Roles and responsibilities
Completing the CAF for local government self-assessment involves collaboration with teams across your organisation.
This includes your cyber, governance, data protection, risk, finance and wider business teams.
It is useful to identify who might take on core roles within your council, including:
Once you have identified these roles, you can:
- check availability of individuals and teams
- plan a schedule for your assessment
- book internal collaboration sessions
Who takes on these roles may vary depending on the size of your council.
We’ve suggested estimates for the number of hours each role may need to commit to the CAF. These will vary depending on the role, size and complexity of your council, the services you offer, and organisational governance.
Download a RASCI matrix template
See a list of responsibilities for each role and plan who will be responsible for different tasks at each stage of the CAF.
CAF lead
The CAF lead is responsible for leading and coordinating the completion of your council’s assessment.
Your CAF lead needs to be involved throughout the whole self-assessment process. Consider their availability carefully, as this could take an estimated 100 hours of their time.
The CAF lead will need a deep understanding of the CAF for local government and what is required.
They are usually a member of the IT team at managerial level, and are likely to be a cyber security specialist.
This is a really important role. They will work closely with your CAF approver to plan, coordinate and complete the framework.
Your CAF lead will:
- lead your team to complete the CAF
- help identify the members of your CAF team
- assign roles and responsibilities
- allocate appropriate resource
- create your council’s CAF schedule
- communicate regularly with your senior leadership and management team
- prepare your team and make sure they have the knowledge and skills required
- facilitate collaboration internally and externally with any third parties required
- identify any issues or blockers for progress
- be involved in the detail of completing the self-assessment
- be involved in mapping your critical systems architecture
- take part in conversations with your independent assurer
- help create and sign off your organisation’s improvement and implementation plan
- action your organisation’s improvement and implementation plan after the assessment
Approver
The approver is a member of your senior leadership and management team who is accountable for your council’s submission.
Your approver will need to commit an estimated 25 hours to the CAF process and be involved from start to finish.
As well as advocating for the CAF at board level, they will be responsible for confirming the self-assessment is a true representation of the council’s position.
Your approver could be your Senior Information Risk Owner (SIRO), Head of ICT, or equivalent.
Your approver will:
- represent the council’s CAF activity at board level
- engage with senior stakeholders
- work closely with the CAF lead
- advocate for council-wide engagement with the CAF
- be significantly involved in preparing to start the CAF and setting your scope
- sign off the self-assessment of your organisation
- sign off the self-assessment of your critical systems
- approve the council’s final CAF assessment
- help create and sign off your council’s improvement and implementation plan
Get support from your senior leadership and management team.
Collaborators
Collaborators make up the largest part of your CAF team. These are specialists from different teams across your organisation who contribute towards your CAF assessment.
Different collaborators are often brought in for activities by the CAF lead, and their time commitments may vary.
They will supply detailed information on your council’s current cyber risk policies, management of critical systems, or evidence to support your assessment.
Collaborators can include directors or heads of services, service administrators, system owners and IT architects, as well as people from your procurement, governance, data protection and risk teams.
As the CAF focuses on your essential services and the critical systems that underpin them, it is useful to have a list of systems you use and the system owners.
You may not be able to identify all relevant collaborators until you have scoped your critical systems.
Your collaborators will need to:
- understand what the CAF means for local government
- understand what tasks your CAF lead expects them to be responsible for
- contribute towards assessing against the indicators of good practice honestly and accurately
- gather relevant evidence to support your assessment
- review documents
- contact third-party suppliers
- communicate regularly with your CAF lead and other collaborators
- share issues or blockers to progress with your CAF lead
- support implementation of your improvement plan
Setting the scope
Collaborators could include:
- service leads
- business system owners
Estimated collaboration time: 3 hours
Self-assessment of your organisation (objectives A and D)
Collaborators could include:
- service leads
- risk managers
- procurement leads
- legal advisors
- business continuity managers
Estimated collaboration time: 6 hours
Self-assessment of your critical systems (objectives B and C)
Collaborators could include:
- business system owners
- policy leads
- IT disaster recovery leads
- members of the human resources team
Estimated collaboration time:
- up to 16 hours for business system owners
- 6 hours for other collaborators
Assure and develop an improvement and implementation plan
Collaborators from the previous stages may need to support the assurance review. Risk managers will also help put together and prioritise an improvement plan.
Estimated collaboration time: 6 hours
If your collaborators are not involved in the preparation stage it is important you give them time to understand what the CAF is, what it means for your organisation, and the level of detail they are expected to provide.
Systems mapper
The systems mapper will need to undertake in-depth network and system discovery to create architecture documentation of your critical systems. This is crucial for assessing boundaries.
Your systems mapper will be needed for an estimated 10 hours during discovery and then an estimated 20 hours per system that needs to be mapped.
A system mapper is usually a specialist role within your IT team. Technical, enterprise or IT architects are key to the critical systems parts of the CAF. They might have experience with:
- designing IT infrastructure
- integrating hardware, software, and network resources
- ensuring secure data management that is compliant with regulations
If you do not have this expertise within your council, you may need to seek external support.
Your systems mapper will need to:
- be involved in identifying your critical systems
- undertake network and system discovery
- provide high level support and insights for collaborators for the self-assessment of your organisation, as well as supporting evidence collection (estimated 10 hours)
- map the architecture of each critical system (estimated 20 hours per system)
- inform and agree position statements for the self-assessment of your critical systems
- provide support during the independent assurance review
Quality assurer
Before your CAF approver signs off your assessment, you should assign someone internally to quality check your self-assessment.
This could be a secondary role taken on by your CAF lead, CAF approver, or it might be a Senior Information Risk Owner (SIRO), Head of IT, or someone who has experience with similar assurance frameworks.
They should understand the purpose of the CAF, and make sure responses accurately reflect the council’s current cyber resilience.
Your quality assurer will be needed for an estimated 1.5 hours per self-assessment (3 hours in total).
Your quality assurer will need to:
- monitor completion of the CAF
- check that responses accurately reflect your council
- check that evidence provided accurately reflects your council
- understand any council-specific constraints and make sure these are mentioned if relevant
- understand what additional information your external independent assurer might need
Contact and confirm your team
Once you have identified who might take on these roles, contact them as soon as possible.
Involving them early on will help them to plan the time required and input on timescales.
Book in any workshop or meeting time to collaborate on your self-assessment and discuss evidence to support this.
Introduce the CAF to your senior leadership team