← Back to articles
Article20 min readCyConex Team

Understanding the NCSC CAF Assessment Process: From Evidence Collection to Assessment Readiness

How the NCSC Cyber Assessment Framework assessment process works, why evidence management matters, and how CyConex helps organisations prepare for CAF assessment with greater confidence and lower effort.

Infographic showing evidence complexity flowing through CyConex AI-assisted assurance to CAF assessment readiness with objective coverage, gap analysis and confidence scoring

For many UK organisations, preparing for an NCSC Cyber Assessment Framework assessment can feel complex, time-consuming and difficult to interpret. The challenge is rarely a lack of security activity. Most organisations already have policies, risk registers, technical controls, supplier processes, incident plans, monitoring arrangements and governance meetings in place. The harder question is whether those activities can be clearly evidenced against the outcomes expected by the CAF.

That is where many organisations struggle.

The NCSC Cyber Assessment Framework, commonly known as CAF, is not a simple checklist. It is an outcome-focused framework designed to help organisations assess and demonstrate cyber resilience, particularly where important or essential services are involved. It looks beyond whether a document exists and asks whether the organisation can show that cyber risk is being understood, managed, monitored and improved in practice.

A successful CAF assessment therefore depends on evidence. Not just the presence of evidence, but its relevance, quality, currency and traceability. Organisations need to show how policies, processes, technical controls, assurance activities and operational records support the required CAF outcomes.

This article explains how the CAF assessment process works, why evidence management is so important, and how CyConex helps organisations prepare for assessment with greater confidence, lower effort and stronger assurance.

What is the NCSC Cyber Assessment Framework?

The NCSC Cyber Assessment Framework is a structured framework for assessing cyber security and resilience. It is particularly relevant to organisations that provide or support important services, including critical national infrastructure, regulated sectors, public sector bodies and organisations involved in supply chains where cyber assurance is a growing expectation.

CAF is built around four high-level objectives:

Managing security risk

Protecting against cyber attack

Detecting cyber security events

Minimising the impact of cyber security incidents

These objectives are supported by principles, contributing outcomes and Indicators of Good Practice. Together, they provide a way of assessing whether an organisation has appropriate cyber resilience in place for the functions, services and systems being considered.

The important point is that CAF is written in terms of outcomes. It is not simply asking whether an organisation has implemented a standard list of controls. It asks whether the organisation can demonstrate that the right outcomes are being achieved, in context, and to an appropriate level.

That distinction matters. A policy may exist, but does it define real accountability? A risk register may be maintained, but does it inform decision-making? Access controls may be configured, but are privileged accounts governed, reviewed and monitored? Incident response plans may be documented, but have they been tested and improved?

CAF assessment is about that deeper level of assurance.

Why CAF assessments can feel difficult

CAF assessments can feel overwhelming because they require organisations to connect many different types of information.

Relevant evidence may be spread across:

cyber security policies

risk registers

asset inventories

supplier assurance records

board papers

security committee minutes

vulnerability reports

access reviews

incident response plans

backup and recovery tests

monitoring dashboards

training records

technical configuration exports

audit findings

remediation plans

service management tickets

cloud security reports

internal assurance reviews

Each artefact may support several CAF outcomes. Equally, a single CAF outcome may require evidence from many different sources. For example, governance cannot usually be demonstrated by a single policy. It may require board reporting, risk ownership, decision records, accountability statements, resourcing evidence, assurance activity and evidence that security risks are being tracked to closure.

This creates a practical challenge: organisations often have evidence, but they cannot easily prove what it demonstrates.

That is why evidence mapping is one of the hardest parts of CAF preparation. It is not enough to gather documents into a folder. Evidence must be reviewed, interpreted and connected to the relevant CAF principles and outcomes in a way that is clear, defensible and repeatable.

The CAF assessment process explained

Although every assessment will vary depending on the organisation, sector, scope and oversight body, the CAF assessment journey normally follows a series of recognisable phases.

Phase 1: Scope the assessment

The first step is to define what is being assessed.

This means identifying the organisation, service, system, business function or essential function that is in scope. It also means understanding the boundaries of the assessment. Which systems are included? Which suppliers support the service? Which teams operate or maintain it? Which locations, networks, cloud environments or third-party services are relevant?

Poor scoping creates problems later. If the scope is too vague, evidence collection becomes unfocused. If the scope is too narrow, important dependencies may be missed. If the scope is too broad, the assessment can become unmanageable.

Good scoping should answer questions such as:

What function, service or system is being assessed?

Why is it important?

What unacceptable consequences could arise from cyber compromise?

Which assets, suppliers, users and processes support it?

Who owns the risks?

Who owns the evidence?

Which CAF version or sector-specific profile is being used?

Is there a regulator, oversight body, customer or assessor involved?

This phase should involve both cyber security and business stakeholders. CAF is not just a technical assessment. It requires input from governance, operations, risk management, service owners, IT, suppliers and senior leadership.

Phase 2: Understand the CAF outcomes

Once the scope is clear, the organisation needs to understand what the relevant CAF outcomes mean in context.

This is where many organisations make the mistake of treating CAF like a generic checklist. The Indicators of Good Practice are useful, but the assessment still requires judgement. The organisation must interpret what good looks like for the service, risk environment and threat context being assessed.

For example, the evidence required to demonstrate effective security monitoring for a small internal system may differ from the evidence required for a critical public service. The same principle applies, but the expected depth, maturity and assurance may be different.

A strong preparation process should therefore translate each relevant CAF principle into practical questions:

What would we expect to see if this outcome were being achieved?

What evidence would prove that the outcome is achieved in practice?

What evidence would show the outcome is only partially achieved?

What evidence would indicate a gap?

Which documents, records, systems or people are likely to hold the evidence?

What judgement would an assessor need to make?

This interpretation stage is critical. It helps the organisation move from "we have documents" to "we can demonstrate assurance".

Phase 3: Collect and organise evidence

The next phase is evidence collection.

This is often the most labour-intensive part of the CAF process. Teams are asked to gather policies, procedures, records, logs, reports, screenshots and meeting evidence from across the organisation. Evidence may be stored in SharePoint, Teams, ticketing systems, GRC platforms, cloud consoles, vulnerability tools, spreadsheets, email attachments and local folders.

The problem is not just volume. It is also relevance.

A typical CAF assessment may involve hundreds of documents and thousands of pages of material. Some of it will be directly relevant. Some will be outdated. Some will support one outcome but not another. Some may describe a process that is not actually followed. Some may contain useful evidence buried deep inside a meeting pack or technical report.

Good evidence management should consider:

ownership: who is responsible for each artefact?

currency: is the evidence current and approved?

scope: does the evidence relate to the system or service being assessed?

quality: does it demonstrate implementation, or only intention?

traceability: which CAF outcomes does it support?

confidence: how strong is the evidence?

gaps: what is missing, unclear or contradictory?

Evidence collection should not become a document dump. The aim is to build an evidence base that supports assessment judgement.

Phase 4: Map evidence to CAF outcomes

Evidence mapping is where CAF preparation becomes more demanding.

An assessor does not simply want to know that a document exists. They need to understand what it proves. A security policy may support governance, risk management, access control, incident response and supplier management, but only if the relevant sections are clear, approved and implemented. A vulnerability report may support protective security, but only if there is evidence that vulnerabilities are triaged, remediated and reported through governance.

This means each evidence artefact needs to be reviewed and mapped to the relevant CAF principles, contributing outcomes and Indicators of Good Practice.

For each mapping, the organisation should be able to explain:

which CAF outcome the evidence supports

which part of the evidence is relevant

whether the evidence is primary or supporting

whether it demonstrates design, implementation or operational effectiveness

how strong the evidence is

whether there are limitations

what further evidence may be needed

This is where manual approaches often break down. Spreadsheets can track document names, but they rarely provide strong traceability from specific evidence to specific CAF outcomes. They also make it difficult to explain why evidence was considered sufficient, partial or weak.

CyConex is designed to help with this problem. It supports evidence ingestion, analysis and mapping so that organisations can understand which artefacts support which controls or outcomes, where evidence is strong, and where coverage gaps remain. This gives teams a clearer view of assessment readiness before a formal review begins.

Phase 5: Perform gap analysis

Once evidence has been mapped, the organisation can identify gaps.

A gap may exist for several reasons:

there is no evidence for a required outcome

the evidence is outdated

the evidence is too generic

the evidence does not relate to the assessed scope

the evidence describes a process but does not prove it operates

the evidence is contradicted by other records

the control exists but is not consistently applied

accountability is unclear

risk decisions are not recorded

remediation is not tracked to completion

CAF gap analysis should be honest and practical. The aim is not to create a perfect picture. The aim is to understand where the organisation is ready, where it has partial coverage, and where improvement is required.

This is also where the distinction between policy evidence, process evidence, technical evidence and operational evidence becomes important.

A policy may show intent. A procedure may show design. A ticket, report, log, minutes extract or test result may show implementation. A trend report, review cycle or assurance finding may show ongoing operation and improvement.

Strong CAF preparation usually requires a combination of these evidence types.

Phase 6: Prepare assessment outputs

After evidence mapping and gap analysis, the organisation needs to prepare outputs that can support internal review, assessor engagement or formal submission.

These may include:

an assessment readiness report

evidence registers

CAF outcome summaries

control coverage summaries

gap analysis reports

remediation plans

evidence packs

management briefings

risk acceptance records

board or committee updates

The quality of these outputs matters. A good CAF preparation report should not simply list documents. It should explain the assessment position, the supporting evidence, the level of confidence and the remaining areas of uncertainty.

This is where CyConex can significantly reduce manual effort. Instead of forcing teams to read and cross-reference large evidence sets manually, CyConex helps structure the evidence, identify relevant content, highlight gaps and produce clearer assessment outputs.

The result is not the removal of human judgement. It is better preparation for human judgement.

Phase 7: Remediate and improve

CAF should not be treated as a one-off assessment exercise. The findings should feed into risk management, improvement planning and governance.

Where gaps are identified, the organisation should agree remediation actions. These actions should have owners, deadlines, priorities and evidence requirements. Senior stakeholders should understand which gaps create material risk and which actions are needed to improve resilience.

Examples of remediation activity might include:

updating governance terms of reference

clarifying cyber risk ownership

improving supplier assurance processes

strengthening access review evidence

testing incident response plans

improving vulnerability remediation tracking

formalising backup and recovery testing

updating policy documents

improving monitoring coverage

documenting risk acceptance decisions

creating clearer board reporting

The most mature organisations use CAF as part of a continuous assurance cycle. Evidence is maintained, reviewed and updated over time, rather than rebuilt from scratch before each assessment.

Phase 8: Maintain ongoing assurance

CAF readiness should not disappear after an assessment.

Cyber risk changes constantly. Systems change, suppliers change, threats change, vulnerabilities emerge, staff move roles and new services are introduced. Evidence that was valid six months ago may no longer reflect the current environment.

Ongoing assurance means maintaining a live view of:

which outcomes are well supported

which evidence needs review

which risks remain open

which suppliers need reassessment

which controls have changed

which remediation actions are overdue

which evidence has become stale

which areas require management attention

This is where platform-assisted assurance provides a major advantage over manual evidence tracking. A structured system can help organisations maintain evidence, monitor coverage and prepare for future reviews without starting again each time.

Manual CAF preparation versus platform-assisted preparation

Many organisations still prepare for CAF assessments manually. This often involves spreadsheets, shared folders, long email chains and repeated meetings to ask teams for evidence.

That approach can work for small scopes, but it becomes difficult as the assessment grows.

Evidence collection: with a manual approach, documents are gathered through email, folders and spreadsheets. With CyConex, evidence can be uploaded, organised and managed in a structured workspace.

Evidence review: manual preparation relies on reading and interpretation by hand. CyConex provides AI-assisted review to help identify relevant content and evidence coverage.

CAF mapping: spreadsheet-based mapping offers limited traceability. CyConex maps evidence to relevant controls, obligations or outcomes with stronger traceability.

Gap analysis: manual approaches depend on reviewer familiarity and judgement alone. CyConex highlights coverage gaps more quickly and consistently.

Reporting: manual report preparation is time-consuming. CyConex produces structured outputs to support readiness reviews and assessor engagement.

Consistency: manual preparation varies by reviewer and project. CyConex applies repeatable assessment logic and evidence handling.

Confidence: it is difficult to see how strong the evidence base is manually. CyConex provides confidence indicators showing where evidence is strong, partial or weak.

Continuous assurance: manual evidence is often recreated for each assessment. CyConex maintains evidence and mappings over time.

The purpose of CyConex is not to replace the assessor. It is to reduce the manual burden of preparing, reading, organising and mapping evidence so that organisations and assessors can focus on judgement, risk and improvement.

What good CAF evidence looks like

Good evidence is relevant, current, scoped and defensible.

For example, a cyber security governance policy may be useful, but it is unlikely to be sufficient on its own. Stronger governance evidence might include:

approved policy documents

board or committee minutes

cyber risk reports

named risk owners

decision records

budget or resourcing evidence

assurance findings

remediation tracking

evidence that risks are escalated and reviewed

Similarly, access control evidence might include:

access control policy

privileged access procedures

identity provider configuration

joiner, mover and leaver records

access review outputs

privileged account review evidence

MFA configuration

exception records

monitoring alerts

remediation actions from previous reviews

The strongest evidence shows not only that a control has been designed, but that it operates in practice.

This distinction is vital for CAF assessment readiness. It is often the difference between an organisation believing it is prepared and being able to demonstrate that preparation to an assessor.

Common CAF preparation pitfalls

Organisations preparing for CAF assessments often encounter similar problems.

Treating CAF as a checklist

CAF is outcome-based. A checklist can help with organisation, but it should not become a substitute for assessment judgement. The real question is whether the outcome is achieved and evidenced.

Collecting too much irrelevant evidence

More evidence is not always better. Large volumes of weak or irrelevant evidence can make assessment harder. Evidence should be selected and mapped because it supports a specific outcome.

Relying only on policy documents

Policies are important, but they often show intent rather than implementation. Assessors will usually need evidence that processes are operating in practice.

Ignoring scope

Evidence must relate to the service, system or function being assessed. Generic enterprise policies may be useful, but they may not prove that the scoped environment is properly controlled.

Failing to explain judgement

It is not enough to say that evidence exists. Organisations should explain why the evidence supports a particular CAF outcome and what level of confidence it provides.

Leaving remediation too late

CAF preparation should identify gaps early enough for improvement. If gaps are discovered only during formal assessment, the organisation has less time to respond.

How CyConex supports CAF assessment readiness

CyConex helps organisations prepare for CAF assessments by making evidence easier to manage, analyse and explain.

Rather than treating evidence management as a spreadsheet exercise, CyConex supports a more structured assurance workflow:

Organisations create a project for the assessment or assurance activity.

Evidence is uploaded and organised within the project.

Relevant control frameworks, such as CAF, can be selected.

Evidence is analysed and mapped against relevant requirements.

Coverage gaps and weak areas are identified.

Findings can be reviewed by human users.

Reports and outputs can be produced to support assessment preparation.

Evidence and findings can be maintained for future assurance activity.

This gives organisations a clearer understanding of their readiness before engaging in formal assessment or external review.

For assessors, CyConex can reduce the time spent searching through documents and manually cross-referencing evidence. For organisations being assessed, it provides earlier insight into likely gaps and reduces the risk of being surprised during assessment.

The benefit is not simply speed. It is confidence.

CyConex helps organisations understand what evidence they have, what it supports, where it is weak, and what needs to improve.

CAF assessment preparation checklist

A practical CAF readiness checklist should include the following areas:

Confirm the assessment scope and boundaries

Identify the relevant service, system or essential function

Confirm which CAF version or profile applies

Identify stakeholders and evidence owners

Map assets, suppliers and dependencies

Gather policies, procedures and technical records

Collect governance and risk management evidence

Collect operational evidence, such as logs, tickets and review records

Map evidence to CAF principles and outcomes

Assess evidence strength and relevance

Identify missing or weak evidence

Produce a gap analysis

Agree remediation actions

Assign owners and deadlines

Prepare assessment-ready reports

Maintain evidence for ongoing assurance

This checklist should be treated as a management tool, not a substitute for assessment judgement.

Frequently asked questions

Is the NCSC CAF assessment process mandatory?

CAF is used in a range of regulatory, public sector and assurance contexts, particularly where organisations provide or support important services. Whether it is mandatory depends on the sector, regulator, contract, oversight body or assurance scheme involved. Organisations should confirm their specific obligations with the relevant regulator, customer or oversight body.

Is CAF the same as Cyber Essentials?

No. Cyber Essentials is a specific certification scheme focused on a defined set of technical controls. CAF is broader and outcome-focused. It considers governance, risk management, protection, detection, response and resilience. Cyber Essentials may support aspects of CAF, but it does not replace a CAF assessment.

Can a CAF assessment be completed using only documents?

Usually not. Documents are important, but strong assessment evidence often includes operational records, technical outputs, meeting minutes, review evidence, logs, tickets, dashboards, test results and remediation tracking. CAF assessment is concerned with whether outcomes are achieved in practice.

How often should organisations review CAF evidence?

Organisations should review CAF evidence regularly and whenever there are significant changes to systems, services, suppliers, threats, incidents or organisational responsibilities. For many organisations, annual review is a sensible minimum, but higher-risk services may require more frequent assurance activity.

Can CyConex replace a human assessor?

No. CyConex is designed to support assessment preparation and evidence analysis, not replace professional judgement. Human assessors and internal assurance professionals remain essential for interpretation, challenge, context and accountability. CyConex reduces manual effort and improves visibility so that human judgement can be applied more effectively.

Conclusion

The NCSC CAF assessment process is demanding because it asks organisations to demonstrate cyber resilience through evidence. It is not enough to have policies, tools or technical controls. Organisations need to show that the right outcomes are being achieved, that evidence supports those outcomes, and that gaps are understood and being addressed.

For many organisations, the hardest part is not cyber security activity itself. It is turning scattered evidence into clear, defensible assurance.

CyConex helps solve that problem. By supporting evidence ingestion, mapping, gap analysis and assessment-ready reporting, CyConex gives organisations a clearer view of their CAF readiness and helps reduce the cost, effort and uncertainty of assessment preparation.

The result is a better prepared organisation, a stronger evidence base and greater confidence before formal assessment begins.

More to read

ArticleYour Own Personal Assessor: How Agentic Assurance Changes Cyber Certification PreparationArticleWhy Evidence Mapping Is the Hardest Part of Cyber AssuranceArticleThe NCSC Cyber Assessment Framework: Turning Cyber Resilience into Measurable Assurance