Prioritise your critical systems
How to prioritise the critical systems you have identified as part of your CAF for local government self-assessment.
Once you’ve applied the five lens model – or an equivalent methodology of your choice – review the systems you have identified.
Decide which ones are of greatest priority to determine:
- which systems have potential to be in scope for your Cyber Assessment Framework (CAF)
- which are additional systems which could be considered in scope, or included in the future
Your prioritised critical systems are likely to be systems which would have a significant effect on your council if a cyber attack took place.
Make sure you can explain the rationale behind your choice.
Review your shortlist as a team
Prioritising your critical systems collaboratively is important. Use your shortlist of critical systems to discuss as a team which are most critical to your council.
Your CAF lead should collaborate with:
- service leads
- business system owners
- IT and cyber team members who have architecture mapping skills
We recommend booking workshops, meetings or creating a channel on Teams or Slack to undertake this activity as a team
Activities that can support prioritising your critical systems
Assess the risks associated with the systems you have identified. This will help you to prioritise protection measures more effectively.
You should:
- identify threats – look for threats to your critical systems, such as cyber attacks, or human errors
- assess vulnerabilities within critical systems that could be exploited by threats
- determine impact – consider the impact of identified threats exploiting vulnerabilities
You might use:
- risk matrices
- heat maps
- qualitative or quantitative risk assessment software
To complete a risk assessment you might want to consider frameworks like NIST SP 800-30, ISO 27005, or FAIR (Factor Analysis of Information Risk).
When prioritising your critical systems, consider the risk of:
- threats – do you have protection in place for cyber attacks (such as malware and phishing), physical threats and natural disasters?
- vulnerabilities – do you have weak authentication, outdated software or insufficient access controls?
Finalise and share your scoping workbook
Share your draft scoping workbook with your internal CAF quality assurer. They will need to make sure it accurately reflects your organisational context, and that the team has agreed on your chosen critical systems.
Work with them to discuss feedback before getting final sign off from your CAF approver.
Once the workbook has been signed-off, you need to securely share the final version with your independent assurer. Then, submit it to MHCLG.
Find out how to share your self-assessment securely.
How to submit to MHCLG
MHCLG needs to understand which systems are in scope so that we can better understand any risks or issues within the sector, and consider how to further support the sector in addressing these risks.
We plan to publish more information on how to securely submit these documents, and how your information will be used, in spring 2025.