This standard ensures security is embedded from the outset, not bolted on later, by integrating threat modelling, secure design, and controls into early development stages. It reduces risk while supporting speed and scale.
Aligned with our "Secure by Design" policy, this standard builds resilience through foresight rather than reaction. Without it, vulnerabilities emerge late, are costlier to fix, and erode user and stakeholder trust.
Clearly defined impacts of meeting this standard include improved delivery flow, reduced risk, higher system resilience, and better alignment to business needs. Over time, teams will see reduced rework, faster time to value, and stronger system integrity.
Level 1 – Initial: Security considerations are reactive or absent.
Level 2 – Managed: Security reviews occur, but only late in development.
Level 3 – Defined: Security requirements and threat modelling are embedded in early design phases.
Level 4 – Quantitatively Managed: Security posture is measured, and risks are actively prioritised.
Level 5 – Optimising: Security is treated as a design principle and continuously improved through proactive feedback loops.