Introduction
Security by Design cannot succeed without effective Security Management – the structured discipline of directing, governing, and sustaining security efforts over time. While risk assessment tells you what to prioritise, security management provides the machinery to actually deliver and maintain those protections. This section moves from theory into the practical governance of secure systems.
We begin by examining the multiple aspects of security management – including strategic, operational, policy, compliance, and cultural dimensions. You will learn that security management is not merely a technical function but a business enabler that requires clear roles, responsibilities, and accountability structures. Understanding these different aspects helps you avoid the common trap of treating security solely as an IT problem.
From there, we introduce the concept of a security framework. Frameworks such as ISO/IEC 27001, NIST CSF, and Cyber Essentials provide proven, standardised structures for organising security management activities. You will learn how to select, tailor, and apply a framework appropriate to your organisation’s size, sector, and risk appetite, rather than building disjointed security processes from scratch.
With a framework in place, we turn to the active task of mitigating cyber risks. This section translates risk assessment outputs into actionable controls, policies, and response plans. You will learn how to select proportionate mitigations, assign ownership, set measurable objectives, and monitor effectiveness over time – closing the loop between identifying risks and actually reducing them.
Finally, we introduce a practical key management template. We include it because key management is essential to security yet seldom done well. The template brings consistency, repeatability, and auditability to key management activities, so that each activity has a documented owner, scope, and record of completion.
Learning Objectives
By the end of this section, you will be able to:
Describe the core aspects of security management and explain why security is a management discipline, not solely a technical one
Select and justify an appropriate security framework (e.g., ISO 27001, NIST CSF) for a given organisational context
Translate risk assessment outputs into a coherent plan for mitigating cyber risks, including control selection and ownership assignment
Use a key management template to document, track, and communicate security management activities consistently
Explain how security management sustains Security by Design principles throughout the system lifecycle
