Overview of the CAF for local government
What the Cyber Assessment Framework (CAF) for local government involves.
The CAF for local government is available to councils in England to help them assess their cyber resilience.
Overview of the CAF for local government

Stage of the assessment | Estimated time for team to complete |
---|---|
Prepare for the CAF for local government | 45 hours |
Set the scope of your assessment | 35 to 40 hours |
Complete a self-assessment of your organisation | 40 hours |
Assure your organisation assessment and develop your improvement and implementation plan (IIP) | 15 to 20 hours |
Map the architecture of your critical systems | 15 to 25 hours (per critical system) |
Complete a self-assessment of your critical systems | 60 hours (per critical system) |
Assure your critical systems assessment and develop your improvement and implementation plan (IIP) | 20 hours |

These times are estimates and are likely to vary depending on:
- the size of your council
- access to relevant stakeholders
- your ability to prioritise the CAF for local government
What the CAF for local government involves
Prepare to start the CAF for local government
Prepare your council for the self-assessment, including planning your schedule and identifying key roles and responsibilities.
Find out how to prepare to start the CAF for local government.
Set the scope of your assessment
Document your organisational context and essential services, and identify and prioritise three critical systems.
Find out how to set the scope of your assessment.
Complete a self-assessment of your organisation
Evaluate how well your council is managing security risk (objective A) and minimising the impact of cyber security incidents (objective D).
Find out what a CAF self-assessment involves.
Following your self-assessment, you can submit your assurance report and improvement and implementation plan to MHCLG.
Independent assurance review of your organisation self-assessment
Get an external view of how well your council is managing security risk and minimising the impact of cyber security incidents.
Use the feedback from your assurer to create an improvement and implementation plan that outlines how you will improve the cyber resilience of your organisation.
Find out about the independent assurance process, and then how to arrange independent assurance.
Map the architecture of your critical systems
Create system architecture diagrams of up to three of the critical systems you identified during scoping.
Find out how to map your critical systems architecture.
Complete a self-assessment of your critical systems
Evaluate how well your council is protecting against cyber attack (objective B) and detecting cyber security events (objective C).
Find out what a CAF self-assessment involves.
Independent assurance review of your critical system self-assessment
Get an external view of your council’s ability to protect against cyber attacks and detect cyber security events.
Use the feedback from your assurer to create an improvement and implementation plan that outlines how you will improve the cyber resilience of your critical systems.
Find out about the independent assurance process, and then how to arrange independent assurance.