Article | 18 min read | CyConex Team

The NCSC Cyber Assessment Framework: Turning Cyber Resilience into Measurable Assurance

The NCSC Cyber Assessment Framework helps organisations move from general belief in security to evidence-based assurance of cyber resilience. CyConex accelerates CAF preparation by mapping scattered evidence to framework outcomes.

[Illustration: CyConex CAF readiness workflow. Evidence and critical infrastructure data flow through a processing hub to a CAF Readiness dashboard showing Objectives A through D.]

Cyber security has moved far beyond the question of whether an organisation has firewalls, passwords and anti-malware in place. For organisations that deliver essential services, support public-sector operations, manage critical supply chains or operate systems on which people and businesses depend, the real question is much bigger: can the organisation demonstrate that it understands, manages and can recover from cyber risk in a way that is proportionate to the services it provides?

That is the role of the NCSC Cyber Assessment Framework, usually known as the CAF.

Developed by the UK's National Cyber Security Centre, the CAF provides a structured way to assess cyber security and resilience against outcomes that matter. It helps organisations move from a general belief that "we are probably secure enough" to an evidence-based position: what services are critical, what threats matter, what controls are in place, what evidence supports those controls, where the gaps are, and what needs to improve.

For many organisations, CAF is becoming one of the most important cyber assurance frameworks in the UK. It is already embedded in regulatory, public-sector and critical national infrastructure contexts, and it is increasingly relevant to suppliers and service providers that support essential services. Even organisations that are not formally required to undertake a CAF assessment can use it as a powerful benchmark for cyber resilience.

However, preparing for a CAF assessment is not trivial. It involves evidence, interpretation, scoping, judgement and a defensible understanding of how cyber security measures support essential services. This is exactly where CyConex can help.

What is the NCSC Cyber Assessment Framework?

The CAF is a cyber security and resilience assessment framework. It is designed to help organisations assess how well they are managing cyber risks to essential functions.

That phrase is important. CAF is not simply a technology checklist. It is not just a certification badge. It is an outcome-focused framework that asks whether an organisation has the governance, risk management, protective controls, detection capability and recovery arrangements needed to protect the services that matter most.

The framework is organised around four high-level objectives:

Objective A: Managing security risk

This covers governance, accountability, cyber risk management, asset management and supply chain security. It asks whether cyber security is properly owned, understood and managed across the organisation.

Objective B: Protecting against cyber attack

This covers the policies, processes and technical measures that reduce the likelihood of compromise. It includes areas such as identity and access control, data security, system security, resilient networks and staff awareness.

Objective C: Detecting cyber security events

This focuses on monitoring, logging, alerting and the ability to detect suspicious or malicious activity. CAF expects organisations to have a meaningful ability to identify cyber security events, not simply to assume that preventative controls will always work.

Objective D: Minimising the impact of cyber security incidents

This covers incident response, recovery planning, exercising and lessons learned. It asks whether the organisation can respond to incidents and restore essential functions in a controlled and timely way.

Under these objectives sit principles, and under each principle a set of contributing outcomes. Each contributing outcome is rated as achieved, partially achieved or not achieved, and the indicators of good practice (IGPs) listed against each outcome help organisations and assessors make that judgement. The focus is not merely whether a document exists, but whether the organisation can demonstrate that the outcome is achieved in practice.

A brief history of the CAF

The CAF emerged from the UK's need for a consistent, outcome-based way to assess cyber resilience in essential services and critical sectors. Its roots are closely linked to the Network and Information Systems Regulations, which came into force in 2018 and were designed to improve the cyber security and resilience of important systems across the UK.

The first CAF release appeared in April 2018. Since then, the framework has evolved through multiple versions as cyber threats, regulatory expectations and operational realities have changed. Later versions refined the approach, clarified expectations and expanded guidance. CAF version 3.2 was released in April 2024, and CAF version 4.0 was released by the NCSC in September 2025.

The release of CAF 4.0 reflected an important shift in the threat landscape. The NCSC highlighted the growing threat to critical national infrastructure and the need for providers of essential services to keep pace with changing attacker methods. CAF 4.0 strengthened coverage in areas such as threat understanding, secure software, security monitoring, threat hunting and AI-related cyber risk.

This evolution matters because CAF is not static. It is intended to remain relevant as attackers change, technology changes and regulation develops. Organisations preparing for an assessment should always confirm which version and profile applies to their specific assessment route, regulator, sector or oversight body.

Who is CAF for?

CAF is primarily intended for organisations that operate essential services or support functions where serious cyber incidents could have significant consequences. This includes organisations in sectors such as energy, transport, healthcare, digital infrastructure and government.

It is also relevant to organisations subject to cyber regulation, public-sector bodies, critical national infrastructure operators, suppliers to essential services and organisations managing cyber risk to public safety.

In practice, CAF is increasingly useful for a wider group of organisations. A managed service provider, cloud platform, SaaS provider, local authority, technology supplier or professional services firm may not initially think of itself as "critical infrastructure". But if its services support organisations that deliver essential public or economic functions, it may be asked to demonstrate a level of cyber assurance that goes beyond basic security controls.

This is one of the reasons CAF is so important for suppliers. Even where a supplier is not directly regulated, its customers may be. Those customers may need assurance that their supply chain is resilient, that risks are understood, and that evidence exists to support cyber security claims. CAF gives those conversations a common language.

How CAF assessments work

A CAF assessment begins with scope. The organisation must understand which essential services or critical systems are being assessed. Poor scoping can make the whole assessment difficult: too narrow, and important dependencies are missed; too broad, and the assessment becomes unmanageable.

Once scope is understood, the organisation assesses itself against the relevant CAF objectives, principles and outcomes. This requires more than answering "yes" or "no". It involves explaining the organisation's approach, identifying the evidence that supports that position, understanding gaps and judging whether the implemented controls are appropriate for the risk.

Evidence can come from many places: policies, standards, risk registers, asset inventories, architecture diagrams, supplier assurance records, incident response plans, vulnerability reports, monitoring outputs, board papers, meeting minutes, training records, technical configuration exports, test results and audit reports.

This is where CAF preparation becomes challenging. The evidence often exists, but it is scattered across teams, systems and document repositories. Security teams may know that controls are operating, but struggle to show clear, traceable evidence against each CAF outcome. Business owners may understand the service, but not how to describe cyber resilience in assessment language. Technical teams may provide detailed evidence, but without mapping it to the relevant CAF expectations.

A good CAF assessment therefore needs three things: a clear scope, a defensible interpretation of the CAF outcomes, and a strong evidence story.

CAF and Cyber Essentials: how do they work together?

Cyber Essentials and CAF are both important, but they serve different purposes.

Cyber Essentials is the UK government-backed minimum standard for cyber security. It focuses on five core technical controls designed to protect organisations from common internet-based attacks: firewalls, secure configuration, security update management, user access control and malware protection. Cyber Essentials is suitable for organisations of all sizes and provides a practical baseline for reducing exposure to common threats.

Cyber Essentials Plus builds on the same requirements but adds independent technical testing to provide a higher level of assurance that the controls are actually in place.

CAF operates at a broader and deeper level. It looks at cyber security and resilience in the context of essential services and organisational outcomes. It covers governance, risk management, supply chain, monitoring, incident response, recovery and the ability to demonstrate resilience proportionate to the threat.

The two frameworks are therefore complementary. Cyber Essentials can provide a strong foundation for CAF Objective B, particularly around basic technical protection. However, Cyber Essentials alone does not address the full range of CAF expectations. It does not, for example, provide the same depth of assessment around governance, risk ownership, supply chain assurance, threat hunting, incident recovery or board-level accountability.

A useful way to think about it is this: Cyber Essentials helps demonstrate that the organisation has locked the front door against common attacks. CAF asks whether the organisation understands the building, the people inside it, the services it supports, the adversaries that may target it, the controls needed to protect it, the alarms that detect intrusion, and the recovery plan if something still goes wrong.

Why CAF preparation is difficult

CAF assessments are demanding because they are evidence-led and outcome-focused.

Many organisations underestimate the effort required. They may already have a strong cyber security programme, but assessment preparation exposes practical challenges. Evidence is often fragmented. Policies may be out of date. Technical controls may not be linked to business services. Risk registers may not clearly map to essential functions. Supplier assurance may be held in procurement systems rather than security systems. Incident response plans may exist, but testing evidence may be limited. Board reporting may mention cyber risk, but not provide enough detail to demonstrate ownership, challenge and decision-making.

Another challenge is interpretation. CAF indicators of good practice are written to support judgement, not mechanical box-ticking. That means organisations need to understand what the framework is really asking. A literal reading can create unnecessary work, while an overly optimistic reading can create false confidence.

Optimism bias is a common problem. Teams naturally believe that their controls are better evidenced than they really are. They may know a process exists, but an assessor needs to see whether it is documented, implemented, reviewed and effective. They may know monitoring tools are deployed, but the assessment needs to understand what is monitored, how alerts are handled, whether coverage is complete and whether the organisation can detect the threats that matter.

CAF preparation therefore requires a disciplined approach: gather evidence, map it to outcomes, test the strength of that evidence, identify gaps, improve weak areas and build a clear assessment narrative.
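As an added illustration of that disciplined approach (example code written for this article, not CyConex's own logic and not an NCSC scoring method), the Python below holds a small evidence register, maps each record to the CAF contributing outcomes it claims to support, and applies a simple strength rule: an outcome counts as achieved only when there is current design evidence (a policy or procedure) and current operating evidence (a log export, configuration export, test result or minutes). Evidence not reviewed within the review period is reported but not counted, which is how a "policy exists but is not embedded" position shows up as a gap rather than as a pass. The outcome identifiers follow the CAF's own B2.a / C1.c / D1.a style (v3.x naming); the document references, dates, review period and the rule itself are constructed assumptions.

```python
"""
Added worked example: an evidence register mapped to CAF contributing
outcomes with a simple evidence-strength rule. Not CyConex code and not
the CAF's scoring; the records, dates and rule are assumptions.
"""
from dataclasses import dataclass
from datetime import date, timedelta

# Design evidence shows a control is intended; operating evidence shows it
# is actually running and reviewed. An assessor wants to see both.
DESIGN_KINDS = {"policy", "standard", "procedure", "architecture"}
OPERATION_KINDS = {"log_export", "config_export", "test_result", "minutes", "audit_report"}


@dataclass(frozen=True)
class Evidence:
    ref: str                    # hypothetical document reference
    kind: str                   # one of DESIGN_KINDS or OPERATION_KINDS
    outcomes: tuple[str, ...]   # CAF contributing outcomes cited, e.g. "B2.a"
    reviewed: date              # last review or production date


@dataclass(frozen=True)
class Finding:
    outcome: str
    status: str                 # "achieved", "partially_achieved", "not_achieved"
    reason: str


def assess_outcome(outcome, register, today, max_age_days=365):
    """Rate one contributing outcome from the evidence that cites it.

    Rule (an assumption for this example, not the CAF's own method):
      no current evidence                        -> not_achieved
      only design evidence, or only operating    -> partially_achieved
      both kinds, all within max_age_days        -> achieved
    Stale records are named in the reason but never count.
    """
    cutoff = today - timedelta(days=max_age_days)
    cited = [e for e in register if outcome in e.outcomes]
    current = [e for e in cited if e.reviewed >= cutoff]
    stale = [e.ref for e in cited if e.reviewed < cutoff]
    design = [e.ref for e in current if e.kind in DESIGN_KINDS]
    operating = [e.ref for e in current if e.kind in OPERATION_KINDS]
    stale_note = f"; stale and ignored: {', '.join(stale)}" if stale else ""

    if not current:
        return Finding(outcome, "not_achieved", "no current evidence" + stale_note)
    if design and operating:
        return Finding(outcome, "achieved",
                       f"design {design} + operating {operating}" + stale_note)
    if design:
        return Finding(outcome, "partially_achieved",
                       f"documented only {design}, no operating evidence" + stale_note)
    return Finding(outcome, "partially_achieved",
                   f"operating evidence only {operating}, no documented design" + stale_note)


def readiness_report(outcomes, register, today, max_age_days=365):
    """Map every in-scope outcome to a Finding; the gap list falls out of the statuses."""
    return {o: assess_outcome(o, register, today, max_age_days) for o in outcomes}


# Constructed sample register: hypothetical references and dates.
SAMPLE_TODAY = date(2025, 10, 1)
SAMPLE_REGISTER = [
    Evidence("POL-007", "policy", ("B2.a", "B2.c"), date(2025, 3, 12)),       # access control policy
    Evidence("IAM-Q3", "config_export", ("B2.a",), date(2025, 9, 20)),        # MFA / account export
    Evidence("IR-PLAN", "procedure", ("D1.a", "D1.b"), date(2023, 6, 1)),     # IR plan, not reviewed for 2+ years
    Evidence("SOC-RUNBOOK", "procedure", ("C1.c",), date(2025, 1, 15)),       # alert handling runbook
    Evidence("SIEM-SAMPLE", "log_export", ("C1.a", "C1.c"), date(2025, 9, 28)),
    Evidence("EXERCISE-2025", "test_result", ("D1.c",), date(2025, 7, 8)),     # tabletop exercise report
]
SAMPLE_OUTCOMES = ("B2.a", "B2.c", "C1.a", "C1.c", "D1.a", "D1.c")

if __name__ == "__main__":
    for outcome, finding in readiness_report(SAMPLE_OUTCOMES, SAMPLE_REGISTER, SAMPLE_TODAY).items():
        print(f"{outcome:6} {finding.status:20} {finding.reason}")
```

Run as a script, it prints one line per in-scope outcome. The stale incident response plan drops D1.a to not achieved because a document nobody has reviewed in over a year is evidence of very little, while D1.c shows the opposite gap: an exercise report with no current, documented procedure behind it. Both are exactly the kinds of position that need the human judgement discussed later in this article, but the register makes them visible before the assessor does.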

How CyConex supports CAF assessment preparation

CyConex is designed to make CAF assessment preparation faster, clearer and more defensible.

Instead of relying on manual document review, spreadsheets and scattered evidence trackers, CyConex can ingest large volumes of organisational evidence and analyse it against the CAF. This may include policies, procedures, risk registers, technical reports, meeting minutes, audit outputs, supplier assurance documents, control checklists and other relevant records.

CyConex then helps map evidence to the relevant CAF objectives, principles and outcomes. It identifies where evidence appears to support a requirement, where the evidence is weak, and where gaps may exist. This gives organisations a much clearer view of their readiness before they enter a formal assessment.

The benefit is not just speed. It is confidence.

CAF preparation often consumes large amounts of time because skilled people have to read and assimilate large volumes of information. They need to work out which documents matter, what they say, which CAF outcome they support and whether the evidence is strong enough. CyConex reduces this burden by doing the heavy lifting: finding relevant evidence, extracting meaning, mapping it to the framework and presenting structured findings for review.

That allows cyber, risk and compliance teams to focus their time where it adds most value: interpretation, challenge, remediation planning and engagement with business owners.

Reducing time, effort and cost

A traditional CAF preparation exercise can be expensive because it depends heavily on manual effort. Consultants or internal teams may spend days or weeks collecting documents, reading evidence, interviewing stakeholders, populating spreadsheets and writing assessment commentary.

CyConex changes the economics of preparation. By automating much of the evidence review and mapping process, it can significantly reduce the time required to understand the current evidence position. Organisations can move more quickly from "we need to prepare" to "we know where we stand".

This matters for several reasons.

First, it reduces the cost of preparation. Less time is spent manually searching for evidence and re-reading documents that may not be relevant.

Second, it improves coverage. CyConex can review evidence consistently across the CAF, reducing the risk that important documents are overlooked or that evidence is only considered for the most obvious controls.

Third, it improves repeatability. CAF readiness is not a one-off exercise. Organisations need to maintain their evidence position, track improvements and prepare for future assessment cycles. CyConex supports a more continuous approach to assurance, rather than a last-minute scramble before an assessment.

Fourth, it improves confidence. Leadership teams and assessors need a clear, evidence-backed view of readiness. CyConex helps provide that view before the organisation is exposed to formal scrutiny.

Supporting organisations that are only considering CAF

Not every organisation starts with a formal CAF requirement. Some simply want to understand whether CAF is relevant to them. Others may be suppliers to regulated organisations and want to prepare early. Some may be planning to bid for public-sector or critical infrastructure work and recognise that cyber assurance expectations are increasing.

CyConex can support these organisations by providing an early CAF readiness view. It can help answer practical questions such as:

What evidence do we already have?

Which CAF areas appear well supported?

Where are the obvious gaps?

How much work might be required before a formal assessment?

Which policies, processes or technical evidence should we prioritise?

This allows organisations to make informed decisions before committing significant internal or consultancy effort. It also helps turn CAF from an intimidating framework into a structured improvement roadmap.

Human judgement remains essential

CyConex is not intended to replace the human assessor, security leader or risk owner. CAF assessments require judgement. They require understanding of context, proportionality, business impact, threat and operational reality.

What CyConex does is accelerate the work that is slow, repetitive and difficult to do consistently at scale. It can read, organise, map and summarise evidence far faster than a manual process. It can highlight potential gaps and provide structured rationale. But the organisation still needs human judgement to validate findings, challenge assumptions, agree risk positions and decide what action to take.

That human-in-the-loop approach is especially important for CAF. The framework is outcome-based, and outcomes require interpretation. A policy might exist but not be embedded. A control might be technically deployed but not operationally effective. A risk might be accepted but not at the right level of authority. These are questions that require experienced judgement, supported by good evidence.

From assessment preparation to continuous assurance

The real value of CAF is not simply passing an assessment. It is improving cyber resilience.

CyConex helps organisations use CAF as a living assurance model. Evidence can be maintained, reviewed and refreshed over time. Gaps can be tracked. Improvements can be prioritised. Reports can be generated for security teams, executives, auditors and assessors. Supply chain evidence can be gathered and reviewed more consistently. The organisation can build a stronger, more defensible cyber assurance position with less manual effort.

This is a better way to approach cyber resilience. Instead of preparing under pressure shortly before an assessment, organisations can understand their position continuously. Instead of relying on confidence or assumption, they can rely on evidence. Instead of treating CAF as a compliance burden, they can use it as a framework for better governance, better resilience and better decision-making.

Conclusion: CAF readiness starts with evidence

The NCSC Cyber Assessment Framework has become one of the UK's most important models for assessing cyber resilience. It is particularly relevant to essential services, public sector organisations, critical national infrastructure and the suppliers that support them. It works alongside frameworks such as Cyber Essentials by building on basic technical controls and extending the assessment into governance, risk, monitoring, response, recovery and resilience.

For organisations preparing for CAF, the challenge is rarely a lack of cyber activity. The challenge is proving, clearly and defensibly, that the right outcomes are being achieved.

That proof depends on evidence.

CyConex helps organisations find, understand, map and assess that evidence at speed. It reduces the manual effort involved in CAF preparation, identifies gaps earlier, supports better remediation planning and gives organisations greater confidence before they enter an assessment.

Whether an organisation is already committed to a CAF assessment or simply exploring what CAF might mean for them, CyConex provides a faster, smarter and more evidence-led route to readiness.

CAF asks an important question: can you demonstrate that your essential services are resilient against cyber threats?

CyConex helps you answer that question with confidence.

More to read

Agentic Assurance Still Needs the Human Assessor

The Hidden Challenge of Assurance Assessments: Finding the Evidence, Understanding the Context, and Identifying the Gaps

Introducing Agentic Assurance and Compliance Assessments