Stage 3: Self-assessment
Stages 1 and 2 of the GovAssure process come together to provide the scoping inputs for Stage 3, the CAF self-assessment. Organisations will complete a self-assessment for each critical system identified as in-scope for GovAssure, as well as assessing their wider organisational security arrangements under Objectives A and D.
Organisations will need to show how they meet each CAF contributing outcome and the associated indicators of good practice (IGPs) by inputting statements of achievement and supporting commentary into WebCAF, the online platform used for completing CAF self-assessments in GovAssure.
Organisations are expected to conduct a comprehensive but realistic CAF self-assessment supported by evidence. The self-assessment is to be performed within the parameters set out in the GovAssure Scoping Document.
Principles to consider when completing the Cyber Assessment Framework (CAF) self-assessment:
- Individuals involved in the completion of the CAF should have received appropriate briefings and training to understand how the CAF works before attempting completion.
- Organisations are not expected to be assessed as ‘Achieved’ for every contributing outcome across each system. The target government CAF profile (Baseline or Enhanced) will detail the target level, and it is important that individuals are aware of this before completing the self-assessment, so they are not encouraged to try to find evidence that may not be there.
- The CAF is not intended to be inflexible, rule-based, or applied as a checklist. It is recognised that where an Indicator of Good Practice (IGP) is not being met, an organisation may be implementing alternative controls or methods which meet the contributing outcome.
- Organisations can decide that individual IGPs do not apply to them, or they may have taken a decision not to meet specific indicators because they judge doing so to be unnecessary or disproportionate. In these cases, organisations should ensure they document the justification for marking an indicator as not applicable and the reason for taking this decision. This will be particularly important when it comes to the independent assurance review.
- Descriptive statements to support contributing outcomes should be sufficiently detailed to allow an independent reviewer to perform an initial desk-based review, supported by appropriate evidence stored in an organised manner.
- Do not write new evidence where documentation does not exist. The reviewer will judge how well integrated evidence is, and any gaps will be highlighted for review and remediation in the report.
- Individuals are responsible for submitting their organisation’s return through WebCAF and should make sure that it is subject to appropriate control checks and sign-offs before submitting. It is important to outline who will be involved here as early in the GovAssure process as possible, and this may be recorded in the RASCI template.
- When completing the self-assessment return, it is important to provide honest and accurate statements.
Consider who to involve in the CAF self-assessment – role alignment
It is important to recognise that completion of the CAF self-assessment will require input from many individuals across the organisation, with the work and responsibility for completing it shared between cyber teams, system owners and others. It may be appropriate for an organisation to complete Objectives A and D at a strategic level if the organisation deems that the systems in scope have commonality across these objectives and their sub-principles.
Objectives B and C are more commonly assessed by system owners, but some of the contributing outcomes for B and C may also be answered best at a strategic level, particularly where monitoring processes are conducted through a central SOC, and where security policies are set and mandated centrally.
Collecting evidence
Suitable supporting evidence tends to fall into several different types, for example, policies, strategies, procedures, meeting minutes and plans. Evidence should be relevant and already present, not created for the purpose of GovAssure. We have developed example evidence or artefacts that indicate how to evidence each indicator of good practice across the target CAF profiles and this is available on WebCAF for both the Baseline and Enhanced profiles.
The independent reviewer will use a combination of the self-assessment statements on WebCAF and the evidence provided to perform an initial assessment as to whether the evidence supports the statements made against the indicators of good practice. Evidence is not stored on WebCAF and we suggest that you maintain a suitable repository of evidence structured and aligned with the CAF in a suitably secure location and with access managed appropriately. It will be necessary to provide access to the independent reviewer as part of Stage 4.
Evidence should be relevant and suitably cross-referenced; ideally, where applicable, the reference should point to where in the particular document or artefact the reviewer should be looking. This will make it as straightforward and efficient as possible for the reviewer to perform an assessment between WebCAF and the evidence repository. WebCAF allows you to add file references and, where appropriate, URL links to documentation to support the completion of the IGP statements and the overall contributing outcome.
Before commencing the self-assessment, the organisation should ensure that it has identified important stakeholders and communicated the GovAssure process and expectations. It is good practice to gather some or all the following documentation to provide a good starting foundation for the self-assessment:
- Organisational and governance structure
- Governance reporting arrangements
- Risk management arrangements
- Roles and responsibilities
- Cyber security strategy
- Security initiatives and improvement plans
- Recent examples of any cyber security assessment or assurance activities
- Asset inventories
- Network architecture diagrams
- System architecture diagrams for each system in-scope
GovAssure and existing assurance framework mapping
Commonly used cyber security frameworks are consistent with the CAF, which means that assurance reporting requirements can align with internal cyber security risk management structures and processes.
Government Security Group have developed CAF guidance mapping to assist those within an organisation completing a CAF self-assessment. It is not a direct mapping tool. It is a tool to guide and suggest where users should look within existing organisational security management frameworks.
Users should use these to gather relevant evidence to meet the outcomes stated within the target CAF assessment profile. The following frameworks have been mapped to CAF:
- NIST SP 800-53 Rev.4
- CIS CSC
- COBIT 5
- ISA 62443-2-1: 2009
- ISA 62443-3-3: 2013
- ISO/IEC 27001: 2013
Further Guidance on Stage 3
- Suggested 10 steps for conducting the self-assessment
- CAF Objectives and Components
- Indicators of Good Practice (IGPs)
- Using WebCAF for the self-assessment
Self-assessment additional resources
WebCAF has been designed to be as self-contained as possible, but to aid completion you may wish to refer to additional cyber security standards and resources.