
Agreeing a security controls set for your service

When building a digital service you should use recognised security control frameworks as the source from which you select controls during security risk management. Your organisation may already have preferred frameworks; if so, use them consistently across your digital services.

Frameworks provide good practice technical and procedural controls to help delivery teams manage security risks, reduce vulnerabilities and meet security obligations.

Agreeing the right frameworks for your service will allow you to:

This activity should be informed by your service assets and your security risk assessment. Before you attempt to respond to and mitigate risks you should have identified the relevant security control frameworks, and you should revisit them whenever new functionality or components are added.

Completing this activity will help you to achieve the outcomes included in the Secure by Design principles to adopt a risk-driven approach and make changes securely.

Who is involved

This activity should be led by technical and security architects, in collaboration with your organisation's security team, who have a good understanding of security frameworks and how to interpret them.

How to agree the security control set for your service

The steps below describe how to agree on an appropriate security controls set for your service.

Your organisation’s security team may already maintain a security controls taxonomy which will provide a baseline for your project. Engage with them to understand the recommended frameworks and how they could be applied to your service.

An example taxonomy is available if your organisation does not have an agreed set of controls.

Example Secure by Design Controls Taxonomy (ALPHA)

This template shows how project teams can map appropriate security controls from recognised industry security standards and frameworks to NCSC Cyber Assessment Framework (CAF) outcomes and Indicators of Good Practice (IGPs).

It provides a starting point that should be adapted by security experts within your organisation to suit the scope, characteristics and regulatory requirements of your digital service.

The example is available in the following formats:

Step 1: Establish what needs protecting

When performing a security risk assessment you should have determined which service assets are in scope. This information, along with the service design, technical architecture and known vulnerabilities of your service, should form a list of what needs protecting and be the basis of your research to shortlist appropriate security frameworks.

Step 2: Research and shortlist relevant security control frameworks

Security professionals, with support from the technical architect within your project and your organisation's security team, should work together to research and agree security control frameworks based on the assets you need to protect.

Below are examples of some common cyber security frameworks and best practice guidance that should be considered. These lists are not exhaustive. You should source the controls that meet the specific cyber security objectives of your service.

Many recognised security frameworks are provided by international organisations, reflecting the global nature of cyber threats. When reviewing these, consider how they can be applied by organisations based in the UK.

Security control frameworks

Security control guidelines

Different sets of frameworks will be applicable to different projects. For example, if you are building Software as a Service (SaaS), you should consider the NCSC Cloud Security Principles and the Cloud Security Alliance (CSA) Cloud Controls Matrix (CCM). For networks you should consider the Center for Internet Security (CIS) Critical Security Controls, and for web services you should consider the OWASP Top 10. Note that the OWASP Top 10 lists categories of web application risk rather than controls, so the controls that address each category still need to be drawn from a controls-level framework.

This activity is separate from understanding your cyber security obligations. Follow the steps within that guidance to make sure your service meets the necessary legal and regulatory requirements.

Step 3: Agree and share the security controls set

Using the shortlisted frameworks from your research, generate a security controls set which reflects both what needs protecting and the security obligations you are aiming to meet. This will allow you to put proportionate controls in place that map to the specific characteristics of your service and the environment it operates in.

If your research determines that your service has security needs that sit outside standard security controls, you may need to add your own custom controls or processes alongside the recognised frameworks. If you need to do this, consult security professionals within your organisation who can advise on the appropriate way to integrate those needs into the controls set, and record the reasoning so the custom controls can be reviewed alongside the framework-derived ones.

You should ensure that key changes to the service over its lifecycle are fed back into the selection of security frameworks and the resulting controls set. Share the controls set with the delivery team so they can use it when responding to and mitigating security risks.

Further reading

This activity is part of the ‘Manage cyber security risks’ stage of Secure by Design, which also includes:



Last update: 7 May 2024