Learn how ArcKit accelerates security architecture and compliance documentation for regulated environments including government, healthcare, and financial services.

When to Use This Approach

Use ArcKit for security and compliance when you need to:
  • Meet UK government security classifications (OFFICIAL, SECRET)
  • Achieve GDPR, UK GDPR, or DPA 2018 compliance
  • Comply with sector regulations (NHS Data Security and Protection Toolkit, FCA)
  • Generate compliance artifacts for audit and certification
  • Document security controls and threat models
  • Create DPIAs (Data Protection Impact Assessments)
  • Map controls to frameworks (ISO 27001, NIST, CIS)

Relevant Commands

# Initialise secure project
arckit init --classification official

# Generate security architecture
arckit.security --classification official-sensitive

# Compliance documentation
arckit.compliance --standards gdpr,iso27001

# Threat modeling
arckit.threats

# Data protection impact assessment
arckit.dpia

# Risk register with security focus
arckit.risks --focus security

# Generate control mapping
arckit.controls --framework nist-csf

Example Walkthrough: NHS Appointment System

Reference project: arckit-test-project-v7-nhs-appointment

Demonstrates comprehensive security and compliance documentation for a health data platform.

Step 1: Data Classification

ArcKit identified and classified data types:
  • Personally identifiable information (PII): Names, NHS numbers, contact details
  • Special category data: Health records, appointment reasons
  • Technical data: Audit logs, system metadata
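
Once NHS numbers are classified as PII, a practical follow-up is checking that they do not leak into lower-classified technical data such as audit logs. The sketch below is an added example, not ArcKit output or code from the reference project: it finds candidate 10-digit values and confirms them with the NHS number Modulus 11 check digit. The function names and log lines are constructed for illustration.

```python
import re

# Candidate: 10 digits, optionally grouped 3-3-4 with spaces or hyphens.
CANDIDATE = re.compile(r"(?<!\d)(\d{3})[ -]?(\d{3})[ -]?(\d{4})(?!\d)")
WEIGHTS = range(10, 1, -1)  # 10, 9, ..., 2 applied to the first nine digits


def is_valid_nhs_number(digits: str) -> bool:
    """Return True if the 10-digit string passes the NHS Modulus 11 check."""
    if len(digits) != 10 or not digits.isdigit():
        return False
    total = sum(w * int(d) for w, d in zip(WEIGHTS, digits))
    check = 11 - (total % 11)
    if check == 11:
        check = 0
    # A computed check digit of 10 means the number can never be valid.
    return check != 10 and check == int(digits[9])


def find_nhs_numbers(text: str) -> list[str]:
    """Return normalised NHS numbers found in text that pass the checksum."""
    found = []
    for m in CANDIDATE.finditer(text):
        digits = "".join(m.groups())
        if is_valid_nhs_number(digits):
            found.append(digits)
    return found


def redact(text: str) -> str:
    """Replace checksum-valid NHS numbers with a fixed marker."""
    def _sub(m):
        ok = is_valid_nhs_number("".join(m.groups()))
        return "[NHS-NUMBER]" if ok else m.group(0)
    return CANDIDATE.sub(_sub, text)


# Constructed sample audit-log lines (not from the reference project).
# 943 476 5919 is a sample value chosen because it passes the checksum.
SAMPLE_LOG = [
    "2024-05-01T09:12:03Z booking created patient=943 476 5919 clinic=12",
    "2024-05-01T09:12:04Z request id=9434765918 status=200",
    "2024-05-01T09:12:05Z sms sent ref=1234567890123",
]

if __name__ == "__main__":
    for line in SAMPLE_LOG:
        print(find_nhs_numbers(line), "|", redact(line))
```

The checksum step is what keeps false positives down: request IDs and longer digit runs in the same log are left untouched.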

Step 2: Threat Modeling

ArcKit generated a STRIDE-based threat model covering:
  • Spoofing: Patient identity verification controls
  • Tampering: Appointment record integrity protection
  • Repudiation: Audit logging for all actions
  • Information Disclosure: Encryption and access controls
  • Denial of Service: Rate limiting and availability design
  • Elevation of Privilege: Role-based access enforcement

Step 3: Security Controls

ArcKit documented controls aligned to NHS DSPT (Data Security and Protection Toolkit):
  • Authentication: NHS Identity integration, MFA for staff
  • Authorisation: Role-based access, principle of least privilege
  • Encryption: TLS 1.3 in transit, AES-256 at rest
  • Audit: Comprehensive logging with tamper protection
  • Network: Segmentation, firewall rules, DDoS protection

Step 4: GDPR Compliance

ArcKit generated GDPR compliance documentation:
  • Lawful basis: Article 6(1)(e) public task + Article 9(2)(h) health data
  • Data minimisation: Only collect appointment-relevant information
  • Purpose limitation: Data used solely for appointment booking
  • Retention: Appointment data deleted after retention period
  • Data subject rights: Access, rectification, erasure procedures
  • DPIA: Comprehensive impact assessment for health data processing

Step 5: Control Mapping

ArcKit mapped controls to multiple frameworks:
  • NHS DSPT: All 10 data security standards
  • ISO 27001:2022: Annex A controls
  • NIST Cybersecurity Framework: Identify, Protect, Detect, Respond, Recover
  • CIS Controls: Critical Security Controls v8

Key Artifacts Generated

Security Architecture

Network diagrams, zone segmentation, security boundaries

Threat Model

STRIDE analysis, attack trees, mitigation controls

DPIA

Data Protection Impact Assessment for GDPR

Control Mapping

Requirements mapped to implemented controls

Risk Register

Security risks with likelihood, impact, mitigations

Compliance Evidence

Audit-ready documentation for certifications

Compliance Frameworks Supported

  • ArcKit generates comprehensive GDPR documentation including lawful basis, data flows, retention schedules, data subject rights procedures, and DPIA content aligned with ICO guidance.
  • Documents security controls for OFFICIAL, OFFICIAL-SENSITIVE, and SECRET data. Includes network segmentation, access controls, encryption standards, and personnel security.
  • Maps controls to all 10 NHS DSPT standards covering organisational, technical, and process requirements for NHS data handling.
  • Generates control documentation aligned to ISO 27001 Annex A controls, supporting ISMS development and certification audit evidence.
  • Documents controls across the NIST Cybersecurity Framework's Identify, Protect, Detect, Respond, and Recover functions with implementation guidance.
  • Maps technical controls to CIS Controls, prioritising implementation groups based on risk profile.
  • Generates evidence for UK government baseline security certification covering firewalls, secure configuration, access control, malware protection, and patch management.

Best Practices

Security-First Design

Run arckit.security early in the design phase. Retrofitting security controls is expensive and risky. ArcKit embeds security architecture from the start.

Threat-Informed Architecture

Use arckit.threats to identify attack vectors before building. The threat model directly informs architectural decisions and control selection.

Compliance by Design

Don’t treat compliance as a documentation burden at the end. Use arckit.compliance throughout development to ensure controls are built in, not bolted on.

Data Flow Mapping

For GDPR and data protection, comprehensive data flow diagrams are essential. ArcKit documents where personal data enters, how it flows, where it’s stored, and when it’s deleted.

Control Verification

Generated control mappings must be verified during implementation. Use ArcKit documentation as the blueprint, then evidence actual implementation for audit.

Living Documentation

Security and compliance documentation must evolve with the system. Re-run ArcKit commands as architecture changes to keep documentation current.

NHS Appointment Booking

Health data security and NHS DSPT compliance

HMRC Tax Assistant

Tax data protection and GDPR compliance

Cabinet Office GenAI

OFFICIAL data security for government AI

Patent Application System

IP confidentiality and document security
