Skip to main content

Beta What do you think of this service? Your feedback will help us to improve it.

  4. Stage 5: Final Assessment and Targeted Improvement Plan

Author: Government Security Guidance

Stage 5: Final Assessment and Targeted Improvement Plan

Stage 5 of GovAssure is the final stage of GovAssure and completes the independent assurance review report (IARR) and involves the Targeted Improvement Plan (TIP).

Stage 5 of GovAssure begins when the draft independent assurance reviewer report (IARR) is delivered to the organisation by the independent assessor.

Once this has happened, the organisation and the other stakeholders can proceed with the following steps:

  1. Complete the IARR
  2. Create the draft targeted improvement plan (TIP)
  3. Complete and share the TIP

These steps require input from the Government Security Group (GSG) and the organisation stakeholders, specifically:

  • GovAssure lead and senior responsible officer (SRO)
  • System owners
  • Department risk leads
  • Suppliers and/or managed service providers

 

Complete the IARR

When the draft IARR is provided to the organisation, the observations it contains are reviewed by the organisation’s stakeholders and the GSG. This is an opportunity to identify any corrections or clarifications that may have been missed during Stage 4.

Once the IARR is verified as complete by all stakeholders, the draft TIP can be prepared.

 

Create the draft TIP

The GSG provides the organisation with a partially populated TIP template, using information from the IARR. The TIP is an Excel spreadsheet that – when complete – shows a consolidated view of findings and recommendations. It is structured on a system-by-system basis, and is intended to be used as a strategic planning tool that provides a view of the organisation’s strengths or gaps against the associated target government profile. 

Note: the organisation can use its own template if desired. However, the GSG recommends that the organisation refers to the GSG template to ensure that all the required details are captured.

 

Complete and share the TIP

The organisation should complete the TIP by adding information on cyber security and resilience improvement programmes or activities, and reviewing and prioritising the pre-populated findings and recommendations.

Note: each organisation is best placed to understand how to prioritise recommendations in such a way that suits their needs, but the GSG has a web-based CAF Dependency Model to support this work if required.

Once the organisation has completed the TIP it must be shared with the GSG for review and discussion. Then, when all parties agree, the organisation can formally approve the TIP and communicate it with all key stakeholders.

Monitoring agreed actions and progress

The completion and approval of the TIP marks the beginning of improvement work required. The organisation is responsible for monitoring and tracking actions, and reporting on progress to the GSG. The internal stakeholders should agree on the process and frequency for these activities.

The GSG will support the organisation in these activities, and can facilitate additional support from the Cyber GSEC if required.

Note: the GSG recommends that the TIP be regularly reassessed and updated to align with evolving cyber security threats and organisational priorities. Any escalation regarding this process is through GSG.

Back to Stage 4   Back to overview

Sign up to UK Government Security

Subscribe to our newsletters to receive notifications when changes to strategy, policy, standards, and guidance are published on the website.

Sign up now