Response 4014047
Response to request for information
Reference: 4014047
Response date: 26 May 2026
Request
National Cyber Security Centre (NCSC) Cyber Assessment Framework (CAF).
Please provide the following information:
- Adoption Status
  - Has the Council formally adopted the Cyber Assessment Framework (CAF) as its primary cyber security assurance model?
  - If yes, on what date was the framework adopted, and what is the current progress of its implementation (e.g., pilot stage, partial rollout, or fully implemented)?
  - If the Council has not adopted the CAF, is there a formal plan or timeline to do so in the 2026/27 financial year (or beyond)?
- Alternative Frameworks
  - If the Council has decided not to adopt the CAF, please state the primary reason for this decision (e.g., lack of resources, preference for other standards, or awaiting further central government guidance).
  - Please list any other cyber security or risk management frameworks currently in use by the Council outside of PSN (e.g., ISO 27001, Cyber Essentials/Cyber Essentials Plus, NIST).
- Manpower and Personnel
  - How many Full-Time Equivalent (FTE) staff members are currently allocated to the implementation, assessment, or ongoing maintenance of the CAF?
  - Has the Council recruited new staff specifically to handle the requirements of the CAF, or has the workload been absorbed by existing IT/security teams?
  - Have external consultants or third-party service providers been contracted to assist with the CAF assessment?
  - How are you planning to select systems to be prioritised during the CAF implementation?
- Financial Cost
  - What is the total estimated cost to date of adopting/implementing the CAF framework within the Council? (Please include costs for staff time, software/tools, and external consultancy.)
  - What is the projected annual budget for maintaining compliance with the CAF over the next three financial years?
- Governance
  - Which department or senior leadership role (e.g., SIRO, CISO, or Head of IT) is ultimately responsible for the Council’s CAF compliance and reporting?
Response
- Adoption Status
  - RBC has not yet fully adopted the CAF. We completed the CAF-ready works in 2024. There is a formal plan to become fully CAF compliant by April 2030.
- Alternative Frameworks
  - We follow ISO 27001, Cyber Essentials and PSN.
- Manpower and Personnel
  - How many Full-Time Equivalent (FTE) staff members are currently allocated to the implementation, assessment, or ongoing maintenance of the CAF? Currently nobody is dedicated to this work. It is predicted to take a minimum of 140 hours of time from the ICT department, plus additional work from other departments.
  - Has the Council recruited new staff specifically to handle the requirements of the CAF, or has the workload been absorbed by existing IT/security teams? Not applicable.
  - Have external consultants or third-party service providers been contracted to assist with the CAF assessment? We have spoken to several third parties around this and are currently reviewing our options; this includes advice from SOCITM, the membership body for public authority ICT departments. All work is dependent upon Local Government Reorganisation and the impact that will have upon RBC.
  - How are you planning to select systems to be prioritised during the CAF implementation? We will follow our current prioritisation order for systems and infrastructure, depending upon the level of importance for public-facing activities, security and importance in keeping the authority working as normal.
- Financial Cost
  - What is the total estimated cost to date of adopting/implementing the CAF framework within the Council? (Please include costs for staff time, software/tools, and external consultancy.) Not completed yet, although it is expected that there will be 10 days of consulting work at a cost of £1,000 per day.
  - What is the projected annual budget for maintaining compliance with the CAF over the next three financial years? Not yet calculated.
- Governance
  - Which department or senior leadership role (e.g., SIRO, CISO, or Head of IT) is ultimately responsible for the Council’s CAF compliance and reporting? SIRO.