
What Is the Cyber Assessment Framework (CAF)?

Quick Answer

The Cyber Assessment Framework (CAF) is the UK's framework for assessing cyber security in critical national infrastructure and other regulated sectors. Developed by the NCSC, it has 14 principles across 4 objectives. Regulators use CAF to assess organisations under NIS Regulations.

What CAF Is

CAF is the NCSC's framework for:

  • Assessing the cyber resilience of organisations
  • Providing a consistent assessment approach across regulators
  • Outcome-based assessment (it focuses on what you achieve, not how you achieve it)
  • Assessing compliance with the NIS Regulations
It's not a certification scheme. It's an assessment framework used by regulators to evaluate your cyber security posture.

Who CAF Applies To

Directly:

  • Operators of Essential Services (OES) under NIS Regulations
  • Energy, transport, health, water, digital infrastructure
  • Organisations designated by sector regulators
Indirectly:

  • Suppliers to regulated organisations
  • Organisations wanting to demonstrate robust security
  • Those using CAF principles for self-assessment

The Four Objectives

Objective A: Managing Security Risk

Principles:

  • A1: Governance
  • A2: Risk management
  • A3: Asset management
  • A4: Supply chain
What it covers: Leadership commitment, risk-based decision making, knowing what you have, managing third-party risk.

Objective B: Protecting Against Cyber Attack

Principles:

  • B1: Service protection policies and processes
  • B2: Identity and access control
  • B3: Data security
  • B4: System security
  • B5: Resilient networks and systems
  • B6: Staff awareness and training
What it covers: Technical and procedural controls to prevent attacks.

Objective C: Detecting Cyber Security Events

Principles:

  • C1: Security monitoring
  • C2: Proactive security event discovery
What it covers: Ability to detect attacks and security events.

Objective D: Minimising the Impact of Cyber Security Incidents

Principles:

  • D1: Response and recovery planning
  • D2: Lessons learned
What it covers: Responding to incidents and improving from them.

How Assessment Works

Indicators of Good Practice (IGPs)

Each principle has IGPs describing what "good" looks like. These aren't requirements—they're indicators that help assessors evaluate your posture.

Contributing Outcomes

Principles are broken into contributing outcomes—specific aspects to assess.

Achieved/Not Achieved

For each contributing outcome, assessment determines whether you've achieved the expected level of security.

Profile

Your CAF profile shows achievement against each principle—identifying strengths and gaps.

Preparing for CAF Assessment

Self-assessment first

Before regulatory assessment:

  1. Understand CAF structure and principles
  2. Gather evidence against each IGP
  3. Identify gaps honestly
  4. Prioritise remediation

Evidence preparation

What assessors look for:

  • Policies and procedures (documented, current)
  • Technical evidence (configurations, logs)
  • Process evidence (meeting minutes, reviews)
  • Outcome evidence (test results, incidents handled)
Document everything. Good practice without evidence is unverifiable.

Gap remediation

Common gaps:

  • Governance not formalised
  • Asset inventory incomplete
  • Supply chain risk management immature
  • Security monitoring limited
  • Incident response not tested
Address before assessment where possible.

CAF vs Other Frameworks

               | CAF                     | ISO 27001         | Cyber Essentials
Purpose        | Regulatory assessment   | Certification     | Baseline certification
Scope          | Critical infrastructure | Any organisation  | Any organisation
Approach       | Outcome-based           | Control-based     | Control-based
Assessment     | Regulator-led           | Third-party audit | Self/verified
Certification  | No                      | Yes               | Yes
They're complementary. ISO 27001 or CE+ demonstrates good practice that supports CAF achievement.

Sector Regulators Using CAF

  • Ofgem: Energy
  • DfT/CAA: Aviation
  • Ofwat: Water
  • NHS Digital: Health
  • Ofcom: Communications
  • FCA: Financial services (with DORA)
Each regulator may have sector-specific expectations on top of CAF.

How We Help

CAF readiness:

  • Self-assessment facilitation
  • Evidence review and gap identification
  • Remediation planning and support
  • Evidence preparation
Ongoing support:

  • vCISO for continuous compliance
  • Security controls that support CAF
  • Regular review and improvement
For CNI organisations: We understand CAF requirements and help you demonstrate appropriate security to your regulator.
