Author: Government Digital Service (DSIT)

Last updated: 2025-07-23

Secure by Design Example Security Resources Plan

Documenting a project’s required security resources helps you ensure security is embedded through each phase of digital delivery.

This plan is an example of an output of the Secure by Design activity Identifying security resources.

It is not an exhaustive list and is intended as a guide and a starting point. It names 11 possible security resources and, for each resource, provides a:

  • description
  • category
  • purpose
  • project phase
  • potential responsible department

Download the information on this page as a spreadsheet

The spreadsheets contain additional columns with dropdowns that let you record, for each resource, whether it is required for this project, whether it is already available within the organisation and whether additional funding may be needed to secure it.

Example security resources

Security personnel or expert

Security personnel are skilled individuals within the organisation who specialise in cyber and information security.

They include people who have expertise in areas such as security operations, threat modelling, incident response and vulnerability management, like:

  • security analysts
  • security risk managers
  • security architects
  • consultants
  • incident responders

They play a crucial role in implementing and maintaining effective security measures.

Category: People

Purpose: The purpose of security personnel is to use their knowledge and skills to handle security-related tasks within the organisation.

During the delivery life cycle, they can provide guidance and expertise in areas like:

  • security risk management
  • threat modelling
  • cyber security requirements

They are responsible for:

  • monitoring security systems
  • responding to security incidents
  • conducting vulnerability assessments
  • implementing security controls

Their function is to safeguard the organisation’s assets, systems, and data from potential threats and attacks.

Project phase: Security personnel are involved in all phases of the project life cycle.

During the planning phase, they help define security requirements and contribute to risk assessments.

In the execution phase, they implement and monitor security controls.

In the maintenance phase, they continuously assess and respond to emerging security threats and incidents.

Potential responsible department: The information security team is responsible for managing security personnel, sometimes in collaboration with the IT team.

The security team oversees security operations, incident response and vulnerability management.

The IT department provides support and integration of security measures within the organisation’s infrastructure.

Information security technology resources

Security technology resources include a range of hardware and software solutions designed to safeguard systems and networks. This includes:

  • firewalls
  • intrusion detection or prevention systems (IDS or IPS)
  • antivirus software
  • other security tools

These technologies work together to protect against unauthorised access, detect security threats and mitigate potential risks.

You should identify which of these resources are already available within the organisation before planning to procure new ones.

Category: Tool or technology

Purpose: The purpose of information security technology resources is to establish and maintain a robust security posture within an organisation.

They provide protective and detective measures against various types of cyber threats, such as malware, unauthorised access attempts and network intrusions.

These technologies:

  • continuously monitor and analyse network traffic
  • identify suspicious activities
  • enforce security policies to mitigate risks effectively

Project phase: Security technologies are applicable in all phases of a project life cycle.

During the planning phase, they are considered when designing the security infrastructure.

In the execution phase, they are implemented to protect systems and networks.

In the maintenance phase, they are continuously updated and monitored to ensure ongoing protection against evolving threats.

Potential responsible department: The IT department, in collaboration with the information security team, is responsible for managing and implementing security technologies.

The IT department oversees the technical deployment and integration of these technologies, while the security team provides guidance on their configuration, monitoring and related incident response.

Security policies and standards

Security policies and standards are a set of guidelines and directives that outline how an organisation should approach and manage security. They include policies on:

  • information security
  • access control
  • data classification

These policies serve as a foundation for establishing secure operations, access controls and data handling practices within an organisation.

Policies are usually mandatory, so you should identify policies that are relevant to your project.

Category: Policies, procedures and control frameworks

Purpose: The purpose of security policies and standards is to provide clear and comprehensive guidance on security-related practices and procedures. They:

  • define the organisation’s expectations for security measures
  • establish controls
  • outline the responsibilities of employees, stakeholders and external third parties
  • enable consistent decision-making
  • enforce compliance with security standards
  • support a secure operating environment

Project phase: Security policies are relevant to all phases of a project life cycle.

During the planning phase, they assist in defining security requirements, risk management approaches and compliance obligations.

In the execution phase, they guide the implementation of security controls and ensure adherence to established policies.

In the maintenance phase, they provide a framework for ongoing policy updates, security awareness and enforcement.

Potential responsible department: The information security team is responsible for developing, reviewing and maintaining security policies.

It also provides subject matter expertise on security requirements to delivery teams applying those policies.

Security control frameworks

Security frameworks refer to established sets of guidelines, best practices and standards that organisations can adopt to establish and maintain effective security practices.

Frameworks provide comprehensive guidance and recommendations to address various aspects of security.

You should find out if your organisation has a security framework because it is likely to affect security decisions you make during delivery.

Category: Policies, procedures and control frameworks

Purpose: The purpose of security frameworks is to help organisations implement a structured and systematic approach to security.

They allow teams to take a structured approach to:

  • risk management
  • security governance
  • control implementation
  • ongoing improvement

Security frameworks help organisations align with recognised standards and industry best practices to enhance their security posture.

Project phase: Security frameworks apply across all phases of a project life cycle.

During the planning phase, they provide guidance for assessing risks, defining security requirements and establishing security objectives.

In the execution phase, they aid in the selection and implementation of appropriate security controls.

In the maintenance phase, they assist in the continuous monitoring, evaluation and improvement of security practices.

Potential responsible department: The information security team is responsible for using and implementing security frameworks within the organisation.

The security team provides expertise in understanding and applying a framework’s principles and controls.

Security processes

Security processes refer to documented and well-defined procedures that guide the handling of security-related activities within an organisation.

These processes outline step-by-step instructions for effectively managing activities like:

  • security incidents
  • implementing change
  • addressing vulnerabilities

A few examples of the processes you need to identify are:

  • incident response processes
  • change management processes
  • vulnerability management processes

Category: Policies, procedures and control frameworks

Purpose: The purpose of security processes is to:

  • establish clear and consistent procedures for handling security-related events and activities
  • facilitate controlled and secure changes to the organisation’s systems and applications, and manage vulnerabilities so that risk is minimised

Project phase: Security processes mainly apply during the execution and maintenance phases of a project life cycle.

During the execution phase, incident response processes help manage and mitigate security incidents as they arise.

Change management processes are followed to ensure that security is maintained during system changes. Vulnerability management processes help identify, assess and remediate vulnerabilities.

These processes are continually refined and maintained during the maintenance phase.

Potential responsible department: The information security team, in collaboration with the IT department, is responsible for developing, implementing and maintaining security processes.

The security team is primarily responsible for defining incident response procedures, vulnerability management processes and providing guidance on security-related changes.

The IT department plays a role in executing these processes within the technical infrastructure.

Security education and training

Security education and training activities teach security best practices by improving the knowledge, skills and awareness of individuals in the organisation.

They include:

  • security awareness programs
  • cybersecurity training
  • other educational initiatives aimed at promoting a security-conscious culture

They can also include technical security training, such as secure coding and secure software development life cycle (SDLC) practices.

Category: Awareness and training

Purpose: The purpose of security education and training is to educate members of the project team about:

  • security risks
  • best practices
  • their role in ensuring the delivery of a service that is secure

It aims to:

  • raise awareness
  • develop security-related skills
  • foster a security-conscious culture throughout the delivery life cycle

It helps:

  • reduce human error
  • improve incident response
  • enhance overall security posture

Project phase: Security education and training is relevant in all phases of a project life cycle.

During the planning phase, it helps define security training requirements and establish the foundations of a security-conscious environment.

In the execution phase, it ensures that team members and stakeholders receive the training they need to handle their security responsibilities effectively.

In the maintenance phase, ongoing training and awareness activities help reinforce security practices and address emerging threats.

Potential responsible department: The HR or training department, in collaboration with the information security team, is responsible for overseeing security education and training initiatives.

The HR or training department designs and delivers training programmes, while the information security team provides subject matter expertise and guidance on security-related topics.

Third-party supplier management

Third-party supplier management involves assessing and managing the security risks associated with external third-party suppliers who provide goods or services to the organisation.

This resource is required for activities such as third-party risk assessment and supplier security evaluation.

The objective is to ensure that third party suppliers meet the organisation’s security requirements and adhere to industry-standard security practices.

You should identify the resources that will perform this function.

Category: People

Purpose: The purpose of third-party supplier management is to:

  • mitigate security risks that may arise from engaging third-party suppliers
  • establish processes and procedures to evaluate and monitor the security posture of third-party suppliers throughout the project life cycle

By conducting security evaluations of third-party suppliers, organisations can:

  • make informed decisions about third-party supplier selection
  • manage the associated security risks effectively

Project phase: Third-party supplier management is relevant during all phases of a project.

During the planning phase, you should establish security requirements and criteria for selecting third-party suppliers.

In the execution phase, you should conduct security assessments and evaluations on potential third-party suppliers.

In the maintenance phase, by continuing to monitor and evaluate third-party suppliers’ security practices, you can help ensure compliance continues and risks are mitigated.

Potential responsible department: Third-party supplier management is typically shared between the information security, vendor management, procurement and service delivery teams.

The information security team is responsible for assessing the security risks associated with suppliers, while the other teams oversee the overall supplier relationship and contractual agreements.

Security monitoring

Security monitoring is the practice of continuously monitoring network and system logs for security events, anomalies and suspicious activities.

It involves collecting, analysing and correlating security-related data using:

  • security information and event management (SIEM) systems
  • log-monitoring tools
  • other technologies

Security monitoring is an important element of Secure by Design, so you should identify security monitoring resources that are available within your organisation.

Category: Tool or technology

Purpose: The purpose of security monitoring is to detect, investigate and respond to potential security incidents in a timely manner.

It enables organisations to identify:

  • security threats
  • unauthorised access attempts
  • data breaches
  • other abnormal activities

By monitoring and analysing security logs, organisations can:

  • proactively address security risks
  • maintain the integrity and availability of their systems
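The collection, analysis and correlation described in this section (and the "continuously monitor and analyse network traffic" and "identify suspicious activities" bullets under information security technology resources) can be illustrated with a small detection rule. The following Python is an added example, not code from the original page or from any GOV.UK project: it parses constructed sshd-style log lines, counts failed logins per source address within a sliding time window, raises a brute-force alert when a threshold is reached, and raises a higher-priority alert when a successful login then arrives from the same source. The IP addresses, hostnames, threshold and window are all assumptions chosen for the illustration.

```python
"""Correlate authentication events from log lines (added example; constructed data)."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log, sshd/syslog style, using documentation IP ranges.
# Includes one line the parser does not understand, to show the gap is counted.
SAMPLE_LOG = """\
2025-07-23T09:00:01Z host1 sshd[1201]: Failed password for invalid user admin from 203.0.113.10 port 51514 ssh2
2025-07-23T09:00:03Z host1 sshd[1202]: Failed password for root from 203.0.113.10 port 51516 ssh2
2025-07-23T09:00:05Z host1 sshd[1203]: Failed password for root from 203.0.113.10 port 51518 ssh2
2025-07-23T09:00:07Z host1 sshd[1204]: Failed password for root from 203.0.113.10 port 51520 ssh2
2025-07-23T09:00:09Z host1 sshd[1205]: Failed password for root from 203.0.113.10 port 51522 ssh2
2025-07-23T09:00:12Z host1 sshd[1206]: Accepted password for root from 203.0.113.10 port 51524 ssh2
2025-07-23T09:05:00Z host1 sshd[1301]: Failed password for alice from 198.51.100.7 port 40000 ssh2
2025-07-23T09:06:00Z host1 sshd[1302]: Accepted publickey for alice from 198.51.100.7 port 40002 ssh2
2025-07-23T10:00:00Z host1 sshd[1401]: Failed password for bob from 192.0.2.5 port 33000 ssh2
2025-07-23T10:30:00Z host1 sshd[1402]: Failed password for bob from 192.0.2.5 port 33002 ssh2
2025-07-23T10:30:01Z host1 sshd[1402]: Connection closed by 192.0.2.5 port 33002
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) sshd\[\d+\]: "
    r"(?P<outcome>Failed|Accepted) (?P<method>password|publickey) for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<src>\S+) port \d+"
)


def parse_events(text):
    """Return (events, skipped). Lines that do not match are a detection gap,
    so the count of skipped lines is reported rather than silently dropped."""
    events, skipped = [], 0
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            skipped += 1
            continue
        events.append({
            "ts": datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ"),
            "host": m["host"],
            "outcome": m["outcome"],
            "user": m["user"],
            "src": m["src"],
        })
    return events, skipped


def detect(events, threshold=5, window_minutes=5):
    """Per source address, keep the failures seen inside a sliding window.
    Reaching `threshold` failures raises 'brute_force' once per streak; a
    successful login while the streak is still at or above the threshold raises
    'possible_compromise'. A success resets the streak for that source."""
    window = timedelta(minutes=window_minutes)
    by_src = defaultdict(list)
    for e in sorted(events, key=lambda e: e["ts"]):
        by_src[e["src"]].append(e)

    alerts = []
    for src, evs in by_src.items():
        recent = []  # failures from this source still inside the window
        for e in evs:
            recent = [f for f in recent if e["ts"] - f["ts"] <= window]
            if e["outcome"] == "Failed":
                recent.append(e)
                if len(recent) == threshold:  # fire once, on the crossing
                    alerts.append({"type": "brute_force", "src": src,
                                   "failures": len(recent),
                                   "first": recent[0]["ts"], "last": e["ts"]})
            else:  # Accepted
                if len(recent) >= threshold:
                    alerts.append({"type": "possible_compromise", "src": src,
                                   "user": e["user"], "host": e["host"],
                                   "ts": e["ts"]})
                recent = []
    return alerts


def run(text, threshold=5, window_minutes=5):
    events, _skipped = parse_events(text)
    return detect(events, threshold, window_minutes)


if __name__ == "__main__":
    evs, skipped = parse_events(SAMPLE_LOG)
    print(f"parsed {len(evs)} events, skipped {skipped} line(s)")
    for a in detect(evs):
        print(a)
```

Running the module against the constructed log produces two alerts for 203.0.113.10 (five failures in eleven seconds, then a successful root login) and none for the other two sources: a single failure before a successful key-based login is normal user behaviour, and two failures thirty minutes apart fall outside the window. The thresholds are the tuning decision a monitoring team would make against real baseline data.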

Project phase: Security monitoring mainly applies during the execution and maintenance phases of a project life cycle.

In the execution phase, monitoring activities help to identify potential security incidents so that appropriate action can be taken to mitigate them.

In the maintenance phase, continuous monitoring ensures teams are up to date and aware of a system’s security posture. This helps teams respond to incidents quickly and apply the necessary updates.

Potential responsible department: The information security team, in collaboration with the IT department, is responsible for implementing and managing security monitoring.

The security team oversees the configuration of SIEM systems, log monitoring and event correlation, while the IT department supports the technical aspects of log collection and analysis.

Security health check and penetration testing

A security health check and penetration testing are comprehensive assessments of the security posture of systems, networks, services and applications.

These activities aim to identify vulnerabilities and test the effectiveness of security defences through controlled testing. They provide valuable insights into potential weaknesses and areas for improvement.

It’s likely that external-facing services will be required to undergo a security health check before they can go live.

Security health checks are usually performed by managed service providers or external vendors, so it is important to identify this resource at the start of the project.

Category: Tool or technology

Purpose: The purpose of a security health check and penetration testing is to:

  • assess the security measures and controls that have been put in place to secure your service
  • validate the effectiveness of existing controls
  • identify vulnerabilities that could be exploited by potential attackers
  • assess the impact of potential attacks
  • provide recommendations to strengthen the security posture of the service

Project phase: A security health check and penetration testing mainly apply during the execution and maintenance phases of a project life cycle.

In the execution phase, these activities help identify vulnerabilities and weaknesses in systems and applications before they go live.

In the maintenance phase, regular testing ensures that security controls remain effective and responsive to emerging threats.

Potential responsible department: The information security team, in collaboration with the IT department, is responsible for conducting a security health check and penetration testing.

The security team designs and executes the assessments, while the IT department provides support in terms of system access and technical expertise.

Security assurance

Security assurance involves conducting assessments to evaluate compliance with security policies, regulations and industry standards.

It can include activities such as:

  • security audits
  • compliance assessments
  • control validations

These activities help ensure adherence to established security requirements.

Category: Policies, procedures and control frameworks

Purpose: The purpose of security assurance is to:

  • assess the effectiveness of security controls
  • identify gaps or non-compliance
  • check the organisation is adhering to security policies, regulations and industry standards

These assessments help:

  • identify vulnerabilities
  • provide insights for improvement
  • demonstrate the organisation’s commitment to maintaining a robust security posture

Project phase: Security assurance activities such as audits mainly apply during the execution and maintenance phases of a project life cycle.

In the execution phase, audits and assessments can provide baseline measurements and identify any initial non-compliance or weaknesses.

In the maintenance phase, regular audits ensure ongoing compliance, validate control effectiveness and address emerging security risks.

Potential responsible department: The information security team, in collaboration with the assurance team, is responsible for conducting security assurance activities.

The information security team provides subject matter expertise on security controls and requirements. The assurance team performs the actual audits and assessments.

Security incident management

Security incident management involves:

  • establishing incident response plans and incident handling processes to effectively detect, respond to and recover from security incidents
  • developing incident response playbooks
  • co-ordinating incident response efforts
  • carrying out post-incident analysis to prevent future incidents

Category: Tool or technology

Purpose: The purpose of security incident management is to:

  • minimise the impact of security incidents on the organisation’s systems, data and operations
  • promptly identify security incidents
  • contain and mitigate their effects
  • restore normal operations as quickly as possible

Incident management processes enable a structured and coordinated approach to incident response, ensuring a timely and effective response to security breaches.

Project phase: Security incident management applies mainly during the execution and maintenance phases of a project life cycle.

During the execution phase, incident response plans are implemented and incident handling processes are followed to address security incidents as they occur.

In the maintenance phase, incident management processes are continuously reviewed, updated and tested to improve response capabilities.

Potential responsible department: The information security team, in collaboration with the incident response team, is responsible for security incident management.

The information security team:

  • develops incident response plans
  • defines incident management processes
  • provides oversight for incident handling activities

The incident response team is made up of individuals with specific incident response roles and responsibilities, including incident handlers, investigators and communication coordinators.
