This article argues that self-attestation has failed as a credible assurance mechanism, citing Cyber Essentials’ low uptake and ISO 27001’s limits. It warns that if DSIT builds the Cyber Governance Code of Practice on self-assessment, it will fail. To succeed, the Code must mandate independent, accredited assurance that directors, investors, and regulators can trust.
Introduction
In DSIT’s consultation on the proposed Cyber Governance Code of Practice (2024), directors were asked to comment on assurance: should organisations self-assess, face spot checks, or submit to independent audits?
On the surface, this seems like a technical choice. But in reality, it is the single biggest determinant of whether the Code succeeds or fails. Why? Because self-attestation has already been tried — and it has failed.
If the new Code is built on the same flawed foundation, it will collapse into the same compliance theatre that has dogged cyber policy for a decade.
The Problem with Self-Attestation
Self-attestation assumes that organisations can truthfully and reliably declare their cyber maturity. That assumption is wrong. Four structural flaws make it unfit for purpose:
- Conflict of interest
  - Organisations have every incentive to overstate readiness, particularly when reporting to customers, regulators, or investors.
  - The result is optimistic scoring, not honest assessment.
- Shallow assessments
  - Tick-box forms cannot capture the complexity of resilience.
  - They measure presence (“a policy exists”) rather than effectiveness (“the policy is followed, tested, and embedded”).
- False confidence
  - Boards are lulled by certificates and dashboards into believing resilience exists where it does not.
  - This creates dangerous gaps between perception and reality.
- Weak signalling to markets
  - Investors, insurers, and partners discount self-attested claims because they carry no independent credibility.
  - As a result, such claims fail to function as a meaningful governance signal.
Evidence from Practice
We don’t need hypotheticals — the failures are already visible.
- Cyber Essentials: fewer than 40,000 organisations certified in two years, out of ~12 million UK trading entities. That’s just 0.3% penetration. Even where achieved, it is often treated as a checkbox exercise by IT teams, invisible to boards.
- ISO 27001: despite external audits, the model is often document-heavy. Compliant paperwork is easy to produce; genuine resilience is harder. Breaches have occurred in “certified” organisations, undermining trust.
- Real-world breaches: From supply chain compromises to ransomware, high-profile incidents continue to hit organisations that were “compliant” on paper. Self-attestation has provided cover, not resilience.
What DSIT Needs to Hear
The consultation cannot duck this issue. If the Cyber Governance Code of Practice is to be credible, it must:
- Reject self-attestation as a primary assurance mechanism: useful as a starting point, but insufficient on its own.
- Mandate independent validation: directors need assurance equivalent to audited accounts, not just internal declarations.
- Accredit the assessors: government must create or endorse a register of credible assessors, so boards know who to trust.
- Align with market expectations: insurers, investors, and regulators must see Code compliance as reliable. That requires external assurance, not box-ticking.
Risks of Inaction
If DSIT defaults to self-attestation, the consequences are predictable:
- Boards disengage: Directors will dismiss the Code as another paperwork exercise.
- Markets distrust it: Investors and insurers will ignore it, undermining its credibility.
- Organisations are misled: False assurance will leave firms believing they are resilient, right up until the breach proves otherwise.
- The Code fails: Adoption may look good on paper, but real resilience will not improve.
Conclusion
Self-attestation has had a decade to prove itself. It has failed. The consultation is the government’s chance to learn from that failure.
If the Cyber Governance Code of Practice is to succeed, it must make assurance credible, independent, and professional. Directors cannot govern on the basis of hopeful paperwork; they need evidence they can trust.
If DSIT gets this wrong, the Code will not change behaviour. It will become one more tick-box scheme in a crowded field. If it gets it right, it could reshape the culture of cyber governance in the UK.