Skip to main content

Beta What do you think of this service? Your feedback will help us to improve it.

  5. How to complete your organisational self-assessment

Author: Local Digital

How to complete your organisational self-assessment

What to consider when self-assessing your organisation as part of the CAF for local government – from who to involve to sharing your self-assessment with your assurer.

1. Establish who needs to be involved

Your CAF lead should invite collaborators with relevant expertise to inform how your council is meeting objectives A and D, and to collate relevant evidence.

Collaborators might include:

  • service leads
  • risk managers
  • procurement leads
  • legal adviser
  • business continuity managers

Your team should allow approximately four weeks to complete the self-assessment of your organisation.

The CAF lead should:

  1. Brief your CAF collaborators to make sure they understand the CAF and what is expected of them
  2. Confirm which outcomes and indicators of good practice (IGPs) are appropriate for each collaborator to contribute towards
  3. Discuss the best way for your team to collaborate on the workbook. This should be a collaborative exercise and your CAF lead should have oversight. You may want to:
    • work centrally on one spreadsheet
    • collate responses in smaller teams with regular check-ins
    • book in workshops to discuss or review responses

Find out more about roles and responsibilities.

2. Review and collate evidence

To complete your self-assessment, you need to assess and document the extent to which your council meets the contributing outcomes. This includes:

  • assessing whether your council has achieved, not achieved or, in some cases, partially achieved an outcome
  • providing supporting commentary and evidence to your independent assurer to support your decision

How you meet each contributing outcome is not prescribed and will vary according to organisational circumstances.

To help you understand whether you have achieved, not achieved, or partially achieved an outcome, you should work through the set of IGPs associated with each outcome.

It is useful to start with the ‘Achieved’ IGPs for each outcome and ask:

  • Does this statement apply to your council?
  • To what extent do you meet this IGP?
  • Are there any alternative controls in place for meeting this IGP?
  • Do you have evidence that you can reference to show how you are meeting this IGP?

How to use the indicators of good practice (IGPs).

Collate good evidence for each contributing outcome

You and your collaborators need to collate evidence of how your council meets the IGPs for each contributing outcome.

This is an important part of the process. You will need to share the evidence with your independent assurer.

Always use existing documents. Do not create new artefacts to use as evidence.

It is important you provide:

  • evidence that is relevant and up to date
  • enough evidence to show how you are meeting or working towards an outcome

Examples of good documents to use include:

  • policy documents
  • terms of reference
  • business continuity and disaster recovery plans
  • incident response plans
  • copies of contracts

It is important your CAF assessment is a snapshot of your council’s current cyber resilience. You can add any new documentation you identify to your improvement and implementation plan.

Make sure you can share evidence with your assurer

It is important that your independent assurer has a secure way of accessing your evidence.

You should have agreed how evidence is shared and referenced with your independent assurer at the onboarding stage. If not, contact your independent assurer to agree on an approach.

You can find good examples of how to collate and describe evidence in the workbook’s evidence tracker example.

Summarise your response for each IGP

You should use the self-assess your organisation workbook to review each indicator of good practice (IGP) and record your response. This includes providing a short explanation of how your council is meeting each IGP.

This gives context to your independent assurer so they can understand how your council has interpreted this.

Include information such as:

  • why you have a process in place
  • how often your council reviews or updates this
  • any dependencies with third parties
  • what your supporting evidence demonstrates

3. Self-assess against each contributing outcome

Once you have collectively reviewed and collated your evidence, choose how you have assessed your council against each contributing outcome.

You and your collaborators should use your own judgement and knowledge of your council before deciding if you are achieving a contributing outcome or not.

Understanding which IGPs you meet will provide you with a good starting point for deciding if you have achieved a contributing outcome or not. However, there can be more than one way to meet a contributing outcome.

You should also consider if there are any alternative controls, factors or circumstances that change your assessment. If this is the case, make sure you explain this in your supporting commentary.

It is important your assessment is honest and accurately reflects current activities in your council. Completing your assessment as accurately as possible will help MHCLG to understand any risks or issues within the sector, and consider how to further support the sector in addressing these risks.

Meeting the CAF for local government profile

The CAF for local government provides councils with a baseline to work towards. We understand you might not meet this right away, but by completing a CAF self-assessment you will identify what improvements you can make to achieve it in the future.

The value of the CAF is in understanding your council’s current position, its exposure to cyber risk and how the position can be improved over time.

4. Check your self-assessment for quality and accuracy

Your CAF quality assurer and approver will need to review your organisation self-assessment workbook before it is shared with your independent assurer for review.

Your quality assurer should consider if:

  • this accurately reflects your council
  • your evidence is relevant and up to date
  • this gives enough organisational context to your assurer
  • your evidence is accessible to an external reviewer
  • any internal feedback has been addressed

Once your quality assurer has reviewed your workbook, you need to get sign-off from your approver.

Getting your self-assessment independently assured

Your self-assessment should now be ready for its independent assurance review. We plan to publish guidance on the assurance process in winter 2024.

How to use the IGPs

Contact the CAF for local government team

Email us to ask a question or share feedback.

Sign up to UK Government Security

Subscribe to our newsletters to receive notifications when changes to strategy, policy, standards, and guidance are published on the website.

Sign up now