We value your privacy

We use cookies to enhance your browsing experience, serve personalized ads or content, and analyze our traffic. By clicking "Accept All", you consent to our use of cookies.

Customize Consent Preferences

We use cookies to help you navigate efficiently and perform certain functions. You will find detailed information about all cookies under each consent category below.

The cookies that are categorized as "Necessary" are stored on your browser as they are essential for enabling the basic functionalities of the site. ... 

Always Active

Necessary cookies are required to enable the basic features of this site, such as providing secure log-in or adjusting your consent preferences. These cookies do not store any personally identifiable data.

No cookies to display.

Functional cookies help perform certain functionalities like sharing the content of the website on social media platforms, collecting feedback, and other third-party features.

No cookies to display.

Analytical cookies are used to understand how visitors interact with the website. These cookies help provide information on metrics such as the number of visitors, bounce rate, traffic source, etc.

No cookies to display.

Performance cookies are used to understand and analyze the key performance indexes of the website which helps in delivering a better user experience for the visitors.

No cookies to display.

Advertisement cookies are used to provide visitors with customized advertisements based on the pages you visited previously and to analyze the effectiveness of the ad campaigns.

No cookies to display.

Secure by Design: The Future of Information Assurance for UK Policing

News and information from the Advent IM team.

For decades, information assurance in UK policing has relied heavily on accreditation processes and the Risk Management and Accreditation Document Set (RMADS). While these frameworks provided a degree of structure, they often fell short in agility, technical relevance, and real-world application. In response to evolving threats and the changing landscape of digital policing, Secure by Design is now emerging as the pragmatic, security-led alternative.

The End of RMADS and Legacy Accreditation

Historically, RMADS and accreditation were seen as formal checkpoints—paper-based assessments signed off at a fixed point in time. Systems were frequently accredited after development, with security bolted on rather than embedded throughout the lifecycle. This model often led to:

  • Delayed identification of vulnerabilities
  • Security being treated as a compliance exercise
  • Misalignment with agile or iterative delivery models
  • A false sense of assurance disconnected from operational realities

With the National Cyber Security Centre (NCSC) moving away from system accreditation as a service, and in light of Police Digital Service (PDS) guidance, it’s clear that legacy RMADS are no longer sufficient.

What is Secure by Design?

Secure by Design is not a single process or document—it’s a mindset and approach that integrates security into every stage of a system’s lifecycle. It’s rooted in modern engineering principles, emphasising continuous risk management, secure architecture, and active threat modelling.

The core principles include:

  • Security as an enabler, not a blocker
  • Risk-based, not compliance-driven decision making
  • Ongoing assurance, not one-off certification
  • Shared accountability across delivery teams, not siloed security roles

This approach aligns with the NCSC’s Secure by Design guidance, supporting services that are resilient by default, and capable of operating securely in hostile environments.

Key Elements of Secure by Design for Police Forces

  1. Early Threat Modelling
    Integrate threat modelling into discovery and design phases. Use STRIDE or attack trees to assess how real-world adversaries might exploit the system.
  2. Security Architecture
    Develop defensible, layered architectures. Align to NCSC patterns and guidance, particularly for cloud-based or hybrid deployments.
  3. DevSecOps
    Embed security into CI/CD pipelines with automated code scanning, dependency checking, and infrastructure validation.
  4. Operational Security Monitoring
    Build in audit and logging capabilities from the outset. Ensure systems can be monitored effectively and that incident response plans are tested and in place.
  5. Live Risk Management
    Maintain a living risk register. Risks should be tracked, reviewed, and updated throughout the programme lifecycle—not frozen in an outdated document.
  6. Assurance Through Delivery
    Demonstrate assurance through artefacts such as penetration testing reports, secure code reviews, and environment hardening evidence—not just static paperwork.

Implications for Police Forces

Police services and digital delivery partners must rethink their approach to information assurance. Rather than waiting for “accreditation sign-off”, teams should:

  • Shift left—build security into discovery, architecture, and design
  • Upskill delivery teams on secure coding, zero trust, and defensive engineering
  • Collaborate early with Security Assurance Co-ordinators (SACs) or local authority equivalents
  • Adopt modern standards like the NCSC Cyber Assessment Framework (CAF) where appropriate

Conclusion

Secure by Design is a mature, operationally-focused evolution in police information assurance. It’s agile-compatible, threat-informed, and grounded in security engineering—not paperwork. By adopting Secure by Design, UK police forces can build safer, more resilient digital services that protect the public, data, and operational integrity in an increasingly hostile threat landscape.

Written by Ellie Hurst, Advent IM Commercial Director.

Share this Post

© 2025 Advent IM Limited.