Conducting a peer review

Once the peer reviewer(s) have been assigned to the organisation they will need to:

• Read the GovAssure guidance on Stage 1, Stage 2 and Stage 3
• Be provided with the relevant Scoping Documents to understand the context of the organisation they are reviewing.
• Be granted access to the self-assessment(s) that have been submitted to WebCAF for review as an ‘Assessor’. WebCAF has the capacity to allow multiple reviewers per system assessment. Each system assessment will require the organisation to assign a reviewer, therefore if a reviewer is in line to review multiple returns, the organisation will need to assign them to all assessments.
• Have access to the evidence referenced in the self-assessment, or an understanding of the relevant evidence.
• Complete their review on WebCAF confirming achievement at IGP level and providing commentary at the contributing outcome level where required.
• Perform a brief moderation of the review with the organisation before formal submission on WebCAF.

Government Security Group anticipate a full peer review to take around 1-2 days, however timescales are expected to vary depending on the organisation and number of systems being reviewed.

Step 1: Understand the organisational context

The organisation being reviewed will have completed a GovAssure Scoping Document covering the following: - (1) Organisational context and essential services - (2) In-scope systems and assignment of the target Government CAF profile The reviewer should read and digest the contents of the Scoping Document to understand the systems for which they are reviewing CAF self-assessments.

Actions

• The GovAssure Scoping Document will need to be shared at the earliest opportunity with the selected peer reviewer.
• The organisation and reviewer will agree a rough timeline and establish ways of working. This should include; access to the self-assessments, how supporting document and evidence will be shared, who will be involved and when discussions between reviewer and organisation should take place (where needed).

Step 2: CAF profiles and WebCAF examples

As part of the scoping process, the organisation being reviewed will have assigned one of two Government CAF profiles to the systems in scope. For the purpose of peer review, systems in scope for this type of review are those assigned the Baseline Profile only. WebCAF has an example completed CAF assessment at Baseline. Peer reviewers should familiarise themselves with this as an indication of the kinds of answers organisations may provide as part of the self-assessment. As a peer reviewer, please exercise flexibility in your scoring. Although we have provided illustrative examples on WebCAF, there are numerous ways organisations may be meeting the Baseline requirements, so please exercise your expert judgement.

Actions:

• The organisation will assign the reviewer(s) to the assessments being reviewed on WebCAF.
• The reviewer will read the example CAF assessment for Baseline to aid their review.

Step 3 and 4: Understanding the organisations CAF self-assessment

• The reviewer(s) will be assigned a specific system assessment on WebCAF by the organisation lead. WebCAF is the bespoke online portal both organisations and assessors will use to fill in and review CAF returns. Guidance on WebCAF is aimed at independent assurance reviewers. Peer reviewers should follow this guidance instead.
• The self-assessment responses and supporting narrative will be ‘locked’ for the reviewer to work through systematically.
• Organisations will complete a CAF return focusing on assessment at contributing outcome (CO) level. Organisations will focus their returns at the CO level and reviewers should do the same. Organisations may have written IGP statements, but peer reviewers do not need to assess them, only read them to understand the context of the CO answer
• Narrative is focused at the CO level, and reviewers should comprehend the CO and individual IGP statements before assessing the CO statement.
• Evidence will be referenced on WebCAF and reviewers should be provided access to the evidence that is stored separately.

Actions:

• Stage 3 - reviewer reads NCSC’s CAF CO description and associated IGPs
• Stage 4 - reviewer reads organisations CO answer
• Stage 5 - reviewer reads the CO in the context of the given IGPs (if applicable)

Step 6: Reviewing the CAF self-assessment

In step 6, reviewers will be expected to use expert judgement to complete the peer review. For peer review, commentary should be focused at the contributing outcome level only. On WebCAF, boxes will appear below each set of contributing outcome statements for the reviewer to populate.

Where the organisation and reviewer are the same, there is no need to provide detailed commentary. Where organisation and reviewer comments differ, commentary should be provided as to what and why. Organisations may be contacted for further clarification by the reviewer. References to individual IGPs may be made in the CO statement review, however this is optional.

Actions: - Reviewer uses Yes or No checkboxes to assess whether the contributing outcome statement applies to the system in question, and supporting commentary is provided if necessary. Yes or No scores or commentary is not required for IGPs. Commentary from reviewers should be focused at the CO level. - Where reviewer assessments differ from the organisations contributing outcome achievement, they should justify fully and with reference to the areas of difference. - An agreement should be made on whether any additional (and optional) arbitration workshops and feedback are necessary - Reviewer, organisation (and optionally LGD) should fully check quality of review before submission to GSG on WebCAF.

WebCAF Submission

Following submission, the reviewed CAF return will be stored in a SECRET environment and will not be accessible on WebCAF in the long term. The reviewed assessment will be collated into a report if multiple systems have been put through GovAssure by the organisation. Organisations, in combination with their LGDs, will also work up a Targeted Improvement Plan based on final CAF returns. Peer reviewers will not be expected to contribute to either product, unless they do so voluntarily.

For additional questions on the GovAssure process or peer review, please contact cybergovassure@cabinetoffice.gov.uk For technical issues with WebCAF, please contact webcaf@cabinetoffice.gov.uk