The Cyber Assessment Framework is a mechanism designed by NCSC for assuring the security of organisations. The CAF is tailored towards the needs of Critical National Infrastructure, to meet the NIS regulations, but the objectives can be used by other organisations.
In addition to national public-sector and infrastructure bodies, the CAF is also being used by local government.
Principles
The CAF has fourteen principles, grouped under four objectives. These set high-level objectives which fit the needs of organisations handling high-impact data or performing essential functions. They have some similarities to, but are not identical with, the categories of controls used by ISO 27001:2013.
Objective A: Managing security risk
- A.1 Governance
- A.2 Risk management
- A.3 Asset management
- A.4 Supply chain
Objective B: Protecting against cyber attack
- B.1 Service protection policies and procedures
- B.2 Identity and access control
- B.3 Data security
- B.4 System security
- B.5 Resilient networks and systems
- B.6 Staff awareness and training
Objective C: Detecting cyber security events
- C.1 Security monitoring
- C.2 Anomaly detection
Objective D: Minimising the impact of cyber security incidents
- D.1 Response and recovery planning
- D.2 Improvements
Each of these is linked to "outcomes" and "contributing outcomes". There are a total of 14 outcomes and 39 contributing outcomes. NCSC has published Indicators of Good Practice (IGPs); the IGP tables can be used to assess whether each objective has been "Achieved", "Partially achieved", or "Not achieved". Organisations are expected to self-assess and to draw up an improvement roadmap. Competent Authorities review the assessment and the roadmap.