The Assurance Review Process

1. Onboarding/Scoping

The review for an organisation’s CAF self-assessment return should be commissioned either in advance of the self-assessment or in parallel. It is important that the assessor understands the scope of the self-assessment activity early in the process, so that they can judge the likely scale and effort. At this point you may want to provide a copy of your GovAssure Scoping Document to the provider ahead of the planning stage.

As part of the onboarding process, and in good time ahead of the review itself, it is sensible to engage the assessor early and hold an onboarding/scoping call to agree logistics: arrangements for access to IT equipment and provisioning of access to any systems (e.g. setting independent assessors up with ‘Assessor’ profile access on WebCAF) or file shares that the assessor may need in order to reach evidence and artefacts as part of the review.

2. Planning for the independent assurance review

As part of the planning stage, the organisation should meet with the assessor to brief them on the context of the organisation, the systems being assessed, the assigned target government CAF profile, and the organisation’s approach to completing the CAF self-assessment. The organisation’s GovAssure Scoping Document should be referred to throughout this planning phase.

At the initiation stage of the review, individuals who are involved in the work – those who completed the CAF self-assessment return, as well as those who can help with the evidence supporting the assertions in the return – should be identified and put in contact with the assurance provider. At this meeting, or immediately afterwards, the provider should be sent the details necessary to log onto the WebCAF portal to access the return as well as the collection of evidence supporting the self-assessment.

We recommend that the assessor prepares an operational terms of reference document for the review that covers how the review will be managed, timelines and key contacts, and that this document is agreed between the organisation and the provider.

3. Assessment and analysis

Once dates have been agreed for the commencement of the review, the review can begin. Assessors are advised to follow a similar process to that of the organisation. This is usually approached in the following way:

Initial high-level desk-based review

The assessor will typically perform an initial high-level assessment of the self-assessment submission. Consideration will be given to the following:

Detailed IGP assessment in support of contributing outcomes

Following an initial high-level review, the assessor will take an in-depth view of contributing outcomes, their assessed state compared to the target CAF profile and the supporting IGPs. Consideration will be given to the following:

Question and query resolution

The general approach is that the assessor will collate their initial comments and queries and then work through these in dedicated workshops, generally on a ‘per Objective’ basis. You should work in a way that suits you whilst not introducing delays. Some providers may prefer to provide a list of questions and queries back to the organisation for response from the appropriate technical contacts; this may make more efficient use of time. We recommend not running repeated loops around this process, as this may delay the work. It is better to have a single, focused ‘Request for comment’ round.


Working with the organisation lead, the independent assessor will schedule a series of workshops covering objectives A – D. The size of Objective B might mean that it needs to be assessed over more than one workshop session. The workshops may cover the following:

Development of a list of control gaps / observations

Summarise the findings of any control gaps at a CO level, providing an overall achievement level and justification for this (especially if it differs from the original level). There should be an understanding of the IGPs leading to the contributing outcome not achieving its target CAF profile.

4. Reviewing and communicating results

The arbitration process is required if the workshops and reviews identify conflicting views that the department and the assurance organisation cannot resolve. In the first instance, the areas of dissent should be identified in a single list and a separate workshop arranged to focus on their resolution. This should include the senior stakeholder from the department. Similarly, any final lists of observations and recommendations should be reviewed and agreed between the organisation and the provider to allow the Independent Assurance Review Report (IARR) to be produced.

If there are still remaining unresolved points following this workshop, they can be escalated to the Cabinet Office team within the Government Security Group (GSG).

GovAssure WebCAF External Assessment System Report

The assessor is expected to document their results in WebCAF, but they may want to support working through the assurance review with the auto-generated report, which contains outputs from an organisation’s self-assessment, including the assessor’s assessment of an individual system. This will be available to the organisation and the assessor following the completion of the Stage 4 independent assurance review and will provide a full ‘download’ report covering assessors’ comments across the CAF on a system-by-system basis.

The report provides the following:

This auto-generated report will be used by assessors to generate the Independent Assurance Review Report (IARR) which will be shared with organisations. The data and graphs produced in this report should be used by assessors in the IARR.

Next Steps

By the end of Stage Four, organisations will have agreed a list of observations with the independent assurance provider. This will be developed into the Independent Assurance Review Report (IARR) as part of the final assessment feeding into the Targeted Improvement Plan (TIP), to be delivered as part of Stage Five.