NCSC Cyber Assessment Framework (CAF)

Strengthen cyber resilience, manage risk to essential functions and demonstrate compliance with NCSC expectations

What is the NCSC Cyber Assessment Framework?

The Cyber Assessment Framework (CAF) is a UK‑developed framework from the National Cyber Security Centre (NCSC) to help organisations assess whether their cyber security and resilience measures adequately protect their essential functions.

Unlike prescriptive standards, the CAF focuses on outcomes, helping organisations understand how well they:

– Manage cyber risk
– Protect against cyber attack
– Detect security events
– Minimise the impact of incidents

The CAF is widely used across regulated sectors such as energy, healthcare, transport, government, digital infrastructure and other operators of essential services.

How CAF can benefit your organisation

Regulatory Confidence

– Demonstrate compliance with NCSC and regulator expectations under the NIS Regulations
– Reduce the risk of financial losses

Improved Cyber Resilience

Ensure essential services continue to operate despite cyber threats

Risk-Based Decision Making

Focus investment on areas that genuinely reduce risk to critical functions

Stronger Governance & Accountability

Embed clear ownership, oversight and decision‑making for cyber risk at all levels of the organisation

Clear Maturity Insight

Understand where your business is positioned against CAF profiles (Basic or Enhanced)

Improved Incident Preparedness & Recovery

Strengthen your ability to detect, respond to and recover from cyber incidents, reducing disruption to essential services

Our NCSC CAF Support Services

Gap analysis

CAF Gap Analysis and Maturity Assessment

Assess current practices against CAF Objectives, Principles and Contributing Outcomes

Risk-Based Improvement Plan

Develop a prioritised roadmap aligned to organisational risk and regulatory expectations

Evidence and Assurance Support

Help prepare documentation and evidence for internal review or external assessment

Maintain & Improve

Support ongoing maturity improvements as threats, guidance and CAF versions evolve

Why choose Teamwork IMS?

Experienced Professionals

Teamwork IMS is a leading provider of Compliance and Sustainability solutions to a wide range of business sectors worldwide. Our solutions support compliance, expedite ISO certification, promote sustainability and drive improvement initiatives. Our team of professionals includes MBCI, GDPR, ISEP, ESOS and ISO Lead Assessors, CMIOSH and CISSP holders, and PCI Security Standards Council QSA qualified consultants.

Multi-disciplinary team

Our knowledge and experience across a broad base of management and technical Standards make us uniquely equipped to help organisations to develop an information security management system and integrate with existing management systems to achieve significant savings and efficiencies.

Part of your business

The continued success of both the project delivery and maintenance phases of our Compliance and Sustainability programmes is built on two key principles:

– The exceptional insight of our consultants, who consistently go beyond the Standards and services to identify, define and align with the core business drivers that truly matter to our clients.

– Our unique ability to integrate effortlessly with our clients’ teams, fostering collaboration and trust, and becoming a valued extension of their operations.

Global credentials

We have developed and led IAF National accredited ISO as well as other Standard and compliance-based service improvement programmes for private and public-sector organisations across an international client base.

How can Teamwork IMS help?

  • Experienced cyber and compliance consultants
  • Practical, proportionate CAF interpretation
  • Alignment with ISO 27001, NIS and regulatory frameworks
  • Clear, jargon‑free advice
  • Supportive approach
  • Focus on outcomes, not tick‑box compliance

Related Standards

ISO 27001 Consultancy

ISO 27001

Information Security Management System Certification (ISMS)

Cyber Essentials

UK Government‑backed scheme to protect against common cyber threats

Managed Compliance

Support compliance, expedite ISO certification, promote sustainability and drive improvement initiatives

ISO 22301

Business Continuity Management

Frequently asked questions

What is the NCSC Cyber Assessment Framework (CAF)?

The NCSC Cyber Assessment Framework (CAF) is a UK Government framework designed to help organisations understand, assess and improve their cyber security and resilience. It focuses on ensuring that essential functions and services continue to operate, even in the face of cyber incidents.

Rather than prescribing specific technical controls, CAF is outcome‑based. It assesses how effectively an organisation manages cyber risk across four high‑level objectives: governance and risk management, protection against cyber attack, detection of security events, and minimising the impact of incidents. This approach allows organisations to take a proportionate, risk‑led view of cyber security that reflects their actual operational needs.

CAF is widely used across sectors such as healthcare, energy, transport, digital infrastructure and government and is increasingly adopted as a benchmark for good cyber resilience beyond regulated environments.

Do we need to be regulated to use the CAF?

No. While the CAF was created to support organisations regulated under the NIS Regulations and those operating Critical National Infrastructure (CNI), it is not limited to regulated organisations.

Many public sector bodies and private organisations adopt CAF voluntarily as a way to benchmark their cyber resilience, understand gaps and demonstrate good governance to customers, partners and stakeholders. Because CAF focuses on outcomes rather than certification, it can be applied flexibly across a wide range of organisational sizes and maturity levels.

For organisations that are not regulated, CAF provides a credible, government‑backed framework that supports risk‑based decision‑making and long‑term resilience planning.

How does CAF differ from standards like ISO 27001 or Cyber Essentials?

CAF differs from ISO 27001 and Cyber Essentials in that it is not a certifiable standard and does not prescribe a fixed set of controls. Instead, it defines what “good” looks like in terms of cyber resilience outcomes and expects organisations to demonstrate that these outcomes are being achieved.

ISO 27001 provides a structured Information Security Management System (ISMS) and Cyber Essentials focuses on baseline technical controls. Both can be extremely valuable in supporting CAF outcomes and are often used as evidence sources within CAF assessments.

Many organisations successfully use CAF alongside ISO 27001 and Cyber Essentials, using CAF as the overarching resilience framework and the other standards to implement and maintain practical controls.

How can Teamwork IMS support our CAF journey?

Teamwork IMS provides practical, proportionate support to help organisations navigate CAF without unnecessary complexity. We start by understanding your organisation, your essential services and your risk profile, ensuring that CAF activities are focused on what really matters to your operations.

Our support includes CAF gap assessments, maturity reviews, improvement planning and evidence preparation. We also help organisations align CAF with existing standards such as ISO 27001, Business Continuity and Cyber Essentials, avoiding duplication and maximising value from existing investments.

Most importantly, we take a collaborative, plain‑English approach, helping you embed CAF outcomes into everyday practices rather than treating them as a one‑off compliance exercise.

What is CAF 4.0 and how does it differ from earlier versions?

CAF 4.0 is the latest iteration of the NCSC Cyber Assessment Framework and reflects the evolving cyber threat landscape and increased regulatory expectations. While the four high‑level objectives remain unchanged, CAF 4.0 raises the bar on how organisations are expected to demonstrate effective cyber resilience.

Greater emphasis is placed on threat‑informed assurance, meaning organisations must show they understand the types of attackers they face and that their controls are effective against more capable and persistent threats. CAF 4.0 also increases expectations around security monitoring, detection capabilities and the use of intelligence to identify emerging risks.

Organisations transitioning to CAF 4.0 may need stronger evidence, clearer links between risk, controls and outcomes, and more mature monitoring and response processes. Teamwork IMS can help interpret these changes and support a structured, risk‑based transition to CAF 4.0.
