What a good self-assessment looks like
Making sure your self-assessment is as accurate as possible and supported by evidence is an important part of the CAF for local government.
Doing this will help your independent assurer to:
- better assess your self-assessment
- provide recommendations in the context of your council
- reduce the need for additional clarification
What an assurer will look for in a self-assessment
There are 4 things an assurer will be looking for in a self-assessment:
- completeness
- accuracy
- relevancy
- consistency
Completeness
The assurer will look at how complete the self-assessment is.
They might consider:
- Did the council adequately complete the self-assessment workbook?
- Were responses justified with good quality, organised and sufficient evidence, as explained below?
- Did the assurer have to request additional information?
Accuracy
The assurer will look at the accuracy of the council’s responses.
They might consider:
- How accurately did the council measure their cyber security posture?
- Are the responses by the council truly reflective of their current position?
- How many of the council’s indicators of good practice (IGP) responses match the assurer’s assessment?
Relevancy
The assurer will look at how relevant the responses and evidence are.
They might consider:
- Did the responses align to each of the contributing outcomes and IGPs?
- How relevant was the evidence provided to support each contributing outcome and IGP?
Consistency
The assurer will look at the evidence the council provides and check it is consistent throughout the self-assessment.
They might consider:
- How consistent was the council with their current cyber security position across the self-assessment?
- Do the statements provided align with and support the dependencies between contributing outcomes and IGPs?
- Was there any conflicting data in the information or evidence provided in each case?
What can help you produce a good self-assessment
Provide enough organisational context
The assurer does not work at your council. This means that you need to provide enough organisational context in your self-assessment.
A good response to a contributing outcome or IGP should:
- state whether a contributing outcome or IGP is met by the council
- describe how the council believes they have met or have not met the contributing outcome or IGP
- confirm whether your council has any alternative controls in place
- show how your evidence supports the stated position for a contributing outcome and IGP
In your response it is important to explain how each contributing outcome and IGP is met, considering:
- people
- processes
- technology
- specific security controls that might be relevant
For example, a response to contributing outcome A1.a – Board Direction might look like:
Information and cyber security risks and associated actions are an agenda item at our council’s monthly board meetings. These are presented by the Director of IT and Cyber Security, who has overall accountability for the security of network and information systems and is a permanent member of the board.
Below the board sits an Information Security Working Group, which includes representation from across the council (including the SIRO, CISO, cyber leaders, IT leads, business continuity, the DPO and department heads). When necessary these individuals are called in to support the board meetings to discuss cyber security risks that require high-level input from the board.
Information security and cyber security risks documented in the risk register are reviewed and managed as part of the board meetings.
The information and cyber security strategy has recently been reviewed by the board, is current and has been signed off. This is reviewed on an annual basis, or when there is a change in the threat landscape. This strategy has been communicated to risk management decision-makers through the Information Security Working Group.
The cyber security strategy continually supports our organisational practices through inclusion in our policies, processes and procedures. Any change in our cyber security strategy triggers a review of those policies, processes and procedures to make sure they remain relevant.
How this helps the assurer
This response provides the assurer with the background they need to understand:
- when cyber security risks and actions are reviewed by a council’s board
- who is presenting to the board
- where the board sits in relation to other groups in the council
- how risks are documented
Reference evidence clearly
You should reference the evidence that supports contributing outcomes and IGPs in a way that is clear for the assurer to find.
When listing evidence make sure it includes:
- a descriptive file name for the document – for example, ‘[name]-risk-management-policy.pdf’
- which contributing outcomes and IGPs it refers to
- the location of the document for assurers to access – for example, a hyperlink or SharePoint folder name
For example, for the contributing outcome A1.a – Board direction, you might list the council’s Information and Cyber Security Strategy and include a link to where the assurer can find it.
If the evidence you are sharing is part of a document, let the assurer know which section contains the evidence. For example, if you are sharing a document that is several pages long, consider adding a screenshot of where the evidence appears in the document to the evidence tracker.
You should redact any sensitive information in your evidence, for example IP addresses and host names.
You should save the evidence in a folder structure that matches the contributing outcomes. This will make it easier for the assurer to match evidence to outcome.
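Redacting host names and addresses by hand across many documents is error-prone, so a small script that scrubs evidence text before it goes into the evidence tracker is a useful check. The following is an added example written for this page, not a tool from the guidance or the CAF programme. It assumes the council knows its own DNS suffixes (the constructed `examplecouncil.gov.uk` below is a placeholder) and only redacts host names under those suffixes, which keeps document file names such as `[name]-risk-management-policy.pdf` intact; IPv4 candidates are validated with the standard `ipaddress` module so that a stray string like `999.1.2.3` is left alone rather than silently altered.

```python
import ipaddress
import re
from typing import Dict, Iterable, Tuple

# Constructed sample (not from the guidance): an extract from a firewall-review
# note that a council might attach as evidence for a contributing outcome.
SAMPLE_EVIDENCE = """Firewall rule review 2024-03: the perimeter firewall fw-edge01.corp.examplecouncil.gov.uk
(10.20.30.1) denies inbound traffic to dmz-web02.corp.examplecouncil.gov.uk (192.0.2.45) except tcp/443.
The approved policy is stored in examplecouncil-risk-management-policy.pdf.
Public site www.examplecouncil.gov.uk is in scope; 999.1.2.3 is a typo, not an address."""

# Any dotted quad is a candidate; ipaddress decides whether it is a real address.
IPV4_CANDIDATE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")


def hostname_pattern(suffixes: Iterable[str]) -> re.Pattern:
    """Build a pattern matching FQDNs under the given DNS suffixes (assumed to be
    the council's own), e.g. 'fw-edge01.corp.examplecouncil.gov.uk' for the suffix
    'examplecouncil.gov.uk'. Anchoring on known suffixes avoids treating file
    names such as 'policy.pdf' as host names."""
    label = r"(?:[a-z0-9](?:[a-z0-9-]*[a-z0-9])?\.)*"
    alternatives = "|".join(re.escape(s.lower()) for s in suffixes)
    return re.compile(rf"\b{label}(?:{alternatives})\b", re.IGNORECASE)


def redact_evidence(text: str, internal_suffixes: Iterable[str]) -> Tuple[str, Dict[str, int]]:
    """Replace host names under the council's DNS suffixes and valid IPv4 addresses
    with fixed placeholders. Returns the redacted text and a count per category so
    the evidence tracker can record what was removed."""
    counts = {"host": 0, "ip": 0}

    def replace_host(match: re.Match) -> str:
        counts["host"] += 1
        return "[REDACTED-HOST]"

    def replace_ip(match: re.Match) -> str:
        try:
            # Rejects octets above 255, so '999.1.2.3' is returned unchanged.
            ipaddress.IPv4Address(match.group(0))
        except ValueError:
            return match.group(0)
        counts["ip"] += 1
        return "[REDACTED-IP]"

    # The two patterns cannot match inside each other's text, so the order only
    # matters for readability of the counting.
    text = hostname_pattern(internal_suffixes).sub(replace_host, text)
    text = IPV4_CANDIDATE.sub(replace_ip, text)
    return text, counts


if __name__ == "__main__":
    redacted, counts = redact_evidence(SAMPLE_EVIDENCE, ["examplecouncil.gov.uk"])
    print(redacted)
    print(counts)
```

Run against the constructed sample, the script replaces the three council host names and the two valid addresses, leaves the policy file name and the malformed `999.1.2.3` untouched, and reports the counts so the redaction can be noted alongside the evidence reference. Redaction of a text export does not remove the same details from screenshots, so any screenshot you add to the tracker still needs a manual check.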
How this helps the assurer
Referencing evidence in the right format will help the assurer locate the relevant evidence that supports each contributing outcome. This will reduce the need for clarification from the assurer and help them understand your council’s cyber security posture.
Use the evidence tracker in our self-assessment template to reference evidence. This will help you reference evidence in the right format for the assurer.
Be specific when writing a response
When writing a response to an IGP, be as specific as possible. Try to avoid vague terms.
For example, instead of saying that a process is reviewed regularly, you should specify the actual timeframe – whether that is 3 months, 6 months or every year.
A response to an IGP for contributing outcome A3.a – Asset management might look like this:
All assets are recorded in an inventory that includes details such as asset number, owner, data classification and location. This information is reviewed by the Information Asset Owner at least once a year.
How this helps the assurer
This response specifies what type of information an inventory includes and how often it is reviewed. In this case, once a year.
Consider how much detail is needed in a response to IGPs
Some IGPs might only need a succinct response, while others will require more detail. Make sure all your responses are relevant and include enough detail. This will mean your council is likely to receive more relevant feedback.
Think about what the IGP is asking for and provide sufficient information that describes how the IGP is met.
Review our example self-assessment
We have published an example workbook for the organisational self-assessment, which includes an example evidence tracker.
While the example workbook does not include examples for every contributing outcome and IGP, it should give you an idea of what a good response looks like.