NCSC Cyber Assessment Framework
NCSC CAF
The UK National Cyber Security Centre's outcome-based framework for assessing cyber resilience in essential services and supporting supply chains.
The CAF is built around four objectives: managing security risk, protecting against cyber attack, detecting cyber security events, and minimising the impact of incidents. Fortoxa provides continuous visibility and evidence across all four.
How Fortoxa maps to it
A — Managing security risk
Asset inventory, governance records and policy adherence tracking so risk decisions are documented, not remembered.
B — Protecting against cyber attack
Identity, access, data-in-transit and data-at-rest controls monitored continuously across your cloud and endpoint estate.
C — Detecting cyber security events
24/7 telemetry ingestion with behavioural detection on endpoints, network and SaaS. Alerts routed to your team with full context.
D — Minimising the impact
Incident runbooks, response logs and post-incident review artefacts — so a real event produces an auditable trail, not a scramble.
Evidence mapping to CAF principles
Every control maps to specific CAF contributing outcomes, with exportable reports for assessors and internal assurance.
Supply-chain visibility
Third-party access, shared credentials and vendor misconfiguration flagged before they become an incident.
The source
Fortoxa's mapping is our own interpretation. For the authoritative framework text, consult the regulator directly.
Read the NCSC CAF collection
Get compliant without hiring a security team
Fortoxa handles the monitoring, evidence collection and audit-ready reporting so your team can focus on the business.