The Cyber Assessment Framework (CAF), developed by the UK’s National Cyber Security Centre (NCSC), sets out an outcomes-based method for assessing how well cyber risks to essential functions are being managed. It is structured around four security objectives and fourteen cyber security principles, supported by defined outcomes and indicators of good practice. CAF enables organisations to identify weaknesses across people, process, and technology, and to target improvement activity in line with recognised national standards.

We provide independent NCSC Cyber Assessment Framework (CAF) services delivered by experienced cyber governance and assurance specialists. Our assessments give a clear view of current capability, highlight gaps that affect resilience, and focus remediation on areas that deliver the greatest reduction in risk. This includes improving incident detection and response, strengthening supply-chain assurance, and establishing consistent, repeatable assurance processes that stand up to scrutiny.

We support organisations across the full CAF lifecycle, including structured assessments, governance and control reviews, remediation planning, and ongoing assurance. Whether supporting internal self-assessment or providing independent assurance, our services improve board-level visibility, support risk-based investment decisions, and help reduce the likelihood and impact of cyber incidents affecting essential functions.

Our Service Includes; 

• Comprehensive CAF scoping aligned to essential functions.
• Governance, risk and supply‑chain assessment activities.
• Technical control validation across CAF principles.
• Evidence‑based analysis against IGPs and outcomes.
• Gap analysis and cyber maturity profiling.
• Remediation roadmap and prioritised actions.
• Interviews, documentation reviews and system walkthroughs.
• Threat‑informed assessment using CAF 4.0 updates.
• Follow‑up assurance and re‑validation checks.
• Continuous improvement support and governance embedding.

The Cyber Assessment Framework (CAF) is designed for organisations delivering essential services across sectors such as energy, healthcare, transport, digital infrastructure, and government. It supports both self-assessment and independent oversight, helping organisations meet regulatory obligations such as the NIS Regulations by assessing cyber security and resilience against defined CAF outcomes.

CAF Profiles set target levels of cyber resilience based on the capability of likely threat actors. The Basic Profile applies across all sectors and addresses common cyber threats, while Enhanced Profiles are sector-specific and reflect the need to defend against more capable, well-resourced attackers using sophisticated techniques.

Why Choose Us?

As an established cyber security consultancy, we have extensive experience providing information assurance and cyber resilience advice to government and third-party suppliers, aligned with best practice, UK government protective security policy, and recognised assurance frameworks including the NCSC Cyber Assessment Framework and the Security Policy Framework.