How to store and share your assessment securely
Consider how to securely share your CAF for local government self-assessment and evidence with your team and independent assurers.
Storing and sharing within your council
The main audience for your self-assessment and the outcome of your assurance is your council.
Your CAF lead and approver should discuss access options and how to share it with appropriate people across your organisation.
For example, this might be a shared space in SharePoint where you can control who can view and edit documents.
Storing your supporting evidence
It is a good idea to keep a list of evidence your organisation plans to submit for your self-assessment. Your CAF self-assessment workbooks contain a spreadsheet template you can use. This can help your organisation see where you have gaps and monitor progress, and is also important for your assurer.
It’s useful for your evidence tracker to include:
- descriptive file names – for example, ‘[name]-risk-management-policy.pdf’
- which indicator(s) of good practice and outcome it supports
- the location of the document for assurers to access – for example, a hyperlink or SharePoint folder name
Make sure that your evidence is stored securely and access is appropriately managed and monitored.
Providing access to your independent assurer
An independent assurer will need to review your self-assessment workbook and your supporting evidence.
In your introduction to assurance call, you will agree with your assurer how to store and share these documents.
You could do this by inviting your independent assurer to:
- access a secure folder of documentation – we recommend this approach for most types of evidence
- join an online workshop where you screen share more sensitive evidence – for example, firewall configurations and access control lists
Once your assurance workshops have been scheduled, your assurer will email you to request access.
Once assurance is completed, your assurer will upload the assurance report and recommendations to your council’s shared space.
The workbook and report will only be stored and processed by your assurer for a limited period of time, for the purpose of assurance. They will delete them once the CAF process is complete.
What to submit to the Ministry of Housing, Communities and Local Government (MHCLG)
You will need to submit your assured CAF assessment and your improvement and implementation plan to MHCLG.
MHCLG will look at these to:
- understand cyber security risks and issues across the sector as a whole
- consider how we can best provide support
This is in line with the ambitions set out in the Government Cyber Security Strategy 2022-2030.