Create your improvement and implementation plan
Use the feedback on your CAF for local government assessment to plan your next steps and improve your cyber resilience.
You are ready to start your improvement and implementation plan when you have:
- received your assurance report
- reviewed the report with your CAF team
About your improvement and implementation plan
Your independent assurance report will provide feedback highlighting where you should prioritise your efforts.
You will also receive an improvement and implementation plan with relevant sections completed by the assurer, providing recommendations for each contributing outcome where action is needed.
Use this information to complete your plan, prioritise which recommendations you will implement, and know who to involve and when to schedule work.
How to use your plan
The plan you make to address the issues identified throughout the CAF process is how you build your cyber resilience. This is where your organisation will see real improvement.
Your plan is a tool to:
- highlight to senior decision makers where significant security gaps lie
- align improvements with your existing plans or strategies
- effectively plan time and resource
- plan potential costs
- measure progress
- share next steps with your wider council
What creating your plan involves
- Review the assurance report from the independent assurer
- Work with colleagues at your council to draft your improvement and implementation plan
- Share your plan with the independent assurer for feedback
- Attend an improvement and implementation session arranged by the independent assurer
- Share the amended plan with your internal quality assurer
- Produce an executive presentation for your council. You can adapt the CAF executive presentation template (PPTX, 941KB) to suit your council’s needs
- Send the executive presentation to the independent assurer for feedback
- Schedule and lead an executive presentation at your council, with support from the independent assurer
- Finalise the plan and share it with your quality assurer and approver for sign off
- Submit your final plan to MHCLG
How to complete your plan
Review assurance report and recommendations
Before you complete your plan, you should collectively review the feedback from your independent assurance report. This will highlight, from an external viewpoint, where your council should focus its efforts.
You might want to include your CAF lead, key collaborators and service owners in this review meeting.
As part of the assurance report, the assurer will provide a draft implementation and improvement plan. For each contributing outcome, the assurer will provide:
- recommended actions you could take to meet the outcome
- the risk level associated with the recommendation
- a description of the risk and what it could mean for your council
- the control types associated with the recommendation – for example, people or process
Use this information to help you prioritise which recommendations to implement when you come to complete the plan.
Complete your draft plan
After you have reviewed the assurer’s recommendations and any associated risks, you need to complete the plan by providing the following for each recommendation:
- who will be responsible for implementing it
- cost, effort and complexity of implementing it
- how you have justified the implementation
- how you have prioritised it
- when work to address the recommendation can be scheduled
How long it takes to implement a recommendation will depend on complexity and cost, with improvements happening in the near-, mid- and long-term. In the plan we suggest breaking this work down into quarters.
When completing the plan, think about:
- time and capacity to implement recommendations and address risks
- who might need to be involved, including who needs to sign off budget
- available resource
- organisational dependencies
- if implementing a recommendation will address more than one outcome
- if implementing a recommendation might be a larger piece of work that requires a separate workstream
Share your draft plan for feedback
After you have completed your plan, you need to share it with your independent assurer. They will provide feedback and arrange a session with you to discuss the plan.
You can then use this feedback to adjust the plan before sharing it with your CAF quality assurer.
Finalise and share your plan
- Share your assurance report and finalised plan with your internal CAF quality assurer
- Make any changes based on feedback from the quality assurer
- Get final sign off of your plan from your CAF approver
Information about how to submit your self-assessment to MHCLG will be launched in early 2025.
Create an executive presentation