Considering security within the business case

When preparing a business case, cyber security requirements must be included so the appropriate funding, resources, skills and time can be allocated to effectively manage cyber security risks.

By including security within a business case you will:

• ensure the true cost and effort involved in protecting the service are clear from the start of the project
• reduce the potential of your project being rejected or delayed due to security risks
• put processes in place to deliver an appropriately secure service that protects user information
• create a foundation for adopting secure practices throughout digital delivery so you can achieve your GovAssure profile

As services develop from idea to implementation, different types of business cases may be required covering scoping, planning and procurement. Security considerations should be included at every stage, with steps taken to review and refine them as the project matures.

Completing this activity will help you to achieve the outcomes included in the Secure by Design principles to create responsibility for cyber security risk, adopt a risk-driven approach, design usable security controls and embed continuous assurance.

Who is involved

The Senior Responsible Owner (SRO) and service owner should work together with a business analyst to agree on the service characteristics and understand the security considerations to be included in the business case.

To complete all sections of the business case, you should seek input from your Chief Technology Officer (CTO), Chief Information Security Officer (CISO) and technical security assurance teams.

How to include security within the business case

Government business cases consist of five elements, as explained in The Green Book. The outline below shows how Secure by Design principles should be applied within each to demonstrate you have considered and forecasted the relevant security requirements.

The security policies and standards that need to be included within a business case will depend on your organisation’s GovAssure profile, and whether the service is part of Critical National Infrastructure.

The Strategic Case

Where you demonstrate the need for change and show how the proposal fits with local, regional and national policies and targets. Cyber security elements should include:

• a statement outlining the project's security risk appetite
• an overview of the security obligations (policy, legal, regulatory and contractual) being met
• a summary of business and user needs, and the security controls required to satisfy them
• a high-level assessment of the threats that may compromise or disrupt your service - keep the sensitivity of these relevant to the classification of the business case

The Economic Case

Where you will explain how you are providing the best public value to society. Cyber security elements should include:

• information on the potential impact of security threats and details of how success factors used to assess resilience against security attacks will be substantiated
• details of how making security integral to a project’s scope, solution, service delivery and implementation represents good value for money

The Commercial Case

Where you outline the relationship between the public sector and service providers. Cyber security elements should include:

• details of support required from third-party products and the security due diligence that will be undertaken
• information on how security requirements will be incorporated into procurement contracts

The Financial Case

Where you set out the affordability and preferred funding model. Cyber security elements should include:

• projections for the appropriate security resources (people and technology) required over the full service lifecycle, including contingencies for changes to the threat landscape

The Management Case

Where you describe the delivery, monitoring and evaluation structure. Cyber security elements should include:

• an allocation of roles and responsibilities for security stakeholders and details of how security will be governed for the service
• processes for identifying, assessing and mitigating security risks, including those presented by third party products
• details of how the security impact of changes will be evaluated and managed
• plans for assessing the effectiveness of the security control design and operation throughout the delivery lifecycle

Further reading

• Business Case Guidance for Projects
• Business Case Guidance for Programmes
• Business Case Guidance for Agile and Digital IT Projects
• The Green Book: Templates and support material

Related Secure by Design activities

This activity is part of the ‘Prepare a secure service’ stage of Secure by Design, which also includes:

• Identifying security resources
• Agreeing roles and responsibilities
• Tracking Secure by Design progress
• Working out the project's security risk appetite

Read the Secure by Design activities

The Secure by Design approach will evolve to reflect the needs of government digital services. Your feedback will help us to improve it.

Last update: 31 January 2024