Understanding CAF Indicators of Good Practice Scoring

How do I get scored in CAF Assessments?

Using IGPs

Assessment of contributing outcomes is primarily a matter of expert judgement and the IGPs do not remove the requirement for the informed use of cyber security expertise and sector knowledge. IGPs will usually provide good starting points for assessments but should be used flexibly and in conjunction with the NCSC guidance associated with the top-level cyber security and resilience principles. Conclusions about an organisation’s cyber security and resilience should only be drawn after considering additional relevant factors and special circumstances.

  • Achieved (Green):
    The organisation fully meets the outcome. All key indicators are present and working as intended. Minor exceptions are acceptable only if there are equivalent compensating measures.
  • Partially Achieved (Amber):
    The organisation has implemented some, but not all, aspects of the outcome. What’s in place must still deliver meaningful improvements to cyber resilience — it’s more than just a token effort.
  • Not Achieved (Red):
    The organisation fails to meet the outcome. The presence of even one serious shortfall or missing indicator is typically enough to classify the outcome as not achieved.