Skip to main content

This is a new service – your feedback will help us to improve it.

  1. Guidance
  2. GovAssure
  3. Stage 4
  4. Peer Review Guidance

Peer review guidance

A peer review guidance pack is available to download on the Templates and Downloads page

Scope and audience

This guidance is for organisations undertaking GovAssure that are not subject to an Independent Assurance Review (IAR) and instead will be undergoing a form of peer review for their CAF self-assessments.

The guidance is advised for any organisation and individual involved in a form of review, including:

This guidance applies to both the individual(s) performing the peer review as well as the organisation being reviewed.

If you are a peer reviewer, please also read the guidance on conducting a peer review.

GovAssure material often contains references to tranches, which are how we categorise organisations going through the process. The tranches are defined as follows:

Peer review

A peer review involves the evaluation of an organisation’s WebCAF returns by an impartial individual, ensuring no conflict of interest influences the assessment. It focuses on the contributing outcome (CO) level, where reviewers analyse whether the organisation has achieved the target CO level, drawing insights from the self-assessment and accompanying evidence. Reviewers will use the Baseline profile as a benchmark to comprehend the target level the organisation is meeting or working towards.

Reviewers should anticipate and accommodate the flexibility in organisations’ responses. When the CO answers of both the organisation and the reviewer align, extensive commentary isn’t necessary. However, in cases where the CO answers differ, reviewers are encouraged to utilise the CO box to elaborate on the disagreement with the organisation’s CO assessment, providing reasoning and context for the difference.

Peer review serves as an alternative form of review as part of the GovAssure progress. It specifically applies to systems assessed against the Baseline CAF profile, offering a cost-effective alternative to a third party IAR. As part of this progress, organisations can anticipate receiving a comprehensive summary report and a targeted improvement plan (TIP). It presents a valuable opportunity for both you and your organisation to actively share security information practices with peers.

If, as a peer reviewer, you are presented with a system designated as 'Enhanced' to review, please contact the Government Security Group (GSG) at

Peer review options

If any organisation is undergoing a peer review instead of an IAR, lead Government Departments, in collaboration with their ALBs, should select one of the following validation approaches to meet the assurance requirements:

Adding peer reviewers on WebCAF

To have peer reviewers added on WebCAF, organisations need to send a list of names, email addresses and home organisations for all agreed peer reviews to They will each be added as “Assessors” to WebCAF. Once they have been added to the service, Organisation Leads will then be able to assign peer reviewers (assessors) to the relevant assessments.

Multiple peer reviewers can be assigned to an assessment. If an organisation has multiple system assessments being peer reviewed, Organisation Leads will need to assign the relevant peer reviewers to each assessment.

It is the responsibility of Organisation Leads to ensure that assessors (internal or external) have appropriate access.