Author: Government Cyber Unit (DSIT)

Last updated: 20 February 2026

Stage 4: Have a Peer Review

The guidance on this page is for organisations having a Peer Review of their WebCAF self-assessment.

If you are an organisation having an Independent Assurance Review, see Stage 4: Have an Independent Assurance Review.  

If you are a Peer Reviewer, see Stage 4: Complete a Peer Review using WebCAF.

The objectives of the Peer Review are to: 

  1. Assess your organisation’s current levels of cyber resilience against the Baseline CAF profile.
  2. Evaluate your organisation’s cyber risk management practices.
  3. Determine the effectiveness of your organisation’s cyber security controls.
  4. Provide your organisation with a report including actionable recommendations.

Working with your reviewer

You should discuss how you will work together with your reviewer. 

At the start of the Stage 4 process, you should give your reviewer: 

  • your completed scoping document
  • an export of your WebCAF self-assessment 
  • supporting evidence for each contributing outcome
  • a WebCAF user account to access your WebCAF self-assessment

As an alternative to an export of your self-assessment from WebCAF, you may share a completed GovAssure self-assessment and evidence collation template. 

Providing access to evidence 

Your organisation is responsible for storing evidence securely and sharing this with the reviewer. You should discuss how you will do this early in the process. 

Your reviewer may need to ask for extra evidence to support their understanding of your organisation’s self-assessment responses. 

Providing access to WebCAF

You should create a WebCAF user account for each reviewer working on your Independent Assurance Review. WebCAF organisation leads can do this from the ‘Manage users’ section of WebCAF. You should select the user type ‘Peer reviewer’.

Ways of working 

You should start by holding an initial meeting with your reviewer to: 

  • confirm the scope of the Peer Review and any exclusions
  • agree on planned delivery timelines
  • agree the ways of working
  • confirm arrangements for reviewing organisational evidence 

Desk-based reviews of the self-assessment and evidence 

Peer Reviews will mostly be desk-based. Your reviewer will spend time reviewing the information your organisation has shared with them throughout the review period. 

Requesting more information

There may be times when your reviewer wants to ask you for more evidence or information. They might: 

  • ask you to share additional documents
  • meet with you to discuss gaps they have identified

The Peer Review process on WebCAF

You can read the Stage 4: Complete a Peer Review using WebCAF guidance to see how your reviewer will work on WebCAF. 

WebCAF organisation leads will have read-only access to reviews while the reviewer is working on WebCAF. 

Peer Review Report

When your reviewer has finished the review, they will generate an automated Peer Review Report from the WebCAF service. You can read this within the service or download a PDF copy.

You should discuss the report with your reviewer. If you agree on changes, your reviewer can update the report to a new version in WebCAF. 

When you have agreed on a version of the report, your reviewer will finalise this in WebCAF. 

If you work with a GovAssure cyber advisor, you should share a copy of your final report with them. If you are an arm’s length body, you should share it with your Lead Government Department.  
