
The UK’s National Cyber Security Centre (NCSC) has developed the Cyber Assessment Framework (CAF) 4.0 to help organisations systematically manage and strengthen their cyber resilience.
But how does this help your organisation turn risk into an easy boardroom conversation, minimise costs and justify budgets?
Rob Wright explains how using the CAF with Hexiosec ASM can help…
Introduction: The critical role of the Cyber Assessment Framework (CAF)
In today’s digital landscape, the consequences of cyber incidents can be severe. Organisations responsible for essential services face relentless threats that can disrupt operations, compromise sensitive data, and undermine public trust. Recognising these risks, NCSC has developed the CAF.
As the NCSC states,
“Cyber incidents can result in a number of different consequences, depending on the nature of the network and information systems targeted and intention of the perpetrators. Circumstances in which the possible consequences of cyber incidents are extremely serious or even, perhaps catastrophic, generally require very robust levels of cyber security and resilience. It is for these circumstances that the NCSC has developed the Cyber Assessment Framework (CAF) collection.” ncsc.gov.uk
Primarily aimed at organisations operating essential services in sectors such as energy, healthcare, transport, digital infrastructure, and government, the CAF supports both internal assessments and external oversight. It helps organisations meet legal and regulatory requirements, such as the NIS Regulations, by providing a framework for evaluating how well they are achieving expected cyber security and resilience outcomes.
The CAF is not just a checklist; it is a comprehensive tool designed to help organisations systematically assess and improve their cyber security posture.
By adopting the CAF, organisations demonstrate a commitment to UK cyber resilience that enhances both their own security and their standing in the market as a leader in this discipline. The framework empowers business leaders to make informed decisions, ensuring accountability at every level.
But how do organisations start to adopt this tool and raise technical conversations to business decisions? CAF Objective A is the best place to start…
CAF objective A: Managing security risk
CAF Objective A is about managing security risk. Specifically, it is about putting in place “appropriate organisational structures, policies, processes and procedures… to understand, assess and systematically manage security risks to network and information systems supporting essential functions”.
CAF Objective A focuses on four key areas:
- A1 Governance – ensuring cyber risk is owned and understood at the right levels.
- A2 Risk Management – identifying and mitigating threats before they impact operations.
- A3 Asset Management – knowing what’s connected, exposed, and vulnerable.
- A4 Supply Chain – managing third-party risks that could compromise essential services.
Governance: Turning risk into a Boardroom conversation
Organisations often lack a convenient starting point for taking cyber security to board level. Any organisation working in highly targeted sectors will have spent a percentage of its IT budget on cyber security, typically >10%. Should they spend more or less? It’s a simple question, but it is often difficult to provide strong justification for any answer.

Chief Information Security Officers need a clear and current view of the risks their organisation is carrying to compare with their agreed risk appetite in order to justify budget changes. To progress this, we need to reorder the CAF A objectives…
Asset management: Seeing the whole map
You can’t protect what you don’t know exists. Asset management is a cornerstone of CAF Objective A, and the ideal starting point for any organisation. You will know about your website and many of your everyday services, but what about those occasional services? Or those set up perhaps years ago and since neglected?
The simplest way to discover all your online assets is to use an Attack Surface Management tool that provides you with a view of your IT as a hacker sees it.
NCSC say:
“If you are not already maintaining a thorough register of your assets (including software versions, lifecycle tracking, and risk assessment), EASM products can help you get started quickly.” External attack surface management (EASM) - ncsc.gov.uk

Attack Surface Management tools excel here by uncovering internet-facing assets across domains and IP ranges, including shadow IT and legacy systems.
“All assets relevant to the secure operation of essential function(s) are identified and inventoried (at a suitable level of detail). The inventory is kept up-to-date.”
This needs to be used in conjunction with a tool that provides you with a similar internal view.
Notice the emphasis on up-to-date information: with modern tooling there is no reason this can’t be refreshed daily, so that changes to your online estate are discovered promptly.
Risk management: From reactive to proactive
With assets discovered, CAF Objective A2 Risk Management requires organisations to “identify and mitigate threats before they impact operations”.
Threats can come from online, email, phone or even physical access to your buildings, so there is no single technical solution that addresses all of them.
“There is no single blueprint for cyber security and therefore organisations need to take steps to determine security risks that could affect the operation of essential functions and take measures to appropriately manage those risks.”
What is important is that CAF’s principle of systematic, informed risk management is utilised.
“There should be a systematic process in place to ensure that identified risks are managed and the organisation has confidence mitigations are working effectively.”
Again, an Attack Surface Management tool can be used to understand your online risks, but here the key is to employ a tool that systematically prioritises risks and provides a way of checking that they are being managed and resolved successfully.
Organisations need tools that not only identify vulnerabilities but also help them systematically address the requirements of the UK’s National Cyber Security Centre’s Cyber Assessment Framework (CAF). Choose an Attack Surface Management (ASM) platform that is designed to provide continuous visibility, actionable insights, and governance-aligned reporting.

Hexiosec ASM supports dynamic risk assessments, integrating threat intelligence feeds and sector-specific insights to inform them. The CAF requires that:
“Your risk assessments are dynamic and updated in the light of relevant changes which may include technical changes to network and information systems, change of use and new threat information.”
Security teams face an overwhelming volume of vulnerability data. A single scan can reveal hundreds of CVEs, each with technical details and patching requirements. The real challenge isn’t detection, it’s prioritisation.
Hexiosec ASM continuously scans for vulnerabilities, using live – not stale – data, prioritising issues so teams can focus on what matters most. Severity scores like CVSS help indicate potential impact, but they don’t show whether a vulnerability is actively exploited. To address this, Hexiosec ASM incorporates CISA’s Known Exploited Vulnerability list and Exploit Prediction Scoring System (EPSS) data, adding real-world context to risk assessments.
By combining severity, known exploits, and likelihood of active exploitation, Hexiosec ASM enables organisations to focus remediation on vulnerabilities that pose the greatest current risk, reducing noise and supporting CAF’s principle of systematic, informed risk management.
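The prioritisation logic described above, as an added illustration rather than Hexiosec's own scoring: findings are placed in tiers using the CISA KEV flag first, then EPSS likelihood and CVSS severity, so that a KEV-listed medium-severity issue outranks a critical CVSS score with negligible exploitation probability. The CVE identifiers, hostnames, scores and the EPSS threshold are all constructed placeholders.

```python
from dataclasses import dataclass

@dataclass
class Finding:
    host: str
    cve: str
    cvss: float   # CVSS base score, 0-10 (potential impact)
    epss: float   # EPSS probability of exploitation, 0-1 (likelihood)
    in_kev: bool  # listed in CISA Known Exploited Vulnerabilities catalogue

# Constructed sample findings: placeholder CVE ids and hosts, not real scan output
FINDINGS = [
    Finding("vpn.example.test",     "CVE-0000-0001", 7.5, 0.92, True),
    Finding("www.example.test",     "CVE-0000-0002", 9.8, 0.02, False),
    Finding("mail.example.test",    "CVE-0000-0003", 5.3, 0.45, False),
    Finding("old-cms.example.test", "CVE-0000-0004", 9.1, 0.71, False),
    Finding("api.example.test",     "CVE-0000-0005", 4.0, 0.01, False),
]

EPSS_HIGH = 0.5  # assumed threshold; set according to your risk appetite

def tier(f: Finding) -> str:
    """Tier 1: known to be exploited in the wild (KEV).
    Tier 2: likely to be exploited soon (high EPSS) or critical severity.
    Tier 3: tracked for remediation but not urgent."""
    if f.in_kev:
        return "tier1-exploited"
    if f.epss >= EPSS_HIGH or f.cvss >= 9.0:
        return "tier2-likely"
    return "tier3-monitor"

def prioritise(findings):
    """Order by tier, then likelihood (EPSS), then impact (CVSS), highest first."""
    rank = {"tier1-exploited": 0, "tier2-likely": 1, "tier3-monitor": 2}
    return sorted(findings, key=lambda f: (rank[tier(f)], -f.epss, -f.cvss))

def by_cvss_only(findings):
    """Severity-only ordering, kept for comparison with the tiered view."""
    return sorted(findings, key=lambda f: -f.cvss)

def summarise(findings):
    """Per-tier counts: the kind of figure that goes into a board report."""
    counts = {}
    for f in findings:
        counts[tier(f)] = counts.get(tier(f), 0) + 1
    return counts
```

Comparing `prioritise(FINDINGS)` with `by_cvss_only(FINDINGS)` shows why severity alone is a poor remediation queue: the actively exploited VPN finding drops to third place under CVSS ordering.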
Supply chain: Managing risk beyond your borders
Supply chain risk is notoriously hard to manage. A recent letter from the Department of Science, Innovation & Technology encouraged the UK’s top 350 firms to insist all their suppliers have Cyber Essentials but, whilst a good start, this is limited by three issues:
- The scope of Cyber Essentials is set by the organisation itself, so it may miss undiscovered assets, as discussed above.
- Cyber Essentials is what the name suggests: the five things that all organisations must have. It does not consider any “special” aspects, so almost every organisation needs to think beyond the “essentials”.
- A certificate like Cyber Essentials is a single point in time, a bit like an MOT on your car. It doesn’t make the car safe 364 days later, or even one day later, and organisations’ online infrastructure is often changing rapidly.

The CAF states:
“If an organisation relies on third parties (such as outsourced or cloud-based technology services) it remains accountable for the protection of any essential function. This means that there should be confidence that all relevant security requirements are met regardless of whether the owning organisation or a third party operates the function.”
Hexiosec ASM’s passive scanning approach allows organisations to assess third-party cyber hygiene without touching their infrastructure. By carrying out daily or weekly scans of your suppliers (prioritised by how important each supplier is to you), you can have confidence in their cyber security, share new insights (using Hexiosec Transfer) and resolve accountability.
Why act now? Final thoughts
NCSC’s CAF is about building resilience, not just compliance. Hexiosec’s ASM tool supports that mindset by giving organisations the visibility, context, and control they need to manage cyber risk in a dynamic environment.
By starting with Principle A and Attack Surface Management, recently advocated by NCSC, organisations can take a simple initial step towards meeting the CAF and turning cyber risk into an easy Boardroom conversation.
The Hexiosec ASM platform aligns with the foundational principles of the NCSC CAF, providing a comprehensive, threat-informed, and governance-aligned approach to managing cyber risk across essential functions. Hexiosec ASM translates technical risk into digestible insights for leadership, bridging the gap between technical teams and decision-makers. It directly supports each sub-point of CAF Objective A, making it a strategic enabler for compliance, resilience, and operational assurance.