Agreeing a security controls set for your service
When building a digital service you should use appropriate security control frameworks as the source you select controls from during security risk management. Your organisation may already have preferred security control frameworks, and these should be used consistently across its digital services.
Frameworks provide good practice technical and procedural controls to help delivery teams manage security risks, reduce vulnerabilities and meet security obligations.
Agreeing the right frameworks for your service will allow you to:
- use a common language for discussing security controls to create clarity in decision making and consistency in implementation
- perform more effective risk management by identifying mitigations from a comprehensive set of industry recognised controls that are relevant to specific environments and vulnerabilities
- improve compliance and governance reporting by using controls that meet legal and regulatory requirements
This activity should take into account your service assets and your security risk assessment. Identify the relevant security control frameworks before you attempt to respond to and mitigate risks, and revisit them whenever new functionality or components are added to the service.
Completing this activity will help you to achieve the outcomes included in the Secure by Design principles to adopt a risk-driven approach and make changes securely.
Who is involved
This activity should be led by technical and security architects in collaboration with the security team in the organisation who have a good understanding of security frameworks and how to interpret them.
How to agree the security control set for your service
The steps below describe how to agree on an appropriate security controls set for your service.
Your organisation’s security team may already maintain a security controls taxonomy which will provide a baseline for your project. Engage with them to understand the recommended frameworks and how they could be applied to your service.
An example taxonomy is available if your organisation does not have an agreed set of controls.
Example Secure by Design Controls Taxonomy (ALPHA)
This template shows how project teams can map appropriate security controls from recognised industry security standards and frameworks to NCSC Cyber Assessment Framework (CAF) outcomes and Indicators of Good Practice (IGP). It provides a starting point that should be adapted by security experts within your organisation to suit the scope, characteristics and regulatory requirements of your digital service.
Step 1: Establish what needs protecting
When performing a security risk assessment you should have determined which service assets are in scope. Combine this with the service design, the technical architecture and the known vulnerabilities of your service to produce a list of what needs protecting. That list is the basis for researching and shortlisting appropriate security frameworks.
Step 2: Research and shortlist relevant security control frameworks
Security professionals from your project and your organisation’s security team, supported by the technical architect, should work together to research and agree security control frameworks based on the assets you need to protect.
Below are examples of some of the common cyber security frameworks and best practice guidance that should be considered. These are not exhaustive lists. You should source the controls that meet the specific cyber security objectives of your service.
Many recognised security frameworks are provided by international organisations, reflecting the global nature of cyber threats. When reviewing these, consider how they can be applied by organisations based in the UK.
Security control frameworks
- ISO/IEC 27002:2022: Information security, cybersecurity and privacy protection
- National Cyber Security Centre (NCSC): Cyber Assessment Framework (CAF)
- NCSC Cyber Essentials
- NCSC 10 Steps to Cyber Security
- National Institute of Standards and Technology (NIST): Cybersecurity Framework
- NIST: Security and Privacy Controls for Information Systems and Organizations (SP 800-53)
- Center for Internet Security (CIS): Critical Security Controls
- Cloud Security Alliance (CSA): Cloud Controls Matrix (CCM)
- MITRE Corporation: ATT&CK Mitigations
Security control guidelines
- NCSC: Cloud Security Principles
- NCSC: Zero trust architecture design principles
- NCSC: CAF guidance
- Information Security Forum (ISF): Standard of Good Practice for Information Security (SOGP)
- Open Worldwide Application Security Project (OWASP): Top 10 Web Application Security Risks
Different frameworks will be applicable to different projects. For example, if you are building Software as a Service (SaaS), you should consider the NCSC Cloud Security Principles and the Cloud Security Alliance (CSA) Cloud Controls Matrix (CCM). For enterprise networks and the systems on them you should consider the Center for Internet Security (CIS) Critical Security Controls, and for web services you should consider the OWASP Top 10. Note that the OWASP Top 10 is an awareness list of risk categories rather than a complete control set, so use it to prioritise web application risks rather than as your only source of web application controls.
This activity is separate from understanding your cyber security obligations. Follow the steps within that guidance to make sure your service meets the necessary legal and regulatory requirements.
Step 3: Agree and share the security controls set
Using the shortlisted frameworks from your research, generate a security controls set which reflects what needs protecting as well as security obligations you are aiming to meet. This will allow you to put proportionate controls in place that map to the specific characteristics of your service and the environment it operates in.
If your research determines there are security needs for your service that sit outside of standard security controls, you may need to add your own custom processes alongside the recognised frameworks. If you need to do this, consult with security professionals within your organisation who can advise on the appropriate way to integrate your unique needs into a controls set.
You should make sure that key changes to the service over its lifecycle are fed back into the selection of security frameworks, so the controls set stays relevant as the service evolves. Share the agreed security controls set with the delivery team, who should use it when responding to and mitigating security risks.