Operational resilience

December 8, 2025

Getting Security Governance and Risk Management Right

Part 1 of a 2-part series on adopting the NCSC Cyber Assessment Framework (CAF 4.0)

In September 2025, the UK’s National Cyber Security Centre (NCSC) updated its Cyber Assessment Framework (CAF) to version 4.0, marking a significant evolution in how organisations assess and improve their cyber security maturity.

Unlike prescriptive checklists, CAF 4.0 is outcome focused. It establishes objectives, principles, and Indicators of Good Practice (IGPs) that define what success looks like, not just what needs to be done.

As the NCSC explains:

“The NCSC CAF… [is a] … specification of what needs to be achieved rather than a checklist of what needs to be done.”

This shift reflects a broader recognition that resilience cannot be achieved through compliance alone. Organisations must demonstrate measurable outcomes with clear evidence that their policies, processes, and governance structures are effectively managing cyber risk.

At its core, the CAF is designed to help organisations understand, assess, and manage cyber security risks systematically. But to achieve that, leadership must have access to reliable, timely information about their security posture. Without visibility and evidence, governance relies on opinion and assumption, both of which are inadequate in today’s dynamic threat landscape.

Objective A: Managing Security Risk

Target Outcome

Appropriate organisational structures, policies, processes, and procedures in place to understand, assess, and systematically manage security risks to network and information systems supporting essential functions.

Managing security risk is foundational to the CAF. It ensures that the systems and processes supporting essential functions are resilient to disruption, compromise, or misuse. To meet this objective, organisations need structures and processes that connect governance intent with operational execution, so that every stakeholder, from the board to the technical team, has access to accurate and timely information about risk.

CAF Objective A is built around four key principles: Governance, Risk Management, Asset Management, and Supply Chain Security. Together, they create a framework for systematic practices, continuous assurance and informed decision-making.

Principle A1 – Governance

Strong governance begins at the top. The CAF places overall accountability for cyber security with the board, supported by clear delegation of roles and responsibilities. Decision-makers must remain informed about the security and resilience of the organisation’s essential systems and act where issues could impact operations.

Governance in a CAF context is not about oversight alone; it’s about active assurance. Boards must regularly review their risk management policies, evaluate their continued relevance, and ensure that reporting mechanisms provide evidence of effectiveness.

This requires consistent, quantitative insight into how well security policies, controls, and behaviours are performing. With that data, leaders can make informed decisions about risk tolerance, investment, and remediation priorities.

Principle A2 – Risk Management

Effective risk management relies on the ability to identify, assess, and respond to threats in a structured and verifiable way. CAF 4.0 calls for systematic processes that move beyond questionnaires and periodic reviews and towards evidence-based, enterprise-wide risk management practices.

In practice this means continuously collecting data on vulnerabilities, control effectiveness, and incidents, so that decision-makers have current, reliable information on which to base risk decisions. The process must deliver visibility into which risks matter most, their likely impact, and the mitigations in place.

An organisation that manages risk effectively understands not only what its risks are, but also how well its existing defences are performing against them. This continuous feedback loop is central to achieving the CAF’s goal of sustained resilience.

Principle A3 – Asset Management

You cannot protect what you cannot see. Asset management, though often overlooked, is critical to understanding and maintaining resilience across essential functions.

The CAF requires organisations to identify and understand everything that supports those functions, from data and people to systems and infrastructure. This inventory is the foundation for prioritising protection, detecting anomalies, and managing dependencies.

Maintaining an accurate and current picture of assets, however, can be difficult, especially in dynamic environments where systems and users change frequently. Organisations must therefore adopt routine processes (ideally automated) that monitor the state of assets continuously, flag changes, and alert stakeholders to new risks.

Without that visibility, even the most robust governance and risk management frameworks can be undermined by unknown or unmanaged components in the environment.
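The continuous monitoring described above is, at its simplest, a scheduled comparison of what discovery actually finds against what the asset register says should be there. The script below is an added example written for this page; it is not code from the CAF or from Huntsman Security’s products. The asset fields, the severity rules, and the two inventories are all constructed for illustration. It reports the three conditions an asset-management process should flag: assets that appeared without being registered, registered assets that are no longer seen, and registered assets whose owner or exposed services changed.

```python
"""Asset inventory drift check (illustrative example, constructed data).

Compares a baseline asset register against the latest discovery snapshot and
returns findings a continuous asset-management process would alert on.
"""
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Optional, Tuple


@dataclass(frozen=True)
class Asset:
    asset_id: str                 # stable identifier, e.g. hostname or CMDB id
    owner: Optional[str]          # accountable team; None if nobody is recorded
    function: Optional[str]       # essential function it supports, if known
    services: FrozenSet[int]      # TCP ports the asset exposes


# (severity, asset_id, detail) -- severity labels are an assumption for this example
Finding = Tuple[str, str, str]


def diff_inventory(baseline: Dict[str, Asset], current: Dict[str, Asset]) -> List[Finding]:
    """Return drift findings, highest severity first, then by asset id."""
    findings: List[Finding] = []

    for aid, asset in current.items():
        if aid not in baseline:
            # Unknown asset: highest concern when it exposes services or has no owner.
            sev = "high" if asset.services else "medium"
            detail = f"unregistered asset; exposes {sorted(asset.services) or 'no services'}"
            if asset.owner is None:
                detail += "; no owner recorded"
            findings.append((sev, aid, detail))
            continue

        old = baseline[aid]
        added = asset.services - old.services
        removed = old.services - asset.services
        if added:
            findings.append(("medium", aid, f"new exposed services: {sorted(added)}"))
        if removed:
            findings.append(("low", aid, f"services no longer exposed: {sorted(removed)}"))
        if asset.owner != old.owner:
            findings.append(("low", aid, f"owner changed: {old.owner} -> {asset.owner}"))

    for aid, old in baseline.items():
        if aid not in current:
            # A registered asset that discovery no longer sees: either decommissioned
            # without updating the register, or a gap in discovery coverage.
            sev = "high" if old.function else "medium"
            findings.append((sev, aid, f"registered asset not seen; supports {old.function!r}"))

    order = {"high": 0, "medium": 1, "low": 2}
    findings.sort(key=lambda f: (order[f[0]], f[1]))
    return findings


def build_baseline() -> Dict[str, Asset]:
    """Constructed asset register (the 'should be there' view)."""
    assets = [
        Asset("web-01", "platform", "customer payments", frozenset({443})),
        Asset("db-01", "data", "customer payments", frozenset({5432})),
        Asset("jump-01", "ops", "remote admin", frozenset({22})),
    ]
    return {a.asset_id: a for a in assets}


def build_current() -> Dict[str, Asset]:
    """Constructed discovery snapshot (the 'actually there' view)."""
    assets = [
        Asset("web-01", "platform", "customer payments", frozenset({443, 22})),  # SSH now exposed
        Asset("db-01", "data", "customer payments", frozenset({5432})),        # unchanged
        Asset("web-02", None, None, frozenset({443, 8080})),                    # never registered
        # jump-01 is absent from discovery
    ]
    return {a.asset_id: a for a in assets}


def run_example() -> List[Finding]:
    return diff_inventory(build_baseline(), build_current())


if __name__ == "__main__":
    for severity, asset_id, detail in run_example():
        print(f"[{severity:6}] {asset_id}: {detail}")
```

Run on a schedule against real discovery output (a vulnerability scanner export, cloud inventory API, or CMDB extract), the same comparison yields the evidence trail the CAF asks for: each finding is timestamped, attributable to a specific asset, and resolvable either by updating the register or by remediating the change.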

Principle A4 – Supply Chain

Cyber resilience extends beyond an organisation’s boundaries. Dependencies on suppliers, managed service providers, and other third parties can introduce significant risks, particularly when those entities support critical systems or data.

The CAF emphasises the need to understand and manage these dependencies throughout the procurement lifecycle. This includes assessing supplier maturity, the provenance of their supply chain, and clearly defining shared security obligations within contracts and ongoing operations.

Visibility across the extended enterprise is often challenging, but essential. Consistent and objective supplier-performance evidence gives organisations confidence that they are managing external risks to the same standard as internal ones.

In practice, this means embedding supplier assurance processes that deliver verifiable data about control effectiveness and risk posture, not just attestations.

Achieving a Good Outcome

CAF 4.0 reflects the reality that cyber security governance and risk management cannot be static or compliance driven. Threats evolve, systems change, and business priorities shift. Therefore, organisations need governance structures and assurance processes that are continuous, data-driven, and responsive.

Manual or ad hoc assessments, even when well-intentioned, are no longer sufficient. They invariably offer only fleeting snapshots in time, while risks and exposures evolve continuously. To meet CAF’s outcome-based expectations, organisations must modernise how they gather, analyse, and act on security information.

This means moving from a reactive audit cycle to a proactive, continuous assurance model, one that uses automation and current data to reliably measure and manage cyber security performance.

How Huntsman Security Supports CAF 4.0 Adoption

The NCSC CAF calls for evidence-based measurement of cyber security outcomes. Huntsman Security’s technologies, Enterprise SIEM, Scorecard, and SmartCheck, are designed to help organisations deliver exactly that.

  • Enterprise SIEM provides near real-time telemetry, analysis, detection, and response capabilities. It allows organisations to systematically identify, assess, and manage cyber threats at scale, giving governance and operational teams a shared, accurate picture for effective risk response.
  • Scorecard and SmartCheck enable continuous, automated measurement of control effectiveness across technology, people, and process domains. They provide the quantitative evidence required to demonstrate performance against CAF Indicators of Good Practice.
  • Together, these solutions bridge the gap between strategic oversight and operational reality. They provide the data, context, and assurance needed to maintain cyber resilience in line with CAF objectives.

By adopting these evidence-based tools, organisations can measure progress, identify weaknesses, and prioritise remediation in support of essential functions.

Building Sustainable Resilience

Adopting the NCSC CAF 4.0 is not merely a compliance exercise; it is an opportunity to embed stronger, outcome-driven cyber resilience practices across the organisation.

Objective A, Managing Security Risk, lays the foundation for that transformation. It connects governance, risk management, asset awareness, and supplier assurance under a single principle: informed, accountable decision-making based on evidence.

Huntsman Security’s continuous threat exposure management solutions provide the measurement and visibility needed to support that principle in practice, enabling organisations to turn CAF objectives into operational reality.
