Skip to main content

Beta What do you think of this service? Your feedback will help us to improve it.

  5. Making architecture scoping decisions

Author: Local Digital

Last updated: 2025-05-07

Making architecture scoping decisions

What your CAF for local government team should consider when finalising your architecture mapping workbook and architecture diagram(s).

Decide what is in scope

Include system and service owners in the process

Their input will be invaluable when identifying and agreeing system boundaries.

They will need to contribute to documenting your council’s approach and justification for identifying system boundaries.

Identify component breakdown, dependencies and boundaries

It is important that the full details of the core network and critical system have been identified and documented.

This includes all critical system interfaces and dependencies.

Once you have defined your component breakdown, dependencies and system boundaries and your council understands what the critical system is made up of, then you can decide what is in scope.

Determine cloud service responsibility

Your council is always responsible for ensuring controls are implemented, but some controls may be implemented by your cloud service provider.

Who implements which control depends on your cloud service and agreed shared responsibility model.

Scoping must be justified

If you declare something out of scope, you must explain exactly what is out of scope as well as justification for excluding it.

Consider what impact this might have on the value of your assessment.

There is space to include your rationale for excluding something in the ‘System boundaries’ tab of your workbook.

Understand your chosen scope

It is important that your council’s choices around scope are understood and documented.

If you remove something from a system’s scope, you must consider what effect this might have on the assessment of any other critical system in scope for your CAF. For example, shared functions that underpin several systems.

If certain architecture components are not considered in scope, then your CAF assessment and assurance will not typically cover it.

Systems that could be out of scope

Architecture mapping is where you set the boundaries for your CAF self-assessment. There are some reasons why your council may exclude a system from your architecture scope.

Additional integrated systems

These could be financial or corporate systems that are integrated so they can access data from the critical system, but they are not required for the critical system to function.

Systems managed by business partners (for example, NHS, schools, leisure centres)

These could be systems that connect to the council that you have no management control over, but your council administers access to.

Cloud-based (SaaS, PaaS) or commercial (third-party) applications

First, attempt to gain the information required to support your CAF assessment from a third party. If they do not comply, your council may consider excluding them from your CAF assessment.

Make sure you document the security implications of any cloud or commercial (third-party) applications you exclude.

The backend infrastructure of popular cloud-based applications will not be known, so specific areas of a system may be excluded. Include this justification for your assurer.

Create an architecture map: step by step

Contact the CAF for local government team

Email us to ask a question or share feedback.

Sign up to UK Government Security

Subscribe to our newsletters to receive notifications when changes to strategy, policy, standards, and guidance are published on the website.

Sign up now