FOI Request - Cyber Assessment Framework
Request 101003998929
I am writing to request information under the Freedom of Information Act 2000 concerning the Council’s current status and plans regarding the National Cyber Security Centre (NCSC) Cyber Assessment Framework (CAF).
Please provide the following information:
1. Adoption Status
a) Has the Council formally adopted the Cyber Assessment Framework (CAF) as its primary cyber security assurance model?
b) If yes, on what date was the framework adopted, and what is the current progress of its implementation (e.g., pilot stage, partial rollout, or fully implemented)?
c) If the Council has not adopted the CAF, is there a formal plan or timeline to do so in the 2026/27 financial year (or beyond)?
2. Alternative Frameworks
a) If the Council has decided not to adopt the CAF, please state the primary reason for this decision (e.g., lack of resources, preference for other standards, or awaiting further central government guidance).
b) Please list any other cyber security or risk management frameworks currently in use by the Council outside of PSN (e.g., ISO 27001, Cyber Essentials/Cyber Essentials Plus, NIST).
3. Manpower and Personnel
a) How many Full-Time Equivalent (FTE) staff members are currently allocated to the implementation, assessment, or ongoing maintenance of the CAF?
b) Has the Council recruited new staff specifically to handle the requirements of the CAF, or has the workload been absorbed by existing IT/security teams?
c) Have external consultants or third-party service providers been contracted to assist with the CAF assessment?
d) How are you planning to select systems to be prioritised during the CAF implementation?
4. Financial Cost
a) What is the total estimated cost to date of adopting/implementing the CAF framework within the Council? (Please include costs for staff time, software/tools, and external consultancy).
b) What is the projected annual budget for maintaining compliance with the CAF over the next three financial years?
5. Governance
a) Which department or senior leadership role (e.g., SIRO, CISO, or Head of IT) is ultimately responsible for the Council’s CAF compliance and reporting?