CAF as a Continuous Programme, Not a Point-in-Time Audit
Most organisations still treat NCSC CAF as a once-a-year deliverable. This article explains why continuous assurance is a better fit for how cyber risk actually behaves, and how scheduled runs, an assurance history, and shareable live posture turn CAF into a programme you run rather than an event you survive.

For many organisations, an NCSC CAF assessment is an event. Evidence is gathered in the weeks before a deadline, judgements are made under time pressure, a report is produced, and the whole exercise is filed away until next year. That model is familiar, but it is increasingly at odds with how cyber risk actually behaves.
The CAF is an outcomes-based framework. It asks whether cyber risks to essential functions are being managed — not whether a document existed on the day of the assessment. Managing risk is a continuous activity, so assessing it as a single annual snapshot leaves most of the year unmeasured.
Why point-in-time assessment falls short
Cyber environments change continuously. Cloud configurations drift, new systems are onboarded, access rights accumulate, suppliers change their services, and vulnerabilities appear daily. A contributing outcome that was well evidenced in March can be undermined by a configuration change in May. A point-in-time assessment cannot see that, because by the time it is repeated, the evidence has to be gathered all over again.
There is also a practical cost. Annual assessments concentrate effort into a short, stressful window. Teams scramble to locate evidence, chase colleagues, and reconstruct the rationale behind decisions made months earlier. The result is expensive, inconsistent, and hard to defend.
What a continuous CAF programme looks like
A continuous programme keeps the assessment alive between formal reviews. Instead of one annual push, assurance runs on a schedule, evidence is refreshed as it changes, and posture is always current. Three capabilities make this practical.
Scheduled, recurring runs. Recurring assessment runs turn assurance into a steady operational rhythm. Rather than a fire drill before an audit, the programme continually re-checks contributing outcomes against current evidence, so drift is caught early rather than discovered at the next review.
An assurance history. A control timeline records how each contributing outcome has changed cycle over cycle, with the rationale behind those changes. That history is valuable in its own right: it demonstrates that controls remain effective over time, and it makes regressions visible instead of leaving them buried in old spreadsheets.
Live, shareable posture. Boards and regulators do not want a snapshot from six months ago. A shareable heatmap link that reflects the current assessment lets stakeholders see where essential functions are resilient and where improvement activity is underway, without waiting for the next report.
Continuous does not mean unattended
Continuous assurance is not about removing people. Expert judgement still sits at the centre: assessors validate scope, review contributing outcome judgements, and sign off conclusions. What changes is the cadence. Instead of judging everything once a year, the programme keeps evidence and conclusions current, and focuses human attention where something has changed.
This also strengthens defensibility. A living assurance record — with scheduled runs, retained rationale, and a visible history — tells a far more convincing story to a regulator than a single annual report. It shows that cyber risk is understood, governed, and managed continuously, which is exactly what the CAF is designed to encourage.
How CyConex supports continuous CAF
CyConex is built for continuous assurance. Assessments can run on a schedule, an assurance history tracks changes across cycles, and shareable dashboards keep posture current for boards and reviewers. Evidence connected from Microsoft 365 and SharePoint stays aligned with the systems in scope, so refreshing an assessment does not mean starting from scratch.
The shift from point-in-time to continuous is not just a tooling change; it is a change in how assurance is understood. CAF stops being an event you survive and becomes a programme you run — one that gives leadership a living view of whether controls remain sufficient for the risks the organisation cannot accept.