Stage 5: Final Assessment and Targeted Improvement Plan
Stage 5 is the final stage of GovAssure. It completes the independent assurance review report (IARR) and involves the Targeted Improvement Plan (TIP).
Stage 5 of GovAssure begins when the draft independent assurance reviewer report (IARR) is delivered to the organisation by the independent assessor.
Once this has happened, the organisation and the other stakeholders can proceed with the following steps:
- Complete the IARR
- Create the draft targeted improvement plan (TIP)
- Complete and share the TIP
These steps require input from the Government Security Group (GSG) and the organisation stakeholders, specifically:
- GovAssure lead and senior responsible officer (SRO)
- System owners
- Department risk leads
- Suppliers and/or managed service providers
Complete the IARR
When the draft IARR is provided to the organisation, the observations it contains are reviewed by the organisation’s stakeholders and the GSG. This is an opportunity to identify any corrections or clarifications that may have been missed during Stage 4.
Once the IARR is verified as complete by all stakeholders, the draft TIP can be prepared.
Create the draft TIP
The GSG provides the organisation with a partially populated TIP template, using information from the IARR. The TIP is an Excel spreadsheet that – when complete – shows a consolidated view of findings and recommendations. It is structured on a system-by-system basis, and is intended to be used as a strategic planning tool that provides a view of the organisation’s strengths or gaps against the associated target government profile.
Note: the organisation can use its own template if desired. However, the GSG recommends that the organisation refers to the GSG template to ensure that all the required details are captured.
Complete and share the TIP
The organisation should complete the TIP by adding information on cyber security and resilience improvement programmes or activities, and reviewing and prioritising the pre-populated findings and recommendations.
Note: each organisation is best placed to understand how to prioritise recommendations in a way that suits its needs, but the GSG has a web-based CAF Dependency Model to support this work if required.
Once the organisation has completed the TIP, it must share it with the GSG for review and discussion. Then, when all parties agree, the organisation can formally approve the TIP and communicate it to all key stakeholders.
Monitoring agreed actions and progress
The completion and approval of the TIP marks the beginning of the improvement work required. The organisation is responsible for monitoring and tracking actions, and reporting on progress to the GSG. The internal stakeholders should agree on the process and frequency for these activities.
The GSG will support the organisation in these activities, and can facilitate additional support from the Cyber GSEC if required.
Note: the GSG recommends that the TIP be regularly reassessed and updated to align with evolving cyber security threats and organisational priorities. Any escalation regarding this process goes through the GSG.