Conducting a peer review

Introduction

This guidance aims to provide peer reviewers with a clear understanding of how to conduct a peer review, including understanding the cyber assessment framework (CAF) and the government CAF profiles that underpin GovAssure.

Upon reading this guidance, you will:

• Have a clear understanding of the CAF, and the target government CAF profiles that underpin the assessment.
• Be familiar with the end-to-end GovAssure process.
• Feel able to perform a peer review on another organisation’s CAF return.
• Feel confident in the peer review process, including the roles and responsibilities of both the reviewer and reviewee.
• Develop a broader understanding of the security practices implemented by peer organisations and share best practices.
• Know who to contact if there are any issues.

For a slide deck on conducting a peer review please email cybergovassure@cabinetoffice.gov.uk from a government email address.

Before you start

Before you start a peer review, please ensure you have completed the following:

1. Read the GovAssure guidance on Stage 1, Stage 2, Stage 3 and general peer review guidance.
2. Be provided with the relevant Scoping Documents to understand the context of the organisation they are reviewing.
3. Be granted access to the self-assessment(s) that have been submitted to WebCAF as an “Assessor” and assigned to the self-assessment(s) that have been submitted for peer review. Please note that if you are conducting a peer review and you previously had access to WebCAF, you may need to sign out and sign back in again as an assessor. You will then be able to see the assessments that you have been assigned to for peer review.
4. Have access to the evidence referenced in the self-assessment, or an understanding of the relevant evidence.

GSG anticipates a full peer review to take around 1-2 days; however, timescales are expected to vary depending on the organisation and number of systems being reviewed.

Step 1: Understand the organisational context

The organisation being reviewed will have completed a GovAssure Scoping Document covering the following:

• Organisational context and essential services.
• In-scope systems and assignment of the target government CAF profile. You should read and digest the contents of the scoping document to understand the systems for which they are reviewing CAF self-assessments.

Actions

• The GovAssure Scoping Document will need to be shared with you at the earliest opportunity.
• You should agree with the organisation on a rough timeline and establish ways of working. This should include access to the self-assessments, how supporting documents and evidence will be shared, who will be involved, and when discussions between you and the organisation should take place (where needed).

Step 2: CAF profiles and WebCAF examples

As part of the scoping process, the organisation being reviewed will have assigned one of two government CAF profiles to the systems in scope. For the purpose of peer review, systems in scope for this type of review are those assigned the Baseline profile only.

WebCAF has an example of a completed CAF assessment at Baseline. You should familiarise themselves with this as an indication of the kinds of answers organisations may provide as part of the self-assessment.

As a peer reviewer, please exercise flexibility in your scoring. Although we have provided illustrative examples on WebCAF, there are numerous ways organisations may be meeting the Baseline requirements, so please exercise your expert judgement.

Actions:

• The Organisation Lead assigns you to the assessments being reviewed on WebCAF.
• Read the example CAF assessment for Baseline to aid your review.

Step 3: Understanding the organisation's CAF self-assessment

WebCAF allows organisations to submit CAF self-assessments which are then evaluated by assessors. As a peer reviewer, you are assigned as an assessor to review specific system assessments within WebCAF by the Organisation Lead.

Once a self-assessment has been progressed for review, the organisation’s answers will be locked. You will then be able to read the organisation’s answers, and provide your own contributing outcome rating and commentary (step 4).

For each contributing outcome (CO) in an assessment, you should:

• Read the description from NCSC’s CAF (provided in WebCAF), as well as the indicators of good practice (IGPs) associated with that CO.
• Focus on what the organisation has answered for its CO rating, along with the comments they have provided.
• Read the supporting IGP answers associated with that CO. You will not be expected to evaluate these IGPs individually, but you should review how they support the organisation’s overall CO rating. Where evidence is referenced within WebCAF, you should request access to this evidence from the organisation where appropriate (no evidence is stored on WebCAF).

Actions:

• Read the NCSC’s CAF CO description and associated IGPs.
• Read the organisation's CO answer.
• Read the supporting IGP answers and evidence where appropriate.

Step 4: Reviewing the CAF self-assessment

In step 4, you will be expected to use your judgement to complete the peer review. However, it is important to understand that for peer review you are expected to provide answers at CO level only. You are not required to provide any answers at IGP level. On WebCAF, you will be able to fill out an achievement rating and a comment for each CO.

If you come to the same conclusion as the organisation for a CO, there is no need to provide detailed commentary. Where your judgement differs from the organisation, you should explain why in your commentary. You may contact the organisation for further clarification. References to individual IGPs may be made in the CO statement review; however, this is optional.

Actions:

• On WebCAF, assess each CO by providing an achievement rating and supporting commentary necessary (answers are not required at IGP level).
• Where your assessment differs from the organisation's CO achievement, you should justify this fully and with reference to the areas of difference.
• An agreement should be made on whether any additional (and optional) arbitration workshops and feedback are necessary.
• You, the organisation, and, optionally, LGD (if not already involved in peer review) should fully check the quality of the review before submission to GSG.

WebCAF submission

When you have completed the peer review, the Organisation Lead will be able to submit the CAF assessment to GSG.

Following submission, the reviewed CAF return will be stored in a tier two storage environment and will not be accessible on WebCAF in the long term. The reviewed assessment will be collated into a report, including where multiple systems have been put through GovAssure by the organisation. Organisations, in combination with their LGDs, will also work on a targeted improvement plan based on final CAF returns. Peer reviewers will not be expected to contribute to either product unless they do so voluntarily.

If you would like access to the Peer review template or for additional questions on the GovAssure process or peer review, please contact cybergovassure@cabinetoffice.gov.uk. For technical issues with WebCAF, please contact webcaf@cabinetoffice.gov.uk.