
Cyber Assessment Framework

Article snapshot taken from Wikipedia with Creative Commons Attribution-ShareAlike license.

The Cyber Assessment Framework is a mechanism designed by NCSC for assuring the security of organisations. The CAF is tailored towards the needs of Critical National Infrastructure, to meet the NIS regulations, but the objectives can be used by other organisations.

In addition to national public-sector and infrastructure bodies, the CAF is also being used by local government.

Principles

The CAF has fourteen objectives, grouped into four categories. These set high-level objectives which fit the needs of organisations handling high-impact data or performing essential functions. They have some similarities to the categories of controls used by ISO 27001:2013, but are not identical to them.

Objective A: Managing security risk

  • A.1 Governance
  • A.2 Risk management
  • A.3 Asset management
  • A.4 Supply chain

Objective B: Protecting against cyber attack

  • B.1 Service protection policies and procedures
  • B.2 Identity and access control
  • B.3 Data security
  • B.4 System security
  • B.5 Resilient networks and systems
  • B.6 Staff awareness and training

Objective C: Detecting cyber security events

  • C.1 Security monitoring
  • C.2 Anomaly detection

Objective D: Minimising the impact of cyber security incidents

  • D.1 Response and recovery planning
  • D.2 Improvements

Each of these is linked to "outcomes" and "contributing outcomes". There are a total of 14 outcomes and 39 contributing outcomes. NCSC has published Indicators of Good Practice (IGP); IGP tables can be used to assess whether each objective has been "Achieved", "Not achieved", or "Partially achieved". Organisations are expected to self-assess and to draw up an improvement roadmap. Competent Authorities review the assessment and the roadmap.
