Compliance and Assurance

Close up of hands typing on laptop with graphic overlay of a padlock and other network-like elements.

Compliance and Assurance

With an increasing number of frameworks and assessments, it can be confusing to understand where you should focus your efforts. We can guide you through these frameworks and prepare your organisation to meet your compliance requirements.

If you don’t have compliance requirements these frameworks are still excellent tools to build your cyber implementation plan around. We can help you understand and use these tools effectively.

We are experienced in the following frameworks: the NCSC’s Cyber Assessment Framework (CAF), NIST’s Cyber Security Framework (CSF), and the NCSC’s Cyber Essentials.

Find out more here.

We help you effectively use common cyber security frameworks

Framework understanding

Properly understanding a framework allows you to implement it more effectively

Expert guidance

Our expert advice helps you efficiently meet compliance requirements

Certification preparation

We get you ready to gain certification

CAF assessment

The NCSC created the Cyber Assessment Framework to reduce the risk of a cyber incident impacting organisations delivering critical services. It is fast becoming a standard across other industries as it is simple, thorough and effective.

Our consultants are well-versed in the framework and can help assess your current posture as well as help you understand what outcomes you should achieve.

NIST CSF

The US National Institute of Standards and Technology’s Cyber Security Framework remains the international standard for cyber security. It allows your organisation to understand and improve its cyber security practices.

We are experienced in implementing NIST standards; we will work with your organisation to follow the framework and make the required changes to comply with its recommendations.

Cyber Essentials

The NCSC’s Cyber Essentials scheme is its entry level certification that will help you to protect your organisation, whatever its size, against a whole range of the most common cyber attacks.

It comes in two forms: Cyber Essentials and Cyber Essentials Plus. We are able to assist you in preparation for either certification, both of which allow you to benefit from external accreditation for your business.

Cyber Business Assurance

Complex organisations often rely on numerous IT and OT systems. Each of these systems could be made highly secure with a wide ranging set of security controls. In reality this is likely to be impractical, unaffordable, and unnecessary.

Instead cyber business assurance seeks to identify the abilities that enable an organisation to achieve its objectives. These abilities are then assessed for their disruption tolerance and the technology that enables them. The analysis produces a list of prioritised cyber associated risks at a system level. These can be used to inform broader risk management processes as well as to direct finite cyber security investments.

Frequently asked questions

If your organisation operates in an environment where there are statutory security requirements then these will likely mandate which framework to use. If you operate some aspect of UK critical national infrastructure then you will likely be required to implement CAF. The 2022 UK National Cyber Strategy mandated that all UK government organisations are to follow CAF.

NIST is recognised internationally, and the UK arms of many multinationals may be using this framework instead of CAF. Fundamentally, both CAF and NIST CSF define very similar security outcomes so activities performed under one can be ‘translated’ relatively easily in the other.

Cyber Essentials is much simpler than both NIST CSF and CAF and is aimed at smaller organisations. However, despite being simpler it is a useful precursor to implementing one of the larger frameworks - the proverb of learning to walk before you run applies here.

Cyber Essentials is a great starting point for many organisations on their journey towards a mature cyber security posture. Unless there are explicit reasons why you need something else, we’d recommend starting there and progressing toward NIST CSF or CAF in due time.

Cyber Essentials also puts in place a lot of the important groundwork needed for the more mature frameworks (such as asset management and authentication), and there is a lot of overlap, so no effort is wasted

Yes. These frameworks, particularly NIST CSF and CAF, describe a set of security outcomes in widely understood language. They are also industry best practices. These can be used to describe your current security situation and to define where you want to get to. CAF is particularly good at using easy to read, outcome based language that risk owners can understand.

When combined with risk assessment methodologies and threat modelling you can justify which outcomes you do not need to achieve. This is a key point of these frameworks - not everyone needs to implement every outcome.