Following the publication of NCSC's Guidance for NIS, we are developing the Cyber Assessment Framework (CAF), which is intended to be a systematic method for assessing the extent to which operators of essential services (OES) are achieving the outcomes specified by the 14 NIS principles.
The following requirements for the CAF underpin our approach. The CAF must:
- Provide a suitable framework for NIS competent authorities (CAs) to undertake assessments as required by Directive Article 15
- Maintain the outcome-focused approach of the principles and discourage assessments being carried out as tick-box exercises
- Be compatible with the use by OES of appropriate existing cyber security guidance and standards
- Enable the identification of effective cyber security improvement activities
- Exist in a baseline version which is sector-agnostic
- Be extensible to accommodate sector-specific elements as may be required by CAs
- Enable CAs to set and adjust meaningful outcome target levels for OES to achieve
- Be as straightforward and cost-effective to apply as possible
The first iteration of the CAF will be available, via this website, by the end of April 2018.