
NCSC Cyber Assessment Framework (CAF)

Align your organisation’s cyber security program to the NCSC’s CAF with the guidance and support of a leading cyber security services provider. 

Improved Cyber Resilience

Meeting the outcomes of the CAF provides a good baseline for cyber security. When combined with ongoing risk management, this allows organisations to continuously improve the cyber security posture of the environment to provide ongoing protection against threats.

Access to Technical Expertise

Draw on our consultants' wider skill sets and knowledge in specific areas and technologies, such as public cloud infrastructure.

Access to a Wider Team

As part of a consulting engagement with Bridewell, our security development and software teams are available to develop innovative approaches to address a problem. 

Assurance of a Reliable Service

By working with an NCSC-assured partner, your organisation has assurance of high-quality, thorough, recognised, bespoke cyber security advice.

Why CAF with Bridewell?

The CAF is a flexible framework intended primarily for use by organisations within the UK Critical National Infrastructure (CNI), particularly those in scope of the Network and Information Systems (NIS) Regulations as a result of the NIS Directive. However, its flexibility makes it equally applicable outside of CNI. 

Bridewell has teams of cyber security consultants with extensive experience applying the CAF across IT, cloud and OT environments. We also have a dedicated team of OT cyber security experts who have previously operated as engineers, which enables us to understand the variety of complexities and contexts relevant to implementing the CAF effectively in industrial environments. 

Bridewell has worked with governments and competent authorities to implement their overall oversight and enforcement approach, which has included developing specific versions of the CAF for specific industries.  

Bridewell has worked in many different sectors applying the CAF. This provides our consultants with an understanding of the CAF from multiple viewpoints and allows them to operate as an authority in this area. 

Bridewell’s range of end-to-end cyber security services allows us to address the technical requirements of the CAF for our clients. We have delivered numerous cyber security transformation programmes that leverage our consulting capabilities in combination with other services such as our 24x7 Managed Detection & Response (MDR) service.  

Bridewell is accredited by the Civil Aviation Authority’s (CAA) ASSURE scheme, which subjects suppliers to a rigorous and continuous assessment process to ensure their competence in delivering audits against the CAF framework. 

Bridewell has extensive experience with the CAF and has worked with organisations across industries and governments to perform assessments, develop remediation programs and also deliver managed services to satisfy specific outcomes within the framework.  

Bridewell has expertise across on-premise, cloud and Operational Technology (OT). Our consultants work across a variety of technical environments and operating contexts to ensure the cyber resilience principles outlined in the framework align with their wider business objectives. 

Bridewell provides a wide range of services to support organisations in applying the CAF across a variety of sectors. Whether an organisation needs to achieve compliance with the NIS Regulations or is just looking to enhance its cyber posture, aligning with this framework helps it both achieve and demonstrate an appropriate level of cyber resilience to manage its security risks.

Key Challenges

Organisations seeking to align themselves with the Cyber Assessment Framework may lack the expertise and resources to conduct a complete gap analysis of their current cyber security program and subsequently remediate any shortfalls they identify.

Even for those with significant cyber security teams in-house, the lack of prescriptive controls within the framework can also make it difficult for those with less experience to understand how to achieve the principles, outcomes, and Indicators of Good Practice (IGPs) within the CAF. 

How it Works

Bridewell supports clients in applying the CAF framework through a wide range of services. These include: 

  • Leading assessments against the CAF. 

  • Assisting clients with their CAF self-assessments and developing remediation programs. 

  • Operating as our client's cyber security team, fully managing the requirements of the CAF across their organisation and dealing with competent authorities. 

  • Implementing the requirements of the CAF across on-premise, cloud and OT environments. 

  • Managed Security Services to allow organisations to achieve many of the outcomes within the CAF. 

The first step is to understand the level of attainment needed against each of the CAF outcomes. Competent Authorities (CAs) typically establish this via profiles issued to Operators of Essential Services (OESs), considering multiple factors, including:

• The nature and criticality of the service provided.

• The operating environment of the service.

• The number of consumers of the service.

Indicators of Good Practice (IGPs) are then used to understand the measures required to meet the required outcome levels.

Related Cyber Security Services

Risk Management

Partner with Bridewell to establish a comprehensive risk management program with standards and guidelines that mitigate the probability of loss and associated impacts on your organisation. 

Cloud Security

Unlock the full potential of the cloud within your organisation by working with a trusted and experienced cyber security services provider. 

PCI DSS Consultancy

Meet the requirements of the Payment Card Industry Data Security Standard (PCI DSS) and enhance the security of payment card data in your organisation. 