Preparing for GovAssure
GovAssure launched in April 2023 and replaces the cyber security element of the Departmental Security Health Check (DSHC).
Before beginning a GovAssure assessment, an organisation must:
- appoint a GovAssure lead and senior responsible officer (SRO)
- prepare people to support the assessment
- obtain funding and other resources
1. Appoint a GovAssure lead and SRO
To prepare for and run the assessment, the organisation will need a GovAssure lead who will act as a single point of contact to coordinate all communications. This could be the chief information security officer (CISO) or perhaps one of the cyber security managers.
To support the GovAssure lead, the organisation should also appoint a GovAssure SRO to act as the responsible owner for GovAssure. This person should be responsible for approving the Scoping Document and CAF self-assessments. In some organisations this may also be the CISO, or the responsible Director / Director-General.
2. Prepare people to support the assessment
To be successful, the GovAssure assessment requires support from across an organisation.
The whole cyber team and, where appropriate, the GovAssure lead should be prepared to engage with Government, Data and Digital leaders to prepare them to help with the assessment.
The business and technical owners of the organisation’s systems in scope for GovAssure must also be available to support the assessment.
Finally, colleagues from the commercial and information assurance teams should be briefed at the start of the GovAssure assessment process. This will help navigate any commercial processes required; for example, if the organisation decides to procure an accredited organisation to act as a third-party assessor.
The GovAssure scheme includes a Responsible, Accountable, Support, Consulted and Informed (RASCI) template to help identify the roles required.
3. Obtain funding for the assessment
Running the assessment will require funding, and may also involve procuring the services of a third-party assessor if the organisation requires an independent assurance review.
With the support of the commercial arm, the GovAssure lead and other responsible people should submit a business case for the assessment as soon as possible. If required, the GSG can advise on the rationale and potential costs for the business case.