On April 18, 2024, the National Cyber Security Centre (NCSC) published the latest version of its Cyber Assessment Framework (CAF). In particular, the CAF provides a systematic approach to assessing the extent to which cyber risks to essential functions are being managed by an organization. 

The CAF is structured around the following four objectives, each tailored to address specific aspects of cybersecurity:

• managing security risk;
• protecting against cyber attacks;
• detecting cyber security events; and
• minimizing the impact of cyber security incidents.

For organizations to assess how well they meet the objectives, the CAF provides a detailed method involving an assessment of all contributing outcomes for a given objective. This is facilitated by a series of Indicators of Good Practice (IGPs) and each contributing outcome is linked to a set of IGPs. 

Additionally, the CAF emphasizes a principle-based approach to cybersecurity, where each top-level security and resilience principle defines a broad outcome important for safeguarding an organization's cyber environment. Recognizing that the application of each principle will differ based on specific organizational circumstances, the CAF outlines a structure where each principle is divided into several lower-level contributing cyber security and resilience outcomes. These outcomes collectively represent the specific goals that need to be achieved to fully satisfy the overarching principle.

The NCSC explained that the CAF principles, outcomes, and IGPs are interdependent and that a change in an IGP requires an evaluation of the effects on other areas of the CAF. Notably, the CAF acknowledges the cybersecurity challenges posed by artificial intelligence (AI) technologies used in automated functions and automated decision-making processes. The NCSC noted that it would consider the impact of AI in more detail in future iterations of the CAF.

You can read the press release here and the CAF here.