Avella | CAF Assessments

Cyber Assessment Framework (CAF)

Supporting resilience where it matters most.

The Cyber Assessment Framework (CAF) was developed by the UK’s National Cyber Security Centre (NCSC).

It provides a comprehensive and structured approach to evaluating and enhancing an organisation’s cyber resilience.

The CAF is designed to underpin compliance with the Network and Information Systems (NIS) Regulations. It also serves as a cornerstone for securing the UK's most vital services and systems.

A framework for compliance and security.

CAF’s foundational objectives.

CAF is built around four high-level objectives, mapped to 14 principles and detailed Indicators of Good Practice (IGPs). These form the foundation for assessing maturity and driving continual improvement:

Managing Security Risk

Governance, risk management, asset visibility, and supply chain assurance.

Protecting Against Cyber Attack

Technical and organisational controls, including secure configurations, user access, and network resilience.

Detecting Cyber Security Events

Monitoring, logging, and anomaly detection capabilities.

Minimising the Impact of Cyber Security Incidents

Effective response, recovery planning, and post-incident learning.

Sector-wide applicability.

Whether you're a regulated entity or simply aiming to improve resilience, the CAF provides a structured approach across public, private, and critical sectors - including:

Operators of Essential Services (OES)
Digital Service Providers (DSPs)
Critical National Infrastructure (CNI) organisations
Public sector entities
Private organisations seeking to mature their cyber resilience

Get in touch

Our CAF Advisory and Audit Services

At Avella, we are a trusted cyber security partner to some of the UK’s most critical sectors. As an NCSC-accredited Cyber Resilience Audit (CRA) provider, we combine technical depth with cross-sector experience to deliver bespoke, outcome-focused CAF services.

CAF Readiness Assessments

Baseline your current capabilities against CAF principles and IGPs. Identify risks, gaps, and quick wins to support resilience uplift and readiness.

Strategic Roadmap Development

Develop a tailored roadmap to move from current state to target maturity—balancing compliance, risk appetite, and business priorities.

Accredited, Independent CAF Audits

Delivered under the NCSC’s CRA Scheme, our audits offer expert led, independent, objective assurance and regulatory alignment for NIS-regulated entities.

Physical Security Services

Aligned to Objective E, our experts help protect physical assets by identifying and mitigating risks within your broader security ecosystem to ensure you are prepared and protected.

Policy & Procedure Development

Assisting in the development and refinement of policies, procedures, and controls that align with CAF expectations and requirements.

Cyber Defence Training and Awareness.png

Training & Cyber Awareness

Build internal capability through targeted training, executive briefings, and simulation exercises to foster a security-first culture.

Ongoing Advisory & Assurance

Stay ahead of evolving threats and maintain continuous alignment with CAF principles through regular health checks, advisory support, and board-level reporting.

Why Avella?

Our approach is pragmatic, proportionate, and aligned to real-world operational and regulatory environments—spanning both IT and Operational Technology (OT) systems.

Specialist Expertise

Deep understanding of CAF, NIS Regulations, and regulatory expectations across energy, finance, healthcare, telecoms, and government.

Integrated-Physical-and-Cyber-Experience

Sector-Aware & Outcome-Driven

Our team brings hands-on sector experience. We help you implement the right controls, tailored to your environment, to deliver real value and lasting impact.

Trusted & Accredited

As an NCSC-approved CRA provider, our assessments carry trusted credibility with regulators, boards, stakeholders, and wider organisational decision-makers.