Secure by Design Example Security Resources Plan
Documenting a project’s required security resources helps you ensure security is embedded through each phase of digital delivery.
This plan is an example of an output of the Secure by Design activity Identifying security resources.
It is not an exhaustive list and is intended as a guide and a starting point. It names 10 possible security resources and, for each resource, provides a:
- description
- category
- purpose
- project phase
- potential responsible department
Download the information on this page as a spreadsheet
These spreadsheets contain additional columns with dropdowns that allow you to record whether the resource is required for this project, whether it is already available within the organisation and whether additional money may be needed to secure it.
Example security resources
Security personnel or expert
Security personnel are skilled individuals within the organisation who specialise in cyber and information security.
They include people who have expertise in areas such as security operations, threat modelling, incident response and vulnerability management, like:
- security analysts
- security risk managers
- security architects
- consultants
- incident responders
They play a crucial role in implementing and maintaining effective security measures.
Category: People
Purpose: The purpose of security personnel is to use their knowledge and skills to handle security-related tasks within the organisation.
During the delivery life cycle, they can provide guidance and expertise in areas like:
- security risk management
- threat modelling
- cyber security requirements
They are responsible for:
- monitoring security systems
- responding to security incidents
- conducting vulnerability assessments
- implementing security controls
Their function is to safeguard the organisation’s assets, systems, and data from potential threats and attacks.
Project phase: Security personnel are involved in all phases of the project life cycle.
During the planning phase, they help define security requirements and contribute to risk assessments. Planning may also identify additional skills needed to operate the system.
In the execution phase, they implement and monitor security controls.
In the maintenance phase, they continuously assess and respond to emerging security threats and incidents.
Potential responsible departments: The information security team is responsible for managing security personnel, sometimes in collaboration with the IT team.
The security team oversees security operations, incident response and vulnerability management.
The IT department provides support and integration of security measures within the organisation’s infrastructure.
Information security technology resources
Security technology resources include a range of hardware and software solutions designed to safeguard systems and networks. This includes:
- firewalls
- intrusion detection or prevention systems (IDS or IPS)
- antivirus software
- other security tools
These technologies work together to protect against unauthorised access, detect security threats and mitigate potential risks.
You should identify the resources that are already available within the organisation to protect against unauthorised access, and detect and mitigate security threats.
Category: Tool or technology
Purpose: The purpose of information security technology resources is to establish and maintain a robust security posture within an organisation.
They provide protective and detective measures against various types of cyber threats, such as malware, unauthorised access attempts and network intrusions.
These technologies:
- continuously monitor and analyse network traffic
- identify suspicious activities
- enforce security policies to mitigate risks effectively
Project phase: Security technologies are applicable in all phases of a project life cycle.
During the planning phase, they are considered when designing the security infrastructure.
In the execution phase, they are implemented to protect systems and networks.
In the maintenance phase, they are continuously updated and monitored to ensure ongoing protection against evolving threats.
Potential responsible departments: The IT department, in collaboration with the information security team, is responsible for managing and implementing security technologies.
It oversees the technical deployment and integration of security technologies, while the security team provides guidance on configuration, monitoring and incident response related to these technologies.
Security policies and standards
Security policies and standards are a set of guidelines and directives that outline how an organisation should approach and manage security. They include policies on:
- information security
- access control
- data classification
These policies serve as a foundation for establishing secure operations, access controls and data handling practices within an organisation.
Policies are usually mandatory, so you should identify policies that are relevant to your project.
Category: Policies, procedures and control frameworks
Purpose: The purpose of security policies and standards is to provide clear and comprehensive guidance on security-related practices and procedures. They:
- define the organisation’s expectations for security measures
- establish controls
- outline the responsibilities of employees, stakeholders and external third parties
- enable consistent decision-making
- enforce compliance with security standards
- support a secure operating environment
Project phase: Security policies are relevant to all phases of a project life cycle.
During the planning phase, they assist in defining security requirements, risk management approaches and compliance obligations.
In the execution phase, they guide the implementation of security controls and ensure adherence to established policies.
In the maintenance phase, they provide a framework for ongoing policy updates, security awareness and enforcement.
Potential responsible departments: The information security team is responsible for developing, reviewing and maintaining security policies.
The security team provides subject matter expertise on security requirements.
Security control frameworks
Security frameworks refer to established sets of guidelines, best practices and standards that organisations can adopt to establish and maintain effective security practices.
Frameworks provide comprehensive guidance and recommendations to address various aspects of security.
You should find out if your organisation has a security framework because it is likely to affect security decisions you make during delivery.
Category: Policies, procedures and control frameworks
Purpose: The purpose of security frameworks is to help organisations implement a regular and repeatable approach to security, which reflects priorities identified by industry experts.
Frameworks can assist with:
- risk management
- security governance
- control implementation
- ongoing improvement
They also help organisations align with recognised standards and industry best practices to enhance their security posture.
Project phase: Security frameworks apply across all phases of a project life cycle.
During the planning phase, they provide guidance for assessing risks, defining security requirements and establishing security objectives.
In the execution phase, they aid in the selection and implementation of appropriate security controls.
In the maintenance phase, they assist in the continuous monitoring, evaluation and improvement of security practices.
Potential responsible departments: The information security team is responsible for using and implementing security frameworks within the organisation.
The security team provides expertise in understanding and applying a framework’s principles and controls.
Security processes
Security processes refer to documented and well-defined procedures that guide the handling of security-related activities within an organisation.
These processes outline step-by-step instructions for effectively managing activities like:
- security incidents
- implementing change
- addressing vulnerabilities
A few examples of the processes you need to identify are:
- incident response processes
- change management processes
- vulnerability management processes
Category: Policies, procedures and control frameworks
Purpose: The purpose of security processes is to:
- establish clear and consistent procedures for handling security-related events and activities
- facilitate controlled and secure changes to the organisation’s systems and applications while managing vulnerabilities to minimise risks
Project phase: Security processes mainly apply during the execution and maintenance phases of a project life cycle.
During the execution phase, incident response processes help manage and mitigate security incidents as they arise.
Change management processes are followed to ensure that security is maintained during system changes. Vulnerability management processes help identify, assess and remediate vulnerabilities.
These processes are continually refined and maintained during the maintenance phase.
Potential responsible departments: The information security team, in collaboration with the IT department, is responsible for developing, implementing and maintaining security processes.
The security team is primarily responsible for defining incident response procedures, vulnerability management processes and providing guidance on security-related changes.
The IT department plays a role in executing these processes within the technical infrastructure.
Security education and training
Security education and training activities teach security best practices by improving the knowledge, skills and awareness of individuals in the organisation.
They include:
- security awareness programs
- cybersecurity training
- other educational initiatives aimed at promoting a security-conscious culture
They can also include technical security training, such as secure coding and secure software development life cycle (SDLC) practices.
Category: Awareness and training
Purpose: The purpose of security education and training is to educate members of the project team about:
- security risks
- best practices
- their role in ensuring the delivery of a service that is secure
It aims to:
- raise awareness
- develop security-related skills
- foster a security-conscious culture throughout the delivery life cycle
It helps:
- reduce human error
- improve incident response
- enhance overall security posture
Project phase: Security education and training is relevant in all phases of a project life cycle.
During the planning phase, it helps define security training requirements and establish the foundations of a security-conscious environment.
In the execution phase, it ensures that the team members and stakeholders receive necessary training to handle security responsibilities effectively.
In the maintenance phase, ongoing training and awareness activities help reinforce security practices and address emerging threats.
Potential responsible departments: The HR or training department, in collaboration with the information security team, is responsible for overseeing security education and training initiatives.
The HR or training department designs and delivers training programmes, while the information security team provides subject matter expertise and guidance on security-related topics.
Third-party supplier management
Third-party supplier management involves assessing and managing the security risks associated with external third-party suppliers who provide goods or services to the organisation.
This resource is required for activities such as third-party risk assessment and supplier security evaluation.
The objective is to ensure that third-party suppliers meet the organisation’s security requirements and adhere to industry-standard security practices.
You should identify the resources that will perform this function.
Category: People
Purpose: The purpose of third-party supplier management is to:
- mitigate security risks that may arise from engaging third-party suppliers
- establish processes and procedures to evaluate and monitor the security posture of third-party suppliers throughout the project life cycle
By conducting security evaluations of third-party suppliers, organisations can:
- make informed decisions about third-party supplier selection
- manage the associated security risks effectively
Project phase: Third-party supplier management is relevant during all phases of a project.
During the planning phase, you should establish security requirements and criteria for selecting third-party suppliers.
In the execution phase, you should conduct security assessments and evaluations on potential third-party suppliers.
In the maintenance phase, by continuing to monitor and evaluate third-party suppliers’ security practices, you can help ensure compliance continues and risks are mitigated.
Potential responsible departments: The third-party supplier management resource is typically managed by the information security, vendor management, procurement and service delivery teams.
The information security team is responsible for assessing the security risks associated with vendors, while the other teams oversee the overall vendor relationship and contractual agreements.
Security monitoring and incident management
Security monitoring collects information about the systems and controls your organisation relies on. The process involves collating the data and using it to identify problems, including security incidents. You can use a security information and event management (SIEM) tool to manage this flow of data and find insights.
Incident management involves establishing incident response plans and processes, and using these to detect, respond to and recover from security incidents. Incidents may be triggered by security monitoring or by issue reporting from another source. Incident management includes co-ordinating response efforts with other stakeholders and post-incident analysis to prevent future incidents.
Category: Tool or technology
Purpose: The purpose of security monitoring is to detect, investigate and respond to potential security incidents in a timely manner.
It enables organisations to identify:
- security threats
- unauthorised access attempts
- data breaches
- other abnormal activities
By collecting and monitoring security logs, organisations can:
- proactively identify security events
- take steps to maintain the security of their systems
The purpose of security incident management is to minimise the impact of security incidents on the organisation’s systems, data and operations.
It aims to:
- promptly identify security incidents
- contain and mitigate their effects
- restore normal operations as quickly as possible
- apply lessons learned to make them less likely to happen again
Project phase: Security monitoring and incident management are most relevant during the execution and maintenance phases of a project.
In the design phase, it is important to find ways to gather security events from a new digital system and ensure they can be monitored effectively.
In the execution phase, monitoring a system as it matures can provide valuable information about how a system might be hardened further or identify possible gaps in monitoring. Incident response plans and processes can be firmed up. During security testing, security monitoring should be able to identify the pentester’s activities. If it cannot, this may highlight another opportunity to reduce blind spots.
In the maintenance phase, continuous monitoring makes sure there’s a sustained awareness of a system’s security posture. This helps teams respond to incidents quickly and make necessary changes. Incident management processes should be continuously reviewed, updated and tested to improve response capabilities.
Potential responsible departments: The information security team, in collaboration with the IT department, is responsible for implementing and managing security monitoring, and for security incident management.
The security team oversees the configuration of SIEM systems, log monitoring and event correlation, while the IT department supports the technical aspects of onboarding, log collection and analysis.
The information security team develops incident response plans, defines incident management processes and provides oversight for incident handling activities.
The incident response team is made up of individuals with specific incident response roles and responsibilities, including incident handlers, investigators and communication coordinators.
Security testing
Security testing involves comprehensive assessments of the security posture of a system and of the security controls it may depend on.
The test scope should include the whole range of technical changes made by the project. This needs careful planning. A test scope typically covers new or updated systems, but also analyses existing security controls, like authentication and logging.
Testing aims to identify vulnerabilities and test the effectiveness of security defences, providing valuable insights into potential weaknesses and areas for improvement.
Other test activities, like functional testing, may also have value for security. For example, a test of user enrolment can confirm that user-centric security controls are working as intended.
External-facing government services must usually undergo a security health check before they can go live. Security health checks are typically performed by managed service providers or external vendors. It is important to identify this resource at the start of the project.
Category: Tool or technology
Purpose: The purpose of security health checks and penetration testing is to:
- assess the security measures and controls that have been put in place to secure your service
- validate the effectiveness of existing controls
- identify vulnerabilities that could be exploited by potential attackers
- assess the impact of potential attacks
- provide recommendations to strengthen the security posture of the service
Project phase: From the earliest stages, project planning must make sure that enough time is allowed for testing and remediation. Security testing can sometimes run more slowly than other tests, putting it on the critical path.
Security testing mainly happens during the execution and maintenance phases of a project life cycle. It requires a system with a realistic configuration, although it does not usually involve live data.
In the maintenance phase, regular testing makes sure security controls remain effective and responsive to emerging threats.
Potential responsible departments: The information security team, in collaboration with the IT department, is responsible for conducting security health checks and penetration testing.
The security team designs and executes the assessments, while the IT department provides support in terms of system access and technical expertise.
Security assurance
Security assurance involves conducting assessments to evaluate compliance with security policies, regulations and industry standards.
It can include activities such as:
- security audits
- compliance assessments
- control validations
These activities help ensure adherence to established security requirements.
Category: Policies, procedures and control frameworks
Purpose: The purpose of security assurance is to:
- assess the effectiveness of security controls
- identify gaps or non-compliance
- check the organisation is adhering to security policies, regulations and industry standards
These assessments help:
- identify vulnerabilities
- provide insights for improvement
- demonstrate the organisation’s commitment to maintaining a robust security posture
Project phase: Security auditing mainly applies during the execution and maintenance phases of a project life cycle.
In the execution phase, audits and assessments can provide baseline measurements and identify any initial non-compliance or weaknesses.
In the maintenance phase, regular audits ensure ongoing compliance, validate control effectiveness and address emerging security risks.
Potential responsible departments: The information security team, in collaboration with the assurance team, is responsible for conducting security auditing.
The information security team provides subject matter expertise on security controls and requirements. The assurance team performs the actual audits and assessments.