
NCSC CAF in plain English:
what UK organisations actually need to evidence

The Cyber Assessment Framework sets out what good looks like — but translating its 14 principles into practice is where organisations get stuck. This article walks through each one and explains what “achieved” actually means.

The NCSC Cyber Assessment Framework (CAF) is the UK's primary tool for evaluating the cyber security of organisations operating essential services and critical national infrastructure. It's also increasingly used by public sector organisations — local authorities, NHS bodies, higher education — as the reference framework for cyber security governance, even where they're not formally in scope for NIS regulations.

The problem is that the CAF is written in the language of security professionals, not operational managers. Fourteen principles, dozens of contributing outcomes, hundreds of indicators of good practice. Most organisations that engage with it do so through a formal assessment — but even then, the evidence-gathering process often feels like guesswork.

This article walks through each of the four objectives and their constituent principles, and explains — in plain terms — what the assessors are actually looking for.

Objective A: Managing Security Risk

This objective is about governance — the structures, processes, and decisions that shape how your organisation manages cyber risk. It's the foundation everything else sits on.

A1 — Governance

Assessors want to see that someone with real authority owns cyber security — not just on paper, but in practice. That means documented responsibilities, a named individual at the leadership level, and evidence that cyber risk is considered in business decisions. A policy document alone is not sufficient; you need to show that the governance framework is active and that decisions are being made within it.

A2 — Risk Management

You need a process for identifying, assessing, and treating cyber risks — and evidence that it's being used. This doesn't have to be sophisticated. What it does have to be is consistent and documented. A risk register that was created three years ago and never reviewed is not evidence of risk management; it's evidence of a risk register.

A3 — Asset Management

You need to know what you have. Assessors are looking for a documented inventory of your critical systems and data assets — maintained, not theoretical. Organisations consistently underestimate how hard this is in practice, particularly in environments with significant technical debt or distributed IT ownership.

A4 — Supply Chain

Your suppliers are part of your attack surface. A4 asks you to demonstrate that you have visibility of your key suppliers' security practices and that you're applying appropriate oversight. For most organisations, this means a combination of contractual requirements, supplier questionnaires, and periodic review — not a full audit of every third party, but proportionate assurance for your most critical dependencies.

Objective B: Protecting Against Cyber Attack

This is the largest objective — six principles covering the technical and organisational controls that reduce the likelihood and impact of a successful attack.

B1 — Service Protection Policies and Processes

You need policies that are proportionate to your risk profile and evidence that they're being followed. Policies that exist in a document management system but aren't actively enforced don't satisfy this principle. Assessors are looking for evidence that policies are communicated, understood, and applied in practice.

B2 — Identity and Access Control

This is one of the highest-impact principles in the CAF. Assessors want to see least-privilege access, multi-factor authentication for privileged accounts, a joiners/movers/leavers process that actually works, and evidence that access rights are reviewed periodically. Many organisations have partial controls here — MFA on some systems, manual leavers processes, no systematic access reviews. Partial coverage is what the CAF scores as "partially achieved", not "achieved", and the evidence assessors expect is the output of the reviews themselves: which accounts were checked, what was found, and what was removed.
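The kind of evidence B2 asks for can be generated rather than written up by hand. The script below is an added illustration, not code from the article or from Magma Cloud: it reconciles a constructed directory export against a constructed HR leavers feed and reports three things an assessor will ask about, namely enabled accounts belonging to people who have left, privileged accounts without MFA, and accounts idle beyond a review threshold. The account records, usernames and dates are all made up for the example; in practice the inputs would come from your directory (for example an AD or Entra ID export) and your HR system.

```python
from dataclasses import dataclass
from datetime import date
from typing import Optional


@dataclass(frozen=True)
class Account:
    username: str
    enabled: bool
    privileged: bool       # holds an admin role or group membership
    mfa_enrolled: bool
    last_logon: Optional[date]


# Constructed sample directory export (not from any real system).
ACCOUNTS = [
    Account("a.smith", True, True, True, date(2024, 5, 1)),
    Account("b.jones", True, False, False, date(2024, 4, 28)),   # left, still enabled
    Account("c.patel", True, True, False, date(2024, 4, 30)),    # privileged, no MFA
    Account("d.lee", True, False, False, date(2024, 1, 3)),      # idle for months
    Account("e.khan", False, False, False, date(2024, 2, 1)),    # left, correctly disabled
    Account("svc-backup", True, True, True, date(2024, 5, 1)),
]

# Constructed HR leavers feed: username -> last working day.
LEAVERS = {"b.jones": date(2024, 4, 19), "e.khan": date(2024, 2, 2)}


def orphaned_after_leaving(accounts, leavers, as_of):
    """Enabled accounts whose owner's last working day is already past:
    each one is a leavers-process failure."""
    return sorted(a.username for a in accounts
                  if a.enabled and a.username in leavers and leavers[a.username] < as_of)


def privileged_without_mfa(accounts):
    """Enabled privileged accounts that have not enrolled in MFA."""
    return sorted(a.username for a in accounts
                  if a.enabled and a.privileged and not a.mfa_enrolled)


def stale_accounts(accounts, as_of, max_idle_days=90):
    """Enabled accounts with no logon inside the review window (or none ever)."""
    return sorted(a.username for a in accounts
                  if a.enabled and (a.last_logon is None
                                    or (as_of - a.last_logon).days > max_idle_days))


def access_review(accounts, leavers, as_of, max_idle_days=90):
    """One dated review record: this is the artefact to keep as B2 evidence."""
    return {
        "review_date": as_of.isoformat(),
        "accounts_reviewed": len(accounts),
        "orphaned_leavers": orphaned_after_leaving(accounts, leavers, as_of),
        "privileged_without_mfa": privileged_without_mfa(accounts),
        "stale_accounts": stale_accounts(accounts, as_of, max_idle_days),
    }


if __name__ == "__main__":
    for key, value in access_review(ACCOUNTS, LEAVERS, date(2024, 5, 2)).items():
        print(f"{key}: {value}")
```

Run on a schedule and kept with the ticket numbers that closed each finding, the output is exactly the periodic review trail the principle asks for; an empty finding list on a dated record is still evidence, whereas a policy that says reviews happen is not.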

B3 — Data Security

Data classification, encryption in transit and at rest, and controls around the handling of sensitive data. For most organisations, the gap here is classification: data is protected in some ways, but nobody has systematically worked out what needs protecting most and why. Without classification, you can't apply proportionate controls.

B4 — System Security

Patching, configuration hardening, and reduction of attack surface. Assessors want to see that you have a systematic approach to keeping systems up to date and that you know when you're operating with known vulnerabilities. The reality in many organisations is a patching process that works reasonably well for some systems and is essentially absent for others.

B5 — Resilient Networks and Systems

Can your critical services withstand or recover from a cyber attack without catastrophic failure? This includes network segmentation, backup and recovery capability, and evidence that you've tested your resilience assumptions. Backups that have never been tested are a common gap — and a common discovery during actual incidents.

B6 — Staff Awareness and Training

People are consistently the most exploited attack vector. B6 asks for a training and awareness programme that goes beyond the annual click-the-button compliance module. Assessors want to see role-appropriate training, evidence that the training is effective, and a culture where staff feel able to report incidents without fear.

Objective C: Detecting Cyber Security Events

C1 — Security Monitoring

You need the capability to detect attacks and anomalous activity — and evidence that you're actually monitoring. This is the principle where many organisations have the biggest gap. Security event logging and monitoring is expensive to do well, and cheap implementations often don't generate the signal-to-noise ratio needed to be useful. Assessors want to see what you're monitoring, why, and how alerts are reviewed and acted on.
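What "monitoring, with alerts reviewed and acted on" looks like at the smallest scale is a rule that runs over the logs you already collect and produces something a person can triage. The following is an added example, not code from the article or from Magma Cloud: it parses a handful of constructed sshd-style authentication lines and raises an alert when one source address produces a burst of failed logins, escalating the alert if that address then logs in successfully. The log lines, addresses, usernames and the five-failures-in-two-minutes threshold are all assumptions for the illustration; a real deployment would read from your log pipeline and tune the threshold against observed noise.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample auth log lines (ISO timestamps); not a real capture.
LOG_LINES = [
    "2024-05-01T09:00:01 sshd[1201]: Accepted password for alice from 192.0.2.10 port 50122 ssh2",
    "2024-05-01T09:05:10 sshd[1300]: Failed password for invalid user admin from 203.0.113.5 port 41000 ssh2",
    "2024-05-01T09:05:12 sshd[1301]: Failed password for invalid user test from 203.0.113.5 port 41001 ssh2",
    "2024-05-01T09:05:15 sshd[1302]: Failed password for root from 203.0.113.5 port 41002 ssh2",
    "2024-05-01T09:05:19 sshd[1303]: Failed password for root from 203.0.113.5 port 41003 ssh2",
    "2024-05-01T09:05:22 sshd[1304]: Failed password for bob from 203.0.113.5 port 41004 ssh2",
    "2024-05-01T09:05:30 sshd[1305]: Failed password for bob from 203.0.113.5 port 41005 ssh2",
    "2024-05-01T09:05:41 sshd[1306]: Accepted password for bob from 203.0.113.5 port 41006 ssh2",
    "2024-05-01T09:20:00 sshd[1400]: Failed password for carol from 198.51.100.7 port 52000 ssh2",
    "2024-05-01T09:20:30 sshd[1401]: Accepted password for carol from 198.51.100.7 port 52001 ssh2",
    "2024-05-01T09:21:00 cron[77]: (root) CMD (run-parts /etc/cron.hourly)",
]

LINE_RE = re.compile(
    r"^(?P<ts>\S+) sshd\[\d+\]: (?P<result>Accepted|Failed) password for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<ip>\d+\.\d+\.\d+\.\d+)"
)


def parse_line(line):
    """Return an event dict for sshd auth lines, None for anything else."""
    m = LINE_RE.match(line)
    if not m:
        return None
    return {"ts": datetime.fromisoformat(m["ts"]), "result": m["result"],
            "user": m["user"], "ip": m["ip"]}


def detect_bruteforce(lines, threshold=5, window=timedelta(minutes=2)):
    """Alert when one source IP logs >= threshold failures inside `window`.
    A later successful login from that IP marks the alert as a likely compromise."""
    events = [e for e in map(parse_line, lines) if e is not None]
    events.sort(key=lambda e: e["ts"])
    recent = defaultdict(list)    # ip -> failure timestamps inside the window
    users = defaultdict(set)      # ip -> usernames tried
    alerts = {}                   # ip -> alert record
    for e in events:
        ip = e["ip"]
        if e["result"] == "Failed":
            users[ip].add(e["user"])
            bucket = recent[ip]
            bucket.append(e["ts"])
            while e["ts"] - bucket[0] > window:   # slide the window forward
                bucket.pop(0)
            if ip in alerts:
                alerts[ip]["failures"] += 1
                alerts[ip]["last_failure"] = e["ts"]
            elif len(bucket) >= threshold:
                alerts[ip] = {"ip": ip, "first_failure": bucket[0],
                              "last_failure": e["ts"], "failures": len(bucket),
                              "success_after": False}
        elif ip in alerts:
            alerts[ip]["success_after"] = True
    return [dict(a, users=sorted(users[a["ip"]]))
            for a in sorted(alerts.values(), key=lambda a: a["first_failure"])]


if __name__ == "__main__":
    for alert in detect_bruteforce(LOG_LINES):
        severity = "HIGH (success after failures)" if alert["success_after"] else "MEDIUM"
        print(f"{severity}: {alert['ip']} {alert['failures']} failures, users {alert['users']}")
```

The value for C1 is not the rule itself but the trail around it: where the alert goes, who looked at it, and what they did. The single carol failure from 198.51.100.7 correctly produces nothing, which is the other half of the point; a rule that fires on every failed login is one nobody reviews.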

C2 — Anomaly Detection

Monitoring is a prerequisite; this principle asks whether you have the capability to detect behaviour that deviates from baseline — not just known signatures. This typically requires more sophisticated tooling and, critically, baselining work that most organisations haven't done.

Objective D: Minimising the Impact of Cyber Security Incidents

D1 — Response and Recovery Planning

You need a documented incident response plan — one that includes cyber incidents specifically, not just general business continuity. Assessors want to see that the plan is tested, that roles and responsibilities are clear, and that there's a process for escalation and communication. An untested plan is a hypothesis, not a capability.

D2 — Lessons Learned

After incidents, exercises, and near-misses: do you learn from them? This principle is about the feedback loop — evidence that incidents are reviewed, that findings are acted on, and that the organisation's security posture improves over time as a result. It's the principle that separates organisations that are genuinely improving from those that are maintaining the appearance of security.

The evidence gap

The CAF is an outcomes-based framework. It doesn't mandate specific tools or approaches — it asks whether the outcomes are being achieved. Each contributing outcome is rated "achieved", "partially achieved" or "not achieved" against its indicators of good practice, and the indicators describe what an organisation at that level typically does rather than a fixed list of required controls. This is both its strength and the source of most organisations' confusion: there's no checklist to tick, and the assessor's judgment matters significantly.

The most common gap is not in controls — it's in evidence. Organisations often have better security than their documentation suggests, because the people doing the work haven't been building an evidence trail. Closing this gap is often the largest part of a CAF readiness programme.

Need a structured CAF assessment?

Magma Cloud delivers structured NCSC CAF assessments across all 14 principles, with a clear evidence gap analysis and a prioritised remediation plan. We've run these assessments for public sector organisations, combined authorities, and universities.


You can also download our NCSC CAF self-check scorecard — a structured tool for working through all 14 principles yourself before a formal assessment.