Comprehensive cyber security position assessment aligned with NCSC CAF v4.0
To provide a platform-agnostic Supply Chain Cyber Assurance offering, the following artefacts align with the NCSC Cyber Assessment Framework (CAF) v4.0, the binding baseline for the UK Cyber Security and Resilience Bill (CSRB), and reflect the mandates of NIS2 and DORA.
The initial audit identifies discrepancies between a vendor's current security posture and regulatory mandates. It evaluates both organisational policy and technical implementation.
| CAF Objective | Assessment Area | Focus of Initial Audit |
|---|---|---|
| A: Managing Security Risk | Governance & Accountability | Board ownership of risk, appointment of Compliance Leads, and formal Risk Appetite Statements. |
| | Risk Management | Threat analysis methodology, attack scenario modelling (e.g., attack trees), and intelligence integration. |
| | Asset Management | Accuracy of asset inventory (data, people, systems) and mapping of infrastructure dependencies. |
| | Supply Chain Assurance | Nth-party risk visibility, Software Bill of Materials (SBOM) availability, and secure development lifecycle (SDL). |
| B: Protecting Against Attack | Identity & Access | MFA coverage, Joiner/Mover/Leaver (JML) efficiency, and "least privilege" enforcement. |
| | Data Security | Data classification, encryption of data at rest and in transit (TLS 1.3), and backup integrity. |
| | System Security | Hardened baseline configurations, vulnerability management, and malware detection. |
| | Resilient Networks | Network segmentation, DDoS protection, and tested failover mechanisms. |
| C: Detecting Events | Security Monitoring | Log retention, alerting thresholds, and understanding of "normal" system behaviour. |
| | Proactive Discovery | Structured threat hunting capabilities and use of behavioural baselines to find abnormalities. |
| D: Minimising Impact | Response & Recovery | Documented RTOs/RPOs, incident reporting readiness (24h/72h windows), and BCP/DR testing. |
| | Lessons Learned | Post-incident analysis processes and how insights feed back into governance. |
Once the initial audit is remediated, the service transitions to continuous scanning and telemetry collection to maintain "Compliance Velocity".
Automated tracking of Mean Time to Detect (MTTD), Mean Time to Acknowledge (MTTA), and Mean Time to Remediate (MTTR).
Continuous monitoring of Patch Latency (days to apply critical patches) and count of End-of-Life (EOL) assets.
Real-time monitoring for Orphaned Accounts (aiming for < 5%) and MFA Coverage Rate.
Continuous discovery of Shadow IT, Domain Drift (typosquatting), and Leaked Credentials on the dark web.
Automated SBOM scanning for new vulnerabilities in application dependencies (e.g., Log4j-style risks).
Logging and reporting of significant events that were blocked (e.g., large-scale brute-force attempts) as required by CSRB.
The report transforms technical telemetry into a board-level maturity roadmap. It uses the Red-Amber-Green (RAG) protocol defined by NCSC CAF IGPs.
| Status | CAF v4.0 Definition | Example Threshold/Metric | Board Action Required |
|---|---|---|---|
| GREEN (Achieved) | All Indicators of Good Practice (IGPs) are present. | 100% MFA for privileged access; patch latency < 7 days. | No action. Maintain monitoring. |
| AMBER (Partially Achieved) | Measures provide worthwhile benefits, but gaps remain. | Patch latency 8-30 days; measures apply to some but not all systems. | Remediation Plan. Must be approved and tracked monthly. |
| RED (Not Achieved) | Significant gaps; even one bad practice indicator is sufficient. | Orphaned accounts > 5%; no data collection for monitoring; patch latency > 30 days. | Immediate Escalation. Potential pause in onboarding/procurement. |
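The following is an added example, not part of the original brief, showing how the continuous-monitoring telemetry above (patch latency, orphaned accounts, privileged MFA coverage) can be rolled up into the RAG statuses in this table, including the rule that a single RED indicator makes the overall status RED. The telemetry records and the reporting date are constructed for illustration; where the table gives no RED threshold for privileged MFA, anything short of 100% is treated as AMBER (an assumption).

```python
from datetime import date

# Constructed sample telemetry for one vendor (illustrative, not real data).
AS_OF = date(2024, 3, 31)
# (asset, date the critical patch was published, date applied or None if still open)
PATCH_RECORDS = [
    ("web-01", date(2024, 3, 1), date(2024, 3, 5)),
    ("db-01", date(2024, 3, 1), date(2024, 3, 20)),
    ("vpn-01", date(2024, 3, 10), None),
]
# (account, is_privileged, mfa_enabled, is_orphaned)
ACCOUNT_RECORDS = [
    ("alice", True, True, False),
    ("bob", True, True, False),
    ("carol", False, True, False),
    ("dave", False, True, False),
    ("svc-legacy", False, False, True),
]

def patch_latency_days(records, as_of):
    """Worst-case days from critical patch release to application.
    Open patches are measured up to the reporting date so they cannot hide."""
    return max((applied or as_of) - published for _, published, applied in records).days

def orphaned_pct(accounts):
    return 100.0 * sum(a[3] for a in accounts) / len(accounts)

def privileged_mfa_pct(accounts):
    priv = [a for a in accounts if a[1]]
    return 100.0 * sum(a[2] for a in priv) / len(priv) if priv else 0.0

def band(value, green_below, red_above):
    """Thresholds from the table use strict bounds; values between them are AMBER."""
    if value < green_below:
        return "GREEN"
    if value > red_above:
        return "RED"
    return "AMBER"

def rag_report(patch_records, accounts, as_of):
    indicators = {
        "patch_latency_days": band(patch_latency_days(patch_records, as_of), 7, 30),  # <7 GREEN, >30 RED
        "orphaned_accounts_pct": band(orphaned_pct(accounts), 5, 5),  # >5% RED
        "privileged_mfa_pct": "GREEN" if privileged_mfa_pct(accounts) == 100 else "AMBER",
    }
    # One RED indicator is sufficient for an overall RED, as the CAF table states.
    overall = "RED" if "RED" in indicators.values() else (
        "AMBER" if "AMBER" in indicators.values() else "GREEN")
    action = {"GREEN": "No action. Maintain monitoring.",
              "AMBER": "Remediation plan, approved and tracked monthly.",
              "RED": "Immediate escalation; potential pause in onboarding."}[overall]
    return {"indicators": indicators, "overall": overall, "board_action": action}
```

With the constructed data the open vpn-01 patch drives latency to 21 days (AMBER) and the single orphaned service account to 20% (RED), so the overall status is RED despite full privileged MFA coverage.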
The dashboard provides a tiered "pane of glass" for real-time risk oversight.
Lacking real-time validation is now a marker of negligence. This framework transforms cyber resilience into a "Compliance Currency" that enables organisations to accelerate revenue by removing vetting bottlenecks.