🧾 Overview
Name: King V Report on Corporate Governance for South Africa
Act no: N/A
Effective Date: 31 October 2025
Type: Principle-based Code
Regulator: Institute of Directors in South Africa (IoDSA)
Purpose: To guide governing bodies toward ethical and effective leadership that achieves the four governance outcomes: Ethical Culture, Performance and Value Creation, Conformance and Prudent Control, and Legitimacy.
👥 Who Does This Affect?
Direct Applicability:
The King V principles are universally applicable to all organisations – regardless of size, sector, or ownership.
Organisations that claim application must follow the “apply and explain” approach, and disclose how each principle has been applied in practice.
Recommended practices should be applied proportionately to the organisation’s size, complexity, and impact.
Under the JSE Listings Requirements, all JSE-listed companies are obliged to apply King V and disclose their governance practices accordingly.
High Impact On:
- JSE-listed companies (application and disclosure are compulsory under the JSE Listings Requirements).
- Boards and governing bodies responsible for ethical and effective leadership.
- Audit, risk, and compliance committees tasked with oversight of governance systems.
- Executive management accountable for implementation and resilience planning.
- Organisations handling sensitive data or critical technology infrastructure.
📋 Key Requirements Relating to Cybersecurity
- Risk Governance:
  - The governing body must direct and oversee an organisation-wide risk management system that includes risk assessments, risk appetite definition, effective responses, and business-continuity arrangements – including the identification, assessment and monitoring of continuity risks – to ensure resilience under volatile conditions. [Principle 8]
- Data, Information and Technology Governance:
  - Boards must set the strategic direction and provide oversight for the ethical, effective and compliant management and control of data, information and technology throughout their lifecycle (acquisition, creation, use, dissemination and disposal). [Principle 10]
- Information Security and Privacy:
  - Information security and data protection must safeguard confidentiality, integrity and availability (CIA) and protect the privacy of personal data. [Principle 10]
- Cyber-Incident Oversight:
  - The governing body must be satisfied that arrangements for the prevention and detection of cyber-attacks and information-privacy breaches are effective, and that any significant incidents are properly investigated, remediated and disclosed where necessary. [Principle 10]
- Third-Party Risk Management:
  - Risks arising from outsourced and third-party technologies, digital service providers, supply-chain dependencies and cross-border data processing must be identified, classified and effectively controlled. [Principle 10]
- Technology Governance and Cyber Resilience:
  - Boards must provide oversight of the ethical and responsible governance of data, information and technology – including cybersecurity strategies, disaster-recovery testing, and responsible disposal of technology assets – to maintain operational continuity and stakeholder confidence. [Principle 10]
- Artificial Intelligence:
  - AI and automated technologies must uphold ethics, human-centric design, accountability, transparency, explainability, security, privacy, fairness and trustworthiness, with clearly defined human oversight and override mechanisms. [Principle 10]
⚠️ Consequences of Non-Compliance
Financial Penalties:
N/A
Criminal Penalties:
N/A
Regulatory Consequences:
King V applies an “apply and explain” disclosure regime for any organisation claiming application. The governing body must approve and publish disclosures in accordance with the King V Disclosure Framework. Failure to do so – or to provide adequate explanation – may invite scrutiny from the JSE (for listed entities), the IoDSA and other regulators, as well as from shareholders and stakeholders questioning governance quality and transparency. [King V Disclosure Framework Introduction]
Reputational Harm:
Failure to apply and transparently explain the King V principles undermines organisational legitimacy and perceived governance quality. Weak governance or poor disclosure can erode trust among investors, clients, insurers and regulators, damaging stakeholder confidence and jeopardising access to business opportunities or insurance cover. [Conceptual Foundations – Governance Outcomes]
✅ How ARMD.digital Helps You Comply
Product:
What it does:
Performs a safe, external scan of your public digital footprint to detect security weaknesses visible to attackers.
How it supports compliance:
- Risk Discovery and Prioritisation:
  - Delivers actionable, independent evidence for Principle 8 risk assessments by revealing publicly exposed weaknesses that inform risk responses and business-continuity planning for organisational resilience. [Principle 8]
- Data, Information and Technology Governance:
  - Supports Principle 10 by helping the governing body be satisfied that arrangements for the prevention and detection of cyber-attacks are effective. CyberProfiler insights guide controls that safeguard the confidentiality, integrity and availability of data and systems, demonstrating ethical and effective governance of data, information and technology. [Principle 10]
Product:
What it does:
Enforces domain-based email authentication to block spoofing, stop phishing, and boost email deliverability.
How it supports compliance:
- Information Security and Privacy:
  - Enforces authenticated email transmission to prevent spoofing and phishing, reducing the likelihood of cyber-attacks and information-privacy breaches. This supports the governing body’s obligation under Principle 10 to ensure arrangements for the prevention and detection of cyber-attacks and information-privacy breaches are effective, while safeguarding the confidentiality, integrity and availability of organisational communications. [Principle 10]
- Governance of Data, Information and Technology:
  - Assists boards in demonstrating ethical, compliant and effective management of information systems by securing one of the most common attack vectors — email. DMARC reporting provides objective data to evidence ongoing oversight of cyber risk within the organisation’s broader governance framework for data, information and technology. [Principle 10]
📚 Additional Resources
- IoDSA: [King V Code on Corporate Governance → https://iodsa.co/King-V-Code]
- IoDSA: [King V Disclosure Framework → https://iodsa.co/King-V-Disclosure-Framework]
- IoDSA: [King V Foundational Concepts → https://iodsa.co/King-V-Foundational-Concepts]
- Michalsons: [King V Code published for application → https://www.michalsons.com/blog/king-v-code-published/77283]
(Links verified and active as of November 2025)
Where appropriate, we link to Michalsons’ expertly maintained legal resources and plain-language explanations. We gratefully acknowledge their role in making South African legislation more accessible and understandable.