Cyber Assessment Framework
The Cyber Assessment Framework (CAF) is a mechanism designed by the UK National Cyber Security Centre (NCSC) for assessing the security of organisations. The CAF is tailored to the needs of Critical National Infrastructure operators who must meet the NIS Regulations,[1] but its objectives can be used by other organisations.[2] In addition to national public-sector and infrastructure bodies, the CAF is also being used by local government.[3]
Principles
The CAF has fourteen principles, grouped under four objectives:[4] These set high-level goals appropriate to organisations handling high-impact data or performing essential functions. They have some similarities to, but are not identical with, the control categories used by ISO 27001:2013.
Objective A: Managing security risk
- A.1 Governance
- A.2 Risk management
- A.3 Asset management
- A.4 Supply chain
Objective B: Protecting against cyber attack
- B.1 Service protection policies and procedures
- B.2 Identity and access control
- B.3 Data security
- B.4 System security
- B.5 Resilient networks and systems
- B.6 Staff awareness and training
Objective C: Detecting cyber security events
- C.1 Security monitoring
- C.2 Anomaly detection
Objective D: Minimising the impact of cyber security incidents
- D.1 Response and recovery planning
- D.2 Improvements
Each principle is expressed as an outcome, and each outcome is broken down into contributing outcomes: 14 outcomes and 39 contributing outcomes in total. For each contributing outcome NCSC publishes Indicators of Good Practice (IGPs); the IGP tables are used to judge whether that contributing outcome is "Achieved", "Partially achieved" or "Not achieved". Organisations are expected to self-assess against the framework and to draw up an improvement roadmap for any shortfalls; the relevant Competent Authority reviews both the assessment and the roadmap.
See also
- ISO 27001
- GovAssure
- Cyber Essentials
- Security Policy Framework
References
- ↑ "Cetome | the Cyber Assessment Framework". https://cetome.com/research/nis-directive/caf.
- ↑ "The role of the National Cyber Security Centre (NCSC)". 19 May 2023. https://ico.org.uk/for-organisations/the-guide-to-nis/the-role-of-the-national-cyber-security-centre-ncsc/.
- ↑ "Cyber Assessment Framework - Policy Brief | Local Government Association". https://www.local.gov.uk/our-support/cyber-digital-and-technology/cyber-digital-and-technology-policy-team/cyber-assessment.
- ↑ "NIS Regulations: Cyber Assessment Framework". https://www.itgovernance.co.uk/nis-regulations-cyber-assessment-framework.
Original source: https://en.wikipedia.org/wiki/Cyber Assessment Framework.