Government and Regulatory Affairs

Introduction

Welcome to this webpage dedicated to the Government and Regulatory Affairs (GRA) portfolio of the ISACA London Chapter (ILC). The London GRA informs its Members of regulatory and legal developments related to IT, governance, audit, information/cyber security, and privacy, among the topics covered by ISACA certifications and certificates. The GRA Team provides a summary of such information as published in:

  • the GRA section of London Chapter Newsletters (1-2 issues per month),
  • submissions made by ISACA / ILC to public consultations.

Public consultations have a wealth of background policy and research papers – these are hidden gems of bodies of knowledge that the GRA Team also draws attention to in ILC Newsletters. This means Members can see policy and law-making in real-time while also having resources to draw upon as needed for work or study.

The GRA Team is interested in your comments and suggestions – please contact admin@isaca-london.org.

GRA features in ILC Newsletters

    1. The UK Government orchestrated the UK AI Safety Summit at the beginning of November 2023, along with the associated AI Fringe. The successes have been widely reported and include a new consensus on AI safety risks, the creation of the AI Safety Institutes, the inclusion of China, commitment and momentum from government and the AI industry, an established scientific basis, and continuity through follow-on summits. The less well reported concerns include the voluntary nature of the commitments, the lack of substantiation around rules and the measurement of risks, the reluctance of the UK Government to regulate, the extent to which the ongoing bodies (safety institutes) are being funded, and the additional work that is required.

    2. The portfolio of AI assurance techniques was launched in mid-2023 by the Department for Science, Innovation & Technology (DSIT). ISACA, led by ISACA London Chapter members, submitted in November 2023 an AI assurance techniques case study to the Centre for Data Ethics and Innovation (CDEI), based on the beta version of the ISACA Digital Trust Ecosystem Framework (DTEF). ISACA developed the DTEF as a holistic, dynamic approach for designing, implementing, and managing best practices to achieve and maintain the desired level of digital trust within an enterprise.

    3. There are imminent regulations and standards about to be enacted or released that affect our environment, such as:
      1. The EU AI Act, due for enactment in early 2024, which focuses primarily on strengthening AI rules around data quality, transparency, human oversight, and accountability.
      2. The US Presidential Executive Order on the Safe, Secure, and Trustworthy Development and Use of Artificial Intelligence, issued on 30th October. It consists of a set of guidelines that attempt to address the risks surrounding AI, guided by eight principles and priorities, and directs NIST to develop guidelines and best practices to promote consensus industry standards that help ensure the development and deployment of safe, secure, and trustworthy AI systems, including augmenting the already released NIST AI RMF.
      3. ISO/IEC 42001:2023, the AI Management System international standard, due for publication in December 2023, providing requirements and guidance on establishing, implementing, maintaining, and continually improving an AI management system.
      4. NIST CSF v2.0, slated for release in February 2024. While similar in breadth to v1.1, it introduces significant structural changes, such as a new Governance Function area and different categories and sub-categories.

    4. A Digital Policy Alliance (DPA) Skills round table was held in the House of Lords on 13 November 2023, covering the evolving education marketplace, engagement, enablement, talent attraction, and the blending of programmes to meet both employer and student needs around modernising the recruitment and employment of digital professionals. There were four themes: Education as a Service; Enabling Further Education; Convergence of Employer Accredited Apprenticeships, Degrees, and other programmes; and the modernisation of recruitment and employment practice.

    5. SASIG and the UK Cyber Security Council organised an event at the FCA on 16 November 2023 on Professionalism of the Cybersecurity Industry, to identify and address the complex challenges surrounding the cybersecurity professional's role and career, the current state of professionalisation of the cybersecurity industry, and the progress being made towards a more structured future.

Legislation for national chapter governance

ISACA chapters are created on the basis of regulations in their respective countries, for example, based on whether they are an association, society, private limited company, or other basis under Attorney General Office guidance. In the case of the London Chapter, it was created as an association and then, in November 2004, it was incorporated as a private company limited by guarantee (https://find-and-update.company-information.service.gov.uk/company/05291214/filing-history). This means it is a non-profit company, as opposed to a private company limited by shares, which is for profit.

In the UK, private limited companies have a status different from associations and charities: the London Chapter is bound by obligations to UK Companies House (https://www.gov.uk/government/organisations/companies-house), and its Chapter leaders, being UK directors registered with Companies House, comply with director responsibilities (https://companieshouse.blog.gov.uk/2019/02/21/7-duties-of-a-company-director) under the UK Companies Act 2006 (https://www.legislation.gov.uk/ukpga/2006/46/contents). Additionally, for almost all types of entities in the UK, there are data privacy regulations under the UK Data Protection Act 2018 and the UK General Data Protection Regulation (GDPR), derived from the European Union's GDPR – see the UK Information Commissioner's Office, the independent supervisory body regarding UK data protection legislation (https://ico.org.uk/for-organisations/guide-to-data-protection/guide-to-the-general-data-protection-regulation-gdpr).

Public consultations: ISACA / ILC submissions

London Chapter members contributed to submissions by ISACA to the following public consultations from UK and international governmental entities. These align with ISACA Global's advocacy and government relations.

2023 Corporate Governance Code Consultation by the Financial Reporting Council, responded to by ISACA in September 2023.

Policy paper on AI regulation by the Department for Science, Innovation and Technology: consultation from June 2023 (outcomes still awaited).

The Department for Science, Innovation & Technology (DSIT) Portfolio of AI Assurance Techniques consultation case study response, led by ISACA London Chapter members, was submitted in November 2023 to the Centre for Data Ethics and Innovation (CDEI).

2023 Call for views on software resilience and security for businesses and organisations by the Department for Digital, Culture, Media and Sport

ISACA responded in May 2023 to a UK Government call for views on software resilience and security for businesses and organisations, considering risks across the entire software lifecycle and where government should direct its resources to have the most impact.

2023 Review of the Computer Misuse Act 1990: consultation and response to call for information by the Home Office

ISACA responded in April 2023 to the Home Office's invitation to consult on three proposals to amend the Computer Misuse Act 1990 and introduce new powers to help tackle cybercrime, covering domain name and IP address takedown and seizure, a power to preserve data, and data copying.

2021 Restoring trust in audit and corporate governance: proposals on reforms by the UK Business, Energy and Industrial Strategy

Government response (consultation outcome)