The UK Government’s Software Security Code of Practice marks an important step in strengthening the resilience of software supply chains. As ISACA joins the Ambassador Scheme, this piece outlines what the Code is, why it matters, and how it aligns with the frameworks, certifications and professional practices that define our community.
What is the UK’s new Software Security Code of Practice?
Software sits at the heart of our economy. It powers our businesses, public services and critical infrastructure. But as our reliance on software has grown, so too has the scale and sophistication of attacks targeting vulnerabilities in software and its supply chains. It is against this backdrop that the UK Government introduced the Software Security Code of Practice: to strengthen the resilience of the software ecosystem and establish a clearer baseline for what good security should look like in practice.
The Code was developed by the UK Department for Science, Innovation and Technology (DSIT) and the National Cyber Security Centre (NCSC), in partnership with industry stakeholders including ISACA. It defines 14 voluntary principles designed to help software vendors secure software at every stage of its lifecycle, from design and development, through deployment, to ongoing maintenance. These principles are grouped under four themes: secure design and development; build environment security; secure deployment and maintenance; and communication with customers.
What I find particularly important is that the Code recognises security as a shared responsibility. It is not aimed solely at developers; it applies to software suppliers, buyers and organisations across the supply chain. Vendors can use it to strengthen their internal practices; buyers can use it to set clear expectations in procurement and supplier management. Together, this creates a common language for software security.
While voluntary, the Code reflects internationally recognised practices and aligns with global approaches such as the US Secure Software Development Framework (SSDF) and complements evolving regulation such as the EU’s Cyber Resilience Act. Organisations can demonstrate alignment either through structured self-assessment or independent evaluation via the NCSC’s Cyber Resilience Test Facilities.
In short, it provides a practical baseline – one that raises expectations today, while helping prepare the market for the demands of tomorrow.
Why ISACA is Proud to Serve as an Ambassador
ISACA is proud to have a longstanding relationship with the UK Government and policymakers, providing independent expertise to support the development of practical, effective cyber policy. Our involvement in the Software Security Code of Practice Ambassador Scheme is a natural extension of that partnership.
The Government’s new voluntary scheme brings together industry leaders to actively champion the Code and accelerate its adoption.
Following publication of the final Code at CyberUK 2025, ISACA was invited to join as an Expert Adviser – recognition of the role our global professional community plays in strengthening secure digital ecosystems. As an ambassador, we have committed to promoting uptake of the Code and embedding its principles into our professional engagement, thought leadership and member activity.
The Code itself reflects principles that our members already understand deeply: security by design, lifecycle accountability and supply chain integrity. Serving as an ambassador allows us to help translate these principles into practical, scalable adoption across sectors and geographies.
It also reinforces our commitment to championing collaborative, industry-led approaches that raise standards while strengthening operational resilience. We are proud to stand alongside Government and industry in advancing a shared baseline for secure software, one that supports innovation while building trust in the face of evolving threats.
What This Means for Professionals
For ISACA members, the Code of Practice is more than a policy initiative – it is a professional opportunity.
It defines what ‘good’ looks like in software development across the lifecycle. For CISOs, auditors, governance professionals, risk leaders, developers and board advisers, it offers a practical framework to assess and strengthen practices within your organisations and across supply chains.
The Code complements ISACA’s frameworks, certifications and guidance. Its focus on secure design, lifecycle accountability and supply chain integrity reflects principles embedded in credentials such as CISM and CISA. It also aligns with maturity models like CMMI, helping organisations embed secure practices into culture, process and governance – not just technology. This reinforces a maturity-based approach to resilience, where security is institutionalised and continuously improved rather than applied reactively.
As regulators’ and businesses’ expectations evolve, professionals who understand recognised frameworks, and can demonstrate how they are applied in practice, will be in growing demand. Familiarity with the Code, and the ability to evidence alignment, positions you and your organisations at the forefront of secure digital transformation.
I encourage you to explore the Code, assess how its principles align with your current practices, and champion secure software development within your organisation and across your supply chain, advancing the digital trust that is at the heart of ISACA's mission.