CyConex
Built for UK NCSC CAF programmes

Run NCSC CAF assessments, evidenced faster.

Ingest evidence, assess contributing outcomes and IGPs, and export CAF heatmaps and audit-ready reports — from one secure workspace.

CyConex uses Agentic Assurance to get you there: intelligent agents orchestrate evidence work, control mapping, and AI-assisted review while your assessors retain expert judgement and sign-off across every conclusion.

Platform

Explore the platform

Browse the workspace for evidence libraries, CAF assessments, dashboards, and exportable reports.

Ingest Word, PDF, Excel, and text files — or connect SharePoint — to build the evidence base your CAF assessment requires.

Screenshots show the early access product and may change as features are refined.

Get started

Try CyConex free or request a demo

Sign up in minutes for free early access, or tell us about your NCSC CAF assurance programme and we'll walk you through the platform.


NCSC Cyber Assessment Framework

Purpose-built for UK CAF assurance programmes

The NCSC CAF is the UK's outcomes-based framework for assessing how well organisations manage cyber risk to essential functions. It is used by nearly all UK cyber regulators, adopted across the public sector via GovAssure, and aligned to the NIS Regulations for operators of essential services. It demands evidence-led judgement, not checkbox compliance. CyConex is designed around that reality.

CAF assessments are structured around four security objectives and fourteen principles, broken down into contributing outcomes assessed via IGPs:

A. Managing security risk

Governance, risk management, asset management, and supply chain — the foundations for proportionate cyber security across essential functions.

B. Protecting against cyber attack

Policies, identity and access, data security, system hardening, resilient networks, and staff awareness that defend critical services.

C. Detecting cyber security events

Security monitoring and threat hunting capabilities that give organisations visibility before incidents escalate.

D. Minimising incident impact

Response, recovery planning, and lessons learned — ensuring resilience when defences are tested.

How CyConex supports CAF assessments

From scoping essential functions to exporting reviewer-ready outputs — without losing the expert judgement the NCSC expects.

Work at contributing outcome and IGP level

Structure assessments around CAF's 41 contributing outcomes and Indicators of Good Practice — recording achieved, partially achieved, or not achieved judgements with linked evidence, not generic control checklists.

Align to regulator CAF profiles

Assess against the target profile your competent authority or GovAssure programme requires, whether that means sector-specific interpretations or government baseline profiles for critical systems.

Support self-assessment and independent review

Give internal teams and external assessors a shared evidence base, traceable IGP references, and exportable reports that support the dialogue CAF assessments are designed to encourage.

Communicate posture with CAF heatmaps

Publish objective and principle-level heatmaps so boards, SROs, and oversight bodies see where essential functions are resilient — and where improvement activity is needed.

CyConex supports CAF-aligned assessment workflows. It is not affiliated with or endorsed by the NCSC. Organisations subject to regulation should confirm requirements with their competent authority or cyber oversight body.

Platform workflow

Evidence, assessment, and reporting

Connect SharePoint and document libraries, assess NCSC CAF contributing outcomes and IGPs with expert judgement, and export heatmaps and audit-ready reports — from GovAssure self-assessments to regulated CNI programmes.

Evidence

Connect evidence where it already lives

CAF assessments depend on policies, procedures, audit reports, and operational evidence drawn from across the organisation. Ingest documents directly or connect Microsoft 365 and SharePoint sources to keep your evidence library aligned with the systems and essential functions in scope.

  • Upload policy, procedure, and audit files for CAF review
  • Connect SharePoint and Microsoft 365 evidence libraries
  • Keep evidence scoped to the right organisation and assessment programme
CAF assessment

Map evidence to contributing outcomes and IGPs

The NCSC expects assessors to exercise expert judgement — IGPs inform conclusions, they do not replace them. CyConex surfaces relevant evidence for each contributing outcome, helping teams record achieved, partially achieved, or not achieved judgements with traceable references.

  • Structured NCSC CAF catalogue with principles and IGPs
  • Semantic search across policy, procedure, and audit evidence
  • Human reviewers retain final say on every IGP assessment
Transparency

Follow the evidence from source to assessment

Every control assessment shows how evidence was considered, filtered, and cited. Review the documents sent to the AI reviewer, see which chunks supported the outcome, and understand the confidence behind each judgement.

  • Evidence review trail with considered, selected, and used counts
  • Documents and chunks explicitly cited in the assessment
  • Clear rationale for achieved, partially achieved, or not achieved outcomes
Assurance history

Track how control outcomes evolve

Every reassessment is recorded on a control timeline — showing score changes, newly assessed evidence, and the rationale when an outcome stays the same. Assurance leads can see what changed and why, cycle over cycle.

  • Chronological assessment history per contributing outcome
  • Score and status changes linked to new evidence uploads
  • Clear explanations when outcomes are unchanged
Assurance outputs

Turn CAF assessments into board-ready reporting

Generate Excel and Word assessment exports, track assessment history across review cycles, and publish CAF heatmaps at objective and principle level for GovAssure reviewers, competent authorities, and governance stakeholders.

  • Principle-level CAF heatmaps and compliance scorecards
  • Exportable reports for self-assessment and independent review
  • Also supports NIST 800-53 and NIST CSF 2.0 catalogues
Workflow

How CAF assessment works in CyConex

A straightforward workflow from evidence connection to CAF reporting — designed around the outcomes-based approach the NCSC expects.

1. Connect evidence

Upload policy, procedure, and audit files, or connect Microsoft 365 and SharePoint evidence libraries to your project workspace.

2. Scope your CAF assessment

Define essential functions, select your target CAF profile, and import the NCSC CAF catalogue — principles, contributing outcomes, and IGPs — or other framework control sets.

3. Match evidence and assess IGPs

Use semantic matching and AI-assisted review to link evidence to contributing outcomes, supporting achieved, partially achieved, or not achieved judgements.

4. Review and export for assurance

Human reviewers validate conclusions, then export audit-ready Excel and Word reports and CAF heatmap dashboards for oversight bodies and governance stakeholders.

Audience

Built for UK assurance teams

CyConex supports the stakeholders involved in NCSC CAF programmes — from operators of essential services to public sector assurance reviewers.

For NIS and CNI operators

Prepare CAF assessments aligned to your competent authority's target profile — demonstrating how essential services manage cyber risk under UK NIS Regulations.

For public sector GovAssure programmes

Support self-assessment workflows for critical government systems — gathering evidence, structuring IGP responses, and preparing outputs for independent review.

For internal assurance and GRC teams

Replace spreadsheet-driven CAF programmes with a repeatable, evidence-led process that preserves expert judgement and clear audit trails.

For boards and senior responsible owners

See CAF posture at objective and principle level through heatmaps and scorecards — making resilience gaps visible before regulators or reviewers do.

Frameworks

Supported frameworks

NCSC CAF is CyConex's primary framework — with NIST 800-53, NIST CSF 2.0, and custom control catalogues also supported for multi-framework assurance programmes.

NCSC CAF

Supported

The UK NCSC's outcomes-based Cyber Assessment Framework — four objectives, fourteen principles, 41 contributing outcomes, and IGPs. Used for GovAssure, NIS Regulations, and CNI sector oversight. CyConex's primary framework support.

NIST 800-53

Supported

Comprehensive security and privacy controls for federal and enterprise use.

NIST CSF 2.0

Supported

Structured cybersecurity framework outcomes for maturity assessment and reporting.

Custom control frameworks

Supported

Define and assess against your organisation's own control libraries and catalogues.

Framework coverage and control mappings in early access may expand or change over time.

Trust & security

Designed for sensitive assurance work

CyConex is built around secure tenant and project boundaries. Evidence, assessments, users, and review history are scoped to the right organisation and project, with support for hosted identity, MFA-aware access patterns, audit logging, and encrypted evidence storage options.

AI usage is auditable, helping teams adopt automation while preserving accountability.