Start typing to search
  • Popular Searches
  • AI governance
  • Data privacy and the GDPR
  • PCI DSS
  • Cyber essentials
  • ISO 27001
  • SOC 2
Get a quote
GRC Wave Graphics

NCSC Cyber Assessment Framework (CAF) Assessment & GovAssure Readiness

Speak to an expert
CAF

A Practical Framework for Cyber Governance and Compliance

The Cyber Assessment Framework (CAF) is a security assurance and governance framework created by the UK National Cyber Security Centre (NCSC). It is primarily designed for organisations operating essential services across sectors such as energy, healthcare, transport, digital infrastructure and government. The framework supports both internal assessments and external oversight bodies, helping organisations meet legal and regulatory requirements, including the NIS Regulations.
Download the brochure Get the 10 step checklist
Swipe to view more

Who is it for?

The CAF provides a structured method to assess how well an organisation is protecting essential services against cyber threats. It helps safeguard businesses, citizens and public services.

More particularly, it applies to:

Organisations subject to the Network and Information Systems (NIS) Regulations
Organisations within the UK Critical National Infrastructure (CNI)
Organisations managing cyber-related risks to public safety
Public-sector bodies supporting core government functions
Other organisations or sectors that may find the CAF a useful governance and assurance tool

Why use the CAF?

The main benefits of using the CAF include:

Aligns security with the NIS Regulations, demonstrating compliance to regulators and helping avoid penalties
Focuses on the resilience of essential services, protecting people, the economy and national security
Offers a risk-based, outcome-focused approach, allowing flexible implementation without prescriptive controls
Drives continual improvement over time, rather than acting as a one-off audit
Supports regulator oversight by providing a consistent method to assess multiple operators

What does it cover?

The CAF is divided into 14 cyber security principles, grouped into four overarching objectives.

Some regulators apply additional sector-specific requirements, which are described in objective E.

  • A1 Governance
  • A2 Risk Management
  • A3 Asset Management
  • A4 Supply Chain

  • B1 Service Protection Policies, Processes and Procedures
  • B2 Identity & Access Control
  • B3 Data Security
  • B4 System Security
  • B5 Resilient Networks & Systems
  • B6 Staff Awareness & Training

  • C1 Security Monitoring
  • C2 Threat Hunting

  • D1 Response and Recovery Planning
  • D2 Lessons Learnt

Some regulators, including the NHS, introduce additional CAF objectives to address sector-specific risks.

Where required, we incorporate these additional controls and objectives to ensure full alignment with regulatory expectations.

Who can do it?

The NCSC CAF provides a systematic approach to assessing how well cyber risks to essential functions are being managed. CAF-based assessments can be carried out by the responsible organisation itself (self-assessment) or by an NCSC-assured commercial service provider such as GRC Solutions.

GRC Solutions CAF services

To avoid conflict of interest, GRC Solutions can provide either the below services or the independent audit, but not both.

Scoping

Identify critical services, stakeholders, evidence sources and assessment boundaries

CAF maturity assessment

Review current controls, processes and documentation against CAF objectives and principles

Evidence review

Validate existing evidence and identify gaps

Gap analysis and prioritisation

Clear, actionable findings mapped to risk, resources and regulatory deadlines

Independent audit

Audit your self-assessment to validate your findings

Improvement roadmap

Practical steps to reach the required maturity level

Support and remediation

Policy development, risk management improvements and advisory support

Why GRC Solutions?

Whether you're preparing for self-assessment or undertaking an independent audit, GRC Solutions provides efficient, specialist CAF assessment expertise tailored to your organisation.

NCSC certified

We are certified by the NCSC to provide Cyber Resilience Audit (CRA) services through our Chartered Cyber Security Professionals

Clear guidance

We offer straightforward guidance with no jargon and no ambiguity

Outcome focused

We focus on outcomes, not documentation for the sake of it

Regulator ready

We provide assessment output that stands up to scrutiny by regulators and senior stakeholders

Get tailored cyber security and compliance support for your CAF project

Get clear advice on your risks, controls and regulator expectations. Fill in the form and one of our experts will review your position and outline the next steps.

NCSC logo

CAF Assessment & GovAssure Readiness FAQs

The Cyber Assessment Framework (CAF) is the UK’s benchmark for cyber resilience in essential and high-impact organisations. It helps organisations demonstrate to regulators and stakeholders that they have appropriate risk management, security controls and governance in place to protect critical services.

CAF assessment is expected for organisations in regulated sectors such as financial services, energy, telecommunications, transport and healthcare. It should be done when regulators request evidence, when there’s a business risk review cycle, or ahead of external audits and preparedness programmes.

The cost of a CAF assessment depends on organisational size, complexity, maturity of existing controls, and the scope of the assessment. Costs typically include readiness diagnostics, control mapping, evidence collection, testing activities and reporting. Early readiness work often reduces the overall cost by highlighting gaps before formal assessment begins.

GovAssure readiness refers to structured preparation aligned to government and regulator expectations for frameworks such as CAF. It ensures organisations can show structured governance, risk management and evidence of control effectiveness before an official assessment or regulator enquiry.

A CAF assessment reviews core areas such as governance, risk management, asset and configuration management, identity controls, protective monitoring, response and recovery planning, supplier management and staff awareness. It examines both policy and operational effectiveness of controls.

The duration of a CAF assessment varies by organisation size and maturity but typically ranges from a few weeks for smaller scoped assessments to several months for enterprise or multi-site organisations. Early readiness work accelerates the process and improves quality of outcomes.

CAF assessment produces structured evidence and reporting that aligns with regulator expectations, risk registers, internal audits and governance requirements. This evidence strengthens regulator confidence, supports audits, and reduces the risk of enforcement action.

The Cyber Assessment Framework defines the security and resilience outcomes organisations are expected to achieve. GovAssure is the government assurance approach used to assess and validate how well organisations meet those outcomes. CAF sets the standard, while GovAssure provides the assessment and assurance mechanism.

Successful CAF assessments require evidence such as risk assessments, policies, procedures, configuration baselines, incident logs, staff training records, supplier risk assessments, monitoring outputs and audit trails that demonstrate how controls operate in daily practice.

After a CAF assessment, organisations receive a report highlighting strengths, gaps and areas for improvement. This enables prioritised action planning, risk mitigation, evidence improvement and roadmap development to elevate cyber resilience and regulator confidence over time.