Summary of engineering standards’ requirements
Writing a standard
Last updated: 4 August 2023
- A standard MUST have an ID
- A standard MUST have a Title
- A standard MUST have a Description
- A standard MUST have one or more Requirements
- A standard MUST have Tags
- A standard MUST show when it was Last Updated
Writing a principle
Last updated: 28 November 2024
- A principle MUST have a title
- A principle MUST have a description
- A principle MUST have a rationale
- A principle MUST state expected applications and implications
- A principle MUST have tags
- A principle MUST show when it was last updated
Minimal documentation set for a product
Last updated: 14 March 2024
- Product documentation MUST include a description of the product and what it is for
- Product documentation MUST include key architectural views
- Product documentation MUST include a decision log
- Product documentation MUST include runbooks for expected tasks
- Product documentation MUST include information about observability
- Product documentation MUST include build, release and deployment processes
Open source licensing
Last updated: 24 May 2023
- Open source repositories MUST contain a licence file
- Open source repositories MUST have a licence that adheres to the Open Source Definition
- Open source repositories MUST state who owns the copyright
Infrastructure as code
Last updated: 3 August 2023
- Infrastructure definitions MUST be stored as code
- Infrastructure definitions MUST be validated
- Secrets MUST NOT be stored in infrastructure definitions
- Source management best practices MUST be followed for infrastructure definitions
Managing secrets
Last updated: 8 August 2023
- Secrets MUST be generated in accordance with the Home Office Password Policy
- You MUST only store secrets in an approved secret management system
- You MUST proactively manage access to secrets
- You MUST implement secret scanning
- You MUST ensure that secrets are not exported into monitoring systems
- You MUST document how secrets are managed
- You MUST monitor the usage of secrets to identify suspicious behaviour
- You MUST have a response plan ready to enact if you have an incident
Managing the security of software dependencies
Last updated: 8 September 2023
- You MUST assess the security of external components before introducing them into software designs
- You MUST maintain a discoverable dependency tree for your systems
- You MUST proactively identify vulnerabilities in dependencies with scanning and other tools
- You MUST regularly update, replace and remove dependencies
Accessibility
Last updated: 8 September 2023
Signing code commits
Last updated: 26 November 2024
- All code commits MUST be cryptographically signed by the author of that commit
- All Source code repositories MUST require all commits be signed
Encrypting data at rest and in transit
Last updated: 8 September 2023
- Data at rest MUST be encrypted
- Data in transit MUST be encrypted
- Cryptographic keys MUST be protected
Infrastructure utilisation monitoring
Last updated: 20 September 2023
- Infrastructure MUST be observable relative to defined service level expectations
- CPU utilisation MUST be observable
- Memory utilisation MUST be observable
- Disk utilisation MUST be observable
- Network utilisation MUST be observable
- Historical infrastructure monitoring metrics MUST be retained for analysis
Low code workflow naming
Last updated: 15 November 2023
- Naming conventions MUST be consistent
- Acronyms or uncommon abbreviations MUST be defined in a central or project glossary
- Workflow, action step and scope block names MUST be descriptive and convey the purpose or objective
- Workflow, action step and scope block names MUST begin with a verb to describe the function, followed by the subject of the verb
- Words in a workflow name MUST be separated by a space where possible
- Scope blocks that are used for error handling MUST be prefixed with the word ‘Try’ or ‘Catch’
Developer Testing
Last updated: 5 January 2024
- You MUST test early and often
- You MUST automate tests
- You MUST make tests repeatable
- You MUST have a way of measuring the effectiveness of testing
- Tests MUST have a purpose and explicit result
- You MUST think about the edge cases
Service reliability
Last updated: 26 April 2024
- Service reliability MUST be observable relative to defined service level expectations
- Service MUST be tolerant to expected and unexpected failure of a data centre
- Service MUST be tolerant to expected and unexpected failure of physical or virtualised hardware as well as network
- Service MUST be tolerant to expected and unexpected failure of upstream services such as databases
- Service MUST be sized appropriately for normal operations and MUST be able to automatically scale as appropriate based on metrics
- Service MUST be able to handle requests to protect the overall service
- Service MUST be able to tolerate expected load
- Service MUST be able to tolerate expected stress
- Service MUST be soak tested