
Author: Government Security Guidance

Stage 1: Organisational context, essential services and mission

Stage 1 will provide further detail on starting the GovAssure process through the completion of a scoping exercise.

The successful scoping of GovAssure relies on a full understanding of the organisation’s strategic context, the essential services it provides and its overall mission. This puts into context the cyber security threat landscape in which the organisation operates, as well as the services deemed essential to its operations.

Successful scoping should enable the organisation to identify, as part of Stage 2 (In-scope systems and assigning the target Cyber Assessment Framework (CAF) Profile), the critical systems that underpin the delivery of the organisation’s essential services. This will help to determine what will be in scope for the organisation’s CAF self-assessment, so that subsequent risk, security and resilience management is framed appropriately.

Existing sources of information to use on your GovAssure journey

Where possible, use existing sources of information that will support the thinking around the organisational context and essential services and the links to underpinning critical systems. For example, organisational outcome delivery plans, business continuity information and any exercises that explain the flow of personally identifiable information (PII) within your organisation, as well as any other work that may have been commissioned previously to better understand and illustrate the essential services delivered by your organisation.

Identification and assignment of GovAssure roles and responsibilities and RASCI completion

Introducing the GovAssure Scoping Document

GovAssure Scoping Document – Part A: Mission, Objectives and Priorities

At the start of the GovAssure process, government organisations will be asked to complete the ‘GovAssure Scoping Document’. Part A of the document will encourage you to think about and record the following:

  1. Mission – What is your organisation trying to achieve? How does it support the delivery of government services?
  2. Objectives – What are the key objectives used to deliver that mission?
  3. Priorities – What are your organisation’s top priorities?
  4. Threat landscape – Who is looking to attack your organisation? Why? What could happen if they were successful?
  5. Cyber Risk Appetite – What is the cyber risk appetite for your organisation?

The GovAssure Scoping Document is important because it will be used by the independent assurance reviewers to understand the context and risk appetite set by the organisation, which will support the reviewer to determine whether the security controls in place are appropriate and proportionate for the level of risk exposure.

The outputs of Stage 1 should be recorded under Part A of the GovAssure Scoping Document. We have an example of a completed GovAssure Scoping Document to support this process, using the fictitious government department, the ‘Department of Artificial Intelligence and Robotic Technologies’ (DAIRT).

GovAssure Scoping Document – Part B: Identifying and Defining Essential Services

Essential services will differ between organisations, so each organisation should refer to its annual reporting, organisational outcome delivery plans and wider strategic documentation to support this identification.

Determining the essential services that underpin the delivery of your organisation’s mission, objectives and priorities can be complex. We have developed a ‘Guide to thinking through essential services and systems through five lenses’ to support your organisation in considering and documenting its thinking through each lens, and ultimately the critical systems it will select to be included in scope for GovAssure. The number of services that might be considered ‘essential’ will vary by organisation. We expect organisations to select a practical number of essential services for consideration to include in the scope for GovAssure.

Each organisation will need to consult with a wide range of colleagues to support this exercise. For example, Chief Risk Officers should be consulted to check the understanding and recording of the primary organisational risks. Only once an organisation has defined its essential services can it move on to identifying the critical systems in scope for GovAssure (Stage 2). The outputs of this stage should be recorded under Part B of the GovAssure Scoping Document.

Essential services of the organisation in scope

  1. Government Critical National Infrastructure Services: Services that the UK public rely upon, on a daily or near-daily basis, as per official guidance.
  2. Operators of essential services (OES): Services which are essential for the maintenance of key societal or economic activities, as per official guidance. For example, energy, transport, health, water, digital infrastructure.
  3. Fundamental organisational outputs and mission: Services fundamental to the outcomes of the organisation, which the organisation must provide. For example, government policy development, regulation, delivery and support, briefings, analysis and advice.

Further guidance on Stage 1

Useful documents to download for Stage 1
