Cyber Assessment Framework (CAF) – NCSC Guidance Collection
The NCSC's primary sector-specific cyber resilience guidance framework, explicitly designed for organisations operating essential services in energy, healthcare, transport, digital infrastructure and government. It provides sector-specific profiles (Basic and Enhanced) and is directly cited in the Cyber Security and Resilience Bill policy statement as the tool supporting NIS-regulated operators; v4.0 was published August 2025.
Cyber Assessment Framework | National Cyber Security Centre
icons/chevron/16px/black
Skip to main content
Guidance
Cyber Assessment Framework
The CAF is a collection of cyber security guidance for organisations that play a vital role in the day-to-day life of the UK, with a focus on essential functions.
Pages
Page 1 of 25
iStock.com/ThinkNeo
Cyber Security and Resilience Bill to strengthen regulation of critical sectors
The NCSC welcomes the introduction of the Cyber Security and Resilience Bill to Parliament and its potential in closing the widening gap between the cyber threats the UK faces and our ability to defend against them in critical sectors.
Read the blog
by Jonathan Ellison, NCSC Director of National Resilience exploring how the Cyber Security and Resilience Bill will support affected sectors.
Learn more
On this page:
Introduction
What is the CAF?
Who is the CAF for?
The CAF collection
Changelog, latest and previous CAF versions
Introduction
Cyber incidents can result in a number of different consequences, depending on the nature of the network and information systems targeted and intention of the perpetrators. Circumstances in which the possible consequences of cyber incidents are extremely serious or even, perhaps catastrophic, generally require very robust levels of cyber security and resilience. It is for these circumstances that the NCSC has developed the Cyber Assessment Framework (CAF) collection.
The CAF collection consists of the CAF itself together with a range of linked guidance and some background on its intended use. It is aimed at helping an organisation achieve and demonstrate an appropriate level of cyber resilience in relation to certain specified vitally important functions performed by that organisation, functions that are at risk of disruption as a result of a serious cyber incident.
What is the CAF?
The Cyber Assessment Framework (CAF) is a tool to help organisations assess and improve their cyber security and resilience, managing cyber risks and protecting essential services from cyber threats.
Who is the CAF for?
The CAF is primarily designed for organisations operating essential services, in sectors such as energy, healthcare, transport, digital infrastructure and government. It supports both internal assessments and external oversight bodies, helping organisations meet legal and regulatory requirements like the NIS Regulations. It does this by providing a framework for assessing how well an organisation is meeting expected cyber security and resilience outcomes described within a CAF Profile.
A CAF Profile is a target level for cyber security and resilience in response to threat actors with a particular level of attack capability. There are two types of CAF Profiles, Basic and Enhanced. The Basic Profile sets out the target level for all sectors when faced with attackers with a basic level of attack capability. This typically includes attack scenarios that would involve common cyber attacks. An Enhanced Profile is different as it is sector specific and builds upon the Basic Profile by representing a cyber security and resilience target level appropriate for situations where an organisation typically faces attackers that are more capable, better resourced and can undertake more sophisticated attacks.
The CAF collection
The CAF collection is for all organisations that are responsible for securing critical network and information systems that keep our businesses, citizens and public services protected.
More particularly:
Organisations subject to the
Network and Information (NIS) Regulations
Organisations within the UK Critical National Infrastructure (CNI)
Organisations managing cyber-related risks to public safety
Public sector organisations that support core government functions
Other organisations / sectors that may find the CAF a useful tool
It is intended that the CAF collection will be of particular interest to cyber oversight bodies, organisations (such as cyber regulators) that have responsibility for the cyber security and resilience of a sector. The CAF collection is intended to assist such organisations to carry out some of their core oversight responsibilities. Any oversight body considering the use of the CAF in their sector is invited to contact the NCSC to discuss possible additional available support through the
Support to Regulation
mailbox.
This collection contains:
An overview and introduction of the CAF collection
An introduction to the CAF including guidance on the use of the CAF
The wider context of the CAF when considering the Network and Information Systems (NIS) Regulations, CNI, how the NCSC works with cyber regulators and GovAssure
The CAF – a set of objectives and underlying principles, outcomes and indicators of good practice (IGPs)
Relevant guidance on the application of the objectives and principles
Additional linked guidance and references
Changelog, latest and previous CAF versions
The latest version of the CAF, and all previous versions are
available to download on the Changelog page
.
Links to guidance that complement the CAF have been included and can be found in the
consolidated view of CAF guidance
and in the additional information section of the individual principles.
Downloads
615.02 KB
Cyber Assessment Framework version 4.0
Fourth iteration of the Framework used to assess the cyber security of UK CNI and related sectors
Published
Publish date
18 April 2024
Reviewed
6 August 2025
Version
4.0
Written for
Written for
Public sector
Cyber security professionals
Large organisations
Share and print this article
Share
Share
Close share options
Share on
Share on
Share on
X
Copy Link
Was this article helpful?
Yes
the article was helpful
No
the article was not helpful
Close Feedback Form
Back to top
Share
Close share options
Share on
Share on
Share on
X
Copy Link
Also see
Blog Post
Publish date
6 Aug 2025
Cyber Assessment Framework v4.0 released in response to growing threat
Updates to the CAF helps providers of essential services to better manage their cyber risks.
Blog Post
Publish date
30 Oct 2024
Cyber Resilience Audit (CRA) scheme launches for assured CAF-based audits
NCSC-assured CRA service now offering Cyber Assessment Framework based audits and more applications invited from potential service providers.
Blog Post
Publish date
15 Aug 2024
Cyber Resilience Audit scheme open to applications
A new NCSC scheme assuring providers of CAF-based audits is now open for potential members.