How to use the indicators of good practice
In the CAF for local government, indicators of good practice (IGPs) are statements that reflect good cyber security practice within a council.
About the indicators of good practice
Each contributing outcome you assess your council against contains related indicators of good practice (IGPs). The intention of the CAF is to simplify how you implement cyber security. IGPs help to break this down into small steps.
To complete your assessment, you need to:
- consider each IGP for a contributing outcome
- agree or disagree on whether your council meets the relevant IGPs
- explain and provide evidence on how your council currently meets them
These indicators should:
- be applied in the context of your council, using your expert judgement
- help you tell the story of your current cyber positioning and any factors affecting this
- inform what supporting evidence you share with an independent assurer
They are not:
- an inflexible checklist
- an exhaustive list covering everything the assurer should consider
- guaranteed to apply to your council
How they are categorised
There are three categories of IGPs:
- Achieved – these show the typical characteristics of an organisation that has fully achieved an outcome
- Partially achieved – these show the typical characteristics of an organisation partially achieving an outcome
- Not achieved – these show the typical characteristics of an organisation that has not achieved an outcome
How to use the IGPs in your self-assessment
Always consider the IGPs in the context of your council, using your expert judgement. They are a good starting point for your conversations, but still need sector knowledge and cyber security expertise.
Prove you meet an IGP by including:
- relevant evidence and examples against each IGP
- a short explanation demonstrating what your evidence shows
Assess ‘Achieved’ IGPs first
When completing your self-assessment, first look at the ‘Achieved’ IGPs for each outcome. Then consider the ‘Not achieved’ IGPs.
Consider and assess each IGP independently.
If you meet all the ‘Achieved’ IGPs, it is likely your organisation has achieved the contributing outcome. You should consider additional factors or special circumstances before deciding if you meet a contributing outcome.
If you meet one or more of the ‘Not achieved’ IGPs, it is likely your organisation has not achieved an outcome.
If you do not meet all the ‘Achieved’ IGPs and do not meet any of the ‘Not achieved’ IGPs, it is likely your organisation will have ‘Partially achieved’ that outcome.
If an IGP is not applicable
There may be cases where an IGP is not applicable to your council.
If this is the case:
- mark the IGP as ‘Not applicable for our council’ in the workbook
- provide a statement as to why you believe the IGP is not applicable
When considering whether an IGP applies, consider your organisation’s role as:
- data owner / controller
- data processor
- IT service provider
- consumer of commercial (third-party) IT services
These cases are unlikely and should be treated as exceptions.
A council is assessing whether it meets the contributing outcome Assurance (A2.b).
One of the contributing outcome’s IGPs states:
You validate that the security measures in place to protect the network and information systems are effective and remain effective for the lifetime over which they are needed.
The council tells the assurer that this IGP is not applicable. This is because responsibility for the IT environment is fully outsourced to a commercial (third-party) supplier.
If you meet a contributing outcome in a way not specified in the IGPs
During the assessment, it is possible that your council meets a contributing outcome in a way not specified in the IGPs. For example, you have alternative controls in place.
If this happens, you should:
- mark the contributing outcome as ‘Achieved’ in the workbook
- provide a statement against the contributing outcome and the relevant IGPs describing why you think the contributing outcome has been achieved
The statement should:
- describe the alternative controls
- provide evidence that supports your response
This will help the assurer decide if your organisation has met the contributing outcome.
An organisation is assessing whether it meets the contributing outcome Privileged user management (B2.c).
One of the contributing outcome’s IGPs states:
Privileged user access to network and information systems supporting your essential function(s) is carried out from dedicated separate accounts that are closely monitored and managed.
The organisation tells the assurer it has not met the IGPs because a system in a control room:
- is ‘always on’ and cannot be logged off for security reasons
- is always left in a logged-on state
- is used for privileged operations
- can be accessed by anyone in the control room without logging in
However, the council provides evidence they have met the outcome with the following alternative controls:
- the control room requires individuals to use a pass and PIN to gain access
- entry to and exit from the control room are recorded
- only individuals with permission to enter the room have access
- entry and exit are monitored and recorded by CCTV
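The status rule above (all ‘Achieved’ IGPs met, one or more ‘Not achieved’ IGPs met, or neither), the ‘Not applicable for our council’ marking with its required statement, and the alternative-controls override can be written down as a small scoring routine. The following is an added illustration, not code from MHCLG or from the CAF workbook. It assumes a workbook entry is represented by the `IGP` and `ContributingOutcome` classes defined here; the IGP texts are the two quoted on this page, the ‘Not achieved’ IGP in the B2.c scenario is constructed for illustration, and the choice that a met ‘Not achieved’ IGP outranks a full set of met ‘Achieved’ IGPs (a case the guidance does not spell out) is an assumption made here as the conservative reading.

```python
"""Indicative contributing-outcome status from IGP responses (added example, not MHCLG code)."""
from dataclasses import dataclass
from enum import Enum


class Category(Enum):
    ACHIEVED = "Achieved"
    PARTIALLY_ACHIEVED = "Partially achieved"
    NOT_ACHIEVED = "Not achieved"


class Response(Enum):
    MET = "met"
    NOT_MET = "not met"
    NOT_APPLICABLE = "Not applicable for our council"  # the workbook marking from the page


@dataclass
class IGP:
    text: str
    category: Category
    response: Response
    statement: str = ""  # evidence and explanation, or the reason the IGP is not applicable


@dataclass
class ContributingOutcome:
    ref: str
    name: str
    igps: list
    alternative_controls: str = ""  # statement describing alternative controls and their evidence


def validate(outcome):
    """Return the problems an assurer would raise about this workbook entry (empty list if none)."""
    problems = []
    for igp in outcome.igps:
        if igp.response is Response.NOT_APPLICABLE and not igp.statement.strip():
            problems.append(f"{outcome.ref}: IGP marked not applicable needs a statement explaining why")
        if igp.response is Response.MET and igp.category is Category.ACHIEVED and not igp.statement.strip():
            problems.append(f"{outcome.ref}: met 'Achieved' IGP needs evidence and a short explanation")
    achieved = [i for i in outcome.igps if i.category is Category.ACHIEVED]
    if achieved and all(i.response is Response.NOT_APPLICABLE for i in achieved):
        # N/A is meant to be an exception; every IGP being N/A leaves nothing to score.
        problems.append(f"{outcome.ref}: every 'Achieved' IGP marked not applicable; assurer judgement needed")
    return problems


def indicative_status(outcome):
    """Apply the page's rule to give the likely status; it is a starting point, not the final decision."""
    if outcome.alternative_controls.strip():
        # Outcome met in a way the IGPs do not describe: marked 'Achieved' with a statement.
        return Category.ACHIEVED
    applicable = [i for i in outcome.igps if i.response is not Response.NOT_APPLICABLE]
    # Assumption: a met 'Not achieved' IGP wins over met 'Achieved' IGPs (conservative reading).
    if any(i.category is Category.NOT_ACHIEVED and i.response is Response.MET for i in applicable):
        return Category.NOT_ACHIEVED
    achieved = [i for i in applicable if i.category is Category.ACHIEVED]
    if achieved and all(i.response is Response.MET for i in achieved):
        return Category.ACHIEVED
    return Category.PARTIALLY_ACHIEVED


def b2c_scenario(with_alternative_controls):
    """Constructed scenario mirroring the B2.c control-room example on this page."""
    igps = [
        IGP("Privileged user access to network and information systems supporting your "
            "essential function(s) is carried out from dedicated separate accounts that are "
            "closely monitored and managed.", Category.ACHIEVED, Response.NOT_MET),
        # Constructed 'Not achieved' IGP, not taken from the CAF.
        IGP("[constructed] Privileged operations are performed from unmonitored shared accounts.",
            Category.NOT_ACHIEVED, Response.NOT_MET),
    ]
    alt = ""
    if with_alternative_controls:
        alt = ("Control room needs pass and PIN; entry and exit are recorded and monitored by CCTV; "
               "only permitted individuals can enter.")
    return ContributingOutcome("B2.c", "Privileged user management", igps, alt)


def a2b_scenario():
    """Constructed scenario mirroring the A2.b outsourced-IT example on this page."""
    igp = IGP("You validate that the security measures in place to protect the network and "
              "information systems are effective and remain effective for the lifetime over "
              "which they are needed.", Category.ACHIEVED, Response.NOT_APPLICABLE,
              statement="IT environment fully outsourced to a commercial (third-party) supplier.")
    return ContributingOutcome("A2.b", "Assurance", [igp])


if __name__ == "__main__":
    for outcome in (b2c_scenario(False), b2c_scenario(True), a2b_scenario()):
        print(outcome.ref, indicative_status(outcome).value, validate(outcome))
```

Run stand-alone, the B2.c entry comes out ‘Partially achieved’ until the alternative-controls statement is supplied, after which it is ‘Achieved’; the A2.b entry passes the statement check but is flagged for assurer judgement because its only ‘Achieved’ IGP is marked not applicable, which is the exception treatment the page asks for.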
Interpreting IGPs for local government
A key benefit of the Cyber Assessment Framework is the flexibility it allows for sector-specific interpretation. This means the outcomes you need to meet are tailored to councils.
MHCLG has worked with experts to offer guidance on how councils should interpret the CAF indicators of good practice for local government. You can find this guidance within your CAF self-assessment workbooks.