To support public sector organisations in addressing cyber security challenges, the UK Government and National Cyber Security Centre (NCSC), along with local government organisations, have adapted the Cyber Assessment Framework (CAF) for use by councils.
The CAF offers a systematic approach to assessing how well an organisation manages cyber risks to its essential functions. It provides requirements, principles and outcomes to evaluate and improve cyber security.
Leaders should use the following questions to guide their evaluation and enhance their cyber resilience.
- Are you using the CAF to assist in cyber resilience assessments?
- Are you combining the CAF with existing cyber security standards?
- How are you using the CAF to identify effective activities for improving cyber security and resilience?
- How do you ensure your CAF approach is outcome-focused rather than a box-ticking exercise?
- Are your senior leaders and managers using the CAF to set meaningful security targets for the organisation to achieve?
- Is the CAF strengthening management policies, processes and procedures governing the security of your networks and information systems?
- Is your organisation using the CAF to identify, assess and understand security risks to essential functions?
- Is the CAF helping your organisation to understand and manage security risks arising from dependencies on partners and suppliers?
- How does the CAF help your organisation and its partners build system-wide resilience against cyber attacks and failures?
- Are you using the CAF to enhance the effectiveness of your organisation and partners’ capabilities to minimise the impact of cyber incidents and restore functions?