CAF Aligned Managed Service Provider
UK-based MSP meeting the Cyber Assessment Framework requirements for Critical National Infrastructure, government, healthcare, defence, and regulated sectors.
What is the Cyber Assessment Framework?
The Cyber Assessment Framework (CAF) is the UK Government's standard for assessing cyber resilience, developed by the National Cyber Security Centre (NCSC). Unlike checkbox compliance frameworks, CAF is outcome-focused—it asks "can you demonstrate these security outcomes?" rather than prescribing specific technical controls.
CAF was originally designed to help Operators of Essential Services (OES) meet their obligations under the NIS Regulations, and for assessing Critical National Infrastructure (CNI) organisations. It's now used across government, healthcare, defence, and increasingly required from suppliers in these sectors' supply chains.
The Four CAF Objectives
Objective A: Managing Security Risk
Governance structures, risk management processes, asset management, and supply chain security controls.
Objective B: Protecting Against Cyber Attack
Access control, data security, system hardening, network security, and staff awareness training.
Objective C: Detecting Security Events
Security monitoring capabilities, logging, alerting, and threat detection mechanisms.
Objective D: Minimising Impact of Incidents
Incident response procedures, recovery planning, business continuity, and lessons learned processes.
Each objective contains multiple contributing outcomes that organisations must demonstrate. Rather than simply having policies in place, CAF requires evidence that security outcomes are actually being achieved.
Who Does CAF Apply To?
CAF is used to assess cyber resilience across multiple regulated sectors in the UK.
- Energy: electricity, gas, oil
- Water: supply and wastewater
- Transport: aviation, rail, maritime
- Healthcare: NHS trusts and providers
- Telecoms: communications networks
- Government: central and local government
- Defence: MOD and its supply chain
- Supply chain: all regulated suppliers
NIS Regulations and CAF
The Network and Information Systems (NIS) Regulations 2018 require Operators of Essential Services to implement appropriate security measures and report significant incidents. The NCSC recommends using CAF as the framework for assessing NIS compliance.
Crucially, NIS Regulations require organisations to manage supply chain risk—which means IT providers, managed service providers, and other suppliers increasingly need to demonstrate CAF-aligned security to serve these clients.
What Does CAF Mean for Managed Service Providers?
If you're an MSP serving clients in regulated sectors, CAF alignment is rapidly becoming essential.
Supply Chain Flow-Down
Organisations subject to NIS Regulations must manage supply chain risk. This means assessing their IT providers against security frameworks like CAF. Your clients need you to be CAF-aligned to meet their own compliance obligations.
Contract Requirements
Government departments, NHS trusts, and CNI operators increasingly require CAF alignment from suppliers as a contractual condition. Without it, you may be excluded from tenders or lose existing contracts.
MSPs as High-Value Targets
MSPs with access to multiple client environments are prime targets for attackers. CAF provides a framework for demonstrating your security posture protects—not endangers—your clients.
Competitive Differentiation
Many MSPs aren't yet CAF-aware. Being able to demonstrate CAF alignment differentiates your tender responses and reduces friction in client security assessments.
CAF vs ISO 27001: Do I Need Both?
A common question: does CAF replace ISO 27001, or vice versa? The short answer: they're complementary, not competing.
| Aspect | ISO 27001 | CAF |
|---|---|---|
| Focus | Management system and controls | Security outcomes |
| Approach | Prescriptive (93 Annex A controls) | Outcome-based (41 contributing outcomes) |
| Certification | Third-party certification available | Self-assessment or authority assessment |
| Recognition | International standard | UK Government standard |
| Best for | Demonstrating systematic security management | Meeting UK regulated sector requirements |
For MSPs serving UK regulated sectors, the ideal combination is ISO 27001 certification plus CAF alignment. ISO 27001 provides the systematic control framework, while CAF demonstrates you achieve the outcomes UK regulators and clients require.
Our CAF Alignment
Our security controls are designed to meet the contributing outcomes across all four CAF objectives.
- Governance and accountability: board-level ownership, documented policies, defined roles, regular management reviews
- Risk management: formal risk assessment methodology, maintained risk register, documented treatment decisions
- Asset management: complete asset inventory, criticality classification, ownership assigned, dependencies mapped
- Supply chain security: supplier risk assessments, contractual security requirements, annual reviews
- Identity and access control: MFA mandatory everywhere, least privilege, quarterly access reviews, immediate deprovisioning
- Data security: UK data residency, encryption at rest and in transit, classification scheme, secure disposal
- Security monitoring: 24/7 SOC partnership, 12-month log retention, automated threat alerting, regular log reviews
- Incident response: documented playbooks, severity-based escalation, client notification SLAs, post-incident reviews
- Business continuity: defined RTO/RPO targets, daily encrypted backups, quarterly restore testing, annual exercises
- Staff security: background screening, security clearances available, phishing simulations, awareness training
UK-Based, UK-Focused
We're a British company built to serve UK organisations with regulatory requirements. Our security posture is designed to meet the expectations of UK regulators and clients.
UK-Owned & Operated
British registered company with UK-based staff only. No offshore support centres or foreign ownership complications.
Security Cleared Personnel
Staff can hold BPSS clearance as standard. Higher clearances available where client requirements dictate.
UK Data Sovereignty
Client data never leaves UK jurisdiction. UK-based cloud infrastructure with UK suppliers prioritised.
Regulatory Awareness
We understand NIS Regulations, GDPR, and sector-specific requirements. We speak the language your compliance team needs.
Need a CAF-Aligned IT Partner?
Whether you're in CNI, government, healthcare, defence, or simply want an MSP that takes security seriously—we can help.