Author: Local Digital

How to complete your organisational self-assessment

What to consider when self-assessing your organisation as part of the CAF for local government – from who to involve, to sharing your self-assessment with your assurer.

1. Establish who needs to be involved

Your CAF lead should invite collaborators with relevant expertise to inform how your council is meeting objectives A and D, and to collate relevant evidence.

Collaborators might include:

  • service leads
  • risk managers
  • procurement leads
  • legal adviser
  • business continuity managers

Your team should allow approximately four weeks to complete the self-assessment of your organisation.

The CAF lead should:

  1. Brief your CAF collaborators to make sure they understand the CAF and what is expected of them
  2. Confirm which outcomes and indicators of good practice (IGPs) are appropriate for each collaborator to contribute towards
  3. Discuss the best way for your team to collaborate on the workbook. This should be a collaborative exercise and your CAF lead should have oversight. You may want to:
    • work centrally on one spreadsheet
    • collate responses in smaller teams with regular check-ins
    • book in workshops to discuss or review responses

Find out more about roles and responsibilities.

2. Review and collate evidence

To complete your self-assessment, you need to assess and document the extent to which your council meets the contributing outcomes. This includes:

  • assessing whether your council has achieved, not achieved or, in some cases, partially achieved an outcome
  • providing supporting commentary and evidence to your independent assurer to support your decision

How you meet each contributing outcome is not prescribed and will vary according to organisational circumstances.

To help you understand whether you have achieved, not achieved, or partially achieved an outcome, you should work through the set of IGPs associated with each outcome.

It is useful to start with the ‘Achieved’ IGPs for each outcome and ask:

  • Does this statement apply to your council?
  • To what extent do you meet this IGP?
  • Are there any alternative controls in place for meeting this IGP?
  • Do you have evidence that you can reference to show how you are meeting this IGP?

How to use the indicators of good practice (IGPs).

Collate good evidence for each contributing outcome

You and your collaborators need to collate evidence of how your council meets the IGPs for each contributing outcome. This is an important part of the CAF process.

Always use existing documents. Do not create new artefacts to use as evidence.

It is important you provide:

  • evidence that is relevant and up to date
  • enough evidence to show how you are meeting or working towards an outcome

Examples of good documents to use include:

  • policy documents
  • terms of reference
  • business continuity and disaster recovery plans
  • incident response plans
  • copies of contracts

See examples of evidence you can provide for organisational self-assessment.

It is important your CAF assessment is a snapshot of your council’s current cyber resilience. You can add any new documentation you identify to your improvement and implementation plan.

You can find good examples of how to collate and describe evidence in the workbook’s evidence tracker example.

Share evidence securely with your assurer

It is important that your independent assurer has a secure way of accessing your evidence. Without this, they will be unable to verify if your assessment is a true reflection of your organisation’s cyber posture.

In the introduction to assurance call with your independent assurer, you should have discussed:

  • how you will reference evidence
  • how you will provide access so they can view it

If not, contact your assurer to agree on an approach.

How to store and share information securely.

Summarise your response for each IGP

You should use the self-assess your organisation workbook to review each indicator of good practice (IGP) and record your response. This includes providing a short explanation of how your council is meeting each IGP.

This gives context to your independent assurer so they can understand how your council has interpreted each IGP.

Include information such as:

  • why you have a process in place
  • how often your council reviews or updates this
  • any dependencies with third parties
  • what your supporting evidence demonstrates

3. Self-assess against each contributing outcome

Once you have collectively reviewed and collated your evidence, record your assessment of your council against each contributing outcome.

You and your collaborators should use your own judgement and knowledge of your council before deciding if you are achieving a contributing outcome or not.

Understanding which IGPs you meet will provide you with a good starting point for deciding if you have achieved a contributing outcome or not. However, there can be more than one way to meet a contributing outcome.

You should also consider if there are any alternative controls, factors or circumstances that change your assessment. If this is the case, make sure you explain this in your supporting commentary.

It is important your assessment is honest and accurately reflects current activities in your council. Completing your assessment as accurately as possible will help MHCLG to understand any risks or issues within the sector, and consider how to further support the sector in addressing these risks.

Meeting the CAF for local government profile

The CAF for local government provides councils with a baseline to work towards. We understand you might not meet this right away, but by completing a CAF self-assessment you will identify what improvements you can make to achieve it in the future.

The value of the CAF is in understanding your council’s current position, its exposure to cyber risk and how the position can be improved over time.

4. Check your self-assessment for quality and accuracy

Your CAF quality assurer and approver will need to review your organisational self-assessment workbook before it is shared with your independent assurer for review.

Your quality assurer should consider if:

  • this accurately reflects your council
  • your evidence is relevant and up to date
  • this gives enough organisational context to your assurer
  • your evidence is accessible to an external reviewer
  • any internal feedback has been addressed

Once your quality assurer has reviewed your workbook, you need to get sign-off from your approver.

5. Finalise and share your self-assessment with the independent assurer

This stage is complete when:

  • the workbook is reviewed and signed off by your quality assurer and approver
  • evidence is recorded in the evidence tracker
  • the workbook and evidence are securely stored, and your independent assurer can access them

You will then email your assurer to let them know that the self-assessment of your organisation is ready for review.

You cannot resubmit your self-assessment to the independent assurer.

Find out more about independent assurance.
