Set your scope
Before you start your CAF for local government self-assessment, discuss and agree on the scope of your assessment with your whole team.
Considering your council’s mission, objectives and priorities will give you a clear understanding of:
- the essential services that support your council’s priorities
- the core infrastructure, network and information systems that underpin these
- the critical systems to prioritise for your assessment
You should consider the entirety of your organisation’s IT network during scoping.
What setting your scope involves
During scoping you will need to:
- Download the CAF scoping workbook (.xlsx, 74KB) – use this to document your scoping decisions
- Discuss and document your organisational context
- Identify your essential services
- Identify your critical systems – we recommend you use the five lens approach to identify and prioritise your critical systems
- Finalise your scoping workbook for review
- Share your scoping workbook with your independent assurer for feedback
Who should be involved in scoping
Your CAF lead and approver should collaborate with:
- service leads
- business system owners
- IT and cyber security teams
- other relevant roles identified
You may find it helpful to set up workshop sessions to collaborate on your council’s scoping workbook.
Your quality assurer and CAF approver will need to review and confirm your scoping workbook before you share it.
Timescales
We recommend planning approximately 30 to 35 hours across your CAF team to set your scope. This will vary depending on the size of your organisation.
Why setting your scope is important
It is important your independent assurers and MHCLG understand your organisational context when reviewing your self-assessment.
Knowing your council’s mission, priorities and risk appetite provides a better understanding of:
- your council’s level of risk exposure
- whether the security controls you have in place are proportionate
Scoping of your essential services and the critical systems that underpin them is vital for the next stages of the CAF. The systems you identify and prioritise determine what you will focus on during the:
- architecture mapping of your critical systems
- self-assessment of your critical systems
Identify your essential services