Standard : Security is considered from the start

Purpose and Strategic Importance

This standard ensures security is embedded from the outset—not bolted on later—by integrating threat modelling, secure design, and controls into early development stages. It reduces risk while supporting speed and scale.

Aligned to our "Secure by Design" policy, this standard builds resilience through foresight, not reaction. Without it, vulnerabilities emerge late, are costlier to fix, and erode user and stakeholder trust.

Strategic Impact

  • Improved delivery flow through early risk mitigation
  • Reduced exposure to security threats across the SDLC
  • Stronger stakeholder trust and compliance posture
  • Less rework due to early consideration of vulnerabilities

Risks of Not Having This Standard

  • Late discovery of security flaws increasing fix cost
  • Poor resilience and degraded system trust
  • Frustration among teams from reactive firefighting
  • Breaches and non-compliance due to overlooked risks

CMMI Maturity Model

Level 1 – Initial

  • People & Culture: Security is rarely discussed or considered. Focus is placed entirely on functionality or speed.
  • Process & Governance: No formal process for incorporating security early.
  • Technology & Tools: No tools or frameworks in place to support secure design.
  • Measurement & Metrics: No measurement of security posture until post-release.

Level 2 – Managed

  • People & Culture: Teams recognise the need to think about security but apply it inconsistently.
  • Process & Governance: Security reviews or assessments occur, but only late in development.
  • Technology & Tools: Security scanning tools are introduced after implementation.
  • Measurement & Metrics: Manual tracking of security defects in late-stage reviews.

Level 3 – Defined

  • People & Culture: Security is treated as a shared responsibility. Threat modelling is conducted in early phases.
  • Process & Governance: Security requirements are documented at the start of design or planning.
  • Technology & Tools: Frameworks support secure-by-default components and architecture.
  • Measurement & Metrics: Vulnerability trends are tracked from development through release.

Level 4 – Quantitatively Managed

  • People & Culture: Teams monitor risk exposure and use data to inform decisions. Security knowledge is actively shared.
  • Process & Governance: Security risks are prioritised and mitigated through tracked remediation plans.
  • Technology & Tools: Tools enforce secure coding practices and flag insecure patterns in real time.
  • Measurement & Metrics: Risk metrics and time-to-fix are continuously measured and improved.

Level 5 – Optimising

  • People & Culture: A security-first mindset is embedded across all roles. Teams reflect and improve proactively.
  • Process & Governance: Continuous feedback loops drive secure design evolution.
  • Technology & Tools: Security automation and AI-driven analysis guide design decisions.
  • Measurement & Metrics: Predictive metrics reduce the likelihood of vulnerabilities before implementation.

Key Measures

  • % of features assessed for security at design stage
  • % of security issues found pre- vs. post-release
  • Average time from identification to resolution of risks
  • Adoption rate of secure design practices
  • Developer participation in secure design activities

Associated Policies
  • Secure by Design

Associated Practices
  • Security Testing in CI/CD
  • Multi-Factor Authentication (MFA)
  • Static Application Security Testing (SAST)
  • Dynamic Application Security Testing (DAST)
  • Secrets Management in Pipelines
  • Shift-Left Testing
  • Test Coverage Analysis
  • Test Data Management
  • Software Composition Analysis (SCA)
  • Identity Federation
  • Secret Rotation Automation
  • Just-in-Time Access
  • Bounded Context Mapping
  • Infrastructure Threat Detection
  • Immutable Infrastructure
  • Linting and Static Code Analysis
  • Configuration as Code
  • Zero Trust Architecture
