This guide explains how to prepare for a CAF assessment in a structured, evidence-led way, covering contributing outcomes, Indicators of Good Practice, shared evidence and QA.
Short answer: To prepare for a CAF assessment, organisations should map evidence to each contributing outcome, understand how Indicators of Good Practice affect scoring, pace the assessment across all objectives, review shared evidence carefully and build in quality assurance before submission. The strongest submissions are clear, evidence-led and consistent across all outcomes.
What Is the Cyber Assessment Framework?
The Cyber Assessment Framework, or CAF, is the UK National Cyber Security Centre’s framework for assessing cyber resilience. It helps organisations understand whether they are managing cyber risks effectively and whether essential services can continue operating during adverse cyber events.
The CAF is outcome-focused rather than a simple compliance checklist. Assessors review contributing outcomes and Indicators of Good Practice (IGPs) to determine whether each area is achieved, partially achieved or not achieved. CAF-based assessments may be completed as self-assessments or by an independent external entity, such as a regulator, cyber oversight body or suitably qualified assessor.
Who Needs to Complete a CAF Assessment?
The CAF is primarily designed for organisations operating essential services or supporting functions that are important to the UK’s resilience. This includes sectors such as energy, healthcare, transport, digital infrastructure, government and other regulated or high-impact environments.
In practice, organisations may complete a CAF assessment because they are subject to regulatory requirements, preparing for external oversight, supporting a critical service, participating in GovAssure or using the framework internally to improve cyber security and resilience.
How Does a CAF Assessment Work?
A CAF assessment reviews how well an organisation is meeting expected cyber security and resilience outcomes. The framework is structured around four high-level objectives, principles, contributing outcomes and Indicators of Good Practice. In CAF v4.0, the framework contains 41 contributing outcomes, so preparation needs to be structured, evidence-led and carefully quality assured.
For each contributing outcome, the assessor considers the organisation’s explanation, supporting evidence and relevant IGPs before assigning an assessment status. The outcome is not simply a tick-box exercise: evidence quality, context, consistency and professional judgement all matter.
How Should Organisations Prepare for a CAF Assessment?
The points below are the issues I see most often from an assessor’s perspective. They illustrate what you can do before submission to stay clear of trouble.
1. Pace the Assessment Across All Contributing Outcomes
First things first: pace yourself. A CAF assessment covers a large number of contributing outcomes, and it is often completed against a tight deadline. Trying to pull all your evidence together at the end creates unnecessary pressure for contributors, reviewers and external auditors.
Set a realistic target for how many contributing outcomes you’ll map evidence to each week and track progress against it. This helps you identify bottlenecks early, gives evidence owners enough time to respond and reduces the risk of a rushed, thin submission.
2. Understand How CAF IGP Logic Affects Scoring
Secondly, be very careful with IGP logic. It is not always intuitive, and even experienced assessors can make mistakes if they rush through it.
As a rule of thumb, your claimed status needs to be supported by the relevant IGPs and the evidence provided. A common mistake is to focus only on the “Achieved” IGPs and treat “Partially Achieved” indicators as less important. They are not. If an organisation wants a middle-road verdict, it still needs to show that the relevant partially achieved indicators are properly supported.
- A single “Not Achieved” indicator may materially affect the overall outcome if it shows that an essential expectation is not being met.
- An “Achieved” outcome needs strong, consistent evidence across the relevant achieved indicators.
- A “Partially Achieved” outcome still needs evidence; it should not be treated as a default or low-effort position.
3. Map Evidence to Each Contributing Outcome
Thirdly, make sure your evidence folder lines up fully with what is being claimed in each contributing outcome submission. There have been many occasions where a submitter has given a detailed and impressive explanation of processes, with documentation cited throughout, only for the relevant documents not to have been uploaded at all.
Before you submit, open every document you reference and confirm it is actually there and up to date. This prevents avoidable delays later in the assessment. Evidence mapping should be one of the first things you do after analysing a contributing outcome, even before marking specific IGPs as achieved or not achieved.
If evidence is missing or inadequate, fix it before you submit. If an assessor like me can’t find it, the outcome gets marked down, with commentary explaining why.
4. Review Evidence Used Across Multiple Objectives
A related point: shared evidence deserves its own review. The same document is often cited across multiple contributing outcomes, and sometimes across multiple objectives.
Where this happens, read the document in full and take notes against every contributing outcome it underpins. This saves time, reduces frustration and strengthens the review because you are better equipped to spot discrepancies in your own explanations, assumptions or logic.
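As an added illustration of the IGP logic, evidence-mapping and shared-evidence checks in points 2 to 4 (this is example code, not the article's or Bridewell's own tooling), the Python below runs pre-submission checks over a constructed submission. The status rule in derive_status is a simplified assumption about how the IGP columns combine, and the outcome references, IGP labels and file names are made up.

```python
from __future__ import annotations
from dataclasses import dataclass
@dataclass
class Outcome:
    ref: str                       # contributing outcome reference (constructed)
    claimed: str                   # status selected by the submitter
    achieved: dict[str, bool]      # "Achieved" column IGPs -> True if met
    partial: dict[str, bool]       # "Partially Achieved" column IGPs -> True if met
    not_achieved: dict[str, bool]  # "Not Achieved" column IGPs -> True if it applies
    cited_docs: list[str]          # documents referenced in the written explanation
def derive_status(o: Outcome) -> str:
    # Assumed simplified rule: any applicable Not Achieved indicator pulls the outcome
    # down; Achieved needs every Achieved IGP met; Partially Achieved needs every PA IGP met.
    if any(o.not_achieved.values()):
        return "Not Achieved"
    if o.achieved and all(o.achieved.values()):
        return "Achieved"
    if o.partial and all(o.partial.values()):
        return "Partially Achieved"
    return "Not Achieved"
def check_submission(outcomes: list[Outcome], uploaded: set[str]) -> dict[str, list[str]]:
    # Per outcome: a claimed status the IGPs do not support, and cited evidence not uploaded.
    findings: dict[str, list[str]] = {}
    for o in outcomes:
        issues = []
        derived = derive_status(o)
        if derived != o.claimed:
            issues.append(f"claimed '{o.claimed}' but IGPs support '{derived}'")
        issues += [f"cited but not uploaded: {d}" for d in o.cited_docs if d not in uploaded]
        if issues:
            findings[o.ref] = issues
    return findings
def shared_evidence(outcomes: list[Outcome]) -> dict[str, list[str]]:
    # Documents cited by more than one outcome: read each in full against every outcome.
    uses: dict[str, list[str]] = {}
    for o in outcomes:
        for d in o.cited_docs:
            uses.setdefault(d, []).append(o.ref)
    return {d: refs for d, refs in uses.items() if len(refs) > 1}
# Constructed sample submission; references, IGP labels and file names are made up.
SAMPLE = [
    Outcome("A1.a", "Achieved", {"A1": True, "A2": True}, {"PA1": True}, {"NA1": False},
            ["risk-policy.pdf", "board-minutes.pdf"]),
    Outcome("B2.a", "Partially Achieved", {"A1": False}, {"PA1": True, "PA2": False},
            {"NA1": False}, ["access-standard.docx"]),
    Outcome("C1.a", "Achieved", {"A1": True}, {"PA1": True}, {"NA1": True},
            ["risk-policy.pdf", "siem-runbook.pdf"]),
]
UPLOADED = {"risk-policy.pdf", "board-minutes.pdf", "access-standard.docx"}
```

Run check_submission(SAMPLE, UPLOADED) to list the outcomes that would be marked down, and shared_evidence(SAMPLE) to see which documents need a single full read against every outcome that cites them.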
5. Build Quality Assurance into the Process
Finally, build quality assurance into the assessment process from the start. QA should not be something that happens only when everyone is tired and the deadline is close.
Mistakes can be as minor as a typo, but they can also be as significant as misreading an important sentence and selecting the wrong contributing outcome status. No matter how many times you have completed a CAF assessment, assume that something may have been overlooked. A fresh pair of eyes is the best way to ensure the CAF submission has been reviewed thoroughly before it reaches an assessor.
CAF Assessment Preparation Checklist
Before submitting your CAF assessment, check that you have:
- Confirmed which CAF version, profile or sector interpretation applies
- Identified all relevant contributing outcomes
- Assigned owners for each outcome
- Mapped evidence to every claim
- Checked that shared evidence supports each outcome it is used for
- Reviewed IGP logic before assigning statuses
- Documented gaps, assumptions and compensating controls
- Completed independent QA before submission
Common CAF Assessment Mistakes to Avoid
- Leaving evidence collection until late in the process
- Citing documents that have not been uploaded or are no longer current
- Assuming a policy is enough without evidence that it is implemented
- Misinterpreting how IGPs affect the contributing outcome status
- Using the same evidence across multiple outcomes without checking whether it really supports each claim
- Writing inconsistent explanations across objectives
- Failing to QA the submission before external review
How Bridewell Can Help with CAF Assessments
Bridewell supports organisations throughout the CAF assessment lifecycle, from readiness reviews and evidence mapping through to independent assessment support, gap analysis and remediation planning.
Our consultants can help you understand the applicable CAF requirements, identify evidence gaps, prepare contributors and build a defensible assessment submission.
Speak to Bridewell’s CAF specialists to understand your readiness and prioritise the actions that matter most.
CAF Assessment FAQs
What is a CAF assessment?
A CAF assessment evaluates an organisation’s cyber resilience against the NCSC Cyber Assessment Framework. It reviews whether the organisation is achieving relevant cyber security and resilience outcomes, using contributing outcomes and Indicators of Good Practice as assessment inputs.
How do I prepare for a CAF assessment?
Prepare by mapping evidence to each contributing outcome, checking how IGPs affect scoring, reviewing shared evidence across objectives, identifying gaps early and completing quality assurance before submission.
What are IGPs in the CAF?
IGPs, or Indicators of Good Practice, are examples of the practices and characteristics assessors use to judge whether a contributing outcome is achieved, partially achieved or not achieved. IGPs inform expert judgement rather than operating as an inflexible checklist.
What evidence is needed for a CAF assessment?
Evidence should show that claimed controls, governance arrangements and processes are implemented, maintained and relevant to the contributing outcome being assessed. Examples may include policies, risk records, governance minutes, technical standards, process documents, incident records and assurance outputs.
What are common CAF assessment mistakes?
Common mistakes include missing evidence, unsupported claims, misinterpreting IGP scoring logic, inconsistent explanations across outcomes, relying too heavily on shared documents without reviewing them properly and failing to quality assure the submission before review.
Is the CAF a compliance checklist?
No. The CAF is outcome-focused. It uses objectives, principles, contributing outcomes and Indicators of Good Practice to support an assessment of cyber security and resilience, but evidence quality and assessor judgement remain important.