The NCSC Cyber Assessment Framework self-assessment, a practical guide
The Cyber Assessment Framework, the CAF, is the NCSC's standard for assessing cyber resilience. A self-assessment means honestly judging your organisation against its four objectives, A to D, recording the evidence, and working through the gaps in priority order. There is no CAF certificate to earn. The goal is a defensible, evidenced position you can put in front of a regulator or a buyer. This guide explains the four objectives, how a self-assessment works, where it overlaps ISO 27001, and how to get started.
The short version
The Cyber Assessment Framework was published by the National Cyber Security Centre (NCSC) to assess how well an organisation manages cyber security risk to its essential functions. Unlike a checklist standard, it is outcome focused. It does not hand you a fixed list of controls to tick. It asks you to demonstrate a set of security outcomes and to show the evidence that you achieve them. That difference shapes everything about how a self-assessment works.
A CAF self-assessment is the exercise of judging your own position against the framework, objective by objective, and recording why you believe you meet each outcome or where you fall short. It is the practical first step whether you are formally in scope under the regulations or a prime contractor has simply asked to see your CAF position. It will not produce a certificate, because none exists. What it produces is a clear, honest read of where you stand and a prioritised route to close the gaps.
- The CAF is outcome based. It asks you to prove security outcomes, not to tick a list of controls.
- There is no CAF certificate. A self-assessment gives you an evidenced, defensible position, which is what a regulator or buyer wants to see.
- If you already run security well, much of the evidence exists. The work is finding it, judging it honestly, and closing the real gaps.
The four objectives, A to D
The CAF organises cyber resilience into four objectives, each made up of contributing outcomes. A self-assessment works through all four, judging your current position against each. Here they are in plain English.
| Objective | What it covers | The question it really asks |
|---|---|---|
| A. Managing security risk | Governance, risk management, asset management, and supply chain security | Do you understand and own the risk, rather than just react to it? |
| B. Protecting against cyber attack | Access control, data security, system hardening, network security, and staff awareness | Are the controls that reduce a successful attack actually in place, and can you prove it? |
| C. Detecting security events | Security monitoring, logging, alerting, and threat detection | Would you actually know if something were wrong, and how quickly? |
| D. Minimising the impact of incidents | Incident response, recovery planning, business continuity, and learning from events | How well do you contain, recover, and improve when something does go wrong? |
Two things are worth noticing. First, the objectives run in a logical arc: understand the risk, reduce it, spot what gets through, and limit the damage. Second, they are broad. The CAF is not only about technology. Objective A is about governance and ownership, and objective D is as much about planning and continuity as about tooling. A self-assessment that treats it as a purely technical exercise misses half the picture.
How a self-assessment actually works
The framework expresses each contributing outcome through indicators of good practice, statements that describe what achieving the outcome looks like. A self-assessment judges your position against those indicators, usually placing each outcome as achieved, not achieved, or partially achieved. The honest part is the hard part. The value of the exercise comes entirely from judging yourself as a sceptical assessor would, not as you would like to be seen.
In practice the work follows a clear path.
- Agree the scope. Decide which systems and essential functions the assessment covers, and record the starting point so progress is demonstrable later.
- Assess against each outcome. Work through objectives A to D, judging your position against the indicators of good practice and noting the basis for each judgement.
- Gather the evidence. For every outcome you claim to achieve, record what proves it: a policy, a configuration, a log, a test, a record of a decision. An unevidenced claim is the first thing a competent authority will challenge.
- Identify and rank the gaps. Map where you fall short, then prioritise by risk, so the work that reduces real exposure comes first rather than the work that is merely easy.
- Close the gaps and maintain the position. Put the missing controls in place, document what was done and when, and keep the assessment current as systems and threats change. A CAF position is a living thing, not a document you file once.
The output is not a pass or a certificate. It is an evidenced statement of where you stand against the framework, with a prioritised plan behind it. That is precisely what a competent authority or a prime contractor expects to receive.
Who the CAF applies to
The Network and Information Systems (NIS) Regulations 2018 place duties on operators of essential services to put appropriate security measures in place and to report significant incidents. The regulated sectors include energy, water, transport, healthcare, telecoms, government, and defence. Where a competent authority uses the CAF to assess how well those duties are met, a self-assessment is the practical way to show you meet the expectation.
The CAF is also turning up well beyond its original remit. Prime contractors and buyers in regulated supply chains increasingly reference it, so the question is often less whether you are legally in scope and more whether someone you want to work with has asked to see your position. Either way, the self-assessment is the same exercise, and it is the sensible first step before anyone external looks at you.
Where the CAF overlaps ISO 27001
The CAF and ISO 27001 are easy to confuse, because both are about managing security properly. The difference is in what they check. ISO 27001 certifies a management system against a defined set of controls. The CAF assesses whether you achieve a set of security outcomes. They are complementary, not competing, and the work you do for one is rarely wasted on the other.
| | ISO 27001 | Cyber Assessment Framework |
|---|---|---|
| Focus | A management system and its controls | Security outcomes |
| Approach | Prescriptive, built around the Annex A controls | Outcome based, across the contributing outcomes in objectives A to D |
| How it is checked | Third party certification by an accredited body | Self-assessment, or assessment by a competent authority |
| Result | A certificate you can hold and show | An evidenced position; there is no certificate |
| Best when | You need to show systematic, certified security management | You need to meet a UK regulated sector or NIS expectation |
In practice the overlap is large. The risk management in CAF objective A maps closely onto the risk approach behind an ISO 27001 management system. The controls in objective B sit alongside many of the Annex A controls. The monitoring in objective C and the incident response in objective D have direct equivalents in the standard. Organisations serving UK regulated sectors often hold ISO 27001 certification and align to the CAF alongside it, each answering a different question for a different audience. If you are weighing up which standard a contract actually calls for, our guide on Cyber Essentials or ISO 27001 walks through how to read the clause, and the same care applies when a buyer mentions the CAF or asks for something equivalent.
How to get started
You do not need to solve the whole framework at once. A first self-assessment is about establishing an honest baseline, and the path is straightforward.
- Read the framework and decide your scope. The NCSC publishes the CAF openly. Start by agreeing which essential functions and systems the assessment covers.
- Do an honest first pass. Work through objectives A to D and place each outcome as achieved, partially achieved, or not achieved, recording why. Resist the urge to mark yourself generously. The exercise is only worth doing if it is candid.
- Find your evidence as you go. For each outcome you claim, note what proves it. The gaps in your evidence are often as telling as the gaps in your controls.
- Prioritise the gaps by risk. Turn the assessment into a plan, with the highest risk gaps first. This is what turns a self-assessment from a document into an improvement.
- Get help where the judgement is hard. An outside view is most valuable on the honesty of the self-assessment and the ranking of the gaps, because that is where organisations most often flatter themselves.
We are not a tick-the-box consultancy, and we are not trying to be. The view we take is simple: a CAF self-assessment is only worth anything if it is honest, and the outcomes it claims only hold if the controls behind them are real. Because the same team can assess your position and then run the monitoring, the access control, and the incident response that objectives B, C, and D depend on, the evidence reflects what is actually in place. You can read more about how we approach this on our CAF alignment page.
Common questions
What is the NCSC Cyber Assessment Framework?
The Cyber Assessment Framework, the CAF, is the National Cyber Security Centre's standard for assessing how well an organisation manages cyber security risk to its essential functions. It is outcome focused rather than a fixed checklist, so it asks you to demonstrate a set of security outcomes and show the evidence behind them. It is organised into four objectives, A to D, each made up of contributing outcomes. It is widely used to assess operators of essential services and is increasingly referenced by prime contractors and buyers in regulated supply chains.
What are the four objectives of the CAF?
Objective A is managing security risk, covering governance, risk management, asset management, and supply chain security. Objective B is protecting against cyber attack, covering access control, data security, hardening, network security, and staff awareness. Objective C is detecting security events, covering monitoring, logging, and alerting. Objective D is minimising the impact of incidents, covering incident response, recovery, and continuity. Together they ask whether you understand the risk, reduce it, would spot what gets through, and could recover well from an incident.
Is there a CAF certificate?
No. Unlike ISO 27001, there is no CAF certificate to hold. The framework uses a self-assessment or a competent authority assessment model. What you produce is an evidenced, defensible position: an honest judgement of where you stand against the framework's outcomes, backed by the evidence to support it. That position, not a badge, is what a regulator or a buyer actually wants to see, and it is why the self-assessment matters more than any document you could frame on a wall.
How does a CAF self-assessment work?
You agree the scope, then work through objectives A to D, judging your position against the framework's indicators of good practice and usually placing each outcome as achieved, partially achieved, or not achieved. For every outcome you claim, you record the evidence that proves it. You then rank the gaps by risk and close them in priority order, keeping the assessment current over time. The honest part is the hard part: the value comes entirely from judging yourself as a sceptical assessor would, not as you would like to be seen.
How does the CAF relate to ISO 27001?
They are complementary, not competing. ISO 27001 certifies a management system against a defined set of controls, while the CAF assesses whether you achieve a set of security outcomes. The work overlaps a great deal: the risk management, controls, monitoring, and incident response in the CAF have direct equivalents in ISO 27001. Many organisations serving UK regulated sectors hold ISO 27001 certification and align to the CAF alongside it, each answering a different question for a different audience. Effort spent on one is rarely wasted on the other.
Do I have to comply with the CAF?
It is not universally mandatory, but it is increasingly required when you serve a regulated sector. The Network and Information Systems Regulations 2018 place duties on operators of essential services, and a competent authority may use the CAF to assess them. Beyond that, prime contractors and buyers in regulated supply chains often ask for it whether or not you are formally in scope. Either way a self-assessment is the sensible first step, because it tells you where you stand before anyone external looks at you.
Want an honest read of your CAF position?
Tell us which authority or contract is asking, and we will help you assess where you stand against the framework, rank the gaps by risk, and put the evidence together. Because the same team can run the controls behind it, the proof reflects what is actually in place. We reply within one working day, and you will speak to an engineer, not a salesperson.