UK NCSC Cyber Assessment Framework

United Kingdom

4 domains

39 controls

UK NCSC Cyber Assessment Framework v3.2 (used by NIS Regulations 2018 competent authorities and Cabinet Office GovAssure).

Verified

Framework summaries on this platform are AI-assisted interpretations for educational and compliance planning purposes. They do not reproduce or replace the official standards. Refer to the authoritative source for the definitive text. Framework names and trademarks belong to their respective organisations.

Framework Domains (4)

A Managing Security Risk

7 controls

Controls in the A Managing Security Risk domain of UK NCSC Cyber Assessment Framework — 7 controls
Code	Title	Description
A1.a	Board Direction	Senior leadership sets clear direction on security of network and information systems, with documented accountability an...
A1.b	Roles and Responsibilities	Security roles and responsibilities are clearly defined, allocated, communicated, and resourced across the organisation.
A1.c	Decision Making	Security decisions are made by individuals with sufficient authority, expertise, and access to information to act on ris...
A2.a	Risk Management Process	A systematic and repeatable risk management process identifies, analyses, prioritises, and manages risks to essential fu...
A2.b	Assurance	The organisation gains confidence in the effectiveness of its security measures through independent assessment, testing,...
A3.a	Asset Management	Everything required to deliver, maintain, or support essential functions is identified and managed, including data, hard...
A4.a	Supply Chain	The organisation understands and manages security risks to essential functions arising from dependencies on external sup...

B Protecting Against Cyber Attack

20 controls

Controls in the B Protecting Against Cyber Attack domain of UK NCSC Cyber Assessment Framework — 20 controls
Code	Title	Description
B1.a	Policy and Process Development	Policies and processes governing the security of network and information systems are developed, applied, and kept up to...
B1.b	Policy and Process Implementation	Security policies and processes are effectively implemented, monitored for compliance, and enforced through technical an...
B2.a	Identity Verification, Authentication and Authorisation	Users, devices, and systems accessing networks supporting essential functions are robustly verified, authenticated, and...
B2.b	Device Management	Devices used to access networks and information supporting essential functions are managed, hardened, and trusted.
B2.c	Privileged User Management	Privileged user accounts are tightly controlled, monitored, and used only when necessary with strong authentication and...
B2.d	Identity and Access Management	User identities are managed throughout the joiner mover leaver lifecycle and access rights are reviewed regularly.
B3.a	Understanding Data	The organisation has a clear understanding of data important to the operation of essential functions, including its loca...
B3.b	Data in Transit	Data important to the operation of essential functions is protected in transit through encryption and integrity controls...
B3.c	Stored Data	Data important to the operation of essential functions is protected at rest, including on endpoints, servers, removable...
B3.d	Mobile Data	Data important to essential functions on mobile devices is appropriately protected against loss, theft, or unauthorised...
B3.e	Media Equipment Sanitisation	Media and equipment are sanitised before disposal, reuse, or transfer to prevent disclosure of data important to essenti...
B4.a	Secure by Design	Network and information systems supporting essential functions are designed to be secure, including segmentation, harden...
B4.b	Secure Configuration	Systems are securely configured and configuration drift is detected and remediated.
B4.c	Secure Management	Systems are managed securely, including patching, vulnerability management, and protection of management interfaces.
B4.d	Vulnerability Management	Vulnerabilities are identified, assessed, and managed in a timely manner across the estate supporting essential function...
B5.a	Resilience Preparation	The organisation prepares for cyber attack disruption so essential functions continue to operate.
B5.b	Design for Resilience	Networks and systems are designed to be resilient to cyber security incidents, with segmentation and isolation built in.
B5.c	Backups	Backups of data and configuration important to essential functions are taken, protected from compromise, and tested for...
B6.a	Cyber Security Culture	A positive cyber security culture is developed and maintained across the organisation.
B6.b	Cyber Security Training	Staff have the skills, knowledge, and experience to deliver their security role, supported by role based training.

C Detecting Cyber Security Events

7 controls

Controls in the C Detecting Cyber Security Events domain of UK NCSC Cyber Assessment Framework — 7 controls
Code	Title	Description
C1.a	Monitoring Coverage	Monitoring captures the data required to detect security incidents affecting essential functions across IT, OT, cloud, a...
C1.b	Securing Logs	Logs are protected from unauthorised modification or deletion to preserve evidential value.
C1.c	Generating Alerts	Monitoring tools generate timely and accurate alerts on indicators of malicious activity affecting essential functions.
C1.d	Identifying Security Incidents	Security incidents are identified from monitoring data through triage and analysis with appropriate skills and tools.
C1.e	Monitoring Tools and Skills	Monitoring staff have the tools, skills, and authority needed to detect threats to essential functions effectively.
C2.a	System Abnormalities for Attack Detection	The organisation defines what good looks like for normal operation so abnormal activity indicating attack can be discove...
C2.b	Proactive Attack Discovery	The organisation proactively hunts for attacks that may have evaded existing detections.

D Minimising the Impact of Cyber Security Incidents

5 controls

Controls in the D Minimising the Impact of Cyber Security Incidents domain of UK NCSC Cyber Assessment Framework — 5 controls
Code	Title	Description
D1.a	Response Plan	Incident response plans are in place to manage cyber security incidents affecting essential functions, including roles,...
D1.b	Response and Recovery Capability	The organisation has the capability to respond to and recover from cyber security incidents and restore essential functi...
D1.c	Testing and Exercising	Response and recovery plans are tested regularly and exercised to validate effectiveness and improve readiness.
D2.a	Incident Root Cause Analysis	When an incident occurs, root causes are identified to inform improvement of defences.
D2.b	Using Incidents to Drive Improvements	Lessons identified from incidents and exercises are used to drive improvements to security and resilience.

Frequently Asked Questions

What is UK NCSC Cyber Assessment Framework?

UK NCSC Cyber Assessment Framework is a compliance framework from United Kingdom with 4 domains and 39 controls. UK NCSC Cyber Assessment Framework v3.2 (used by NIS Regulations 2018 competent authorities and Cabinet Office GovAssure). It is used by organisations to establish and maintain compliance with industry standards and regulatory requirements.

How many controls does UK NCSC Cyber Assessment Framework have?

UK NCSC Cyber Assessment Framework has 39 controls organised across 4 domains. The largest domains are B Protecting Against Cyber Attack (20 controls), A Managing Security Risk (7 controls), C Detecting Cyber Security Events (7 controls). Each control defines specific requirements that organisations must implement to achieve compliance.

What frameworks does UK NCSC Cyber Assessment Framework map to?

UK NCSC Cyber Assessment Framework does not currently have cross-framework mappings in our system. Check back as we continuously expand our mapping database.

How do I get started with UK NCSC Cyber Assessment Framework compliance?

Start your UK NCSC Cyber Assessment Framework compliance journey by running a self-assessment on our platform to identify your current compliance posture. Our AI advisory can answer specific questions about UK NCSC Cyber Assessment Framework requirements, and cross-framework mapping helps you leverage existing controls from other frameworks you may already comply with. Create a free account to access all 39 controls and track your progress.

Start Your Compliance Journey

Create a free account to run self-assessments, get AI advisory, and track your compliance progress across 769 frameworks.

Get Started Free →

Free forever — no credit card required