Skip to main content

Beta What do you think of this service? Your feedback will help us to improve it.

  5. Supporting arm’s length bodies

Author: AnnaB

Last updated: 2025-11-26

Supporting arm’s length bodies

Information for Lead Government Departments with arm's length bodies going through GovAssure.

As a Lead Government Department (LGD), you are responsible for overseeing the progress of your arm’s length bodies (ALBs) through GovAssure

In your role as the Lead Government Department, you will: 

  • decide which of your arm’s length bodies are in scope for each year of GovAssure
  • act as the point of contact for your ALBs throughout the process
  • support your ALBs through the five stages of GovAssure
  • share relevant information about the progress of your ALBs with the Government Digital Service (GDS)

The only exception to this arrangement is where an arm’s length body is putting government-sector CNI through GovAssure. In this case, the ALB will have direct engagement with GDS through an allocated cyber advisor. 

This guide provides an overview of the five stages of GovAssure and how you should support your ALBs through the process. The guide can be used flexibly and should be adapted to suit your approach to supporting your ALBs to meet the reporting timelines for the year. 

If you have any questions or need support, please contact the GDS GovAssure team at cybergovassure@cabinetoffice.gov.uk.

*Please note – the GovAssure 2025-26 guidance and documentation for stages 4-5 is currently under review. This guide will be updated to reflect any changes.

Preparing for GovAssure

Before the start of a new GovAssure year, GDS will get in touch with you to find out which of your arm’s length bodies (ALBs) will be going through GovAssure. You should make this decision following discussion with your ALBs, based on:

  • your knowledge of your ALB landscape
  • the criticality of your ALBs’ services and systems
  • which ALBs have been through GovAssure in previous years

When you have decided which of your ALBs are in scope for the current year of GovAssure, you should discuss with them the type of stage 4 review they will have. This could be: 

  • an independent assurance review
  • a peer review conducted by the Lead Government Department (you), or
  • a peer review conducted by another arm’s length body

Your GDS cyber advisor will discuss this with you. 

If any of your ALBs will be undergoing an independent assurance review at stage 4, you will need to make sure that they are engaged with their commercial team and able to start the procurement process to obtain an accredited independent assessor in time to meet the reporting deadlines.

For guidance on obtaining an accredited independent assessor, ALBs should visit Crown Commercial Services GovAssure guidance.

Please note – from 2026-27, independent assessors must be members of NCSC’s Cyber Resilience Audit scheme

Stage 1

Stage 1 is the start of the scoping exercise. At this stage the arm’s length body (ALB) will begin completing the scoping document and detail the organisation’s objectives and the context in which it operates. They will also identify all of the essential services the organisation is responsible for.

At the start of the new GovAssure year, you should meet with each ALB and:

  • Agree who their GovAssure organisation lead will be. This person will own and coordinate GovAssure, acting as your main point of contact.
  • Confirm the ALB’s organisation lead for WebCAF. In most cases, this will be the same as the overall GovAssure organisation lead. 
  • Share the GovAssure guidance and scoping document template with the ALB.
  • Confirm the type of stage 4 review the ALB will have:
    • independent assurance review
    • peer review by the Lead Government Department (you), or
    • peer review by another arm’s length body
  • Agree a timetable to meet with the ALB to support them as they complete the scoping document. We recommend a check-in meeting every two weeks to keep track of progress and to address any questions. 

Following the meeting, you should:

  • Keep in touch with the ALB about how their scoping document is progressing. 
  • Review the ALB’s progress completing stage 1 of the scoping document and share feedback with them at your check-in meetings throughout stage 1.  

Note: when reviewing the scoping document, ensure that all questions under stage 1, parts A and B are answered in full, and all requested information is provided.

Stage 2

In stage 2 the ALB will continue to use the scoping document to identify which critical systems their essential services rely on. They will also decide the number of systems they want to assess during the current year. 

During this stage you will support the ALB to define the scope of each system that is being assessed and to decide which Government CAF profile (baseline or enhanced) to assign to each system.

During stage 2, you should: 

  • Continue to meet regularly with each ALB to support the scoping process. 
  • Review the ALB’s progress completing stage 2 of the scoping document and share feedback with them at your check-in meetings.  

Note: when reviewing the scoping document, ensure that all questions under stage 2, parts A and B are answered in full, and all requested information is provided.

  • Discuss and agree with the ALB which Government CAF profile to assign to each in-scope system. 
  • Once all your feedback has been addressed, conduct a final review of the completed scoping document and sign it off. 
  • Share the completed scoping document with your GDS cyber advisor. 

GDS will: 

  • Conduct a separate review and sign-off of any scoping documents where the enhanced profile has been assigned. 

Note: all systems assigned the enhanced profile must undergo an independent assurance review in stage 4.

  • Add the ALB’s systems and organisation lead user to WebCAF and let you know when this has been done. 

Stage 3

At stage 3, the ALB will complete a WebCAF self-assessment for the systems they are putting through GovAssure in the current year.

You should continue to meet with your ALBs throughout stage 3 as they progress with the self-assessment. We recommend around 2-3 meetings, though this may vary depending on each ALB’s circumstances. 

When your GDS cyber advisor has confirmed the ALB’s in-scope systems have been added to WebCAF, you should arrange a meeting with the ALB to:

  • Let them know that they can progress to stage 3. 
  • Share the GovAssure self-assessment and evidence collation template with them. 
  • Ask them to log into WebCAF and start a new assessment for each system. 
  • Ask them to add additional users for their organisation into WebCAF. 
  • Ask them to you as a user on WebCAF for their assessments to enable you to track their progress. 
  • Remind them to refer to the stage 3 guidance throughout the self-assessment period.
  • Confirm the timeline and deadline for stage 3 and arrange a schedule for meetings throughout the self-assessment period. 

Stage 4

During stage 4, a third-party reviewer will verify the content of the ALB’s self-assessment.

*Please note – the GovAssure 2025-26 guidance and documentation for stage 4 is currently under review. This guide will be updated ahead of the start of stage 4.

You will have previously decided which type of stage 4 review the ALB’s self-assessment will have. This could be:

  • an independent assurance review
  • a peer review by the Lead Government Department (you), or
  • a peer review by another arm’s length body

Independent assurance review

If an independent assessor will be carrying out the stage 4 review, you should: 

  • Ensure your ALB’s CAF self-assessment is completed and ready for review.
  • Ensure your ALB requests WebCAF access for the assessor(s) by sending over their name, email and company name to webcaf@cabinetoffice.gov.uk.
  • Ensure your ALB has assigned the assessor(s) to each assessment on WebCAF. 
  • Ensure your ALB has shared evidence with the assessor(s) to support the independent review.
  • Make sure your ALB submits the independent assessment on WebCAF once it has been completed.

Peer review by the Lead Government Department

If your department will be carrying out the peer review, you should:

  • Allocate an appropriate person within your organisation to conduct the peer review. 
  • Share the peer review guidance with the ALB and ensure the peer reviewer follows this. 
  • Keep in regular contact with the ALB throughout the process. 
  • Let your GDS cyber advisor know when you have completed your review on WebCAF. 

Peer review by another arm’s length body

If another arm’s length body will be carrying out the self assessment, you should: 

  • Introduce the peer reviewer to the ALB being reviewed. 
  • Share the peer review guidance with both ALBs. 
  • Keep in touch with both parties throughout the stage 4 period to monitor progress. 
  • Let your GDS cyber advisor know when the peer review has been completed on WebCAF. 

Stage 5

In the final step of the GovAssure process, arm’s length bodies will use the outcomes of their stage 4 assessment to develop a targeted improvement plan.

*Please note – the GovAssure 2025-26 guidance and documentation for stage 5 is currently under review. This guide will be updated ahead of the start of stage 5.

During stage 5, you should:

  • Review the outcomes of stage 4. Depending on the type of review the ALB had, this may involve reading the independent assessment review report, reading the peer review report and/or reviewing outcomes on WebCAF. 
  • Arrange a meeting with the ALB to discuss their GovAssure outcomes and develop a targeted improvement plan. 
  • Review and sign off the ALB’s targeted improvement plan.
  • Share the final targeted improvement plan with GDS. 

Sign up to UK Government Security

Subscribe to our newsletters to receive notifications when changes to strategy, policy, standards, and guidance are published on the website.

Sign up now