Skip to main content

This is a new service – your feedback will help us to improve it.

  1. Guidance
  2. Secure by Design
  3. Activities
  4. Considering security within the business case

Considering security within the business case

When preparing a business case, cyber security requirements must be included so the appropriate funding, resources, skills and time can be allocated to effectively manage cyber security risks.

By including security within a business case you will:

As services develop from idea to implementation, different types of business cases may be required covering scoping, planning and procurement. Security considerations should be included at every stage, with steps taken to review and refine them as the project matures.

Completing this activity will help you to achieve the outcomes included in the Secure by Design principles to create responsibility for cyber security risk, adopt a risk-driven approach, design usable security controls and embed continuous assurance.

Who is involved

The Senior Responsible Owner (SRO) and service owner should work together with a business analyst to agree on the service characteristics and understand the security considerations to be included in the business case.

To complete all sections of the business case, you should seek input from your Chief Technology Officer (CTO), Chief Information Security Officer (CISO) and technical security assurance teams.

How to include security within the business case

Government business cases consist of five elements, as explained in The Green Book. The outline below shows how Secure by Design principles should be applied within each to demonstrate you have considered and forecasted the relevant security requirements.

The security policies and standards that need to be included within a business case will depend on your organisation’s GovAssure profile, and whether the service is part of Critical National Infrastructure.

The Strategic Case

Where you demonstrate the need for change and show how the proposal fits with local, regional and national policies and targets. Cyber security elements should include:

The Economic Case

Where you will explain how you are providing the best public value to society. Cyber security elements should include:

The Commercial Case

Where you outline the relationship between the public sector and service providers. Cyber security elements should include:

The Financial Case

Where you set out the affordability and preferred funding model. Cyber security elements should include:

The Management Case

Where you describe the delivery, monitoring and evaluation structure. Cyber security elements should include:

Further reading

This activity is part of the ‘Prepare a secure service’ stage of Secure by Design, which also includes:

Read the Secure by Design activities

The Secure by Design approach will evolve to reflect the needs of government digital services. Your feedback will help us to improve it.

Last update: 31 January 2024