Prioritise your critical systems
How to prioritise the critical systems you have identified as part of your CAF for local government self-assessment.
Once you’ve applied the five lens approach – or other methodology of your choice – review the systems you have identified. Use your team’s expertise to determine a shortlist of systems which are of highest priority to your council.
Prioritise your systems so you know:
- which systems you may consider in scope for your assessment
- which additional systems could be considered in scope, or included in a future assessment
Your prioritised critical systems are likely to be systems that would have a significant effect on your council if a cyber attack took place.
Make sure you can explain the rationale behind your choice to your assurer.
Identify your shortlist as a team
Once you have applied the five lens approach, or equivalent, you might have more than three critical systems identified. Prioritising these critical systems collaboratively is important.
As a team, discuss which are the most critical to your council’s mission.
Your CAF lead should collaborate with stakeholders such as:
- service leads
- business system owners
- IT and cyber team members
We recommend booking workshops, meetings or creating a channel on Teams or Slack for this activity.
Activities that can help to prioritise critical systems
Categorising your critical systems using a criticality rating is one method you can use to prioritise which systems to focus on.
This may identify which systems are likely to have the biggest impact if disrupted.
Here’s an example approach to categorise your critical systems.
- Download a template to help you categorise your critical systems (.xlsx, 195KB)
- Review each shortlisted critical system and the service or key business process or function it supports
- Consider how critical the service or function is. You could class these as:
  - mission critical
  - business critical
  - non-critical
  - business supporting
- Consider the confidentiality impact – rate the impact of data loss or compromise from that system
- Consider the integrity impact – rate the impact of inaccurate data and processing
- Consider the availability impact – rate the impact of the system not being available for 12 hours
- Combine these ratings to determine the system criticality. This rating should align with your confidentiality, integrity and availability impact ratings
- If you still have multiple ‘mission critical’ systems, look at the maximum tolerable downtime and expected recovery time objectives to further prioritise your shortlist
You should also consider how other factors, such as the time of year, might affect how you rate impact. For example, some systems might be considered more critical during the elections period.
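The categorisation steps above, worked through in code as an added example (this is not part of the guidance or its template). The 1 to 4 impact scale, the rule that the highest of the confidentiality, integrity and availability ratings sets the criticality class, the seasonal uplift for the elections period, and all of the sample systems and ratings are assumptions made for the example.

```python
"""Categorise and prioritise a shortlist of council critical systems.

Added example, not part of the original guidance or its workbook template.
The impact scale, the mapping from combined impact to criticality class,
the seasonal uplift and the sample systems below are all assumptions.
"""
from dataclasses import dataclass, field

# Assumed impact scale for each of confidentiality, integrity and availability.
IMPACT_SCALE = {"low": 1, "medium": 2, "high": 3, "very high": 4}

# Assumed mapping from the highest CIA impact rating to the four classes
# named in the guidance.
CRITICALITY_BY_IMPACT = {
    4: "mission critical",
    3: "business critical",
    2: "business supporting",
    1: "non-critical",
}

# Sort order for the classes: lower index means higher priority.
CLASS_ORDER = ["mission critical", "business critical", "business supporting", "non-critical"]


@dataclass
class CriticalSystem:
    name: str
    service: str            # service or key business process the system supports
    confidentiality: str    # impact of data loss or compromise from the system
    integrity: str          # impact of inaccurate data or processing
    availability: str       # impact of the system being unavailable for 12 hours
    mtd_hours: float        # maximum tolerable downtime
    rto_hours: float        # expected recovery time objective
    # Assumed: periods of the year in which the availability impact rises one step
    # (for example, the electoral register during the elections period).
    peak_periods: set = field(default_factory=set)

    def availability_score(self, period=None):
        score = IMPACT_SCALE[self.availability]
        if period in self.peak_periods:
            score = min(score + 1, 4)
        return score

    def criticality(self, period=None):
        """Combine the three impact ratings: the highest rating sets the class."""
        combined = max(IMPACT_SCALE[self.confidentiality],
                       IMPACT_SCALE[self.integrity],
                       self.availability_score(period))
        return CRITICALITY_BY_IMPACT[combined]


def prioritise(systems, period=None):
    """Order systems from highest to lowest priority.

    Criticality class first; within a class, the shorter maximum tolerable
    downtime wins, then the shorter recovery time objective.
    """
    return sorted(
        systems,
        key=lambda s: (CLASS_ORDER.index(s.criticality(period)), s.mtd_hours, s.rto_hours),
    )


def shortlist(systems, period=None, top=3):
    """Names of the top-priority systems, the candidates for CAF scope."""
    return [s.name for s in prioritise(systems, period)[:top]]


# Constructed sample shortlist: fictional systems and ratings.
SAMPLE_SYSTEMS = [
    CriticalSystem("Electoral register", "Elections", "high", "high", "high", 48, 24, {"elections"}),
    CriticalSystem("Social care case management", "Social care", "very high", "very high", "very high", 4, 2),
    CriticalSystem("Council tax billing", "Revenues and benefits", "high", "high", "high", 24, 12),
    CriticalSystem("Intranet", "Internal communications", "low", "low", "medium", 72, 48),
    CriticalSystem("Housing repairs", "Housing", "medium", "high", "very high", 12, 8),
]


if __name__ == "__main__":
    for s in prioritise(SAMPLE_SYSTEMS):
        print(f"{s.name:<30} {s.criticality():<20} MTD={s.mtd_hours}h RTO={s.rto_hours}h")
    print("Normal period   :", shortlist(SAMPLE_SYSTEMS))
    print("Elections period:", shortlist(SAMPLE_SYSTEMS, period="elections"))
```

Running it shows the effect of the time-of-year factor: in a normal period the electoral register is business critical and falls outside a shortlist of three, while during the elections period its availability rating steps up, it becomes mission critical and displaces council tax billing. Record the rationale for each rating in the workbook so your assurer can follow it.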
Assess the risks associated with the critical systems you have identified. This will help you better understand the risk exposure and potential impact of risks associated with each system and could help you prioritise which systems to consider for CAF assurance.
You should:
- identify threats – look for threats to your critical systems, such as cyber attacks (including malware and phishing), physical threats, natural disasters or human errors
- assess vulnerabilities within critical systems that could be exploited – for example weak authentication, outdated software, or insufficient access controls
- consider the likelihood and impact of identified threats exploiting vulnerabilities for those systems
To evaluate risk, you might choose to use:
- risk matrices
- heat maps
- qualitative or quantitative risk assessment software
To complete a risk assessment you might want to consider frameworks like NIST SP 800-30, ISO 27005 (fee applies to download), or FAIR (Factor Analysis of Information Risk).
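A likelihood-by-impact risk matrix of the kind listed above, as an added example (not part of the guidance and not taken from any of the named frameworks). The 1 to 5 scales, the score bands, and the sample threats and vulnerabilities are assumptions constructed for the example; the rows aggregate to a per-system exposure figure that can feed the prioritisation of CAF scope.

```python
"""Simple likelihood x impact risk matrix over critical systems.

Added example, not part of the original guidance. The 5x5 scale, the
risk bands and the sample risk register below are assumptions.
"""
from collections import defaultdict


def risk_level(likelihood, impact):
    """Assumed bands over the product likelihood x impact (range 1 to 25)."""
    if not (1 <= likelihood <= 5 and 1 <= impact <= 5):
        raise ValueError("likelihood and impact are rated 1 (lowest) to 5 (highest)")
    score = likelihood * impact
    if score >= 15:
        return "critical"
    if score >= 8:
        return "high"
    if score >= 4:
        return "medium"
    return "low"


# Constructed sample register: (system, threat, vulnerability, likelihood, impact).
SAMPLE_RISKS = [
    ("Social care case management", "ransomware delivered by phishing",
     "no phishing-resistant MFA on remote access", 4, 5),
    ("Social care case management", "flooding at the data centre",
     "single site, failover never tested", 1, 5),
    ("Council tax billing", "insider tampers with payment data",
     "shared administrator accounts", 2, 4),
    ("Council tax billing", "compromise of the public web front end",
     "outdated software", 3, 4),
    ("Intranet", "defacement", "weak authentication on the CMS", 3, 1),
]


def assess(risks):
    """Score every row of the register and return it highest risk first."""
    rows = []
    for system, threat, vulnerability, likelihood, impact in risks:
        rows.append({
            "system": system, "threat": threat, "vulnerability": vulnerability,
            "likelihood": likelihood, "impact": impact,
            "score": likelihood * impact,
            "level": risk_level(likelihood, impact),
        })
    return sorted(rows, key=lambda r: r["score"], reverse=True)


def exposure_by_system(risks):
    """Highest single risk score per system, ordered from most to least exposed."""
    worst = defaultdict(int)
    for row in assess(risks):
        worst[row["system"]] = max(worst[row["system"]], row["score"])
    return dict(sorted(worst.items(), key=lambda kv: kv[1], reverse=True))


def heat_map(risks):
    """Plain-text 5x5 heat map: rows are likelihood (5 at top), columns impact."""
    cells = defaultdict(list)
    for row in assess(risks):
        cells[(row["likelihood"], row["impact"])].append(row["system"][:8])
    header = "L\\I  " + " ".join(f"{impact:^10}" for impact in range(1, 6))
    lines = [header]
    for likelihood in range(5, 0, -1):
        body = []
        for impact in range(1, 6):
            label = ",".join(cells[(likelihood, impact)]) or "."
            body.append(f"{label:^10}")
        lines.append(f"{likelihood:^4} " + " ".join(body))
    return "\n".join(lines)


if __name__ == "__main__":
    for row in assess(SAMPLE_RISKS):
        print(f"{row['score']:>2} {row['level']:<8} {row['system']:<28} {row['threat']}")
    print()
    print(heat_map(SAMPLE_RISKS))
    print()
    print("Exposure by system:", exposure_by_system(SAMPLE_RISKS))
```

The per-system figure uses the worst single scenario rather than a sum, so one critical-rated risk is enough to lift a system up the list; if your council's method favours accumulated exposure, change `exposure_by_system` to total the scores instead and note the choice in the workbook.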
Finalise and share your scoping workbook
Share your scoping workbook with your internal CAF quality assurer once you have completed all sections.
Download an example scoping workbook (.xlsx, 166KB).
Your quality assurer will need to check it accurately reflects organisational context, and that the team has agreed on your chosen critical systems.
Work with them to discuss feedback before getting final sign off from your CAF approver.
Once the workbook has been signed off, you need to securely share the final version with your independent assurer.
Find out how to share your self-assessment securely.