Secure by Design Principles

The foundations required for building secure digital services as part of digital delivery.

The following principles must be met by delivery teams with support from security professionals throughout the service lifecycle.

1. Create responsibility for cyber security risk
2. Source secure technology products
3. Adopt a risk-driven approach
4. Design usable security controls
5. Build in detect and respond security
6. Design flexible architectures
7. Minimise the attack surface
8. Defend in depth
9. Embed continuous assurance
10. Make changes securely

Recommended activities are provided to support implementation of these principles.

These principles are for government departments and arm's-length bodies (ALBs). Third-party suppliers to these organisations should liaise with their customer's security contacts to understand the specific requirements that apply to them.


1. Create responsibility for cyber security risk

Assign risk owners to be accountable for managing cyber security risks for a service throughout its lifecycle. These must be senior stakeholders with the experience, knowledge and authority to lead on security activities.


2. Source secure technology products

Where third-party products are used, perform security due diligence by continually assessing platforms, software and code for security vulnerabilities. Mitigate risks and share findings with suppliers to help them improve product security.


3. Adopt a risk-driven approach

Establish the project’s risk appetite and maintain an assessment of cyber security risks to build protections appropriate to the evolving threat landscape.


4. Design usable security controls

Perform regular user research and implement findings into service design to make sure security processes are fit for purpose and easy to understand.


5. Build in detect and respond security

Design for the inevitability of security vulnerabilities and incidents. Integrate appropriate security logging, monitoring, alerting and response capabilities. These must be continually tested and iterated.


6. Design flexible architectures

Implement digital services and update legacy components to allow for easier integration of new security controls in response to changes in business requirements, cyber threats and vulnerabilities.


7. Minimise the attack surface

Use only the capabilities, software, data and hardware components that a service needs to achieve its intended use; every component that is not needed adds attack surface without adding value, so removing it reduces cyber security risk.


8. Defend in depth

Create layered controls across a service so it’s harder for attackers to fully compromise the system if a single control fails or is overcome.


9. Embed continuous assurance

Implement continuous security assurance processes to create confidence in the effectiveness of security controls, both at the point of delivery and throughout the operational life of the service.


10. Make changes securely

Embed security into the design, development and deployment processes to ensure that the security impact of changes is considered alongside other factors.


The Secure by Design approach will evolve to reflect the needs of government digital services. Your feedback will help us to improve it.


Last update: 31 January 2024

OFFICIAL