

Cyber Assessment Framework

National Cyber Security Centre

What Is The CAF?

The National Cyber Security Centre’s (NCSC) Cyber Assessment Framework (CAF) provides guidance for organisations responsible for delivering vitally important services and activities.

The framework consists of a set of 14 cyber security and resilience principles, together with guidance on using and applying the principles.
It is aimed at helping an organisation achieve and demonstrate an appropriate level of cyber resilience.

The principles define a set of top-level outcomes that, collectively, describe good cyber security for organisations performing essential functions. Each principle is accompanied by a narrative explaining why it matters and by guidance on achieving the outcome, including suggested ways to tackle common cyber security challenges.

Principles And Guidance

The NCSC intends for the principles and guidance to be used in the following way:

Understand the principles, why they are essential, and interpret them for the organisation.

Compare the outcomes described in the principles to the organisation’s current practices and use the guidance to inform the comparison.

Identify shortcomings, assess how serious each one is in the organisation’s own context, and prioritise them.

Implement prioritised remediation and use the guidance to inform remediation activities.

The Four Objectives

The CAF is centred on four objectives, each of which has several principles and associated guidance.

Managing cyber security risk

Appropriate organisational structures, policies, and processes are in place to understand, assess and systematically manage security risks to the network and information systems supporting essential functions. This objective covers the principles of:

  • Governance – having appropriate policies and processes to govern an organisation’s approach to cyber security.
  • Risk management – ensuring steps are taken to identify, assess and understand security risks.
  • Asset management – determining and understanding what systems and services are required to deliver essential functions.
  • Supply chain – understanding and managing security risks introduced through external suppliers.

Detecting Cyber Security Events

Capabilities exist to ensure security defences remain effective in detecting cyber security events affecting or potentially affecting essential functions. This objective covers the principles of:

  • Security monitoring – monitoring is in place to detect security issues and to track whether existing security measures remain effective.
  • Proactive security event discovery – detecting malicious activity affecting, or with the potential to affect, essential functions, including activity that evades standard signature-based detection.

Minimising the Impact of Cyber Security Incidents

Capabilities exist to minimise the adverse impact of a cyber security incident on the operation of essential functions, including restoring those functions where necessary. This objective covers the principles of:

  • Response and recovery planning – putting suitable incident management and mitigation processes in place.
  • Lessons learned – learning from incidents and implementing lessons to improve the resilience of essential functions.

Protecting Against Cyber Attack

Proportionate security measures are in place to protect the network and information systems supporting essential functions from cyber attack. This objective covers the principles of:

  • Service protection policies and processes – defining and communicating appropriate policies to secure systems and data.
  • Identity and access control – managing access to networks and information systems.
  • Data security – protecting data stored, processed or transmitted electronically from actions that may have an adverse impact.
  • System security – protecting critical systems from cyber attack.
  • Resilient networks and systems – building networks and systems that can withstand and recover from cyber attack.
  • Staff awareness and training – supporting staff to understand their role and contribute to the cyber security of essential functions.


How We Support You

Our team of highly qualified and experienced consultants will work with you to assess how your current practices align with the CAF outcomes. We’ll then identify any areas for development and create a plan to get you where you need to be.

We provide practical assistance and recommendations to ensure your Cyber Security Management System meets your business requirements.

Whatever your security needs, CyberWhite will apply our wealth of knowledge to your organisation, designing solutions catered to your specific requirements and risk appetite.

Please complete the form below to find out more.

Contact Us


What Our Clients Say

“CyberWhite have been a pleasure to deal with by repeatedly demonstrating their professionalism and technical knowledge throughout the procurement process and execution of our project. From initially exploring our goals to a consultant working with us on-site and remotely, we’ve enjoyed a positive experience that has ultimately benefited our organisation and helped to improve our Cyber Security posture.”

Head of Network and Infrastructure

View our video testimonial from Clear Links by Gerard Norris, Central Operations Manager


View our video testimonial from Hays Travel by Ken Campling, Group Finance Director


“I would like to say a thousand “thank you’s” to CyberWhite after rescuing us from the commercial disaster we faced after being subjected to a very sophisticated fraud. Without the timely involvement and expertise from CyberWhite, we would undoubtedly have faced catastrophic consequences including a significant financial loss and possibly a forced closure of the business. We will always remember the kindness and professional approach taken by the CyberWhite team. They were able to successfully recover the critical data which was the life blood of our business. This expertise has allowed us to continue trading and provided us with the additional benefits of ensuring that we are more cyber risk aware and we now have a security partner to support us.”

Jon Moore, Director

View our video testimonial from Mental Health Concern (NHS) by Lawrence Thompson, Head of IT


“As an Operator of Essential Services, PX Group comply with advice provided by recognised security bodies such as NCSC. The advice is relevant to all organisations who provide infrastructure or support to the UK’s critical national infrastructure. PX Group engaged CyberWhite to undertake Third Party Security Audits (aligned to ISO28000:2007) against key suppliers who had access to information assets within the PX Group domain. CyberWhite created a comprehensive audit document set and supported this with interviews and visits in order to validate responses. The output from CyberWhite was comprehensive and provided security assurance to PX Group’s stakeholders and interested parties that the key suppliers had a focus on security and understood and could demonstrate best practices in relation to the handling of PX Group’s information assets. This process has been invaluable in validating what we believed and providing a platform from which we will continue to assess, review and benchmark all parties in our information supply chain.”

Lee Farrow, ICT Network & Security Specialist