UK NCSC Cyber Assessment Framework 3.1
Details
The Cyber Assessment Framework (CAF) provides a systematic and comprehensive approach to assessing the extent to which cyber risks to essential functions are being managed by the organisation responsible. It is intended to be used either by the responsible organisation itself (self-assessment) or by an independent external entity, possibly a regulator or a suitably qualified organisation acting on behalf of a regulator.
The NCSC cyber security and resilience principles provide the foundations of the CAF. The 14 principles are written in terms of outcomes, i.e. a specification of what needs to be achieved rather than a checklist of what needs to be done. The CAF adds further levels of detail to the top-level principles, including a collection of structured sets of Indicators of Good Practice (IGPs) as described in more detail below. The CAF itself can be found here. It should be noted that the NCSC developed the CAF in its role as national technical authority for cyber security, with an expectation that it would be used, amongst other things, as a tool to support effective cyber regulation. The NCSC itself has no regulatory responsibilities, and organisations subject to cyber regulation should consult with their regulators to learn whether they should use the CAF in the context of meeting regulatory requirements.
More Information
Jurisdiction | United Kingdom |
---|---|
Type | Laws or related obligations |