Stage 4: Independent assurance review

GovAssure is a risk-based assurance review process, and therefore a third-party review of the scoping document, WebCAF responses, and the evidence repository is required.

Note: It is important to prepare for Stage 4 by commissioning the required independent assurance or peer reviewer at the start of or during Stage 3. This means that the review can begin as soon as Stage 3 is complete.

There are two types of review that can take place during Stage 4:

an independent assurance review by an accredited third party
a peer review by either a suitable third-party organisation or an internal resource

An organisation must commission an independent assurance review if any of the following are true:

it is a lead government department in Tranche 1
it is an organisation that holds government-sector designated critical national infrastructure (CNI)
one or more of the systems within scope of the assessment has been assessed against the Enhanced government CAF profile
it is an arms-length body (ALB) that has been put in scope for an independent assurance review by its parent department

If none of the above is true the organisation can complete a peer review instead, but may choose to commission an independent assurance review if desired.

For more information, see peer review guidance

Objectives of the independent assurance review

The independent assurance review is intended to:

assess the level of attainment of the target government CAF profiles that have been assigned to the systems in scope
validate the ‘achieved’ or ‘partially achieved’ responses and commentary for each CAF contributing outcome, based on the evidence provided and the associated indicators of good practice
assess at a high level how the organisation is identifying and managing its cyber risks
understand the key cyber security risks related to the organisation and its in-scope critical systems
determine the effectiveness of current cyber security controls
provide a draft report of observations and recommendations against the target government CAF profiles and – following a review process – a final report detailing challenges and important observations for the organisation

Selecting a reviewer

The organisation must select an independent assurance reviewer from the Crown Commercial dynamic purchasing system (DPS). To find an assurer, log into the system and search under the Cyber Security Service 3 section for a GovAssure accredited reviewer. See Cyber Security Services 3 for more information.

The GSG has worked closely with the NCSC and the Crown Commercial Service to develop the minimum accreditation requirements for independent assurance reviewers. Organisations can add further requirements if they wish to do so.

Note that it is important to avoid any possibility of a conflict of interest when selecting an assurance reviewer. Such a conflict could arise if the reviewer has had some form of responsibility or involvement with the systems in-scope; for example, system design, service delivery/operation, architectural review, or a penetration test.

Such involvement won’t necessarily preclude a provider from bidding to run a review, but failure to declare any interests could preclude them from bidding for future GovAssure work.

An overview of the independent assurance review

The purpose of an independent assurance review is to judge the organisation’s self-assessed position for all in-scope systems against the assigned target government CAF profiles.

Broadly speaking, the review comprises 5 stages:

Onboarding and scoping
Planning
Assessment and analysis
Reviewing and communicating results
Issuing the independent assurance review report (IARR)

The GovAssure scoping document completed during Stage 1 and Stage 2 will also be used to understand the organisation’s context, threat, risk, defensive posture, and where appropriate controls should be implemented.

The reviewer will use WebCAF to perform the review: specifically, they will complete the assurance reviewer section for each of the contributing outcomes for each of the systems.

They will also use the evidence repository to test whether the outcomes are being met.

Key considerations

The following are 6 key factors an organisation should consider during Stage 4 of an assessment.

(1) Your data, your responsibility

During the self-assessment process, the collected data and all aspects of managing it should be under the control of the organisation going through GovAssure.

When the independent assurance reviewer comes on board, the contract that the organisation makes with them must formalise the requirements and arrangements for how the reviewer will handle the data.

(2) WebCAF submission and review readiness

When the self-assessment information is ready for review in WebCAF, the organisation should ensure there is a formal sign-off procedure before the assessment is submitted for review. Evidence of sign-off should be captured so it can be provided on request.

(3) Risk-based assurance review

The independent assurance review is a risk-based review, rather than a security compliance audit. This means the reviewer will recognise that there are a number of ways in which contributing outcomes and supporting indicators of good practice (IGPs) may be achieved. As such, they may consider compensating controls that the organisation has in place, provided that supporting and sufficient evidence is provided for these controls.

(4) Limitations of the independent assurance review

The review does not constitute a complete and full assessment of the organisation’s cyber security, and does not include all possible internal control weaknesses that an end-to-end and comprehensive compliance assessment might identify. Therefore, the review should not be considered a means of providing full assurance for an organisation’s cyber security measures.

(5) Reliance on accurate information

The review is focused on an independent view of an organisation’s self-assessment, findings during workshops, and the evidence provided. Its accuracy and value relies on the honest and accurate completion of the self-assessment.

(6) Assumptions and dependencies

The reviewer’s ability to provide an effective assurance review depends on the organisation:

ensuring that all required stakeholders will be available to actively participate when necessary
providing information, documentation, and evidence to the reviewers in a timely manner
designating a single point of contact empowered to coordinate with the reviewer, escalate any issues, facilitate delivery decisions, and communicate with senior stakeholders across the organisation
providing the reviewer with agreement and approval of their work

Independent assurance review process

At a high level, the independent assurance review process comprises the following steps:

Briefing and onboarding – the selected independent assurance reviewer is briefed on the scope of the assessment exercise and given access to the GovAssure scoping document.
Planning and initiating – the organisation’s representatives meet with the reviewer to explain the scope in more detail, to plan how to work together, to set the timeline for the review, and finally to give the reviewer access to WebCAF and the evidence repository.
Assessment and analysis – the review begins, starting with a high-level review and proceeding to a more detailed analysis.
Reviewing and communicating the results – the results of the review are agreed with the organisation’s representatives, using an arbitration process if necessary, and then presented in the independent assurance review report (IARR).

These steps are described in more detail below.

1. Briefing and onboarding

The independent assurance reviewer should be briefed as early as possible on the scope of the self-assessment activity, so that they can understand the scale of the exercise and the effort required.

On-boarding calls should be held to brief the reviewer and to give them access to the GovAssure scoping document. Arrangements for access to IT equipment, WebCAF, and the evidence repository should also be agreed, but not granted.

Note: The Stage 4 review should be run in parallel with the Stage 3 self-assessment. Therefore, the independent assurance or peer reviewer should be commissioned either in advance of or at the start of Stage 3.

2. Planning and initiating the review

The organisation should hold planning meetings with the reviewer to fully explain the context of their organisation, the systems within scope, the government CAF profile assigned to each one, and the approach taken during the self-assessment exercise. This should all be done with reference to the scoping document.

Next, the individuals who are working in WebCAF and collating evidence for the self-assessment should be put in contact with the reviewer.

We recommend that the reviewer prepares an operational terms of reference document for the review, which includes how the review will be managed, the timelines, and the key contact details. This document should be signed off by the organisation and the reviewer.

Once the plan is agreed, the reviewer should be given access to IT equipment, WebCAF, and the evidence repository.

3. Assessment and analysis

The reviewer should follow a similar process to that of the self-assessment:

3A. Perform a high-level desk-based review

3B. Review in depth

3C. Run workshops

3D. Resolve questions and queries

3E. Develop a list of gaps and controls

3A. Perform a high-level desk-based review

The review should perform a high-level review of the self-assessment, covering the following:

Quality: assess the overall quality of the self-assessment
Completeness: confirm that all contributing outcomes and IGPs for each system in WebCAF have been answered, and the rating and comments are showing as complete
Evidence: availability, quality, and consistency of supporting evidence and the extent to which it is clearly cross-referenced with WebCAF
Contributing outcomes: an initial check to identify any that may need closer attention, for example any marked ‘Not Applicable’ or that do not meet the target profile – outcomes marked as ‘Achieved’ and ‘Partially Achieved’ are likely to be subject to greater scrutiny than those marked as ‘Not Achieved’
The approach taken: consider any similarities between the responses to the different objectives as a whole, and how appropriate these are – for example, whether the contributing outcomes for A and D were completed from the organisational level, and how applicable they are to the system level.

3B. Review in depth

Following the initial review, the reviewer should proceed to an in-depth assessment of the contributing outcomes for each system, their assessed state compared to the target CAF profile, and the supporting IGPs. Consideration should be given to each of the following factors.

3B1 – Achievement against the target CAF profiles

The reviewer will consider how well each system has met the contributing outcomes for the chosen target CAF profile. Note that an organisation may choose to focus solely on achieving the minimum required standard, and thus may not provide evidence to demonstrate that a system exceeds the requirements of the profile, even if it does.

3B2 – IGP statements supporting the overall contributing outcome

The reviewer must provide an expert judgement on whether the specific IGP statements have been successfully met, based on the self-assessment responses, the supporting evidence, and findings during workshops. They will record their assessment for each statement in WebCAF by selecting one of the following options:

Yes: the IGP describes the state of the system given the evidence provided
No: the IGP does not describe the state of the system given the evidence provided
Not Assessed: This IGP is not applicable or the system is exempt from it – the reason for selecting this option should be recorded in the comment box

Note that the IGPs supporting a contributing outcome are not intended to be exhaustive, and organisations may implement additional good practice or compensating controls that would otherwise return an “Achieved” or “Partially Achieved” contributing outcome. Where alternative good practice is implemented, this should be recorded by the reviewer in the supporting narrative.

3B3 – Provision and quality of evidence

The reviewer will consider the supporting evidence provided in support of the self-assessment. It is the responsibility of the organisation to make sure the evidence is provided in such a way that it can be easily accessed and analysed, with appropriate cross-referencing with the related information in WebCAF.

3B4 – Contributing outcomes

The reviewer will select an achievement rating for each contributing outcome statement and also provide a narrative on their conclusions in WebCAF. Once they have reviewed the individual IGPs for a contributing outcome, they will then choose from the following achievement ratings for that outcome, in the same way that the organisation’s contributors did during the self-assessment:

Achieved: the reviewer agrees that the system has achieved this outcome, meaning that they agree with all the ‘Yes’ answers given for each ‘Achieved’ IGP (except where an IGP has been identified as “Not Assessed”)
Partially Achieved: the reviewer agrees that the system has partially achieved the contributing outcome, meaning that they agree with all the ‘Yes’ answers given for each ‘Partially Achieved’ IGP – note that this will require that every IGP for the outcome with ‘Partially Achieved’ as an option has been marked as such
Not Achieved: this system has not achieved this specific contributing outcome – note that if the organisation has answered ‘Yes’ to any ‘Not Achieved’ IGP, the reviewer must mark this outcome as “Not Achieved”

Reviewers must justify their assessment of the contributing outcome achievement rating in the box provided.

3B5 – Narrative detail

The reviewer must provide a narrative at the contributing outcome level in WebCAF. They may also provide details at the IGP level if their evaluation differs from that of the organisation, to justify the use of the ‘Not Assessed’ option, or to explain factors preventing a clear assessment. Where reviewers and the organisation agree on an evaluation, they will not be required to provide a supporting narrative.

3C. Run workshops

Working with the organisation lead, the independent assessor will schedule a series of workshops covering Objectives A to D (note that Objective B might require more than 1 workshop).

The workshops may cover:

consideration of each contributing outcome at a holistic level, before drilling down into underlying IGPs and any queries the assessor may have at the IGP level
achievement against the target CAF profile
consideration of any IGP outliers – for example, if most are ‘Partially Achieved’ but one is ‘not achieved’, or whether IGPs marked as ‘Not Applicable’ can be justified
whether there is a consistent level of evidence for those IGPs that require justification
Completing these three steps should enable areas of focus to be determined – any IGPs that are not appropriately justified by the evidence, or which do not fit with the overall assessment of the CO.
questions or queries relating to evidence and its completeness – see the following section

3D. Resolve questions and queries

The reviewer will collate their questions and queries as they work, and we recommend that these be addressed during dedicated workshops with the organisation, on a “per objective” basis.

However, ultimately the reviewer and the organisation should agree on an approach that minimises disruption to their work. For example, the reviewer could provide a list of questions and queries to the organisation for response from the appropriate technical contacts; this may be more efficient than running workshops. If such a review process is implemented, we recommend not allowing repeated loops through the process as this may cause delays. Rather, there should be a single time-limited opportunity to respond.

3E. Develop a list of gaps and controls

The reviewer will summarise the details of any control gaps discovered for contributing outcomes, including an overall achievement level and justification for this, especially if it differs from the original level provided by the organisation. There should be an understanding of the IGPs leading to the contributing outcome not achieving its target CAF profile.

4. Reviewing and communicating results

The final workshops should result in the independent assurance reviewer and the organisation agreeing on the assessment findings.

However, if there are conflicting views that cannot be resolved, there is an arbitration process that can be followed. In the first instance, the areas of dissent should be identified in a single list and a separate workshop arranged to focus on their resolution. This should include the senior stakeholder from the organisation.

Once agreement is reached, the finalised observations and recommendations should be reviewed and agreed between the organisation and the reviewer, and the details recorded in the Independent Assurance Review Report (IARR) – the template is available here.

If there are still unresolved points following this final workshop, they can be escalated to the GovAssure team.

GovAssure WebCAF external assessment system report

The reviewer is expected to document their results in WebCAF, but they may want to support working through the review with the automatically generated external assessment system report

This report contains the outputs from an organisation’s self-assessment, including the reviewer’s comments on a system-by-system basis. It will be made available to the organisation and the reviewer once the independent assurance review is complete.

Specifically, this report contains:

summary radargram graphics for each CAF objective, showing the underlying contributing outcomes of the reviewer results for the system vs the target government CAF profile
a summary table comparing the reviewer achievement results of each contributing outcome vs the target government CAF profile
a list of the contributing outcomes under each objective that did not meet the required rating under the target government CAF profile
a table of the IGP comments and achievement levels as determined by the reviewer, clearly referencing any IGPs that cause the contributing outcome to not meet the target Government CAF profile

This auto-generated report will be used by reviewers to generate the Independent Assurance Review Report (IARR), which will be shared with organisations. The data and graphs produced in this report should be used by assessors in the IARR.

Peer review guidance

Scope and audience

In Stage 4 of GovAssure, if an organisation is not required to submit their self-assessment for an independent assurance review they can opt to follow the peer review process instead.

A peer review can be performed by:

the lead government department (LGD)
the Government Internal Audit Agency (GIAA)
another organisation
an internal resource – that is, someone in the organisation itself

This guidance applies to both the individual(s) performing the peer review and the organisation being reviewed.

Note: those performing the peer review should refer to the Conducting a peer review guidance.

Peer reviewer requirements

A peer review of a GovAssure self-assessment must be performed by an impartial individual with no possible conflict of interest. The reviewer determines whether the organisation has achieved the target contributing outcome level, based on the self-assessment information in WebCAF and accompanying evidence.

Note: if the peer reviewer finds that a system they are reviewing has been assigned the Enhanced CAF profile, they should contact the Government Security Group (GSG) at cybergovassure@cabinetoffice.gov.uk.

Reviewers should be able to anticipate and accommodate the flexibility in organisations’ responses. When the answers for a contributing outcome answer by both the organisation and the reviewer align, extensive commentary is not necessary. However, in cases where the answers differ, reviewers are encouraged to use the provided text field to elaborate on the disagreement, providing reasoning and context for the difference.

When the peer review is concluded, the reviewer should present the organisation with a comprehensive summary report and a targeted improvement plan (TIP).

Selecting a peer review type

An organisation eligible to commission a peer review should select one of the following approaches.

Peer review by the lead government department
Peer review by the Government Internal Audit Agency
Peer review by another organisation
Internal peer review
No review required

Note: the selected approach must be agreed with the organisation’s LGD.

(1) Peer review by the lead government department

If this approach is the preferred one, the organisations should engage their LGD as early as possible in the GovAssure process. If agreed, the LGD should identify an individual with sufficient time and capability to dedicate to the review.

(2) Peer review by the Government Internal Audit Agency

The Government Internal Audit Agency (GIAA) is an executive agency of HM Treasury, and provides objective and independent insight and assurance.

(3) Peer review by another organisation

This should be a government organisation that has experience with GovAssure or cyber assurance more broadly. It can be an organisation that the organisation under assessment has a pre-existing relationship with, provided there is no conflict of interest.

LGDs are expected to support their organisations in identifying a potential reviewer from within their sector.

(4) Internal peer review

It is possible for the peer review to be performed by an individual within the same organisation. The individual (or individuals) selected must not have been directly involved in the self-assessment; for example, it would be possible to select the owner of a system that was not within scope of the self-assessment.

(5) No review required

In rare exceptions, the organisation may opt not to perform a peer review. This must be agreed with GSG.

Adding peer reviewers on WebCAF

To give peer reviewers access to WebCAF, organisations must send their names, email addresses, and home organisations to webcaf@cabinetoffice.gov.uk. They will each be added as “Assessors” to WebCAF.

Once access is granted, WebCAF users designated as Organisation Leads can give reviewers access to the relevant assessments. Multiple peer reviewers can be assigned to an assessment, and single reviewers can be assigned to more than one assessment.

Conducting a peer review

This guidance is for anyone who is appointed as a peer reviewer of an organisation’s GovAssure self assessment.

A comprehensive peer review should take between 1 and 2 days. However, this is highly dependent on the nature of the organisation and the number of systems under assessment.

Note: a peer review is not a checkbox exercise – the entire self-assessment and all the supporting evidence must be reviewed thoroughly to ensure that the details are correct.

For more information, including a copy of the peer review template and a slide deck of supporting information, contact cybergovassure@cabinetoffice.gov.uk from a government email address.

Before you begin

Before beginning a peer review, ensure that you are familiar with the following:

GovAssure Stage 1
GovAssure Stage 2
GovAssure Stage 3

You must also ask the GovAssure lead for the organisation to grant you access to:

the organisation’s completed GovAssure scoping document
the self-assessment(s) under review in WebCAF, with “Assessor” privileges
the evidence referenced in the self-assessment – this will be held in a separate, secure repository

Note: if you have previously used WebCAF for another assessment, you will have to log out and then back in again in order to see any newly assigned assessments. If you have any technical issues with WebCAF, contact webcaf@cabinetoffice.gov.uk.

Step 1: Read the scoping document and agree the ways of working

In order to review the self-assessment, you must first review and understand the organisation’s GovAssure scoping document. Pay particular attention to:

the organisation’s context
its essential services
the systems within the scope of the assessment

You must also confirm that all the systems within scope have been assigned the Baseline government Cyber Assurance Framework (CAF) profile. If any have been assigned the Enhanced profile, the self-assessment is not eligible for peer review, and you cannot proceed.

Once this is done, establish a rough timeline with the organisation under assessment and establish ways of working. This includes agreeing times and details of meetings to track progress and discuss findings, and also the contact details of relevant people within the organisation.

Step 2 [Optional]: Review the example self-assessment

If this is your first time performing a peer review, or if you need to refamiliarise yourself with the process, you can view the example of a completed self-assessment in WebCAF. This example indicates the kind of answers organisations may provide as part of a self-assessment.

Note: these examples should not be considered the only way to answer the questions required to meet the Baseline profile requirements. As a peer reviewer, you must use your own judgement as to whether an organisation has provided suitable answers.

Step 3: Review the organisation’s self-assessment

When reviewing a self-assessment, for each contributing outcome (CO) you should run through the following procedure:

Read the description of the CO and the indicators of good practice (IGPs) associated with it.
Check the organisation’s answers for the CO rating, along with the comments they have provided.
Read the supporting IGP answers associated with that CO.

Note: You are not expected to evaluate these IGPs individually, but you should review how they support the organisation’s overall CO rating.

Where relevant, check any supporting evidence referenced in IGP answers. If you do not already have access to a piece of evidence, request it from the organisation.

Step 4: Record your findings

Once you have reviewed the COs, you must enter an achievement rating and a comment for each one. If you agree with the rating assigned by the organisation, you do not need to provide detailed commentary. However, if you have assigned a different rating, you should use the comment to explain why in full, highlighting the key differences.

Note: You are not required to provide any answers at IGP level. It is only necessary to review each CO.

You can contact the organisation during the review if you require clarification of any points.

Step 5: Finalise the review

Once you have completed your review, you can discuss your findings with the GovAssure lead and other responsible officers, including (where relevant) representatives of the lead government department. If necessary, further workshops and feedback sessions may be held.

Once the peer review is agreed and signed off, the GovAssure lead can submit the WebCAF assessment to GSG.

Peer Review Next steps

Following submission, the reviewed assessment will be stored in a tier two storage environment and will not be accessible on WebCAF in the long term. Peer reviewers are not expected to contribute further, unless they do so voluntarily.

The results of the assessment for all systems under review will be collated into a report, which the organisation will use to inform a targeted improvement plan. If applicable, the lead government department will assist them.