Security by Design means considering security requirements during the design phase of a system or application. You analyse threats, define the security architecture, and select secure components before the first line of code is written. This approach is far more cost-effective than retrofitting patches later. Methods include threat modelling, least-privilege design, and defence in depth. In an ISMS, Security by Design is a guideline for software development and system procurement per ISO 27001 Annex A 8.25. It complements the SDLC.