
Cyber Assessment Framework (CAF)

Supporting resilience where it matters most.

The Cyber Assessment Framework (CAF) was developed by the UK’s National Cyber Security Centre (NCSC).

It provides a comprehensive and structured approach to evaluating and enhancing an organisation’s cyber resilience.

The CAF is designed to underpin compliance with the Network and Information Systems (NIS) Regulations. It also serves as a cornerstone for securing the UK's most vital services and systems.

A framework for compliance and security.

CAF’s foundational objectives.

CAF is built around four high-level objectives, mapped to 14 principles and detailed Indicators of Good Practice (IGPs). These form the foundation for assessing maturity and driving continual improvement:

Managing Security Risk

Governance, risk management, asset visibility, and supply chain assurance.

Protecting Against Cyber Attack

Technical and organisational controls, including secure configurations, user access, and network resilience.

Detecting Cyber Security Events

Monitoring, logging, and anomaly detection capabilities.

Minimising the Impact of Cyber Security Incidents

Effective response, recovery planning, and post-incident learning.


Sector-wide applicability.

Whether you're a regulated entity or simply aiming to improve resilience, the CAF provides a structured approach across public, private, and critical sectors, including:

  • Operators of Essential Services (OES)

  • Digital Service Providers (DSPs)

  • Critical National Infrastructure (CNI) organisations

  • Public sector entities

  • Private organisations seeking to mature their cyber resilience

Our CAF Advisory and Audit Services

At Avella, we are a trusted cyber security partner to some of the UK’s most critical sectors. As an NCSC-accredited Cyber Resilience Audit (CRA) provider, we combine technical depth with cross-sector experience to deliver bespoke, outcome-focused CAF services.

CAF Readiness Assessments

Baseline your current capabilities against CAF principles and IGPs. Identify risks, gaps, and quick wins to support resilience uplift and readiness.

Strategic Roadmap Development

Develop a tailored roadmap to move from current state to target maturity—balancing compliance, risk appetite, and business priorities.

Accredited, Independent CAF Audits

Delivered under the NCSC’s CRA Scheme, our audits offer expert-led, independent, objective assurance and regulatory alignment for NIS-regulated entities.

Physical Security Services

Aligned to Objective E, our experts help protect physical assets by identifying and mitigating risks within your broader security ecosystem to ensure you are prepared and protected.

Policy & Procedure Development

Assisting in the development and refinement of policies, procedures, and controls that align with CAF expectations and requirements.

Training & Cyber Awareness

Build internal capability through targeted training, executive briefings, and simulation exercises to foster a security-first culture.

Ongoing Advisory & Assurance

Stay ahead of evolving threats and maintain continuous alignment with CAF principles through regular health checks, advisory support, and board-level reporting.

Why Avella?

Our approach is pragmatic, proportionate, and aligned to real-world operational and regulatory environments—spanning both IT and Operational Technology (OT) systems.

Specialist Expertise

Deep understanding of CAF, NIS Regulations, and regulatory expectations across energy, finance, healthcare, telecoms, and government.

Sector-Aware & Outcome-Driven

Our team brings hands-on sector experience. We help you implement the right controls, tailored to your environment, to deliver real value and lasting impact.

Trusted & Accredited

As an NCSC-approved CRA provider, our assessments carry trusted credibility with regulators, boards, stakeholders, and wider organisational decision-makers.

Boutique Service, Enterprise Impact

Agile, responsive, and collaborative - everything we do is tailored to your business, risk landscape, and operational context.


Speak to our experts today.

Get in touch to discuss how we can strengthen your security and resilience.


+ 44 (0) 845 86 22 365


80 Strand,

London, WC2R 0RL,

United Kingdom

Let's talk security. Secure your future.