Cyber Resilience Audit

2025-09-23

Cyber Resilience Audit (CRA) scheme members are companies that have been assessed as meeting the standards set by the National Cyber Security Centre (NCSC) to deliver independent cyber security audits. These audits will be conducted against the Cyber Assessment Framework (CAF).

The CRA is aimed mainly at organisations who are classed as Operators of Essential Services (OES), although it can be used by any company seeking an independent audit of their cyber resilience.

The Cyber Assessment Framework helps organisations achieve and demonstrate that they have a proportionate level of cyber security and resilience relating to the essential functions they provide.

It helps organisations meet legal and regulatory requirements by providing a framework for assessing how well (or not) the expected cyber security requirements defined within a CAF Profile are being met.

What does the Cyber Assessment Framework consist of?

There are 4 high-level objectives:

  • CAF Objective A – Managing security risk.

  • CAF Objective B – Protecting against cyber-attacks.

  • CAF Objective C – Detecting cyber security events.

  • CAF Objective D – Minimising the impact of cyber security incidents.

Underpinning these are 14 principles of cyber security and resilience which provide the foundations of the CAF. These in turn lead to 41 contributing outcomes, each of which is assessed as one of the following:

  • Achieved

  • Partially achieved

  • Not achieved

This approach allows for an outcome-based audit rather than a compliance tick-box exercise.

I am a small business. Can I use the Cyber Assessment Framework (CAF)?

Yes, the CAF is an outcome-based assessment that can be scaled to the size of your organisation to evaluate and improve your cyber resilience.

Is this only for organisations within the UK Critical National Infrastructure?

It is primarily designed for organisations operating within Critical National Infrastructure such as Energy, Transport, Government, Healthcare and Digital Infrastructure. However, it can be used by any organisation of any size.

What is a CAF Profile?

There are two CAF Profiles:

  1. The Baseline (sometimes called Basic) Profile is sector-agnostic and defines a suggested target level for each of the CAF outcomes. This Profile represents a level of cyber resilience matched to basic attacker capability and unsophisticated threats.
  2. The Enhanced CAF Profile is a more tailored, sector-specific target level for the CAF outcomes. It corresponds to a level of cyber resilience matched to a moderate attacker capability and a moderately sophisticated attack.

Book a free consultation to find out more about our Cyber Resilience Audit service and how your organisation could benefit.
