
Peer Review Guidance

Who is this guidance for?

This guidance is for organisations undertaking GovAssure that are not subject to an Independent Assurance Review (IAR), and instead will be undergoing a form of peer review for their Cyber Assessment Framework (CAF) self-assessments.

The guidance is advised for any organisation and individual involved in a form of review, including:

  • Review by the Lead Government Department (LGD)
  • Peer review by another organisation
  • Internal review

This guidance is applicable to both the individual(s) performing the peer review as well as the organisation being peer reviewed.

GovAssure material often contains references to 'Tranches'; these are:

This guidance is for both reviewers and reviewees considering any of options 2, 3 and 4.

Government Security Group (GSG) has created additional options for alternative GovAssure validation, beyond the formal Independent Assurance Review with a third party.

## What do we mean by peer review?

If, as a peer reviewer, you are presented with a system designated as 'Enhanced' to review, please contact GSG: cybergovassure@cabinetoffice.gov.uk

Peer review is...

Peer review is not...

Peer Review Options

Lead Government Departments in collaboration with their ALBs should select one of the following validation approaches to meet the assurance requirements:

  1. Certified third party Independent Assurance Review (IAR), procured through Cyber Security Services 3

  2. LGD Review: An organisation with existing engagement with their LGD may have their review conducted by the department

    • Organisations should discuss with their LGD as early as possible in the GovAssure process if this is an approach that will be followed
    • If agreed, the LGD should identify an individual with sufficient time and capability to dedicate to the review

  3. Peer Review by another Organisation: Peer review is conducted by a different organisation. They should be a government organisation that ideally has experience with GovAssure or cyber assurance more broadly. Organisations should consult and agree this approach with their LGD

    • Organisations may select an organisation with whom they have an existing relationship as their reviewer.
    • LGDs are expected to support their organisations with identifying a potential reviewer from within their sector

  4. Internal Review by Organisation: Peer review is performed by an individual from within the same organisation. Organisations should consult and agree this approach with their LGD.

    • Organisations will identify individual(s) not directly involved in the specific system return to perform the review, for example, an owner of a system that is not being assessed.

  5. No review (agreed with GSG)

End-to-end process for peer review

Stage 1:

Stage 2:

Stage 3:

Stage 4:

Stage 5:

Stage 6:

 

OFFICIAL