Create your improvement and implementation plan
Use the feedback on your CAF for local government assessment to plan your next steps and improve your cyber resilience.
You are ready to start your improvement and implementation plan when you have:
- received the assurance report from your independent assurer
- reviewed the assurance report with your CAF team
About your improvement and implementation plan
Your assurance report will provide feedback highlighting where you should prioritise your efforts.
You will also receive an improvement and implementation plan with relevant sections completed by the assurer. They will give recommendations for each contributing outcome that needs action.
Use this information to complete your plan, prioritise which recommendations you will implement, and know who to involve and when to schedule work.
How to use your plan
The plan you make to address the issues identified throughout the CAF process is how you build your cyber resilience. This is where your organisation will see real improvement.
Your plan is a tool to:
- highlight significant security gaps to senior decision-makers
- align improvements with your existing plans or strategies
- effectively plan time and resource
- plan potential costs
- measure progress
- share next steps with your wider council
What creating your plan involves
- Review the assurance report from your assurer
- Work with your colleagues to draft an improvement and implementation plan
- Share your plan with your assurer for feedback
- Attend an improvement and implementation session arranged by your assurer
- Share the amended plan with your internal quality assurer
- Finalise the plan and share it with your quality assurer and approver for sign-off
- Submit the finalised assurance report and improvement and implementation plan to MHCLG
Once you have finalised the assurance report, we recommend you create an executive presentation to share with your senior leadership and management team.
How to complete your plan
Review assurance report and recommendations
Before you complete your plan, review the feedback from your assurance report. The report provides an external perspective on where your council should focus its efforts.
You might want to include your CAF lead, key collaborators and service owners in this review meeting.
As part of the assurance report, the assurer will provide a draft improvement and implementation plan. For each contributing outcome, the assurer will provide:
- recommended actions you could take to meet the outcome
- the risk level associated with the recommendation
- a description of the risk and what it could mean for your council
- the control types associated with the recommendation – for example, people or process
Use this information to prioritise which recommendations to implement when completing the plan.
Complete your draft plan
After you have reviewed the assurer’s recommendations and any associated risks, complete the plan by providing the following for each recommendation:
- who will be responsible for implementing it
- cost, effort and complexity of implementing it
- how you have justified the implementation
- how you have prioritised it
- when work to address the recommendation can be scheduled
How long it takes to implement a recommendation will depend on complexity and cost, with improvements happening in the near term, mid term and long term. We suggest breaking this work down into quarters.
When completing the plan, consider:
- the time and capacity to implement recommendations and address risks
- who might need to be involved, including who needs to sign off budget
- available resource
- organisational dependencies
- if implementing a recommendation will address more than one outcome
- if implementing a recommendation might be a larger piece of work that requires a separate workstream
Share your draft plan for feedback
Share your draft plan with your assurer. They will give feedback and arrange a session to discuss your plan with you.
You can then use this feedback to adjust the plan before sharing it with your CAF quality assurer.
Finalise and share your plan
- Share your assurance report and finalised plan with your internal CAF quality assurer
- Make any changes based on feedback from the quality assurer
- Get final sign-off from your CAF approver
Do not send your improvement and implementation plan by email. Find out how to share documents with your assurer securely.
Submit your assurance report and improvement and implementation plan to MHCLG
When you have finalised your assurance report and improvement and implementation plan, your assurer will confirm that you can submit it to MHCLG.
Find out how to submit documents to MHCLG.
Create an executive presentation