NCSC's Cyber Assessment Framework (CAF)

Cyber Assessment Framework (CAF) assesses how satisfactorily an organisation manages cyber threats to core functions. The outcomes of cyber attacks vary widely, both in terms of the nature of the computer systems attacked and the goals of the attackers. Generally, very strong levels of cyber privacy and flexibility are required in cases where the potential effects of cyber disasters are highly significant or even catastrophic. The NCSC has compiled the CAF for the institutions administrating the essential services and pursuits that are to the collective advantage of all of us.

As stated in the National Cyber Strategy, the CAF is being introduced as part of a new programme aimed at improving government cyber security. Outside of government, the organisations likely to find the CAF collection most useful fall into three broad categories:

    1. Organisations within the UK Critical National Infrastructure (CNI)
    2. Organisations subject to Network and Information Systems (NIS) Regulations
    3. Organisations managing cyber-related risks to public safety

CAF Requirements

CAF was designed to meet the following requirements:

    1. Give online privacy breach resilience evaluations a framework.
    2. Uphold the outcome-focused NCSC cybercrime and resilience principles and discourage tick-box evaluations.
    3. Concede with existing protection recommendations and standards.
    4. Identify effective online breaches and resilience enhancement activities.
    5. Sector-agnostic shared core version.
    6. Accommodate sector-specific components as needed.
    7. Enable organisations to define expressive targets that may represent regulator views of adequate and proportionate security.
    8. Be simple and affordable to implement.

CAF explained

The CAF is structured around four overall security objectives and 14 cyber security principles:

Objective A: Managing security risk

Appropriate organisational structures, policies and processes are in place to understand, assess, and systemically manage security risks.


    • A1 Governance
    • A2 Risk management
    • A3 Asset management
    • A4 Supply chain

Objective B: Protecting against cyber attack

Proportionate security measures are in place to protect core government functions and critical systems from cyber attacks.


    • B1 Services protection policies and processes
    • B2 Identity and access control
    • B3 Data security
    • B4 System security
    • B5 Resilient networks and systems
    • B6 Staff awareness

Objective C: Detecting cyber security events

Capabilities to ensure security defences remain effective and to detect cyber security events affecting, or with the potential to affect core government functions.


    • C1 Security monitoring
    • C2 Proactive security event discovery

Objective D: Minimising the impact of cyber security incidents

Appropriate organisational structures, policies and processes are in place to understand, assess and systemically manage security risks.


    • D1 Response and recovery planning
    • D2 Lessons learned

The objectives should be viewed as interdependent, where the CAF should contribute to performing continual security improvement activity through the detection of incidents and events contributing to lessons learned and the continual refinement of existing security measures.

Indicators Of Good Practices (IGP)

The Indicators of Good Practice (IGP) are a set of statements developed by NCSC that describe what a good practice looks like in a particular area of cyber security. The IGP covers a range of cyber security practices across different categories, including governance, risk management, access control, network security, and incident management.

The IGP statements are meant to serve as a guide for companies to better understand what constitutes secure practices and how to implement them.

Each outcome is associated with a set of IGPs which are broken down into the following three categories with an explanation of how they should be interpreted, and recommended that these are worked through from top to bottom:

    1. Not achieved: The ‘not achieved’ column of an IGP table defines the typical characteristics of an organisation not achieving that outcome. It is intended that the presence of any one indicator would normally be sufficient to justify an assessment of ‘not achieved’ at the contributing outcome level.
    2. Partially achieved: When present, the ‘partially achieved’ column of an IGP table defines the typical characteristics of an organisation partially achieving that outcome. It is also important that the partial achievement is delivering specific worthwhile cyber security benefits. Assessing at ‘partially achieved’ should represent more than giving credit for doing something vaguely relevant.
    3. Achieved: The ‘achieved’ column of an IGP table defines the typical characteristics of an organisation fully achieving that outcome. It is intended that all the indicators would normally be present to support an assessment of ‘achieved’ at the contributing outcome level.