Author: Government Cyber Unit (DSIT)

Last updated: 23 February 2026

Stage 4: Complete a Peer Review using WebCAF

The guidance on this page is for reviewers conducting a Peer Review of an organisation’s WebCAF self-assessment.

If you are an organisation having a Peer Review, see Stage 4: Have a Peer Review.  

If you are an Independent Assurance Reviewer, see Stage 4: Complete an Independent Assurance Review using WebCAF.

During stage 4, you will carry out a Peer Review to assess the current levels of an organisation’s cyber resilience. 

GovAssure assesses critical government systems against the NCSC’s Cyber Assessment Framework (CAF).

Note: For assessments in 2025 to 2026, GovAssure is using CAF version 3.2. Please be aware that this is not the latest version published by NCSC.

The objectives of the Peer Review are to: 

  1. Assess the organisation’s current levels of cyber resilience against the Baseline Government CAF profile.
  2. Evaluate the organisation’s cyber risk management practices.
  3. Consider the effectiveness of the organisation’s cyber security controls.
  4. Provide the organisation with a report including actionable recommendations.

You will review the organisation’s self-assessment and supporting evidence. You will use the digital service Peer review a WebCAF self-assessment to complete your review. When you have finished your review you can use WebCAF to generate an automated Peer Review Report. 

Preparing for your WebCAF review

Before you start your review, it is important to understand the stages of GovAssure. You should read the GovAssure guidance for stage 1, stage 2 and stage 3 to understand the approach the organisation has taken to scoping and self-assessment. 

You should also read the GovAssure detailed contributing outcome summary guidance to prepare for your review.

Working with the organisation

You must agree how you will work together with the organisation throughout your review. 

At the start of the stage 4 process, the organisation should give you: 

  • their completed scoping document
  • an export of their WebCAF self-assessment 
  • supporting evidence for each contributing outcome
  • a WebCAF user account to access their WebCAF self-assessment

The organisation’s scoping document sets out their context, threat, risk appetite and defensive posture. You must be familiar with this document because the organisation’s self-assessment responses are based on it.

As an alternative to an export of their self-assessment from WebCAF, the organisation may share a completed GovAssure self-assessment and evidence collation template. 

Accessing evidence 

Organisations are responsible for storing their own evidence securely and sharing this with you. You should discuss how you will access evidence with the organisation early in the process. 

You should read and review all documents and make a note of any questions to raise with the organisation. You may need to ask for extra evidence to support your understanding of the organisation’s self-assessment responses. 

Note: The organisation’s supporting evidence is not stored in or linked to from WebCAF. 

Ways of working 

You should start by holding an initial meeting with all stakeholders to: 

  • confirm the scope of the Peer Review and any exclusions
  • agree on planned delivery timelines
  • agree the ways of working
  • confirm arrangements for reviewing organisational evidence 

Desk-based reviews of the self-assessment and evidence 

Peer Reviews will mostly be desk-based. You will spend time independently reviewing information the organisation has shared with you throughout the review period. 

Requesting more information

There may be times when you want to ask the organisation for more evidence or information. You might: 

  • ask the organisation to share additional documents
  • have a meeting to discuss gaps you have identified with the organisation

Completing your review on WebCAF

The organisation will create an account for you in the WebCAF self-assessment service as a ‘peer reviewer’. 

When you log in you will be able to see a list of all systems allocated to you. Select ‘Review’ for the system you want to work on. 

Session time-out

When you have logged into WebCAF to start your Peer Review, you will be timed out if you are inactive for 90 minutes, to protect your security.

If you have already saved pages, these will be stored securely in WebCAF. If you are timed out while working on a page, anything you have done on that page will not be stored and you will have to start it again.

Confirm the system details

Read through the system and review details and select ‘Confirm and return’. If you think there are any errors, you should contact the organisation. You can continue with the review while waiting for their response. 

Review the self-assessment

Select the CAF objective and contributing outcome you would like to review. You can work through the objectives and contributing outcomes in any order. 

The self-assessment outcome status is at the top of the contributing outcome page. It will show ‘achieved’, ‘not achieved’, or for some contributing outcomes, ‘partially achieved’. Check whether this meets the Baseline Government CAF profile and read through the organisation’s contributing outcome summary. 

In the self-assessment, organisations must provide explanations for some selected IGPs within the contributing outcome summary.

You should refer to the GovAssure detailed contributing outcome summary guidance for more detail on what organisations are expected to do.

Reviewing IGP statements

In their self-assessment, the organisation is asked to select an IGP statement if they believe it applies to their system or organisation.

Each IGP statement is titled and numbered, for example, ‘Achieved statement 1’. Underneath this, it will show:

  • ‘Organisation response: Yes’ which means the organisation selected the statement
  • ‘Organisation response: No’ which means the organisation did not select the statement

You must make your own decision on each statement, based on the organisation’s self-assessment and supporting evidence. When you have read each IGP statement you must select:

  • ‘Yes’ if you believe the statement applies to the system or organisation
  • ‘No’ if you believe the statement does not apply to the system or organisation

To make your decision, you should consider: 

  • the organisation’s contributing outcome summary
  • the organisation’s comments on alternative controls or exemptions, where this applies
  • the supporting evidence you have seen

There are 3 particular scenarios you should be aware of, each with a specific way to respond.

  1. The organisation has commented on alternative controls or exemptions.

     There are times when an organisation will select an IGP statement that is not true about their system or organisation, but they believe this should not affect the overall contributing outcome status.

     This may be because:

     • they have alternative controls or exemptions in place
     • the wording of the IGP statement does not apply to the system being assessed

     In this scenario you should select ‘Yes’ to the IGP statement if you agree that the organisation has provided a reasonable justification and supporting evidence.

  2. You selected ‘Yes’ for an ‘achieved’ IGP that exceeds the expectations of a similar ‘partially achieved’ IGP.

     In this scenario you must also select ‘Yes’ for the ‘partially achieved’ IGP.

     For example, if you select ‘Yes’ for an ‘achieved’ IGP that says the organisation ‘reviews a document regularly’, you must also select ‘Yes’ for the ‘partially achieved’ statement that says it ‘reviews a document occasionally’.

  3. The ‘partially achieved’ statement is identical to the ‘achieved’ statement.

     You should make the same selection for both statements.

Reviewing the contributing outcome status 

It is important that you use your professional judgement to select the most appropriate outcome status. You must take into account the context of the organisation and system, as well as any alternative controls the organisation has noted. 

After you have reviewed each IGP statement, you must decide whether the contributing outcome is ‘achieved’, ‘not achieved’ or, if applicable, ‘partially achieved’.

Achieved status

In most cases, the contributing outcome status should be ‘achieved’ if you have selected ‘Yes’ for all of the ‘achieved’ IGPs and ‘No’ for all of the ‘not achieved’ IGPs.

Partially achieved status

In most cases, the contributing outcome status should be ‘partially achieved’ if you have selected ‘Yes’ for all ‘partially achieved’ IGPs and selected ‘No’ for:

  • one or more ‘achieved’ statements
  • all ‘not achieved’ statements

Not achieved status

In most cases, the contributing outcome status should be ‘not achieved’ if you select ‘Yes’ for one or more ‘not achieved’ IGPs.

In most cases, the contributing outcome status should be ‘not achieved’ if you do not select ‘Yes’ for all ‘achieved’ or ‘partially achieved’ IGP statements.

Note: If the outcome status you select is different to the status descriptions above, you must clearly explain the reasons why in the contributing outcome comments. 
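The status rules above, together with the IGP consistency scenarios from ‘Reviewing IGP statements’ and the priority grouping used in the report, expressed as a small checker. This is an added illustration, not WebCAF’s own logic; the IGP identifiers, pairings and baseline targets are constructed.

```python
from dataclasses import dataclass, field

# Ordering of outcome statuses used to compare against a profile target.
RANK = {"not achieved": 0, "partially achieved": 1, "achieved": 2}

@dataclass
class OutcomeReview:
    """Reviewer's Yes/No (True/False) per IGP statement, grouped by level."""
    achieved: dict
    partially_achieved: dict = field(default_factory=dict)
    not_achieved: dict = field(default_factory=dict)
    # (achieved IGP, partially achieved IGP) pairs where the achieved statement
    # exceeds or duplicates the partially achieved one (scenarios 2 and 3).
    pairs: list = field(default_factory=list)

def consistency_issues(review):
    """Pairs where 'Yes' on the achieved IGP lacks 'Yes' on its partner."""
    return [(a, p) for a, p in review.pairs
            if review.achieved.get(a) and not review.partially_achieved.get(p)]

def derive_status(review):
    """Apply the guidance's 'in most cases' rules in order of precedence."""
    if any(review.not_achieved.values()):
        return "not achieved"            # any 'not achieved' IGP selected
    if all(review.achieved.values()):
        return "achieved"                # every 'achieved' IGP selected
    if review.partially_achieved and all(review.partially_achieved.values()):
        return "partially achieved"      # all PA selected, some A missing
    return "not achieved"                # nothing else qualifies

def recommendation_group(status, baseline_target):
    """Report grouping: 'priority' when the outcome misses the profile target."""
    return "priority" if RANK[status] < RANK[baseline_target] else "other"

def check_selection(review, selected, comment):
    """A status that differs from the derived one must carry an explanation."""
    derived = derive_status(review)
    if selected != derived and not comment.strip():
        return f"status '{selected}' differs from derived '{derived}': comment required"
    return None

# Constructed sample: all PA IGPs selected, one A IGP not selected, no NA IGPs.
SAMPLE = OutcomeReview(
    achieved={"A1": True, "A2": False},
    partially_achieved={"PA1": True, "PA2": True},
    not_achieved={"NA1": False},
    pairs=[("A1", "PA1")],
)
```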

Providing comments to support your review

You need to provide clear, concise comments to explain your reasons for selecting the contributing outcome status. 

Your comments should reflect your review of the controls and processes that are in place for the contributing outcome. They should reference:

  • areas of good practice 
  • current risks to the system or organisation and related areas for improvement 
  • the organisation’s supporting evidence
  • specific IGPs, including where the organisation has noted alternative controls or exemptions

When you have finished reviewing the contributing outcome, select ‘Save and continue’ to return to the list of outcomes. 

Note: your comments for each contributing outcome will be included in the Peer Review Report. 

Adding recommendations

You must focus on providing clear, evidence-based recommendations.

You must add at least one recommendation for each contributing outcome that has not met the Baseline Government CAF profile. You may also add recommendations for other contributing outcomes where there is more that the organisation can do to ensure their cyber security controls are appropriate for their risk context.  

Organisations may have a high number of recommendations to address from one GovAssure review. In the Peer Review Report your recommendations will be grouped into two types to help with prioritisation. 

  1. Priority recommendations

     Priority recommendations address gaps where the contributing outcome has not met the Baseline Government CAF profile.

  2. Other recommendations

     Other recommendations address gaps where the contributing outcome has met the Baseline Government CAF profile.

Note: your recommendations will be automatically sorted into these groups in the report based on the outcomes of your review.

Adding recommendations

In the service you can select to ‘add a recommendation’. 

You might use the language of relevant IGP statements to help you write your recommendations. 

Example recommendations

  1. Contributing outcome A1.a Board direction

     Appoint a board-level individual with accountability for network and information system security.

  2. Contributing outcome A1.c Decision-making

     Implement a schedule to regularly review risk management decisions, to ensure their continued relevance and validity.

  3. Contributing outcome B2.d Identity and access management (IdAM)

     Set a schedule to review access rights regularly and revoke those no longer needed.

Adding more recommendations

You must record each recommendation separately by selecting ‘add another recommendation’. When you have finished, select ‘Confirm and return’ to go back to the main menu. 

Commenting on the overall self-assessment

When you have reviewed all the contributing outcomes in an objective, you must comment on the overall self-assessment.

Your comments in these sections will be included in the Peer Review Report. They may be read by senior or less technical audiences, so you should write them in accessible language.

Commenting on areas of good practice

Your comments should:

  1. Summarise key themes across the CAF principles and objectives. 
  2. Reference specific areas of good practice such as clear governance structures, consistent risk management processes, or embedded procedures, and explain how these support the achievement of the objective. 

Commenting on areas for improvement

Your comments should:

  1. Summarise weaknesses across the CAF principles and objectives. 
  2. Outline resulting risks to the organisation. 
  3. Reference high-priority areas for improvement such as immaturity of controls, insufficient governance or particular vulnerabilities. 

Review details

Your comments in these sections will be included in the Peer Review Report.

Adding the Peer Review period

Add the start date and the predicted end date of your review. You can come back to change this later if needed. 

Adding your organisation details

Add the name of your organisation. 

Add the lead reviewer’s name. This may be you or a colleague. 

Describing your review method

Describe your data collection methods and how you reviewed evidence. You should note any limitations or constraints you encountered during your review.

Describing the quality of the self-assessment

You must comment on the quality of the organisation’s WebCAF self-assessment.

You should consider the level of detail provided by the organisation in the contributing outcome responses, and any comments it has included on alternative controls or exemptions at IGP level. For example, was there enough information to allow you to conduct an accurate, informed review? 

You should comment on whether the organisation provided appropriate supporting evidence to back up their contributing outcome status and IGP selections. 

Creating the Peer Review Report

When you are ready to create your report, WebCAF will direct you to a screen to choose ‘Create report now’.

When you have created the report, your next steps are to:

  1. Check the report is accurate and complete.
  2. Share and discuss the report with the organisation. 
  3. If you have agreed changes with the organisation, you can update to a new version of the report in WebCAF. 
  4. If needed, iterate through new versions until both you and the organisation agree. 
  5. Create a final version of the report.

When you have finalised the report you will no longer be able to create a new version. If you need to make more changes, contact webcaf@dsit.gov.uk.
