How to complete your organisational self-assessment
What to consider when self-assessing your organisation as part of the CAF for local government – from who to involve to sharing your self-assessment with your assurer.
1. Establish who needs to be involved
Your CAF lead should invite collaborators with relevant expertise to inform how your council is meeting objectives A and D, and to collate relevant evidence.
Collaborators might include:
- service leads
- risk managers
- procurement leads
- legal advisers
- business continuity managers
Your team should allow approximately four weeks to complete the self-assessment of your organisation.
The CAF lead should:
- Brief your CAF collaborators to make sure they understand the CAF and what is expected of them
- Confirm which outcomes and indicators of good practice (IGPs) are appropriate for each collaborator to contribute towards
- Discuss the best way for your team to work together on the workbook. Your CAF lead should have oversight of the whole exercise. You may want to:
  - work centrally on one spreadsheet
  - collate responses in smaller teams with regular check-ins
  - book in workshops to discuss or review responses
Find out more about roles and responsibilities.
2. Review and collate evidence
To complete your self-assessment, you need to assess and document the extent to which your council meets the contributing outcomes. This includes:
- assessing whether your council has achieved, not achieved or, in some cases, partially achieved an outcome
- providing supporting commentary and evidence to your independent assurer to support your decision
How you meet each contributing outcome is not prescribed and will vary according to organisational circumstances.
To help you understand whether you have achieved, not achieved, or partially achieved an outcome, you should work through the set of IGPs associated with each outcome.
It is useful to start with the ‘Achieved’ IGPs for each outcome and ask:
- Does this statement apply to your council?
- To what extent do you meet this IGP?
- Are there any alternative controls in place for meeting this IGP?
- Do you have evidence that you can reference to show how you are meeting this IGP?
How to use the indicators of good practice (IGPs).
Collate good evidence for each contributing outcome
You and your collaborators need to collate evidence of how your council meets the IGPs for each contributing outcome.
This is an important part of the process. You will need to share the evidence with your independent assurer.
It is important you provide:
- evidence that is relevant and up to date
- enough evidence to show how you are meeting or working towards an outcome
Examples of good documents to use include:
- policy documents
- terms of reference
- business continuity and disaster recovery plans
- incident response plans
- copies of contracts
Your CAF assessment should be a snapshot of your council’s current cyber resilience, not a description of documents you intend to write. Where you identify that new documentation is needed, record this in your improvement and implementation plan rather than creating it to complete the assessment.
Make sure you can share evidence with your assurer
Much of your evidence (for example incident response plans, business continuity plans and contracts) is sensitive, so your independent assurer needs a secure, agreed way of accessing it.
You should have agreed how evidence is shared and referenced with your independent assurer at the onboarding stage. If not, contact your independent assurer to agree an approach before you start collating evidence.
Summarise your response for each IGP
You should use the ‘self-assess your organisation’ workbook to review each indicator of good practice (IGP) and record your response. This includes providing a short explanation of how your council is meeting each IGP.
This gives context to your independent assurer so they can understand how your council has interpreted the IGP and why you have assessed it as you have.
Include information such as:
- why you have a process in place
- how often your council reviews or updates this
- any dependencies with third parties
- what your supporting evidence demonstrates
3. Self-assess against each contributing outcome
Once you have collectively reviewed and collated your evidence, record whether your council has achieved, partially achieved (where that option applies) or not achieved each contributing outcome.
You and your collaborators should use your own judgement and knowledge of your council before deciding if you are achieving a contributing outcome or not.
Understanding which IGPs you meet will provide you with a good starting point for deciding if you have achieved a contributing outcome or not. However, there can be more than one way to meet a contributing outcome.
You should also consider if there are any alternative controls, factors or circumstances that change your assessment. If this is the case, make sure you explain this in your supporting commentary.
Meeting the CAF for local government profile
The CAF for local government provides councils with a baseline to work towards. We understand you might not meet this right away, but by completing a CAF self-assessment you will identify what improvements you can make to achieve it in the future.
The value of the CAF is in understanding your council’s current position, its exposure to cyber risk and how the position can be improved over time.
4. Check your self-assessment for quality and accuracy
Your CAF quality assurer and approver will need to review your organisation self-assessment workbook before it is shared with your independent assurer for review.
Your quality assurer should consider if:
- the workbook accurately reflects your council’s current position
- your evidence is relevant and up to date
- it gives enough organisational context to your independent assurer
- your evidence is accessible to an external reviewer
- any internal feedback has been addressed
Once your quality assurer has reviewed your workbook, you need to get sign-off from your approver.