
Author: Government Security Guidance

Stage 1: Organisational context, essential services and mission

Stage 1 of GovAssure focuses on capturing and defining a holistic view of the organisation’s mission, context, and essential services.

If you need a transcript of the video, email cybergovassure@cabinetoffice.gov.uk.

The top-down approach of Stage 1 allows the people running the assessment to take a fresh look at their organisation, to assess the current approach to cyber risk management, and to understand how a cyber attack could impact the organisation’s ability to fulfil its essential services.

Each organisation will need support from across its teams to carry out this exercise. For example, chief risk officers should be consulted to check that the primary organisational risks are understood and recorded.

Where possible, those running the assessment should use existing sources of information, such as the results of other essential service discovery exercises. This can include organisational outcome delivery plans, business continuity information, and details of how personally identifiable information (PII) is captured and distributed.

Stage 1 is divided into two parts:

  1. Describe the organisation’s context and mission
  2. Identify and define the essential services

This information is recorded in the GovAssure scoping document.

Part A: Describe the organisation’s context and mission

Capture the following information about the organisation:

  • Mission – What is the organisation trying to achieve? How does it support the delivery of government services?
  • Objectives – What are the key objectives used to deliver that mission?
  • Priorities – What are the organisation’s top priorities?
  • Threat landscape – Who are the organisation’s likely attackers and what motivates them? What could happen if they were successful?
  • Cyber risk appetite – What level of risk is the organisation willing to accept in order to meet its strategic objectives?

Once all this information has been agreed and recorded, the next step is to identify the underpinning essential services.

Part B: Identify and define the essential services

At a high level, services that fall into one of the following categories are considered to be essential:

  • Critical National Infrastructure (CNI): services that the UK public relies upon, on a daily or near daily basis, as per official guidance
  • Services provided by an operator of essential services (OES): if an organisation is formally considered an OES, then the services it provides are automatically considered to be essential, such as those in the energy, transport, health, water, and digital infrastructure sectors
  • Services fundamental to organisational outputs and mission: services that must be delivered and without which the organisation would not be able to operate; for example government policy development, regulation, ministerial briefings, analysis, and advice

Once the essential services are identified, organisations must do further work to develop an in-depth view of each one, and to decide which of them are in scope for the GovAssure assessment. This will require cooperation and collaboration from across the organisation, and we recommend that the people responsible for this part of the assessment conduct a series of workshops with the appropriate representatives to gather the information needed.

This work is supported by lenses 1 and 2 of the 5 lens model. This model is provided as an example of how a single essential service can be identified and assessed throughout the GovAssure process. For more information see 5 lens model: a worked example below.

Introducing the GovAssure scoping document

The GovAssure Scoping Document is a foundational document and deliverable for the whole GovAssure process. It will be owned by you as an organisation. You will be responsible for completing it to record the discussions and decisions taken by the organisation to identify and define essential services and ‘in-scope’ critical systems for GovAssure, providing an evidence-based justification of the scope of GovAssure. The template and an example can be downloaded to view and use.

Understanding the operating context of an organisation and the desirable data it holds helps to understand the possible threat actors, their levels of sophistication and their motivation for wanting to target your organisation. This information not only helps an organisation to better protect itself by implementing appropriate and proportionate risk-based controls, it also helps to minimise the impact of cyber security incidents.

The Scoping Document is divided into the following stages:

  • Stage 1 – Organisational context and services
    • Part A: Organisational mission, objectives and priorities
    • Part B: Identifying and defining the essential services
  • Stage 2 – In-scope systems and assignment to the CAF profile
    • Part A: Identifying and defining the critical systems
    • Part B: In-scope critical systems for GovAssure and assigning the target CAF profile

The Scoping Document will be routinely referred to throughout the end-to-end GovAssure process. It is important because it will be used to drive the scope of Stage 3: CAF self-assessment, as well as Stage 4: Independent assurance review and Stage 5: Final assessment and targeted improvement plan. The independent assurance reviewers will also use it to understand your organisation, its context, and the risk appetite set by the organisation. This will support the reviewer in providing an appropriate and proportionate view of your control environment as part of their independent review of your CAF return.

In the following sections, Stage 1: Part A and Part B will be covered in detail. Part A focuses on the organisation’s strategic delivery context, threat landscape and security posture. Part B focuses on the organisation’s essential services and the systems underpinning them.

An example of a completed GovAssure Scoping Document is available to support this process and understand the expected level of detail, using the fictitious government department, the ‘Department of Artificial Intelligence and Robotic Technologies’ (DAIRT).

Stage 1: Part A of the ‘GovAssure Scoping Document’ will encourage the organisation to think about and document the following:

  • Mission – What is the organisation trying to achieve? How does it support the delivery of Government services?
  • Objectives – What are the objectives to deliver that mission?
  • Priorities – What are the organisation’s top priorities?
  • Threat landscape – Who may seek to target the organisation? Why? What could go wrong if they were successful?
  • Cyber risk appetite – What is the cyber risk appetite for the organisation? (It is recognised that not all organisations will have a formally documented statement)

Government organisations vary hugely in mission, services, complexity and threat. A statement of your organisation’s context and posture will be vital for scoping GovAssure correctly, for selecting the appropriate target CAF profile (Baseline or Enhanced) and for helping the assurance reviewer understand your challenges and chosen controls. The following questions and prompts should be considered when assessing the current organisational posture as part of the scoping exercise.

Overarching Organisational Mission:

  • At the highest level, what does the organisation do?
  • Is the organisation a recognisable part of the national security apparatus?
  • Is the broader mission a target for activists?
  • Are the outputs a possible target for fraudsters?

Threat Landscape:

  • Have you or a third party characterised the threats to the organisation?
  • Which actor groups have you assessed as a threat?
  • What incidents has the organisation experienced and what lessons have you detailed?
  • Do you incorporate this analysis in the choice of controls?

Threat Surface:

  • How dispersed and accessible is the estate?
  • Do you have overseas connectivity?
  • Does the enterprise have externally facing public services?
  • Are the organisation’s premises accessible to the public?
  • What are the most desirable information assets such as large PII or security data sets?
  • Are you reliant on third parties for IT provision or host to other organisations?

Known Risks and Stated Risk Appetite:

  • How does the organisation express and measure risk at a strategic level?
  • What are the priority organisational risks in Cyber?
  • Do you have a stated risk appetite and how does this apply to the way you design and deliver security controls around the estate?

Existing Cyber Security Assurance:

  • What existing assurance and testing do you employ and what are the findings from them e.g. DHSC, Red teaming exercises, Table Top Exercises, external benchmarking or gap analyses?

Five Lens Model: Thinking through essential services and critical systems (a worked example)

We developed a Five Lens model to break down the logical process from essential services to the critical systems that underpin them. We have provided a worked example following one essential service through the Five Lens model for our fictitious government department, DAIRT. This model can be used to consider the systems you will select to be in-scope for any given service you are taking through GovAssure.

Next Steps

By completing Stage 1 you will have developed an understanding of the organisational context and defined the essential services the organisation is including in-scope for GovAssure.

A completed Stage 1 – Part A and Part B (mission, essential service and function) of the GovAssure Scoping Document for the organisation is required to progress to Stage 2.

Organisations should not progress to Stage 2 until the essential services have been agreed by the organisation, and the scoping template completed.

Stage 1 Outcomes

As an organisation, you have:

  1. Allocated the GovAssure coordinator lead role.
  2. Established clear accountability within the organisation for GovAssure and its approval mechanisms.
  3. Produced a first draft of the RASCI covering GovAssure and communications with the representatives that will need to input to the GovAssure process.
  4. The ability to articulate Lens 1 and 2 of the Five Lens Model.
  5. Completed the GovAssure Scoping Document for Part A (organisation background) and Part B (essential services, function and service type – OES, CNI or Fundamental output).
  6. Agreed a methodology for understanding the relative importance/prioritisation of the essential services you’ve shortlisted for scoping consideration.
  7. Senior stakeholder agreement to the prioritised essential services, approved by the GovAssure accountable role.

Stage 1 Output

Stage 1 of the GovAssure scoping document should contain the details of the organisation’s mission, context, and risk appetite, and the essential services that are within scope of the GovAssure assessment.

Once complete, the organisation can begin to assess the systems that support the services within scope in stage 2.
