About the independent assurance process
You should engage with an independent assurer before you begin the CAF for local government to make a plan for your assurance review.
Why assurance is important
The independent assurance review gives you an external view of how resilient your council currently is. It confirms that your assessment reflects how you are protecting your critical systems and organisation.
The assurance process:
- confirms where you are making appropriate efforts to mitigate common cyber attacks
- identifies areas for improvement that you can prioritise
- helps you communicate findings and next steps to your senior leaders, so everyone can understand your cyber risk
It also supports MHCLG to build an accurate picture of cyber security in the local government sector.
When to contact an independent assurer
You should request an introduction to assurance call once you have:
- an understanding of what the CAF involves
- started to prepare for the CAF
- identified your CAF team roles and responsibilities
- drafted your CAF schedule
- support from your senior leadership and management team to start the CAF
Find out how to arrange independent assurance.
About your independent assurer
Your independent assurer will:
- be a qualified and certified security professional
- be trained by GovAssure (CAF for central government)
- be familiar with cyber security risks across the public and private sector
- have a minimum Baseline Personnel Security Standard (BPSS) security clearance
An assurer will examine the:
- scope of your assessment and any associated risks
- information you provide in your self-assessment
- quality and relevance of the evidence supporting your assessment
They will work with you to provide:
- an assurance report, with an executive summary
- a draft implementation and improvement plan to help you prioritise recommendations to action
- support in presenting findings and recommendations to senior leaders
Overview of the assurance process
You will engage with your independent assurer at several points throughout the CAF process.
1. Attend an introduction to assurance call
Your council will be invited to attend an introduction session with a member of the assurance team to:
- make sure you are clear on what you need to provide to your assurers
- agree on expected timescales
- agree how you will share your self-assessment and evidence securely
- set up prospective dates for assurance workshops
- agree who will attend future meetings with assurers
- answer any questions you have about the process
The assurer will confirm who should attend, but it should include your CAF lead and main collaborators.
After the session, you will be assigned an individual independent assurer who will contact you to arrange further assurance workshops.
2. Share your scoping workbook
Once you have set the scope of your assessment, you will share your scoping workbook with your assurer for review.
In your introduction call, you will have agreed with your assurer how you will share your documents with them securely.
3. Check in during your self-assessment
Once you have completed several contributing outcomes for your self-assessment, your assurer will hold a check-in call to make sure you are on the right track.
This session is also a chance to review timescales and to answer any questions.
4. Share your self-assessment workbook
Your assurer will schedule the review process once you have:
- shared your completed self-assessment
- collated relevant evidence and documentation to support your self-assessment
- agreed with your quality assurer and CAF approver that you are ready for review
The assurer will look at your self-assessment and your supporting evidence to:
- confirm which outcomes your organisation meets
- highlight areas of good practice within your organisation
- recommend areas for improvement to make sure your council has appropriate resilience and associated risk
They may schedule a workshop to discuss any questions they may have about your assessment or supporting evidence.
5. Review the assurance report with your CAF team
Your assurer will produce an assurance report and share it with you to review.
Then, they will schedule a session to discuss the findings of the report with you.
6. Create an improvement and implementation plan
Use the prioritised feedback within the assurance report to create your improvement and implementation plan.
Then, share your improvement plan with your assurer for feedback.
Following your self-assessment, you can submit your scoping workbook, assured self-assessment, and improvement and implementation plan to MHCLG for both the organisation and critical systems assessments. We plan to publish more information on how to securely submit these documents, and how your information will be used, in spring 2025.
7. Create an executive presentation
Once the assurance report has been finalised, we recommend that you create an executive presentation to share with your senior leadership and management team.
After you have created the presentation, share it with the assurer for feedback. The assurer can also attend and support your presentation to your council’s senior leaders.
Who you should involve in the assurance process
Your assurer may have questions or need further clarifications. This means it is important that collaborators are available during the assurance process.
The independent assurance review includes a meeting with individuals across your organisation. Include people who have:
- been involved in your CAF self-assessment
- knowledge of your organisational context and governance
- knowledge of your critical systems
Plan time into your CAF schedule
You should plan enough time for the assurance process to take place.
It will take approximately 30 hours of your CAF team’s work to:
- share evidence with assurers
- support the assurer with any explanations and clarifications
- review the assurance report
- share your report findings with senior leaders
- develop your improvement and implementation plan