Cyber Assessment Framework V3.

Version as of 15th April 2024

 Crown Copyright 2024

Contents

The CAF - A tool for assessing cyber resilience ................................................................................... 3

CAF Requirements .............................................................................................................................. 3
CAF Principles and contributing outcomes ......................................................................................... 3
Using IGPs ........................................................................................................................................... 4
Setting target levels of cyber security and resilience ......................................................................... 5
Making the CAF sector specific ........................................................................................................... 5
The Cyber Assessment Framework ..................................................................................................... 6
CAF - Objective A - Managing security risk ..................................................................................... 6
CAF - Objective B - Protecting against cyber attack ...................................................................... 12
CAF - Objective C - Detecting cyber security events ..................................................................... 31
CAF - Objective D - Minimising the impact of cyber security incidents ........................................ 37

Please Note: A list of all changes made between CAF V3.1 and V3.2, and all previous versions of the
CAF are available on the NCSC website.

2 of 40
The CAF - A tool for assessing cyber resilience
The Cyber Assessment Framework (CAF) provides a systematic and comprehensive approach to
assessing the extent to which cyber risks to essential function(s) are being managed by the
organisation responsible. CAF-based assessments can be carried out either by the responsible
organisation itself (self-assessment) or by an independent external entity, possibly a regulator /
cyber oversight body or a suitably qualified organisation acting on behalf of a regulator, such as an
NCSC assured commercial service provider.

The NCSC CAF cyber security and resilience objective and principles provide the foundations of the
CAF. The 4 high-level objectives and the 14 principles are written in terms of outcomes, i.e.
specification of what needs to be achieved rather than a checklist of what needs to be done. The
CAF adds additional levels of detail to the top-level principles, including a collection of structured
sets of Indicators of Good Practice (IGPs) as described in more detail below.

It should be noted that NCSC developed the CAF in its role as national technical authority for cyber
security, with an expectation that it would be used, amongst other things, as a tool to support
effective cyber regulation. NCSC itself has no regulatory responsibilities, and organisations subject to
cyber regulation should consult with their regulators to learn whether they should use the CAF in the
context of meeting regulatory requirements.

CAF Requirements
The CAF has been developed to meet the following set of requirements:

1. provide a suitable framework to assist in carrying out cyber resilience assessments.

2. maintain the outcome-focused approach of the NCSC cyber security and resilience principles
and discourage assessments being carried out as tick-box exercises.

3. be compatible with the use of appropriate existing cyber security guidance and standards.

4. enable the identification of effective cyber security and resilience improvement activities.

5. exist in a common core version which is sector-agnostic.

6. be extensible to accommodate sector-specific elements as may be required.

7. enable the setting of meaningful target security levels for organisations to achieve, possibly
reflecting a regulator view of appropriate and proportionate security.

8. be as straightforward and cost-effective to apply as possible.

CAF Principles and contributing outcomes

Each top-level NCSC security and resilience principle defines a broad cyber security outcome. The
precise approach organisations should adopt to achieve each principle is not specified as this will
vary according to organisational circumstances. However, each principle can be broken down into a
collection of lower-level contributing cyber security and resilience outcomes, all of which will
normally need to be achieved to fully satisfy the top-level principle.

3 of 40
An assessment of the extent to which an organisation is meeting a particular principle is
accomplished by assessing all the contributing outcomes for that principle. In order to inform
assessments at the level of contributing outcomes:

1. each contributing outcome is associated with a set of indicators of good practice (IGPs) and,

2. using the relevant IGPs, the circumstances under which the contributing outcome is judged
‘achieved’, ’not achieved’ or (in some cases) ‘partially achieved’ are described.

For each contributing outcome the relevant IGPs have conveniently been arranged into table format.
The resulting tables, referred to as IGP tables, constitute the basic building blocks of the CAF. In this
way, each principle is associated with several tables of IGPs, one table per contributing outcome.

Using IGPs
Assessment of contributing outcomes is primarily a matter of expert judgement and the IGPs do not
remove the requirement for the informed use of cyber security expertise and sector knowledge.
IGPs will usually provide good starting points for assessments but should be used flexibly and in
conjunction with the NCSC guidance associated with the top-level cyber security and resilience
principles. Conclusions about an organisation’s cyber security and resilience should only be drawn
after considering additional relevant factors and special circumstances.

The ‘achieved’ (GREEN) column of an IGP table defines the typical characteristics of an
organisation fully achieving that outcome. It is intended that all the indicators would normally be
present to support an assessment of ‘achieved’. The exception would be when an IGP may not be
applicable if there are compensating measures that would meet the requirements of the relevant
objective.

The ‘not achieved’ (RED) column of an IGP table defines the typical characteristics of an
organisation not achieving that outcome. It is intended that the presence of any one indicator would
normally be sufficient to justify an assessment of ‘not achieved’.

When present, the ‘partially achieved’ (AMBER) column of an IGP table defines the typical
characteristics of an organisation partially achieving that outcome. It is also important that the
partial achievement is delivering specific worthwhile cyber security and resilience benefits. An
assessment of ‘partially achieved’ should represent more than giving credit for doing something
vaguely relevant.

The following table summarises the key points relating to the purpose and nature of IGPs.

IGPs are… IGPs are not…

Purpose …intended to help inform expert …a checklist to be used in an inflexible

judgement. assessment process.

Scope …important examples of what an … an exhaustive list covering everything

assessor will normally need to consider, an assessor needs to consider.
which may need to be supplemented in
some cases.

Applicability …designed to be widely applicable …guaranteed to apply verbatim to all

across different organisations, but organisations.
applicability needs to be established.

4 of 40
Setting target levels of cyber security and resilience
The result of applying the CAF is 39 individual assessments, each one derived from making a
judgement on the extent to which a set of IGPs reflects the circumstances of the organisation being
assessed. The CAF has been designed in such a way that a result in which all 39 contributing
outcomes were assessed as ‘achieved’ would indicate a level of cyber security some way beyond the
bare minimum ‘basic cyber hygiene’ level.

A cyber oversight body will need to set target levels of cyber resilience for organisations within their
sector. One way of setting these target levels is in relation to the ability to withstand specified
categories of cyber attacks (e.g. resilience to basic capability attacks, moderate capability attacks
etc.) and the CAF has been designed to support this approach via the idea of CAF profiles.
The NCSC has worked with regulators and other organisations with a cyber resilience oversight role
on an approach to interpreting CAF output based on identifying those contributing outcomes
considered most important to achieve in order to manage security risks to that organisation’s
essential functions. Those prioritised contributing outcomes would correspond to an initial view of
appropriate and proportionate cyber security for that organisation. The subset of contributing
outcomes identified as the most important in this way would represent an example of a CAF
profile – something that could be used as the basis for setting a target for organisations to achieve.
In practice a CAF profile consists of a mixture of some contributing outcomes to be met at
‘achieved’, some at ‘partially achieved’ and perhaps some (representing cyber security capabilities
not appropriate at the level of the profile) identified as ‘not applicable’.
It is not the responsibility of the NCSC to mandate what represents appropriate and proportionate
(as defined in the NIS Regulations) cyber security and resilience. Any target set for organisations to
achieve in terms of CAF results is for the relevant cyber oversight body to define.

Making the CAF sector specific

The common core of the CAF (consisting of principles, contributing outcomes and indicators of good
practice) is sector agnostic in the sense that it is designed to be generally applicable to all
organisations responsible for essential functions across all key sectors. It is possible that there will be
a need for some sector specific aspects of the CAF, which could include the following:

i) Sector-specific CAF Profiles

Some target profiles may well be sector specific. As mentioned in the section on setting target levels,
it will be a decision for the relevant cyber oversight body to put an interpretation on CAF results,
which may be from a regulatory perspective.

ii) Sector-specific Interpretations of Contributing Outcomes/IGPs

It may be necessary in some cases for a sector-specific interpretation of contributing outcomes
and/or IGPs to better clarify meaning within the sector.

iii) Sector-specific Additional Contributing Outcomes/IGPs

There may be circumstances in which sector-specific cyber security requirements cannot be
adequately covered by an interpretation of a generic contributing outcome or IGP. In these cases, an
additional sector-specific contributing outcome or IGP may need to be defined.

The NCSC will continue to work with the full range of CAF stakeholders to determine if sector-
specific aspects of the CAF are required, and to assist in introducing changes as necessary.

5 of 40
The Cyber Assessment Framework
CAF - Objective A - Managing security risk
Appropriate organisational structures, policies, processes and procedures in place to understand,
assess and systematically manage security risks to the network and information systems supporting
essential functions.

Principle A1 Governance
The organisation has appropriate management policies, processes and procedures in place to govern its
approach to the security of network and information systems.

A1.a Board Direction

You have effective organisational security management led at board level and articulated clearly in
corresponding policies.

Not Achieved Achieved

At least one of the following statements is true All the following statements are true

The security of network and information systems
related to the operation of essential function(s) is
not discussed or reported on regularly at board-
level.
Board-level discussions on the security of network
and information systems are based on partial or
out-of-date information, without the benefit of
expert guidance.
The security of network and information systems
supporting your essential function(s) are not driven
effectively by the direction set at board-level.
Senior management or other pockets of the
organisation consider themselves exempt from
some policies or expect special accommodations to
be made.
Your organisation's approach and policy relating
to the security of network and information systems
supporting the operation of your essential
function(s) are owned and managed at board-level.
These are communicated, in a meaningful way, to
risk management decision-makers across the
organisation.
Regular board-level discussions on the security of
network and information systems supporting the
operation of your essential function(s) take place,
based on timely and accurate information and
informed by expert guidance.
There is a board-level individual who has overall
accountability for the security of network and
information systems and drives regular discussion
at board-level.
Direction set at board-level is translated into
effective organisational practices that direct and
control the security of the network and information
systems supporting your essential function(s).

6 of 40
A1.b Roles and Responsibilities
Your organisation has established roles and responsibilities for the security of network and information
systems at all levels, with clear and well-understood channels for communicating and escalating risks.

Not Achieved Achieved

At least one of the following statements is true All the following statements are true

Key roles are missing, left vacant, or fulfilled on an
ad-hoc or informal basis.
Staff are assigned security responsibilities but
without adequate authority or resources to fulfil
them.
Staff are unsure what their responsibilities are for
the security of the essential function(s).
Key roles and responsibilities for the security of
network and information systems supporting your
essential function(s) have been identified. These
are reviewed regularly to ensure they remain fit for
purpose.
Appropriately capable and knowledgeable staff fill
those roles and are given the time, authority, and
resources to carry out their duties.
There is clarity on who in your organisation has
overall accountability for the security of the
network and information systems supporting your
essential function(s).

A1.c Decision-making
You have senior-level accountability for the security of network and information systems, and delegate
decision-making authority appropriately and effectively. Risks to network and information systems related
to the operation of your essential function(s) are considered in the context of other organisational risks.

Not Achieved Achieved

At least one of the following statements is true All the following statements are true

What should be relatively straightforward risk
decisions are constantly referred up the chain, or
not made.
Risks are resolved informally (or ignored) at a local
level when the use of a more formal risk reporting
mechanism would be more appropriate.
Decision-makers are unsure of what senior
management's risk appetite is, or only understand
it in vague terms such as "averse" or "cautious".
Organisational structure causes risk decisions to be
made in isolation. (e.g. engineering and IT don't
talk to each other about risk).
Risk priorities are too vague to make meaningful
distinctions between them. (e.g. almost all risks are
rated 'medium' or 'amber').
Senior management have visibility of key risk
decisions made throughout the organisation.
Risk management decision-makers understand
their responsibilities for making effective and
timely decisions in the context of the risk appetite
regarding the essential function(s), as set by senior
management.
Risk management decision-making is delegated and
escalated where necessary, across the
organisation, to people who have the skills,
knowledge, tools and authority they need.
Risk management decisions are regularly reviewed
to ensure their continued relevance and validity.

7 of 40
Principle A2 Risk Management
The organisation takes appropriate steps to identify, assess and understand security risks to the network
and information systems supporting the operation of essential functions. This includes an overall
organisational approach to risk management.
A2.a Risk Management Process
Your organisation has effective internal processes for managing risks to the security of network and
information systems related to the operation of your essential function(s) and communicating associated
activities.
Not Achieved
At least one of the following
statements is true
Risk assessments are not based on
a clearly defined set of threat
assumptions.
Risk assessment outputs are too
complex or unwieldy to be
consumed by decision-makers
and are not effectively
communicated in a clear and timely
manner.
Risk assessments for network and
information systems supporting
your essential function(s) are a
"one-off" activity or not done at all.
The security elements of projects or
programmes are solely dependent
on the completion of a risk
management assessment without
any regard to the outcomes.
There is no systematic process in
place to ensure that identified
security risks are managed
effectively.
Systems are assessed in isolation,
without consideration of
dependencies and interactions with
other systems. (e.g. interactions
between IT and OT environments).
Security requirements and
mitigations are arbitrary or are
applied from a control catalogue
without consideration of how they
contribute to the security of the
essential function(s).
Partially Achieved
All the following statements
are true
Your organisational process
ensures that security risks to
network and information
systems relevant to essential
function(s) are identified,
analysed, prioritised, and
managed.
Your risk assessments are
informed by an
understanding of the
vulnerabilities in the network
and information systems
supporting your essential
function(s).
The output from your risk
management process is a
clear set of security
requirements that will
address the risks in line with
your organisational approach
to security.
Significant conclusions
reached in the course of your
risk management process are
communicated to key
security decision-makers and
accountable individuals.
You conduct risk assessments
when significant events
potentially affect the
essential function(s), such as
replacing a system or a
change in the cyber security
threat.
8 of 40
Achieved
All the following statements are
true
Your organisational process
ensures that security risks to
network and information systems
relevant to essential function(s)
are identified, analysed,
prioritised, and managed.
Your approach to risk is focused
on the possibility of adverse
impact to your essential
function(s), leading to a detailed
understanding of how such
impact might arise as a
consequence of possible attacker
actions and the security
properties of your network and
information systems.
Your risk assessments are based
on a clearly understood set of
threat assumptions, informed by
an up-to-date understanding of
security threats to your essential
function(s) and your sector.
Your risk assessments are
informed by an understanding of
the vulnerabilities in the network
and information systems
supporting your essential
function(s).
The output from your risk
management process is a clear
set of security requirements that
will address the risks in line with
your organisational approach to
security.
 Risks remain unresolved on a
register for prolonged periods of
time awaiting senior decision-
making or resource allocation to
resolve.
You perform threat analysis
and understand how generic
threats apply to your
organisation.
Significant conclusions reached in
the course of your risk
management process are
communicated to key security
decision-makers and accountable
individuals.
Your risk assessments
are dynamic and updated in the
light of relevant changes which
may include technical changes to
network and information
systems, change of use and new
threat information.
The effectiveness of your risk
management process is reviewed
regularly, and improvements
made as required.
You perform detailed threat
analysis and understand how this
applies to your organisation in
the context of the threat to your
sector and the wider CNI.

A2.b Assurance
You have gained confidence in the effectiveness of the security of your technology, people, and processes
relevant to your essential function(s).

Not Achieved Achieved

At least one of the following statements is true All the following statements are true

A particular product or service is seen as a "silver
bullet" and vendor claims are taken at face value.
Assurance methods are applied without
appreciation of their strengths and limitations,
such as the risks of penetration testing in
operational environments.
Assurance is assumed because there have been no
known problems to date.
You validate that the security measures in place to
protect the network and information systems
are effective and remain effective for the lifetime
over which they are needed.
You understand the assurance methods available
to you and choose appropriate methods to gain
confidence in the security of essential function(s).
Your confidence in the security as it relates to your
technology, people, and processes can be
justified to, and verified by, a third party.
Security deficiencies uncovered by assurance
activities are assessed, prioritised and remedied
when necessary in a timely and effective way.
The methods used for assurance are reviewed to
ensure they are working as intended and remain
the most appropriate method to use.

9 of 40
Principle A3 Asset Management
Everything required to deliver, maintain or support network and information systems necessary for the
operation of essential functions is determined and understood. This includes data, people and systems, as
well as any supporting infrastructure (such as power or cooling).

A3.a Asset Management

Not Achieved Achieved

At least one of the following statements is true All the following statements are true

Inventories of assets relevant to the essential
function(s) are incomplete, non-existent, or
inadequately detailed.
Only certain domains or types of asset are
documented and understood. Dependencies
between assets are not understood (such as the
dependencies between IT and OT).
Information assets, which could include personally
identifiable information and / or important / critical
data, are stored for long periods of time with no
clear business need or retention policy.
Knowledge critical to the management, operation,
or recovery of the essential function(s) is held by
one or two key individuals with no succession plan.
Asset inventories are neglected and out of date.
All assets relevant to the secure operation of
essential function(s) are identified and inventoried
(at a suitable level of detail). The inventory is kept
up-to-date.
Dependencies on supporting infrastructure (e.g.
power, cooling etc) are recognised and recorded.
You have prioritised your assets according to their
importance to the operation of the essential
function(s).
You have assigned responsibility for managing all
assets, including physical assets, relevant to the
operation of the essential function(s).
Assets relevant to the essential function(s) are
managed with cyber security in mind throughout
their lifecycle, from creation through to eventual
decommissioning or disposal.

Principle A4 Supply Chain

The organisation understands and manages security risks to network and information systems supporting
the operation of essential functions that arise as a result of dependencies on external suppliers. This
includes ensuring that appropriate measures are employed where third party services are used.

A4.a Supply Chain

Not Achieved Partially Achieved Achieved

At least one of the following All the following statements are All the following statements are
statements is true true true

You do not know what data
belonging to you is held by
suppliers, or how it is
managed.
Elements of the supply chain
for essential function(s) are
subcontracted and you have
You understand the general risks
suppliers may pose to your
essential function(s).
You know the extent of your
supply chain that supports your
essential function(s), including
sub-contractors.
You have a deep understanding of
your supply chain, including sub-
contractors and the wider risks it
faces. You consider factors such as
supplier’s partnerships,
competitors, nationality and other
organisations with which they sub-
contract. This informs your risk

10 of 40
little or no visibility of the
sub-contractors.
You have no understanding
of which contracts are
relevant and / or relevant
contracts do not specify
appropriate security
obligations.
Suppliers have access to
systems that provide your
essential function(s) that is
unrestricted, not monitored
or bypasses your own
security controls.
You understand which contracts
are relevant and you include
appropriate security obligations in
relevant contracts.
You are aware of all third-party
connections and have assurance
that they meet your
organisation’s security
requirements.
Your approach to security
incident management considers
incidents that might arise in your
supply chain.
You have confidence that
information shared with suppliers
that is necessary for the
operation of your essential
function(s) is
appropriately protected from
well-known attacks and known
vulnerabilities.
11 of 40
assessment and procurement
processes.
Your approach to supply chain risk
management considers the risks to
your essential function(s) arising
from supply chain subversion by
capable and well-resourced
attackers.
You have confidence that
information shared with suppliers
that is essential to the operation of
your function(s) is appropriately
protected from sophisticated
attacks.
You understand which contracts are
relevant and you include
appropriate security obligations in
relevant contracts. You have a
proactive approach to contract
management which may include a
contract management plan for
relevant contracts.
Customer / supplier ownership of
responsibilities is laid out in
contracts.
All network connections and data
sharing with third parties are
managed effectively and
proportionately.
When appropriate, your
incident management process and
that of your suppliers provide
mutual support in the resolution of
incidents.
CAF - Objective B - Protecting against cyber attack
Proportionate security measures are in place to protect the network and information systems
supporting essential functions from cyber attack.

Principle B1 Service Protection Policies, Processes and Procedures

The organisation defines, implements, communicates and enforces appropriate policies, processes and
procedures that direct its overall approach to securing systems and data that support operation of
essential functions.

B1.a Policy, Process and Procedure Development

You have developed and continue to improve a set of cyber security and resilience policies, processes and
procedures that manage and mitigate the risk of adverse impact on your essential function(s).

Not Achieved Partially Achieved Achieved

At least one of the following All the following statements are All the following statements are
statements is true true true

Your policies, processes and
procedures are absent or
incomplete.
Policies, processes and
procedures are not applied
universally or consistently.
People often or routinely
circumvent policies, processes
and procedures to achieve
business objectives.
Your policies, processes and
procedures document your
overarching security governance
and risk management approach,
technical security practice and
specific regulatory compliance.
You review and update policies,
processes and procedures in
response to major cyber security
incidents.
You fully document your
overarching security governance
and risk management approach,
technical security practice and
specific regulatory compliance.
Cyber security is integrated and
embedded throughout policies,
processes and procedures and
key performance indicators are
reported to your executive
management.

Your organisation’s security Your organisation’s policies,

governance and risk processes and procedures are
management approach has no developed to be practical, usable
bearing on your policies, and appropriate for your
processes and procedures. essential function(s) and your
technologies.
System security is totally reliant
on users' careful and consistent Policies, processes and
application of manual security procedures that rely on user
processes. behaviour are practical,
appropriate and achievable.
Policies, processes and
procedures have not been You review and update policies,
reviewed in response to major processes and procedures at
changes (e.g. technology or suitably regular intervals to
regulatory framework), or within ensure they remain relevant.
a suitable period. This is in addition to reviews
following a major cyber security
Policies, processes and incident.
procedures are not readily
available to staff, too detailed to Any changes to the essential
function(s) or the threat it faces

12 of 40
 remember, or too hard to
understand.
B1.b Policy, Process and Procedure Implementation
You have successfully implemented your security policies, processes and procedures and can demonstrate
the security benefits achieved.
Not Achieved
At least one of the following
statements is true
Policies, processes and
procedures are ignored or only
partially followed.
How your policies, processes and
procedures support the
resilience of your essential
function(s) is not well
understood.
Staff are unaware of their
responsibilities under your
policies, processes and
procedures.
You do not attempt to detect
breaches of policies, processes
and procedures.
Policies, processes and
procedures lack integration with
other organisational policies,
processes and procedures.
Your policies, processes and
procedures are not well
communicated across your
organisation.
Partially Achieved
All the following statements are
true
Most of your policies, processes
and procedures are followed and
their application is monitored.
Your policies, processes and
procedures are integrated with
other organisational policies,
processes and procedures,
including HR assessments of
individuals' trustworthiness.
All staff are aware of their
responsibilities under your
policies, processes and
procedures.
All breaches of policies,
processes and procedures with
the potential to adversely impact
the essential function(s) are fully
investigated. Other breaches are
tracked, assessed for trends and
action is taken to understand
and address.
13 of 40
triggers a review of policies,
processes and procedures.
Your systems are designed so
that they remain secure even
when user security policies,
processes and procedures
are not always followed.
Achieved
All the following statements are
true
All your policies, processes and
procedures are followed, their
correct application and
security effectiveness is
evaluated.
Your policies, processes and
procedures are integrated with
other organisational policies,
processes and procedures,
including HR assessments of
individuals' trustworthiness.
Your policies, processes and
procedures are effectively
and appropriately
communicated across all levels
of the organisation resulting in
good staff awareness of their
responsibilities.
Appropriate action is taken to
address all breaches of policies,
processes and procedures with
potential to adversely impact
the essential function(s)
including aggregated breaches.
Principle B2 Identity and Access Control
The organisation understands, documents and manages access to network and information systems
supporting the operation of essential functions. Users (or automated functions) that can access data or
systems are appropriately verified, authenticated and authorised.

B2.a Identity Verification, Authentication and Authorisation

You robustly verify, authenticate and authorise access to the network and information systems supporting
your essential function(s).

Not Achieved Partially Achieved Achieved

At least one of the following All the following statements are All the following statements are
statements is true true true

Initial identity verification is not
robust enough to provide an
acceptable level of confidence of
a user’s identity profile.
Authorised users and systems
with access to networks or
information systems on which
your essential function(s)
depends cannot be individually
identified.
Unauthorised individuals or
devices can access your network
or information systems on which
your essential function(s)
depends.
The number of authorised users
and systems that have access to
your network and information
systems are not limited to the
minimum necessary.
Your approach to authenticating
users, devices and systems does
not follow up to date best
practice.
Your process of initial identity
verification is robust enough to
provide a reasonable level of
confidence of a user’s identity
profile before allowing an
authorised user access to
network and information
systems that support your
essential function(s).
All authorised users and systems
with access to network or
information systems on which
your essential function(s)
depends are individually
identified and authenticated.
The number of authorised users
and systems that have access to
essential function(s) network
and information systems is
limited to the minimum
necessary.
You use additional
authentication mechanisms,
such as multi-factor (MFA),
for privileged access to all
network and information
systems that operate or support
your essential function(s).
You individually authenticate
and authorise all remote access
to all your network and
information systems that
support your essential
function(s).
Your process of initial identity
verification is robust enough to
provide a high level of
confidence of a user’s identity
profile before allowing an
authorised user access to
network and information
systems that support your
essential function(s).
Only authorised and individually
authenticated users can
physically access and logically
connect to your network or
information systems on which
your essential function(s)
depends.
The number of authorised users
and systems that have access to
all your network and information
systems supporting the essential
function(s) is limited to the
minimum necessary.
You use additional
authentication mechanisms,
such as multi-factor
(MFA), for all user access,
including remote access, to all
network and information
systems that operate or support
your essential function(s).
The list of users and systems
with access to network and
information systems supporting
and delivering the essential
function(s) is reviewed on a

14 of 40

B2.b Device Management
You fully know and have trust in the devices that are used to access your networks, information systems
and data that support your essential function(s).
Not Achieved
At least one of the following
statements is true
Users can connect to your
network and information
systems supporting your
essential function(s) using
devices that are not corporately
owned and managed.
Privileged users can perform
privileged operations from
devices that are not corporately
owned and managed.
You have not gained assurance
in the security of any third-party
devices or networks connected
to your systems.
Physically connecting a device to
your network and information
systems gives that device access
without device or user
authentication.
The list of users and systems
with access to network and
information systems supporting
and delivering the essential
function(s) is reviewed on a
regular basis, at least annually.
Your approach to authenticating
users, devices and systems
follows up to date best practice.
Partially Achieved
All the following statements are
true
Only corporately owned and
managed devices can access
your essential function(s)
network and information
systems.
All privileged operations are
performed from corporately
owned and managed devices.
These devices provide sufficient
separation, using a risk-based
approach, from the activities of
standard users.
You have sought to understand
the security properties of third-
party devices and networks
before they can be connected to
your systems. You have taken
appropriate steps to mitigate
any risks identified.
The act of connecting to a
network port or cable does not
grant access to any systems.
You are able to detect unknown
devices being connected to your
network and information
systems and investigate such
incidents.
15 of 40
regular basis, at least every six
months.
Your approach to authenticating
users, devices and systems
follows up to date best practice.
Achieved
All the following statements are
true
All privileged operations
performed on your network and
information systems supporting
your essential function(s) are
conducted from highly trusted
devices, such as Privileged
Access Workstations, dedicated
solely to those operations.
You either obtain independent
and professional assurance of
the security of third-party
devices or networks before they
connect to your network and
information systems, or you only
allow third-party devices or
networks that are dedicated to
supporting your network and
information systems to connect.
You perform certificate-based
device identity management and
only allow known devices to
access systems necessary for the
operation of your essential
function(s).
You perform regular scans to
detect unknown devices and
investigate any findings.
B2.c Privileged User Management
You closely manage privileged user access to network and information systems supporting your essential
function(s).
Not Achieved
At least one of the following
statements is true
The identities of the individuals
with privileged access to
network and information
systems (infrastructure,
platforms, software,
configuration etc) supporting
your essential function(s) are not
known or not managed.
Privileged user access to
network and information
systems supporting your
essential function(s) is via weak
authentication mechanisms (e.g.
only simple passwords).
The list of privileged users has
not been reviewed recently (e.g.
within the last 12 months).
Privileged user access is granted
on a system-wide basis rather
than by role or function(s).
Privileged user access to your
essential function(s) is via
generic, shared or default name
accounts.
Where there are “always on”
terminals which can perform
privileged actions (such as in a
control room), there are no
additional controls (e.g. physical
controls) to ensure access is
appropriately restricted.
There is no logical separation
between roles that an individual
may have and hence the actions
they perform (e.g. access to
corporate email and
privilege user actions).
Partially Achieved
All the following statements are
true
All privileged user access to
network and information
systems supporting your
essential function(s) requires
strong authentication, such as
multi-factor (MFA).
The identities of the individuals
with privileged access to
network and information
systems (infrastructure,
platforms, software,
configuration etc) supporting
your essential function(s) are
known and managed. This
includes third parties.
Activity by privileged users is
routinely reviewed and validated
(e.g. at least annually).
Privileged users are only granted
specific privileged user access
rights which are essential to
their business role or function.
16 of 40
Achieved
All the following statements are
true
Privileged user access to
network and information
systems supporting your
essential function(s) is carried
out from dedicated separate
accounts that are closely
monitored and managed.
The issuing of temporary, time-
bound rights for privileged user
access and / or external third-
party support access is in place.
Privileged user access rights are
regularly reviewed and always
updated as part of your joiners,
movers and leavers process.
All privileged user activity is
routinely reviewed, validated
and recorded for offline analysis
and investigation.
B2.d Identity and Access Management (IdAM)
You closely manage and maintain identity and access control for users, devices and systems accessing the
network and information systems supporting your essential function(s).
Not Achieved
At least one of the following
statements is true
Greater access rights are granted
than necessary.
Identity validation and
requirement for access of a user,
device or systems is not carried
out.
User access rights are not
reviewed when users change
roles.
User access rights remain active
when users leave your
organisation.
Access rights granted to devices
or systems to access other
devices and systems are not
reviewed on a regular basis (at
least annually).
Partially Achieved
All the following statements are
true
You follow a robust procedure to
verify each user and issue the
minimum required access rights.
You regularly review access
rights and those no longer
needed are revoked.
User access rights are reviewed
when users change roles via your
joiners, leavers and movers
process.
All user, device and system
access to the systems supporting
the essential function(s) is
logged and monitored, but it is
not compared to other log data
or access records.
17 of 40
Achieved
All the following statements are
true
You follow a robust procedure to
verify each user and issue the
minimum required access rights,
and the application of the
procedure is regularly audited.
User access rights are reviewed
both when people change roles
via your joiners, leavers and
movers process and at regular
intervals - at least annually.
All user, device and systems
access to the systems supporting
the essential function(s) is
logged and monitored.
You regularly review access logs
and correlate this data with
other access records and
expected activity.
Attempts by unauthorised users,
devices or systems to connect to
the systems supporting the
essential function(s) are alerted,
promptly assessed and
investigated.
Principle B3 Data Security
Data stored or transmitted electronically is protected from actions such as unauthorised access,
modification, or deletion that may cause an adverse impact on essential functions. Such protection
extends to the means by which authorised users, devices and systems access critical data necessary for
the operation of essential functions. It also covers information that would assist an attacker, such as
design details of network and information systems.

B3.a Understanding Data

You have a good understanding of data important to the operation of your essential function(s), where it
is stored, where it travels and how unavailability or unauthorised access, modification or deletion would
adversely impact the essential function(s). This also applies to third parties storing or accessing data
important to the operation of your essential function(s).

Not Achieved Partially Achieved Achieved

At least one of the following All the following statements are All the following statements are
statements is true true true

You have incomplete knowledge
of what data is used by and
produced in the operation of the
essential function(s).
You have not identified the
important data on which your
essential function(s) relies.
You have not identified who has
access to data important to the
operation of the essential
function(s).
You have not clearly articulated
the impact of data compromise
or lack of availability.
You have identified and
catalogued all the data
important to the operation of
the essential function(s), or that
would assist an attacker.
You have identified and
catalogued who has access to
the data important to the
operation of the essential
function(s).
You regularly review location,
transmission, quantity and
quality of data important to the
operation of the essential
function(s).
You have identified all mobile
devices and media that hold
data important to the operation
of the essential function(s).
You understand and document
the impact on your essential
function(s) of all relevant
scenarios, including
unauthorised data access,
modification or deletion,
or when authorised users are
unable to appropriately access
this data.
You have identified and
catalogued all the data
important to the operation of
the essential function(s), or that
would assist an attacker.
You have identified and
catalogued who has access to
the data important to the
operation of the essential
function(s).
You maintain a current
understanding of the location,
quantity and quality of data
important to the operation of
the essential function(s).
You take steps to remove or
minimise unnecessary copies or
unneeded historic data.
You have identified all mobile
devices and media that may hold
data important to the operation
of the essential function(s).
You maintain a current
understanding of the data links
used to transmit data that is
important to your essential
function(s).

You occasionally validate these You understand the context,

documented impact statements. limitations and dependencies of
your important data.

18 of 40

B3.b Data in Transit
You have protected the transit of data important to the operation of your essential function(s). This
includes the transfer of data to third parties.
Not Achieved
At least one of the following
statements is true
You do not know what all your
data links are, or which carry
data important to the operation
of the essential function(s).
Data important to the operation
of the essential function(s)
travels without technical
protection over non-trusted or
openly accessible carriers.
Critical data paths that could fail,
be jammed, be overloaded, etc.
have no alternative path.
Partially Achieved
All the following statements are
true
You have identified and
protected (effectively and
proportionately) all the data
links that carry data important to
the operation of your essential
function(s).
You apply appropriate technical
means (e.g. cryptography) to
protect data that travels
over non-trusted or openly
accessible carriers, but you have
limited or no confidence in the
robustness of the protection
applied.
19 of 40
You understand and document
the impact on your essential
function(s) of all relevant
scenarios, including
unauthorised data access,
modification or deletion,
or when authorised users are
unable to appropriately
access this data.
You validate these documented
impact statements regularly, at
least annually.
Achieved
All the following statements are
true
You have identified and
protected (effectively and
proportionately) all the data
links that carry data important to
the operation of your essential
function(s).
You apply appropriate physical
and / or technical means to
protect data that travels over
non-trusted or openly accessible
carriers, with justified
confidence in the robustness of
the protection applied.
Suitable alternative transmission
paths are available where there
is a significant risk of impact on
the operation of the essential
function(s) due to resource
limitation (e.g. transmission
equipment or function failure, or
important data being blocked or
jammed).
B3.c Stored Data
You have protected stored soft and hard copy data important to the operation of your essential
function(s).
Not Achieved
At least one of the following
statements is true
You have no, or limited,
knowledge of where data
important to the operation of
the essential function(s) is
stored.
You have not protected
vulnerable stored data
important to the operation of
the essential function(s) in a
suitable way.
Backups are incomplete,
untested, not adequately
secured or could be inaccessible
in a disaster recovery or business
continuity situation.
Partially Achieved
All the following statements are
true
All copies of data important to
the operation of your essential
function(s) are necessary. Where
this important data is
transferred to less secure
systems, the data is provided
with limited detail and / or as
a read-only copy.
You have applied suitable
physical and / or technical
means to protect this important
stored data from unauthorised
access, modification or deletion.
If cryptographic protections are
used, you apply suitable
technical and procedural
means, but you have limited or
no confidence in the robustness
of the protection applied.
You have suitable, secured
backups of data to allow
the operation of the essential
function(s) to continue should
the original data not be
available. This may include off-
line or segregated backups,
or appropriate alternative forms
such as paper copies.
20 of 40
Achieved
All the following statements are
true
All copies of data important to
the operation of your essential
function(s) are necessary. Where
this important data is
transferred to less secure
systems, the data is provided
with limited detail and / or as
a read-only copy.
You have applied suitable
physical and / or technical
means to protect this important
stored data from unauthorised
access, modification or deletion.
If cryptographic protections are
used you apply suitable
technical and procedural means,
and you have justified
confidence in the robustness of
the protection applied.
You have suitable, secured
backups of data to allow
the operation of the essential
function(s) to continue should
the original data not be
available. This may include off-
line or segregated backups,
or appropriate alternative forms
such as paper copies.
Necessary historic or archive
data is suitably secured in
storage.
B3.d Mobile Data
You have protected data important to the operation of your essential function(s) on mobile devices.
Not Achieved
At least one of the following
statements is true
You don’t know which mobile
devices may hold data important
to the operation of the essential
function(s).
You allow data important to the
operation of the essential
function(s) to be stored on
devices not managed by your
organisation, or to at least
equivalent standard.
Data on mobile devices is not
technically secured, or only
some is secured.
Partially Achieved
All the following statements are
true
You know which mobile devices
hold data important to the
operation of the essential
function(s).
Data important to the operation
of the essential function(s) is
stored on mobile devices only
when they have at least the
security standard aligned to your
overarching security policies.
Data on mobile devices is
technically secured.
21 of 40
Achieved
All the following statements are
true
Mobile devices that hold data
that is important to the
operation of the essential
function(s) are catalogued, are
under your organisation's
control and configured according
to best practice for the platform,
with appropriate technical and
procedural policies in place.
Your organisation can remotely
wipe all mobile devices holding
data important to the operation
of the essential function(s).
You have minimised this data on
these mobile devices. Some
data may be automatically
deleted off mobile devices after
a certain period.
B3.e Media / Equipment Sanitisation

Before reuse and / or disposal you appropriately sanitise devices, equipment and removable media
holding data important to the operation of your essential function(s).

Not Achieved Partially Achieved Achieved

At least one of the following All the following statements All the following statements are
statements is true are true true

Some or all devices, equipment
or removable media that hold
data important to the operation
of the essential function(s) are
reused or disposed of without
sanitisation of that data.
Data important to the
operations of the essential
function(s) is removed from all
devices, equipment and
removable media before reuse
and / or disposal.
You catalogue and track all devices
that contain data important to the
operation of the essential
function(s) (whether a specific
storage device or one with integral
storage).
Data important to the operation of
the essential function(s) is removed
from all devices, equipment and
removable media before reuse and
/ or disposal using an assured
product or service.

Principle B4 System Security

Network and information systems and technology critical for the operation of essential functions are
protected from cyber attack. An organisational understanding of risk to essential functions informs the
use of robust and reliable protective security measures to effectively limit opportunities for attackers to
compromise networks and systems.

B4.a Secure by Design

You design security into the network and information systems that support the operation of your essential
function(s). You minimise their attack surface and ensure that the operation of your essential function(s)
should not be impacted by the exploitation of any single vulnerability.

Not Achieved Partially Achieved Achieved

At least one of the following All the following statements are All the following statements are
statements is true true true

Systems essential to the You employ appropriate You employ appropriate

operation of the essential
function(s) are not appropriately
segregated from other systems.
Internet access is available from
network and information
systems supporting your
essential function(s).
expertise to design network and
information systems.
You design strong boundary
defences where your network
and information systems
interface with other
organisations or the world at
large.
expertise to design network and
information systems.
Your network and information
systems are segregated into
appropriate security zones (e.g.
systems supporting the essential
function(s) are segregated in a

22 of 40

Data flows between network
and information systems
supporting your essential
function(s) and other systems
are complex, making it hard
to discriminate between
legitimate and illegitimate /
malicious traffic.
Remote or third-party accesses
circumvent some network
controls to gain more direct
access to network and
information systems supporting
the essential function(s).
B4.b Secure Configuration
You securely configure the network and information systems that support the operation of your essential
function(s).
Not Achieved
At least one of the following
statements is true
You haven't identified the assets
that need to be carefully
configured to maintain the
security of the essential
function(s).
Policies relating to the security
of operating system builds or
configuration are not applied
consistently across your network
and information systems relating
to your essential function(s).
Configuration details are not
recorded or lack enough
information to be able to rebuild
the system or device.
The recording of security
changes or adjustments that
You design simple data flows
between your network and
information systems and any
external interface to enable
effective monitoring.
You design to make network and
information system recovery
simple.
All inputs to network and
information systems supporting
your essential function(s) are
checked and validated at the
network boundary where
possible, or additional
monitoring is in place for
content-based attacks.
Partially Achieved
All the following statements are
true
You have identified and
documented the assets that
need to be carefully configured
to maintain the security of the
essential function(s).
Secure platform and device
builds are used across the
estate.
Consistent, secure and minimal
system and device
configurations are applied across
the same types of environment.
Changes and adjustments to
security configuration at security
boundaries with the network
and information systems
supporting your essential
23 of 40
highly trusted, more secure
zone).
The network and information
systems supporting your
essential function(s) are
designed to have simple data
flows between components to
support effective security
monitoring.
The network and information
systems supporting your
essential function(s) are
designed to be easy to recover.
Content-based attacks are
mitigated for all inputs to
network and information
systems that affect the essential
function(s) (e.g. via
transformation and inspection).
Achieved
All the following statements are
true
You have identified,
documented and actively
manage (e.g. maintain security
configurations, patching,
updating according to good
practice) the assets that need to
be carefully configured to
maintain the security of the
essential function(s).
All platforms conform to your
secure, defined baseline build,
or the latest known good
configuration version for that
environment.
You closely and effectively
manage changes in your
environment, ensuring that
network and system
 affect your essential function(s)
is lacking or inconsistent.
Generic, shared, default name
and built-in accounts have not
been removed or disabled.
B4.c Secure Management
You manage your organisation's network and information systems that support the operation of your
essential function(s) to enable and maintain security.
Not Achieved
At least one of the following
statements is true
Your systems and devices
supporting the operation of the
essential function(s) are
administered or maintained
from devices that are not
corporately owned and
managed.
You do not have good or current
technical documentation of your
network and information
systems.
function(s) are approved and
documented.
You verify software before
installation is permitted.
Generic, shared, default name
and built-in accounts have been
removed or disabled. Where this
is not possible, credentials to
these accounts have been
changed.
Partially Achieved
All the following statements are
true
Your systems and devices
supporting the operation of the
essential function(s) are only
administered or maintained by
authorised privileged users from
devices sufficiently separated,
using a risk-based approach,
from the activities of standard
users.
Technical knowledge about
network and information
systems, such as documentation
and network diagrams, is
regularly reviewed and updated.
24 of 40
configurations are secure and
documented.
You regularly review and
validate that your network and
information systems have the
expected, secure settings and
configuration.
Only permitted software can be
installed.
Standard users are not able to
change settings that would
impact security or the business
operation.
If automated decision-making
technologies are in use, their
operation is well understood,
and decisions can be replicated.
Generic, shared, default name
and built-in accounts have been
removed or disabled. Where this
is not possible, credentials to
these accounts have been
changed.
Achieved
All the following statements are
true
Your systems and devices
supporting the operation of the
essential function(s) are only
administered or maintained by
authorised privileged users from
highly trusted devices, such as
Privileged Access Workstations,
dedicated solely to those
operations.
You regularly review and update
technical knowledge about
network and information
systems, such as documentation

B4.d. Vulnerability Management
You manage known vulnerabilities in your network and information systems to prevent adverse impact on
your essential function(s).
Not Achieved
At least one of the following
statements is true
You do not understand the
exposure of your essential
function(s) to publicly-known
vulnerabilities.
You do not mitigate externally
exposed vulnerabilities
promptly.
You have not recently tested to
verify your understanding of the
vulnerabilities of the network
and information systems that
support your essential
function(s).
You have not suitably mitigated
systems or software that is no
longer supported.
You are not pursuing
replacement for unsupported
systems or software.
You prevent, detect and remove
malware, and unauthorised
software. You use technical,
procedural and physical
measures as necessary.
Partially Achieved
All the following statements
below are true
You maintain a current
understanding of the exposure
of your essential function(s) to
publicly-known vulnerabilities.
Announced vulnerabilities for all
software packages, network and
information systems used to
support your essential
function(s) are tracked,
prioritised and externally
exposed vulnerabilities are
mitigated (e.g. by patching)
promptly.
Some vulnerabilities that are not
externally exposed have
temporary mitigations for an
extended period.
You have temporary mitigations
for unsupported systems and
software while pursuing
migration to supported
technology.
You regularly test to fully
understand the vulnerabilities of
the network and information
systems that support the
operation of your essential
function(s).
25 of 40
and network diagrams, and
ensure they are securely stored.
You prevent, detect and remove
malware, and unauthorised
software. You use technical,
procedural and physical
measures as necessary.
Achieved
All the following statements are
true
You maintain a current
understanding of the exposure
of your essential function(s) to
publicly-known vulnerabilities.
Announced vulnerabilities for all
software packages, network and
information systems used to
support your essential
function(s) are tracked,
prioritised and mitigated (e.g. by
patching) promptly.
You regularly test to fully
understand the vulnerabilities of
the network and information
systems that support the
operation of your essential
function(s) and verify this
understanding with third-party
testing.
You maximise the use of
supported software, firmware
and hardware in your network
and information systems
supporting your essential
function(s).
Principle B5 Resilient Networks and Systems
The organisation builds resilience against cyber attack and system failure into the design,
implementation, operation and management of systems that support the operation of essential functions.

B5.a Resilience Preparation

You are prepared to restore the operation of your essential function(s) following adverse impact.

Not Achieved Partially Achieved Achieved

Any of the following statements All the following statements are All the following statements are
are true true true

You have limited understanding
of all the elements that are
required to restore operation of
the essential function(s).
You have not completed
business continuity and disaster
recovery plans for network and
information systems, including
their dependencies, supporting
the operation of the essential
function(s).
You have not fully assessed the
practical implementation of your
business continuity and disaster
recovery plans.
You know all network and
information systems, and
underlying technologies, that are
necessary to restore the
operation of the essential
function(s) and understand
their interdependence.
You know the order in which
systems need to be recovered
to efficiently and effectively
restore the operation of the
essential function(s).
You have business continuity
and disaster recovery plans that
have been tested for practicality,
effectiveness and completeness.
Appropriate use is made
of different test methods (e.g.
manual fail-over, table-top
exercises, or red-teaming).
You use your security awareness
and threat intelligence sources
to identify new or heightened
levels of risk, which result in
immediate and potentially
temporary security measures to
enhance the security of your
network and information
systems (e.g. in response to a
widespread outbreak of very
damaging malware).

26 of 40
B5.b Design for Resilience
You design the network and information systems supporting your essential function(s) to be resilient to
cyber security incidents. Systems are appropriately segregated and resource limitations are mitigated.
Not Achieved
At least one of the following
statements is true
Network and information
systems supporting the
operation of your essential
function(s) are not appropriately
segregated.
Internet services, such as
browsing and email, are
accessible from network and
information systems supporting
the essential function(s).
You do not understand or lack
plans to mitigate all resource
limitations that could adversely
affect your essential function(s).
Partially Achieved
All the following statements are
true
Network and information
systems supporting the
operation of your essential
function(s) are logically
separated from your business
systems (e.g. they reside on the
same network as the rest of the
organisation but within a DMZ).
Internet services are not
accessible from network and
information systems supporting
the essential function(s).
Resource limitations (e.g.
network bandwidth, single
network paths) have been
identified but not fully mitigated.
27 of 40
Achieved
All the following statements are
true
Network and information
systems supporting the
operation of your essential
function(s) are segregated from
other business and external
systems by appropriate technical
and physical means (e.g.
separate network and system
infrastructure with independent
user administration). Internet
services are not accessible from
network and information
systems supporting the essential
function(s).
You have identified and
mitigated all resource limitations
(e.g. bandwidth limitations and
single network paths).
You have identified and
mitigated any geographical
constraints or weaknesses. (e.g.
systems that your essential
function(s) depends upon
are replicated in another
location, important network
connectivity has alternative
physical paths and service
providers).
You review and update
assessments of dependencies,
resource and geographical
limitations and mitigations when
necessary.
B5.c Backups
You hold accessible and secured current backups of data and information needed to recover operation of
your essential function(s).
Not Achieved
At least one of the following
statements is true
Backup coverage is incomplete
and does not include all relevant
data and information needed to
restore the operation of your
essential function(s).
Backups are not frequent
enough for the operation of your
essential function(s) to be
restored effectively.
Your restoration process does
not restore your essential
function(s) in a suitable time
frame.
Partially Achieved
All the following statements are
true
You have appropriately secured
backups (including data,
configuration information,
software, equipment, processes
and knowledge). These backups
will be accessible to recover
from an extreme event.
You routinely test backups to
ensure that the backup process
function(s) correctly and the
backups are usable.
28 of 40
Achieved
All the following statements are
true
Your comprehensive, automatic
and tested technical and
procedural backups are secured
at centrally accessible or
secondary sites to recover from
an extreme event.
Backups of all important data
and information needed to
recover the essential function(s)
are made, tested, documented
and routinely reviewed.
Principle B6 Staff Awareness and Training
Staff have appropriate awareness, knowledge and skills to carry out their organisational roles effectively
in relation to the security of network and information systems supporting the operation of essential
functions.
B6.a Cyber Security Culture
You develop and maintain a positive cyber security culture.
Not Achieved
At least one of the following
statements is true
People in your organisation
don't understand what they
contribute to the cyber security
of the essential function(s).
People in your organisation
don't know how to raise a
concern about cyber security.
People believe that reporting
issues may get them into
trouble.
Your organisation's approach to
cyber security is perceived by
staff as hindering the business of
the organisation.
Partially Achieved
All the following statements are
true
Your executive management
understand and widely
communicate the importance of
a positive cyber security culture.
Positive attitudes, behaviours
and expectations are described
for your organisation.
All people in your organisation
understand the contribution
they make to the essential
function(s) cyber security.
All individuals in your
organisation know who to
contact and where to access
more information about cyber
security. They know how to raise
a cyber security issue.
29 of 40
Achieved
All the following statements are
true
Your executive management
clearly and effectively
communicates the organisation's
cyber security priorities and
objectives to all staff. Your
organisation displays positive
cyber security attitudes,
behaviours and expectations.
People in your organisation
raising potential cyber security
incidents and issues are treated
positively.
Individuals at all levels in your
organisation routinely report
concerns or issues about cyber
security and are recognised for
their contribution to keeping the
organisation secure.
Your management is seen to be
committed to and actively
involved in cyber security.
Your organisation communicates
openly about cyber security,
with any concern being taken
seriously.
People across your organisation
participate in cyber security
activities and improvements,
building joint ownership and
bringing knowledge of their area
of expertise.
B6.b Cyber Security Training
The people who support the operation of your essential function(s) are appropriately trained in cyber
security. A range of approaches to cyber security training, awareness and communications are employed.
Not Achieved
At least one of the following
statements is true
There are teams who operate
and support your essential
function(s) that lack any cyber
security training.
Cyber security training is
restricted to specific roles in
your organisation.
Cyber security training records
for your organisation are lacking
or incomplete.
Partially Achieved
All the following statements are
true
You have defined appropriate
cyber security training and
awareness activities for all roles
in your organisation, from
executives to the most junior
roles.
You use a range of teaching and
communication techniques for
cyber security training and
awareness to reach the widest
audience effectively.
Cyber security information is
easily available.
30 of 40
Achieved
All the following statements are
true
All people in your organisation,
from the most senior to the
most junior, follow appropriate
cyber security training paths.
Each individuals cyber security
training is tracked and refreshed
at suitable intervals.
You routinely evaluate your
cyber security training and
awareness activities to ensure
they reach the widest audience
and are effective.
You make cyber security
information and good practice
guidance easily accessible,
widely available and you know it
is referenced and used within
your organisation.
CAF - Objective C - Detecting cyber security events
Capabilities exist to ensure security defences remain effective and to detect cyber security events
affecting, or with the potential to affect, essential function(s).

Principle C1 Security Monitoring

The organisation monitors the security status of the network and information systems supporting the
operation of essential functions in order to detect potential security problems and to track the ongoing
effectiveness of protective security measures.

C1.a Monitoring Coverage

The data sources that you include in your monitoring allow for timely identification of security events
which might affect the operation of your essential function(s).

Not Achieved Partially Achieved Achieved

At least one of the following All the following All the following statements are true
statements is true statements are true

Data relating to the security Data relating to the Monitoring is based on an

and operation of your
essential function(s) is not
collected.
You do not confidently
detect the presence or
absence of Indicators of
Compromise (IoCs) on your
essential function(s), such as
known malicious command
and control signatures (e.g.
because applying the
indicator is difficult or your
log data is not sufficiently
detailed).
You are not able to audit the
activities of users in relation
to your essential function(s).
You do not capture any
traffic crossing your network
boundary including as a
minimum IP connections.
security and operation of understanding of your networks,
some areas of your common cyber attack methods and
essential function(s) is what you need awareness of in order
collected but coverage is to detect potential security incidents
not comprehensive. that could affect the operation of your
essential function(s) (e.g. presence of
You easily detect the malware, malicious emails, user policy
presence or absence of violations).
IoCs on your essential
function(s), such as Your monitoring data provides enough
known malicious detail to reliably detect security
command and control incidents that could affect the
signatures. operation of your essential function(s).
Some user monitoring is You easily detect the presence or
done, but not covering a absence of IoCs on your essential
fully agreed list of function(s), such as known malicious
suspicious or undesirable command and control signatures.
behaviour.
Extensive monitoring of user activity in
You monitor traffic relation to the operation of your
crossing your network essential function(s) enables you to
boundary (including IP detect policy violations and an agreed
address connections as a list of suspicious or undesirable
minimum). behaviour.
You have extensive monitoring
coverage that includes host-based
monitoring and network gateways.
All new systems are considered as
potential monitoring data sources to
maintain a comprehensive monitoring
capability.

31 of 40
C1.b Securing Logs
You hold log data securely and grant appropriate access only to accounts with business a need. No system
or user should ever need to modify or delete master copies of log data within an agreed retention period,
after which it should be deleted.
Not Achieved
At least one of the following
statements is true
It is possible for log data to be
easily edited or deleted by
unauthorised users or
malicious attackers.
There is no controlled list
of the users and systems that
can view and query log data.
There is no monitoring of the
access to log data.
There is no policy for accessing
log data.
Log data is not synchronised,
using an accurate common
time source.
Partially Achieved
All the following statements are
true
Only authorised staff can view log
data for investigations.
Authorised users and systems can
appropriately access log data.
There is some monitoring of
access to log data (e.g. copying,
deleting, modifying or viewing).
32 of 40
Achieved
All the following statements are
true
The integrity of log data is
protected, or any modification is
detected and attributed.
The logging architecture has
mechanisms, policies, processes
and procedures to ensure that it
can protect itself from threats
comparable to those it is trying to
identify. This includes protecting
the essential function(s) itself,
and the data within it.
Log data analysis and
normalisation is only performed
on copies of the data keeping the
master copy unaltered.
Log data is synchronised, using an
accurate common time source, so
that separate datasets can be
correlated in different ways.
Access to log data is limited to
those with business need and no
others.
All actions involving all log data
(e.g. copying, deleting, modifying
or viewing) can be traced back to
a unique user.
Legitimate reasons for accessing
log data are given in use policies.
C1.c Generating Alerts
Evidence of potential security incidents contained in your monitoring data is reliably identified
and triggers alerts.
Not Achieved
At least one of the following
statements is true
Alerts from third party security
software are not investigated (e.g.
Anti-Virus (AV) providers).
Logs are distributed across devices
with no easy way to access them
other than manual login or
physical action.
The resolution of alerts to a
network asset or system is not
performed.
Security alerts relating to essential
function(s) are not prioritised.
Logs are reviewed infrequently.
Partially Achieved
All the following statements
are true
Alerts from third party
security software are
investigated, and action
taken.
Some, but not all, log data can
be easily queried with search
tools to aid investigations.
The resolution of alerts to a
network asset or system is
performed regularly.
Security alerts relating to
some essential function(s) are
prioritised.
Logs are reviewed at regular
intervals.
33 of 40
Achieved
All the following statements are
true
Log data is enriched with other
network knowledge and data
when investigating certain
suspicious activity or alerts.
A wide range of signatures and
indicators of compromise is used
for investigations of suspicious
activity and alerts.
Alerts can be easily resolved to
network assets using knowledge
of networks and systems. The
resolution of these alerts is
performed in almost real time.
Security alerts relating to all
essential function(s) are
prioritised and this information
is used to support incident
management.
Logs are reviewed almost
continuously, in real time.
Alerts are tested to ensure that
they are generated reliably and
that it is possible to distinguish
genuine security incidents from
false alarms.
C1.d Identifying Security Incidents
You contextualise alerts with knowledge of the threat and your systems, to identify those security
incidents that require some form of response.
Not Achieved
At least one of the following
statements is true
Your organisation has no sources
of threat intelligence.
You do not apply updates in a
timely way, after receiving them
(e.g. AV signature updates, other
threat signatures or Indicators of
Compromise (IoCs)).
You do not receive signature
updates for all protective
technologies such as AV and IDS
or other software in use.
You do not evaluate the
usefulness of your threat
intelligence or share feedback
with providers or other users.
Partially Achieved
All the following statements are
true
Your organisation uses some
threat intelligence services, but
you don't necessarily choose
sources or providers specifically
because of your business needs,
or specific threats in your sector
(e.g. sector-based infoshare, ICS
software vendors, anti-virus
providers, specialist threat intel
firms, special interest groups).
You receive updates for all your
signature based protective
technologies (e.g. AV, IDS).
You apply some updates,
signatures and IoCs in a timely
way.
You know how effective your
threat intelligence is (e.g. by
tracking how threat intelligence
helps you identify security
problems).
34 of 40
Achieved
All the following statements are
true
You have selected threat
intelligence sources or services
using risk-based and threat-
informed decisions based
on your business needs and
sector (e.g. vendor reporting
and patching, strong anti-virus
providers, sector and
community-based infoshare,
special interest groups).
You apply all new signatures
and IoCs within a reasonable
(risk-based) time of receiving
them.
You receive signature updates
for all your protective
technologies (e.g. AV, IDS).
You track the effectiveness of
your intelligence feeds and
actively share feedback on the
usefulness of IoCs and any
other indicators with the threat
community (e.g. sector
partners, threat intelligence
providers, government
agencies).
C1.e Monitoring Tools and Skills
Monitoring staff skills, tools and roles, including any that are outsourced, should reflect governance and
reporting requirements, expected threats and the complexities of the network or system data they need to
use. Monitoring staff have knowledge of the essential function(s) they need to protect.
Not Achieved
At least one of the following
statements is true
There are no staff who perform a
monitoring function.
Monitoring staff do not have the
correct specialist skills.
Monitoring staff are not capable
of reporting against governance
requirements.
Monitoring staff lack the skills to
successfully perform some
significant parts of the defined
workflow.
Monitoring tools are only able to
make use of a fraction of log data
being collected.
Monitoring tools cannot be
configured to make use of new
logging streams, as they come
online.
Monitoring staff have a lack of
awareness of the essential
function(s) the organisation
provides, what assets relate to
those functions and hence the
importance of the log data and
security events.
Partially Achieved
All the following statements are
true
Monitoring staff have some
investigative skills and a basic
understanding of the data they
need to work with.
Monitoring staff can report to
other parts of the organisation
(e.g. security directors,
resilience managers).
Monitoring staff are capable of
following most of the required
workflows.
Your monitoring tools can make
use of logging that would
capture most unsophisticated
and untargeted attack types.
Your monitoring tools work with
most log data, with some
configuration.
Monitoring staff are aware of
some essential function(s) and
can manage alerts relating to
them.
35 of 40
Achieved
All the following statements are
true
You have monitoring staff, who
are responsible for the analysis,
investigation and reporting of
monitoring alerts covering both
security and performance.
Monitoring staff have defined
roles and skills that cover all
parts of the monitoring and
investigation process.
Monitoring staff follow policies,
processes and procedures that
address all governance reporting
requirements, internal and
external.
Monitoring staff are empowered
to look beyond the fixed process
to investigate and understand
non-standard threats, by
developing their own
investigative techniques and
making new use of data.
Your monitoring tools make use
of all log data collected to
pinpoint activity within an
incident.
Monitoring staff and tools drive
and shape new log data
collection and can make wide
use of it.
Monitoring staff are aware of
the operation of essential
function(s) and related assets
and can identify and prioritise
alerts or investigations that
relate to them.
Principle C2 Proactive Security Event Discovery
The organisation detects, within network and information systems, malicious activity affecting, or with
the potential to affect, the operation of essential functions even when the activity evades standard
signature based security prevent/detect solutions (or when standard solutions are not deployable).
C2.a System Abnormalities for Attack Detection
You define examples of abnormalities in system behaviour that provide practical ways of detecting
malicious activity that is otherwise hard to identify.

Not Achieved Achieved

At least one of the following statements is true All the following statements are true

Normal system behaviour is insufficiently
understood to be able to use system
abnormalities to detect malicious activity.
You have no established understanding of what
abnormalities to look for that might signify
malicious activities.
Normal system behaviour is fully understood to such
an extent that searching for system abnormalities is a
potentially effective way of detecting malicious activity
(e.g. You fully understand which systems should and
should not communicate and when).
System abnormality descriptions from past attacks and
threat intelligence, on yours and other networks, are
used to signify malicious activity.
The system abnormalities you search for consider the
nature of attacks likely to impact on the network and
information systems supporting the operation of your
essential function(s).
The system abnormality descriptions you use are
updated to reflect changes in your network and
information systems and current threat intelligence.

C2.b Proactive Attack Discovery

You use an informed understanding of more sophisticated attack methods and of normal system
behaviour to monitor proactively for malicious activity.

Not Achieved Achieved

At least one of the following statements is true All the following statements are true

You do not routinely search for system
abnormalities indicative of malicious activity.
You routinely search for system abnormalities
indicative of malicious activity on the network and
information systems supporting the operation of your
essential function(s), generating alerts based on the
results of such searches.
You have justified confidence in the effectiveness of
your searches for system abnormalities indicative of
malicious activity.

36 of 40
CAF - Objective D - Minimising the impact of cyber security incidents
Capabilities exist to minimise the adverse impact of a cyber security incident on the operation of
essential functions, including the restoration of those function(s) where necessary.

Principle D1 Response and Recovery Planning

There are well-defined and tested incident management processes in place, that aim to ensure continuity
of essential function(s) in the event of system or service failure. Mitigation activities designed to contain
or limit the impact of compromise are also in place.

D1.a Response Plan

You have an up-to-date incident response plan that is grounded in a thorough risk assessment that takes
account of your essential function(s) and covers a range of incident scenarios.

Not Achieved Partially Achieved Achieved

At least one of the following All the following statements are All the following statements are
statements is true true true

Your incident response plan
is not documented.
Your incident response plan
does not include your
organisations identified
essential function(s).
Your incident response plan
is not well understood by
relevant staff.
Your incident response plan
covers your essential function(s).
Your incident response plan
comprehensively covers scenarios
that are focused on likely impacts
of known and well understood
attacks only.
Your incident response plan is
understood by all staff who are
involved with your organisation's
response function.
Your incident response plan is
documented and shared with all
relevant stakeholders.
Your incident response plan is
based on a clear understanding of
the security risks to the network
and information systems
supporting your essential
function(s).
Your incident response plan is
comprehensive (i.e. covers the
complete lifecycle of an incident,
roles and responsibilities, and
reporting) and covers likely
impacts of both known attack
patterns and of possible attacks,
previously unseen.
Your incident response plan is
documented and integrated with
wider organisational business
plans and supply chain response
plans, as well as dependencies on
supporting infrastructure (e.g.
power, cooling etc).
Your incident response plan is
communicated and understood by
the business areas involved with
the operation of your essential
function(s).

37 of 40
D1.b Response and Recovery Capability
You have the capability to enact your incident response plan, including effective limitation of impact on
the operation of your essential function(s). During an incident, you have access to timely information on
which to base your response decisions.
Not Achieved
At least one of the following statements is true
Inadequate arrangements have been made to
make the right resources available to implement
your response plan.
Your response team members are not equipped
to make good response decisions and put them
into effect.
Inadequate back-up mechanisms exist to allow
the continued operation of your essential
function(s) during an incident.
38 of 40
Achieved
All the following statements are true
You understand the resources that will likely be
needed to carry out any required response activities,
and arrangements are in place to make these resources
available.
You understand the types of information that will likely
be needed to inform response decisions and
arrangements are in place to make this information
available.
Your response team members have the skills and
knowledge required to decide on the response actions
necessary to limit harm, and the authority to carry
them out.
Key roles are duplicated, and operational delivery
knowledge is shared with all individuals involved in the
operations and recovery of the essential function(s).
Back-up mechanisms are available that can be readily
activated to allow continued operation of your
essential function(s), although possibly at a reduced
level, if primary network and information systems fail
or are unavailable.
Arrangements exist to augment your organisation’s
incident response capabilities with external support if
necessary (e.g. specialist cyber incident responders).
D1.c Testing and Exercising
Your organisation carries out exercises to test response plans, using past incidents that affected your (and
other) organisation, and scenarios that draw on threat intelligence and your risk assessment.

Not Achieved Achieved

At least one of the following statements is true All the following statements are true

Exercises test only a discrete part of the process
(e.g. that backups are working), but do not
consider all areas.
Incident response exercises are not routinely
carried out or are carried out in an ad-hoc way.
Outputs from exercises are not fed into the
organisation's lessons learned process.
Exercises do not test all parts of the response
cycle.
Exercise scenarios are based on incidents experienced
by your and other organisations or are composed
using experience or threat intelligence.
Exercise scenarios are documented, regularly
reviewed, and validated.
Exercises are routinely run, with the findings
documented and used to refine incident response
plans and protective security, in line with the lessons
learned.
Exercises test all parts of your response cycle relating
to your essential function(s) (e.g. restoration of
normal function(s) levels).

Principle D2 Lessons Learned

When an incident occurs, steps are taken to understand its root causes and to ensure appropriate
remediating action is taken to protect against future incidents.

D2.a Incident Root Cause Analysis

When an incident occurs, steps must be taken to understand its root causes and ensure appropriate
remediating action is taken.

Not Achieved Achieved

At least one of the following statements is true All the following statements are true

You are not usually able to resolve incidents to a
root cause.
You do not have a formal process for investigating
causes.
Root cause analysis is conducted routinely as a key
part of your lessons learned activities following an
incident.
Your root cause analysis is comprehensive, covering
organisational process issues, as well as
vulnerabilities in your networks, systems or software.
All relevant incident data is made available to the
analysis team to perform root cause analysis.

39 of 40
D2.b Using Incidents to Drive Improvements
Your organisation uses lessons learned from incidents to improve your security measures.
Not Achieved
At least one of the following statements is true
Following incidents, lessons learned are not
captured or are limited in scope.
Improvements arising from lessons learned
following an incident are not implemented or not
given sufficient organisational priority.
40 of 40
Achieved
All the following statements are true
You have a documented incident review
process/policy which ensures that lessons learned
from each incident are identified, captured,
and acted upon.
Lessons learned cover issues with reporting, roles,
governance, skills and organisational processes as
well as technical aspects of network and
information systems.
You use lessons learned to improve security
measures, including updating and retesting
response plans when necessary.
Security improvements identified as a result of
lessons learned are prioritised, with the highest
priority improvements completed quickly.
Analysis is fed to senior management and
incorporated into risk management and continuous
improvement.