Secure by Design is a cross – government strategy that seeks to develop the Government’s cyber resilience by building resilient digital services through continuous assurance.

Secure by Design is intended primarily for project teams responsible for delivering digital services. However, it is also highly relevant to security professionals and Governance, Risk, and Compliance (GRC) specialists who oversee projects, ensuring they meet security and assurance standards.

The cross-government Secure by Design approach will be required for central government entities and arm’s-length bodies (ALBs). With Group 1 organisations working towards the fast approaching January 2025 operational phase and Group 2 organisations working towards the 2026 Secure by Design (SbD) commitment deadline, we are here to support you every step of the way.

The recent changes introduced by the Secure by Design approach reflect the evolving landscape of security threats. Some of the new changes are;

• Zero Trust Architecture – Emphasising the need to verify every access attempt, regardless of whether it originates inside or outside the network.
• Artificial Intelligence and Machine Learning – Utilising AI and machine learning to predict potential threats and automate responses to security incidents.
• Supply Chain Security – Assessing and managing security risks associated with third parties.
• Privacy by Design – Collecting and processing the minimum amount of data that’s necessary for functionality.

Central Government Secure by Design (SbD) Principles

With over 20 years of experience, we specialise in providing Secure by Design (SbD) services to Central Government and ensure continuous assurance of digital programmes and projects, adhering to HMG policies, NCSC standards, Data Protection Act, and GDPR. Our services leverage NCSC CAF, NIST CSF, NIST SP-800-53, ISO27001, and GovAssure standards.

What will this affect?

Adopting a “Secure by Design” approach in Central Government will lead to stronger cybersecurity, reducing vulnerabilities and improving security measures against ongoing and potential threats. For organisations, the SbD strategy affects;

• Information systems – All government databases are designed to protect sensitive data from cyber-attacks.
• Public services – A guarantee that public services, such as health care and emergency services are resilient to cyber incidents and can operate smoothly. This includes digital services, like identity verification, ensuring that they’re secure and trustworthy.
• Critical National Infrastructure – To protect critical infrastructure and information systems from cyber attacks.
• Policy and Regulation – Policies will need to mandate the Secure by Design principles across all government departments.
• Public Trust – This demonstrates commitment to the security and privacy of the public, and in return will build trust and confidence.
• Crisis Management and Incident Response – Improves response time and effectiveness in responding to security incidents, as the systems will be better prepared.
• Security Training – Implementing mandatory security training programs for government employees will significantly reduce the risk of human error and insider threats.