Cyber Assessment Framework

The Cyber Assessment Framework is a mechanism designed by NCSC for assuring the security of organisations. The CAF is tailored towards the needs of Critical National Infrastructure, to meet the NIS regulations,^[1] but the objectives can be used by other organisations.^[2] In addition to national public-sector and infrastructure bodies, the CAF is also being used by local government.^[3]

Principles

The CAF has fourteen objectives, grouped into four categories:^[4] These set high-level objectives which fit the needs of organisations handling high-impact data or performing essential functions. These have some similarities, but are not identical, to the categories of controls used by ISO 27001:2013.

Objective A: Managing security risk

• A.1 Governance
• A.2 Risk management
• A.3 Asset management
• A.4 Supply chain

Objective B: Protecting against cyber attack

• B.1 Service protection policies and procedures
• B.2 Identity and access control
• B.3 Data security
• B.4 System security
• B.5 Resilient networks and systems
• B.6 Staff awareness and training

Objective C: Detecting cyber security events

• C.1 Security monitoring
• C.2 Anomaly detection

Objective D: Minimising the impact of cyber security incidents

• D.1 Response and recovery planning
• D.2 Improvements

Each of these are linked to "outcomes" and "contributing outcomes". There are a total of 14 outcomes and 39 contributing outcomes. NCSC has published Indicators of Good Practice; IGP tables can be used to assess whether each objective has been "Achieved", "Not achieved", or "Partially achieved". Organisations are expected to self-assess, and to draw up an improvement roadmap. Competent Authorities review the assessment and the roadmap.

Further reading

• Introduction to the Cyber Assessment Framework

See also

• ISO 27001
• GovAssure
• Cyber Essentials
• Security Policy Framework

References

0.00 (0 votes) Original source: https://en.wikipedia.org/wiki/Cyber Assessment Framework. Read more