Get the basics right

Agree your approach

You need an approach to security that works for your capability or service.

Create a strategy

Write a risk management strategy. Your strategy should include:

  • how much risk is acceptable for your capability or service
  • managing cyber security risks throughout the life of the project
  • adding cyber security to existing governance
  • considerations for stakeholders, including suppliers
  • how you will monitor and share cyber security threats

Set reminders to regularly review your strategy.

Set your risk appetite

Your Senior Responsible Owner (SRO) should define how much risk is acceptable to your programme. For example, a non-critical system is able to accept more risk than one directly supporting a military operation.

Get your team involved in setting your risk appetite. Your SRO needs to formally agree to it.

You must review your risk appetite, especially when you make changes or discover new threats.

Check existing risk appetites

Your risk appetite must not introduce risk that is unacceptable to the Ministry of Defence (MOD) or your organisation.

You need to consider 3 levels of risk appetite:

  1. MOD's risk appetite.

  2. Your organisation's risk appetite, for example your top level budget.

  3. Your programme or project's risk appetite.

For MOD's risk appetite statement, search for 'JSP 440 Leaflet 1c' on MODNET.

You can also search MODNET for your organisation's risk appetite statement.

For more guidance, go to:

Make security part of what you do

Add security to your existing activities and meetings.

For example, you need to:

  • know how you will embed security design from the start
  • share what you are doing with everyone in the team
  • keep your Senior Responsible Owner (SRO) updated
  • put security on the agenda for programme level meetings
  • tell stakeholders about your progress towards security milestones
  • make sure your security risks are in existing risk registers

If you do not have a security working group, set one up. You can decide how often the group needs to meet.

Share your strategy

Share your strategy with internal and authorised stakeholders, including:

  • your team
  • programme boards
  • suppliers

Make sure you classify your strategy correctly. Find out how to classify information.

Published August 2024