What is the Cyber Assessment Framework (CAF)?

The term Cyber Assessment Framework, or CAF, is usually unfamiliar to private businesses protecting their own assets. If you work in or around Critical National Infrastructure (CNI) or the public sector, however, it should be a very familiar term.

The CAF provides guidance for organisations that are responsible for providing services and activities that underpin critically important systems in the country (power stations, for one), that need to manage cyber-related risks to members of the public, or that are subject to the Network and Information Systems (NIS) Regulations.

The CAF, when properly designed and implemented, provides a systematic and comprehensive approach to reducing the number of cyber-related incidents a business may fall foul of.

The CAF is intended to be used either by the organisation itself or by an external party, such as a regulator or a suitably qualified body acting on the regulator's behalf.

Businesses can implement the framework to ensure that they are managing their cyber risk by:

  • Ensuring that appropriate policies and processes are in place throughout the business
  • Ensuring that staff are trained in, and aware of, those policies and processes
  • Ensuring that staff understand the importance of security
  • Implementing appropriate risk and asset management
  • Understanding the supply chain and its risks
  • Ensuring that data is protected at all times
  • Running staff security awareness training
  • Building resilience into the network and systems
  • Testing business continuity and recovery
  • Implementing and monitoring event logging and alerting across all systems
  • Being proactive with events and identifying those that stand out from the trend
  • Performing lessons-learnt reviews and additional training when things don't go to plan
  • Implementing and using change management

The NCSC's cyber security and resilience principles form the backbone of the Cyber Assessment Framework, together with a set of best practices. Alongside them, the NCSC set out the requirements that the framework itself has to meet.

These requirements are that the CAF should:

  • provide a suitable framework to assist in carrying out cyber resilience assessments
  • maintain the outcome-focused approach of the NCSC cyber security and resilience principles and discourage assessments being carried out as tick-box exercises
  • be compatible with the use of appropriate existing cyber security guidance and standards
  • enable the identification of effective cyber security and resilience improvement activities
  • exist in a common core version which is sector-agnostic
  • be extensible to accommodate sector-specific elements as may be required
  • enable the setting of meaningful target security levels for organisations to achieve, possibly reflecting a regulator view of appropriate and proportionate security
  • be as straightforward and cost-effective to apply as possible

As you can see, although the CAF is primarily aimed at specific industries, much of what the framework requires can work for businesses of all sizes and, once implemented, can further protect the business from cyber-based attacks. It also complements the Cyber Essentials scheme, and the two can be implemented hand in hand.

If you'd like to know more about the Cyber Assessment Framework, the National Cyber Security Centre (NCSC) has published extensive guidance on what the CAF is and what you should be doing. It can be found here: https://www.ncsc.gov.uk/collection/caf