Cyber Assessment Framework

From HandWiki

The Cyber Assessment Framework is a mechanism designed by NCSC for assuring the security of organisations. The CAF is tailored towards the needs of Critical National Infrastructure, to meet the NIS regulations,[1] but the objectives can be used by other organisations.[2] In addition to national public-sector and infrastructure bodies, the CAF is also being used by local government.[3]

Principles

The CAF has fourteen objectives, grouped into four categories.[4] These set high-level objectives which fit the needs of organisations handling high-impact data or performing essential functions. They have some similarities to, but are not identical to, the categories of controls used in ISO 27001:2013.

Objective A: Managing security risk

  • A.1 Governance
  • A.2 Risk management
  • A.3 Asset management
  • A.4 Supply chain

Objective B: Protecting against cyber attack

  • B.1 Service protection policies and procedures
  • B.2 Identity and access control
  • B.3 Data security
  • B.4 System security
  • B.5 Resilient networks and systems
  • B.6 Staff awareness and training

Objective C: Detecting cyber security events

  • C.1 Security monitoring
  • C.2 Anomaly detection

Objective D: Minimising the impact of cyber security incidents

  • D.1 Response and recovery planning
  • D.2 Improvements

Each of these is linked to "outcomes" and "contributing outcomes"; there are a total of 14 outcomes and 39 contributing outcomes. NCSC has published Indicators of Good Practice (IGPs); the IGP tables can be used to assess whether each objective has been "Achieved", "Not achieved", or "Partially achieved". Organisations are expected to self-assess and to draw up an improvement roadmap, and Competent Authorities review both the assessment and the roadmap.
