How CNI-like organisations can benefit from appropriate application of the Cyber Assessment Framework (CAF)
We all rely on our Critical National Infrastructure (CNI); after all, that’s what it means. The good practices of its providers, suppliers and maintainers are crucial to those infrastructures being available when needed. It should be no surprise to say that this is a highly regulated space. Here in Europe, this typically means alignment to the EU Network and Information Systems Directive (NIS-D), enforced in the UK via the UK Network and Information Systems Regulations (NIS-R) 2018.
This regulation requires providers to follow the Information Commissioner’s Office (ICO) guidance as the competent authority.
At present, this means following the Cyber Assessment Framework (CAF) as published by the National Cyber Security Centre (NCSC). For organisations that fall within the scope of NIS-D, the CAF represents a statement of expectation about conducting operations within essential services.
CGI has considerable experience leveraging this framework in support of our clients. We believe the CAF is also useful as a toolkit for organisations outside of the pure CNI umbrella. For these organisations, the principles of the CAF need to be applied sensibly, cognisant of an organisation’s specific needs and business priorities, and in support of established tooling and governance frameworks.