Skip to main content

This is a new service – your feedback will help us to improve it.

  1. Guidance
  2. GovAssure
  3. Becoming An Independent Assurance Reviewer

Becoming a GovAssure Independent Assurance Reviewer

This page is for companies who want to find out how to become an Independent Assurance Reviewer for GovAssure.

As part of the fourth stage of GovAssure, most Government Organisations will be required to undergo an Independent Assurance Review of their critical systems against the National Cyber Security Centre’s (NCSC) Cyber Assessment Framework.

Working with Crown Commercial Services Colleagues and the NCSC, we have created a route on Cyber Security Service 3 Dynamic Purchasing System (DPS), displayed under the ‘Consultancy and Advice’ service, for government organisations to procure third-party reviews from companies for GovAssure.

Overview and supplier obligations

Before the assessment begins, the supplier will hold a planning meeting with the Government Organisation and Government Security Group to outline review timelines and logistics. In this meeting the Government Organisation will present their completed GovAssure Scoping Document. The supplier will then work with the Government Organisation throughout the review period. The supplier will then author a final technical report, with a final version agreed by the Government Organisation and Government Security Group.

The supplier will have secure access to the evidence and information presented by the Government Organisation in their self-assessment of the Cyber Assessment Framework. The Government Organisation will decide the most appropriate way of sharing information with suppliers. The Government Organisation’s data and information must not sit on the supplier's network or devices.

Some further obligations:

Requirements for companies to conduct a GovAssure Review

For GovAssure, companies are required to:

Upcoming GovAssure assurance reviewer training sessions

Please contact for information on GovAssure reviewer training sessions.

NCSC assured GovAssure Service

To be eligible for GovAssure work through the NCSC assured route, companies must already be active participants in two NCSC schemes as laid out below:




Companies may wish to go into partnerships with other companies to come under the NCSC assured route on the marketplace. This should be made clear to the buyer and the Head Consultant or Named authority must be clearly stated.

Non-NCSC GovAssure Service

To ensure capacity, companies who meet the following criteria will also be able to conduct GovAssure reviews.

One of:

One of:

Companies are allowed to partner with other companies who have these requirements. They must agree to Crown Commercial Service’s commercial guidance on sub-contracting. The risk owner must be clearly stated (e.g. head consultant from the contracting company).

Why have we set this approach?

Firstly, we view that the requirements asked for blend the necessary technical cyber expertise with the essential skills of conducting assurance reviews. Furthermore, alongside NCSC assured companies, we have opened the scheme to current non-NCSC assured companies to increase engagement with industry all across the country and to encourage Small Medium Enterprise companies to partake in the scheme. By doing this want to grow and develop the cyber industry across the entire UK.

Approach for year two of GovAssure

For the first year of GovAssure, working with Crown Commercial Services’ we have created two routes for Government Organisations, as outlined above, to acquire the services of an Independent Assurance Reviewer company for Stage 4 of GovAssure - Independent Assurance Review.

In previous communications we have advertised that the second year approach would be NCSC GovAssure approved companies only. We want to continue building market maturity for CAF assurance reviewers so for year two of GovAssure we will continue to accept both NCSC GovAssure Assured companies, and Non-NCSC GovAssure companies. The requirements under both of these routes will remain the same.

How does a company get on the GovAssure service via CCS?

Companies can apply to join the Cyber Security Services 3 DPS by accessing the Supplier Registration System here, scrolling down to Cyber and clicking ‘access as a supplier’.

The bid pack contains information on how to complete your application and within the DPSQ you can select ‘GovAssure’ as a service.

If you are already registered on the DPS, please login to your dashboard and click ‘Update DPSQ’ or ‘Respond’ underneath the relevant questionnaire. This will allow you to edit your responses and select ‘GovAssure’ as a service.

Crown Commercial Services

Please visit CCS’ Cyber Security Services 3 website for further information on the commercial agreement.

If you have any questions relating to how your company can get onto the framework, please contact