Skip to main content

Getting started with the Secure by Design approach

Isometric icons of shield and protection signs symbolising cyber security

We are delighted to announce the publication of the entire cross - government Secure by Design approach and would like to invite the digital and security communities to familiarise themselves with the principles and activities. 

This brief video provides an overview of the approach and its benefits - feel free to share it with your teams!  

As a refresher, the approach aims to integrate effective security practices in digital delivery and improve the security culture by positioning security as the responsibility of everybody within a project team, with security risks being treated as business and delivery risks.

The Secure by Design principles drive outcomes and their adoption is mandatory across central government and ALBs. They promote consistent and coherent security ways of working in digital delivery. Organisations which already have a local Secure by Design approach - or elements of one - will be expected to adhere to the principles, although they may wish to develop additional ones (and activities) to cater for their own circumstances.

The Secure by Design activities are advisory and designed to help organisations realise the principles. Designed to be flexible, organisations may tailor how they carry out the Secure by Design activities based on their own security risk management and assurance frameworks.

Digital and security leadership should come together and begin to:

  • Raise awareness of Secure by Design and its benefits among your internal stakeholders
  • Position Secure by Design as a shared responsibility between digital,technology and security colleagues
  • Consider the implementation of Secure by Design including the integration of Secure by Design into your organisation’s ways of working (including the Project Management Office gate process), policies, standards and governance.

Focusing on rollout and implementation

We have been working with specific organisations which have already started their journey of implementing Secure by Design to understand potential implementation models and activities (for both government organisations and CDDO), challenges and lessons learned as well as developing content required to support effective implementation.

Recognising the diverse profile and maturity of government organisations, we appreciate that each organisation will be adopting the Secure by Design approach from a different starting position. 

We are developing the Secure by Design rollout approach with input from the digital and security communities, aligning its timescales with the Secure by Design commitment in Transforming for a Digital future: 2022 to 2025 roadmap for digital and data. We expect to be able to confirm further details by the end of March.

We are also working on an indicative implementation model, suggesting how organisations might wish to integrate the Secure by Design approach into their own practices. 

We will be sharing some helpful resources to support implementation developed with colleagues from across government. These include a gap analysis template and generic transition and communication plans you can adapt as appropriate.

We’ll also be confirming details shortly of further webinars to build awareness and understanding of the approach among key roles, professional communities and organisations.

We’re very much on a journey with Secure by Design. We expect to continue refining the approach in light of organisations’ experiences with the approach and further discovery work in the future.

Find out more about Secure by Design

Keep up to date with Secure by Design by signing up to our newsletter or, if you have a question, emailing us at

Sharing and comments

Share this page

Leave a comment

We only ask for your email address so we know you're a real person

By submitting a comment you understand it may be published on this public website. Please read our privacy notice to see how the GOV.UK blogging platform handles your information.