Secure by Design: The Future of Information Assurance for UK Policing


For decades, information assurance in UK policing has relied heavily on accreditation processes and the Risk Management and Accreditation Document Set (RMADS). While these frameworks provided a degree of structure, they often fell short in agility, technical relevance, and real-world application. In response to evolving threats and the changing landscape of digital policing, Secure by Design is now emerging as the pragmatic, security-led alternative.

The End of RMADS and Legacy Accreditation

Historically, RMADS and accreditation were seen as formal checkpoints—paper-based assessments signed off at a fixed point in time. Systems were frequently accredited after development, with security bolted on rather than embedded throughout the lifecycle. This model often led to:

  • Delayed identification of vulnerabilities
  • Security being treated as a compliance exercise
  • Misalignment with agile or iterative delivery models
  • A false sense of assurance disconnected from operational realities

With the National Cyber Security Centre (NCSC) having stepped back from system accreditation as a service, and in light of Police Digital Service (PDS) guidance, it’s clear that a legacy RMADS on its own no longer provides sufficient assurance.

What is Secure by Design?

Secure by Design is not a single process or document—it’s a mindset and approach that integrates security into every stage of a system’s lifecycle. It’s rooted in modern engineering principles, emphasising continuous risk management, secure architecture, and active threat modelling.

The core principles include:

  • Security as an enabler, not a blocker
  • Risk-based, not compliance-driven decision making
  • Ongoing assurance, not one-off certification
  • Shared accountability across delivery teams, not siloed security roles

This approach aligns with the NCSC’s Secure by Design guidance, supporting services that are resilient by default and capable of operating securely in hostile environments.

Key Elements of Secure by Design for Police Forces

  1. Early Threat Modelling
    Integrate threat modelling into discovery and design phases. Use STRIDE (applied per element of the data-flow diagram, with particular attention to flows that cross a trust boundary) or attack trees to assess how real-world adversaries might exploit the system, and record the outcome as risks rather than as a one-off diagram.
  2. Security Architecture
    Develop defensible, layered architectures. Align to NCSC patterns and guidance, particularly for cloud-based or hybrid deployments.
  3. DevSecOps
    Embed security into CI/CD pipelines with automated static code analysis, dependency and container vulnerability scanning, and infrastructure-as-code validation. Findings should gate the build, not merely be reported.
  4. Operational Security Monitoring
    Build in audit and logging capabilities from the outset, with logs forwarded to a central, tamper-evident store rather than left on the host. Ensure systems can be monitored effectively and that incident response plans are tested and in place.
  5. Live Risk Management
    Maintain a living risk register. Risks should be tracked, reviewed, and updated throughout the programme lifecycle—not frozen in an outdated document.
  6. Assurance Through Delivery
    Demonstrate assurance through artefacts such as penetration testing reports, secure code reviews, and environment hardening evidence—not just static paperwork.

Implications for Police Forces

Police services and digital delivery partners must rethink their approach to information assurance. Rather than waiting for “accreditation sign-off”, teams should:

  • Shift left—build security into discovery, architecture, and design
  • Upskill delivery teams on secure coding, zero trust, and defensive engineering
  • Collaborate early with Security Assurance Co-ordinators (SACs) or local authority equivalents
  • Adopt modern standards like the NCSC Cyber Assessment Framework (CAF) where appropriate

Conclusion

Secure by Design is a mature, operationally-focused evolution in police information assurance. It’s agile-compatible, threat-informed, and grounded in security engineering—not paperwork. By adopting Secure by Design, UK police forces can build safer, more resilient digital services that protect the public, data, and operational integrity in an increasingly hostile threat landscape.

Written by Ellie Hurst, Advent IM Commercial Director.
