How to gather evidence for your self-assessments
Gathering evidence that shows how your council meets the contributing outcomes is an important part of the CAF for local government.
To complete your self-assessments, your council needs to collate evidence showing how you meet the indicators of good practice (IGPs) for each contributing outcome.
It is important you gather enough evidence for your independent assurer so that they get a full picture of your council’s cyber resilience and can make useful recommendations.
It is important you:
- provide evidence that is relevant and up to date
- gather enough evidence to show how you are meeting or working towards an outcome
- explain what your supporting evidence demonstrates
Always use existing documents. Do not create new artefacts to use as evidence.
Your CAF assessment should be a snapshot of your council’s current cyber resilience. You can add any new documentation you identify to your improvement and implementation plan.
Evidence for your organisational self-assessment
Examples of documents you could use for your organisational self-assessment include:
- policy documents
- terms of reference
- business continuity and disaster recovery plans
- incident response plans
- copies of contracts
See examples of evidence you can provide for organisational self-assessment.
Evidence for your critical systems self-assessment
Examples of documents you could use for your critical systems self-assessment include:
- policy documents
- technical process documents
- joiners, movers and leavers processes
- audits of compliance
- network diagrams
- approved lists of software
See examples of evidence you can provide for critical systems self-assessment.
When to gather your evidence
We recommend gathering and organising evidence steadily throughout your CAF self-assessment.
Collating evidence at the end can be a real challenge, and might not reflect the effort you have put into the rest of your assessment.
It is likely you will need to gather evidence from different teams across your council, so factor in time to request it and to explain what you need.
How to organise and keep track of evidence
We recommend using the evidence tracker in your self-assessment workbook to organise and reference your evidence.
You can also see examples of how to collate and describe evidence in the example organisation self-assessment workbook.
Save your evidence in a folder structure that matches the contributing outcomes. This will make it easier for your council to see where you have gaps, and for your assurer to match your evidence to the outcome.
When you meet your independent assurer, you can discuss how best to share your evidence and decide on a format that works for you both.
Reference your evidence clearly
You should reference the evidence that supports contributing outcomes and IGPs in a way that is clear for your assurer to find.
Make sure your evidence list includes:
- descriptive file name of document – for example, ‘[name]-risk-management-policy.pdf’
- which contributing outcomes and IGPs it refers to
- the location of the document for assurers to access – for example a hyperlink or SharePoint folder name
If the evidence you are sharing is part of a document, then let the assurer know which section contains the evidence.
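The following script is an added example, not part of this guidance or of the self-assessment workbook. It assumes evidence is saved in a folder per contributing outcome (with an optional IGP subfolder), walks that structure, and produces the tracker fields listed above (file name, contributing outcome and IGP, location, and a section column to complete where only part of a document is evidence). It also reports contributing outcomes that have no evidence, folders that match no outcome, and file names that are not descriptive. The outcome identifiers, folder names and files in it are constructed placeholders, not CAF identifiers or real council documents.

```python
"""Build an evidence tracker from a CAF evidence folder and report gaps.

Added example, not from the guidance page or the workbook. Assumed layout:

    evidence/<contributing outcome>/[<IGP>/]<descriptive-file-name>.<ext>

Outcome identifiers, folders and files below are constructed placeholders.
"""
from __future__ import annotations

import csv
import io
import re
import tempfile
from pathlib import Path

# Assumption: the outcome list comes from your self-assessment workbook.
# These identifiers and titles are placeholders, not CAF identifiers.
CONTRIBUTING_OUTCOMES = {
    "CO-1": "Governance",
    "CO-2": "Risk management",
    "CO-3": "Identity and access control",
    "CO-4": "Incident response planning",
}

# Descriptive file name in the form the page gives, e.g.
# 'name-risk-management-policy.pdf': lowercase words joined by single hyphens.
DESCRIPTIVE_NAME = re.compile(
    r"^[a-z0-9]+(?:-[a-z0-9]+)+\.(?:pdf|docx?|xlsx?|pptx?|txt)$"
)


def build_tracker(root: Path, outcomes: dict) -> list[dict]:
    """Return one tracker row per evidence file found under root."""
    rows = []
    for path in sorted(p for p in root.rglob("*") if p.is_file()):
        rel = path.relative_to(root)
        outcome = rel.parts[0]
        # Any subfolder between the outcome folder and the file names the IGP.
        igp = "/".join(rel.parts[1:-1])
        rows.append({
            "file_name": path.name,
            "contributing_outcome": outcome,
            "igp": igp,
            "location": rel.as_posix(),
            "section": "",  # complete when only part of the document is evidence
            "known_outcome": outcome in outcomes,
            "descriptive_name": bool(DESCRIPTIVE_NAME.match(path.name)),
        })
    return rows


def outcomes_without_evidence(rows: list[dict], outcomes: dict) -> list[str]:
    """Contributing outcomes with no file under their folder (your gaps)."""
    covered = {r["contributing_outcome"] for r in rows}
    return [o for o in outcomes if o not in covered]


def problems(rows: list[dict]) -> list[str]:
    """Referencing issues an assurer would otherwise have to query."""
    msgs = []
    for r in rows:
        if not r["known_outcome"]:
            msgs.append(f"{r['location']}: folder '{r['contributing_outcome']}' "
                        "matches no contributing outcome")
        if not r["descriptive_name"]:
            msgs.append(f"{r['location']}: file name is not descriptive "
                        "(expected e.g. name-risk-management-policy.pdf)")
    return msgs


def tracker_csv(rows: list[dict]) -> str:
    """Render the tracker columns the guidance asks for as CSV text."""
    fields = ["file_name", "contributing_outcome", "igp", "location", "section"]
    buf = io.StringIO()
    writer = csv.DictWriter(buf, fieldnames=fields, extrasaction="ignore")
    writer.writeheader()
    writer.writerows(rows)
    return buf.getvalue()


def make_sample_tree() -> Path:
    """Constructed evidence folder used to exercise the checks offline."""
    root = Path(tempfile.mkdtemp()) / "evidence"
    files = [
        "CO-1/terms-of-reference.pdf",
        "CO-2/IGP-2/council-risk-management-policy.pdf",
        "CO-2/Risk Register FINAL v3.xlsx",  # not a descriptive file name
        "CO-4/incident-response-plan.docx",
        "misc/network-diagram.pdf",          # folder matches no outcome
    ]
    for f in files:
        p = root / f
        p.parent.mkdir(parents=True, exist_ok=True)
        p.write_text("placeholder content")
    (root / "CO-3").mkdir()  # outcome folder with no evidence in it
    return root


if __name__ == "__main__":
    root = make_sample_tree()
    rows = build_tracker(root, CONTRIBUTING_OUTCOMES)
    print(tracker_csv(rows))
    for o in outcomes_without_evidence(rows, CONTRIBUTING_OUTCOMES):
        print(f"GAP: no evidence for {o} ({CONTRIBUTING_OUTCOMES[o]})")
    for m in problems(rows):
        print("CHECK:", m)
```

Run it against your real evidence folder by replacing `make_sample_tree()` with the path to that folder and `CONTRIBUTING_OUTCOMES` with the outcomes from your workbook; the CSV can be pasted into the evidence tracker, and the GAP lines are the items to carry into your improvement and implementation plan.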
How this helps your assurer
Referencing evidence in the right format will help the assurer locate the relevant evidence that supports each contributing outcome. This will reduce the need for clarification from the assurer and help them understand your council’s cyber security posture.
Use the evidence tracker in our self-assessment template to reference evidence. This will help you reference evidence in the right format for the assurer.
What evidence you need for outcomes your council has ‘not achieved’
Even if you believe you have not achieved a contributing outcome, you should still provide evidence of any relevant processes you have. This will help your assurer make a recommendation on how to meet the contributing outcome in your improvement and implementation plan.
In some cases the assurer may disagree with the council’s own assessment and suggest that the council has actually achieved the contributing outcome. This will be based on the evidence that the council has provided.
Share evidence securely with your assurer
It is important that your independent assurer has a secure way of accessing your evidence. Without this they will be unable to verify whether your assessment is a true reflection of your organisation’s cyber posture.
In the introduction to assurance call with your independent assurer, you should have discussed:
- how you will reference evidence
- how you will provide access so they can view it
If not, contact your assurer to agree on an approach.
Find out how to store and share information securely.