The Cyber Assessment Framework: lessons for assurance
The Cyber Assessment Framework was first developed by the NCSC in 2018 to improve the cyber resilience of the UK’s critical national infrastructure. But it was rolled out to all government departments last year as part of the Government Cyber Security Strategy, and is now the central tool that departments should be using to assess their resilience across a range of objectives and indicators.
The CAF is not about box-ticking. It’s a tool for constant learning and improvement, and an effective assurance process is as much about understanding your department’s objectives and culture as it is about technical controls.