Suggested 10 steps for conducting the self-assessment
The following provides a series of suggested steps for cyber teams and system owners to take in approaching the self-assessment:
1. Understand the scope of GovAssure
The GovAssure Scoping Document should be shared with all important stakeholders to ensure awareness of the essential services, in-scope systems, and CAF Government Profiles assigned to them for GovAssure
2. Understand the CAF and define a WebCAF Organisation Lead
A good understanding of the CAF is required by all stakeholders before completing the CAF self-assessment. If individuals are not familiar with the CAF, it may seem complex. Therefore, it is important to make sure that system owners have a good understanding of the CAF’s structure and how it should be interpreted. We advise that teams discuss and describe the high-level CAF principles before focusing on the contributing outcomes and indicators of good practice (IGPs). A WebCAF Organisation Lead will need to be defined for your organisation; they will be responsible for configuring access and permissions.
3. Develop a plan for delivery
The GovAssure Pilot showed that it helps to develop a plan for the delivery of the self-assessment and to schedule timeframes for its completion, so that progress can be monitored and the independent assurance review can be scheduled.
4. Understand your Cyber and IT Delivery and Operating Model and align roles to the CAF
Understanding your Cyber and IT Operating Model, and combining this with a view of the roles and input the CAF expects under each objective, principle and contributing outcome, is essential to completing the CAF self-assessment efficiently, because it allows the division of responsibilities to be agreed and shared.
It is important to understand this first in order to identify any gaps in information or responsibility. System owners are usually important stakeholders, and their input and engagement are considered essential. Raising awareness of GovAssure and the CAF amongst system owners and other appropriate individuals and teams as early as possible will support those involved in completing the CAF self-assessment.
5. Assign individuals to principles and contributing outcomes
Completion of the CAF self-assessment will call upon multiple individuals. The organisation should obtain an early view of who within the organisation will be required to input to the self-assessment, so that expectations for their input and timescales can be communicated.
6. Understand the WebCAF access roles within your organisation
WebCAF supports many roles and responsibilities to allow for joint working, with customisable permissions to restrict access to individual system assessments as required. WebCAF also allows users to be given either edit access or a ‘read only’ view.
There are three categories of user profiles, and they are organised as follows:
- Organisation level – these users are able to access the full view of the organisation, including all systems and related assessments (lead/user/viewer)
- System level – these users can only access the systems and related assessments to which they are granted access (user/viewer)
- Assessors – these are the independent assurance reviewers; they can access the organisation and/or the assessments to which your organisation grants them access
7. Workshop the CAF with your team
Organisation cyber teams should hold workshops on responses at the contributing outcome level to obtain an initial view of what a response might look like. This is a good opportunity to confirm who will respond to each contributing outcome, as some contributing outcomes can be completed at an enterprise level by an organisation’s cyber security team, whereas others can be completed at a system level by individual system owners or teams.
You may also find that information relating to some IGPs is held by an individual or team that is not the system owner. This needs to be identified before the formal self-assessment commences, so that the relevant team and system owner are aware of which parts of the self-assessment they are contributing to. When you workshop the contributing outcomes, it is important to be mindful of the Target Government CAF Profile, to understand what the expectations are for achievement of the contributing outcomes and what you will be assessed against – “not achieved”, “achieved” or, in some cases, “partially achieved”. This will focus effort on the relevant level for your organisation and avoid wasted effort. It is important to consider what evidence you will provide against each IGP, so you may use this workshop to construct an initial response and identify what evidence should be referenced.
Organisations should complete ‘Objective A’ of the CAF first and advise GSG when this has been completed.
8. Collation of evidence
Organisations should consider beginning to collate evidence before populating WebCAF, and should think about organising it logically by objective, principle, contributing outcome and IGP. You should ensure that evidence is collated and referenced in an appropriate and accessible way for the independent reviewer, for example by creating a shared folder structure. The collated evidence pack allows the reviewer to test whether the contributing outcomes are being met.
9. Conduct regular checkpoints to review progress and perform internal quality assurance
We recommend that your organisation schedules regular updates with the individuals identified as key stakeholders in completing the self-assessment. This is to ensure that progress remains on track and that any questions or issues can be escalated and resolved.
It is also recommended that, throughout the completion of the self-assessment, there are regular reviews of the quality of the narrative and evidence being provided, to ensure that any issues are identified and resolved in good time before submission and independent review at Stage Four.
10. Sign-off and submission of the self-assessment
It is recommended that you define and agree an internal process for your organisation that provides appropriate senior visibility, quality assurance and approval before the self-assessment is submitted via WebCAF.
As a minimum requirement, sign-off and submission of the final self-assessment should be agreed between the GovAssure accountable officer and the GovAssure coordination lead.