Skip to content

Operational Requirements

Last Updated 12 October 2020

Operational Requirements (OR) are an essential tool to enable an organisation to produce a clear, considered and high level statement of their security needs based on the risks they face.

A well-defined OR increases the likelihood of success in any security project and reduces the risk of commissioning expensive nugatory work. The involvement of key stakeholders in the OR process will increase executive buy-in for the project, simplifying any organisational change required.

CPNI has recommended the use of an OR process for many years. The development of this process is based on observing projects where security requirements were poorly defined or developed in isolation. Where CPNI has been asked to assist in failing security projects, in almost all cases an OR process has not been followed.  In many cases a comprehensive risk assessment is also absent which is why CPNI recommends completing both risk assessments and the OR process as an essential part of any security project.

Where a suitable OR process is used, projects have a significantly higher success rate and stakeholders are better engaged in the security measures implemented.


See below for the OR documents which provide a step by step guide to completing the process. This self-help guidance and accompanying worked examples should enable a security manager to facilitate a structured OR workshop to develop a set of security mitigations for their organisation.


Did you find this page useful? YesNo
Thank you for your feedback. If you have any further suggestions on how this information can be made even more useful to improve your experience, feel free to share details below.
Thank you for your feedback. Sorry to hear that you haven't found this information useful. Please help us improve your experience and share how we can make this information more useful for you.