The Challenge
Our client is a UK-based water company that is within scope of the NIS Regulations and required by their competent authority, the Drinking Water Inspectorate (DWI), to submit a self-assessment against the National Cyber Security Centre (NCSC) Cyber Assessment Framework (CAF).
To comply with the 16 initial outcomes set out by the DWI, our client had put a cyber resilience improvement programme in place to make the necessary changes. Our client was regularly tracking its position against the outcomes and was rating itself as Fully Achieved against 8 of the 16.
The Solution
Based on our extensive experience with the CAF and the water sector, this water company chose Bridewell to validate this position. Where the company had assessed itself as ‘Fully Achieved’ against an outcome, Bridewell was to assess each individual Indicator of Good Practice (IGP) to validate the position. Where the company had assessed itself as ‘Not Achieved’ against an outcome, Bridewell was to review the proposed remediation to verify whether the outcome would be ‘Fully Achieved’ once delivered.
Typically, we would perform this type of assessment by reviewing relevant documentation and interviewing key stakeholders from a range of different teams to gain a full understanding of the implementation, management, and operation of the cyber security measures in place to meet the IGPs.
However, on this occasion, the client only requested assessment through interviews with the information security team. Whilst this differed from our usual approach and meant we were unable to provide any assurance over the controls in place, it allowed us to quickly gain an adequate understanding of the state of cyber security across the 16 outcomes.
The Results
Bridewell provided a comprehensive report with the findings from the assessment, detailing:
Our assessment of attainment against each IGP for the 8 outcomes the client had rated as Fully Achieved, with a full explanation and recommendations for improvement for any IGPs we believed were not being met.
Our assessment of the plans in place to meet the deficient IGPs across the 8 outcomes the client felt it was not meeting, with recommendations for additional measures that should be adopted where we felt the current plans would not deliver attainment against any of the outcome’s IGPs.
An executive summary detailing the approach to the assessment and the main findings.