# Peer Review Guidance
## Who is this guidance for?
This guidance is for organisations undertaking GovAssure that are not subject to an Independent Assurance Review (IAR), and instead will be undergoing a form of peer review for their Cyber Assessment Framework (CAF) self-assessments.
The guidance is advised for any organisation and individual involved in a form of review, including:
- Review by the Lead Government Department (LGD)
- Peer review by another organisation
- Internal review
This guidance is applicable to both the individual(s) performing the peer review as well as the organisation being peer reviewed.
GovAssure material often refers to 'Tranches'; these are:
- Tranche 1 - All Lead Government Departments (LGDs) and Government Critical National Infrastructure (CNI)-holding organisations. They started the process in June, and are required to perform third-party Independent Assurance Reviews on all their CAF returns.
- Tranche 2 - Any organisation not falling into the category above that has either self-selected, or been put in scope for GovAssure by its LGD. They have a number of alternatives to the third-party Independent Assurance Review (see slide).
This guidance is for both reviewers and reviewees considering any of options 2, 3 and 4.
Government Security Group (GSG) has created additional options for alternative GovAssure validation, beyond the formal Independent Assurance Review with a third party.
## What do we mean by peer review?
- An assessment of an organisation’s WebCAF returns by another individual who does not have a conflict of interest.
- An assessment focused at the contributing outcome (CO) level, where reviewers will assess whether the organisation has achieved the target CO level based on the self-assessment and evidence provided.
- Reviewers will use the Baseline profile to understand what target level the organisation is meeting or working towards.
- Reviewers should expect and account for flexibility in organisations’ answers, since there is more than one way to meet an outcome.
- Where the organisation’s and reviewer’s CO answers are the same, no extensive commentary is required.
- Where the answers differ, reviewers should use the contributing outcome box to explain what they disagree with in the organisation’s CO assessment and why.
If as a peer reviewer you are presented with a system designated as 'Enhanced' to review, please contact GSG: email@example.com
## Peer review is...
- For organisations participating in an alternative form of review as part of the GovAssure process.
- For systems assessed against the Baseline CAF profile.
- A cost-effective alternative to a third-party Independent Assurance Review.
- Going to provide organisations with a summary report and Targeted Improvement Plan (TIP).
- Undertaken at the organisation’s discretion, following direction from LGD.
- An opportunity for you and your organisation to share information on security practice with peers.
## Peer review is not...
- Appropriate for systems assessed against the Enhanced CAF profile.
- Going to provide as in-depth validation as the Independent Assurance Review.
- As structured and objective a view as the IAR.
- Centrally coordinated by GSG; the peer review will be arranged and coordinated between the LGD and the relevant organisations.
- A form of assurance to assess the overall cyber posture of organisations.
## Peer Review Options
Lead Government Departments, in collaboration with their ALBs, should select one of the following validation approaches to meet the assurance requirements:
1. Certified third-party Independent Assurance Review (IAR), procured through Cyber Security Services 3.
2. LGD Review: An organisation with existing engagement with their LGD may have their review conducted by the department.
   - Organisations should discuss with their LGD as early as possible in the GovAssure process if this is an approach that will be followed.
   - If agreed, the LGD should identify an individual with sufficient time and capability to dedicate to the review.
3. Peer Review by another Organisation: The peer review is conducted by a different organisation. They should be a government organisation that ideally has experience with GovAssure or cyber assurance more broadly. Organisations should consult and agree this approach with their LGD.
   - Organisations may select an organisation with whom they have an existing relationship as their reviewer.
   - LGDs are expected to support their organisations with identifying a potential reviewer from within their sector.
4. Internal Review by Organisation: The peer review is performed by an individual from within the same organisation. Organisations should consult and agree this approach with their LGD.
   - Organisations will identify individual(s) not directly involved in the specific system return to perform the review, for example the owner of a system that is not being assessed.
5. No review (agreed with GSG).
## End-to-end process for peer review
- Organisation to share GovAssure Scoping document with Peer Reviewer
- Peer reviewer to understand and familiarise themselves with the organisational context and the systems being assessed
- Both organisation and peer reviewer to agree ways of working, timelines and document sharing
- Organisation to provide access to WebCAF for the peer reviewer, and to provide self-assessment evidence and documentation to the peer reviewer
- Peer reviewer to read example assessments and understand the requirements for the Baseline Profile
- Peer reviewer to read NCSC CAF Contributing Outcomes and underpinning indicators of good practice (IGPs) (e.g. what kind of answers and evidence would constitute achieved, partially achieved or not achieved at the contributing outcome level)
- Peer reviewer to read CAF self-assessment contributing outcomes, statements, justification and evidence
- Organisation and peer reviewer to identify any areas unclear or requiring more evidence
- Peer reviewer to evaluate CAF self-assessment contributing outcome statement considering underpinning IGP answers
- Peer reviewer to indicate on WebCAF, using the dropdown boxes, whether the contributing outcome achievement statements apply to the system, and to provide commentary
- Organisation and peer reviewer to enter into an arbitration process (optional)