When building a digital service, use appropriate security control frameworks as a blueprint from which to select controls as part of security risk management. Your organisation may already have preferred security control frameworks, which should be used across its digital services.
Frameworks provide good practice technical and procedural controls that help delivery teams manage security risks, reduce vulnerabilities and meet security obligations.
Agreeing the right frameworks for your service will allow you to:
This activity should take into account your service assets and your security risk assessment. You should have identified the relevant security control frameworks before attempting to respond to and mitigate risks, and you should revisit them whenever new functionality or components are added.
This activity should be led by technical and security architects, in collaboration with your organisation’s security team, which will have a good understanding of security frameworks and how to interpret them.
Your organisation’s security team may already maintain a security controls taxonomy which will provide a baseline for your project. Engage with them to understand the recommended frameworks in the taxonomy and how they could be applied to your service.
The following steps describe how to agree an appropriate security controls set for your service, either using guidance from your organisation if available, or using the Secure by Design Controls Taxonomy (available from February 2024).
When performing a security risk assessment you should have determined which service assets are in scope. Together with the service design, technical architecture and known vulnerabilities of your service, this information should form a list of what needs protecting and be the basis of your research to shortlist appropriate security frameworks.
Security professionals, with support from the technical architect within your project and your organisation’s security team, should work together to research and agree security control frameworks based on the assets you need to protect.
Below are examples of common cyber security frameworks and best practice guidance that should be considered. These lists are not exhaustive. You should source the controls that meet the specific cyber security objectives of your service.
Many recognised security frameworks are provided by international organisations, reflecting the global nature of cyber threats. When reviewing these, consider how they can be applied by organisations based in the UK.
Different frameworks will apply to different projects. For example, if you are building Software as a Service (SaaS), you should consider the NCSC Cloud Security Principles and the Cloud Security Alliance (CSA) Cloud Controls Matrix (CCM). For networks you should consider the Center for Internet Security (CIS) Critical Security Controls, and for web services the OWASP Top 10. Note that the OWASP Top 10 is an awareness list of the most common web application risks rather than a complete controls set; the OWASP Application Security Verification Standard (ASVS) provides verifiable controls for web services.
This activity is separate from understanding your cyber security obligations. Follow the steps in that guidance to make sure your service meets the necessary legal and regulatory requirements.
Using the frameworks shortlisted by your research, generate a security controls set that reflects what needs protecting and the security obligations you are aiming to meet. This will allow you to put proportionate controls in place that map to the specific characteristics of your service and the environment it operates in.
If your research determines there are security needs for your service that standard security controls do not cover, you may need to add your own custom controls and processes alongside the recognised frameworks. If so, consult security professionals within your organisation who can advise on the appropriate way to integrate these needs into your controls set.
Make sure that key changes to the service over its lifecycle are fed back into the selection of appropriate security frameworks.
You should share the security controls set with the delivery team to use when responding to and mitigating security risks.
This activity is part of the ‘Manage cyber security risks’ stage of Secure by Design, which also includes:
The Secure by Design approach will evolve to reflect the needs of government digital services. Your feedback will help us to improve it.
Last update: 31 January 2024