Cyber Assessment Framework (CAF)

The NCSC’s Cyber Assessment Framework (CAF) is an initiative aimed at helping organisations running essential services and critical infrastructure achieve an appropriate level of cyber resilience. The CAF has two levels, or profiles: Basic and Enhanced. Recent developments have seen regulators mandate that Operators of Essential Services (OES) work towards achieving the Enhanced Profile by the end of 2027.

We understand that this can feel overwhelming, and we have set out a series of services specifically focused on helping you get there.

"I need to understand and close my CAF compliance gaps to protect my critical infrastructure or essential service."

We believe in the principles of CAF and view the assessment as a great framework to help build cyber resilience in your organisation. However, we also appreciate that the level of detail required (in addition to BAU) means that sometimes you need a partner to share the load.

Understanding the gap

Whether you’re on the road to Basic or moving to Enhanced, we will start with a Gap Analysis. Through interviews with key stakeholders and policy and procedure reviews, we work through each aspect of the CAF at the Indicators of Good Practice (IGP) level, so nothing is missed. Our gap analysis service provides a detailed understanding of what needs to be done, generates achievable actions and provides the framework for writing your Security Improvement Plan. We triage findings and actions with you in real time and present our results in a user-friendly, exec-ready dashboard!

We can also work with you to develop your Security Improvement Plan (SIP). Our focus is to ensure you have a clear understanding of what needs to be done to attain CAF compliance and a clear, costed, step-by-step plan to do so. Whether you have ambitions to accelerate your plan or take it one step at a time, we will ensure you know what needs to be done, by whom and how much it will cost.

Securing investment

Once the plans are written, we can support you in preparing your funding submission to the regulator, if required. We understand that navigating the production of Investment Justification Papers (IJP) can be a challenge, and that’s why we have developed a framework for producing the required documents which comply with the regulators’ guidance. Through ongoing dialogue and regular review, we try to remove some of the pressure that can come with submitting funding requests on a tight deadline.

Self-assessment

Using the knowledge gained from Gap Analysis, SIP development and IJP writing, we can also write your CAF Self-Assessment. We ensure that the level of detail captured in all other activities is mapped to the regulator’s requirements for the CAF self-assessment, resulting in an efficient, timely delivery. We also know that you have further security ambitions and compliance frameworks; that’s why we ensure we map to other frameworks, like ISO 27000 and NIST, so you can tie everything together.

We don’t just tell you what needs to be done: we have the expertise and resources to help you close the gaps, quickly mobilising teams to manage projects to help you deliver your SIP with the right people at the right time.

Through our experience working with OES to attain both Basic and Enhanced profiles, and our passion for and deep understanding of the subject, we aim to balance the spirit of the CAF, your regulatory commitments, and security ambitions, with the ultimate objective of helping you become as safe and secure as possible.