Identify your essential services
An important part of setting the scope of the CAF for local government self-assessment is defining your organisational context and identifying your essential services.
This involves:
- Discussing and documenting your organisational context, including your:
  - mission and priorities
  - threat landscape
  - risk appetite
- Identifying your essential services
Discuss and document your organisational context
Documenting your council’s mission, objectives and priorities in your CAF scoping workbook (.xlsx, 81KB) is the first step to identifying your essential services and the critical systems that underpin them.
Your CAF lead, approver and collaborators should reflect on and document:
- your council’s mission
- objectives that help you deliver that mission
- your organisation’s top priorities
- your threat landscape – including who could attack your organisation and why, and what could happen if they were successful
- the cyber risk appetite in your council
This will also give your independent assurers an understanding of your organisation’s context so they can determine if security controls are appropriate and proportionate.
First, look at your council’s:
- annual report
- mission statement
- organisation objectives
- any legal or regulatory obligations
- any frontline services you provide to citizens
To define your mission, consider:
- core issues your council addresses
- who your council serves
- your council’s responsibilities and functions – including any specific roles, duties, or obligations the council must fulfil
- your council’s short-term and long-term goals
- outcomes your council aims to achieve and how you will measure success
- core values that guide the council’s work and how these influence your decision-making
- any partnerships or collaborations that are essential for your council
- any major challenges or opportunities your council faces
To define your objectives, consider:
- your council’s objectives for the next year and how they support your overall mission
- what outcomes or results you expect from these objectives
- how they align with your council’s strategic priorities
- your council’s short-term and long-term strategic priorities
To define your priorities, consider:
- what criteria or factors were considered when selecting your top priorities
- how these priorities were defined – if they were identified using a process or framework, and if they have been reviewed by stakeholders
- how these priorities align with your council’s mission and strategic plan
Your mission and priorities could involve:
- children and families’ support
- council tax
- crime prevention
- education and schools
- environmental health
- housing
- leisure and recreation
- licensing and regulation
- planning and development control
- social services
- street cleaning and maintenance
- transportation
- waste management
Discuss your organisation’s current threat landscape and any mitigations you currently have in place. If there is a multi-threat picture, list the different types. Consider:
- who could attack you, including any significant external threats
- why you could be a target, including any political, economic, social or environmental factors that pose risks
- what could go wrong if they were successful
- if there have been any recent incidents
- how you monitor emerging threats
If you have any threat assessments, you can reference them in your organisational scope.
It is useful to summarise your organisation’s cyber risk appetite, including:
- any recent cyber security incidents and how you managed them
- what cyber risks are most relevant to your council
- the potential impact of these cyber risks on your operations, finances and reputation
- what level of cyber security risk you are willing to take responsibility for
- any areas in the council that have a higher or lower tolerance for risk
- any legal or regulatory requirements your council must comply with for cyber security
The NCSC has published a blog post on risk appetite, including how to define your organisation’s risk appetite.
How to identify your essential services
Once you understand your council’s mission, you can determine the essential services that allow your organisation to deliver this.
Essential services are the services that allow your council to operate and achieve your mission and objectives.
They include:
- services your citizens rely on every day
- operators of essential services – services that are essential for the maintenance of vital societal or economic activities, such as energy, transport, health, water or digital infrastructure
- fundamental organisational mission and outputs – services that support the mission and day-to-day business of your council
Essential services, and the number of them you identify during scoping, will vary from council to council. The number depends on how many are required to meet your organisation’s mission and objectives.
The Cyber Assessment Framework is designed to help you protect these essential services. Identifying and scoping these is an important step and should be an organisation-wide activity.
Evaluate consequences of cyber incidents
You can use a business impact assessment (BIA) to help your council identify critical business functions, vulnerabilities, and dependencies. A BIA supports processes such as disaster recovery, business continuity planning, risk assessment and mitigation planning.
If your council has already completed a BIA, use this as a starting point.
If you do not have capacity to complete a BIA, review any disaster recovery (DR) or business continuity plan (BCP) documents your council already has.
Find out more about completing a business impact assessment (BIA).
Next steps
You can move on to identifying your critical systems once you have a clear understanding of:
- your council’s mission, objectives and priorities
- the essential services and functions that support these
Identify your critical systems