If your organisation delivers essential services in the UK — in government, infrastructure or a regulated sector — you’ve probably come across the Cyber Assessment Framework (CAF).
Understanding the CAF is one thing. Knowing how to get real value from it is another. There’s a lot to manage — shifting priorities, changing guidance, and multiple frameworks to align with. It’s not always clear what good looks like, or where to focus first.
Developed by the National Cyber Security Centre (NCSC), the CAF is a high-level, outcome-focused framework that helps organisations assess and strengthen their cyber resilience.
It’s being used by operators of essential services under the Network and Information Systems (NIS) Regulations and is becoming increasingly central across both the public and private sectors — particularly within Critical National Infrastructure (CNI).
This blog breaks down what the CAF is, why it matters, and what’s involved in preparing for an assessment.
Why adopt the CAF?
The short version: clarity, consistency, and accountability.
The CAF enables organisations to assess cyber risk and resilience against a recognised, national-level standard — one that’s aligned across government and CNI. By adopting the framework, organisations can clearly demonstrate how they’re managing cyber threats to the systems that underpin essential functions.
For government, this means greater visibility across departments and sectors — enabling more targeted remediation, better prioritisation, and a stronger collective response to cyber risk. For organisations, it provides structure, direction, and a shared language for tackling complex challenges.
What is the Cyber Assessment Framework?
The CAF helps organisations show how they’re managing cyber risks, with a focus on essential functions. These are the systems and services that, if disrupted, could seriously affect the public, the economy or national security.
The framework is built around:
- 4 security objectives
- 14 outcomes (or principles)
- 39 contributing outcomes
- And a set of Indicators of Good Practice (IGPs)
It can be used in two ways: as a self-assessment tool, and as the basis for independent assurance reviews such as GovAssure.
The Four Security Objectives
Here’s a quick overview of what the Cyber Assessment Framework covers:
A: Managing Security Risk
This objective focuses on the structures, policies, and processes needed to manage cyber risk across your organisation.
B: Protecting Against Cyber Attack
Security controls that protect critical services and systems from compromise.
C: Detecting Cyber Security Events
Detection capabilities that help ensure threats don’t go unnoticed.
- C1 Security Monitoring
- C2 Proactive Security Event Discovery
D: Minimising the Impact of Cyber Security Incidents
Planning and processes that ensure incidents are managed and learned from effectively.
- D1 Response and Recovery Planning
- D2 Lessons Learned
These objectives are interconnected. Strong governance (A) enables better protection (B), which supports effective detection (C) and faster recovery (D). You can’t do one in isolation and expect resilience.
What are Contributing Outcomes and IGPs?
Each of the 14 outcomes is supported by a set of contributing outcomes — 39 in total. These represent specific areas where evidence is needed to demonstrate how your organisation is managing cyber risk.
To guide this process, the NCSC has developed Indicators of Good Practice (IGPs). These aren’t tick-lists or box-checking exercises — they’re a reference point to support internal discussions and shape realistic assessments of what’s working and what needs attention.
Each contributing outcome is assessed as:
- Not Achieved
- Partially Achieved
- Achieved
Not every outcome needs to be fully achieved. The CAF is risk-based for a reason — it recognises that not all systems face the same level of threat, and the response should reflect that.
Introducing CAF Government Profiles
For organisations going through GovAssure, two official CAF profiles have been developed to define the expected standard of achievement:
Baseline Profile
This is the minimum standard for all organisations under GovAssure. It assumes that a threat may be detected later in the attack chain — and that third-party notification might play a role in identification. It sets a reasonable, risk-based benchmark.
Enhanced Profile
Organisations facing higher threat levels — like those handling sensitive data, operating across multiple sites, or supporting national security — may need to follow the enhanced profile. It sets a higher bar for controls, especially when it comes to early detection and system-level protection.
The Enhanced profile does not imply a higher classification level, and it doesn’t expect organisations to be immune to every advanced threat. It reflects a more demanding threat landscape — and asks for an appropriate response to it.
A Practical Approach to Preparation
If you’re preparing for a CAF assessment, here’s how to start:
- Understand Your Essential Functions
Begin by clearly defining what parts of your organisation deliver essential services, and which systems support them. These functions form the foundation of the assessment.
- Map Contributing Outcomes To Your Current Posture
Review the 39 contributing outcomes and compare them to your current controls.
Where do you meet the expectation?
Where are you partially there?
Where are the gaps?
- Use The ‘Indicators of Good Practice’ To Shape Evidence Gathering
IGPs help you translate outcomes into practical controls. Use them to support internal workshops and guide how you approach evidence collection.
- Be Clear On Organisational Vs. System-Level Requirements
Objectives A and D are typically organisational-level, meaning they apply across multiple systems. Objectives B and C are system-specific — and will need to be reviewed separately for each essential system in scope.
- Don’t Over-Engineer It
Not every goal will be fully met, and that’s okay. What matters is that you base your choices on clear risks and can justify them. The goal is appropriate resilience, not over-compliance.
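The preparation steps above (mapping the 39 contributing outcomes to your current posture, rating each as Not Achieved, Partially Achieved or Achieved, and keeping organisational and system-level objectives apart) can be turned into a small gap-analysis routine. The Python below is an added example written for this post; it is not NCSC tooling and contains no real CAF profile data. The target levels, the two system names and the recorded ratings are constructed placeholders, and while C1, C2, D1 and D2 come from the post, A1 and B1 are used as stand-ins for outcomes the post does not list individually. It rates any outcome with no recorded evidence as Not Achieved, so missing evidence surfaces as a gap rather than passing silently, and it rejects evidence recorded at the wrong level (an A or D outcome scoped to a single system, or a B or C outcome scoped to the whole organisation).

```python
"""CAF gap analysis: added example, not NCSC tooling. All data is constructed."""
from dataclasses import dataclass
from enum import IntEnum


class Level(IntEnum):
    """The three achievement levels the CAF assigns to each contributing outcome."""
    NOT_ACHIEVED = 0
    PARTIALLY_ACHIEVED = 1
    ACHIEVED = 2


ORG_WIDE_OBJECTIVES = {"A", "D"}      # assessed once, across the organisation
SYSTEM_LEVEL_OBJECTIVES = {"B", "C"}  # assessed separately for each essential system
ORG_SCOPE = "organisation"


def objective_of(outcome_id: str) -> str:
    """'C1' -> 'C'. Outcome IDs here are principle-level stand-ins for the example."""
    return outcome_id[:1].upper()


def scopes_for(outcome_id: str, systems) -> list:
    """Which scopes need a rating: the organisation for A/D, each system for B/C."""
    if objective_of(outcome_id) in ORG_WIDE_OBJECTIVES:
        return [ORG_SCOPE]
    return list(systems)


def validate_assessment(assessment, systems) -> None:
    """Reject evidence recorded at the wrong level (organisational vs system)."""
    for outcome_id, scope in assessment:
        objective = objective_of(outcome_id)
        if objective in ORG_WIDE_OBJECTIVES and scope != ORG_SCOPE:
            raise ValueError(f"{outcome_id} is organisation-wide, not per-system ({scope!r})")
        if objective in SYSTEM_LEVEL_OBJECTIVES and scope not in systems:
            raise ValueError(f"{outcome_id} must be rated per essential system, got {scope!r}")


@dataclass(frozen=True)
class Finding:
    outcome: str
    scope: str
    current: Level
    target: Level

    @property
    def shortfall(self) -> int:
        """How many levels short of the target profile this outcome sits."""
        return int(self.target) - int(self.current)


def gap_analysis(target_profile, assessment, systems) -> list:
    """Compare recorded ratings with a target profile; biggest shortfalls first."""
    validate_assessment(assessment, systems)
    findings = []
    for outcome_id, target in target_profile.items():
        for scope in scopes_for(outcome_id, systems):
            # No recorded evidence counts as Not Achieved so the gap is surfaced.
            current = assessment.get((outcome_id, scope), Level.NOT_ACHIEVED)
            if current < target:
                findings.append(Finding(outcome_id, scope, current, target))
    findings.sort(key=lambda f: (-f.shortfall, f.outcome, f.scope))
    return findings


def summarise_by_objective(findings) -> dict:
    """Count open gaps per security objective (A-D) for a quick prioritisation view."""
    counts = {}
    for f in findings:
        counts[objective_of(f.outcome)] = counts.get(objective_of(f.outcome), 0) + 1
    return counts


# Constructed sample data: placeholder target levels, not a real CAF profile.
SAMPLE_TARGET_PROFILE = {
    "A1": Level.ACHIEVED, "B1": Level.ACHIEVED,
    "C1": Level.PARTIALLY_ACHIEVED, "C2": Level.PARTIALLY_ACHIEVED,
    "D1": Level.ACHIEVED, "D2": Level.PARTIALLY_ACHIEVED,
}
SAMPLE_SYSTEMS = ("billing-platform", "control-network")  # constructed names
SAMPLE_ASSESSMENT = {
    ("A1", ORG_SCOPE): Level.ACHIEVED,
    ("D1", ORG_SCOPE): Level.PARTIALLY_ACHIEVED,
    ("D2", ORG_SCOPE): Level.PARTIALLY_ACHIEVED,
    ("B1", "billing-platform"): Level.ACHIEVED,
    ("B1", "control-network"): Level.NOT_ACHIEVED,
    ("C1", "billing-platform"): Level.PARTIALLY_ACHIEVED,
    ("C1", "control-network"): Level.NOT_ACHIEVED,
    ("C2", "billing-platform"): Level.PARTIALLY_ACHIEVED,
    # C2 on control-network deliberately unrecorded: treated as Not Achieved.
}

if __name__ == "__main__":
    for f in gap_analysis(SAMPLE_TARGET_PROFILE, SAMPLE_ASSESSMENT, SAMPLE_SYSTEMS):
        print(f"{f.outcome} [{f.scope}]: {f.current.name} -> {f.target.name} (shortfall {f.shortfall})")
```

The sort order matters more than it looks: it puts the largest shortfall first, so the constructed `B1` rating on `control-network` (two levels short) leads the list, ahead of the single-level gaps. Swap in your own target levels per profile and your own scoped evidence and the same routine produces the "where are the gaps" view the steps above ask for.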
Final thoughts: Making the CAF work for you
The Cyber Assessment Framework is not just about following rules. Done properly, it highlights strengths, pinpoints gaps, and helps security leaders prioritise investment where it’s most needed.
Whether you’re just starting out or refining your approach ahead of a formal review, we can help. We work with organisations in government, critical infrastructure and other high-risk sectors, guiding them through readiness assessments, evidence mapping and system scoping so they can navigate the CAF confidently and effectively.
Ready to achieve your security goals? We’re at your service.