Conducting a peer review


This guidance aims to provide peer reviewers with a clear understanding of how to conduct a peer review, including understanding the cyber assessment framework (CAF) and the government CAF profiles that underpin GovAssure.

Upon reading this guidance, you will:

For a slide deck on conducting a peer review please email from a government email address.

Before you start

Before you start a peer review, please ensure you have completed the following:

  1. Read the GovAssure guidance on Stage 1, Stage 2, Stage 3 and general peer review guidance.
  2. Be provided with the relevant Scoping Documents to understand the context of the organisation you are reviewing.
  3. Be granted access to the self-assessment(s) that have been submitted to WebCAF as an “Assessor” and assigned to the self-assessment(s) that have been submitted for peer review. Please note that if you are conducting a peer review and you previously had access to WebCAF, you may need to sign out and sign back in again as an assessor. You will then be able to see the assessments that you have been assigned to for peer review.
  4. Have access to the evidence referenced in the self-assessment, or an understanding of the relevant evidence.

GSG anticipates that a full peer review will take around 1-2 days; however, timescales are expected to vary depending on the organisation and number of systems being reviewed.

Step 1: Understand the organisational context

The organisation being reviewed will have completed a GovAssure Scoping Document covering the following:


Step 2: CAF profiles and WebCAF examples

As part of the scoping process, the organisation being reviewed will have assigned one of two government CAF profiles to the systems in scope. For the purpose of peer review, systems in scope for this type of review are those assigned the Baseline profile only.

WebCAF has an example of a completed CAF assessment at Baseline. You should familiarise yourself with this as an indication of the kinds of answers organisations may provide as part of the self-assessment.

As a peer reviewer, please exercise flexibility in your scoring. Although we have provided illustrative examples on WebCAF, there are numerous ways organisations may be meeting the Baseline requirements, so please exercise your expert judgement.


Step 3: Understanding the organisation's CAF self-assessment

WebCAF allows organisations to submit CAF self-assessments which are then evaluated by assessors. As a peer reviewer, you are assigned as an assessor to review specific system assessments within WebCAF by the Organisation Lead.

Once a self-assessment has been progressed for review, the organisation’s answers will be locked. You will then be able to read the organisation’s answers, and provide your own contributing outcome rating and commentary (step 4).

For each contributing outcome (CO) in an assessment, you should:


Step 4: Reviewing the CAF self-assessment

In step 4, you will be expected to use your judgement to complete the peer review. However, it is important to understand that for peer review you are expected to provide answers at CO level only. You are not required to provide any answers at IGP level. On WebCAF, you will be able to fill out an achievement rating and a comment for each CO.

If you come to the same conclusion as the organisation for a CO, there is no need to provide detailed commentary. Where your judgement differs from the organisation, you should explain why in your commentary. You may contact the organisation for further clarification. References to individual IGPs may be made in the CO statement review; however, this is optional.


WebCAF submission

When you have completed the peer review, the Organisation Lead will be able to submit the CAF assessment to GSG.

Following submission, the reviewed CAF return will be stored in a tier two storage environment and will not be accessible on WebCAF in the long term. The reviewed assessment will be collated into a report, including where multiple systems have been put through GovAssure by the organisation. Organisations, in combination with their LGDs, will also work on a targeted improvement plan based on final CAF returns. Peer reviewers will not be expected to contribute to either product unless they do so voluntarily.

If you would like access to the Peer review template or for additional questions on the GovAssure process or peer review, please contact For technical issues with WebCAF, please contact