Stage 1: Define your organisation’s context and services
Stage 1 of GovAssure focuses on capturing and defining an overall view of your organisation’s mission, context, and essential services.
For both stage 1 and stage 2 of GovAssure, you will record your information in a scoping document. Download the template from documents and downloads.
Knowing the operating context of your organisation and the ways that your data might attract cyber criminals allows you to understand the sophistication of attackers and their motives for targeting you.
This knowledge can help your organisation to put better protection and risk-based controls in place as well as minimise the impact of cyber security incidents.
Stage 1 of GovAssure helps you to:
- take a broader look at your organisation and its operating environment
- review your current approach to cyber risk management
- understand how a cyber attack could impact your organisation’s ability to deliver essential services
Before you start
It is important that you talk to the right people in your organisation to get the information you need so that you can record your essential services accurately.
For example, this might be the teams that are responsible for setting out your organisation’s primary risks, such as chief risk officers or business continuity teams.
When you talk to these people, it is important that you make sure they understand the process so they can provide what you need. If you would like support to engage individuals within your organisation on GovAssure, please contact your GDS cyber advisor.
To complete stages 1 and 2, you should ask to see any existing information that records what is necessary to maintain your organisation’s essential services and functions in the event of disruption. This could be outcome delivery plans, business continuity strategies, processes and procedures.
How the scoping document is used
Your organisation’s scoping document is a core document in the GovAssure process. Your organisation owns the scoping document and you are responsible for making sure it is completed accurately.
Once the scoping document is completed it will:
- set out the scope of your GovAssure review
- help the GovAssure team to understand what is critical to your organisation
- allow third party reviewers at stage 4 to understand your organisation, its context and cyber risk appetite
Note: You will need to include evidence-based justifications of the scope of the systems and services you include in your assessment.
The scoping document is divided into 2 parts which correspond to stage 1 and stage 2 of the GovAssure process. These are:
- Organisational context and essential services.
- All critical systems that support your organisation’s essential services, the systems that are being assessed in the current year and the Government CAF profiles you have assigned to them.
Completing the scoping document
Stage 1 requires you to record the organisation context and essential services in the scoping document. This has 2 parts:
- part A – describe your organisation’s context and mission
- part B – identify and define your organisation’s essential services
Record your organisation’s context and mission
This section of your scoping document encourages your organisation to think about and record the following:
- Mission: What is the organisation trying to achieve? How does it support the delivery of government services?
- Objectives: What are the objectives to deliver that mission?
- Priorities: What are the organisation’s top priorities?
- Threat landscape: Who may seek to target the organisation? Why? What could go wrong if they were successful?
- Cyber risk appetite: What is the cyber risk appetite for the organisation? How is the cyber risk appetite documented?
When you have recorded all of this information, you will move on to part B, where you identify your organisation’s essential services.
Identify and define your organisation’s essential services
Knowing your organisation’s essential services is crucial for business continuity planning, risk management, emergency response and ensuring operational efficiency.
GovAssure asks you to document the essential services of your organisation to make sure that the most important underlying systems and processes are assessed.
Categorising essential services
Essential services are categorised in the following ways:
Critical National Infrastructure (CNI)
CNI services are ones that the UK public relies on daily or on a near daily basis. These are defined in the National Protective Security Authority’s CNI guidance.
Operator of essential services (OES)
If your organisation is an OES under the NIS Regulations 2018, your services are automatically considered essential. Examples of sectors classed as essential include:
- energy
- transport
- health
- water
- digital infrastructure
Services fundamental to organisational outputs and mission
This describes services that must be delivered and without which the organisation would not be able to operate. For example, government policy development, regulation, ministerial briefings, analysis and advice.
Get help to identify your essential services
We have created a 5 Lens Model to support you to identify your organisation’s essential services and the underpinning critical systems. The model is a mapping exercise using an example of a fictitious government department. The work you need to do for this stage is supported by lenses 1 and 2. Download the 5 Lens Model.
Next steps
When you have completed stage 1 of GovAssure in your scoping document, you will have developed an understanding of your organisation’s context and documented the essential services.
You can now use the scoping document to complete stage 2 of GovAssure. In this stage you will identify which critical systems are in-scope for your GovAssure review and which Government CAF profile to use.