Author: Government Security Group (GSG), Cabinet Office

Last updated: 2025-05-02

GovAssure Reviewers Hub

Information for companies who want to find out how to become an Independent Assurance Reviewer for GovAssure.

As part of stage 4 of GovAssure, most government organisations are required to undergo an Independent Assurance Review (IAR) of their critical systems against the National Cyber Security Centre’s (NCSC) Cyber Assessment Framework (CAF). Government organisations are responsible for procuring a company to do this from a list of pre-approved companies on the Cyber Security Services 3 Dynamic Purchasing System (DPS) under the ‘Consultancy and Advice’ service.

From Summer 2025 we plan to close the current accreditation routes (NCSC Assured and Non-NCSC Assured) for GovAssure assessors being added to the DPS. This will not impact procurements by government organisations already in motion for GovAssure Year 3 (2025/26FY).

From April 2026 only companies that are part of NCSC’s Cyber Resilience Audit scheme and comply with our bespoke GovAssure requirements will be able to deliver GovAssure IARs. We are working closely with the NCSC and Crown Commercial Service (CCS) on this transition.

Supplier obligations

Before the assessment begins, the supplier will hold a planning meeting with the government organisation to outline review timelines and logistics. In this meeting the government organisation will present their completed GovAssure Scoping Document. The supplier will then work with the government organisation throughout the review period. The supplier will author a technical report (an ‘Independent Assurance Review Report’), with a final version agreed by the government organisation and Government Security Group.

During the review the supplier will have secure access to the evidence and information presented by the government organisation in their CAF self-assessment. The government organisation will decide the most appropriate way of sharing this information with suppliers. The government organisation’s data and information must not sit on the supplier’s network or devices.

Some further obligations:

  • The supplier should be willing to work virtually and in-person when required.
  • The final deliverable will be an Independent Assurance Review Report (IARR) for the government organisation which provides an independent assessment of whether the government organisation has met the relevant government CAF profile.
  • The supplier will only use the report template and WebCAF provided by Government Security Group when completing the independent assurance review and authoring the final technical report.
  • All members from the supplier’s team working on the government organisation’s GovAssure review will hold Security Check (SC) clearance.
  • For each GovAssure Independent Assurance Review (IAR) that the government organisation bids for, there must be a named authority for the supplier. The named authority is responsible for signing-off the outputs of the review.
  • The named authority should be a Head Consultant for either Risk Management or Audit & Review.
  • The named authority does not necessarily need to perform parts of the assessment, but should have oversight throughout the review. In signing off any of the outputs from the review they are taking responsibility on behalf of their organisation that the review has been conducted to satisfactory standards and they will act as a point of escalation if any issues or questions subsequently arise.
  • The named authority for the supplier will have experience of working within HM Government (this includes the wider public sector). The government organisation will require customer references/contract examples from the supplier.
  • In the interests of transparency, the supplier and government organisation must declare any potential conflicts of interest when it comes to providing assurance on a specific government system. For example, they may have been involved in the design of the system or CHECK pen testing previously, or involved in architectural design reviews. This won’t necessarily preclude that company from bidding for the work, but failure to declare any interests could preclude them from bidding for future GovAssure work. Suppliers will be required to complete a conflict of interest form as part of their submission.

Requirements for companies to conduct a GovAssure Review

For GovAssure, companies are required to:

  • be an ‘Assured Service Provider’ on the NCSC Cyber Resilience Audit scheme (from April 2026)
  • have prior experience of working with the UK Government in cyber security, including working in the wider public sector
  • have had ALL colleagues working on GovAssure read the GovAssure “guidance for independent assessors document” and attend the GovAssure assurance reviewer training
  • hold Security Check (SC) clearance. This is a requirement due to the sensitive government information that companies will have access to

How does a company get on the Cyber Resilience Audit (CRA) Scheme?

Companies must be on the Cyber Resilience Audit (CRA) scheme to do GovAssure reviews from April 2026.

The Cyber Resilience Audit Scheme is an NCSC scheme that gives government organisations confidence in companies that have been assessed as meeting the NCSC standard for delivering independent assurance reviews. The CRA scheme is also available for non-government sectors.

For more information on how to join, visit the NCSC guidance on the Cyber Resilience Audit Scheme.

Or contact NCSCIndustryAssurance@ncsc.gov.uk.

How does a company get listed as a GovAssure supplier on the Cyber Security Services 3 framework?

Companies can apply to join the Cyber Security Services 3 Dynamic Purchasing System: scroll down and click ‘Access as a Supplier’.

The bid pack contains information on how to complete your application and within the DPSQ you can select ‘GovAssure’ as a service.

If you are already registered on the DPS, please log in to your dashboard and click ‘Update DPSQ’ or ‘Respond’ underneath the relevant questionnaire. This will allow you to edit your responses and select ‘GovAssure’ as a service.

Government Security Group provides CCS with the names of individuals who have completed the GovAssure training.

Crown Commercial Service

For further information on the commercial agreement, visit CCS’ Cyber Security Services 3 website.

If you have any questions relating to how your company can get onto the framework, contact cyberdps@crowncommercial.gov.uk.
