Please email cybergovassure@cabinetoffice.gov.uk for a transcript if required.
Stage 1 will provide further detail on starting the GovAssure process through the completion of a scoping exercise. The successful scoping of GovAssure relies on a full understanding of the strategic context of the organisation, the essential services provided and the overall mission. This will help to put into context the cyber security threat landscape in which it operates, as well as the services deemed essential to the operations of the organisation.
Successful scoping should enable the organisation to identify, as part of Stage 2 (In-scope systems and assigning the target Cyber Assessment Framework (CAF) Profile), the critical systems that underpin the delivery of organisations essential services. This will help to determine what will be in scope for the organisation’s CAF self-assessment, so that subsequent risk, security and resilience management is framed appropriately.
Where possible, use existing sources of information that will support the thinking around the organisational context and essential services and the links to underpinning critical systems. For example, organisational outcome delivery plans, business continuity information and any exercises that explain the flow of personally identifiable information (PII) within your organisation, as well as any other work that may have been commissioned previously to better understand and illustrate the essential services delivered by your organisation.
Identification and assignment of GovAssure roles and responsibilities and RASCI completion
Introducing the GovAssure Scoping Document
At the start of the GovAssure process, government organisations will be asked to complete the ‘GovAssure Scoping Document’. Part A of the document will encourage you to think about and record the following:
Mission – What is your organisation trying to achieve? How does it support the delivery of government services?
Objectives – What are the key objectives used to deliver that mission?
Priorities – What are your organisation’s top priorities?
Threat landscape – Who is looking to attack your organisation? Why? What could happen if they were successful?
Cyber Risk Appetite – What is the cyber risk appetite for your organisation?
The GovAssure Scoping Document is important because it will be used by the independent assurance reviewers to understand the context and risk appetite set by the organisation, which will support the reviewer to determine whether the security controls in place are appropriate and proportionate for the level of risk exposure.
The outputs of Stage 1 should be recorded under Part A of the GovAssure Scoping Document. We have an example of a completed GovAssure Scoping Document to support this process, using the fictitious government department, the ‘Department of Artificial Intelligence and Robotic Technologies’ (DAIRT).
Essential services will differ between organisations, so each organisation should refer to its annual reporting, organisational outcome delivery plans and wider strategic documentation to support this identification.
Determining the essential services that underpin the delivery of your organisation’s mission, objectives and priorities can be complex. We have developed a ‘Guide to thinking through essential services and systems through five lenses’ to support your organisation in considering and documenting the thinking through the different lenses, and ultimately the critical systems you will select to be included in scope for GovAssure. Depending on the organisation, the number of services that might be considered ‘essential’ will vary. We expect organisations to select a practical number of essential services for consideration to include in the scope for GovAssure.
Each organisation will need to consult with a wide range of colleagues to support this exercise. For example, Chief Risk Officers should be consulted to check the understanding and recording of the primary organisational risks. Only once an organisation has defined its essential services can it move on to identifying the critical systems in scope for GovAssure (Stage 2). The outputs of this stage should be recorded under Part B of the GovAssure Scoping Document.
Government Critical National Infrastructure Services: Services that the UK public rely upon, on a daily or near-daily basis, as per official guidance.
Operators of essential services (OES): Services which are essential for the maintenance of key societal or economic activities, as per official guidance. For example, energy, transport, health, water, digital infrastructure.
Fundamental organisational outputs and mission: Services fundamental to the outcomes of the organisation, which the organisation must provide. For example, government policy development, regulation, delivery and support, briefings, analysis and advice.
OFFICIAL