Skip to main content

This is a new service – your feedback will help us to improve it.

  1. Guidance
  2. GovAssure
  3. Stage 3

Stage 3: Self-assessment

Please email for a transcript if required.

Stages 1 and 2 of the GovAssure process come together to provide the scoping inputs for Stage 3, the CAF self-assessment. Organisations will complete a self-assessment for each critical system identified as in-scope for GovAssure, as well as assessing their wider organisational security arrangements under Objectives A and D.

Organisations will need to show how they meet each CAF contributing outcome and the associated indicators of good practice (IGPs) by inputting statements of achievement and supporting commentary into WebCAF, the online platform used for completing CAF self-assessments in GovAssure.

Organisations are expected to conduct a comprehensive but realistic CAF self-assessment supported by evidence. The self-assessment is to be performed within the parameters set out in the GovAssure Scoping Document.

Principles to consider when completing the Cyber Assessment Framework (CAF) self-assessment:

Consider who to involve in the CAF self-assessment – role alignment

It is important to recognise that completion of the CAF self-assessment will require input from many individuals across the organisation with a shared division of work and responsibility for completing the CAF self-assessment between cyber teams, system owners as well as others. It may be appropriate for an organisation to complete Objectives A and D at a strategic level if the organisation deems that the systems in scope have commonality across these objectives and their sub-principles.

Objectives B and C are more commonly assessed by system owners, but some of the contributing outcomes for B and C may also be answered best at a strategic level, particularly where monitoring processes are conducted through a central SOC, and where security policies are set and mandated centrally.

Collecting evidence

Suitable supporting evidence tends to fall into several different types, for example, policies, strategies, procedures, meeting minutes and plans. Evidence should be relevant and already present, not created for the purpose of GovAssure. We have developed example evidence or artefacts that indicate how to evidence each indicator of good practice across the target CAF profiles and this is available on WebCAF for both the Baseline and Enhanced profiles.

The independent reviewer will use a combination of the self-assessment statements on WebCAF and the evidence provided to perform an initial assessment as to whether the evidence supports the statements made against the indicators of good practice. Evidence is not stored on WebCAF and we suggest that you maintain a suitable repository of evidence structured and aligned with the CAF in a suitably secure location and with access managed appropriately. It will be necessary to provide access to the independent reviewer as part of Stage 4.

Evidence should be relevant and suitably cross-referenced and ideally where applicable referenced where in the particular document or artefact the reviewer should be looking. This will make it as straightforward and efficient as possible for the reviewer to perform an assessment between WebCAF and the evidence repository. WebCAF allows you to add file references and where appropriate, URL links to documentation to support the completion of the IGP statements and the overall contributing outcome.

Before commencing the self-assessment, the organisation should ensure that it has identified important stakeholders and communicated the GovAssure process and expectations. It is good practice to gather some or all the following documentation to provide a good starting foundation for the self-assessment:

Do not write new evidence where documentation does not exist. The reviewer will judge how well integrated evidence is and any gaps will be highlighted for review and remediation in the report.

GovAssure and existing assurance framework mapping

Commonly used cyber security frameworks are consistent with the CAF, which means that assurance reporting requirements can align with internal cyber security risk management structures and processes. Government Security Group have developed CAF guidance mapping to assist those within an organisation completing a CAF self- assessment. It is not a direct mapping tool. It is a tool to guide and suggest where users should look within existing organisational security management frameworks.

Users should use these to gather relevant evidence to meet the outcomes stated within the target CAF assessment profile. The following frameworks have been mapped to CAF:

Further Guidance on Stage 3

Self-assessment additional resources

WebCAF has been designed to be as self-contained as possible, but to aid completion, you may wish to refer to additional cyber security standards and resources to support completion.

Useful documents to download for Stage 3: Self-assessment:

Back to Stage 2    Move on to Stage 4