Chris Smyth

Senior Consultant, Cyber security

Increasing cyber threats

In today's digital age, cyber security stands as a critical concern. According to the 2023 Cyber Security Breaches Survey by the National Cyber Security Centre (NCSC), a staggering 69% of large businesses encountered cyber-attacks within the past year. With cyber capabilities becoming increasingly accessible, the threat landscape for UK organisations continues to expand. In response, the UK Government has set forth ambitious objectives to bolster essential functions against cyber-attacks by 2025 and ensure resilience to known vulnerabilities and attack methods by 2030.

To measure success against these targets more accurately, the UK Government released GovAssure, an assurance approach built on the NCSC’s Cyber Assessment Framework (CAF). GovAssure replaces the cyber element of the Departmental Security Health Check (DSHC) and moves away from the Minimum Cyber Security Standards (MCSS).


What is GovAssure?

UK Government Security highlight that GovAssure is an assurance scheme underpinned by the CAF that utilises a five-stage process to:

  • enable organisations to accurately assess the level of cyber assurance for their critical systems against a proportionate CAF profile, highlighting priority areas for improvement.
  • allow Government Security Group (GSG) and NCSC to take a strategic view of government resilience, to help inform a strategic roadmap to truly ‘Defend as One’.


What are the benefits of GovAssure?

  • Shortcoming identification: Recognising resilience gaps within organisational context.
  • Activity prioritisation: Strategically closing gaps to meet targets.
  • Cost-efficiency: Streamlining cyber risk management for optimal resource utilisation.
  • Hardening of essential functions: Increasing resilience to known vulnerabilities and attack methods.
  • Compliance management: Aligning with organisational risk appetite, not just regulations.
  • Practice enhancement: Sharing inter-organisation good practice for improved resilience.


Why was the CAF selected above other frameworks?

There are plenty of other well-known frameworks across industry and the public sector, such as NIST, COBIT and ISO, to name a few, so why not one of those?

CAF, alongside providing the foundations and approach to establish strong security controls and practices, is excellent for facilitating both self-assessment and regulatory compliance assessment. 

Furthermore, a key aim of CAF implementation is to provide a process for achieving risk-based incremental gains, aiding with the identification (and reporting) of objective progress.

The CAF is also a homegrown framework developed by the National Cyber Security Centre. Whereas, for example, the NIST Special Publication 800-series frameworks were developed to meet the US Federal Information Modernisation Act, the CAF was developed and introduced with the aim of improving UK Government cyber security.


Improving cyber resilience, not just ticking boxes

The CAF was developed under several requirements, one of them being:

“Maintain the outcome-focused approach of the NCSC cyber security and resilience principles and discourage assessments being carried out as tick-box exercises.”

As a member of the CGI Cyber Practice, it is great to see a purpose-built framework designed to discourage chasing conformity and a move towards instilling activities that increase cyber resilience and reduce organisational risk. Ticking boxes can bring about some increases in cyber resilience; however, these are often not targeted, i.e. aligned to essential/critical functions, nor are they completed in pursuit of wider organisational security objectives outside of regulatory compliance. The CAF and GovAssure drive this change through the measure of outcomes, not a measure of framework adoption.


How can CGI assist with GovAssure?

Recognising the difficulties in adopting new frameworks, at CGI we offer support from a diverse pool of experts. Our focus is on achieving cyber resilience by pinpointing vulnerabilities, prioritising actions, and fostering continuous improvement. We are also well versed in mapping against and between frameworks. Acknowledging that organisations may be better served by another framework, and that some may be measured against them for third-party obligations, we can work with existing cyber framework implementations to deliver against GovAssure, avoiding any unnecessary organisational change or re-work.

If you would like to know more about GovAssure and our CGI GovAssure CAF service offerings please read our brochure, or feel free to get in touch.

About this author

Chris Smyth

Senior Consultant, Cyber security

Chris is an information security manager who specialises in governance, risk management and compliance as part of CGI’s UK cyber practice. Building on his experience providing consultancy to Defence, Chris is currently diversifying to provide Government organisations with expertise to address their key risks, allowing ...