users and Affected Entities
  • Maintaining Regular Security Updates, Patches and Mitigations
  • Monitoring System Behavior
  • Ensuring Proper Data and Model Disposal

ISC2 has also been involved with providing responses to consultations and representing the views and interests of members during the development of the Code of Practice for the Cybersecurity of AI. ISC2 responded to the public consultation on Cybersecurity of AI in August 2024, along with hosting a series of virtual roundtables with U.K. members to feed into the U.K. Government’s AI Cyber Call for Views Response in relation to its efforts to develop an AI Cybersecurity Code of Practice and Implementation Guide.

The Code of Practice for the Cyber Security of AI has also had an impact in international guidance and standards, helping to inform the newly developed Baseline Cyber Security Requirements for AI Models and Systems from the European Telecommunications Standards Institute (ETSI). This is a precursor to a comprehensive European standard, expected before the end of 2025.

Related Insights