Government and Regulatory Affairs

Introduction

Welcome to this webpage dedicated to the Government and Regulatory Affairs (GRA) portfolio of the ISACA London Chapter (ILC). The London GRA informs its Members of regulatory and legal developments related to IT, governance, audit, information/cyber security, and privacy, among topics of ISACA certifications and certificates. The GRA Team provides a summary of such information as published in:

the GRA section of London Chapter Newsletters (1-2 issues per month),
submissions made by ISACA / ILC to public consultations.

Public consultations have a wealth of background policy and research papers – these are hidden gems of bodies of knowledge that the GRA Team also draws attention to in ILC Newsletters. This means Members can see policy and law-making in real-time while also having resources to draw upon as needed for work or study.

The GRA Team is interested in your comments and suggestions – please contact admin@isaca-london.org.

GRA features in ILC Newsletters

The following are selected features published in recent ILC Newsletters, with back issues below Repository_of_GRA_features_in_ILC_Newsletters_2021.pdf. More information on below among other topics can be found in newsletters January - May 2022.

1.UK Dept. of Business, Energy and Industrial Strategy (BEIS) ( published on 31 May 2022, the outcome of its major audit reform consultation -- Restoring trust in audit and corporate governance. With more than 600 responses received (including from ISACA), the outcome proposes improvements in the quality and accuracy of corporate information shared with stakeholders, and reforms in audit and corporate governance. Reforms reflect recommendations of the Kingman, CMA and Brydon reviews and include:

establishing a new regulator – the Audit, Reporting and Governance Authority (ARGA), to be a more empowered version of the current Financial Reporting Council (FRC), and to use the IESBA International Code of Ethics for Professional Accountants as the basis for enforcement action
introducing a new statutory regime for the oversight of accountancy
redefining public interest entities (PIE) so that reforms apply also to large private companies (with more than 750 employees and £750m annual turnover)
strengthening reporting of company internal controls through the UK Corporate Governance Code
making directors more accountable for failures in corporate reporting and audit related duties.

Reforms are expected to balance the need for action with time needed for proper preparation, and comprise higher-quality regulation for better markets and improved outcomes as well as lighter touch market-based solutions and non-regulatory options.

2. News from the UK Department for Digital, Culture, Media and Sport (DCMS):

2a) The UK Digital Strategy Policy paper, published 13 June 2022, presents government-wide digital programmes and activities (see Annex) underpinning improvements in the UK’s digital economy:

foundational infrastructure, data and regulation (eg, on smart data, secure digital identities, National Security and Investment Act, Online Safety Bill, data protection, connected devices)
innovation and intellectual property
digital skills and talent, including Global Talent and related visas
finance for digital growth, eg, through British Business Bank’s initiatives
technology sector tools and levelling up to support productivity, public services, and climate net zero
UK influence on global decisions on the digital world.

2b) In benefitting from data for the national interest, the Government is committed to creating a risk management framework to protect the storage and processing infrastructures on which data relies. The Policy paper Data storage and processing infrastructure security and resilience, published 26 May 2022, presents proposals in three areas for which DCMS seeks views by 24 July:

risks to UK data storage and processing infrastructure
security and resilience measures in particular for (third-party) data centres
the customer base of data centre operators, cloud platform providers and Managed Service Providers (MSPs) to inform risk impact assessments.

This Call for views does not include telecommunications infrastructure, already covered by the updated Telecommunications (Security) Act 2021, nor cloud computing services, already regulated by the Networks and Information Systems (NIS) Regulations 2018; a recent consultation considered adding MSPs to the NIS.

2c) The consultation outcome on Embedding standards and pathways across the cyber profession by 2025 was published 20 June 2022. The outcome reported on proposals to develop the cyber security profession and capabilities of the UK Cyber Security Council (CSC) to deliver accordingly, and included progress and challenges on:

alignment between the Council’s standards and government recruitment, procurement and schemes, such as NCSC’s CCP scheme, as well as internationally given the global nature of cyber security
launch of associate, principal and chartered standards for 16 cyber specialisms using the Cyber Security Body of Knowledge (CyBOK)
creation of a career route map
creation of a voluntary register of individuals accredited at associate, principal and chartered levels.

To learn more about the government response, readers who are not members of the UK CSC are invited to join a public webinar, 12 July 2022, 10am.

Legislation for national chapter governance

ISACA chapters are created on the basis of regulations in their respective countries, for example, based on whether they are an association, society, private limited company, or other basis under Attorney General Office guidance. In the case of the London Chapter, it was created as an association and then in November 2004, it was incorporated as a private company limited by guarantee (https://find-and-update.company-information.service.gov.uk/company/05291214/filing-history). This means it is a non-profit company, compared to a private limited company limited by shares which is for profit.

In the UK, private limited companies have a status different from associations and charities: the London Chapter is bound by obligations to UK Companies House (https://www.gov.uk/government/organisations/companies-house ), and its Chapter leaders being UK directors under Companies House comply with director responsibilities (https://companieshouse.blog.gov.uk/2019/02/21/7-duties-of-a-company-director)under the UK Companies Act 2006 (https://www.legislation.gov.uk/ukpga/2006/46/contents). Additionally, for most all types of entities in the UK, there are data privacy regulations under the UK Data Protection Act 2018 and the UK General Data Protection Regulation (GDPR) derived from the European Union's GDPR – see the UK Information Commissioner's Office, the independent supervisory body regarding UK data protection legislation (https://ico.org.uk/for-organisations/guide-to-data-protection/guide-to-the-general-data-protection-regulation-gdpr).

Public consultations: ISACA / ILC submissions

London Chapter members contributed to submissions by ISACA to the following public consultations from UK and international governmental entities. These align with ISACA Global's advocacy and government relations.

2021 Restoring trust in audit and corporate governance:
proposals on reforms by UK Business, Energy and Industrial Strategy (BEIS)

Consultation (outcomes awaited)

2019-2020 Review of local authority financial reporting and external audit (aka Redmond Review)

by UK Ministry of Housing, Communities & Local Government (renamed 2 Feb 2022 to Dept for Levelling Up, Housing and Communities) Government Response Policy Paper

Independent report (consultation outcome)

(Annex 8 refers to ISACA submission)

Original Consultation

2017-19 Report on AI in the UK

by UK House of Lords Select Committee on Artificial Intelligence

Report and Government response

List of Witnesses and Evidence

ILC Written evidence (AIC0193) pp.734-745

2018 Cyber Lexicon

by Financial Stability Board

Publication of Lexicon

Public Responses