NCSC Cyber Assessment Framework (CAF)


The Network and Information Systems (NIS) Regulations came into force in May 2018, transposing the EU’s Directive on security of network and information systems into UK law. The NIS Regulation seeks to improve cyber security and cyber resilience within those organisations critical to the UK infrastructure, operating in the following sectors: Energy, Transport, Health, Drinking water supply and distribution, and Digital infrastructure.

Organisations in scope of the regulations are required to take appropriate and proportionate measures to manage risks posed to the security of their network and information systems.

They also need to prevent and minimise the impact of incidents which affect the security of their network and information systems, with a view to ensuring the continuity of services.

The Cyber Assessment Framework (CAF)

A Flexible Framework

The CAF is, therefore, tremendously flexible in its application, making it a suitable cyber security framework for organisations operating in a wide range of sectors.

This has resulted in its ubiquitous adoption by competent authorities responsible for enforcing the NIS Regulation across the UK’s critical national infrastructure.

Having said that, the lack of prescriptive controls can also make it difficult for those less experienced in cyber security to understand how to achieve the principles, outcomes, and IGPs within the CAF.

Supporting Security

To support organisations in both achieving and demonstrating an appropriate level of cyber resilience to manage their security risks, the National Cyber Security Centre (NCSC) produced the CAF.

Consisting of 14 cyber security & resilience principles, the CAF supports the selection and operation of appropriate security measures.

Rather than a set of prescriptive rules that must be met, the principles consist of contributing outcomes that, if achieved, would provide a level of cyber security that far exceeds the bare minimum ‘basic cyber hygiene’ level.

CAF Outcomes

The way in which the outcomes are achieved will depend on multiple factors, including:

• The nature and criticality of the service the system underpins
• The environment it is operating in
• The technology used by the system

As the outcomes can be met in many ways, the CAF includes further guidance with Indicators of Good Practice (IGPs). 

These are individually defined for each outcome, to guide the identification of appropriate security measures.

CAF Cyber Security Consultants

Bridewell Consulting possesses extensive experience in the application of the CAF within a variety of environments. These include SCADA systems, complex database platforms, communication systems and IT infrastructure, across water, aviation, rail, and energy sectors.

Bridewell is a cyber security company accredited by the Civil Aviation Authority’s (CAA) ASSURE scheme. This scheme subjects suppliers to a rigorous and continuous assessment process to ensure their competence for delivering cyber security audits against the CAF.

We support our clients with a wide range of services:

  • Performing self-assessments for organisations
  • Providing gap analysis solutions against the CAF and the development of remediation programs
  • Managed Security Services to allow organisations to achieve outcomes within the CAF

Organisations may use these services either because they cannot conduct them in-house or because they would prefer specialist cyber security consultants to deliver them.

What Sets Us Apart?

Our comprehensive range of services is designed to handle the complexity of today’s data-intensive way of life, as well as its increasing regulatory burden. Our success is based on: 

  • A deep understanding of IT infrastructure frameworks, cloud technologies and cloud security
  • An ability to design, implement and deploy for businesses of all sizes
  • A firm grasp of the business realities faced by enterprises in multiple sectors
  • Comprehensive ISO27001, ISO9001 and Cyber Essentials certification
  • A sophisticated menu of security solutions for Office 365, AWS and Microsoft Azure
  • Managed services capability through our Security Operations Centre