Stage 4: Complete an Independent Assurance Review using WebCAF
The guidance on this page is for reviewers conducting an Independent Assurance Review (IAR) on an organisation’s WebCAF self-assessment.
If you are an organisation having an Independent Assurance Review, see Stage 4: Have an Independent Assurance Review.
During stage 4, you will carry out an Independent Assurance Review to assess an organisation’s cyber resilience and verify the accuracy of their WebCAF self-assessment.
GovAssure assesses critical government systems against the NCSC’s Cyber Assessment Framework (CAF).
Note: For assessments in 2025-26, GovAssure is using CAF version 3.2. Please be aware that this is not the latest version published by NCSC.
The objectives of the Independent Assurance Review are to:
- Assess the organisation’s current levels of cyber resilience and progress towards achieving the target Government CAF profile.
- Evaluate the organisation’s cyber risk management practices.
- Determine the effectiveness of the organisation’s cyber security controls.
- Provide the organisation with a comprehensive report including actionable recommendations to address risks identified in the review.
You will work with the organisation to review their self-assessment and supporting evidence. You will use the digital service WebCAF to complete your review. When you have finished your review you can use WebCAF to generate an automated Independent Assurance Review Report (IARR).
An example of the Independent Assurance Review Report (IARR) will be available to download by 26 January 2026.
Preparing for your WebCAF review
Before you start your review, it is important to understand the stages of GovAssure. You should read the GovAssure guidance for stage 1, stage 2 and stage 3 to understand the approach the organisation has taken to scoping and self-assessment.
You should also read the GovAssure detailed contributing outcome summary guidance to prepare for your review.
Working with the organisation
You must agree how you will work together with the organisation throughout your review. You should take a flexible approach that will allow the organisation to clarify parts of their self-assessment and provide evidence when necessary.
At the start of the stage 4 process, the organisation should give you:
- their completed scoping document
- an export of their WebCAF self-assessment
- supporting evidence for each contributing outcome
- a WebCAF user account to access their WebCAF self-assessment
The organisation’s scoping document sets out their context, threat, risk appetite and defensive posture. You must be familiar with this document because the organisation’s self-assessment responses are based on it.
As an alternative to an export of their self-assessment from WebCAF, the organisation may share a completed GovAssure self-assessment and evidence collation template.
Accessing evidence
Organisations are responsible for storing their own evidence securely and sharing this with you. You should discuss how you will access evidence with the organisation early in the process.
You should read and review all documents and make a note of any questions to raise with the organisation. You may need to ask for extra evidence to support your understanding of the organisation’s self-assessment responses.
Note: The organisation’s supporting evidence is not stored in or linked to from WebCAF.
Ways of working
There are a number of ways you might work with an organisation. You should start by holding an initial meeting with all stakeholders to:
- confirm the scope of the Independent Assurance Review and any exclusions
- agree on planned delivery timelines
- agree the ways of working, including setting out interview and workshop requirements
- confirm arrangements for reviewing organisational evidence, including access to corporate IT systems
Desk-based self-assessment and evidence reviews
Be prepared to spend time independently reviewing information the organisation has shared with you throughout the review period.
Workshops
Collaborating with the organisation in a workshop to look at their responses and evidence can help resolve anything that is unclear, needs more information or requires evidence. For example, you might hold a workshop on each CAF objective.
A group workshop can be useful if the organisation has provided conflicting information. Discussion can help to reach agreement on the accurate position of the organisation which can be captured in a record of decisions and reflected in your review.
Interviews
Interviews are an opportunity for you to speak directly to a subject matter expert or key stakeholder. For example, you might speak to an Information Technology Security Officer (ITSO) or the owner of a particular risk to discuss one or more specific contributing outcomes.
Technical demonstrations
You may want to see a demonstration in order to check that technical controls are in place. For example, an organisation may demonstrate the execution of regular vulnerability scans to show how it identifies and manages security weaknesses.
Completing your review on WebCAF
The organisation will create an account for you in the Review a WebCAF self-assessment service as an independent assurance reviewer.
When you log in you will be able to see a list of all systems allocated to you. Select ‘Review’ for the system you want to work on.
Session time-out
When you have logged into WebCAF to work on your review, you will be timed out after 90 minutes of inactivity to protect your security.
If you have already saved pages, these will be stored securely in WebCAF.
If you are timed out while working on a page, anything you have done on that page will not be stored and you will have to start it again.
Confirm the system details
Read through the system and review details and select ‘Confirm and return’. If you think there are any errors, you should contact the organisation. You can continue with the review while waiting for their response.
Review the self-assessment
Select the CAF objective and contributing outcome you would like to review. You can work through the objectives and contributing outcomes in any order.
The self-assessment outcome status is at the top of the contributing outcome page. It will show ‘achieved’, ‘not achieved’, or for some contributing outcomes, ‘partially achieved’. Check whether this meets the target CAF profile for the system and read through the organisation’s contributing outcome summary.
In the self-assessment, organisations must provide explanations for some selected IGPs within the contributing outcome summary.
You should refer to the GovAssure detailed contributing outcome summary guidance for more detail on what organisations are expected to do.
Note: By the time you complete your WebCAF review, you should have already read the organisation’s written responses and discussed any questions or evidence gaps.
Reviewing IGP statements
In their self-assessment, the organisation is asked to select an IGP statement if they believe it applies to their system or organisation.
Each IGP statement is titled and numbered, for example, ‘Achieved statement 1’. Underneath this, it will show:
- ‘Organisation selected’ which means the organisation selected the statement
- ‘Organisation did not select’ which means the organisation did not select the statement
When you have read each IGP statement you must select:
- ‘Yes’ if you believe the statement applies to the system or organisation
- ‘No’ if you believe the statement does not apply to the system or organisation
Note: You are not being asked to review the organisation’s response. You must read the IGP statement itself and select ‘Yes’ if your review finds that it applies, or ‘No’ if it does not, regardless of what the organisation selected.
To make your decision, you should consider:
- the organisation’s contributing outcome summary
- the organisation’s comments on alternative controls or exemptions, where this applies
- the supporting evidence you have seen
- your discussions with the organisation
There are 3 particular scenarios you should be aware of, and how you should respond to each.
- Organisation has commented on alternative controls or exemptions
In this scenario you should select ‘Yes’ to the IGP statement if you agree that the organisation has provided a reasonable justification and supporting evidence.
- You selected ‘Yes’ for an ‘achieved’ IGP that exceeds the expectations of a similar ‘partially achieved’ IGP
In this scenario you must also select ‘Yes’ for the ‘partially achieved’ IGP.
For example, if you select ‘Yes’ for an ‘achieved’ IGP that says the organisation ‘reviews a document regularly’, you must also select ‘Yes’ for the ‘partially achieved’ statement that says it ‘reviews a document occasionally’.
- Where ‘partially achieved’ statements are identical to ‘achieved’ statements
You should make the same selection for both statements.
Organisation comments for IGPs
There are times when an organisation will select an IGP statement that, taken literally, is not true of their system or organisation, but they believe this should not affect the overall contributing outcome status.
This may be because:
- they have alternative controls or exemptions in place
- the wording of the IGP statement does not apply to the system being assessed
Reviewer comments for IGPs
You only need to provide comments for IGPs in two situations.
- When the organisation has commented on an IGP
When this is the case, you will see comments from the organisation against an individual IGP. Organisations are advised to use this option sparingly. You should state whether you agree or disagree that the organisation has provided a reasonable justification and supporting evidence of alternative controls or exemptions. You must add the reasons for your decision.
- When your response to an IGP is different to the organisation’s response
If your response to an IGP disagrees with the organisation’s selection, you must explain why. You may need to refer to relevant evidence, or to gaps in the organisation’s cyber security measures for that IGP.
Your comments in both situations will be included in the Independent Assurance Review Report (IARR).
Reviewing the contributing outcome status
It is important that you use your expert judgement to select the most appropriate outcome status. You must take into account the context of the organisation and system, as well as any alternative controls the organisation has noted.
After you have reviewed each IGP statement, you must decide whether the contributing outcome is ‘achieved’, ‘not achieved’ or, if applicable, ‘partially achieved’.
Achieved status
In most cases, the contributing outcome status should be ‘achieved’ if you have selected ‘Yes’ for all the ‘achieved’ and ‘No’ for all of the ‘not achieved’ IGPs.
Partially achieved status
In most cases, the contributing outcome status should be ‘partially achieved’ if you have selected ‘Yes’ for all ‘partially achieved’ IGPs and selected ‘No’ for:
- one or more ‘achieved’ statement
- all ‘not achieved’ statements
Not achieved status
In most cases, the contributing outcome status should be ‘not achieved’ if you select ‘Yes’ for one or more ‘not achieved’ IGPs.
In most cases, the contributing outcome status should also be ‘not achieved’ if you have not selected ‘Yes’ for every ‘achieved’ IGP statement and, where the contributing outcome has them, have not selected ‘Yes’ for every ‘partially achieved’ IGP statement either.
Note: If the outcome status you select is different to the status descriptions above, you must clearly explain the reasons why in the contributing outcome comments.
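The status rules above, together with the 3 IGP scenarios described earlier, can be checked mechanically before you save a contributing outcome. The following is an added illustration of such a check; it is not part of WebCAF or GovAssure, and the OutcomeReview structure, the statement labels and the sample selections are assumptions made for the example.

```python
# Added illustration: encodes the 'in most cases' status rules and the three IGP
# scenarios from this guidance as a pre-submission consistency check. It is not
# part of WebCAF or GovAssure; the data structure and labels are assumptions.
from dataclasses import dataclass, field

ACHIEVED, PARTIAL, NOT_ACHIEVED = "achieved", "partially achieved", "not achieved"


@dataclass
class OutcomeReview:
    """Reviewer's selection per IGP statement, True for 'Yes' and False for 'No'."""
    achieved: dict[str, bool]
    partially_achieved: dict[str, bool]  # empty where the outcome has no partially achieved level
    not_achieved: dict[str, bool]
    # (achieved label, partially achieved label) where the achieved statement
    # exceeds the expectation of the partially achieved one (scenario 2)
    exceeds: list[tuple[str, str]] = field(default_factory=list)
    # pairs whose wording is identical at both levels (scenario 3)
    identical: list[tuple[str, str]] = field(default_factory=list)


def indicated_status(r: OutcomeReview) -> str:
    """Status the 'in most cases' rules point to, given the reviewer's selections."""
    if any(r.not_achieved.values()):
        return NOT_ACHIEVED
    if all(r.achieved.values()):
        return ACHIEVED
    if r.partially_achieved and all(r.partially_achieved.values()):
        return PARTIAL
    return NOT_ACHIEVED


def selection_issues(r: OutcomeReview) -> list[str]:
    """Selections that contradict scenarios 2 and 3 and need correcting before saving."""
    issues = []
    for a, p in r.exceeds:
        if r.achieved[a] and not r.partially_achieved[p]:
            issues.append(f"{a!r} is Yes, so {p!r} must also be Yes")
    for a, p in r.identical:
        if r.achieved[a] != r.partially_achieved[p]:
            issues.append(f"{a!r} and {p!r} are identical statements and need the same selection")
    return issues


def check_review(r: OutcomeReview, chosen_status: str) -> tuple[str, list[str]]:
    """Return (indicated status, problems) for the status the reviewer intends to choose."""
    issues = selection_issues(r)
    if chosen_status == PARTIAL and not r.partially_achieved:
        issues.append("this contributing outcome has no partially achieved level")
    expected = indicated_status(r)
    if chosen_status != expected:
        issues.append(
            f"chosen {chosen_status!r} but selections indicate {expected!r}: "
            "explain the reasons in the contributing outcome comments"
        )
    return expected, issues


# Constructed sample: one outcome with three achieved, two partially achieved and
# two not achieved statements; the reviewer answered No to one achieved statement.
SAMPLE = OutcomeReview(
    achieved={"Achieved statement 1": True, "Achieved statement 2": False, "Achieved statement 3": True},
    partially_achieved={"Partially achieved statement 1": True, "Partially achieved statement 2": True},
    not_achieved={"Not achieved statement 1": False, "Not achieved statement 2": False},
    exceeds=[("Achieved statement 1", "Partially achieved statement 1")],
)

if __name__ == "__main__":
    for status in (ACHIEVED, PARTIAL):
        print(status, "->", check_review(SAMPLE, status))
```

For the sample, choosing ‘partially achieved’ produces no issues, while choosing ‘achieved’ produces one: a reminder that the departure from the rules must be explained in the contributing outcome comments. The check only flags departures; it does not replace the expert judgement the guidance asks for.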
Providing comments to support your review
You need to provide clear, concise comments to explain your reasons for selecting the contributing outcome status.
Your comments should reflect your review of the controls and processes that are in place for the contributing outcome. They should reference:
- areas of good practice
- current risks to the system or organisation and related areas for improvement
- the organisation’s supporting evidence
- specific IGPs, including where the organisation has noted alternative controls or exemptions
- where relevant, if the organisation is close to achieving the target resilience level for the contributing outcome
When you have finished reviewing the contributing outcome, select ‘Save and continue’ to return to the list of outcomes.
Note: Your comments for each contributing outcome will be included in the Independent Assurance Review Report (IARR).
Adding risks and recommendations
You must focus on providing clear, evidence‑based recommendations that directly address the risks identified in your review.
Your recommendations should be appropriate for the risk context of the organisation and system, as described in the organisation’s GovAssure scoping document.
You must add at least one recommendation for each contributing outcome that has a status of ‘not achieved’ or ‘partially achieved’.
Organisations may have a high number of recommendations to address from one GovAssure review. In the Independent Assurance Review Report (IARR) your recommendations will be grouped into two types to help with prioritisation.
- Priority recommendations
Priority recommendations address gaps where the contributing outcome has not met the target Government CAF profile.
- Other recommendations
Other recommendations address gaps where the contributing outcome has met the target Government CAF profile but there is more that the organisation can do to ensure their cyber security controls are appropriate for their risk context.
Note: Your recommendations will be automatically sorted into these groups in the report based on the outcome statuses you selected in your review.
Adding risks and recommendations
In the service you can select to ‘add a recommendation’.
Each recommendation must address a risk that you have identified.
Example risk and recommendation
Contributing outcome A1a. Board direction, achieved statement 3.
Add the risk.
Example: There is a risk that cyber security is managed in isolation from the organisation’s core objectives, leading to a failure to protect essential functions and a lack of accountability for high-impact security decisions.
Add your recommendation details. It is helpful to tell the organisation where they can address a recommendation quickly with a lower level of resource.
Example: Appoint a board-level individual with accountability for network and information system security. This will support integration of cyber security into corporate governance, providing the strategic oversight necessary to align technical defences with business priorities and mitigate the risk of operational failure. This recommendation can be implemented without significant financial investment.
Adding more recommendations
You must record each recommendation separately by selecting ‘add another recommendation’.
You might make more than one recommendation to address the same risk. In this case, you must select ‘add another recommendation’ and repeat the risk for each one.
When you have finished, select ‘Confirm and return’ to go back to the main menu.
Commenting on CAF objectives
When you have reviewed all the contributing outcomes in an objective, you must comment on the overall objective.
Your comments in these sections will be included in the Independent Assurance Review Report (IARR). These may be read by senior or less technical audiences so you should write them in accessible language.
Commenting on areas of good practice
Your comments should:
- Summarise key themes across the contributing outcomes and principles in the objective.
- Reference specific areas of good practice such as clear governance structures, consistent risk management processes, or well‑embedded procedures, and explain how these support the achievement of the objective.
Commenting on areas for improvement
Your comments should:
- Summarise key weaknesses across the contributing outcomes and principles in the objective.
- Outline resulting risks to the organisation.
- Reference specific high-priority areas for improvement such as immaturity of controls, insufficient governance or particular vulnerabilities.
Note: You must provide comments for each CAF objective.
Review details
Your comments in these sections will be included in the Independent Assurance Review Report (IARR).
Adding the Independent Assurance Review (IAR) period
Add the start date and the predicted end date of your review. You can come back to change this later if needed.
Adding your company details
Add the name of your company as the organisation knows it. This will usually be the company trading name.
Add the lead reviewer’s name and company email address. This may be you or a colleague.
Describing your review method
You must briefly describe the overall scope of the assessment. Mention any exclusions of specific components from the scope and the rationale for excluding them. These should be in the scoping document.
Describe your data collection methods and how you reviewed evidence. You should describe the quality and depth of your review and note any limitations or constraints you encountered during it.
Describing the quality of the self-assessment
You must comment on the quality of the organisation’s WebCAF self-assessment.
You should consider the level of detail provided by the organisation in the contributing outcome responses, and any comments it has included on alternative controls or exemptions at IGP level. For example, was there enough information to allow you to conduct an accurate, informed review?
You should comment on whether the organisation provided appropriate supporting evidence to back up their contributing outcome status and IGP selections.
While describing the quality of the self-assessment you should consider:
- Timeliness: Is the evidence recent enough to support the organisation’s narrative and has it been in use long enough to be effectively embedded?
- Completeness: Is the evidence complete and detailed enough?
- Approval status: Has the evidence been approved, or is it still in draft, which might suggest that it has not been implemented and used?
Creating the Independent Assurance Review Report
Note: The option to create a report will be available in WebCAF from early February 2026.
When you are ready to create your report, WebCAF will direct you to a screen to choose ‘Create report now’.
When you have created the report, your next steps are to:
- Check the report is accurate and complete.
- Share and discuss the report with the organisation.
- If you have agreed changes with the organisation, you can update to a new version of the report in WebCAF.
- If needed, iterate through new versions until both you and the organisation agree.
- Create a final version of the report.
When you have finalised the report you will no longer be able to create a new version. If you need to make more changes, contact cybergovassure@cabinetoffice.gov.uk.