Agree your approach
You need an approach to security that works for your capability or service.
Create a strategy
Write a risk management strategy. Your strategy should include:
- how much risk is acceptable for your capability or service
- managing cyber security risks throughout the life of the project
- adding cyber security to existing governance
- considerations for stakeholders, including suppliers
- how you will monitor and share cyber security threats
Set reminders to regularly review your strategy.
Set your risk appetite
Your Senior Responsible Owner (SRO) should define how much risk is acceptable to your programme. For example, a non-critical system can accept more risk than one directly supporting a military operation.
Get your team involved in setting your risk appetite. The SRO needs to formally agree to it.
Check existing risk appetites
Your risk appetite must not introduce risk that is unacceptable to the Ministry of Defence (MOD) or your organisation.
You need to consider 3 levels of risk appetite:
- MOD's risk appetite
- your organisation's risk appetite, for example your top level budget
- your programme or project's risk appetite
For MOD's risk appetite statement, search for 'JSP 440 Leaflet 1c' on MODNET.
You can also search MODNET for your organisation's risk appetite statement.
For more guidance, go to:
- GOV.UK guidance on setting your risk appetite
- National Cyber Security Centre's blog post on risk appetites
Make security part of what you do
Add security to your existing activities and meetings.
For example, you need to:
- know how you will embed security design from the start
- share what you are doing with everyone in the team
- keep your Senior Responsible Owner (SRO) updated
- put security on the agenda for programme level meetings
- tell stakeholders about your progress towards security milestones
- make sure your security risks are in existing risk registers
If you do not have a security working group, set one up. You can decide how often the group needs to meet.
For more guidance, you can use the National Cyber Security Centre's introduction to risk management.
Share your strategy
Share your strategy with internal and authorised stakeholders, including:
- your team
- programme boards
- suppliers
Make sure you classify your strategy correctly. Find out how to classify information.
Published August 2024