diff --git a/helm/Chart.yaml b/helm/Chart.yaml
new file mode 100644
index 00000000..93e61830
--- /dev/null
+++ b/helm/Chart.yaml
@@ -0,0 +1,5 @@
+apiVersion: v2
+name: engineering-guidance-and-standards
+description: A Helm chart for Engineering Guidance and Standards
+type: application
+version: 1.0.0
diff --git a/helm/templates/_helpers.tpl b/helm/templates/_helpers.tpl
new file mode 100644
index 00000000..a46435f6
--- /dev/null
+++ b/helm/templates/_helpers.tpl
@@ -0,0 +1,6 @@
+{{/*
+Name of the chart.
+*/}}
+{{- define "app.name" -}}
+{{- .Chart.Name | trunc 63 | trimSuffix "-" }}
+{{- end }}
diff --git a/helm/templates/deployment.yaml b/helm/templates/deployment.yaml
new file mode 100644
index 00000000..419b2b5d
--- /dev/null
+++ b/helm/templates/deployment.yaml
@@ -0,0 +1,28 @@
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ name: {{ include "app.name" . }}
+spec:
+ selector:
+ matchLabels:
+ app: {{ include "app.name" . }}
+ replicas: 1
+ template:
+ metadata:
+ labels:
+ app: {{ include "app.name" . }}
+ spec:
+ containers:
+ - name: {{ .Chart.Name }}
+ image: {{ .Values.app.image.repository }}:{{ .Values.app.image.version }}
+ imagePullPolicy: Always
+ resources:
+ requests:
+ memory: "20Mi"
+ cpu: "100m"
+ limits:
+ memory: "400Mi"
+ cpu: "500m"
+ ports:
+ - containerPort: {{ .Values.app.port }}
diff --git a/helm/templates/ingress-external.yaml b/helm/templates/ingress-external.yaml
new file mode 100644
index 00000000..70024efa
--- /dev/null
+++ b/helm/templates/ingress-external.yaml
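Review bot: The container in the new deployment.yaml has no `securityContext`, so it runs with whatever user, capabilities and writable root filesystem the image and namespace defaults provide. Adding an explicit context under the container entry makes the least-privilege posture part of the chart rather than an assumption about the cluster. Two things to verify before merging such a change: values.yaml sets `app.port: 80`, and a non-root process may not be able to bind a port below 1024 on every runtime, so the image may need to listen on an unprivileged port; and a read-only root filesystem may require an `emptyDir` for any temp or cache paths the server writes to.

```yaml
      containers:
        - name: {{ .Chart.Name }}
          # … unchanged: image, imagePullPolicy, resources, ports …
          securityContext:
            runAsNonRoot: true
            allowPrivilegeEscalation: false
            readOnlyRootFilesystem: true
            capabilities:
              drop:
                - ALL
```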
@@ -0,0 +1,29 @@
+{{- if .Values.ingress.external.enabled }}
+---
+apiVersion: networking.k8s.io/v1
+kind: Ingress
+metadata:
+ name: {{ include "app.name" . }}-external
+ labels:
+ cert-manager.io/solver: route53
+ annotations:
+ cert-manager.io/enabled: "true"
+ ingress.kubernetes.io/force-ssl-redirect: "true"
+spec:
+ ingressClassName: "nginx-external"
+ tls:
+ - hosts:
+ - {{ .Values.ingress.external.host }}
+ secretName: {{ include "app.name" . }}-external
+ rules:
+ - host: {{ .Values.ingress.external.host }}
+ http:
+ paths:
+ - path: /
+ pathType: ImplementationSpecific
+ backend:
+ service:
+ name: {{ include "app.name" . }}
+ port:
+ number: {{ .Values.service.port }}
+{{- end }}
diff --git a/helm/templates/ingress-internal.yaml b/helm/templates/ingress-internal.yaml
new file mode 100644
index 00000000..2a76ddca
--- /dev/null
+++ b/helm/templates/ingress-internal.yaml
@@ -0,0 +1,29 @@
+{{- if .Values.ingress.internal.enabled }}
+---
+apiVersion: networking.k8s.io/v1
+kind: Ingress
+metadata:
+ name: {{ include "app.name" . }}-internal
+ labels:
+ cert-manager.io/solver: route53
+ annotations:
+ cert-manager.io/enabled: "true"
+ ingress.kubernetes.io/force-ssl-redirect: "true"
+spec:
+ ingressClassName: "nginx-internal"
+ tls:
+ - hosts:
+ - {{ .Values.ingress.internal.host }}
+ secretName: {{ include "app.name" . }}-internal
+ rules:
+ - host: {{ .Values.ingress.internal.host }}
+ http:
+ paths:
+ - path: /
+ pathType: ImplementationSpecific
+ backend:
+ service:
+ name: {{ include "app.name" . }}
+ port:
+ number: {{ .Values.service.port }}
+{{- end}}
diff --git a/helm/templates/networkpolicy.yaml b/helm/templates/networkpolicy.yaml
new file mode 100644
index 00000000..ab96f5a0
--- /dev/null
+++ b/helm/templates/networkpolicy.yaml
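Review bot: The `ingress.kubernetes.io/force-ssl-redirect: "true"` annotation only has an effect if the controller serving `nginx-external` is configured to read that annotation prefix. The ingress-nginx default prefix is `nginx.ingress.kubernetes.io`, and under that default this line is silently ignored and HTTPS redirection falls back to whatever the controller does on its own. Please confirm which prefix the cluster's controllers use, and if it is the default, write `nginx.ingress.kubernetes.io/force-ssl-redirect: "true"`. The ingress-internal.yaml hunk carries the same annotation and needs the same check. In both templates the host is rendered unquoted; `{{ .Values.ingress.external.host | quote }}` (and the internal equivalent) keeps an empty or odd override from producing a null or mis-typed YAML value.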
@@ -0,0 +1,19 @@
+---
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+ name: {{ include "app.name" . }}-service-policy
+spec:
+ podSelector:
+ matchLabels:
+ app: {{ include "app.name" . }}
+ policyTypes:
+ - Ingress
+ ingress:
+ - from:
+ - namespaceSelector:
+ matchLabels:
+ name: ingress-internal
+ - namespaceSelector:
+ matchLabels:
+ name: ingress-external
diff --git a/helm/templates/service.yaml b/helm/templates/service.yaml
new file mode 100644
index 00000000..0229483b
--- /dev/null
+++ b/helm/templates/service.yaml
@@ -0,0 +1,13 @@
+---
+apiVersion: v1
+kind: Service
+metadata:
+ name: {{ include "app.name" . }}
+spec:
+ selector:
+ app: {{ include "app.name" . }}
+ type: ClusterIP
+ ports:
+ - name: https
+ port: 443
+ targetPort: {{ .Values.app.port }}
diff --git a/helm/values.yaml b/helm/values.yaml
new file mode 100644
index 00000000..d6f48b78
--- /dev/null
+++ b/helm/values.yaml
@@ -0,0 +1,16 @@
+app:
+ image:
+ repository: quay.io/ukhomeofficedigital/engineering-guidance-and-standards
+ version:
+ port: 80
+
+service:
+ port: 443
+
+ingress:
+ internal:
+ enabled: true
+ host: engineering.internal.sas.homeoffice.gov.uk
+ external:
+ enabled: false
+ host: engineering.homeoffice.gov.uk
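Review bot: The single ingress rule in networkpolicy.yaml lists `from` peers but no `ports`, so any pod in the two selected namespaces can reach every port on the application pods, not only the serving port. Adding a `ports:` list to the rule with `- port: {{ .Values.app.port }}` and `protocol: TCP` narrows it to the port the Service targets. The selectors also match on a `name` label, which is not set by Kubernetes itself and matches any namespace that carries it. If the ingress namespaces are actually named that way, `kubernetes.io/metadata.name: ingress-internal` (and `ingress-external`) matches on the label the API server sets automatically. Otherwise, confirm that the cluster controls who may apply the `name` label.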
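Review bot: service.yaml hard-codes `port: 443`, while both ingress templates point their backend at `.Values.service.port`, so overriding `service.port` would leave the ingresses referencing a port the Service does not expose. Use `port: {{ .Values.service.port }}` here so the two stay in step. The port is also named `https` although its `targetPort` is `app.port`, which values.yaml sets to 80. If the container serves plain HTTP on that port, the name suggests TLS that is not there on the ingress-to-pod hop, and `http` would describe it more honestly.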
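Review bot: `app.image.version` in values.yaml is a bare key, which YAML reads as null, so installing the chart without an override most likely renders the deployment image as `repository:` with an empty tag. The pod would then fail to pull, or the chart would depend on an undocumented `--set`. If the tag is meant to be supplied by the pipeline, add a comment on the key saying so and make the template fail fast with `{{ required "app.image.version must be set" .Values.app.image.version }}` in deployment.yaml. Because the deployment uses `imagePullPolicy: Always`, a mutable tag can change what runs between pod restarts. Supplying an immutable tag or an image digest keeps the deployed content tied to what was reviewed.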