Cyber attacks can disrupt your essential services, damage trust and cause significant financial losses. 

The number of incidents affecting the public sector is on the rise, so it's important you’re taking steps to protect your most important services.

The first step is to understand your level of cyber resilience.

The Cyber Assessment Framework for local government - or ‘CAF’ - is a tool that can help your council to assess and improve your cyber resilience.

Completing the CAF can support you to identify cyber risks that could disrupt your most important services, improve your resilience to potential cyber attacks, spend your time and money more efficiently, and embed a culture of cyber security across your organisation

The CAF can be completed alongside other cyber security standards to further strengthen your cyber resilience.

So, what does the CAF for local government involve?

First, prepare your council to start the CAF.  

This includes identifying who to involve from your organisation, planning your schedule and making contact with an independent assurer.

Next, you’ll set the scope of your CAF assessment. 

This involves documenting your organisational context, identifying your essential services and then identifying and prioritising your critical systems.

Once you’ve set your scope, you’re ready to begin the self-assessment of your organisation.

This is where you’ll evaluate how well your council is managing security risk, and minimising the impact of cyber security incidents.

Once you’ve completed the assessment, you’ll share it with an independent assurer, who will give you an external view of your organisation’s cyber resilience.

The assurer will give you feedback and recommendations on where to focus your efforts, which you can use to create a plan for improving the cyber resilience of your organisation.

The next part of the CAF looks at your critical systems. 

You’ll begin by creating architecture diagrams for the critical systems you’re assessing. 

This is called architecture mapping.

Once that’s complete, you can start self-assessing your critical systems. 

During this stage, you’ll evaluate how well your council is protecting against cyber attack, and detecting cyber security events.

You’ll then share the completed self-assessment with your independent assurer, and use their feedback to create a plan for improving the resilience of your critical systems.

Make the CAF a part of your routine risk management to maintain a clear and up-to-date picture of your current cyber resilience.

On the UK Government Security website you can find more guidance on each stage of the caf - including estimated timescales and who to involve from across your organisation.