
NCSC Cyber Assessment Framework (CAF)

This article explains how you can use Risk Ledger to demonstrate your own organisation's compliance with the CAF (focussed on Principle A4, Supply Chain), as well as to assess your suppliers against the CAF.

Written by Ish Ladak
Updated this week

Background

The UK National Cyber Security Centre (NCSC) has developed the Cyber Assessment Framework (CAF) to help organisations, especially those operating essential services, assess and enhance their cyber security resilience.

The CAF sets out four top-level objectives, each supported by several principles and contributing outcomes. These outcomes represent the conditions that, if met, provide confidence that the organisation is managing cyber risks effectively. The top-level objectives are:

  1. Managing security risk

  2. Protecting against cyber attack

  3. Detecting cyber security events

  4. Minimising the impact of incidents

Each top-level objective consists of principles, and each principle is fulfilled through achieving contributing outcomes. To support an assessment, NCSC provides Indicators of Good Practice (IGPs) for each contributing outcome. IGPs act as examples of the types of behaviours that might be observed for each level of achievement (e.g. Not Achieved, Partially Achieved, Achieved).

Importantly, the CAF is principle-based and therefore does not prescribe specific technical controls or implementation methods. Instead, organisations are expected to demonstrate that their approach is effective and proportionate to their specific context, risk profile, and regulatory requirements.


How Risk Ledger Can Help

Risk Ledger’s Supplier Assessment Framework (SAF) is a standardised set of security controls aligned with well-known industry frameworks representing best practices to reduce supplier cyber risk. A controls-based approach allows you to quickly and efficiently assess the cyber security posture of your suppliers at scale, across your entire supply chain. This has the added benefit of serving as a centralised and consolidated set of data that can be used to generate a body of evidence for CAF assessments.

There are two primary ways Risk Ledger can support CAF assessments:

  1. Supporting an organisation’s CAF assessment. Risk Ledger helps organisations demonstrate IGPs for their CAF assessment, specifically against Principle A4, Supply Chain.

  2. Supporting the CAF assessments of an organisation's suppliers. By leveraging suppliers’ SAF responses and supporting documentation, organisations can assess current maturity and track the progress towards suppliers’ achievement and demonstration of IGPs and contributing outcomes.

The Risk Ledger platform enables you to efficiently identify and use information to support your assessment. Specifically, the platform provides:

  • A consistent, structured knowledge base across all suppliers

  • Supplier answers and supporting documentation as evidence for CAF contributing outcomes

  • Visibility of supply chain dependencies through network mapping

  • The ability to engage directly with suppliers to request clarification or additional evidence

This evidence does not replace an assessment. Rather, it provides the information needed to support your self-assessment and any independent reviews by external auditors or oversight bodies.


Supporting your CAF assessment: Principle A4, Supply Chain

Risk Ledger is particularly well-suited to support assessments against Principle A4, Supply Chain, which states:

"The organisation understands and manages security risks to networks and information systems supporting the operation of essential functions that arise as a result of dependencies on suppliers. This includes ensuring that appropriate measures are employed where third-party services are used."

This principle has two contributing outcomes:

  • A4.a Supply Chain: You understand and effectively manage the risks associated with suppliers to the security of network and information systems supporting the operation of your essential function(s).

  • A4.b Secure Software Development and Support: You actively maximise the use of secure and supported software, whether developed internally or sourced externally, within network and information systems supporting the operation of your essential function(s).

A4.a: Supply Chain

This contributing outcome assesses whether you can demonstrate a comprehensive understanding and effective management of supply chain risks. The combination of supplier answers, the supply chain network map, and your internal governance processes provides evidence that you meet many of the IGPs.

For example, one IGP listed at the Achieved level states:

"You have a deep understanding of your supply chain, including subcontractors and the wider risks it faces."

There is no single control, or set of controls, that proves this on its own. Instead, it is demonstrated through your overall understanding of your supply chain, supported by:

  • The ability to visualise third-, fourth-, and nth-party relationships through the network map

  • Visibility of supplier compliance with your security policies, with the added ability to identify and group suppliers by different criteria (e.g. criticality, hosting of PII, etc.)

  • Identification of risks and issues raised with suppliers through Risk Ledger

Some information relevant to A4.a may exist outside Risk Ledger. For example, another IGP states:

"Critical suppliers to network and information systems supporting your essential function(s) can demonstrate appropriate and proportionate levels of cyber security within the context of capable and well-resourced threat actors."

While supplier compliance scores, labels, risks raised, and Product-Level Answers may form part of this picture, mapping your essential functions to specific suppliers and services often sits within internal documentation on business continuity or operational resilience. Linking that internal mapping to Risk Ledger data provides a comprehensive, evidence-based view of supplier dependencies and risk.

A4.b: Secure Software Development and Support

This contributing outcome focuses on ensuring that the software supporting your essential functions is secure and actively maintained by the vendor.

Risk Ledger’s Domain E: Software Development provides visibility into a supplier’s approach to secure software development, including:

  • Policies and practices relating to the software development lifecycle

  • Architecture design of the development network

  • Implementation of well-known industry frameworks for secure software development

  • Vulnerability testing

However, some IGPs for A4.b relate to your internal development environments, or require granular details from suppliers, such as demonstrating the complete provenance of the software's components, commonly documented in a Software Bill of Materials (SBOM).

Gathering evidence for these IGPs may require engaging with suppliers through the Discussions feature to request additional information and documentation.


Assessing CAF Status Across Your Suppliers

Organisations can assess CAF status across multiple suppliers. Given that suppliers complete the SAF and upload documentation into Risk Ledger, this provides a standardised and scalable way to collect evidence across all your suppliers. It enables you to see how CAF status may vary across your supplier network, and identify and prioritise suppliers that may require additional support to improve their CAF posture.

This approach provides several benefits:

  1. Tailored Policies. Create policies that reflect specific needs, taking into consideration factors such as sector, data sensitivity, and regulatory priorities.

  2. Scalable oversight. Apply policies at scale to quickly identify and raise risks with non-compliant suppliers.

  3. Centralised evidence. Suppliers’ answers and documentation are stored in one secure platform, simplifying the assessment process and eliminating the need to manage evidence collection separately for each entity.

  4. Streamlined communication. All discussions and follow-ups are centralised in the platform, avoiding the need to search through emails for responses.

It is important to note that Risk Ledger will not generate a CAF assessment for each supplier. Instead, the SAF answers and documentation provide a body of evidence that you can use to determine whether any IGPs have been achieved and demonstrated, and therefore the assessment level of each contributing outcome (e.g., Achieved, Partially Achieved, or Not Achieved).

The CAF is designed to be flexible, allowing organisations to prioritise different contributing outcomes based on sector, resilience goals, and regulatory requirements. Additionally, organisations can focus on the outcomes that are needed for resilience in their particular sector. Finally, different levels of rigour can be applied to different suppliers based on size, role, and resources. This flexibility enables you to determine the appropriate level and detail of evidence needed to assess each IGP and contributing outcome.

This flexibility is also why Risk Ledger does not perform a CAF assessment for you directly. Instead, Risk Ledger accelerates the first stage of the process - helping you understand the security controls a supplier has in place - so that you can conduct your own assessment in a way that fits within your own context and risk appetite.

An Example: A1.a Board Direction

Step One: Identify Priority CAF Outcomes

Decide which CAF principles and contributing outcomes are most critical for your suppliers to demonstrate resilience. These will be the outcomes you focus on for this supplier (and possibly others).

Step Two: Determine Relevant Controls

Identify which SAF Controls will provide you with the responses and documentation needed for your assessment. This is not a one-to-one mapping: meeting a specific control (or set of controls) does not automatically mean an IGP is demonstrated or that a contributing outcome is achieved. However, these controls can be the basis of your evidence and help identify where further supplier engagement or evidence may be required.

Example: A1.a Board Direction

"You have effective organisational security management led at board level and articulated clearly in corresponding policies."

Evidence can be gathered from some SAF controls, including:

  • A1. Does your organisation conduct an annual independent information security review and act upon the findings?

  • A2. Does your organisation have an appointed person responsible for information security, such as a CISO?

  • A16. Are your organisation's information security policies reviewed and approved by senior management at least annually?

  • A17. Has your organisation documented senior management roles and responsibilities for security within your organisation?

These controls, together with the other questions in the Security Governance domain, can help you understand the overall governance maturity of a supplier.

However, these controls are designed to address governance topics across multiple frameworks, and therefore cannot have a one-to-one mapping with CAF IGPs.

Therefore, simply answering “Yes” to these controls may not confirm that any IGPs for A1.a have been met. To fully assess this, you may need to:

  • Understand the specific management structure of the supplier (i.e., whether there is a formal board or a different governance hierarchy)

  • Clarify whether the person named in SAF A2 is the person accountable for security, or whether that responsibility lies elsewhere

  • Determine how frequently risks are reviewed (e.g., the frequency of Audit and Risk Committee meetings)

The extent of any additional investigation should be proportionate to the supplier's size, role, and available resources.

Step Three: Define Evidence Requirements

Instruct suppliers on the documentation required when providing their SAF responses. This documentation can be used to not only validate their response, but also to provide additional context and evidence needed to support your CAF assessment. By using Discussions to share consistent guidance across your supplier network, you can standardise the quality of evidence received, reduce the time spent chasing missing information, and make it easier to assess CAF status across all suppliers.


Summary

Risk Ledger can support your organisation’s CAF assessment by providing a baseline body of evidence to demonstrate your achievement level against Principle A4: Supply Chain. Many clients have had this outcome assessed as Achieved by using the platform to demonstrate the relevant IGPs. Additionally, by connecting to your suppliers, you can use Risk Ledger to gather structured evidence at scale.

While Risk Ledger does not provide an automatic CAF assessment in either use case, it enables you to generate a comprehensive body of evidence, allowing you to conduct consistent assessments and track progress of your suppliers in a single place. And through this, many organisations using Risk Ledger have been able to demonstrate ‘achieved’ status for principle A4 to their auditor.

