Assessment

NCSC CAF Assessment & Compliance

Independent NCSC Cyber Assessment Framework (CAF) assessment for UK public sector, CNI, and regulated organisations. All 14 principles. Structured scoring. Evidence gap analysis. A prioritised improvement plan built to prepare you for regulatory review — before the regulator asks.

From £TBC — fixed fee, scoped after your Ignite Assessment

The Challenge

CAF compliance is complex. Evidence gaps are the most common failure point.

The NCSC Cyber Assessment Framework is comprehensive and demanding — 14 principles across four objectives, each with indicators of good practice that require both technical controls and documented evidence. Many organisations in scope for CAF have reasonable security controls in place, but struggle with the evidence and documentation layer that regulators need to assess their achievement level. A gap between your actual security posture and your demonstrable security posture is what catches organisations out.

Our CAF assessment works through all 14 principles collaboratively with your team — scoring your current position, identifying evidence gaps, and producing a clear picture of where you are versus where you need to be. For organisations facing formal regulatory assessment, we run the independent CAF engagement as preparation — so there are no surprises when the regulator assesses you.

What We Deliver

NCSC CAF Services

What we deliver
  • Full CAF assessment across all 14 principles
  • Achievement level scoring per principle
  • Evidence gap analysis & documentation review
  • Indicator of Good Practice (IGP) mapping
  • Prioritised improvement plan
  • CAF assessment report for regulatory submission
  • Pre-assessment preparation support
  • Remediation implementation (optional)

Outcomes you can measure
  • Structured CAF scores across all principles
  • Evidence gaps closed before regulatory review
  • Regulatory-ready documentation
  • No surprises at formal assessment
  • Clear improvement roadmap

Four CAF objectives covered
  • Managing security risk
  • Protecting against cyber attack
  • Detecting cyber security events
  • Minimising impact of incidents

How It's Delivered

The Magma Cloud Lifecycle

The CAF assessment spans the first two phases of our lifecycle. If you then want to close the gaps we find, we work through the remaining phases with you — implementing controls and building evidence.

  • 01 Strategy
  • 02 Assess
  • 03 Implement
  • 04 Optimise
  • 05 Manage
  • 06 Assure

Common Questions

Frequently Asked Questions

The NCSC CAF is a framework for assessing the cyber security of organisations that operate essential services or perform sensitive public functions. It covers 14 cyber security principles across four objectives: managing security risk, protecting systems and data, detecting cyber security events, and minimising the impact of incidents. It's the required standard for many UK public sector and CNI organisations under the NIS Regulations.

The CAF is required for organisations designated as Operators of Essential Services (OES) under the NIS Regulations, and is widely adopted across UK central government, local authorities, NHS trusts, and other public sector bodies. Many regulated organisations also choose to use it as a voluntary benchmark for their cyber security programme — it's a rigorous, well-structured framework regardless of regulatory obligation.

We work through all 14 CAF principles and their associated indicators of good practice (IGPs) with your team. For each principle, we assess your current controls and evidence, score your achievement level against the CAF scoring criteria, and identify evidence gaps. The output is a structured CAF assessment report with scores, evidence gaps, and a prioritised improvement plan aligned to the CAF objectives.

A standard CAF assessment typically takes three to five weeks depending on organisational size, complexity, and the availability and quality of existing documentation and evidence. We work collaboratively with your technical leads, policy owners, and relevant stakeholders throughout — accurate scoring requires access to people and documentation, not just technology.

Yes — pre-regulatory preparation is a significant part of our CAF work. By working through the full CAF with us first, you understand your current scores, close your evidence gaps, and remediate significant control gaps before regulators assess you formally. Our assessment uses the same framework and scoring approach as regulators, so there are no surprises when formal assessment takes place. We also support you in understanding how to evidence your controls compellingly.

Start with a Free Ignite Assessment

The Ignite Assessment

A free 30-minute call with a senior security architect. For CAF, you leave with a sense of which principles are most likely to have gaps, what the evidence challenges are likely to be, and whether a full CAF assessment engagement is the right next step. No pitch deck, no obligation.

  • Free — no charge, no catch
  • 30 minutes with a senior architect
  • CAF-specific, honest assessment
  • No obligation to proceed

NCSC CAF Specialists

Book Your Ignite Assessment

Whether you need a full independent CAF assessment, pre-regulatory preparation, or remediation support — we'll tell you exactly where you stand against the framework.
