White shape | Hexiosec Logo
Expert Insights & Advice

Software Security Code of Practice vs Cyber Essentials - What’s the Difference?

David Griffiths
6 July 2026
|
4 min Read
|
David Griffiths

Software Security Code of Practice vs Cyber Essentials: What’s the Difference?

If your organisation develops or sells software, you have probably heard of (and may have) Cyber Essentials, but now also need to consider the Software Security Code of Practice. This is not a successor to Cyber Essentials; they are quite different in both scope and approach, and most software businesses would benefit from doing both.

Here is how they differ and where they overlap.

Different audiences, different purposes

Cyber Essentials is a broad-based cyber security certification scheme aimed at any organisation. It covers five technical controls: firewalls, secure configuration, user access control, malware protection, and patch management. It is a pass/fail assessment on a particular day. Once you pass, you hold the certification for 12 months.

The Software Security Code of Practice is specifically for organisations that develop, sell or buy software. It covers 14 principles across four themes: secure design and development, build environment security, secure deployment and maintenance, and communication with customers. It is not pass/fail. Instead, it is a continuous improvement framework that asks you to evidence how your practices meet each principle, and to be transparent about where they do not.

Put simply: Cyber Essentials asks whether your organisation has basic security controls in place. The Code of Practice asks whether the software you build and sell is being developed, deployed, and maintained securely.

Where they overlap

There is common ground. Both frameworks expect Multi Factor Authentication, access control, and patch management. If you have achieved Cyber Essentials, some of the evidence you gathered will be relevant to the Code of Practice self-assessment, particularly around access control and secure configuration.

But the Code of Practice goes much deeper into the software development lifecycle. It asks about your development framework, your dependency management, your build pipeline security, your vulnerability disclosure process, and how you communicate security information to customers. Cyber Essentials does not cover any of that.

Do you need both?

If you develop or sell software, almost certainly yes, and here is why.

Cyber Essentials is already a de facto requirement for public sector contracts. Many private sector organisations use it as a baseline in supplier due diligence. It is well understood, widely recognised, and straightforward to achieve.

The Code of Practice is newer and still voluntary. But it was developed by DSIT and the NCSC specifically because Cyber Essentials does not address software supply chain risk. With the Cyber Security and Resilience Bill progressing through Parliament, and with 59% of organisations reporting software supply chain attacks in the past year, the trajectory is clear. What is voluntary today will be expected in procurement frameworks within 12–18 months, with the NHS already an early adopter.

The two frameworks are complementary. Cyber Essentials gives you a baseline cyber security posture. The Code of Practice evidences that the software you produce is built securely. Together, they answer two different questions that customers and procurement teams are increasingly asking.

The practical difference in approach

Cyber Essentials is an annual assessment. You prepare, you pass, you hold the certificate. It is a snapshot.

The Code of Practice is ongoing. There is (currently) no certificate to collect. Instead, you produce a self-assessment that documents your practices, your evidence, and your improvement actions. You can share it with customers, use it in procurement responses, or submit it for independent audit through an NCSC-approved Cyber Resilience Test Facility.

At Hexiosec, we hold Cyber Essentials Plus and have completed the Code of Practice self-assessment. The Cyber Essentials process took a few days, and the steps to a “pass” were clear and mandatory. The Code of Practice assessment had a low barrier to entry. Our Engineering Team quickly assessed how closely aligned our processes were to the 14 principles. We then chose to evidence this and also tighten two areas where we felt we could improve to best practice. Both were worth doing, and the flexibility offered by the Code of Practice meant this wasn’t a drain on business resources.

Where to start

If you do not yet have Cyber Essentials, start there. It is the quicker win and the more widely recognised baseline.

If you already hold Cyber Essentials and you develop or sell software, the Code of Practice self-assessment should be your next step. We have written a practical guide to completing it based on our own experience.

As Ambassadors for the Department for Science Innovation & Technology for Software Security, we are passionate about ensuring software companies do their cyber security well.

As well as advocating for these standards, we also provide external attack surface scanning.If you want to see what your organisation’s external attack surface looks like right now - before you get into frameworks and assessments - start with a free scan.

Related Posts

About David Griffiths
David is Hexiosec's Chief Executive Officer, and one of our co-founders. He has 25 years' experience of leading, developing and architecting complex technical systems across the Defence, Government and Commercial sectors. David is a cyber security and cloud infrastructure specialist, with a rich background in agile methodology and modern software development technologies, covering a broad range of environments from embedded systems to web applications.
David Griffiths

See your real external attack surface - without the noise

Book a demo
Book a demo