Skip to main content

Beta What do you think of this service? Your feedback will help us to improve it.

  5. Use the five lens approach

Author: Local Digital

Use the five lens approach

The ‘five lens’ approach is a method your organisation can follow to identify your critical systems as part of your CAF for local government self-assessment.

This is based on the approach used by the GovAssure Cyber Assessment Framework for central government.

You might have an internal risk process that your council could use. You can use this process to identify critical systems within your organisation if:

  • it provides the same level of detail as the five lens approach
  • you explain your methodology to your independent assurer

Apply each lens to the essential services you have identified.

1. Outline an essential service

Review your organisational scope, where you have considered:

  • your council’s mission, objectives and priorities
  • the essential services and functions that support these

Choose one of the essential services you have identified and give a brief summary describing:

  • who it serves
  • why it’s important
  • how it supports your council’s mission
Example:
NE Council identifies an essential service to be ‘Revenue and Benefits’. This service allows them to fundamentally manage revenue and benefits in support of various council priorities. It serves the general public and some vulnerable people.
This shows how you apply lens 1 essential services - a description of an identified essential service that supports your council’s mission. The essential service is 'Revs and Bens' to manage revenue and benefits. This serves 'the general public and some vulnerable people'.
This shows how you apply lens 1: Essential services

2. Outline any sub-functions of the essential service

Break down your essential service into the key functions that enable its delivery.

This is helpful to identify high-level functions and any links between these.

Example:
NE Council identifies that the ‘Revenue and Benefits’ service is enabled by a:

  • back-end business/user administration
  • payment processing (collection and payment)
  • citizen support function for voice calling and online web access
This shows how you apply lens 2: Organisational function - a breakdown of the essential services key functions. The key functions identified are: Business user / administration portal, Payments (collection and payments), Citizen support.
This shows how you apply lens 2: Organisational function

3. Outline any core underlying infrastructure

Next, identify the relevant underlying infrastructure for the essential service – such as network or cloud hosting arrangements.

This is the lens where you clearly identify the groups of networks your essential service relies on, and what might be a potential critical system for your CAF self-assessment.

Example:

NE Council identifies that the core infrastructure supporting the administration, payment processing and citizen support functions are:

  • the council network
  • a payment supplier network
  • AWS hosting for council public portal and voice solution
  • Active Directory/Azure AD used for single sign-on (SSO) and authentication for users and end user computing systems required by council staff

NE Council decides Active Directory/Azure AD is a potential critical system in scope for the CAF for local government.

Although the council network, payment supplier network and AWS hosting are critical, the council did not decide these were in scope as they rely on other entities for managing. The council will gain assurance on these separately.

This shows how you apply lens 3: Core underlying infrastructure - identifying the relevant underlying infrastructure such as network or cloud hosting for the essential service, Revs and Bens. In this example, these are: Council network, payment supplier, AWS hosting Priority 1: AD. Azure AD (single sign on for apps) Priority 2: Desktop / end user computing
This shows how you apply lens 3: Core underlying infrastructure

4. Outline key systems and applications

Once you have identified your core underlying infrastructure, identify and prioritise the systems and applications required to support the delivery of the essential service.

This starts to provide a view of the system architecture, which is important for the self-assessment of your critical systems.

Example:

NE Council identifies key systems as:

  • ERP platform (supports user and business administration)
  • payment application (used to process outbound payments, potentially supporting vulnerable citizens)
  • voice communications channel application
  • payment collection online portal
  • online support portal application

NE Council prioritises the payment application systems for external communications and ERP platform as higher priority.

This shows how you apply lens 4, Systems - Identifying the prioritised systems or applications required to support the function to deliver the essential service, Revs and Bens. In this example, the prioritised systems are: - Priority 1: ERP platform - Priority 1: Payment applications - Priority 1: Voice comms channel application - Priority 1: Payment collection online portal - Priority 2: Online support online application
This shows how you apply lens 4 - Systems

5. Outline sites and locations

This lens identifies the sites that are related to the delivery of your essential service.

Review each potential critical system in terms of their hosting location or site.

Make sure you consider how these are interconnected, or where there are dependencies.

Example:

NE Council identifies the sites of their top priority critical systems are:

  • on-premise domain controller (DC) – located in DC1 as primary and DC2 as secondary
  • third-party hosting on Azure
  • AWS hosting
This shows how you apply lens 5: Site / locations - identifying the relevant sites for the essential service. In this example, the sites for Revs and Bens are: On-premises: located in DC1 and DC2 as secondary; Third party hosting on Azure; AWS hosting
This shows how you apply lens 5: Site / locations

Repeat for each essential service

Repeat the five lens approach for any other essential services you have identified to determine additional critical systems in scope.

Useful links

Download the GovAssure five lens worked example (pdf).

Prioritise your critical systems

Contact the CAF for local government team

Email us to ask a question or share feedback.

Sign up to UK Government Security

Subscribe to our newsletters to receive notifications when changes to strategy, policy, standards, and guidance are published on the website.

Sign up now