Skip to main content

This is a new service – your feedback will help us to improve it.

  1. Guidance
  2. Secure by Design
  3. Principles

10 Secure by Design Principles

We welcome feedback on these principles, which are currently in ALPHA and open for consultation. You can email questions and comments to secure-by-design[at]

The following core principles are aimed at the digital and security communities delivering digital services. These cover the end-to-end digital service delivery life cycle addressing the challenges faced by government organisations. They are based on the NCSC’s Secure Design Principles, which focus on the design phase of cyber secure systems. The government principles take this basis and expand to cover the whole lifecycle, and are focussed on the needs of the public sector. Each principle is supplemented with an "intent" which illustrates the importance.

Principle 1 – Appoint a business risk owner

Appoint an appropriately senior risk owner, who has a clear reporting line to or is a member of the top management, to be accountable for owning the cyber security risks for the service throughout its life cycle and allocating security resources within the service delivery team.

Intent of principle 1

By engaging an appropriately senior risk owner (project sponsor), you can make sure that cyber security risks are escalated to top management and managed by the most senior stakeholders in the business in accordance with the organisation’s risk appetite.

Principle 2 - Perform security due diligence

Continually assess the security of products or open-source code for security vulnerabilities, and mitigate the risks to your environment.

Intent of principle 2

Performing security due diligence of technology products and open-source code allows you to make an informed business decision on the trade-offs between cyber security implications and efficiency. It enables sharing lessons-learnt with suppliers to help them improve the security of their products.

Principle 3 - Design risk-driven security

Continuously optimise security controls taking into account the risk appetite, situational awareness and supply chain shared responsibility model, not overlooking relevant good practice protections.

Intent of principle 3

Dynamically managing risks and designing proportionate safeguards means that you can respond to changes in the risk profile appropriately to always have a current defensible position of your controls and mitigations.

Principle 4 - Create usable security

Carry out ongoing user research to make sure security controls are appropriate for the environment your users are working in and are easy to use.

Intent of principle 4

Usable security allows users to effectively operate the security controls available to them. Unusable security forces users to work around it and adopt insecure practices to get things done.

Principle 5 - Design security considering detective and responding measures

Design and iterate security controls and processes to cover all stages of the services life cycle including capabilities to protect, detect, respond and recover from incidents.

Intent of principle 5

By designing for security capabilities expanding across all functions of the cyber security framework, you reduce the likelihood of weak points where compromise could occur and go undetected.

Principle 6 - Design flexible architectures

Implement new services and update legacy systems with flexible architectures that allow scaling and easy integration of new security controls in response to business requirements, changing threats and vulnerabilities.

Intent of principle 6

The use of flexible architectures allows services to readily adapt to meet new business requirements as well as respond quickly to changes in the security risk and threat landscape.

Principle 7 - Minimise the attack surface

Use only the required capabilities, software, data and hardware components necessary for the service to achieve its intended use.

Intent of principle 7

Minimising the attack surface reduces the opportunities for potential attackers to exploit vulnerabilities in the service without degrading the service.

Principle 8 - Defend in depth

Assume any part of the service could be compromised at any point in its life cycle and design services so they cannot be wholly compromised if a single control has either failed or been overcome by an attacker.

Intent of principle 8

By utilising layered controls effectively, it will increase the time and effort required by threat actors to fully compromise the service.

Principle 9 - Build and embed continuous assurance

Implement proportionate and evidence-based security assurance into the digital service life cycle to provide confidence in the effectiveness of the security controls.

Intent of principle 9

Continually assuring the security posture of digital services provides the risk owners with the level of confidence that services operate securely and as intended.

Principle 10 - Secure changes

Assess the security impact of proposed changes to digital services to ensure that their security and the way they work are not adversely affected.

Intent of principle 10

To ensure that changes cannot be made to an operational service without proper consideration of how a change might affect its security, and management of that change through a secure design, development and deployment process.