How assurance works
Your team is responsible for managing cyber security risks in your capability or service.
You no longer apply for a security accreditation that lasts for a set period of time.
Assess your security
To be Secure by Design, you need to keep checking that your capability or service is secure.
How often you do assessments depends on your capability or service, but you need to do one at least every 3 months.
You must also do an assessment when you make changes or discover new threats.
You can check how to do assessments in Defence.
Independent assessments
The Cyber Security Assurance and Advisory Services (CySAAS) team looks at a selection of assessment reports submitted by projects. This helps make sure teams are being consistent.
You can ask CySAAS to check how you are doing at major milestones, for example before an investment appraisal. CySAAS has to deal with priority projects first.
Find out how to ask for support.
Give regular updates
Give your Senior Responsible Owner (SRO) and other stakeholders regular updates on your Secure by Design activities. They need to be confident that you are keeping your capability or service secure.
Make security part of your existing governance and meetings. For example, add a security update to the agenda for your project boards. You also need to record security risks on your risk register.
Your SRO is accountable for security, but anyone on your team can give relevant updates.
Follow the guidance
Check the activities you need to do and the tools you can use.
Follow the Secure by Design guidance in each phase:
We are continuously improving this guidance. If you cannot find the guidance you need, send us your feedback.
Published August 2024