NCSC’s Cyber Assessment Framework

Blog written by Sam Taylor, Cyber Security Consultant at Arcanum.

This blog piece is the first part of our five-part series delving into the National Cyber Security Centre’s (NCSC’s) Cyber Assessment Framework (CAF). In this introductory piece, we will demystify the CAF, providing an overview of its structure and key elements. As we progress through the series, we will examine each component of the CAF in greater detail.

What is the Cyber Assessment Framework (CAF)?

The CAF is a framework developed by the NCSC to help organisations assess and improve their cyber resilience. The NCSC defines cyber resilience as “an organisation’s ability to maintain the correct operation of its essential functions, even in the presence of adverse cyber events.” The CAF was produced to support the implementation of the Network and Information Systems (NIS) Regulations 2018, which are based on the European Union (EU) Directive on Security of Network and Information Systems (NIS Directive) from 2016. The CAF is mainly intended for Operators of Essential Services (OES) that are subject to the NIS Regulations and form part of Critical National Infrastructure (CNI). However, the CAF can also be used by other organisations that want to improve their cyber security practices and resilience. The CAF stands out from most typical standards and guidelines in that it is applicable to both Information Technology (IT) and Operational Technology (OT).

The CAF is designed to be used both by organisations themselves and by third parties, such as auditors, to assess the cyber resilience of an organisation. It is designed to be flexible and adaptable to different sectors and contexts, and to align with existing cyber security standards and guidelines. It also helps organisations to identify and address gaps or weaknesses in their cyber security practices, and to demonstrate compliance with the NIS Regulations to the relevant sector Competent Authorities (CAs) and regulators.

The CAF consists of four high-level objectives with 14 principles (illustrated by Figure 1 below) that describe the desired outcomes of cyber resilience. Each principle is further divided into Contributing Outcomes and Indicators of Good Practice (IGPs) that provide more specific and measurable guidance for achieving the principles. It is important to remember that the CAF is not a prescriptive checklist; it is a descriptive framework of what good cyber resilience looks like.

Figure 1 – NCSC CAF Objectives and Principles

Now let us break down each of the CAF’s Objectives in greater detail:

  • Objective A (Managing security risk) focuses on ensuring the security of essential network and information systems. Organisations must adopt comprehensive governance, risk management, asset management, and supply chain management strategies. These strategies involve creating, enforcing, and updating the policies and processes that govern security; identifying, assessing, and managing security risks; understanding the systems that support essential functions; and managing the risks that arise from dependencies on external suppliers.
  • Objective B (Protecting against cyber-attack) requires organisations to implement proportionate security measures to shield the network and information systems that support essential functions from cyber-attack. Organisations need to define and communicate appropriate policies and procedures to secure the systems and data that support the operation of essential functions. They need to protect stored or transmitted data from actions that could adversely affect essential business functions. Staff need appropriate awareness and training to foster a proactive cyber security culture. Collectively, the efforts under this objective are directed towards creating networks and systems that are secure and resilient against cyber-attack.
  • Objective C (Detecting cyber security events) focuses on maintaining effective security defences and detecting cyber security events that affect, or could affect, an organisation’s essential functions. This requires the secure generation of event logs and the monitoring of the networks and systems that support essential functions, so that potential security problems and anomalous events are detected, responded to appropriately, and used to track the effectiveness of existing security measures.
  • Objective D (Minimising the impact of cyber security incidents) ensures that capabilities exist both to minimise the negative impact of cyber security incidents on essential operational functions and to restore the affected functions where necessary. Organisations need to establish comprehensive incident response and recovery plans by implementing incident management and mitigation processes. They also need to incorporate lessons learned from previous incidents to drive improvements to the security and resilience of essential functions.

In the next parts of this blog series, we shall explore the four objectives in greater detail, looking at the Contributing Outcomes, the IGPs and additional insights that could prove invaluable to organisations embarking on their CAF journey.

Arcanum Information Security’s Cyber Security for Operational Technology

How Can Arcanum Help?
At Arcanum, our OT teams are experienced in implementing and assessing all aspects of security and can offer your organisation independent, vendor-agnostic advice that is tailored to your specific business needs while providing the highest level of risk reduction possible in your situation, without impacting normal business functions.

call: 02922 784452