The Cyber Assessment Framework (CAF)

The key security duties of an OES is to manage risks to their network and information systems and to prevent and/or minimise the impact of incidents to those systems, through appropriate and proportionate technical and organisational measures.

NCSC have outlined that this can be achieved by working towards 4 top-level objectives. These 4 objectives will be realised through the implementation of a set of 14 cyber security principles which are designed to be outcome focused.

The aim of the Cyber Assessment Framework (CAF) is to:

  • provide an OES a framework to establish how they are managing cyber security risks in relation to the production and delivery of wholesome water.
  • the results of the CAF will allow DWI to assess the extent to which an OES is achieving the outcomes specified by the cyber security principles.

DWI has published its CAF Guidance (PDF 609KB) which outlines a framework to enable companies to create a NIS Scope and provides a set of guidelines to aid the completion of the CAF.

This Guidance document also includes the CAF Reporting Tool (xls 155KB) which OES should use to complete their CAF profiles. A word copy of the Board Declaration (doc 25KB) should also be included in the final submission to DWI.


Page reviewed: 7 January 2019
Page modified: 7 January 2019

Drinking Water Inspectorate