NCSC developed Indicators of Good Practice (IGPs) to help organisations assess their cyber security practices against the contributing outcomes and to inform the overall achievement status of each contributing outcome. They are designed to provide a good starting point for the ‘workshop’ discussions around the achievement of each contributing outcome and should be used in conjunction with NCSC and Government guidance.
The IGPs are not intended to be exhaustive, and organisations may implement additional good practice or compensating controls for an outcome that would otherwise return a Partially Achieved contributing outcome. Where alternative good practice is implemented, this should be reflected in the comments supporting the IGP statements so that assurance reviewers can consider it as part of their review. Organisations will be required to demonstrate how they meet each contributing outcome and the stated IGPs by providing statements and evidence. The GovAssure process will result in 39 individual self-assessed judgements on contributing outcomes, reflecting the circumstances of the system and the wider organisation.
The following provides a definition for each achievement status:
Not Achieved indicators define the typical characteristics of an organisation not achieving that outcome. It is intended that the presence of any one indicator would normally be sufficient to justify an assessment of Not Achieved. If you answer Yes to any Not Achieved IGP (even one), you should mark this contributing outcome as Not Achieved.
Partially Achieved indicators define the typical characteristics of an organisation partially achieving that outcome. It is also important that the partial achievement is delivering specific, worthwhile cyber security benefits. To mark this contributing outcome as Partially Achieved, you need to demonstrate that your organisation or system meets, and answers Yes to, every Partially Achieved IGP (except where an IGP is marked Not Applicable).
Achieved indicators define the typical characteristics of an organisation fully achieving that outcome. It is intended that all the indicators would normally be present to support an assessment of Achieved. To mark this contributing outcome as Achieved, you need to demonstrate that your organisation or system meets, and answers Yes to, every Achieved IGP (except where an IGP is marked Not Applicable).
WebCAF develops the use of IGPs by grouping statements and identifying whether each is part of the Not Achieved, Partially Achieved or Achieved set. Within a group the statements then appear logically as opposing or contradictory statements, which aids completion and makes it easier to comment on similar themes. Each IGP statement has also been given a unique reference label.
As an example, for Objective B: Data security > B3.c – Stored Data, the following IGPs have been grouped together as IGP Group 1, as opposing statements:
IGP B3.c.1: You have only necessary copies of this data. Where data is transferred to less secure systems, the data is provided with limited detail and / or as a read-only copy. This IGP is part of the Achieved set.
IGP B3.c.6: All copies of data important to the operation of your essential function are necessary. Where this important data is transferred to less secure systems, the data is provided with limited detail and / or as a read-only copy. This IGP is part of the Partially Achieved set.
IGP B3.c.10: You have no, or limited, knowledge of where data important to the operation of the essential function is stored. This IGP is part of the Not Achieved set.
For each IGP statement, you should use appropriate judgement to decide whether you agree with the statement, using the drop-down selection:
Yes – the IGP describes the organisation or system.
No – the IGP does not describe the organisation or system.
Not Applicable – the IGP is not applicable or is exempt.
In the example above, if you have selected Yes to the first statement (B3.c.1) in the Achieved set, then the expectation would be that you select No for the statements in the Partially Achieved (B3.c.6) and Not Achieved (B3.c.10) sets.
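The two rules above (a single Yes to a Not Achieved IGP is decisive; Achieved and Partially Achieved each require Yes to every applicable IGP in their set, with Not Applicable IGPs excluded) can be expressed as a small roll-up function, together with a check that flags contradictory answers within an IGP group. The code below is an added illustration, not part of WebCAF or any NCSC tooling. It uses only the three B3.c Group 1 statements shown on this page (the other seven groups for B3.c are omitted, so the roll-up is over a reduced set), and it makes two labelled assumptions: an achievement set in which every IGP is Not Applicable cannot be claimed, and failing the Partially Achieved set falls back to Not Achieved.

```python
"""Roll IGP answers up to a contributing-outcome status and flag contradictions.

Added example, not WebCAF code. The IGP definitions below are taken from the
B3.c Group 1 statements on this page; all other data is constructed.
"""
from collections import defaultdict
from dataclasses import dataclass

NOT_ACHIEVED = "Not Achieved"
PARTIALLY_ACHIEVED = "Partially Achieved"
ACHIEVED = "Achieved"
VALID_ANSWERS = {"Yes", "No", "Not Applicable"}


@dataclass(frozen=True)
class IGP:
    ref: str              # unique reference label, e.g. "B3.c.1"
    achievement_set: str  # NOT_ACHIEVED, PARTIALLY_ACHIEVED or ACHIEVED
    group: int            # IGP group number within the contributing outcome
    text: str             # statement text (used to detect duplicated statements)
    answer: str           # "Yes", "No" or "Not Applicable"


# Constructed from the B3.c Group 1 statements shown on this page (abridged text).
# Only group 1 is included; a real B3.c assessment has eight groups.
B3C_GROUP_1 = (
    ("B3.c.1", ACHIEVED, 1,
     "You have only necessary copies of this data."),
    ("B3.c.6", PARTIALLY_ACHIEVED, 1,
     "All copies of data important to the operation of your essential function are necessary."),
    ("B3.c.10", NOT_ACHIEVED, 1,
     "You have no, or limited, knowledge of where data important to the operation "
     "of the essential function is stored."),
)


def answered(definitions, answers):
    """Attach a drop-down answer (keyed by IGP reference) to each definition."""
    return [IGP(ref, aset, group, text, answers[ref])
            for ref, aset, group, text in definitions]


def _applicable(igps, achievement_set):
    """IGPs in a set that still count, i.e. not marked Not Applicable."""
    return [i for i in igps
            if i.achievement_set == achievement_set and i.answer != "Not Applicable"]


def outcome_status(igps):
    """Return the achievement status implied by a set of IGP answers."""
    for i in igps:
        if i.answer not in VALID_ANSWERS:
            raise ValueError(f"{i.ref}: invalid answer {i.answer!r}")
    # Rule 1: even one Yes to a Not Achieved IGP is sufficient for Not Achieved.
    if any(i.answer == "Yes" for i in igps if i.achievement_set == NOT_ACHIEVED):
        return NOT_ACHIEVED
    # Rule 2: Achieved, then Partially Achieved, need Yes to every applicable IGP.
    for status in (ACHIEVED, PARTIALLY_ACHIEVED):
        applicable = _applicable(igps, status)
        # Assumption: a set whose IGPs are all Not Applicable cannot be claimed.
        if applicable and all(i.answer == "Yes" for i in applicable):
            return status
    # Assumption: not meeting the Partially Achieved set means Not Achieved.
    return NOT_ACHIEVED


def consistency_findings(igps):
    """Flag answers that contradict the opposing-statement structure of a group,
    and duplicated statements that were answered differently."""
    findings = []
    by_group = defaultdict(list)
    for i in igps:
        by_group[i.group].append(i)
    for group, members in sorted(by_group.items()):
        yes_sets = {i.achievement_set for i in members if i.answer == "Yes"}
        # Yes to the Achieved statement alongside Yes to an opposing statement.
        if ACHIEVED in yes_sets and yes_sets & {PARTIALLY_ACHIEVED, NOT_ACHIEVED}:
            refs = ", ".join(i.ref for i in members if i.answer == "Yes")
            findings.append(f"group {group}: Yes to opposing statements ({refs})")
    by_text = defaultdict(list)
    for i in igps:
        by_text[i.text].append(i)
    for dups in by_text.values():
        # The same statement in two sets should receive the same response.
        if len(dups) > 1 and len({i.answer for i in dups}) > 1:
            refs = ", ".join(i.ref for i in dups)
            findings.append(f"duplicated statement answered differently: {refs}")
    return findings


if __name__ == "__main__":
    sample = answered(B3C_GROUP_1, {"B3.c.1": "Yes", "B3.c.6": "No", "B3.c.10": "No"})
    print(outcome_status(sample), consistency_findings(sample))
```

The consistency check does not change the status; it only surfaces answer patterns a reviewer would question, which is the point at which the commentary against the IGP statements should explain the discrepancy.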
Some contributing outcomes will have multiple IGP groupings. For the example above, we have illustrated the first grouping, but there are eight IGP groupings in total for this contributing outcome. In some cases, a specific IGP may not apply exactly to your organisation’s business model.
On occasion, individual IGP statements are duplicated across grouped sets. We have retained this duplication to preserve the integrity of the CAF, as it matches the presentation in NCSC’s CAF, and these statements can fall into both the Partially Achieved and Achieved sets. Where this is the case, please provide the same response for both statements and, on concluding the contributing outcome, revisit which achievement set is most appropriate as part of the overall contributing outcome achievement status.