CAF - B1.a Policies, processes, and procedure development

This article provides additional information on how you can meet the requirement for the CAF control B1.a, Policies, processes, and procedure development.

Developing Policies, Processes and Procedures

Organisations should maintain a comprehensive and structured set of policies, processes and procedures that define how security, governance and regulatory requirements are managed across service operations.
These documents should outline:

  • the overarching security governance model

  • the risk management approach

  • the technical and procedural controls required to protect systems supporting essential functions

Maintaining Policies in Adoptech

  • All policies and procedures should be maintained within Adoptech to ensure:

    • version control

    • ownership

    • approval workflows

    • scheduled reviews

  • Policies should be practical and achievable, written in plain language to support adoption by staff at all levels.

  • Controls and their compliance procedures should be documented in Adoptech, with more detailed procedures stored in systems such as SharePoint or GitHub where required.

  • Procedures relying on user behaviour should be supported and reinforced through training.

Embedding Cyber Security in Operations

  • Cyber security requirements should be embedded throughout operational processes.

  • Relevant KPIs or compliance indicators should be monitored and reported to senior management.

  • This ensures leadership maintains visibility of policy effectiveness and areas requiring improvement.

Reviewing and Updating Policies

  • Policies and procedures should be reviewed and updated at least annually, or sooner when triggered by:

    • changes in technology or services

    • organisational changes

    • updates in the threat landscape

    • significant security incidents

  • Reviews ensure that documents remain appropriate, relevant and aligned with evolving risks.

Designing for Predictable Security Outcomes

  • Where technically feasible, systems and automated controls should be designed to remain secure even when user behaviour deviates from expected processes.

  • This reduces reliance on human factors and supports consistent, predictable security outcomes.