Cyber Horizon
Back to Blog
UK CAFCritical InfrastructureUK

The UK Cyber Assessment Framework (CAF): A Practical Guide

28 June 2026·8 min read·Cyber Horizon Team

The Cyber Assessment Framework (CAF) is the NCSC’s method for assessing how well an organisation manages cyber risk to its essential functions. If you operate UK critical infrastructure, fall under the NIS Regulations, or are a government department in the GovAssure regime, the CAF is the lens your regulator looks at you through — and unlike checklist standards, it is unapologetically outcome-based.

The structure: 4 objectives, 14 principles

ObjectivePrinciples
A — Managing security riskGovernance; risk management; asset management; supply chain.
B — Protecting against cyber attackService protection policies & processes; identity & access control; data security; system security; resilient networks & systems; staff awareness and training.
C — Detecting cyber security eventsSecurity monitoring; proactive security event discovery.
D — Minimising the impact of incidentsResponse and recovery planning; lessons learned.

Each principle breaks into contributing outcomes (39 in all), and each outcome is assessed as Achieved, Partially Achieved or Not Achieved using published Indicators of Good Practice (IGPs).

Why “outcome-based” changes the game

Checklist frameworks ask “do you have a policy?”. The CAF asks “is the outcome actually achieved — and can you show it?”. The IGPs describe what good looks like, but they are indicators, not requirements: you can meet an outcome a different way, and you can fail it while ticking every box. Two consequences follow:

  • Evidence beats documentation. An assessor wants to see monitoring that catches things and recovery plans that have been exercised — not shelfware.
  • Your target profile matters. Regulators set which outcomes must be Achieved vs Partially Achieved for your sector; know your profile before you gap-assess.

Who uses the CAF

  • Operators of essential services under the NIS Regulations — energy, water, transport, health, digital infrastructure — assessed by their sector regulator.
  • Central government departments via GovAssure, which reviews systems against CAF profiles.
  • CNI operators and, increasingly, public bodies (e.g. in health and local government) adopting the CAF as their assurance baseline.
  • Suppliers into all of the above — expect CAF-shaped questions in due-diligence even if you’re not directly regulated.

CAF vs ISO 27001 vs Cyber Essentials

They answer different questions. Cyber Essentials verifies five baseline technical controls. ISO 27001 certifies that a management system exists and operates. The CAF assesses whether security outcomes for your essential function are genuinely achieved. They stack well: an ISO 27001 ISMS gives you the machinery (risk, assets, incidents, evidence) that CAF assessments draw on — but expect the CAF to probe operational reality harder, especially monitoring (Objective C) and exercised response (Objective D), the two areas most organisations score weakest.

Preparing for a CAF assessment

  • Define the essential function first — scope flows from what the function depends on, not from your org chart.
  • Get the target profile from your regulator and gap-assess outcome by outcome against the IGPs.
  • Prioritise Objectives C and D: demonstrable monitoring coverage and an incident-response plan exercised in the last year.
  • Interrogate supply-chain risk (Principle A4) — recent updates put heavier weight on supplier assurance.
  • Keep evidence per contributing outcome, mapped once to your control library so ISO/CE evidence is reused, not recreated.
  • Self-assess honestly; assessors respect a candid Partially Achieved with a plan far more than an inflated Achieved.

The bottom line

The CAF is the UK’s most consequential assurance framework for critical services, and it rewards exactly one thing: security that demonstrably works. Build your programme on a shared control library, keep living evidence, and the CAF becomes a view over work you’ve already done.

Assess once, answer the CAF and 71 other frameworks

Cyber Horizon maps the UK CAF into the same control library as ISO 27001, Cyber Essentials and NIS2 — with evidence, incidents and exercises tracked where assessors expect to find them.

Book a Demo