Author: Government Security Group

Last updated: 2 February 2026

About Secure by Design

Secure by Design aims to increase the government’s cyber resilience by incorporating cyber security practices into digital delivery from the start and consistently throughout the service life cycle.

The approach emphasises that everyone involved in the development of new systems and services should take cyber security risks seriously, and collaborate so that risks are identified and managed effectively.

Secure by Design’s core elements include its policy, principles and activities. Meeting the 10 principles is mandatory for government departments, arm’s length bodies (ALBs) and executive agencies whose services are subject to the digital and technology spend control process.

To support these principles, Secure by Design provides:

  • risk-driven activities for building appropriate and proportionate cyber security controls within digital services
  • clarity on roles and responsibilities to continuously manage security risks and improve security culture

Introduction to Secure by Design

How organisations show they’re implementing Secure by Design

While Secure by Design is not an assurance process, one of its principles is to continuously deliver effective security controls throughout the life of a service.

To achieve this, when taking part in the digital and technology spend controls approval process, delivery teams will need to complete a self assessment as evidence they’re meeting the Secure by Design principles.

Secure by Design’s wider context

Secure by Design is a strategic priority that is included as outcome 9 in the Government Cyber Action Plan. It’s a core requirement of the government Cyber Security Standard and was part of the transforming for a digital future roadmap: 2022 to 2025.

The Secure by Design policy has been developed by the Department for Science, Innovation and Technology (DSIT) and a cross-government working group in collaboration with:

  • the Government Security Group (GSG)
  • the National Cyber Security Centre (NCSC)
  • industry experts

The Service Standard Point 9 (Create a secure service which protects users’ privacy) advises service teams that they must follow the Secure by Design principles.

The Service Manual, which helps teams meet the Service Standard, also includes Secure by Design as an essential part of designing quality services.

Secure by Design for the defence industry

The Ministry of Defence (MoD) offers advice on how delivery teams and suppliers working on its systems and services can design for security from the start.

The MoD approach to Secure by Design shares the cross-government objective of making security an integral part of service design through effective risk management, collaboration and continuous improvement. This has been mapped to its specific environment and project management life cycle.

Further information

For more about Secure by Design:
