Magma Cloud

Document: NCSC CAF Self-Check Scorecard

Framework: NCSC CAF v3.2

Version: 1.0 — June 2026

Organisation: ___________________________

Date: ___________________________

NCSC CAF Self-Check Scorecard

Use this scorecard to conduct a preliminary self-assessment against the NCSC Cyber Assessment Framework (CAF). Rate each of the 14 principles across the four CAF objectives. This scorecard is a starting point — a full CAF assessment requires documented evidence against each Contributing Outcome.

About the NCSC CAF: The Cyber Assessment Framework provides a systematic approach to assessing organisational cyber risk management. It is required for UK public sector bodies, critical national infrastructure operators, and organisations subject to NIS Regulations. The CAF covers 4 objectives and 14 principles, each with defined Contributing Outcomes used as evidence of achievement.

Rating key:
Not achieved
Partially achieved
Achieved
Not applicable

Objective A — Managing Security Risk

Understanding your organisation's exposure to cyber risk and putting appropriate governance in place

Principle | Name & Focus | Rating | Notes / Evidence Gap
A1 | Governance: board-level ownership of cyber risk; security policy; roles and responsibilities defined | ○ Not ○ Part ○ Achieved ○ N/A | ___________________________
A2 | Risk Management: cyber risk identification, assessment, and treatment process; risk register maintained | ○ Not ○ Part ○ Achieved ○ N/A | ___________________________
A3 | Asset Management: inventory of systems, data, and network connections; understanding of data flows and dependencies | ○ Not ○ Part ○ Achieved ○ N/A | ___________________________
A4 | Supply Chain: understanding of supply chain dependencies; third-party risk management and assurance | ○ Not ○ Part ○ Achieved ○ N/A | ___________________________

Objective B — Protecting Against Cyber Attack

Proportionate technical and organisational controls to protect your networks, systems, and data

Principle | Name & Focus | Rating | Notes / Evidence Gap
B1 | Service Protection Policies & Processes: security policies and processes that govern how essential services are protected | ○ Not ○ Part ○ Achieved ○ N/A | ___________________________
B2 | Identity & Access Control: understanding of who has access to what; strong authentication; least privilege principle | ○ Not ○ Part ○ Achieved ○ N/A | ___________________________
B3 | Data Security: data classification, protection in transit and at rest, access control, backup and recovery | ○ Not ○ Part ○ Achieved ○ N/A | ___________________________
B4 | System Security: secure configuration, patch management, vulnerability management, endpoint protection | ○ Not ○ Part ○ Achieved ○ N/A | ___________________________
B5 | Resilient Networks & Systems: network architecture designed to limit the impact of an attack; segregation; resilience and redundancy | ○ Not ○ Part ○ Achieved ○ N/A | ___________________________
B6 | Staff Awareness & Training: security culture; awareness training; role-specific training for privileged users | ○ Not ○ Part ○ Achieved ○ N/A | ___________________________

Objective C — Detecting Cyber Security Events

Capability to detect and understand cyber security events affecting your networks and systems

Principle | Name & Focus | Rating | Notes / Evidence Gap
C1 | Security Monitoring: monitoring of systems, networks, and user activity; log collection; alert triage and review | ○ Not ○ Part ○ Achieved ○ N/A | ___________________________
C2 | Proactive Security Event Discovery: threat hunting, vulnerability scanning, penetration testing, and cyber threat intelligence | ○ Not ○ Part ○ Achieved ○ N/A | ___________________________

Objective D — Minimising the Impact of Cyber Security Incidents

Capability to respond to and recover from cyber security incidents, minimising the impact on essential services

Principle | Name & Focus | Rating | Notes / Evidence Gap
D1 | Response & Recovery Planning: incident response plan; defined roles; communication plan; recovery objectives documented | ○ Not ○ Part ○ Achieved ○ N/A | ___________________________
D2 | Lessons Learned: post-incident reviews; improvements captured and tracked; testing of response capability | ○ Not ○ Part ○ Achieved ○ N/A | ___________________________

Self-Assessment Summary

Not Achieved: ___
Partially Achieved: ___
Achieved: ___
Not Applicable: ___

Priority Gaps & Next Actions