GovAssure and the UK Cyber Security Strategy

Visit BSI's Experts Corner: Home for insights from BSI’s practice directors and industry experts on digital trust, environmental, health, safety, security, and sustainability.

25 May, 2023 - In January 2022, the U.K. government published the Government Cyber Security Strategy, which extends from 2022 through to 2030. The strategy exists to enhance the country’s resilience against cyberattacks across essential government agencies, bolstering the U.K. as a sovereign nation.

Build resilience with GovAssure

An essential element of the Government Cyber Security Strategy is GovAssure, a scheme to give central government a better understanding of the security and resilience capabilities of the public sector, to empower organizations to better protect themselves from hostile threats. GovAssure uses the Cyber Assessment Framework (CAF) developed by the National Cyber Security Centre (NCSC), which is comprised of four high-level objectives and 14 principals as shown below:

Across the four objectives, there are 39 contributing outcomes, and each is associated with a set of indicators of good practice (IGP), which are broken down into three categories:

  • Achieved: All outcomes must be met to be assessed as achieved.
  • Partially achieved: This column may not be present for all outcomes. It is important that the partial achievement is delivering specific, worthwhile cyber security benefits.
  • Not achieved: Normally, just one indicator in this column will result in an assessment of not achieved.

The GovAssure scheme requires organizations to review each of the IGPs against the essential services and state whether they meet the requirement. Each IGP must have a justification for the response and evidence of the activities being implemented in practice. The responses are then validated by a third party to ensure that responses are consistent across departments and enable a collaborative and standardised approach. Departments must also plan activities to close any gaps between the required level of compliance and the actual responses documented.

Follow a strategy

Whilst that sounds straightforward in theory, the reality becomes complicated very quickly when applied to a large governmental department. The key to this process is identifying the correct stakeholders and ensuring that the resources are made available as needed for each of the critical services. The work should be set up as a formal project with milestones as well as a management sponsor to help drive it.

This is the first stage of an ongoing process. If the evidence is not available or the controls are not implemented, this will be added to a non-compliance list.

Tips and recommendations

Tips and recommendations for completing the process as efficiently and quickly as possible include:

  • Take time to fully understand the scope of the critical systems. This will make the responses to the IGP more straightforward.
  • Ensure that any centralised controls (e.g., governance) are documented before requesting local-level or technology-specific responses. This will prevent repetition of work.
  • Provide a series of example responses and evidence tailored to your department systems and language. This will make the process smoother and more consistent across departments.
  • Use the process to highlight known issues and risks. The scheme should be seen as a tool to get more support to close gaps and remediate vulnerabilities.

The purpose of the initial GovAssure work is to provide the Cabinet Office’s Government Security Group (GSG) with greater visibility of the common cyber security challenges facing government. Therefore, the key is to provide an accurate view of the status so the risks can be properly understood and prioritised.

Learn more about BSI Digital Trust’s cyber risk advisory and compliance services. Follow along with other digital trust, environmental, health, safety, and supply chain topics that should be at the top of your list at BSI’s Experts Corner.