Follow a framework
Use a risk management framework to help you monitor and manage your security risks.
Choose a framework
Use a risk management framework that fits your project best. You can adapt a framework to your delivery approach and ways of working. You might need to show why you have chosen a particular framework.
In the Ministry of Defence, Secure by Design is informed by the risk management framework from the United States' National Institute of Standards and Technology (NIST) and other industry good practices.
If you are following a different framework, you do not need to move to NIST.
- Find out more about the NIST framework (opens in a new tab).
- Check frameworks listed on GOV.UK (opens in a new tab)
Evidence your decisions
Whichever framework you use, you need to show that you are continuously managing security risks.
You need evidence that you:
- identify and track security risks
- regularly review the design of your capability or service
- have appropriate controls in place
You need to link to evidence as part of your regular assessments.
Put your controls in place
After agreeing your controls, your team is responsible for setting up and monitoring them. Consider setting up an alert to regularly review your controls.
Your Senior Responsible Owner (SRO) is accountable for controls being in place and working.
Published August 2024