Cyber Assessment Framework (CAF)
The NCSC Cyber Assessment Framework (CAF) is the UK's primary assurance framework for organisations responsible for Critical National Infrastructure (CNI) and other essential services. It is also widely used by public sector organisations, regulated industries, and any organisation seeking to assess its cyber security posture against a structured UK standard.
What the CAF is
The CAF provides a set of 14 security objectives grouped into four top-level goals. For each objective, the CAF defines indicators of good practice (IGP) — what a well-run organisation looks like — and indicators of poor practice (IPP) — warning signs that an objective is not being met.
The CAF is principle-based, not prescriptive: it describes outcomes, not specific technologies.
The four goals
Goal A: Managing security risk
| Objective | Description |
|---|---|
| A.1 | Governance — responsible individuals; clear accountability |
| A.2 | Risk management — proportionate, regularly reviewed |
| A.3 | Asset management — comprehensive, current inventory |
| A.4 | Supply chain — understanding and managing supply chain risk |
Goal B: Protecting against cyber attack
| Objective | Description |
|---|---|
| B.1 | Service protection policies and processes |
| B.2 | Identity and access control |
| B.3 | Data security |
| B.4 | System security — secure design, configuration, patching |
| B.5 | Resilient networks and systems |
| B.6 | Staff awareness and training |
Goal C: Detecting cyber security events
| Objective | Description |
|---|---|
| C.1 | Security monitoring — detecting security events |
| C.2 | Proactive security event discovery |
Goal D: Minimising the impact of cyber security incidents
| Objective | Description |
|---|---|
| D.1 | Response and recovery planning |
| D.2 | Lessons learned |
CAF and the NIS Regulations
The Network and Information Systems (NIS) Regulations 2018 (UK) require Operators of Essential Services (OES) to implement appropriate security measures. The CAF is the primary tool regulators use to assess compliance with NIS.
Sectors covered: Energy, Transport, Water, Health, Digital Infrastructure, and Finance.
Using the CAF for self-assessment
The CAF is freely available and can be used by any organisation for self-assessment:
- Work through each of the 14 objectives
- For each, assess current practice against the IGPs and IPPs
- Score each objective: Achieved / Partially achieved / Not achieved
- Produce a remediation plan for objectives that are not achieved
The CAF self-assessment produces a structured gap analysis that can be used to prioritise security investment.
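The four self-assessment steps above can be captured in a small scoring tool. The following is an added example written for this page, not an NCSC tool and not part of the CAF itself: the CAF does not prescribe how IGP/IPP evidence maps to a status, so the scoring rule (any IPP observed or no IGP met gives "Not achieved", all IGPs met gives "Achieved", anything in between gives "Partially achieved") and the remediation ordering (worst status first, then CAF objective order) are assumptions, and the five assessments in `SAMPLE` are constructed input.

```python
"""Added example: a CAF-style self-assessment scorer and gap analysis.

Illustrative code written for this page (not an NCSC tool). The scoring and
priority rules are assumptions, since the CAF describes outcomes rather than a
scoring formula:
  - any IPP observed, or no IGP met  -> "Not achieved"
  - all assessed IGPs met, no IPP    -> "Achieved"
  - some IGPs met                    -> "Partially achieved"
"""
from __future__ import annotations

from dataclasses import dataclass, field

ACHIEVED = "Achieved"
PARTIAL = "Partially achieved"
NOT_ACHIEVED = "Not achieved"

# Assumed priority rule for the remediation plan: worst status first.
_PRIORITY = {NOT_ACHIEVED: 0, PARTIAL: 1, ACHIEVED: 2}


@dataclass
class ObjectiveAssessment:
    ref: str            # objective reference from the CAF tables, e.g. "A.1"
    title: str          # short title from the CAF tables
    igps_total: int     # indicators of good practice assessed for this objective
    igps_met: int       # how many of those the organisation can evidence
    ipps_present: list[str] = field(default_factory=list)  # IPPs observed


def score(a: ObjectiveAssessment) -> str:
    """Map IGP/IPP evidence to one of the three CAF outcomes (assumed rule)."""
    if a.ipps_present or a.igps_met == 0:
        return NOT_ACHIEVED
    if a.igps_met >= a.igps_total:
        return ACHIEVED
    return PARTIAL


def gap_analysis(assessments: list[ObjectiveAssessment]) -> list[dict]:
    """Structured gap analysis: one row per objective with its status and evidence."""
    rows = []
    for a in assessments:
        rows.append({
            "objective": a.ref,
            "goal": a.ref.split(".")[0],   # "A".."D" from the reference
            "title": a.title,
            "status": score(a),
            "igp_coverage": f"{a.igps_met}/{a.igps_total}",
            "ipps": list(a.ipps_present),
        })
    return rows


def remediation_plan(assessments: list[ObjectiveAssessment]) -> list[dict]:
    """Objectives that are not fully achieved, worst status first, then CAF order."""
    rows = [r for r in gap_analysis(assessments) if r["status"] != ACHIEVED]
    return sorted(rows, key=lambda r: (_PRIORITY[r["status"]], r["objective"]))


# Constructed sample input: five objectives with made-up evidence counts and
# one made-up IPP observation; not a real assessment.
SAMPLE = [
    ObjectiveAssessment("A.1", "Governance", igps_total=4, igps_met=4),
    ObjectiveAssessment("A.3", "Asset management", igps_total=5, igps_met=2),
    ObjectiveAssessment("B.2", "Identity and access control", igps_total=6,
                        igps_met=5, ipps_present=["Shared admin accounts in use"]),
    ObjectiveAssessment("C.1", "Security monitoring", igps_total=5, igps_met=0),
    ObjectiveAssessment("D.1", "Response and recovery planning", igps_total=3,
                        igps_met=2),
]


if __name__ == "__main__":
    for row in remediation_plan(SAMPLE):
        print(f"{row['objective']:<4} {row['status']:<20} "
              f"IGPs {row['igp_coverage']}  IPPs: {row['ipps'] or 'none'}")
```

Running the block prints the remediation plan for the constructed sample: the two "Not achieved" objectives (B.2, C.1) come first, followed by the two "Partially achieved" ones (A.3, D.1), which is the order in which a security lead would normally take them to the risk register under the assumed priority rule.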
CAF vs Cyber Essentials
| Dimension | Cyber Essentials | CAF |
|---|---|---|
| Scope | All organisations | CNI / essential services / public sector |
| Depth | Five basic controls | 14 objectives across the full security lifecycle |
| Certifiable | Yes (third-party assessment) | Yes (regulator assessment for OES) |
| Cost | Low | Higher (detailed assessment) |
| Primary use | Baseline hygiene | Comprehensive organisational assurance |
For most organisations, Cyber Essentials is the starting point and CAF is the comprehensive assurance framework once baseline hygiene is in place.
Further reading
- NCSC CAF documentation — ncsc.gov.uk/cyber-assessment-framework
- NIS Regulations 2018 guidance
- NCSC CAF self-assessment tool