
Cyber Assessment Framework (CAF)
Supporting resilience where it matters most.
The Cyber Assessment Framework (CAF) was developed by the UK’s National Cyber Security Centre (NCSC).
It provides a comprehensive and structured approach to evaluating and enhancing an organisation’s cyber resilience.
The CAF is designed to underpin compliance with the Network and Information Systems (NIS) Regulations. It also serves as a cornerstone for securing the UK's most vital services and systems.
A framework for compliance and security.
CAF’s foundational objectives.
CAF is built around four high-level objectives, mapped to 14 principles and detailed Indicators of Good Practice (IGPs). These form the foundation for assessing maturity and driving continual improvement:

Managing Security Risk
Governance, risk management, asset visibility, and supply chain assurance.

Protecting Against Cyber Attack
Technical and organisational controls, including secure configurations, user access, and network resilience.

Detecting Cyber Security Events
Monitoring, logging, and anomaly detection capabilities.

Minimising the Impact of Cyber Security Incidents
Effective response, recovery planning, and post-incident learning.

Sector-wide applicability.
Whether you're a regulated entity or simply aiming to improve resilience, the CAF provides a structured approach across public, private, and critical sectors - including:
- Operators of Essential Services (OES)
- Digital Service Providers (DSPs)
- Critical National Infrastructure (CNI) organisations
- Public sector entities
- Private organisations seeking to mature their cyber resilience
Our CAF Advisory and Audit Services
At Avella, we are a trusted cyber security partner to some of the UK’s most critical sectors. As an NCSC-accredited Cyber Resilience Audit (CRA) provider, we combine technical depth with cross-sector experience to deliver bespoke, outcome-focused CAF services.

CAF Readiness Assessments
Baseline your current capabilities against CAF principles and IGPs. Identify risks, gaps, and quick wins to support resilience uplift and readiness.

Strategic Roadmap Development
Develop a tailored roadmap to move from current state to target maturity—balancing compliance, risk appetite, and business priorities.

Accredited, Independent CAF Audits
Delivered under the NCSC’s CRA Scheme, our audits offer expert-led, independent, objective assurance and regulatory alignment for NIS-regulated entities.

Physical Security Services
Aligned to Objective E, our experts help protect physical assets by identifying and mitigating risks within your broader security ecosystem to ensure you are prepared and protected.

Policy & Procedure Development
Assisting in the development and refinement of policies, procedures, and controls that align with CAF expectations and requirements.

Training & Cyber Awareness
Build internal capability through targeted training, executive briefings, and simulation exercises to foster a security-first culture.

Ongoing Advisory & Assurance
Stay ahead of evolving threats and maintain continuous alignment with CAF principles through regular health checks, advisory support, and board-level reporting.
Why Avella?
Our approach is pragmatic, proportionate, and aligned to real-world operational and regulatory environments—spanning both IT and Operational Technology (OT) systems.

Specialist Expertise
Deep understanding of CAF, NIS Regulations, and regulatory expectations across energy, finance, healthcare, telecoms, and government.

Sector-Aware & Outcome-Driven
Our team brings hands-on sector experience. We help you implement the right controls, tailored to your environment, to deliver real value and lasting impact.

Trusted & Accredited
As an NCSC-approved CRA provider, our assessments carry trusted credibility with regulators, boards, stakeholders, and wider organisational decision-makers.

Boutique Service, Enterprise Impact
Agile, responsive, and collaborative - everything we do is tailored to your business, risk landscape, and operational context.

Speak to our experts, today.
Get in touch to discuss how we can strengthen your security and resilience.

+ 44 (0) 845 86 22 365

80 Strand,
London, WC2R 0RL,
United Kingdom