
Author: Local Digital

Evidence to provide for organisational self-assessment

A list of evidence your council can use to support your CAF for local government self-assessment.

Here are typical examples of documentation your independent assurers expect to see as part of your self-assessment.

Managing security risk (objective A)

Board direction (A1.a)

  • Information security policy
  • Relevant job descriptions – to show roles have accountability for security of networks and information systems
  • Any cyber specific training at board level – this may include exercise training for example

Roles and responsibilities (A1.b)

  • Skills matrix and/or examples of a training record
  • RACI tables
  • Job description for information security
  • Acceptable Use Policy

Risk management process (A2.a)

  • Evidence of risk management process review – this could be documented improvements identified in the review
  • Information security in project management – evidence of the project lifecycle process. It is good to see if cyber security is included in each stage of the project lifecycle.
  • Any examples of a Cyber Essentials remediation tracker or ITHC remediation tracker for example
  • Example of a risk assessment that uses information from cyber threat intelligence and identified vulnerabilities
  • Example of a risk assessment used for a change control, if used
  • Threat intelligence collection process/plan, if used
  • Vulnerability management policy/procedure and examples of vulnerability management – for example, scanning schedules and results. These can also be used for Vulnerability management (B4.d)

Assurance (A2.b)

  • Process followed to action findings identified by the assurance process
  • ITHC, audit remediation action trackers
  • Asset disposal procedure, including examples of certificates if used. This can also be used for Asset management (A3.a)
  • Cyber Essentials certification
  • ISO27001 certification
  • Internal and external audit schedules and reports
  • Written minutes or documentation showing a meeting of the operations manager with the managed service provider
  • Any audits conducted for suppliers. These can also be used for Supply chain (A4.a)

Asset management (A3.a)

  • Asset register (please redact)
  • Asset management policy
  • Use of hardened gold builds, for example CIS Hardened images
  • Evidence that security requirements are included in the procurement of systems and services
  • Asset disposal procedure, including example of certificates, if used
  • Project management policy/procedure that shows cyber security should be considered and embedded from the early stages (similar to A2.a)
  • Any use of information asset owners (IAO) – for example, in asset management procedures, specific IAO training
  • Evidence that maintenance of assets is conducted by authorised, trained personnel
  • Information on any data centres you use – including access control, power supply, uninterruptible power supply (UPS), standby generator, monitoring for power/moisture

Supply chain (A4.a)

  • Cyber security supplier management process/policy, or references to cyber security in supplier management process
  • Customer/supplier responsibility contract clauses
  • Data sharing agreements
  • Information sharing clauses within contracts
  • Incident reporting and handling clauses in contracts
  • Supplier risk assessment
  • Supplier responsibilities within contracts including notifications of internal incidents
  • Examples of supply chain mapping that may have been done to identify, prioritise and assess suppliers
  • Monitoring, review and evaluation of supplier information security service delivery

Minimising the impact of cyber security incidents (objective D)

Response plan (D1.a)

  • Incident response plan
  • Evidence of recent incidents
  • Collection of evidence/forensics – whether in house or contracted to a supplier – with evidence of past examples

Response and recovery capability (D1.b)

  • Backup policy/plan and process for the restoration of backups – may be included in the backup policy/plan
  • Schedule for restore testing and/or examples of recent restore testing
  • Communications plan – for example, regulatory, internal and external stakeholders, media
  • Business impact assessment
  • Legal and contractual requirements identified

Testing and exercising (D1.c)

  • Documented exercise scenarios
  • Exercise schedule and reports of past exercises demonstrating exercises are conducted

Incident root cause analysis (D2.a)

  • Evidence that root cause analysis is conducted as part of the incident process
  • Evidence of sessions or meeting notes to discuss lessons learned following an exercise
  • Action tracker to prove lessons learned from exercises
  • Root cause analysis methodology used – for example, ‘Kelvin TOP-SET’, ‘Five whys’, ‘Fault tree analysis (FTA)’, ‘informal’

Using incidents to drive improvements (D2.b)

  • Lessons learned documented from previous incidents
  • Response plans incorporate lessons learned
