Cyber Assessment Framework V3.1

The CAF - A Tool For Assessing Cyber Resilience

The Cyber Assessment Framework (CAF) provides a systematic and comprehensive approach to assessing the extent to which cyber risks to essential functions are being managed by the organisation responsible. It is intended to be used either by the responsible organisation itself (self-assessment) or by an independent external entity, possibly a regulator or a suitably qualified organisation acting on behalf of a regulator.

The NCSC CAF cyber security and resilience principles provide the foundations of the CAF. The 14 principles are written in terms of outcomes, i.e. specification of what needs to be achieved rather than a checklist of what needs to be done. The CAF adds additional levels of detail to the top-level principles, including a collection of structured sets of Indicators of Good Practice (IGPs) as described in more detail below.

It should be noted that NCSC developed the CAF in its role as national technical authority for cyber security, with an expectation that it would be used, amongst other things, as a tool to support effective cyber regulation. NCSC itself has no regulatory responsibilities, and organisations subject to cyber regulation should consult with their regulators to learn whether they should use the CAF in the context of meeting regulatory requirements.
