
Author: Local Digital

Use the five lens approach

The ‘five lens’ approach is a method your organisation can follow to identify your critical systems as part of your CAF for local government self-assessment.

It is based on the approach used by the GovAssure Cyber Assessment Framework for central government.

You can use an equivalent process to identify critical systems within your organisation if:

  • it provides the same level of detail as the five lens approach
  • you explain your methodology to your independent assurer

Apply each lens to the essential services you have identified.

1. Outline an essential service

Review your organisational scope, where you have considered:

  • your council’s mission, objectives and priorities
  • the essential services and functions that support these

Choose one of the essential services you have identified and give a brief summary describing:

  • who it serves
  • why it’s important
  • how it supports your council’s mission

Example:

A council identifies an essential service to be ‘Revenue and Benefits’. This service allows the council to manage revenue and benefits in support of various council priorities. It serves the general public and some vulnerable people.

2. Outline any sub-functions of the essential service

Break down your essential service into the key functions that enable its delivery.

This is helpful to identify high-level functions and any links between these.

Example:
A council identifies that the ‘Revenue and Benefits’ service is enabled by:

  • back-end business/user administration
  • payment processing (collection and payment)
  • citizen support function for voice calling and online web access

3. Outline any core underlying infrastructure

Next, identify the relevant underlying infrastructure for the essential service – such as network or cloud hosting arrangements.

This is the lens where you clearly identify the groups of networks your essential service relies on, and what might be a potential critical system for your CAF self-assessment.

Example:

A council identifies that the core infrastructure supporting the administration, payment processing and citizen support functions is:

  • the council network
  • a payment supplier network
  • AWS hosting for council public portal and voice solution
  • Active Directory/Azure AD used for single sign-on (SSO) and authentication for users and end user computing systems required by council staff

The council decides Active Directory/Azure AD is a potential critical system in scope for the CAF for local government.

Although the council network, payment supplier network and AWS hosting are critical, the council decided these were not in scope because it relies on other entities to manage them. The council will gain assurance on these separately.

4. Outline key systems and applications

Once you have identified your core underlying infrastructure, identify and prioritise the systems and applications required to support the delivery of the essential service.

This starts to provide a view of the system architecture, which is important for the self-assessment of your critical systems.

Example:

A council identifies key systems as:

  • ERP platform (supports user and business administration)
  • Payment application (used to process outbound payments, potentially supporting vulnerable citizens)
  • Voice communications channel application
  • Payment collection online portal
  • Online support portal application

The council treats the payment application systems for external communications and the ERP platform as higher priority.

5. Outline sites and locations

This lens identifies the sites that are related to the delivery of your essential service.

Review each potential critical system in terms of its hosting location or site.

Make sure you consider how these are interconnected, or where there are dependencies.

Example:

A council identifies the sites of their top priority critical systems are:

  • On-premises domain controller (DC) – located in DC1 as primary and DC2 as secondary
  • Third party hosting on Azure
  • AWS hosting

Repeat for each essential service

Repeat the five lens approach for any other essential services you have identified to determine additional critical systems in scope.

Useful links

Download the GovAssure five lens worked example (pdf).

Prioritise your critical systems
