NCSC Cyber Assessment Framework (CAF) Assessment & GovAssure Readiness

The Cyber Assessment Framework (CAF) is a security assurance and governance framework created by the UK National Cyber Security Centre (NCSC). It is primarily designed for organisations operating essential services across sectors such as energy, healthcare, transport, digital infrastructure and government. The framework supports both internal assessments and external oversight bodies, helping organisations meet legal and regulatory requirements, including the NIS Regulations.

Who is it for?

The CAF provides a structured method to assess how well an organisation is protecting essential services against cyber threats. It helps safeguard businesses, citizens and public services.

More specifically, it applies to:

  • Organisations subject to the Network and Information Systems (NIS) Regulations
  • Organisations within the UK Critical National Infrastructure (CNI)
  • Organisations managing cyber-related risks to public safety
  • Public-sector bodies supporting core government functions
  • Other organisations or sectors that may find the CAF a useful governance and assurance tool

Why use the CAF?

The main benefits of using the CAF include:

  • Aligns security with the NIS Regulations, demonstrating compliance to regulators and helping avoid penalties
  • Focuses on the resilience of essential services, protecting people, the economy and national security
  • Offers a risk-based, outcome-focused approach, allowing flexible implementation without prescriptive controls
  • Drives continual improvement over time, rather than acting as a one-off audit
  • Supports regulator oversight by providing a consistent method to assess multiple operators

What does it cover?

The CAF is divided into 14 cyber security principles, grouped into four overarching objectives:

Objective A: Managing security risk

  • A1 Governance
  • A2 Risk Management
  • A3 Asset Management
  • A4 Supply Chain

Objective B: Protecting against cyber attack

  • B1 Service Protection Policies, Processes and Procedures
  • B2 Identity & Access Control
  • B3 Data Security
  • B4 System Security
  • B5 Resilient Networks & Systems
  • B6 Staff Awareness & Training

Objective C: Detecting cyber security events

  • C1 Security Monitoring
  • C2 Threat Hunting

Objective D: Minimising the impact of cyber security incidents

  • D1 Response and Recovery Planning
  • D2 Lessons Learnt

Some regulators, including the NHS, introduce additional objectives, described as objective E, to address sector-specific risks.

Where required, we incorporate these additional controls and objectives to ensure full alignment with regulatory expectations.

Who can do it?

The NCSC CAF provides a systematic approach to assessing how well cyber risks to essential functions are being managed. CAF-based assessments can be carried out by the responsible organisation itself (self-assessment) or by an NCSC-assured commercial service provider such as GRC Solutions.

GRC Solutions CAF services

To avoid a conflict of interest, GRC Solutions can provide either the advisory services below or the independent audit of your self-assessment, but not both.

  • Scoping: identify critical services, stakeholders, evidence sources and assessment boundaries.
  • CAF maturity assessment: review current controls, processes and documentation against CAF objectives and principles.
  • Evidence review: validate existing evidence and identify gaps.
  • Gap analysis and prioritisation: clear, actionable findings mapped to risk, resources and regulatory deadlines.
  • Independent audit: audit your self-assessment to validate your findings.
  • Improvement roadmap: practical steps to reach the required maturity level.
  • Support and remediation: policy development, risk management improvements and advisory support.

Why GRC Solutions?

Whether you're preparing for self-assessment or undertaking an independent audit, GRC Solutions provides efficient, specialist CAF assessment expertise tailored to your organisation.

  • NCSC certified: we are certified by the NCSC to provide Cyber Resilience Audit (CRA) services through our Chartered Cyber Security Professionals.
  • Clear guidance: we offer straightforward guidance with no jargon and no ambiguity.
  • Outcome focused: we focus on outcomes, not documentation for the sake of it.
  • Regulator ready: we provide assessment output that stands up to scrutiny by regulators and senior stakeholders.

Get tailored cyber security and compliance support for your CAF project

Get clear advice on your risks, controls and regulator expectations. Fill in the form and one of our experts will review your position and outline the next steps.