NCSC Cyber Assessment Framework, version 4.0

Cyber Assessment Framework and GovAssure Readiness

The Cyber Assessment Framework is now the standard the UK government and regulators measure you against. Whether you face a GovAssure review or a NIS assessment from your regulator, the question is the same: can you evidence the outcomes, not just describe them? We get you ready. We score you against the framework, find the gaps, prove the technical controls, and hand you a clear plan to close them.

  • Grounded in the NCSC Cyber Assessment Framework, current to version 4.0.
  • Readiness, gap analysis and remediation for GovAssure and NIS.
  • Technical outcomes evidenced by CREST-qualified and Cyber Scheme testers, not just reviewed on paper.
  • An IASME Certification Body since 2014. Real assessment heritage.
  • North East based. Delivered UK-wide.

The framework

What the CAF is

The NCSC's method for judging how resilient your essential functions are to cyber attack. Written as outcomes, not a checklist. It asks what you have achieved, then expects evidence.

It is built on 4 objectives and 14 principles. Each principle breaks down into contributing outcomes, scored against Indicators of Good Practice as Achieved, Partially Achieved or Not Achieved.

  1. Managing security risk

    Governance, risk management, asset management, supply chain.

  2. Protecting against cyber attack

    Policies and processes, identity and access control, data security, system security, resilient networks, staff awareness and training.

  3. Detecting cyber security events

    Security monitoring and threat hunting.

  4. Minimising the impact of incidents

    Response and recovery planning, and lessons learned.

The NCSC Cyber Assessment Framework (CAF) has 4 objectives and 14 principles, scored as Achieved, Partially Achieved or Not Achieved. The current version is CAF v4.0, released August 2025.

The scheme

What GovAssure is

The UK government's cyber security assurance scheme. Run by the Government Security Group in the Cabinet Office with the NCSC, launched in 2023 under the Government Cyber Security Strategy 2022 to 2030. It measures government organisations' critical systems against the CAF, every year, in five stages.

  1. Organisational context

    Define your essential services, mission and threat picture.

  2. In-scope systems

    Identify your critical systems and assign each a government CAF profile: Baseline or Enhanced.

  3. CAF self-assessment

    Assess those systems against the framework.

  4. Independent Assurance Review

    An independent reviewer validates the self-assessment.

  5. Targeted Improvement Plan

    Gaps are turned into a plan to close them.

Where we fit, stated plainly

From April 2026, the Stage 4 Independent Assurance Review can only be delivered by a provider on the NCSC Cyber Resilience Audit scheme. That is a deliberately independent role, and it is not ours. We work Stages 1, 2, 3 and 5: we get you ready, score you honestly, evidence your controls, and build the improvement plan, so the independent review is a confirmation, not a surprise.

The audience

Who needs this

Government departments and ALBs

Central government departments and arm's length bodies facing an annual GovAssure review against a Baseline or Enhanced profile.

Operators of essential services

Assessed against the CAF by a sector regulator under the NIS Regulations: energy, health, water, transport, digital infrastructure and more.

Critical national infrastructure

CNI operators, and the widening pool of organisations being drawn in as UK cyber legislation expands.

Suppliers to government and CNI

Asked to demonstrate CAF-aligned controls through supply-chain assurance.

The work

What we do

We do the readiness work, the largest and most useful part of the journey. Then we hand over cleanly.

  1. Scope and define your profile

    We help you identify your essential functions and in-scope systems, and pin the right target: Baseline or Enhanced. Get this wrong and everything downstream is wrong.

  2. Assess against all 14 principles

    A structured review across Objectives A to D, scoring each contributing outcome as Achieved, Partially Achieved or Not Achieved, the way an assessor will.

  3. Evidence the technical controls, not just the policies

    This is where we are different. Our CREST-qualified and Cyber Scheme testers prove the Objective B and C outcomes (system security, access control, monitoring) by testing them, not just by reading the documentation.

  4. Hand you the heatmap

    A clear CAF scoring picture and a board-ready summary: where you stand against your target profile, and what matters most.

  5. Build the remediation roadmap

    Prioritised, RAG-rated actions mapped to your deadline, with each gap tied to the evidence an assessor will want to see.

  6. Support the uplift

    We help you close the gaps and get review-ready, then hand over to your independent CRA assessor with nothing left to explain.

The services

Our CAF readiness services

| Service | What it is | Best for |
| --- | --- | --- |
| CAF briefing | A working session on the framework, your profile and what a review will expect. | First exposure to CAF or GovAssure. |
| CAF gap analysis | Full scoring against the 14 principles, a heatmap, and a prioritised roadmap. | Knowing exactly where you stand. |
| Technical control validation | CREST-qualified and Cyber Scheme testers evidence the Objective B and C outcomes. | Proving controls, not just claiming them. |
| Remediation and uplift | Hands-on help closing the gaps to your target profile. | Getting from amber to green before review. |
| Audit-ready handover | A clean, evidenced position passed to your independent CRA assessor. | Going into Stage 4 with confidence. |

The partner

Why get CAF ready with Layer 7

Most CAF readiness is documentation led. A consultant reads your policies and marks a spreadsheet. That is half the job. We prove the technical outcomes the framework demands, and we are honest about where the independent review begins.

We evidence, we don't just review

As an assessment body since 2014, with in-house CREST-qualified and Cyber Scheme testers, we prove the technical outcomes the framework demands. Tested controls, not asserted ones.

We are honest about the lines

We do readiness and remediation, and we say plainly that the independent review is a separate, CRA-gated role. No blurring the assessor and the assessed.

We speak plainly

CRA, CAA ASSURE, GovAssure, NIS: we cut through the acronyms so you know exactly what applies to you and what does not.

We do the whole lifecycle

Secure, assure and manage, under one roof. Cyber Essentials sets the baseline, CAF readiness takes you further, penetration testing proves it.

A Certification Body since 2014: one of the longest-standing in the UK. Government-grade rigour, made practical.

The process

How it works

Five steps, fixed price, clear deliverables. We get you audit-ready, then hand over cleanly to your independent assessor.

  1. Scope

    We confirm whether you are GovAssure, NIS or supplier-driven, and fix your target profile. Fixed price, clear deliverables.

  2. Assess

    We score you against all 14 principles and evidence the technical outcomes.

  3. Report

    A CAF heatmap, a board-ready summary, and a prioritised remediation roadmap.

  4. Uplift

    We help you close the gaps that matter most before your review.

  5. Hand over

    A clean, evidenced position, ready for your independent CRA assessor.

Across the lifecycle

Beyond CAF readiness

CAF connects to the rest of what we do. Cyber Essentials proves the baseline controls and maps onto parts of Objective B, penetration testing evidences the technical outcomes, and supply chain assurance extends the same rigour to your suppliers, which is exactly what CAF Principle A4 expects. One firm, across the lifecycle.

Questions

CAF and GovAssure FAQs

What is the Cyber Assessment Framework (CAF)?

The CAF is the NCSC's outcomes-based method for assessing how resilient an organisation's essential functions are to cyber attack. It has 4 objectives and 14 principles, scored as Achieved, Partially Achieved or Not Achieved against Indicators of Good Practice. The current version is CAF v4.0, released August 2025.

What is GovAssure?

GovAssure is the UK government's annual cyber assurance scheme, run by the Government Security Group with the NCSC since 2023. It assesses government organisations' critical systems against the CAF, across five stages, from scoping to a Targeted Improvement Plan.

Is GovAssure mandatory, and who needs to comply?

GovAssure applies to central government departments and selected arm's length bodies, which undergo an annual independent review against a Baseline or Enhanced CAF profile. Operators of essential services face CAF assessment separately, through their sector regulator under the NIS Regulations.

What are the stages of GovAssure?

Five: organisational context; identifying in-scope systems and assigning a Baseline or Enhanced CAF profile; CAF self-assessment; an Independent Assurance Review; and a Targeted Improvement Plan to close the gaps.

What is a CAF gap analysis?

A structured review that scores your organisation against all 14 CAF principles, shows where you stand against your target profile as a heatmap, and gives you a prioritised roadmap to reach it. It is how you find the gaps before an assessor does.

What changed in CAF 4.0?

CAF v4.0, released August 2025, added a stronger focus on attacker methods and threat-informed risk, a new section on secure software development, updated security monitoring and threat hunting, and improved coverage of AI-related cyber risks. It remains 4 objectives and 14 principles.

What is the difference between the CAF and ISO 27001?

The CAF is outcomes-based, non-certifiable and aligned to sector threats; you demonstrate achieved outcomes. ISO 27001 is process-based and certifiable against a defined management system. They overlap and can be mapped, but they are not the same thing.

Can Layer 7 carry out our GovAssure independent review?

No, and we will tell you so plainly. From April 2026 the Stage 4 Independent Assurance Review can only be delivered by a provider on the NCSC Cyber Resilience Audit scheme. We do the readiness, gap analysis, technical evidencing and remediation, then hand over to your independent assessor.

How is CAF different from Cyber Essentials Plus?

Cyber Essentials Plus proves five baseline technical controls through a hands-on audit. The CAF is far broader and outcomes-based, covering governance, risk, supply chain, detection and incident response across 14 principles. Cyber Essentials is a strong foundation that maps onto parts of CAF Objective B.

How long does CAF readiness take?

It depends on the number of in-scope systems and your target profile. A gap analysis for a mid-sized organisation is typically a few weeks; remediation runs longer, driven by the gaps found. We scope and fix the price up front.

Walk into your CAF review already knowing the answer

We score you against the framework, prove the technical controls, and hand you a clear plan to close the gaps, so your independent review confirms what you already know, from an assessment body that has done this since 2014.