Author: Government Cyber Unit (DSIT)

Last updated: 2026-01-16

Stage 4: Having an Independent Assurance Review

The guidance on this page is for organisations having an Independent Assurance Review (IAR) of their WebCAF self-assessment.

If you are an independent assurance reviewer, see Stage 4: Complete an Independent Assurance Review using WebCAF.

Procurement of an Independent Assurance Review

You should procure a company to carry out an Independent Assurance Review (IAR) early in the GovAssure process. See the GovAssure guidance page for more information.

The objectives of the Independent Assurance Review are to:

  1. Assess your organisation’s current levels of cyber resilience and progress towards achieving the target Government CAF profile.
  2. Evaluate your organisation’s cyber risk management practices.
  3. Determine the effectiveness of your organisation’s cyber security controls.
  4. Provide your organisation with a comprehensive report including actionable recommendations to address risks identified in the review.

Working with your reviewer

You must agree how you will work together with the reviewer. Your reviewer should take a flexible approach that will allow your organisation to clarify parts of your self-assessment and provide additional evidence when necessary.

At the start of the stage 4 process, you should give your reviewer:

  • your completed scoping document
  • an export of your WebCAF self-assessment
  • supporting evidence for each contributing outcome
  • a WebCAF user account to access your WebCAF self-assessment

As an alternative to an export of your self-assessment from WebCAF, you may share a completed GovAssure self-assessment and evidence collation template.

Providing access to evidence

Your organisation is responsible for storing evidence securely and sharing this with the reviewer. You should discuss how you will do this early in the process.

Your reviewer may need to ask for extra evidence to support their understanding of your organisation’s self-assessment responses.

Providing access to WebCAF

You should create a WebCAF user account for each reviewer working on your Independent Assurance Review. WebCAF organisation leads can do this from the ‘Manage users’ section of WebCAF. You should select the user type ‘Independent assurance reviewer’.

Ways of working

There are a number of ways you might work with your reviewer. You should start by holding an initial meeting with all stakeholders to:

  • confirm the scope of the Independent Assurance Review and any exclusions
  • agree on planned delivery timelines
  • agree the ways of working, including setting out interview and workshop requirements
  • confirm arrangements for reviewing organisational evidence, including access to corporate IT systems

Desk-based self-assessment and evidence reviews

Your reviewer will spend time independently reviewing information your organisation has shared with them throughout the review period.

Workshops

If anything is unclear to the reviewer or they need more information or evidence, it can help to hold a workshop. For example, you might hold a workshop on each CAF objective.

A group workshop can also be useful if there are differing views within your organisation. Discussion can help you reach an agreed position, which the reviewer can then reflect in their review.

Interviews

It can help your reviewer to speak directly to a subject matter expert or key stakeholder. For example, they might speak to an Information Technology Security Officer (ITSO) or the owner of a particular risk to discuss one or more specific contributing outcomes.

Technical demonstrations

Your reviewer may want to see a demonstration to check that technical controls are in place. For example, you may show the reviewer how regular vulnerability scans are run to identify and manage security weaknesses.

The Independent Assurance Review process on WebCAF

You can read the Stage 4: Complete an Independent Assurance Review using WebCAF guidance to see how your reviewer will work on WebCAF.

WebCAF organisation leads will have read-only access to reviews while the reviewer is working on WebCAF.

Independent Assurance Review Report

When your reviewer has finished the review, they will generate an automated Independent Assurance Review Report (IARR) from the WebCAF service. You can read this within the service or download a PDF copy.

You should discuss the report with your reviewer. If you agree on changes, your reviewer can create a new version of the report in WebCAF.

When you have agreed on a version of the report, your reviewer will finalise this in WebCAF.

If you work with a GovAssure cyber advisor, you should share a copy of your final report with them. If you are an arm’s length body, you should share it with your Lead Government Department.
