Use this scorecard to conduct a preliminary self-assessment against the NCSC Cyber Assessment Framework (CAF). Rate each of the 14 principles across the four CAF objectives. This scorecard is a starting point — a full CAF assessment requires documented evidence against each Contributing Outcome.
Understanding your organisation's exposure to cyber risk and putting appropriate governance in place
| Principle | Name & Focus | Rating | Notes / Evidence Gap |
|---|---|---|---|
| A1 | Governance: board-level ownership of cyber risk; security policy; roles and responsibilities defined | | |
| A2 | Risk Management: cyber risk identification, assessment, and treatment process; risk register maintained | | |
| A3 | Asset Management: inventory of systems, data, and network connections; understanding of data flows and dependencies | | |
| A4 | Supply Chain: understanding of supply chain dependencies; third-party risk management and assurance | | |
Proportionate technical and organisational controls to protect your networks, systems, and data
| Principle | Name & Focus | Rating | Notes / Evidence Gap |
|---|---|---|---|
| B1 | Service Protection Policies & Processes: security policies and processes that govern how essential services are protected | | |
| B2 | Identity & Access Control: understanding of who has access to what; strong authentication; least privilege principle | | |
| B3 | Data Security: data classification, protection in transit and at rest, access control, backup and recovery | | |
| B4 | System Security: secure configuration, patch management, vulnerability management, endpoint protection | | |
| B5 | Resilient Networks & Systems: network architecture designed to limit the impact of an attack; segregation; resilience and redundancy | | |
| B6 | Staff Awareness & Training: security culture; awareness training; role-specific training for privileged users | | |
Capability to detect and understand cyber security events affecting your networks and systems
| Principle | Name & Focus | Rating | Notes / Evidence Gap |
|---|---|---|---|
| C1 | Security Monitoring: monitoring of systems, networks, and user activity; log collection; alert triage and review | | |
| C2 | Proactive Security Event Discovery: threat hunting, vulnerability scanning, penetration testing, and cyber threat intelligence | | |
Capability to respond to and recover from cyber security incidents, minimising impact to essential services
| Principle | Name & Focus | Rating | Notes / Evidence Gap |
|---|---|---|---|
| D1 | Response & Recovery Planning: incident response plan; defined roles; communication plan; recovery objectives documented | | |
| D2 | Lessons Learned: post-incident reviews; improvements captured and tracked; testing of response capability | | |