The National Cyber Security Centre (NCSC) has rewritten the Cyber Assessment Framework (CAF), aiming to make it suitable for a wider range of users.
It said that CAF 3.0, which is relevant to organisations supporting public safety or national infrastructure, uses more everyday language than earlier versions, with less use of the terminology in the Network and Information Systems (NIS) Directive.
There have been no changes to the structure or technical content, and it has been developed in consultation with NIS regulators and other interested parties.
The framework provides a systematic approach to assessing the management of cyber risks to essential functions. It can be used by the responsible organisation itself or by an independent external entity, notably a regulator or an organisation acting on the regulator's behalf.
It includes the 14 NCSC cyber security and resilience principles and 39 individual assessments. There are also four objectives: managing security risk; protecting against cyber attack; detecting cyber security events; and minimising the impact of incidents.
NCSC added that regulated organisations should always consult with their regulator on the use of CAF.