Governance and Audit / align it

Align to the Cyber Assessment Framework, and prove it.

If your organisation falls under the NIS Regulations, or a regulator or prime contractor expects the NCSC Cyber Assessment Framework, we map where you stand against its outcomes and show you, in order, what closes each gap. Run by a team that is itself UKAS accredited for ISO 27001 and a Cyber Essentials certification body.

Governance and Audit / 01 · What CAF alignment is

An honest read of where you stand, and a route to close the gaps.

The Cyber Assessment Framework is the NCSC's standard for assessing cyber resilience. It is outcome focused rather than a fixed checklist, so it asks you to demonstrate security outcomes rather than tick a list of controls. CAF alignment means assessing your position against those outcomes, recording the evidence, and working through the gaps in priority order. There is no CAF certificate to hold, so the goal is a defensible, evidenced position you can put in front of a competent authority or a buyer.

01 · Assess: Your position mapped across the framework's four objectives and their outcomes.
02 · Prioritise: The gaps ranked by risk, so the work that matters most comes first.
03 · Evidence: The documentation a competent authority or prime contractor will accept.
04 · Maintain: A position you can keep current as the systems and the threats change.

Governance and Audit / 02 · The framework

The four objectives, in plain English.

The CAF organises cyber resilience into four objectives, A to D, each made up of contributing outcomes. We work through all four with you, map your current position against each, and translate the framework's language into work you can actually plan.

A · Manage

Managing security risk

Governance structures, risk management processes, asset management, and supply chain security. The objective that asks whether you understand and own the risk, not just react to it.

Governance · Risk management · Asset management · Supply chain

B · Protect

Protecting against cyber attack

Access control, data security, system hardening, network security, and staff awareness. The controls that reduce the chance of a successful attack, and the proof they are actually in place.

Access control · Data security · Hardening · Awareness

C · Detect

Detecting security events

Security monitoring, logging, alerting, and threat detection. The objective that asks whether you would actually know if something were wrong, and how quickly.

Monitoring · Logging · Alerting · Detection

D · Minimise

Minimising the impact of incidents

Incident response, recovery planning, business continuity, and learning from what happens. The objective that asks how well you contain, recover, and improve when something does go wrong.

Incident response · Recovery · Continuity · Lessons learned

Governance and Audit / 03 · Context

Who the CAF applies to, and how it sits next to ISO 27001.

When the CAF is in scope

The Network and Information Systems (NIS) Regulations 2018 require operators of essential services to put appropriate security measures in place and to report significant incidents. The regulated sectors include energy, water, transport, healthcare, telecoms, government, and defence. Where a competent authority uses the CAF to assess that resilience, alignment is the practical way to show you meet the expectation.

The CAF is also turning up well beyond its original remit. Prime contractors and buyers in regulated supply chains increasingly reference it, so the question is often less whether you are legally in scope and more whether someone you want to work with expects to see it.

CAF and ISO 27001 are complementary, not competing

The two are easy to confuse, because both are about managing security properly. The difference is in what they check. ISO 27001 certifies a management system against a defined set of controls. The CAF assesses whether you achieve a set of security outcomes. The work you do for one is rarely wasted on the other, and organisations serving UK regulated sectors often hold ISO 27001 certification and align to the CAF alongside it.

ISO 27001 compared with the Cyber Assessment Framework

Focus
  ISO 27001: A management system and its controls
  Cyber Assessment Framework: Security outcomes

Approach
  ISO 27001: Prescriptive, built around the Annex A controls
  Cyber Assessment Framework: Outcome based, across the contributing outcomes in objectives A to D

How it is checked
  ISO 27001: Third party certification by an accredited body
  Cyber Assessment Framework: Self assessment, or assessment by a competent authority

Recognition
  ISO 27001: International standard
  Cyber Assessment Framework: UK government standard

Best when
  ISO 27001: You need to show systematic, certified security management
  Cyber Assessment Framework: You need to meet a UK regulated sector or NIS expectation

If you are weighing up which standard a contract actually calls for, our guide on Cyber Essentials or ISO 27001 walks through how to read the clause, and the same care applies when a buyer mentions the CAF or asks for something "equivalent".

Governance and Audit / 04 · How we work

From a gap analysis to a position you can stand behind.

For an organisation that already runs security well, alignment can be shown relatively quickly through a self assessment and gap analysis. Starting from a lower base, meaningful alignment is more often a matter of months. Either way the path is the same.

01

Scope and self assess

We agree the systems in scope and assess your current position against the four objectives, recording the starting point so progress is demonstrable later.

02

Gap analysis

We map where you fall short of each outcome and rank the gaps by risk, so the work that reduces real exposure comes first, not the work that is merely easy.

03

Close the gaps

We put the controls in place and operate them, documenting what was done and when, as part of running the technology rather than as an afterthought.

04

Evidence and maintain

We assemble the evidence into a clear pack mapped to the framework, ready for a competent authority or a buyer, and keep it current as things change.

The same rigour we hold ourselves to. The discipline behind our UKAS ISO 27001 certification and our Cyber Essentials certification body status is the discipline we bring to your CAF position.

Governance and Audit / 05 · How this fits

Outcomes rest on the controls behind them.

CAF alignment proves a set of security outcomes. Those outcomes only hold if the controls and the systems underneath them are real, which is why the same team runs all of it.

CAF alignment matters most to organisations in the regulated supply chain. If you supply the Ministry of Defence, the framework sits alongside Def Stan 05-138 and Cyber Essentials in the wider picture, which we cover on our defence and aerospace page. This service is part of our governance and audit work, and it pairs naturally with audit and assurance for the ongoing evidence a competent authority expects to see.

FAQ

Common questions

Is the CAF mandatory?

It is not universally mandatory, but it is increasingly required when you serve a regulated sector. The Network and Information Systems Regulations 2018 place duties on operators of essential services, and a competent authority may use the CAF to assess them. Beyond that, prime contractors and buyers in regulated supply chains often ask for it whether or not you are formally in scope.

What is the difference between CAF alignment and CAF certification?

There is no CAF certification in the way ISO 27001 offers a certificate. The CAF uses a self assessment or a competent authority assessment model. Alignment means you have honestly assessed your position against the framework's outcomes and hold the evidence to support it, which is what a buyer or authority actually wants to see.

How long does CAF alignment take?

It depends on where you start. An organisation that already runs security to a good standard can often demonstrate alignment relatively quickly through a self assessment and gap analysis. Starting from a lower base, meaningful alignment more commonly takes a number of months, because the gaps have to be closed and the evidence has to be generated, not just written down.

How does the CAF relate to ISO 27001 and Cyber Essentials?

They are complementary. Cyber Essentials covers five technical basics, ISO 27001 certifies a whole management system, and the CAF assesses security outcomes for regulated and essential services. The work overlaps, so effort is rarely wasted. Many organisations serving UK regulated sectors hold ISO 27001, certify to Cyber Essentials, and align to the CAF, each answering a different question.

Can you align us to the CAF and also run the controls?

Yes, and that is the point of working with us rather than a pure consultancy. We assess your position, close the gaps, and then operate the controls behind objectives B, C, and D as part of our cyber security work. Because one accountable team both runs the technology and evidences it, the proof reflects what is actually in place.

Align to it, and prove it.

Tell us which authority or contract is asking, and we will tell you plainly where you stand against the framework and what it takes to close the gaps. We reply within one working day, and you will speak to an engineer, not a salesperson.

Reading, Berkshire  /  Cyber Essentials certification body  /  reply within one working day