How to prepare
Make sure your council is ready to start the Cyber Assessment Framework (CAF) for local government.
For councils starting the CAF for local government, this guide will help you to:
- prioritise actions to prepare for the self-assessment
- plan internal collaboration and timescales
1. Understand what the CAF involves for your council
Take time to understand:
- the CAF objectives, principles and contributing outcomes
- what self-assessing your organisation involves
- what self-assessing your critical systems involves (guidance due to be available in spring 2025)
- what the independent assurance review involves (guidance due to be available in winter 2024)
- what the improvement and implementation plan involves (guidance due to be available in winter 2024)
2. Identify key roles and responsibilities
Think about who needs to be involved across your council.
The CAF self-assessment requires the support of roles and governance groups across your organisation. We strongly recommend proactive engagement with your:
- senior leadership and management team
- service leads
- system owners
- commercial (third-party) providers
Think about the resources available in your council and any external factors that might affect completing your self-assessment. If you need extra resources to complete parts of the CAF, make sure these are in place before you start.
- Decide who will be responsible for key roles
- Find out how to get support from your senior leadership and management team
3. Create your CAF schedule
You should be confident that your council has the resources, skills and time to complete your self-assessment.
Creating a schedule can be a useful tool for planning. It can help you to:
- plan how long the CAF will take
- note any external activities that might affect your council’s schedule
- decide on a suitable time to start the CAF in your council’s calendar year
Download a template to plan your CAF schedule (.xlsx, 22KB).
4. Book in time for your team to collaborate
The CAF is a council-wide effort and should not be seen as the sole responsibility of your cyber security team.
To support collaboration, we recommend that you:
- communicate that you are starting the CAF with your organisation
- identify who needs to be involved at each stage
- engage with system owners as early as possible
- book in workshops and collaboration time
- set up a designated channel for communication, such as on Microsoft Teams or Slack