The NCSC-CAF Framework and How to Use It

The NCSC-CAF framework, used throughout the European Union, is now available within the platform. Users can tailor the automated workflows to adapt to their organization’s specific needs and finally bring simplicity to the various EU cyber regulations they must comply with.  


What is the CAF Framework, and Do I Need to Use It? 

No surprises here: like most frameworks, the Cyber Assessment Framework (CAF) is a self-administered questionnaire that gives guidance on cybersecurity best practices.

The CAF framework is used throughout the EU as mandated by the Network and Information Systems (NIS) Directive. Your organization may be required to conduct a CAF Framework assessment if it is: 

  • Within the UK Critical National Infrastructure (CNI) 
  • Subject to Network and Information Systems (NIS) Regulations 
  • Managing cyber-related risks to public safety 

Check with your specific regulator for details on how the CAF Framework may impact your company. 


How to Conduct an NCSC-CAF Framework Assessment 

For each question in the self-assessment, you will choose from several answer choices: not achieved, partially achieved, or achieved. After answering all questions, you will be able to identify where your organization’s security strategy comes up short by adding together the answer scores and comparing them with Indicators of Good Practice (IGPs). 

Ideal IGP scores and other guidelines are documented on the National Cyber Security Centre (NCSC) website.

The guidelines of the CAF framework are not intended to be a to-do list of rules and regulations to achieve compliance. Rather, they were built on an outcome-based approach to help security teams reach specific goals without necessarily telling them how to get there. This makes the framework extremely flexible, but for some organizations, the lack of prescriptive guidance can make it a challenge to understand what to do next.


Automate NCSC CAF Assessments with 

Some organizations, especially those with limited resources, may consider working with a consultant to help them navigate improvements to their cybersecurity program. However, that is not the only option. Critical infrastructure organizations within the European Union must juggle the various regulations from individual countries, their specific sector, and any general mandates that apply across the EU, further complicating the already burdensome assessment process. 

With automation and customizable workflows, the platform can eliminate the time-sucking manual processes that slow progress down. Start simplifying your assessment process by contacting our team today.  

Gabriela Martinez

Gabriela is the Digital Marketing Manager at As an experienced marketer in the technology industry, Gabriela helps connect organizations with solutions to keep their critical infrastructure secure. She was named Cybersecurity Marketer of the Year by the Cybersecurity Excellence Awards in 2022.
