CGI is now a National Cyber Security Centre (NCSC) Cyber Resilience Audit (CRA) Assured Service Provider.

This recognition enables us to deliver independent, evidence-based Cyber Resilience Audit assessments aligned to the NCSC Cyber Assessment Framework (CAF). It also strengthens how we support organisations preparing for regulatory scrutiny across central government and Critical National Infrastructure sectors.

As regulatory expectations increase, independent cyber resilience assurance is becoming a requirement, not a choice.

 

What is a Cyber Resilience Audit?

A Cyber Resilience Audit is an independent assessment of your cyber security posture against the NCSC Cyber Assessment Framework. It provides assurance that:

  • Cyber risks to essential services are identified and managed
  • Security controls are effective in practice
  • Monitoring and detection align to the threat landscape
  • Incident response and recovery are operationally mature
  • Governance provides clear accountability

A CRA evaluates resilience under realistic threat conditions. It does not simply confirm that policies exist.

 

Regulatory context: NIS, CAF and GovAssure

Organisations delivering essential services must comply with the Network and Information Systems (NIS) Regulations 2018. Regulators assess compliance using the Cyber Assessment Framework.

The forthcoming Cyber Resilience Bill is expected to expand regulatory scope, increase reporting obligations and formalise structured assurance requirements.

Within central government, GovAssure applies CAF through an annual four-stage cycle culminating in a mandatory independent audit.

Independent assessment is becoming the standard mechanism for demonstrating cyber resilience.

 

Baseline and Enhanced CAF

CAF assessments are conducted at two threat levels:

Baseline: Confirms resilience against commodity threats and known vulnerabilities.

Enhanced: Applies where organisations face capable, persistent and well-resourced adversaries. It requires mature governance, advanced detection capabilities and demonstrable operational resilience.

An organisation may hold ISO 27001 certification and still require additional maturity to meet Enhanced CAF expectations. CAF is outcome-based and threat-informed, focused on resilience of essential services.

 

How CGI supports your cyber resilience journey

As an NCSC-assured provider, we deliver end-to-end support:

Advisory and readiness:

  • CAF gap analysis (Baseline and Enhanced)
  • GovAssure Stage 1–3 preparation
  • Evidence workshops and remediation roadmaps
  • Executive briefings and crisis simulations

Independent assurance:

  • NCSC-aligned Cyber Resilience Audits
  • GovAssure Stage 4 independent audits
  • Formal audit reporting with prioritised recommendations

We support you from preparation through independent assessment and ongoing operational resilience.

Get in touch to find out more.