Skip to main content

What do you think of this service? Your feedback will help us to improve it.

Author: Government Security Guidance

Stage 4: Independent assurance review

GovAssure is subject to an assurance model where accredited suppliers are contracted by the receiving organisation, to perform independent assurance reviews to verify the organisation’s WebCAF self-assessment.

Please email cybergovassure@cabinetoffice.gov.uk for a transcript if required.

GovAssure is subject to an assurance model where accredited suppliers are contracted by the receiving organisation, to perform independent assurance reviews to verify the organisation’s WebCAF self-assessment. The exercise is not a security compliance audit, it is a risk based assurance review. Independent assurance reviews will also be submitted via WebCAF.

Independent Assurance Reviewers will need to meet the GovAssure Accreditation standard as well as being sufficiently independent to provide these reviews. Organisations will be able to select their supplier of choice from a pool of accredited suppliers. Your organisation should ensure that you have funding set aside for this review.

Organisations undergoing a peer review instead of an independent assurance review should consult the peer review guidance instead.

Checkpoint Review

It is important that before submitting the WebCAF self-assessment, the organisation and GSG are content that the self-assessment is sufficiently complete for the independent assurance reviewer to conduct the review. The review will commence once it has been agreed with GSG that the organisation’s self-assessment is ready for review.

Objectives of the independent assurance review

The Assurance Review will provide an independent assessment and verification of your organisations WebCAF self-assessment.

The objectives of this assurance review are to:

  1. Assess the level of attainment of the target Government CAF profile that has been assigned to the system.
  2. Validate the opinion of ‘achieved’ or ‘partially achieved’ along with the associated commentary against each CAF contributing outcome, based on the evidence provided by your organisation and the associated indicators of good practice.
  3. Assess at a high level, how your organisation is identifying and managing its cyber risks.
  4. Understand the key cyber security risks related to your organisation and your in-scope critical systems.
  5. Determine the effectiveness of current cyber security controls
  6. Provide a draft report covering observations and recommendations against the target government CAF profile and, following an agreement process, a final report, detailing challenges and important observations for the organisation.

GovAssure Independent Assurance Reviewer and GovAssure on Crown Commercial Services

See our GovAssure Independent Assurance Reviewer guidance for information on:

  • Becoming an Independent Assurance Reviewer
  • GovAssure on Crown Commercial Services
  • GovAssure Independent Assessor requirements and accreditation requirements
  • Independent Assessor obligations

GSG has worked closely with NCSC and Crown Commercial Service to develop the minimum accreditation requirements for independent assurance reviewers. However, organisations will also be able to add further requirements if they wish to do so.

The assurance reviewer will use the GovAssure Scoping Document that was completed during Stage 1 and Stage 2 to understand the organisation’s context, threat, risk and defensive posture. This will contextualise each WebCAF self-assessment so that the reviewer can consider the meaning of the responses to the self-assessment for your organisation.

Independent Assurance Review – a high level approach

See our detailed guidance on The Assurance Review Process for more information.

The five stage approach for the Independent assurance review includes:

  • Onboarding/scoping
  • Planning
  • Assessment and analysis
  • Reviewing and communicating results
  • Independent Assurance Review Report (IARR)

Once the organisation’s self-assessment has been finalised and agreed that it is ready for review as part of Stage three, an independent assessor or assessors, “the assessor” will conduct an independent and expert assessment of the self-assessment return in conjunction with the supporting evidence, “the review”. The assessor will provide an independent judgement of the organisations self-assessed position against the 39 contributing outcomes of the CAF against the assigned target CAF profile that has been selected for the systems being assessed.

The assessor will complete their review using the ‘assurance reviewer view’ within WebCAF. Specifically, the assessor will complete the assurance reviewer section against each of the Contributing Outcomes for each of the systems assessed.

The GovAssure Scoping Document completed during Stage 1 and Stage 2 will be used from the start of the review to understand the organisation’s context, threat, risk and defensive posture and where appropriate controls should be pitched; the collated evidence pack allows the assessor to test whether the outcomes are being met.

Key considerations as part of the independent assurance review

  1. Independence, objectivity and conflict checks. It is important that the provider does not have any conflict of interest. This could arise if they have been responsible for some or all of the system being assessed. This must be considered when the provider selection process is performed; it is also incumbent upon a provider to call out if they feel that there is such a conflict that has been missed by the organisation. This won’t necessarily preclude that company from bidding for the work, but failure to declare any interests could preclude them from bidding for future GovAssure work. Some examples of conflicts include;
    • previously been involved in the design of the system
    • performed CHECK pen testing, or
    • been involved in architectural design reviews.
  2. Engagement in the process. The individuals involved in the completion of the self-assessment will be expected to work with the assessor throughout Stage 4.
  3. Your data and your responsibility. Throughout the self-assessment process, it is important to remember that the data and all aspects around managing, processing, storing or using the data should be under the direction and control of the organisation receiving the review and should agree and formalise arrangements with the provider. The organisation should have a means of setting out their requirements for how their information and data will be handled in line with contractual obligations with the provider.
  4. Final CAF submission and review readiness: CAF submission and internal sign-off processes suggests that the CAF is ready for review by the assessor, the organisation should maintain evidence of internal sign-off prior to submission.
  5. Risk based assurance review: The review is not a security compliance audit; therefore, the assessor will recognise that there are a number of ways in which individual contributing outcomes and supporting IGPs may be achieved, and the assessor will be encouraged to consider compensating controls that the organisation may have in place when the assessor is making their judgments, providing an organisation’s approach to completing the self-assessment is appropriately evidenced.
  6. Limitations of the GovAssure independent assurance review: The review does not constitute a complete and full assessment of the organisation’s cyber security as a whole and does not include all possible internal control weaknesses that an end-to-end and comprehensive compliance assessment might identify. It, therefore, should not be considered as a means of providing full assurance over an organisation’s cyber security measures.

7.Reliance on accurate information: The review is focused on an independent view of your self-assessment, workshops and the evidence provided. Its value will be reliant on the honest and accurate completion of the self-assessment.

Assumptions and dependencies

The assessor’s ability to provide an effective assurance review depends on the organisation carrying out the following:

  • Ensuring that all required stakeholders will be available to actively participate as necessary.
  • Providing information, documentation, and evidence to the assessors in a timely manner.
  • Designating a single point of contact to coordinate interactions with the assessor (for example the GovAssure Coordination lead) and helping to escalate any issues, such as non-engagement by stakeholder(s). It is assumed that this individual will be empowered to facilitate key delivery decisions and communicate with senior stakeholders across the organisation.
  • Working with the assessor to provide agreement and approval of their work.

Next Steps

By the end of Stage Four, organisations will have agreed a list of observations with the independent assurance provider. This will be developed into the Independent Assurance Review Report (IARR) as part of the final assessment feeding into the Targeted Improvement Plan (TIP), to be delivered as part of Stage Five.

We have provided a stage 4 outcome checklist to support you.

Further guidance

The Assurance Review Process

Stage 4 outcome checklist

Becoming a GovAssure Independent Assurance Reviewer

Peer Review Guidance for Lead Government Departments

Conducting a peer review

Back to Stage 3   Move on to Stage 5

Sign up to UK Government Security

Subscribe to our newsletters to receive notifications when changes to strategy, policy, standards, and guidance are published on the website.

Sign up now