NCSC Cyber Assessment Framework
The NCSC Cyber Assessment Framework (CAF) is a structured approach developed by the UK’s National Cyber Security Centre for assessing and improving the cyber resilience of organisations that operate essential services and critical national infrastructure. It provides a systematic method for evaluating your security posture against defined objectives, principles, and indicators of good practice.
For organisations operating in regulated sectors or delivering government services, the CAF is the benchmark your regulator will use to assess your cyber maturity. Understanding where you stand against it, and where the gaps are, is the starting point for any serious security improvement programme.
| Field | Detail |
|---|---|
| Full name | NCSC Cyber Assessment Framework (CAF) |
| Type | Framework |
| Maintained by | National Cyber Security Centre (NCSC), part of GCHQ |
| First published | 2018 (current version: CAF v4.0, released 2025) |
| Applies to | Operators of essential services (OES), critical national infrastructure (CNI), government departments, and organisations subject to NIS Regulations |
| UK relevance | The primary UK government framework for cyber resilience assessment; mandated through GovAssure for government departments; used by nearly all UK cyber regulators |
| Wikipedia | No dedicated article |
| Wikidata | No dedicated entry |
The four objectives
The CAF is built around four high-level objectives, supported by 14 principles and 39 contributing outcomes.
Objective A: Managing security risk covers governance, risk management, and asset management, ensuring your organisation understands what it needs to protect and has the structures in place to manage security risk at board level.
Objective B: Protecting against cyber attack addresses service protection policies, identity and access management, data security, system security, and resilient networks: the technical and procedural controls that reduce your attack surface.
Objective C: Detecting cyber security events focuses on security monitoring and proactive detection: whether your organisation can identify that something is wrong before it becomes a breach.
Objective D: Minimising the impact of incidents covers response and recovery planning and lessons learned, ensuring that when incidents occur, the impact is contained and your organisation can recover quickly.
Each principle is supported by indicators of good practice (IGPs) that define what ‘good’ looks like at different levels of maturity. The result is not a pass/fail assessment; it is a maturity profile showing where you meet expectations and where improvement is needed.
Who the CAF applies to
For operators of essential services under the NIS Regulations (energy, transport, health, water, and digital infrastructure), CAF assessment is mandated by sector regulators including Ofgem, Ofcom, the CAA, and NHS Digital. For UK government departments, the GovAssure scheme requires annual CAF assessment of critical systems. Defence supply chain organisations also increasingly use the CAF to demonstrate cyber maturity to contracting authorities.
Beyond mandated use, private sector organisations operating critical services or pursuing government contracts are adopting the CAF voluntarily as a structured, government-backed benchmark. If you’re being asked to demonstrate your security posture to a UK regulator or public sector client, the CAF is likely the framework they’ll expect you to assess against.
How a CAF assessment works
A CAF assessment typically follows four stages. Scoping identifies which systems and services fall within scope based on their criticality and regulatory context. Self-assessment evaluates your current posture against the 39 contributing outcomes using the indicators of good practice. For regulated organisations, independent assessment by a qualified assessor then validates the findings. And improvement planning prioritises gaps by risk and develops a remediation roadmap with clear ownership and timelines.
The CAF is a tool for continuous improvement, not a one-off compliance exercise. The most effective organisations treat it as an ongoing programme, assessing annually, tracking improvement against their roadmap, and using each assessment to inform security investment decisions.
How the CAF relates to other frameworks
The CAF was originally developed to support NIS Regulations implementation, and it remains the primary assessment tool for NIS compliance in the UK. It complements ISO 27001: while ISO 27001 provides a certifiable management system focused on processes and controls, the CAF provides outcome-based assessment focused on resilience, and many organisations use both. The CAF also aligns conceptually with NIST CSF 2.0, and the NCSC provides a mapping between the two frameworks. At a baseline level, Cyber Essentials covers foundational technical controls, while the CAF operates at a higher maturity level for organisations with more complex risk profiles.
How we deliver CAF assessments
As one of 24 NCSC Assured Cyber Security Consultancies in the UK, and one of only six assured for Risk Audit and Review, we deliver CAF assessments across government, critical national infrastructure, and regulated sectors. Our consultants help you scope the assessment to your regulatory context, evaluate your posture against the CAF objectives, identify and prioritise gaps, and build a practical improvement roadmap. We combine CAF assessment with CREST-certified penetration testing and threat modelling to give you both the governance view and the technical assurance.
Related glossary terms
- CREST certification – accreditation for testing providers involved in CAF-related penetration testing
- Threat modelling – structured threat analysis that informs CAF Objective A (managing security risk)
- MITRE ATT&CK – adversary framework used to assess detection coverage under CAF Objective C
External references
- NCSC: Cyber Assessment Framework – official CAF documentation and guidance
- UK Government Security: Introduction to CAF – government overview of CAF application
Frequently asked questions
Is the NCSC CAF mandatory?
For operators of essential services under NIS Regulations and government departments under GovAssure, yes. Sector regulators including Ofgem, Ofcom, the CAA, and NHS Digital mandate its use. For other organisations, the CAF is a voluntary but widely respected benchmark for demonstrating cyber resilience.
How does the CAF differ from ISO 27001?
ISO 27001 is a certifiable management system standard focused on processes and controls. The CAF is an outcome-based assessment framework focused on resilience. They are complementary. Many organisations use ISO 27001 for their management system and the CAF to assess whether their outcomes meet government expectations.
How often should a CAF assessment be conducted?
GovAssure requires annual assessment for government departments. For regulated organisations, frequency depends on the sector regulator. Best practice is a full assessment annually with quarterly reviews of the improvement plan.
Contact Us
Cyberfort Ltd
Venture West,
Greenham Business Park, Thatcham,
Berkshire,
RG19 6HX