GovAssure detailed contributing outcome summary guidance
Specific guidance on how to write a summary for each contributing outcome in NCSC's Cyber Assessment Framework (CAF).
Please note: the content on this page is currently being updated. Guidance will be available for all 39 contributing outcomes soon.
You will need to write a summary of up to 1,500 words for every contributing outcome.
At stage 4, your reviewer will use the summary to understand how your IGP responses and evidence support your contributing outcome status.
Make your summary clear and evidence-based. This will help your reviewer to confirm your compliance without needing to ask for clarification. It will also help them to make a decision if they are considering downgrading or upgrading your contributing outcome status.
In your contributing outcome summary, you should:
- Be specific to your organisational context.
- Confirm the processes and controls in place.
- Explain how processes and controls are managed and who is responsible.
- Explain how often your organisation reviews processes.
- Describe how key controls and processes support the contributing outcome.
- Explain how you implement these controls.
- Include references to your supporting evidence.
- Make sure that you reference your responses to IGPs, including where you have commented on alternative controls or exemptions.
- Include any gaps or limitations that your organisation faces with cyber security measures.
Note: It is important that you write a summary even if your status is ‘not achieved’. This will allow the reviewer to provide more targeted recommendations in their final report.
CAF Objective A – Managing security risk
“You have effective organisational security management led at board level and articulated clearly in corresponding policies.”
Cyber resilience starts at the top. Organisations must ensure that their board or executive leadership actively directs and oversees cyber security strategy. This includes setting priorities, allocating resources, and embedding cyber risk into decision-making. Strong board direction is essential to building a culture of accountability and ensuring that cyber security supports the organisation’s mission.
The board should:
- set clear expectations for cyber security outcomes
- ensure cyber risks are considered in strategic planning and decision-making
- allocate appropriate resources to manage cyber risks
- receive regular updates on cyber posture and incidents
- champion a culture of cyber awareness and accountability
Board-level engagement is critical to embedding cyber resilience into the organisation’s core operations.
What reviewers are looking for
Where possible, your contributing outcome summary should demonstrate that:
- the board has formally endorsed cyber security objectives and priorities
- cyber risk is integrated into strategic planning and governance
- the board receives regular, structured reporting on cyber posture and incidents
- there is a clear link between board decisions and cyber security resource allocation
- board members are informed and engaged in cyber risk discussions
- cyber security responsibilities are clearly defined at the leadership level
- board members have access to cyber expertise or training
What to include in your contributing outcome summary
What you include will vary depending on your system and organisational context. You should consider the following, where applicable.
- explain how the board sets and reviews cyber security objectives
- reference evidence of cyber security being discussed at board level (e.g. meeting minutes, agenda items)
- describe how cyber risk is integrated into strategic decision-making
- describe the frequency and format of cyber reporting to the board
- explain how board decisions influence cyber security investment and priorities
- describe any training or awareness provided to board members on cyber issues
- outline relevant governance structures that support board oversight of cyber risk
“Your organisation has established roles and responsibilities for the security of network and information systems at all levels, with clear and well-understood channels for communicating and escalating risks.”
Clear roles and responsibilities are essential for strong governance and resilience. Organisations should define and document security roles, and communicate them clearly and regularly. They should ensure everyone understands responsibilities and risk escalation paths, and review and update roles periodically to maintain clarity and accountability. Processes should be aligned with external partners and suppliers.
Organisations should:
- define roles for senior leadership, operational teams, and third parties
- document responsibilities for security tasks such as risk management, incident response, and compliance
- communicate effectively through policies, training, and organisational charts
- establish escalation routes for reporting security concerns
- integrate suppliers by embedding responsibilities in contracts and service agreements
What reviewers are looking for
Where possible, your contributing outcome summary and evidence should demonstrate that:
- you have a clear role matrix mapping responsibilities across the organisation
- you document responsibilities in policies, job descriptions, and SLAs
- there are well-defined and understood escalation channels that are operational
- you communicate roles and responsibilities across the organisation and have appropriate training in place
- suppliers are aligned with contractual obligations and you monitor this
What to include in your contributing outcome summary
What you include will vary depending on your system and organisational context. You should consider the following, where applicable.
- describe how roles are assigned, communicated, and reviewed
- describe the frequency and process for reviewing and updating roles and responsibilities
- reference evidence in the form of a summary table showing roles, responsibilities, and escalation paths
- describe relevant training and awareness activities
- include details of supplier integration and contractual responsibilities
“You have senior-level accountability for the security of network and information systems, and delegate decision-making authority appropriately and effectively. Risks to network and information systems related to the operation of the essential function(s) are considered in the context of other organisational risks.”
Cyber decisions must be informed, accountable, and aligned with organisational priorities, particularly where they affect essential functions. Organisations should ensure that decision-making processes are clear, supported by accurate information, and involve the right people. Strong governance around cyber decisions enhances resilience, reduces risk, and supports strategic outcomes.
Effective cyber decision-making requires:
- clear governance structures that support informed and timely decisions
- defined processes for escalating and approving cyber-related decisions
- access to accurate and timely risk, threat, and operational information
- involvement of appropriate stakeholders, including technical experts and business leaders
- documentation of decisions and rationale to support accountability and learning
- integration of cyber decision-making into broader organisational risk and strategic planning
Decisions should be made in a way that balances security, operational needs, and business risk appetite.
What reviewers are looking for
Where possible, your contributing outcome summary and evidence should demonstrate that:
- your organisation establishes governance frameworks that define how cyber decisions are made and by whom
- you ensure that decision-makers have access to relevant risk, threat, and performance data
- risk and threat information is used to inform decisions
- decisions affecting essential functions are escalated and reviewed appropriately
- you involve cross-functional stakeholders in cyber decision-making processes
- you document decisions thoroughly, including rationale, risks considered, and expected outcomes
- cyber decisions are integrated into wider organisational governance and planning
- you review decision-making processes regularly to ensure they remain effective and responsive
- you ensure cyber decisions are aligned with organisational strategy and risk appetite
What to include in your contributing outcome summary
What you include will vary depending on your system and organisational context. You should consider the following, where applicable.
- describe how cyber decisions are made, escalated, and approved
- explain who is involved in decision-making and the governance structures that support this
- describe the information used to inform decisions (e.g. risk assessments, threat intelligence)
- explain how decisions are documented and reviewed
- describe how cyber decision-making aligns with organisational strategy and risk management
- share any recent examples of decisions affecting essential functions and how they were handled
- explain how decision-making processes are evaluated and improved
“Your organisation has effective internal processes for managing risks to the security of network and information systems related to the operation of essential functions and communicating associated activities.”
What reviewers are looking for
Where possible, your contributing outcome summary should demonstrate that:
- risk assessments are informed by an understanding of the vulnerabilities to the essential function
- the output from the security risk management (SRM) process is a clear set of security requirements that will address the identified risks
- key security decision-makers and accountable individuals are informed of significant conclusions drawn from the output of risk assessment activity
- there is a clear shared understanding of what triggers initiation of a risk assessment
- appropriate threat analysis activity is conducted
What to include in your contributing outcome summary
What you include will vary depending on your system and organisational context. You should consider the following, where applicable.
- Policy, standards and processes
  - outline your risk management policy, standards and processes
  - explain how these are communicated to the organisation
  - describe any reviews undertaken and their frequency
- Governance
  - outline how security risk is communicated to stakeholders at board level
  - demonstrate that risk owners are identified and are accountable for ownership of security risks within their area of responsibility
  - outline the criteria for escalation of risk reporting and the relevant processes
  - explain how staff are made aware of their responsibilities around security risk and outline any training provided
- Risk assessment
  - describe what triggers a risk assessment to be conducted by the organisation
  - explain how security risk subject matter experts (SMEs) are involved in risk assessment activity
  - outline the risk management documentation for the essential function
  - explain how third-party suppliers are captured in the security risk management process
- Vulnerabilities
  - explain how vulnerabilities affecting the essential function are identified and used in the risk assessment process
  - describe how security SMEs are engaged to identify these vulnerabilities
- Threat analysis
  - describe how the organisation uses threat intelligence to inform risk assessments
  - outline the sources used to identify threats to the essential function
- Mitigation
  - describe how mitigation plans are agreed and prioritised with input from security subject matter experts
  - describe how mitigating controls are tested for effectiveness and re-assessed should they be considered ineffective
Content coming soon.
CAF Objective B – Protecting against cyber attacks
Content coming soon.
CAF Objective C – Detecting cyber security events
Content coming soon.
CAF Objective D – Minimising the impact of cyber security incidents
Content coming soon.