Once the organisation has identified their essential services as part of Stage 1, they can begin to consider and identify the critical systems that underpin those essential services, to create a prioritised list of critical systems considered for inclusion in GovAssure. This list of critical systems generated may be different to existing system prioritisation exercises already conducted within the organisation.
We expect organisations to prioritise and select a practical number of critical systems that are representative of the organisation and its business to take through the GovAssure process. This could be a mix of operational and support systems, such as corporate and estate systems, and analytic systems. Agreement of essential services and the critical systems that underpin them should be agreed with system owners and wider business areas within the organisation. The final selection of in-scope systems will be agreed with Government Security Group (GSG) before progressing to the self-assessment stage of GovAssure.
Once an organisation’s essential services have been identified, this will help inform which critical systems are in scope for GovAssure. These systems should be able to be interpreted as:
Government Critical National Infrastructure (CNI): Systems characterised as Government Sector Critical National Infrastructure (CNI) according to the main CNI criteria. These systems are considered critical by GSG and the Enhanced Profile will automatically be applied to them.
Operators of Essential Services (OES): Systems which support Operators of Essential Services.
Systems supporting fundamental organisational outputs and mission: Systems that support the mission and day-to-day business of the organisation, which the organisation must provide, and without which, it would not be able to continue to operate (e.g. primary departmental corporate network).
For the critical systems prioritised for GovAssure, it’s important to include individuals with a deep understanding of those systems in any wider touch points and scoping conversations. Their knowledge will be required to understand the architecture and interconnected-nature of the systems, including boundaries and dependencies as well as the flow of data to and from the systems.
At this point it is also worth starting to familiarise those individuals with the NCSC Cyber Assessment Framework (CAF) to understand the areas where their input is most likely to be required as part of Stage 3 (CAF self-assessment).
It is useful to be able to illustrate this view through the use of systems architecture and data flow diagrams to support the scoping exercise.
This process (including drawing the system boundary) will be documented as part of the GovAssure Scoping Document and will need to be signed off by the CISO or relevant senior risk owner.
Organisations should consider the following when undertaking system scoping, to ensure systems are scoped appropriately:
Engagement with service and system owners: Individual service and system owners should be part of this process. You will need their input when identifying and agreeing the system boundary, and they will need to contribute to documenting the approach that you have taken to identifying the system boundary.
Identifying dependencies: It is important that you set out the full details of the network and information system, including the dependencies that are fundamental to the system, on system bearers and service providers. You may carve out elements and decide to carry out assurance on those elements during a later round of GovAssure.
Drawing the line: You will need to take a realistic approach to identifying the boundary for a system that will be included in-scope for GovAssure. It may not be possible to assure a connected network and information system in its entirety and it is important that you draw the line somewhere. Being clear on what you are declaring out of scope will help with this.
What is out of scope: If you are declaring something out of scope, you need to declare exactly what is out of scope and what your justification is for excluding it from scope. If you are removing something from a system’s scope you must consider what impact this might have on the assessment of any other critical system in scope for GovAssure, for example shared functions that underpin several systems.
As referred to in ‘The CAF Components Explained’ section, once your organisation has identified the critical systems in scope for GovAssure, you will need to assign the Baseline or Enhanced Profile to them. This selection of CAF profile will be determined as part of a discussion between the organisation, GSG and NCSC and any application will be based on the conditions of the specific system and relevant level of threat. You can find more guidance on which CAF profile to use here.
The Enhanced Profile will be automatically applied to government Critical National Infrastructure (CNI). For other critical systems, the following should be considered when determining whether the Enhanced profile should be applied:
OFFICIAL