
Understanding cyber security obligations

Delivery teams and risk owners for digital services need to be aware of the cyber security obligations they’re required to meet.

These include government policies, regulations, laws, and contracts, and will differ depending on the nature of the service and the type of data it handles.

By understanding and adhering to these responsibilities, you will be able to:

This should be done during the discovery or requirements-gathering phase of a project, so that you can draw on the relevant information in the business case and build the obligations into the service design as requirements. Compliance monitoring that reflects the latest policies and regulations should then continue throughout the project lifecycle, since obligations change over time.

Completing this activity will help you to achieve the outcomes included in the Secure by Design principles to adopt a risk-driven approach and embed continuous assurance.

Who is involved

The people establishing which regulations are relevant to the project should be your:

Your organisation’s legal, commercial and information management teams should be consulted to understand the relevant compliance requirements. Others within your team may also be able to provide information including your Chief Technology Officer (CTO), Chief Information Security Officer (CISO), technical architect and security advisor.

How to understand cyber security obligations

The following steps provide a guide for capturing and sharing your digital service’s security obligations profile.

Wherever possible, this activity should draw on analysis of cyber security obligations that already exists within your organisation, rather than repeating that research from scratch.

Step 1: Analyse cross-government and internal policies

Work with colleagues to assess:

A security policy framework is available for government departments planning to host OFFICIAL services or store data outside the UK. It outlines requirements to assess the risks that may arise from incompatible approaches to data protection.

Email to request this document.

Step 2: Review external laws and regulations

Work with colleagues in central department policy teams to confirm the cyber security and data protection laws and regulations that apply to your service. These could include:

This is not an exhaustive list and may not cover every requirement you need to consider for your service. Engage with your organisation’s legal and information assurance teams to confirm which laws and regulations apply to your service.

For services classified as Critical National Infrastructure, the National Protective Security Authority (NPSA) and National Cyber Security Centre (NCSC) are able to provide advice on regulatory requirements.

Step 3: Check contracts with third parties

Consult with colleagues to identify cyber security clauses in contracts that apply to the digital service. These obligations could include responsibilities and requirements for:

This needs to be completed for existing contracts already in place and any new contracts that are adopted as part of the service.

All contracts place obligations on both the customer and the provider of the service, and you should be aware of both sides. You are expected to use the product or service in the way it was intended, while the provider must supply the level of service that has been agreed.

When signing up to use a digital service there will usually be a standard set of terms and conditions, which should be assessed for security risks before they are accepted. If they do not meet your risk appetite but you still wish to use the service, consider whether it is practical and reasonable to work with the supplier to modify them. This will not be possible for every contract, and you will need to decide whether to accept the risks, mitigate them, or explore alternative options.

For third-party contracts where the relationship is more collaborative, you will have the opportunity to present the supplier with your organisation’s own terms and conditions, provided by your legal team. Rather than reusing a standard contract that carries every conceivable security obligation accumulated from previous related contracts, make sure the obligations are tailored to an efficient set that is non-duplicative and relevant to the service.

Step 4: Record your cyber security obligations

Collate a list containing all the relevant cyber security policy, legal, regulatory and contractual requirements from the previous three steps.

Assess them to establish:

This record should become an integral part of managing security throughout the lifecycle of the project: it provides the information that feeds into risk assessments and a checklist to work through when implementing security controls.

Relevant details should be made available to:

Further reading

This activity is part of the ‘Understand the security landscape’ stage of Secure by Design, which also includes:

Read the Secure by Design activities

The Secure by Design approach will evolve to reflect the needs of government digital services. Your feedback will help us to improve it.

Last update: 31 January 2024