Peer review guidance

A peer review guidance pack is available to download on the Templates and Downloads page

Scope and audience

This guidance is for organisations undertaking GovAssure that are not subject to an Independent Assurance Review (IAR) and instead will be undergoing a form of peer review for their CAF self-assessments.

The guidance is advised for any organisation and individual involved in a form of review, including:

• Peer review by the lead government department (LGD)
• Peer review by the Government Internal Audit Agency (GIAA)
• Peer review by another organisation
• Internal peer review

This guidance applies to both the individual(s) performing the peer review as well as the organisation being reviewed.

If you are a peer reviewer, please also read the guidance on conducting a peer review.

GovAssure material often contains references to tranches, which are how we categorise organisations going through the process. The tranches are defined as follows:

• Tranche 1: All LGDs and government Critical National Infrastructure (CNI) holding organisations. They started the process in June 2023 and are required to perform third-party independent assurance reviews of all their CAF returns.
• Tranche 2: Any organisation not falling into the category above that has either self-selected or their LGD has put them in scope for GovAssure. They have several alternatives to the third-party IAR.

Peer review

A peer review involves the evaluation of an organisation’s WebCAF returns by an impartial individual, ensuring no conflict of interest influences the assessment. It focuses on the contributing outcome (CO) level, where reviewers analyse whether the organisation has achieved the target CO level, drawing insights from the self-assessment and accompanying evidence. Reviewers will use the Baseline profile as a benchmark to comprehend the target level the organisation is meeting or working towards.

Reviewers should anticipate and accommodate the flexibility in organisations’ responses. When the CO answers of both the organisation and the reviewer align, extensive commentary isn’t necessary. However, in cases where the CO answers differ, reviewers are encouraged to utilise the CO box to elaborate on the disagreement with the organisation’s CO assessment, providing reasoning and context for the difference.

Peer review serves as an alternative form of review as part of the GovAssure progress. It specifically applies to systems assessed against the Baseline CAF profile, offering a cost-effective alternative to a third party IAR. As part of this progress, organisations can anticipate receiving a comprehensive summary report and a targeted improvement plan (TIP). It presents a valuable opportunity for both you and your organisation to actively share security information practices with peers.

If, as a peer reviewer, you are presented with a system designated as 'Enhanced' to review, please contact the Government Security Group (GSG) at cybergovassure@cabinetoffice.gov.uk.

Peer review options

If any organisation is undergoing a peer review instead of an IAR, lead Government Departments, in collaboration with their ALBs, should select one of the following validation approaches to meet the assurance requirements:

• Peer review by the lead government department (LGD): An organisation with existing engagement with their LGD may have their review conducted by the department.
• Organisations should discuss with their LGD as early as possible in the GovAssure process if this is an approach to be followed.
• If agreed, the LGD should identify an individual with sufficient time and capability to dedicate to the review.
• Peer review by the Government Internal Audit Agency (GIAA): Peer review is conducted by GIAA and agreed between the organisation and their lead government department.
• Peer review by another organisation: Peer review is conducted by a different organisation. They should be a government organisation that ideally has experience with GovAssure or cyber assurance more broadly. Organisations should consult and agree on this approach with their LGD.
• An organisation may select an organisation with whom they have an existing relationship as their reviewer.
• LGDs are expected to support their organisations in identifying a potential reviewer from within their sector.
• Internal peer review: Peer review is performed by an individual from within the same organisation. Organisations should consult and agree on this approach with their LGD.
• Organisations will identify individual(s) not directly involved in the specific system-return to perform the review, for example, an owner of a system that is not being assessed.
• No review: Must be agreed with GSG.

Adding peer reviewers on WebCAF

To have peer reviewers added on WebCAF, organisations need to send a list of names, email addresses and home organisations for all agreed peer reviews to webcaf@cabinetoffice.gov.uk. They will each be added as “Assessors” to WebCAF. Once they have been added to the service, Organisation Leads will then be able to assign peer reviewers (assessors) to the relevant assessments.

Multiple peer reviewers can be assigned to an assessment. If an organisation has multiple system assessments being peer reviewed, Organisation Leads will need to assign the relevant peer reviewers to each assessment.

It is the responsibility of Organisation Leads to ensure that assessors (internal or external) have appropriate access.