
07 Jun 2024

Understanding and implementing the Cyber Assessment Framework (CAF)

London Tech Week blog from Littlefish

The Cyber Assessment Framework (CAF) was designed to offer a comprehensive and systematic approach for organisations to manage cyber security risk. It was developed by the National Cyber Security Centre (NCSC) to support the implementation of the Network and Information Systems (NIS) Regulations 2018.

The CAF was originally intended to help ensure the security and reliability of the network and information systems that support essential functions, for example Critical National Infrastructure (CNI) such as electricity, water, oil and gas. Because it is designed to be flexible and adaptable, however, the CAF is also a useful guide for other types of organisation that want to improve their cyber resilience (for example, NHS Digital recently assured all of its services against the CAF).

The CAF differs from more typical cyber security standards and guidelines in that it applies to both Information Technology (IT) and Operational Technology (OT), so a single assessment can cover corporate systems and the control systems that run an essential function. It was also developed specifically for use by UK organisations and is aligned with UK government cyber security policy.

Intended to be used either by the responsible organisation itself (known as a self-assessment) or by an independent external entity (possibly a regulator or a suitably qualified organisation such as a managed service provider), the CAF defines cyber resilience as “an organisation’s ability to maintain the correct operation of its essential functions, even in the presence of adverse cyber events”.

The CAF’s objectives and principles

Though it may seem complicated at first glance, the CAF is neatly divided into four high-level objectives (A to D), under which sit fourteen principles. Each principle is then broken down into contributing outcomes, and each outcome into indicators of good practice (IGPs). The IGPs are specific, observable statements against which an outcome is assessed as achieved, partially achieved or not achieved, so they give organisations a measurable way to check that they are meeting each principle.

Objective A: managing security risk

Managing security risk focuses on ensuring the security of the network and information systems that support essential functions. To achieve this, the CAF requires organisations to adopt comprehensive governance, risk management, asset management and supply chain management strategies (these are the four principles, A1 to A4, which sit beneath this objective).

To implement these strategies, organisations will need to create, roll-out, and update policies and processes that govern security, as well as identify, assess, and manage security risks efficiently.

Objective B: protecting against cyber-attack

Objective B is the most detailed of the four: the CAF requires organisations to meet six principles (B1 to B6) to protect effectively against cyber-attack. These are service protection policies and processes, identity and access control, data security, system security, resilient networks and systems, and staff awareness and training.

To implement these principles and meet objective B, organisations will need to define and communicate appropriate organisational policies and processes to secure systems and data (B1). They will need to understand, document and control access to the networks and information systems that support essential functions (B2). They will have to protect stored and electronically transmitted data from actions that may negatively affect essential functions (B3), and protect the critical networks, information systems and technology themselves from cyber-attacks and threats (B4). They will need to build resilience so that essential functions continue to operate even when parts of the system are compromised or unavailable (B5). Finally, they must appropriately support and educate staff so that all users understand and contribute to the cyber security of essential functions (B6).

Objective C: detecting cyber security events

Objective C involves two principles (C1 and C2): to meet it, organisations must undertake security monitoring and establish proactive security event discovery.

This objective focuses on detecting cyber security events and confirming that existing defences are working. Achieving it requires measures to generate and securely retain event logs, to monitor networks and systems for the indicators of an attack, and to act on what the monitoring shows, both by responding to detected events and by using them to track the effectiveness of current security measures.

Objective D: minimising the impact of cyber security incidents

The CAF's objective D involves two principles (D1 and D2): response and recovery planning, and a 'lessons learned' function.

To meet these standards, organisations must ensure that capabilities are in place to minimise the negative impact of cyber security incidents on essential functions, and to remediate and restore those functions where necessary. Organisations will also need to incorporate lessons learned from previous incidents to drive improvements to the security and resilience of essential functions.

Sakif Zafar is Principal Information Security Consultant at Littlefish, a Managed IT and Cyber Security Service Provider based in the UK.

techUK and TechSkills at London Tech Week

techUK is proud to once again be a strategic partner of London Tech Week. The event is a fantastic showcase for UK tech, and we’re pleased that techUK members and colleagues are represented on the agenda.

We are pleased to be working with 20 techUK members at London Tech Week to highlight the positive impact of the tech industry in the UK. 
