Secure Innovation Security Reviews

Secure Innovation Security Reviews have been developed to provide the UK emerging technology sector with support and guidance from a security professional to protect their intellectual property, competitive advantage, and reputations, especially from state threat actors and state backed competitors. They are particularly relevant for spin-outs and start-ups with significant potential to grow.

The Security Review scheme provides access to approved Security Reviewers who assess an organisation’s current protective security practices and provide expert guidance against a framework developed by the UK’s national technical authorities, NPSA and the NCSC. The goal is not just to implement security measures, but to position security as a strategic enabler—enhancing investor and customer confidence.

The Security Review scheme provides early-stage innovative companies holistic and actionable protective security advice to support them to protect their IP, looking at the company’s approach to protective security governance, risk and incident management, security culture, cyber security, and supply chains and partnerships.

Businesses receiving a Security Review will also receive a £300 voucher towards Cyber Essentials certification. Cyber Essentials is recommended by the NCSC as the minimum baseline for cyber security in the UK.

To be eligible to apply:

• You must be a UK registered and trading business.
• You must be a small or medium sized enterprise (under 250 people)
• You must agree to contribute £500 (including VAT) towards the cost of the Security Review.
• You must be able and willing to dedicate resource, including potential financial resource, to developing your protective security strategy.
• You must be able and willing to complete the full review process, including the 6-month follow-up review and submission of any required documentation.
• You must be working in one of the 17 sensitive areas of the economy set out in the National Security and Investment Act, or within one of the four selected areas of the UK’s Modern Industrial Strategy (see below for further details of these sectors).
• Receipt of this support is subject to the Subsidy Control Act (2022). To qualify an enterprise cannot have received more than £315,000 Minimal Financial Assistance (MFA) and or De Minimis within any three-year period (in Northern Ireland €300,000 De Minimis).
• If your business in based in Northern Ireland, please note that EU State aid rules now only apply in limited circumstances. Please see the Windsor Framework to check if these rules apply to your organisation.

National Security and Investment Act:

• Advanced materials (including semiconductors)
• Advanced robotics
• Artificial intelligence
• Civil nuclear
• Communications
• Computing hardware
• Critical suppliers to government
• Cryptographic authentication
• Data Infrastructure
• Defence
• Energy
• Military and dual-use
• Quantum Technologies
• Satellite and space technologies
• Suppliers to the emergency services
• Synthetic biology
• Transport

UK Industrial Strategy:

• Advanced Manufacturing
• Clean Energy Industries
• Defence
• Life Sciences

To encourage organisations receiving a security review to progress toward achieving Cyber Essentials certification (the NCSC recommends Cyber Essentials as the minimum standard of cyber security for all organisations), a £300 voucher code towards Cyber Essentials will be provided to each organisation after the report has been submitted. This voucher code will be sent with your successful application email.

The voucher code can be redeemable against certifying or recertifying to CE level 1 (independently verified self-assessment). Organisations wishing to use this must do so by 31st March 2026 by visiting IASME’s website https://iasme.co.uk/cyber-essentials/ where use of the voucher code will automate the £300 discount. This voucher code is non-transferable and may only be used by the organisation to which it was issued.

Secure Innovation Security Review participating businesses contribute £500 towards the service, with the remaining £2,500 funded by the scheme.

Cyber Essentials – on acceptance participating businesses will receive a £300 voucher towards cyber essentials certification.

Who are NPSA?

National Protective Security Authority (NPSA) are part of MI5. They are the UK’s national technical authority for personnel and physical security.  Their mission is to reduce the vulnerability of UK government, businesses, and academia to a range of threats, including terrorism, espionage, and sabotage. NPSA provides expert guidance to help organisations strengthen their protective security posture.

Who are the NCSC?

The National Cyber Security Centre (NCSC) are part of GCHQ. They are the UK’s national technical authority for cyber security. Their role is to make the UK the safest place to live and work online. They support the most critical organisations in the UK, the wider public sector, industry, SMEs as well as the general public.

What are state threats?

State threats are overt or covert actions by foreign governments which fall short of direct armed conflict with the UK but go beyond peaceful diplomacy and expected statecraft to harm or threaten the safety or interests of the UK or our allies.

State threats present a real and evolving risk to the UK. They can manifest in a range of forms. These include attempts to:

• steal sensitive information through espionage or cyber attacks

• threaten the public’s safety, including through physical violence.

• harm our prosperity

• undermine our values and freedoms

State threats do not only materialise against government and intelligence agencies. Some states are particularly interested in industrial or commercial information which could be used to support their own economy or military. This information may not be “classified” or an obvious target for espionage.

States may seek to exploit foreign direct investment, academic partnerships and supply chains to gain access to sensitive information.

This includes information on companies’ products and plans or commercial/academic research. State actors could seek to fast track their own technological capabilities or increase their military advantage. Examples of industries in which states show particular interest include advanced materials, biotech, and artificial intelligence. It also includes research and mainly academic research, particularly in STEM (science, technology, engineering and mathematics), dual-use technologies, emerging technology and other commercially sensitive areas. As with business information, state actors could seek to exploit research to improve their own technological or military capabilities.

Are state threats relevant to the private sector and small businesses?

Yes. State actors do not only target large corporations or government entities. In fact, companies of all sizes —especially those with lower levels of security—can be attractive targets. No business is too small or too early-stage to be of interest, particularly if it holds valuable intellectual property, innovative technologies, or sensitive data.

Can a small company really do anything to protect themselves from state threats?

Yes. There are steps businesses of any size can take to reduce their vulnerabilities to state threats. The aim of the protective security measures outlined in Secure Innovation is to reduce the risk to the business and increase the risk to the state actor trying to get hold of their assets. The better an organisation’s protective security measures are, the harder a state actor will have to try to get access to their technologies, and the greater the chance that they will be detected doing so. State actors will make a risk-benefit decision on who to target, so the higher the risk to them, the less likely they are to try.

How do you apply for a Security Review?

A company can apply for a Secure Innovation Security Review here.

Applications are assessed by Innovate UK Business Growth against the criteria set out in the application form.

Is funding guaranteed?

Secure Innovation Security Reviews is a subsidy scheme. Until all slots are filled, organisations that meet the eligibility criteria and successfully pass the application process will be offered access to a partially funded Secure Innovation Security Review. Participating companies will contribute £500; while the government will fund the remaining £2,500.

Funding for the scheme is limited and will be awarded on a first-come, first-served basis. Once the available funding has been allocated, no further awards can be made—meaning only a limited number of companies will be able to benefit from the scheme this financial year.

It should be noted that the government will fund £2,500 (including VAT) of the total cost of the review which is £3,000 (including VAT); by making an application for a Security Review an organisation is confirming their agreement to fund the remaining £500 (including VAT) of the overall cost. This will be invoiced and paid directly to the Security Reviewer.

Where do you find information on appointing an appropriate Security Reviewer who can complete the review?

Following approval of your application, your organisation will be required to appoint a Security Reviewer to carry out the review. A list of approved Security Reviewers will have been shared in the grant acceptance email. It is the organisation’s responsibility to choose an appropriate professional from this list.

All approved Security Reviewers are either Chartered Security Professionals (CSyP), appear on the Register of Security Engineers and Specialists (RSES) or are NCSC assured Cyber Advisors. They have applied to be part of this scheme, have completed training on the Secure Innovation Security Review framework with NPSA and NCSC and passed a knowledge check to demonstrate an understanding of the scheme and framework, and have signed up to complete reviews anywhere in the UK.

While we provide basic information about each professional’s experience and location preferences to assist organisations in making a selection, the framework and scope of the scheme remain consistent across all reviewers. Therefore, it is not advisable for organisations to request multiple reviewers to ‘bid’ or ‘pitch’ for the review.

We recommend that organisations appoint their chosen Security Reviewer within one week of receiving the grant acceptance email to ensure timely scheduling of the review.

What do you need to do before meeting the Security Reviewer you appoint?

Firstly, you should share the content of your confirmation email along with a copy of your application form with the appointed security reviewer.

Secondly, you should undertake the Secure Innovation Action plan preparatory work.

What do you need to do before the due date?

The deadline detailed in the confirmation email is the deadline for your Security Reviewer to have submitted a final report. Prior to this deadline a company must:

1. 1. Appoint a Security Reviewer from the list provided.
   2. Share the content of the confirmation email along with a copy of their application form to the security reviewer.
   3. Complete the preparatory work.
   4. Arrange an in-person site visit with the Security Reviewer.
   5. Review and sign-off the report.
   6. Confirm that your Security Reviewer has submitted the final report and their invoice for £2,500 via email to secureinnovation@iukbg.ukri.org
   7. The business receiving the security review will be responsible for paying the outstanding £500 to the appointed Security Reviewer.

What if you can’t complete the above by the due date?

Innovate UK Business Growth should be contacted by email secureinnovation@iukbg.ukri.org as early as possible by the party requiring an extension (either the organisation or security reviewer) to request an extension to the deadline.

If the report is not submitted within the time allowed and an extension has not been agreed; or if an extension has been agreed, but the report is not submitted before the expiry of the extension period, we will assume the review report is not going to be submitted and withdraw the funding offer. Innovate UK Business Growth will not be responsible for any costs incurred by the business or Security Reviewer if funding is withdrawn.

It is the organisation’s responsibility to ensure that the Security Reviewer is aware of the deadline detailed in the confirmation email.

Is the Security Review report confidential?

Yes. It will only be shared with selected individuals within DBT/DSIT, Innovate UK, NPSA and the NCSC.

Does the £3000 cover the cost of implementing protective security measures?

No, the £3000 is for the purposes of the security review only.

How long will the Security Review scheme run for?

Applications for the current scheme will be open until the end of the 25/26 financial year. There are grants available for 500 organisations, which will be allocated on a first-come-first-served basis to organisations who pass the eligibility criteria and assessment.

Does the review include penetration (PEN) testing?

The reviews do not include PEN testing. NCSC have the CHECK scheme which is a list of NCSC approved companies who can do cyber PEN testing. NPSA do not recommend PEN testing for physical and personnel security.

Do we get an official certification or is there a logo we can display to show we have gone through this process?

This is not a certification scheme, as there is no requirement and/or test or audit to ensure organisations have implemented the security measures recommended by the review. We do not offer a logo which companies can display to show they have gone through the process. This is to avoid the risk of the scheme being misinterpreted as a certification or accreditation scheme. However, you can mention having had a security review completed as a way of demonstrating your commitment to security.

What data will be collected as part of the Secure Innovation Security Review Scheme?

Data will be collected through various stages of the scheme, including the application process, site visit, written report, Health Check Questionnaires, and feedback surveys. This may include business contact details, security-related information, and feedback on the scheme.

Who will my data be shared with?

Your data will be shared with the following organisations involved in the funding, delivery and oversight of the scheme:

• • Department for Business and Trade (DBT)
  • Department for Science, Innovation and Technology (DSIT)
  • Innovate UK
  • National Protective Security Authority (NPSA)
  • National Cyber Security Centre (NCSC)
  • Innovate UK Business Growth service consortium delivery partner

Why is my data being shared with these organisations?

These organisations are responsible for funding, managing, delivering, and evaluating the scheme. Data sharing enables them to monitor the scheme’s effectiveness, assess behavioural change, and inform future improvements or expansion.

Will my data be used for marketing purposes?

No. Your data will not be used for marketing purposes unless you have explicitly consented to this.

Is this data sharing compliant with UK GDPR?

In accordance with the UK General Data Protection Regulation (GDPR) and the Data Protection Act 2018 (as applicable), by participating in the Secure Innovation Security Review Scheme, you acknowledge and agree that any data you provide or that is collected throughout the scheme via the site visit, written report, Health Check Questionnaires, and feedback surveys—may be shared with Innovate UK Business Growth service consortium delivery partner, the Department for Business and Trade (DBT), the Department for Science, Innovation and Technology (DSIT), the National Protective Security Authority (NPSA), and the National Cyber Security Centre (NCSC). This data will be used solely for the purposes of administering, evaluating, and improving the scheme, and for monitoring its impact. All data will be handled in accordance with applicable data protection laws and will not be used for marketing purposes without your explicit consent.

By providing your contact details, you agree to any partner mentioned above storing your information and they may contact you at a future date to learn about your experiences and to share opportunities related to other Secure Innovation products. Your data will be handled in accordance with the relevant privacy notices of each organisation as available on their websites.

Who can I contact with questions about data protection?

If you have any questions or concerns about how your data is being used, you should contact the delivery partner or the data protection officer for the scheme at secureinnovation@iukbg.ukri.org

Please contact secureinnovation@iukbg.ukri.org