IT directors and CISOs face a persistent challenge: translating complex security requirements into language that speaks to board-level decision makers.

The NCSC’s Cyber Assessment Framework (CAF) is a critical bridge between technical security teams and business leadership.

Working in a regulated sector? Whether you’re meeting supply chain requirements, winning enterprise contracts, or simply proving your security credentials to stakeholders, CAF is increasingly important.

Yet many security leaders are uncertain about its practical application.

Is it mandatory for your organisation? How’s it different from other frameworks? And how can you best use it for both compliance and competitive advantage? We explain all below.

What exactly is the CAF Framework?

The Cyber Assessment Framework (CAF) is the NCSC’s assessment tool that organisations use to measure their cyber defences against industry benchmarks and regulatory requirements.

Rather than another tick-box compliance exercise, CAF provides a practical lens for examining whether your security controls actually work when attackers come knocking. It breaks down cyber resilience into digestible chunks that even your most tech-averse board member can grasp.

The framework provides a systematic and comprehensive approach to assessing how well cyber risks to essential functions are being managed. Built on four high-level objectives and 14 underlying principles, CAF takes an outcome-focused approach. It specifies what needs to be achieved rather than giving a rigid checklist of actions.

Is it guidance, regulation, or something else?

CAF is a framework (not a law) that regulators can choose to adopt and adapt for their sectors. The NCSC developed it as the national technical authority for cyber security, expecting it to support effective cyber regulation across sectors. But the NCSC itself doesn’t do any regulation. They’re the architects, not the enforcers.

What does this mean for your organisation? CAF adoption varies significantly across sectors and is changing rapidly.

While recent moves by UK government and utilities regulators show stricter CAF enforcement for critical infrastructure, many SMBs encounter CAF through different routes. These can be enterprise customers requiring supply chain assurance, tender requirements, or voluntary adoption to demonstrate security maturity.

If you’re in a regulated industry, your regulator decides whether CAF assessments are required and how they fit into your compliance obligations. These requirements can change with regulatory updates.

Rather than forcing every organisation into the same rigid mould, the CAF allows sector-specific interpretations while maintaining consistent, high-quality security outcomes.

CAF profiles

Not every organisation needs fortress-level security for every function. CAF profiles are sets of expectations or requirements defined by your regulator (not formal CAF artifacts) that specify which security outcomes matter most for your sector. A profile might require some outcomes at ‘achieved’, others at ‘partially achieved’, and mark some as ‘not applicable’.

While major regulators like Ofgem, FCA, and Ofwat set formal profiles for their sectors, many businesses encounter CAF requirements through their commercial relationships.

For instance, if you’re supplying services to a bank, they might require you to demonstrate CAF alignment as part of their supply chain security. Enterprise clients might ask smaller suppliers to show they meet specific CAF outcomes relevant to the services they provide.

This flexibility means you can adopt CAF proportionately. A small tech firm might focus on the outcomes most relevant to protecting client data, while a manufacturer might prioritise different aspects based on their operational risks.

Why the NCSC created CAF

The framework emerged from a clear need to protect the UK’s critical infrastructure from increasingly sophisticated threats.

But here’s what makes it valuable for businesses of all sizes: CAF has evolved beyond its original scope to become the UK’s de facto standard for demonstrating cyber security maturity.

The NCSC built CAF to bridge the chasm between security specialists drowning in technical detail and business leaders who need clear, actionable intelligence. It transforms “we need endpoint detection and response with behavioural analytics” into “we need to spot intruders before they steal customer data.”

The framework meets seven core requirements that keep it practical and flexible. It:

  • Assists in carrying out meaningful cyber resilience assessments
  • Maintains an outcome-focused approach (avoiding tick-box exercises)
  • Works alongside existing security standards and guidance
  • Identifies effective improvement activities
  • Remains sector-agnostic at its core
  • Extends to accommodate sector-specific needs
  • Enables meaningful security targets that reflect proportionate risk management

The framework stays relevant because of its outcome-focused design. Rather than prescribing specific technologies that become obsolete, it defines what an acceptable security status looks like, and lets organisations choose appropriate solutions for their context and budget.

You can see this ethos reflected in the CAF version 4.0, launched in August 2025. Its new updates are centred around:

  • Understanding attacker behaviour and motivations
  • Secure practices in software development
  • More modern methods for proactive threat detection and security monitoring
  • Dealing with AI-driven cyber risks

These updates benefit organisations of all sizes, helping them stay ahead of emerging threats without requiring enterprise-level resources.

The objectives of a CAF assessment

At its heart, CAF breaks down into manageable components.

The framework is built on four key objectives that every organisation needs to address. Each one contains several principles defining a broad security outcome (14 in total).

These then split into contributing outcomes: 41 in total across the framework. These are practical security capabilities your organisation either has, partially has, or lacks.

Here are the four key objectives and the principles they contain:

A) Managing Security Risk: Understanding and systematically addressing risks to your essential functions

  • Governance: Executive accountability and clear security roles
  • Risk Management: Understanding what matters most to your business
  • Asset Management: Knowing what you’ve got and why it matters
  • Supply Chain: Managing the risks your suppliers bring

B) Protecting Against Cyber Attack: Implementing appropriate safeguards to protect your critical assets

  • Service Protection Policies and Processes: Clear policies that people actually follow
  • Identity and Access Control: Ensuring only the right people access the right things
  • Data Protection: Keeping your sensitive information secure
  • System Security: Hardening your systems against attack
  • Resilient Networks and Systems: Building in redundancy and recovery
  • Staff Awareness and Training: Turning your people into a security asset

C) Detecting Cyber Security Events: Making sure you know when something’s wrong

  • Security Monitoring: Watching for signs of trouble
  • Proactive Security Event Discovery: Hunting for threats before they find you

D) Minimising the Impact of Cyber Security Incidents: Being ready to respond and recover when attacks succeed

  • Response and Recovery Planning: Being ready when attacks succeed
  • Lessons Learned: Getting stronger after each incident

How a CAF assessment works

The framework uses Indicators of Good Practice (IGPs) to assess each contributing outcome. IGPs are expert-informed benchmarks that help assessors judge whether you’re achieving, partially achieving, or not achieving each outcome. They’re deliberately flexible rather than rigid pass/fail criteria.

In practice, an assessment involves systematically reviewing your security controls against each contributing outcome. Assessors examine documentation, interview key personnel, review technical configurations, and test security processes. For example, when assessing your incident management capabilities, they’ll look at your response procedures, review past incident reports, test escalation paths, and verify that your team understands their roles during a breach.

The assessor gathers evidence for each IGP, building a wide-ranging picture of your security posture. Expect deep dives into your security architecture, hands-on validation of controls, and probing questions about how security decisions get made in your organisation.

The colour-coded system (green for achieved, amber for partially achieved, red for not achieved) gives instant visual clarity on your security posture. Achieving all 41 outcomes as green isn’t the minimum standard, though. It represents a security level well beyond basic cyber hygiene. (That said, some regulators might use different scoring methods like weightings or other representations for more nuanced assessment.)
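The following is an added illustration, not code from the NCSC or Two Four Secure, of how a profile's per-outcome targets combine with an assessment's achieved / partially achieved / not achieved results into the colour-coded gap picture described above, including outcomes a profile marks as not applicable. The principle lettering (A1..D2) follows CAF's objectives and principles; the outcome IDs, target levels and assessment results are constructed sample data.

```python
"""Gap analysis of CAF contributing-outcome results against a regulator profile.
Added illustration, not NCSC or Two Four Secure tooling: principle letters follow
CAF (A1..D2); outcome IDs, profile targets and results are constructed samples."""
from enum import IntEnum

class Level(IntEnum):          # ordered so a higher level satisfies a lower target
    NOT_ACHIEVED = 0
    PARTIALLY_ACHIEVED = 1
    ACHIEVED = 2

COLOUR = {Level.NOT_ACHIEVED: "red", Level.PARTIALLY_ACHIEVED: "amber", Level.ACHIEVED: "green"}

# Constructed profile: target level per contributing outcome; None = not applicable.
PROFILE = {
    "A1.a": Level.ACHIEVED, "A2.a": Level.ACHIEVED, "B2.a": Level.ACHIEVED,
    "B5.b": None, "C1.a": Level.PARTIALLY_ACHIEVED, "D1.a": Level.PARTIALLY_ACHIEVED,
}

# Constructed assessment results; D1.a is absent because no evidence was gathered.
RESULTS = {
    "A1.a": Level.ACHIEVED, "A2.a": Level.PARTIALLY_ACHIEVED,
    "B2.a": Level.NOT_ACHIEVED, "C1.a": Level.PARTIALLY_ACHIEVED,
}

def gap_analysis(profile, results):
    """Per outcome: assessed colour, whether the profile target is met, and the
    shortfall in levels. An outcome with no evidence counts as not achieved."""
    report = {}
    for outcome, target in profile.items():
        if target is None:                       # excluded from scoring by the profile
            report[outcome] = {"colour": "n/a", "meets_target": True, "gap": 0}
            continue
        achieved = results.get(outcome, Level.NOT_ACHIEVED)
        report[outcome] = {"colour": COLOUR[achieved],
                           "meets_target": achieved >= target,
                           "gap": int(target - achieved) if achieved < target else 0}
    return report

def shortfalls(report):
    """Outcomes below target, largest gap first (then by ID for a stable order)."""
    below = [(o, r["gap"]) for o, r in report.items() if not r["meets_target"]]
    return sorted(below, key=lambda item: (-item[1], item[0]))

def colour_counts(report):
    """Board-level summary: how many outcomes sit at each colour."""
    counts = {}
    for r in report.values():
        counts[r["colour"]] = counts.get(r["colour"], 0) + 1
    return counts
```

Note that C1.a is amber yet meets its target, while A2.a is also amber and does not: the profile, not the colour alone, decides whether an outcome is a gap.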

Self-assessment vs. independent validation

CAF assessments come in two flavours: self-assessment by your own team, or independent assessment by external experts. Self-assessment offers familiarity with your environment but it risks confirmation bias and knowledge gaps. Independent assessment is more objective and brings fresh perspectives, but does need external investment.

Many organisations find value in combining both approaches. So you might have regular self-assessments to maintain awareness, with occasional independent validation to make sure you’re not missing critical blind spots.

For SMBs, independent validation can be particularly valuable when preparing for growth, entering new markets, or building credibility with enterprise customers.

Turning security sceptics into believers

Here’s a familiar challenge for a CISO: convincing the CFO that investing in “invisible” protection beats explaining a data breach to customers. The CAF is really useful here. By framing technical risks in business terms, it helps persuade business-minded decision-makers to incorporate cyber security into strategic planning.

The framework translates technical risks into business language. Poor access controls are shown in light of the regulatory fines they risk. Shoddy incident response can be seen as extended downtime (and therefore, potential loss of revenue). When execs see these connections, security budgets can make a lot more sense.

How Flare illuminates your security reality

This is where Two Four Secure’s Flare Cyber Resilience Assessment enters the picture. Whether you manage an internal team or oversee external providers, Flare gives you an invaluable third-party perspective that reveals what’s actually happening in your environment.

If you’re working with internal teams, Flare validates your specialists’ work while identifying where the latest threat intel could strengthen defences. Your team gets evidence for investment requests and technical recommendations specific to your sector. And crucially, they get recognition that their efforts are valued.

If you’re trusting external providers with your security, Flare answers the question: “Are we protected, or just paying for the illusion?” The assessment reveals whether your security suite genuinely addresses your business risks or leaves exploitable blind spots.

The bottom line that matters

Flare benchmarks your security posture against both the NCSC CAF and the CIS framework (the globally-recognised security controls from the Center for Internet Security).

This dual-framework approach makes sure you’re meeting UK regulatory expectations while aligning with international best practices.

The assessment delivers insights in two formats. Your security team gets detailed technical documentation to guide improvements. Your board gets clear summaries that translate “vulnerability remediation” into “protecting shareholder value.”

An assessment like this prioritises which improvements will deliver maximum risk reduction for your environment. You’ll understand not just where security weaknesses lurk, but which ones pose genuine threats to your operations (as opposed to those that are acceptable risks in your business context).

CAF provides the framework. Flare provides the clarity. Together, they transform security from an IT burden into a business enabler that protects revenue, reputation, and resilience.

Stop wondering whether your security investment is working or not. Contact us today and we’ll help you find out.

We reveal unseen threats in your environment before they impact your business. Speak with our security experts today.
