How to complete a self-assessment workbook
What to consider when completing your CAF for local government self-assessment – from who to involve, to sharing with your assurer.
Before you start the self-assessment, read about what the self-assessment stage involves and how to download the workbooks.
1. Establish who needs to be involved
Your CAF lead should invite collaborators with relevant expertise to inform how your council is meeting the objectives, and to collate relevant evidence.
Organisational self-assessment
Collaborators for the organisational self-assessment might include:
- service leads
- risk managers
- procurement leads
- legal adviser
- business continuity managers
Your team should allow approximately 40 hours to complete the self-assessment of your organisation.
Critical systems self-assessment
Collaborators for the critical systems self-assessment might include:
- system mappers
- security operations centre (SOC) manager
- IT disaster recovery lead
- information governance lead
- business system owners
- policy lead
- human resources
Your team should allow approximately 60 hours to complete a self-assessment of one critical system.
How to collaborate with your team
Your CAF lead should:
- Brief your CAF collaborators to make sure they understand the CAF and what is expected of them
- Confirm which outcomes and indicators of good practice (IGPs) are appropriate for each collaborator to contribute towards
- Discuss the best way for your team to collaborate on the workbooks. This should be a collaborative exercise and your CAF lead should have oversight. You may want to:
  - work centrally on one spreadsheet
  - collate responses in smaller teams with regular check-ins
  - book in workshops to discuss or review responses
If you have decided to assess a commercial (third-party) service or system that is critical for your council, you will need to work with the supplier to complete the self-assessment.
We suggest arranging a meeting with your supplier to cover:
- what the CAF for local government involves
- how to approach the self-assessment collaboratively
- how to gather and share evidence securely
We would like to hear about your experience of working with suppliers to complete your self-assessment. Email caf@localdigital.gov.uk to share your feedback.
2. Review indicators of good practice (IGPs)
To complete your self-assessments, your CAF team needs to assess and document whether, and how, your council meets each contributing outcome.
To understand whether your council has achieved, not achieved, or partially achieved an outcome, you should work through the set of indicators of good practice (IGPs) associated with each outcome.
It is useful to start with the ‘Achieved’ IGPs for each outcome and ask:
- Does this statement apply to your council?
- To what extent do you meet this IGP?
- Are there any alternative controls in place for meeting this IGP?
- Do you have evidence that you can reference to show how you are meeting this IGP?
Find out how to use the indicators of good practice (IGPs).
3. Gather evidence to support your self-assessment
As you complete your self-assessment, it is useful to gather evidence that demonstrates how your council is meeting the contributing outcomes. You can reference this evidence when looking through your IGPs.
Collate and organise your evidence as you go, so that you:
- have evidence to reference as you are completing your workbook
- have time to gather evidence from different teams across your council
- maintain evidence that can be reviewed for future cyber assessments
Find out how to gather good evidence for your self-assessment.
When assessing more than one critical system, you should consider each system individually. This will give you a more detailed understanding of your cyber resilience.
There may be times when you believe an IGP covers policy, processes or procedures that apply to multiple critical systems. In these cases, the same evidence could be used for each critical system.
Where you are using specific technical controls for a system, you likely need to provide different evidence for each critical system you are assessing.
Example: evidence is valid for each critical system
IGPs for B2.a – Identity Verification, Authentication and Authorisation refer to a ‘process of initial identity verification’. This could be achieved by a new starter presenting a physical passport to the IT manager to prove their identity. The IT team would then grant them access to the required systems.
Example: different evidence is needed for each critical system
An IGP for B2.a refers to using ‘additional authentication mechanisms, such as multi-factor (MFA)’. What these additional authentication mechanisms are, and how they are used, is likely to differ across different types of systems and applications. For example, cloud-based systems may use a different authentication method to systems that are owned and managed by the council.
4. Summarise your response for each IGP
Once you have reviewed each IGP and discussed what evidence your council has, add a short explanation outlining how your council is meeting each IGP.
This helps your independent assurer understand how you have interpreted an IGP in the context of your council.
In your summary, you might include:
- why you have a process in place
- how often your council reviews or updates this
- any dependencies with third parties
- what your supporting evidence demonstrates
Read more about what a good self-assessment looks like.
5. Self-assess against each contributing outcome
Once you have collectively reviewed and collated your evidence, record your assessment of your council against each contributing outcome.
You and your collaborators should use your expert judgement and knowledge of your council before deciding if you are achieving a contributing outcome or not.
Understanding which IGPs you meet will provide you with a good starting point for deciding if you have achieved a contributing outcome or not. However, there can be more than one way to meet a contributing outcome.
You should also consider if there are any alternative controls, factors or circumstances that change your assessment. If this is the case, you should make sure you explain this in your supporting commentary.
Meeting the CAF for local government profile
The CAF for local government provides councils with a baseline to work towards. We understand you might not meet this right away, but by completing a CAF self-assessment you will identify what improvements you can make to achieve it in the future.
The value of the CAF is in understanding your council’s current position, its exposure to cyber risk and how the position can be improved over time.
6. Prepare your self-assessment for assurance
Check you have provided relevant context
The Cyber Assessment Framework (CAF) for local government is designed to be flexible, so you can tailor it to the needs of your council. It is important you share information about your decision process with your assurer.
Your assurer needs to know:
- how your organisation has interpreted the CAF
- how and why you have concluded you meet the CAF outcomes
- what has influenced your organisation’s decisions
- the scope of the work
Sharing these details with your assurer helps them build a picture of your council. Once they understand the risk to the council, they can review if your current cyber resilience is sufficient.
Your CAF self-assessment workbook should include a short summary outlining how your organisation or critical systems:
- meets the contributing outcome
- meets the indicator of good practice
To do this, consider:
- how you implement an activity or policy
- how often you review and update these
- details of any constraints or issues unique to your council
- references to evidence that demonstrates how you meet the indicators of good practice
- reasons why an indicator of good practice might not apply to your council
7. Check your self-assessment for quality and accuracy
Your quality assurer and approver will need to review your self-assessment workbooks before they are shared with your independent assurer for review.
Your quality assurer should consider if:
- this accurately reflects your council
- your evidence is relevant and up to date
- this gives enough organisational context to an external reviewer
- your evidence is accessible to an external reviewer
- any internal feedback has been addressed
Once your quality assurer has reviewed your workbook, you need to get sign-off from your approver.
8. Finalise and share your self-assessment with the independent assurer
This stage is complete when:
- the workbook is reviewed and signed off by your quality assurer and approver
- evidence is recorded in the evidence tracker
- the workbook and evidence are securely stored and your independent assurer can access them
You will then email your assurer to let them know that the self-assessment is ready for review.
You cannot resubmit your self-assessment to the independent assurer.
Find out more about independent assurance.