
UK CAF: A Practical Framework for Cyber Resilience

The UK National Cyber Security Centre’s Cyber Assessment Framework, known as CAF, is designed to help organisations assess and improve their cyber security and resilience. The NCSC positions it as a tool particularly suited to organisations that support important or essential services. (National Cyber Security Centre)

CAF is especially relevant because it focuses on outcomes rather than simply prescribing a list of controls. This makes it useful for assessing whether an organisation can protect critical services, detect cyber events, minimise impact, and recover effectively.

The framework is structured around high-level objectives and principles. These help organisations examine governance, risk management, asset management, supply chain security, protective controls, detection capability, response, and recovery.

For boards and executives, CAF provides a practical way to discuss cyber resilience in business terms. It encourages organisations to ask whether essential functions are understood, whether risks are managed proportionately, whether protective measures are effective, and whether response and recovery arrangements have been tested.

CAF can also support regulatory readiness, supplier assurance, internal audit, and cyber improvement planning. It is particularly useful where organisations need a structured but outcome-focused way to evaluate cyber maturity.

Key message: UK CAF helps organisations move from control checklists to evidence-based cyber resilience.