Guide to adopting Secure by Design – Operation
Once you've adopted Secure by Design across your organisation, it should be a continuous activity.
Your organisation’s Secure by Design responsibilities carry on after you’ve successfully implemented the approach. Your organisation is considered in operation when:
- it has adopted the approach and digital and technology projects are routinely using the self assessment tracker
- projects are ready to answer questions about Secure by Design as part of the digital and technology spend control process
- the Secure by Design champion and chief digital information officer (CDIO) or equivalent have formally confirmed their go-live status with the Government Digital Service (GDS)
Team members have their own part to play in making sure Secure by Design is a continuous concern after it’s live. The next sections explain some of the different responsibilities across roles.
Chief digital information officers (CDIOs) or equivalent
As a CDIO or equivalent, you are accountable for making sure Secure by Design is embedded effectively within your organisation.
Here are some examples of how you might do this. You can:
- act as a visible sponsor for Secure by Design by advocating for a culture of continuous improvement and security ownership across your organisation
- ensure the Secure by Design policy is built into your governance frameworks and that your projects are following policy requirements
- ensure all relevant teams are equipped and empowered to apply Secure by Design principles at each stage of the delivery life cycle
- embed Secure by Design into your organisation’s induction and professional development processes so that staff, especially delivery, technical, and assurance teams, understand its importance and how to apply it in practice
- regularly review Secure by Design maturity metrics and assurance outcomes to identify gaps, highlight progress, and guide further investment or support
- subscribe to our newsletter so you’re aware of any updates or important changes to the Secure by Design approach
Secure by Design champions
As a champion, you play a key role in ensuring teams involved in digital delivery understand their Secure by Design responsibilities.
Here are some examples of how you might do this. You can:
- explain how you have incorporated Secure by Design into digital delivery within your own organisation. Include governance processes and the role each team plays in delivering Secure by Design activities
- keep awareness high by regularly using the Secure by Design communications toolkit to educate delivery, security, and supporting teams on their roles and the benefits of adopting Secure by Design practices
- attend Secure by Design webinars and encourage your teams to join. Share key takeaways across your organisation to reinforce shared learning and continuous improvement
- embed Secure by Design into your onboarding process to help new staff understand its importance from day one. Consider adding guidance to your organisation’s intranet or knowledge hub as a permanent reference
You can improve how Secure by Design is implemented within your organisation by:
- reviewing and actioning feedback from projects and the spend control process
- liaising with colleagues to update your internal processes and guidance based on what’s working well and where challenges have emerged
- staying up to date with the latest Secure by Design developments by subscribing to our newsletter
You do not need to create your own resources from scratch. If you’re part of an arm’s length body (ALB), check with your parent organisation to see if they have resources you can use or adapt.
Finally, you can help GDS improve how we communicate the Secure by Design approach by:
- continuing to attend and engage with us at surgeries, and on Slack and Teams
- taking part in user research sessions organised by the Secure by Design team to help shape future guidance
- providing feedback on our content by emailing us at secure-by-design@digital.cabinet-office.gov.uk
Senior responsible owners (SROs)
As an SRO, you should ensure that Secure by Design is effectively applied within the projects and services you’re responsible for.
Here are some examples of how you might do this. You can:
- follow internal policies that incorporate Secure by Design. This may be either a standalone Secure by Design policy or part of a wider one
- review and sign off on the self assessment tracker for any project or service within your remit that’s going through the digital and technology spend control process
- have regular conversations with your delivery teams and in relevant governance forums about the security risks for your projects and services. Ensure these are being identified and managed appropriately
Delivery managers and programme or project managers
As a delivery manager, or a programme or project manager, you play a key role in demonstrating that in-scope projects are meeting Secure by Design principles.
Here are some examples of how you might do this. You can:
- use the self assessment tracker at every delivery stage to evidence how security is being embedded throughout the life cycle
- prepare your team to confidently answer questions about Secure by Design and the tracker when engaging with the spend control process
- collaborate early and often with security, assurance, and technical colleagues to embed security from the start
- engage regularly with your SRO to ensure that security risks are actively identified, discussed and managed as the project evolves
Commercial and procurement teams
As a commercial and procurement professional, you play a key role in making sure suppliers and vendors support your organisation’s Secure by Design goals.
You can do this by staying up to date with our guidance for commercial teams, which outlines how to embed Secure by Design into your digital and technology procurements. Make sure you actively apply this guidance when:
- shaping requirements
- evaluating suppliers
- drafting contracts
This helps your organisation manage supply chain risks and hold vendors to the same high security standards you apply internally.
Project Management Office (PMO) teams
As a PMO professional, you play a key role in embedding Secure by Design principles across an organisation’s portfolio management, reporting and assurance processes. You also support delivery teams in planning for, tracking and evidencing cyber security activities at every stage of the project life cycle.
Here are some examples of how you might do this. You can:
- ensure Secure by Design activities are part of your organisation’s government gate review life cycle so that security risks are addressed early and escalated in the right way
- help escalate projects with low security confidence for extra support or oversight
- promote a standardised approach to Secure by Design activities across programmes and portfolios
- encourage the use of templates, tools, and checklists (like the Secure by Design self assessment tracker) to help teams apply principles consistently