UK Cyber Assessment Framework (CAF) v3.1

SmartSuite provides the system for managing controls, evidence, mappings, assessments, and reporting. Framework text may require a separate license unless explicitly provided.
Overview
UK CAF v3.1 (Cyber Assessment Framework) is a cybersecurity framework developed by the UK National Cyber Security Centre (NCSC) for assessing the cyber resilience of organizations responsible for critical national infrastructure and essential services.
Why it Matters
UK CAF v3.1 provides a structured framework for assessing and improving cyber resilience in essential services and critical infrastructure. Key benefits include:
- Strengthen cybersecurity governance
Establish systematic security controls and oversight aligned to NCSC's authoritative framework for critical infrastructure protection.
- Enhance regulatory compliance
Support compliance with UK NIS Regulations requirements for operators of essential services.
- Improve risk management
Apply CAF's structured approach to identifying and addressing cybersecurity risks in critical operational environments.
- Increase audit readiness
Maintain documentation and evidence of security control implementation to support CAF assessments and regulatory reviews.
How it Works
UK CAF v3.1 structures cyber resilience assessment across four objectives: A (managing security risk), B (protecting against cyber attack), C (detecting cyber security events) and D (minimising the impact of cyber security incidents). Each objective is broken down into principles, each principle into contributing outcomes, and each outcome is judged against indicators of good practice.
Key Elements
- Four Cyber Resilience Objectives
Organizes requirements around objectives A to D: managing risk, protecting systems, detecting events, and minimizing incident impact.
- Contributing Outcomes
Defines specific security outcomes organizations should achieve within each of the four objectives.
- Indicators of Good Practice
Provides observable indicators enabling organizations and regulators to assess achievement of each outcome; an outcome is recorded as achieved, partially achieved, or not achieved according to which indicators are met.
- NIS Regulations Alignment
Structured to support assessment against UK NIS Regulations requirements for essential service operators.
Framework Scope
UK CAF v3.1 is used by operators of essential services, critical national infrastructure operators, and their regulators for cyber resilience assessment and improvement.
Framework Objectives
UK CAF v3.1 establishes a structured framework for assessing and improving cyber resilience in critical infrastructure and essential services.
- Protect critical infrastructure through assessment and improvement against the four CAF objectives
- Strengthen cybersecurity governance and oversight in essential service environments
- Support compliance with UK NIS Regulations requirements
- Enable structured cyber resilience assessment and continuous improvement
- Classification: Category: Operational Resilience; Domain: Cybersecurity; Framework Family: Other
- Regulatory Context: Type: Framework; Legal Instrument: Framework; Sector: Cross-Sector; Industry: Cross-Industry
- Region / Publisher: Region: United Kingdom; Region Detail: United Kingdom; Publisher: National Cyber Security Centre (NCSC)
- Versioning: Version: CAF v3.1; Effective Date: June 2024; Issue Date: February 2024
- Adoption: Adoption Model: Regulatory Compliance; Implementation Complexity: High
- Official Reference: Source
License included / downloadable: Yes
The Cyber Assessment Framework is published by the UK National Cyber Security Centre and is publicly available through official UK government resources.
How SmartSuite Supports UK CAF v3.1
Centralize controls, evidence, and assessment workflows so you are continuously ready for CAF self-assessments and regulator reviews.
CAF Outcome Mapping
Map CAF outcomes to controls, owners, and evidence sources.
Self-Assessment and Gap Tracking
Run assessments, record scores, and convert gaps into a prioritized roadmap.
Evidence and Verification Hub
Centralize proof for governance, protection, detection, response, and recovery.
Resilience Tests and Exercises
Schedule resilience tests and exercises and capture results and lessons learned.
Provider Risk, Monitoring, and Contingency Planning
Track provider risk, monitoring, and contingency planning evidence.
Leadership Reporting
Report maturity, gaps, and progress by outcome and business unit.
Related frameworks

CIS Controls v8.1 provides prioritized, practical security actions to help organizations mitigate common cyber threats and strengthen defenses.

DORA is an EU regulation requiring financial firms to manage ICT risks, report incidents, test security, and oversee third-party providers.

ISO/IEC 27001:2022 is an international ISMS standard that helps organizations manage information security risks and protect data.

ISO/IEC 27002:2022 provides best-practice information security controls to help organizations select, implement, and manage protections for information assets.

Cyber Essentials is a UK government-backed certification specifying basic controls to protect organizations against common cyber threats.

NIST Cybersecurity Framework (CSF) v2.0 is a risk-based framework that helps organizations manage and reduce cybersecurity risks.
Frequently Asked Questions For UK Cyber Assessment Framework (CAF) v3.1
The UK Cyber Assessment Framework (CAF) v3.1 is used to help organizations assess, manage, and improve their cyber resilience in line with regulatory requirements. It provides a structured approach for evaluating cybersecurity controls, operational resilience, and incident response capabilities, especially for critical national infrastructure.
The UK CAF itself is not a certification, nor is it universally mandatory. However, regulators may require organizations in critical sectors to demonstrate adherence to the CAF as part of their regulatory compliance, and it is often referenced during audits or sector-specific inspections.
The CAF primarily applies to organizations operating critical infrastructure or essential services within the UK, as defined by relevant regulators. It may also be used by other organizations seeking to benchmark their cybersecurity practices or meet sector-specific compliance obligations.
The framework is structured around four high-level objectives: managing security risk, protecting against cyber attack, detecting cyber security events, and minimising the impact of cyber security incidents. Each objective is divided into principles and contributing outcomes, and each outcome is supported by indicators of good practice that guide organizations in achieving consistent security outcomes and give assessors an observable basis for judging whether an outcome is achieved.
Organizations typically implement the CAF through self-assessments or regulator-led reviews, examining their current security controls against the framework’s objectives and indicators. This process involves identifying gaps, prioritizing improvements, and ensuring that cyber risk management aligns with regulatory and business needs.
The UK CAF aligns closely with widely used cybersecurity standards, such as ISO 27001 and NIST CSF, but is adapted for the UK regulatory context and critical services. It provides a consistent, outcome-focused framework for evidence-based assessment that can complement other compliance programs.
Maintaining compliance with the CAF requires continuous monitoring, regular gap assessments, updating risk management processes, and documenting evidence of cybersecurity practices and improvements. Organizations should also be prepared for periodic regulatory reviews and demonstrate progress on remediation activities.
SmartSuite can help organizations operationalize the CAF by mapping objectives to specific cybersecurity policies and controls, managing risk assessments, tracking remediation efforts and control implementation, collecting compliance evidence, and supporting audit readiness. Its reporting capabilities enable ongoing monitoring and demonstration of compliance with the framework’s requirements.
Put UK CAF v3.1 into action with SmartSuite
Map controls, collect evidence, run assessments, manage remediation, and report readiness - all from a single connected system.

