Part 3: The Redo Aka NCSC CAF Demystified
“Why is this a redo?”
This post should have come before the earlier one mapping Microsoft tools to CAF controls. Why? Because before we can confidently apply tools, we need to fully understand the why and how behind the framework itself.
This post breaks down the structure of the framework, compares it with familiar standards like ISO 27001 and CIS Controls, and sets the stage for everything that follows. It supports previous posts by grounding them in context and will strengthen future entries that dive deeper into specific CAF objectives, practical Microsoft implementations, and sector-specific use cases. If you’re on the path from awareness to action, this is a post you need to read.
CAF Demystified – NCSC’s Cyber Assessment Framework Explained
How to Read the CAF Like a Pro Without Falling Asleep
If we are honest, regulations rarely spark joy. But what if I told you that the UK’s Cyber Assessment Framework (CAF), created by the NCSC, could be your organisation’s best friend as we hurtle toward mandatory cyber resilience under the UK Cyber Security and Resilience Bill?
For those who know me personally, I’m not one for selling fear, and this post is not that. It’s about understanding the why, what, and how of aligning your organisation’s cyber resilience with modern regulatory expectations, and doing so without burning out your team or blowing your budget.
Why Start With CAF?
If you live and work within the United Kingdom you will most likely have heard of the NCSC. For those who don’t, or who haven’t come across them, here is a quick intro to the NCSC and the CAF.
The National Cyber Security Centre (NCSC), the UK’s authority on cyber threats and resilience, created the Cyber Assessment Framework (CAF) to provide a structured, outcomes-focused approach to assessing and improving cyber security, particularly for organisations delivering essential services. Recognising that traditional compliance checklists often fall short in real-world scenarios, the NCSC designed the CAF to shift the focus from ticking boxes to demonstrating resilience. It reflects the NCSC’s mission to make the UK the safest place to live and work online by helping organisations of all sizes understand, measure, and mature their cyber defences in a practical, risk-based way. At its core it is an outcomes-based framework built to ask the hard questions, like:
- Can you demonstrate that your supply chain is resilient?
- Do you recover from incidents with minimal disruption?
It’s not just about having controls, it’s about knowing they work.
The Four Objectives and 14 Principles of CAF
CAF is broken into four high-level objectives, each containing several principles. Together, they cover governance, defence, response, and recovery:
| Objective | Focus | Principles |
|---|---|---|
| 1. Managing Security Risk | Leadership, Governance, Risk | A1-A4 |
| 2. Protecting Against Cyber Attack | Technical & Physical Controls | B1-B6 |
| 3. Detecting Cyber Security Events | Security Monitoring | C1-C2 |
| 4. Minimising Impact of Incidents | Response, Recovery, Resilience | D1-D2 |
Each principle includes desired outcomes and indicators of good practice (IGPs), which help you understand what good looks like.
A Deeper Dive…
The Cyber Assessment Framework (CAF) is structured around 4 top-level objectives, each made up of principles that represent the foundational elements of good cyber resilience. Below is a breakdown of each principle, grouped by objective, with a short explanation of the deeper focus behind them.
| Objective | Principle | Title | What It Really Means |
|---|---|---|---|
| 1. Managing Security Risk | A1 | Governance | Does your leadership take ownership of cyber risk? It’s about embedding cyber into business governance, not just IT. |
| | A2 | Risk Management | Do you have a structured, organisation-wide approach to identifying and managing cyber risks, beyond just technical threats? |
| | A3 | Asset Management | Can you confidently identify, classify, and prioritise all information assets, including data, systems, and suppliers? |
| | A4 | Supply Chain | Do you assess and manage cyber risks introduced by suppliers and service providers? This principle is critical in today’s interconnected world. |
| 2. Protecting Against Cyber Attack | B1 | Service Protection Policies & Processes | Are there policies that govern how systems and services are protected? This includes change control, configuration, and patching. |
| | B2 | Identity & Access Control | Who has access to what, and how is it controlled? Think: strong authentication, least privilege, and identity governance. |
| | B3 | Data Security | How do you protect data throughout its lifecycle, from creation and storage to transfer and deletion? Encryption, backups, and classification live here. |
| | B4 | System Security | Are your systems designed, built, and maintained to resist attacks? Includes hardening, secure builds, and regular assessments. |
| | B5 | Resilient Networks & Systems | Can your infrastructure withstand, adapt to, and recover from disruption? Think redundancy, segmentation, and failover strategies. |
| | B6 | Staff Awareness & Training | Are your people your strongest link or your weakest? This principle measures training effectiveness and cyber culture maturity. |
| 3. Detecting Cyber Security Events | C1 | Security Monitoring | Are you actively monitoring systems to detect potential security events? This includes real-time alerting, effective logging strategies, and the use of detection technologies such as SIEMs, EDR/XDR, and anomaly-based systems. |
| | C2 | Proactive Security Event Discovery | Do you have the capability to detect unusual or malicious activity in your systems and networks? This principle focuses on identifying behaviours that deviate from the norm, such as lateral movement or privilege escalation, and supports rapid incident detection. |
| 4. Minimising the Impact of Cyber Security Incidents | D1 | Response & Recovery Planning | Do you have well-defined, regularly tested plans to respond to and recover from incidents? This includes containment, communication strategies, continuity of critical services, and restoring normal operations efficiently. |
| | D2 | Lessons Learned | After an incident, do you systematically review what happened, why it happened, and how to improve? This principle covers post-incident analysis, feeding insights into governance, training, system improvements, and future testing. |
Why This Structure Matters
Each principle isn’t a standalone checkbox; it’s part of a maturity journey. The CAF encourages organisations to assess how well these principles are embedded into their day-to-day operations and whether they are effective under real-world conditions.
The framework recognises that security isn’t one-size-fits-all. Instead, it offers flexibility to tailor implementations based on your risk profile, sector, and scale, making it a practical choice for everything from SMEs to large national infrastructure providers.
This deeper dive gives you the vocabulary and understanding you’ll need as we explore how Microsoft technologies and other tools can help operationalise these principles in the real world.
CAF vs ISO 27001 vs CIS Controls
If you’re already using ISO 27001 or CIS Controls, here’s the good news: You’re not starting from scratch. But you’re also not done yet.
| Framework | Strengths | Gaps vs CAF |
|---|---|---|
| ISO 27001 | Globally recognised, management-focused, audit-ready | Light on operational outcomes, vague on supply chain |
| CIS Controls | Practical, control-heavy, highly prescriptive | Lacks strategic governance and leadership focus |
| CAF | Outcome-driven, balances strategy & operations | Requires internal interpretation, less prescriptive tooling |
Think of CAF as the glue that binds your policies to your tech. It asks not only do you have it, but does it work when it matters?
Mapping ISO 27001 to CAF (Quick Reference)
As mentioned previously, if your organisation is already certified to ISO/IEC 27001, you’re not starting from scratch, far from it. ISO provides a strong governance and policy framework, which maps well to many CAF principles. However, the CAF goes deeper, and the mapping below will help guide you on some of the potential reuse cases. This is not an exhaustive list, and I would encourage further research to ensure the maximum reusability of ISO or any other framework against the CAF.
| ISO/IEC 27001:2022 Clause | CAF Principle | CAF Reference | Notes |
|---|---|---|---|
| 5 – Leadership | Governance | A1 | Executive accountability, cyber as a leadership concern |
| 6 – Planning | Risk Management | A2 | Risk-based approach, threat modelling, prioritisation |
| 7 – Support | Asset Management | A3 | Asset identification, classification, ownership |
| | Staff Awareness & Training | B6 | Culture, awareness, education, phishing simulation |
| 8 – Operation | Supply Chain | A4 | Third-party assurance, SLAs, procurement due diligence |
| | Service Protection Policies | B1 | Operational security policies, change management |
| | Identity & Access Control | B2 | Authentication, authorisation, privileged access |
| | Data Security | B3 | Data lifecycle protection, encryption, classification |
| | System Security | B4 | Secure configuration, vulnerability management, patching |
| | Resilient Networks & Systems | B5 | Redundancy, fault tolerance, segmentation |
| 9 – Performance Evaluation | Security Monitoring | C1 | Logging, alerting, SIEM, centralised monitoring |
| | Proactive Security Event Discovery | C2 | Threat hunting, anomaly detection, behaviour analytics |
| 10 – Improvement | Lessons Learned | D2 | Post-incident reviews, reporting, continuous improvement |
Final Thoughts
CAF is more than just a framework—it’s a conversation starter for how your organisation proves its resilience. As ransomware attacks surge and regulatory expectations tighten, a proactive approach to cyber governance isn’t just wise—it’s necessary.
Whether you’re an IT lead or a business exec, it’s time to face your cyber reflection. Because before the audit… comes the mirror.
Bonus: Markdown Self-Assessment Template
Starting to collect evidence of your current posture doesn’t need to be complicated: start simple and build momentum. Below is a simple markdown template to get you started!
```markdown
# CAF Self-Assessment Template
## Organisation Name: [Enter Name]
## Assessor: [Enter Name & Role]
## Date: [YYYY-MM-DD]
---
## Objective A:
### Principle: A1 Governance
- [ ] Governance roles are defined
- [ ] Cyber risk is regularly reviewed by leadership
- Notes:
### Principle: A2 Risk Management
- [ ] A formal cyber risk process exists
- [ ] Risk appetite is documented and aligned with objectives
- Notes:
...repeat for all 14 principles...
## Summary Score:
- Met: [X]
- Partially Met: [Y]
- Not Met: [Z]
## Action Plan:
- [ ] [Remedial Action 1]
- [ ] [Remedial Action 2]
```
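Once a few copies of the template have been filled in, tallying the Summary Score by hand gets tedious. The Python script below is an added example, not part of the original template or of the NCSC’s material: it reads a filled-in copy, rolls each principle’s checkboxes up into Met / Partially Met / Not Met, and flags any of the 14 CAF principles the assessment never mentions. The embedded assessment is a constructed sample, and the status rules (all boxes ticked means Met, none means Not Met) are an assumption about how the template is meant to be scored.

```python
import re
from collections import Counter
# The 14 CAF principle IDs from the tables above (A1-A4, B1-B6, C1-C2, D1-D2).
CAF_PRINCIPLES = {f"A{i}" for i in range(1, 5)} | {f"B{i}" for i in range(1, 7)} | {"C1", "C2", "D1", "D2"}

PRINCIPLE_RE = re.compile(r"^###\s*Principle:\s*([A-D]\d)\b")
CHECKBOX_RE = re.compile(r"^-\s*\[([ xX])\]")

def parse_assessment(markdown):
    """Map each principle heading to (ticked, total) for the checkboxes under it."""
    results, current = {}, None
    for line in markdown.splitlines():
        line = line.strip()
        if line.startswith("#"):  # any heading ends a block; only principle headings open one
            m = PRINCIPLE_RE.match(line)
            current = m.group(1) if m else None
            if current:
                results.setdefault(current, [0, 0])
            continue
        m = CHECKBOX_RE.match(line)
        if m and current:  # "- Notes:" lines do not match, so they are ignored
            results[current][1] += 1
            results[current][0] += m.group(1).lower() == "x"
    return {k: tuple(v) for k, v in results.items()}

def status(ticked, total):  # assumed scoring rule for the template's Summary Score
    if total == 0:
        return "Not Assessed"
    if ticked == total:
        return "Met"
    return "Not Met" if ticked == 0 else "Partially Met"

def summarise(markdown):  # Summary Score counts plus principles never covered
    parsed = parse_assessment(markdown)
    counts = Counter(status(*v) for v in parsed.values())
    missing = sorted(CAF_PRINCIPLES - set(parsed))
    return dict(counts), missing

# Constructed sample of a partly completed template (not a real assessment).
SAMPLE = """### Principle: A1 Governance
- [x] Governance roles are defined
- Notes: quarterly board reporting in place
### Principle: A2 Risk Management
- [x] A formal cyber risk process exists
- [ ] Risk appetite is documented and aligned with objectives
### Principle: B2 Identity & Access Control
- [ ] Privileged accounts require strong authentication
## Action Plan:
- [ ] Document risk appetite
"""
```

Running `summarise(SAMPLE)` on the constructed sample reports one principle Met, one Partially Met and one Not Met, and lists the eleven principles the sample never reaches, which is the gap list to feed back into the Action Plan section.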
Posts in this series
- Part 3: The Redo Aka NCSC CAF Demystified
- Part 2: Assessing Your Cyber Posture – Where Are You Today?
- The Big Shift - UK Cybersecurity Resilience Bill