Cyber Assessment Framework

The Cyber Assessment Framework (CAF) is an assessment mechanism designed by the UK National Cyber Security Centre (NCSC) for assuring the cyber security of organisations. The CAF is tailored to the needs of Critical National Infrastructure operators, to help them meet the NIS Regulations, but its objectives can be used by other organisations. In addition to national public-sector and infrastructure bodies, the CAF is also used by local government.


Principles

The CAF has fourteen principles, grouped into four objectives. These set high-level goals that fit the needs of organisations handling high-impact data or performing essential functions. They have some similarities to, but are not identical with, the control categories used by ISO 27001:2013.

Objective A: Managing security risk
* A.1 Governance
* A.2 Risk management
* A.3 Asset management
* A.4 Supply chain

Objective B: Protecting against cyber attack
* B.1 Service protection policies and procedures
* B.2 Identity and access control
* B.3 Data security
* B.4 System security
* B.5 Resilient networks and systems
* B.6 Staff awareness and training

Objective C: Detecting cyber security events
* C.1 Security monitoring
* C.2 Anomaly detection

Objective D: Minimising the impact of cyber security incidents
* D.1 Response and recovery planning
* D.2 Improvements

Each principle is linked to "outcomes" and "contributing outcomes"; there are 14 outcomes and 39 contributing outcomes in total. NCSC has published Indicators of Good Practice (IGPs); the IGP tables are used to assess whether each contributing outcome is "Achieved", "Partially achieved", or "Not achieved". Organisations are expected to self-assess against the framework and to draw up an improvement roadmap; the relevant Competent Authority reviews both the assessment and the roadmap.


Further reading


Introduction to the Cyber Assessment Framework


See also

* ISO 27001
* GovAssure
* Cyber Essentials
* Security Policy Framework

