Cyber Assessment Framework

The Cyber Assessment Framework (CAF) is a mechanism designed by the NCSC for assuring the security of organisations. The CAF is tailored to the needs of Critical National Infrastructure operators, to meet the NIS Regulations, but its objectives can be used by other organisations.

In addition to national public-sector and infrastructure bodies, the CAF is also being used by local government.

Principles
The CAF has fourteen principles (outcomes), grouped under four high-level objectives. These objectives are framed to fit the needs of organisations handling high-impact data or performing essential functions. They have some similarities to, but are not identical with, the categories of controls used by ISO 27001:2013. The four objectives are:

 * Objective A: Managing security risk
 * Objective B: Protecting against cyber attack
 * Objective C: Detecting cyber security events
 * Objective D: Minimising the impact of cyber security incidents

Each objective is linked to "outcomes" and "contributing outcomes"; there are 14 outcomes and 39 contributing outcomes in total. The NCSC has published Indicators of Good Practice (IGPs); the IGP tables can be used to assess whether each objective has been "Achieved", "Partially achieved", or "Not achieved". Organisations are expected to self-assess against the framework and to draw up an improvement roadmap. Competent Authorities review both the assessment and the roadmap.

The fourteen outcomes, by objective, are:
 * A.1 Governance
 * A.2 Risk management
 * A.3 Asset management
 * A.4 Supply chain
 * B.1 Service protection policies and procedures
 * B.2 Identity and access control
 * B.3 Data security
 * B.4 System security
 * B.5 Resilient networks and systems
 * B.6 Staff awareness and training
 * C.1 Security monitoring
 * C.2 Anomaly detection
 * D.1 Response and recovery planning
 * D.2 Improvements