Cyber Assessment Framework for Critical Infrastructure

A practical guide to assessing your organisation against the NCSC Cyber Assessment Framework

Published: January 2026

Author: Dead Simple Computing Ltd

Version: 1.0

Contents

  • Executive Summary
  • What Is The Cyber Assessment Framework?
  • Who Uses CAF?
  • The Four Objectives
  • The 14 Principles
  • Conducting a Self-Assessment
  • Indicators of Good Practice
  • Common Gaps and How to Address Them
  • Preparing for Regulator Assessment
  • CAF and Other Frameworks
  • Self-Assessment Checklist
  • How DSC Can Help

1. Executive Summary

The Cyber Assessment Framework (CAF) is the UK's primary framework for assessing cyber security in critical national infrastructure and essential services. Developed by the National Cyber Security Centre (NCSC), it provides a systematic approach to evaluating cyber resilience.

Key points:

  • Outcome-focused - CAF describes what good looks like, not how to achieve it
  • Risk-based - Proportionate to the threats and impacts relevant to your organisation
  • Used by regulators - Sector regulators use CAF to assess operators of essential services
  • Government standard - The Government Cyber Security Strategy adopts CAF for the public sector

The framework:

  • 4 Objectives
  • 14 Principles
  • 39 Contributing Outcomes
  • Indicators of Good Practice (IGPs) for each outcome

Why self-assess:

  • Understand your current security posture
  • Identify gaps before regulators do
  • Prioritise improvements
  • Demonstrate due diligence
  • Prepare for formal assessment

2. What Is The Cyber Assessment Framework?

Background

CAF was developed by the NCSC to provide a consistent approach to assessing cyber security across critical national infrastructure. It supports the Network and Information Systems (NIS) Regulations and is used by sector regulators to assess operators of essential services.

Purpose

CAF helps organisations:

  • Understand the outcomes needed for good cyber security
  • Assess their current state against those outcomes
  • Identify areas for improvement
  • Demonstrate security to regulators and stakeholders

Key Characteristics

Outcome-based:

CAF describes the outcomes that indicate good cyber security, not the specific controls or technologies to implement. This allows flexibility in how organisations achieve the outcomes.

Risk-based:

The framework is designed to be applied proportionately based on:

  • The threats relevant to the organisation
  • The potential impact of a cyber incident
  • The organisation's risk appetite

Principles-focused:

CAF is organised around principles that describe categories of security outcomes, not detailed technical requirements.

Structure

CAF Structure:

4 OBJECTIVES
    └── 14 PRINCIPLES
            └── 39 CONTRIBUTING OUTCOMES
                    └── INDICATORS OF GOOD PRACTICE (IGPs)

Objectives - High-level security goals

Principles - Categories of outcomes supporting each objective

Contributing Outcomes - Specific outcomes that demonstrate the principle

IGPs - Observable indicators that an outcome is being achieved

3. Who Uses CAF?

Operators of Essential Services

Under NIS Regulations, operators in these sectors must meet security requirements assessed using CAF:

Sector                              | Regulator
------------------------------------|--------------------
Energy (electricity, oil, gas)      | Ofgem
Transport (air, rail, water, road)  | CAA, MCA, ORR, DfT
Health                              | DHSC
Drinking water                      | DWI, Ofwat
Digital infrastructure              | Ofcom

Government and Public Sector

The Government Cyber Security Strategy adopts CAF as the assurance framework for government. Public sector organisations are expected to assess against CAF profiles appropriate to their risk level.

Critical National Infrastructure

Organisations designated as CNI, even if not formally under NIS Regulations, may be expected to demonstrate alignment with CAF.

Supply Chain

Organisations supplying to CAF-assessed entities may face:

  • Customer requirements to demonstrate CAF alignment
  • Flow-down of specific CAF outcomes
  • Security questionnaires based on CAF principles

Voluntary Adoption

Any organisation can use CAF to:

  • Assess their security posture
  • Structure security improvements
  • Demonstrate security maturity
  • Prepare for potential future regulation

4. The Four Objectives

CAF is organised around four top-level objectives:

Objective A: Managing Security Risk

Focus: Appropriate organisational structures, policies, and processes to understand, assess, and systematically manage security risks.

Key themes:

  • Governance and accountability
  • Risk management
  • Asset management
  • Supply chain

Why it matters:

You can't protect what you don't understand. Effective security requires knowing your assets, understanding your risks, and having governance to manage them.

Objective B: Protecting Against Cyber Attack

Focus: Proportionate security measures to protect systems and data from cyber attack.

Key themes:

  • Service protection policies
  • Identity and access management
  • Data security
  • System security
  • Resilient networks
  • Staff awareness

Why it matters:

Prevention is the first line of defence. Appropriate protective measures reduce the likelihood of successful attacks.

Objective C: Detecting Cyber Security Events

Focus: Capabilities to ensure security defences remain effective and to detect cyber security events.

Key themes:

  • Security monitoring
  • Anomaly detection
  • Proactive security event discovery

Why it matters:

No protection is perfect. Detection capabilities ensure you know when something is wrong, enabling timely response.

Objective D: Minimising the Impact of Cyber Security Incidents

Focus: Capabilities to minimise the impact of a cyber security incident on essential functions.

Key themes:

  • Response planning
  • Response and recovery capability
  • Lessons learned

Why it matters:

When incidents occur, effective response limits damage and enables recovery. Learning from incidents improves future resilience.

5. The 14 Principles

Objective A: Managing Security Risk

A1. Governance

The organisation has appropriate management policies and processes in place to govern its approach to the security of network and information systems.

Contributing outcomes:

  • Board-level accountability
  • Organisational security policy
  • Defined roles and responsibilities

A2. Risk Management

The organisation takes appropriate steps to identify, assess and understand security risks to the network and information systems supporting the delivery of essential functions.

Contributing outcomes:

  • Risk management process
  • Assurance of risk management

A3. Asset Management

Everything required to deliver, maintain or support networks and information systems for essential functions is determined and understood.

Contributing outcomes:

  • Asset inventory (hardware, software, data, people, suppliers)
  • Asset management process

A4. Supply Chain

The organisation understands and manages security risks to networks and information systems supporting the delivery of essential functions that arise as a result of dependencies on external suppliers.

Contributing outcomes:

  • Supply chain risk management
  • Contracts and agreements
  • Supplier assurance

Objective B: Protecting Against Cyber Attack

B1. Service Protection Policies and Processes

The organisation defines, implements, communicates and enforces appropriate policies and processes for protecting networks and information systems.

Contributing outcomes:

  • Policy and process development
  • Policy implementation
  • Compliance measurement

B2. Identity and Access Management

The organisation understands, documents and manages access to networks and information systems supporting essential functions.

Contributing outcomes:

  • Identity verification
  • Access management (least privilege, need-to-know)
  • Privileged user management
  • Identity and access management (IdAM) systems

B3. Data Security

Data stored or transmitted electronically is protected from actions that may cause disruption to essential functions.

Contributing outcomes:

  • Data understanding
  • Data protection

B4. System Security

Network and information systems and technology critical for the delivery of essential functions are protected from cyber attack.

Contributing outcomes:

  • Secure design
  • Secure configuration
  • Secure management
  • Vulnerability management

B5. Resilient Networks and Systems

The organisation builds resilience against cyber attack.

Contributing outcomes:

  • Resilience preparation
  • Design for resilience
  • Backups

B6. Staff Awareness and Training

Staff have appropriate awareness, knowledge and skills to carry out their organisational roles effectively in relation to the security of networks and information systems.

Contributing outcomes:

  • Cyber security culture
  • Cyber security training

Objective C: Detecting Cyber Security Events

C1. Security Monitoring

The organisation monitors the security status of networks and information systems to detect potential security problems and track effectiveness of security measures.

Contributing outcomes:

  • Monitoring coverage
  • Securing logs
  • Generating alerts
  • Identifying incidents

C2. Anomaly Detection

The organisation detects activity that deviates from normal system function.

Contributing outcomes:

  • Capability to detect anomalies
  • Use of threat intelligence

Objective D: Minimising Impact of Incidents

D1. Response and Recovery Planning

There is a suitable incident management capability in place, and plans for responding to incidents and recovering normal operations.

Contributing outcomes:

  • Response plan
  • Response and recovery capability
  • Testing and exercising

D2. Lessons Learned

When an incident occurs, steps are taken to understand its causes and ensure appropriate remediating action is taken.

Contributing outcomes:

  • Incident root cause analysis
  • Using lessons learned

6. Conducting a Self-Assessment

Preparation

Define scope:

  • Which systems and services are in scope?
  • What essential functions do they support?
  • What are the boundaries?

Gather documentation:

  • Security policies and procedures
  • Risk assessments
  • Asset inventories
  • Network diagrams
  • Incident response plans
  • Training records
  • Audit reports

Identify stakeholders:

  • Who owns each area?
  • Who has the information needed?
  • Who needs to be involved in the assessment?

Assessment Approach

For each principle:

  • Understand the principle - What is it asking for?
  • Review contributing outcomes - What specific outcomes demonstrate the principle?
  • Examine your organisation - What do you have in place?
  • Compare to IGPs - How do your arrangements compare to indicators of good practice?
  • Assess achievement - To what extent are outcomes achieved?
  • Document evidence - What evidence supports your assessment?
  • Identify gaps - Where do you fall short?

Rating Achievement

CAF uses three achievement levels for each contributing outcome:

Achieved:

The outcome is fully achieved. Evidence demonstrates that the indicators of good practice are met.

Partially Achieved:

The outcome is partially achieved. Some elements are in place, but gaps exist.

Not Achieved:

The outcome is not achieved. Significant gaps exist, or there is no evidence that the outcome is being achieved.

Documentation

For each contributing outcome, document:

  • Current state - What's in place today
  • Evidence - Documentation, records, observations supporting assessment
  • Achievement level - Achieved, Partially Achieved, Not Achieved
  • Gaps - What's missing or incomplete
  • Risks - What risks do the gaps create?
  • Remediation - What's needed to address gaps

Prioritisation

Not all gaps are equal. Prioritise based on:

  • Risk - What's the potential impact?
  • Likelihood - How likely is exploitation?
  • Regulatory focus - What do regulators emphasise?
  • Quick wins - What can be fixed easily?
  • Dependencies - What enables other improvements?
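The assessment record described in this section, as an added example that is not NCSC's or DSC's tooling: one entry per contributing outcome with its rating and evidence, a roll-up of ratings per objective, and a gap ordering that applies the five prioritisation criteria above. The validation step also flags the two submission problems a regulator will query, an "Achieved" rating with no evidence and a gap with no description. The outcome references (A1.a, B2.c and so on), scores and register contents are constructed sample values.

```python
"""CAF self-assessment register (added example; not NCSC or DSC tooling).
Rates each contributing outcome, rolls ratings up per objective, and orders
open gaps by this guide's criteria: risk (impact x likelihood), regulatory
focus, quick wins and dependencies. Outcome refs like "B2.c" are sample values.
"""
from dataclasses import dataclass, field
from enum import Enum

class Achievement(Enum):
    ACHIEVED = "Achieved"
    PARTIALLY = "Partially Achieved"
    NOT = "Not Achieved"

@dataclass
class Outcome:
    ref: str                    # contributing outcome, e.g. "B2.c"; ref[0] is the objective
    rating: Achievement
    evidence: list = field(default_factory=list)  # documents, records, observations
    gaps: list = field(default_factory=list)      # what is missing or incomplete
    impact: int = 0             # 1 (minor) .. 5 (loss of essential function)
    likelihood: int = 0         # 1 (rare) .. 5 (expected)
    regulator_focus: bool = False
    quick_win: bool = False
    enables: list = field(default_factory=list)   # other outcomes this gap blocks

    def validate(self) -> list:
        """Consistency checks a regulator would apply to the submission."""
        problems = []
        if self.rating is Achievement.ACHIEVED and not self.evidence:
            problems.append(f"{self.ref}: 'Achieved' claimed without evidence")
        if self.rating is not Achievement.ACHIEVED and not self.gaps:
            problems.append(f"{self.ref}: gap not described")
        return problems

def summarise(outcomes) -> dict:
    """Per-objective counts, e.g. {'A': {'Achieved': 1, ...}, ...}."""
    summary = {}
    for o in outcomes:
        counts = summary.setdefault(o.ref[0], {a.value: 0 for a in Achievement})
        counts[o.rating.value] += 1
    return summary

def priority_score(o: Outcome) -> int:
    """Higher means fix first. Risk dominates; the other criteria add weight."""
    if o.rating is Achievement.ACHIEVED:
        return 0
    score = o.impact * o.likelihood
    score += 5 if o.rating is Achievement.NOT else 0
    score += 4 if o.regulator_focus else 0
    score += 2 if o.quick_win else 0
    return score + 2 * len(o.enables)

def prioritised_gaps(outcomes) -> list:
    """Open outcomes, highest priority first."""
    return sorted((o for o in outcomes if o.rating is not Achievement.ACHIEVED),
                  key=priority_score, reverse=True)

# Constructed sample register; ratings are illustrative, not a real organisation.
REGISTER = [
    Outcome("A1.a", Achievement.ACHIEVED,
            evidence=["Board risk appetite statement", "Quarterly board cyber report"]),
    Outcome("A3.a", Achievement.PARTIALLY, gaps=["OT assets not in inventory"],
            impact=4, likelihood=3, enables=["B4.d", "C1.a"]),
    Outcome("B2.c", Achievement.NOT, gaps=["No MFA on remote admin access"],
            impact=5, likelihood=4, regulator_focus=True, quick_win=True),
    Outcome("D1.c", Achievement.PARTIALLY, gaps=["IR plan not exercised"],
            impact=3, likelihood=2),
    Outcome("C1.a", Achievement.NOT, impact=4, likelihood=3),  # gap text missing
]

if __name__ == "__main__":
    for problem in (p for o in REGISTER for p in o.validate()):
        print("CHECK:", problem)
    for o in prioritised_gaps(REGISTER):
        print(f"{priority_score(o):>3}  {o.ref}  {'; '.join(o.gaps) or '(no gap recorded)'}")
```

Running it lists the C1.a entry as lacking a gap description and ranks the unmanaged privileged access gap (B2.c) first, because high risk, regulator focus and quick-win status all add weight.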

7. Indicators of Good Practice

IGPs provide detail on what "good" looks like for each contributing outcome. They help assessors determine whether outcomes are achieved.

How to Use IGPs

IGPs are indicators, not requirements:

  • They describe what you'd typically see when an outcome is achieved
  • Not every IGP needs to be met
  • Alternative approaches may also achieve the outcome
  • Context matters - what's appropriate for your risk level?

IGPs inform assessment:

  • Compare your arrangements to IGPs
  • Where you differ, consider why
  • Can you demonstrate the outcome is still achieved?
  • Document your reasoning

Example: A1 Governance

Contributing Outcome: A1.a - Board direction

Example IGPs might include:

  • The board sets the organisation's risk appetite for cyber security
  • The board receives regular reporting on cyber security
  • A board member has explicit responsibility for cyber security
  • The board has access to competent advice

Self-assessment questions:

  • Does our board set cyber risk appetite?
  • How often does the board receive cyber reports?
  • Who on the board owns cyber security?
  • What expertise does the board have access to?

Example: B4 System Security

Contributing Outcome: B4.c - Secure management

Example IGPs might include:

  • Systems are managed using secure management architecture
  • Remote access is secured appropriately
  • Privileged actions are logged and monitored
  • Changes follow change management processes

Self-assessment questions:

  • How are systems managed?
  • How is remote access secured?
  • Are privileged actions logged?
  • Do we have change management?

8. Common Gaps and How to Address Them

Objective A: Managing Security Risk

Common gaps:

Gap                          | Impact                              | Remediation
-----------------------------|-------------------------------------|--------------------------------------------
No board-level ownership     | Cyber not treated as business risk  | Assign board sponsor, establish reporting
Incomplete asset inventory   | Don't know what to protect          | Asset discovery, maintain inventory
Risk assessment not current  | Decisions based on old information  | Regular risk assessment cycle
Supply chain not assessed    | Blind spot for third-party risk     | Supplier risk assessment programme

Objective B: Protecting Against Cyber Attack

Common gaps:

Gap                            | Impact                           | Remediation
-------------------------------|----------------------------------|-------------------------------
No MFA on critical systems     | Easy credential compromise       | Implement MFA broadly
Privileged access not managed  | Excess risk from admin accounts  | PAM solution, access review
Patching inconsistent          | Known vulnerabilities exploited  | Patch management process
Staff not trained              | Human-enabled attacks            | Security awareness programme
Backups not tested             | Recovery may fail                | Regular backup testing

Objective C: Detecting Cyber Security Events

Common gaps:

Gap                        | Impact                        | Remediation
---------------------------|-------------------------------|---------------------------------------------
Limited logging            | Can't detect or investigate   | Expand logging coverage
No central log management  | Can't correlate events        | Implement SIEM
No 24/7 monitoring         | Attacks outside hours missed  | MDR service or SOC
No threat intelligence     | Unaware of relevant threats   | Subscribe to threat feeds, sector sharing

Objective D: Minimising Impact of Incidents

Common gaps:

Gap                         | Impact                 | Remediation
----------------------------|------------------------|-------------------------------
No incident response plan   | Chaotic response       | Develop and document IR plan
Plan not tested             | Won't work when needed | Regular tabletop exercises
No lessons learned process  | Repeat same mistakes   | Post-incident review process
Recovery not planned        | Extended downtime      | Business continuity planning

9. Preparing for Regulator Assessment

Understanding Regulator Expectations

Sector regulators assess operators using CAF. Understanding their approach helps you prepare.

Typical process:

  • Self-assessment submission
  • Regulator review
  • Questions and clarifications
  • On-site assessment (often)
  • Feedback and findings
  • Improvement plan agreement
  • Ongoing monitoring

What regulators look for:

  • Evidence that outcomes are achieved
  • Proportionality to risk
  • Continuous improvement
  • Honest self-assessment
  • Clear remediation plans for gaps

Self-Assessment Submission

Quality matters:

  • Be accurate - don't overstate achievement
  • Provide evidence - not just assertions
  • Acknowledge gaps - with remediation plans
  • Be consistent - across the organisation

Common mistakes:

  • Claiming "Achieved" without evidence
  • Inconsistency between answers
  • Ignoring known gaps
  • Not addressing supply chain
  • Outdated information

On-Site Assessment

What to expect:

  • Interviews with key personnel
  • Documentation review
  • Technical evidence gathering
  • Observation of processes
  • Testing of controls (potentially)

Preparation:

  • Brief relevant staff
  • Organise documentation
  • Prepare evidence packs
  • Test that controls work
  • Identify SMEs for each area

Responding to Findings

When gaps are identified:

  • Accept findings professionally
  • Understand the gap fully
  • Develop realistic remediation plan
  • Commit to timelines
  • Report progress

Remediation plans should:

  • Address the root cause
  • Be realistic and achievable
  • Have clear ownership
  • Include milestones
  • Be tracked and reported

10. CAF and Other Frameworks

CAF and ISO 27001

Aspect         | CAF                                  | ISO 27001
---------------|--------------------------------------|--------------------------
Focus          | Essential services, CNI              | Any organisation
Structure      | Principles and outcomes              | Controls and ISMS
Assessment     | Regulator or self                    | Accredited certification
Certification  | No (it's an assessment framework)    | Yes

Mapping:

CAF and ISO 27001 have significant overlap. NCSC provides mapping documents showing how ISO 27001 controls relate to CAF outcomes.

Using both:

  • ISO 27001 provides certifiable ISMS
  • CAF provides sector-specific assessment
  • ISO 27001 implementation supports CAF achievement
  • CAF gaps may indicate ISO 27001 weaknesses

CAF and Cyber Essentials

Aspect         | CAF                       | Cyber Essentials
---------------|---------------------------|-------------------------
Scope          | Comprehensive             | Five technical controls
Depth          | Detailed outcomes         | Baseline controls
Certification  | No                        | Yes
Target         | CNI, essential services   | Any organisation

Relationship:

  • Cyber Essentials covers a subset of CAF Objective B
  • CE/CE+ demonstrates some CAF outcomes
  • CAF requires more comprehensive assessment
  • CE+ is often a starting point, not the end point

CAF and NIS2

The EU NIS2 Directive has similar objectives to UK CAF. The Government is aligning CAF with ENISA guidance under NIS2.

For organisations subject to both:

  • Map NIS2 requirements to CAF
  • Single compliance effort where possible
  • Note differences in reporting requirements

CAF and the Cyber Governance Code

The Cyber Governance Code of Practice (April 2025) aligns with CAF Objective A (Managing Security Risk), particularly around governance, risk management, and board oversight.

DSIT provides mapping between the Cyber Governance Code and CAF, showing how implementing the Code supports CAF achievement.

11. Self-Assessment Checklist

Objective A: Managing Security Risk

A1. Governance

  • Board-level accountability for cyber security established
  • Security policies defined and communicated
  • Roles and responsibilities documented
  • Regular reporting to board on security

A2. Risk Management

  • Risk management process defined
  • Risk assessments conducted and documented
  • Risks reviewed and updated regularly
  • Risk appetite defined and communicated

A3. Asset Management

  • Hardware inventory complete and current
  • Software inventory complete and current
  • Data assets identified and classified
  • Dependencies understood
  • Asset management process in place

A4. Supply Chain

  • Critical suppliers identified
  • Supplier risks assessed
  • Contracts include security requirements
  • Supplier security monitored

Objective B: Protecting Against Cyber Attack

B1. Service Protection Policies

  • Security policies documented
  • Policies implemented and enforced
  • Compliance measured

B2. Identity and Access Management

  • User identities verified
  • Access based on least privilege
  • Privileged access managed
  • MFA implemented for sensitive access
  • Access reviewed regularly

B3. Data Security

  • Data classified
  • Data protection measures appropriate to classification
  • Encryption used appropriately

B4. System Security

  • Secure design principles applied
  • Systems securely configured
  • Vulnerability management in place
  • Patching process effective

B5. Resilient Networks and Systems

  • Resilience requirements defined
  • Resilience built into design
  • Backups performed and tested

B6. Staff Awareness and Training

  • Security awareness programme in place
  • Training completion tracked
  • Security culture promoted

Objective C: Detecting Cyber Security Events

C1. Security Monitoring

  • Logging enabled on critical systems
  • Logs secured and retained appropriately
  • Alerts generated for security events
  • Capability to identify security incidents

C2. Anomaly Detection

  • Capability to detect anomalous activity
  • Threat intelligence used to inform detection

Objective D: Minimising Impact of Incidents

D1. Response and Recovery Planning

  • Incident response plan documented
  • Response capability in place
  • Plan tested at least annually
  • Recovery procedures defined

D2. Lessons Learned

  • Post-incident review process defined
  • Lessons incorporated into improvements

12. How DSC Can Help

Dead Simple Computing helps organisations assess against CAF and address identified gaps.

CAF Assessment Services

CAF Gap Analysis

  • Assessment against all 14 principles
  • Identification of gaps and weaknesses
  • Risk-prioritised findings
  • Remediation roadmap

Self-Assessment Facilitation

  • Guide your team through self-assessment
  • Ensure consistent approach
  • Challenge and validate findings
  • Prepare documentation

Regulator Preparation

  • Review self-assessment before submission
  • Prepare evidence packs
  • Brief key personnel
  • Mock assessment

Remediation Support

Technical remediation:

  • Implement security controls
  • Deploy monitoring (SIEM, MDR)
  • Improve access management
  • Address vulnerabilities

Process and governance:

  • Develop policies and procedures
  • Establish risk management
  • Implement supplier assurance
  • Create incident response plans

Ongoing Support

vCISO Services

  • Ongoing CAF compliance management
  • Regular assessment updates
  • Regulator liaison
  • Continuous improvement

Managed Security

  • 24/7 monitoring (supports C1, C2)
  • UK SIEM (supports logging, detection)
  • Vulnerability management (supports B4)
  • Security that helps achieve CAF outcomes

Contact us:

Resources

NCSC Resources

CAF Collection:

ncsc.gov.uk/collection/caf

CAF Guidance:

  • Introduction to CAF
  • Using CAF
  • CAF Principles
  • IGPs for each principle

Sector-Specific Guidance:

Available for different CNI sectors

Government Resources

Cyber Governance Code Mapping to CAF:

gov.uk

Government Cyber Security Strategy:

gov.uk

About This Guide

This guide was prepared by Dead Simple Computing Ltd in January 2026 to help organisations conduct self-assessments against the NCSC Cyber Assessment Framework.

This guide is for informational purposes and does not constitute regulatory advice. Organisations should engage with their sector regulator for authoritative guidance on CAF assessment requirements.

© 2026 Dead Simple Computing Ltd. All rights reserved.