GovAssure supports HM Government’s National Cyber Strategy 2022 and its objectives and aims. It takes guidance from the Network & Information Systems (NIS) and NCSC’s Central Assurance Framework (CAF) and will support the GSG’s initiative to increase the UK’s cyber resilience and protect essential services, with the first key milestone in 2025. Once all critical functions have been sufficiently hardened against common vulnerabilities and attacks, the scope will increase to include all identified public sector organisations, which are to achieve the same by 2030.






Improve overall cyber resilience

The scheme targets Operators of Essential Services, organisations working with Critical National Infrastructure, and public sector and governmental departments.
Whilst these organisations already engage with and implement cyber security measures, GovAssure aims to standardise those measures, introducing a consistent baseline level of security and improving overall cyber resilience, with two key pillars in mind:
• Build a strong foundation of organisational cyber security resilience
• Defend as 'one'

These are supported by four objectives that are crucial to cyber resilience, giving clear guidance on areas of focus to the applicable organisations, namely:
• Managing cyber risk
• Protecting against cyber attack
• Detecting cyber security events
• Minimising the impact of cyber security incidents

Within these objectives, there are 14 principles that contain 39 contributing outcomes (COs).
Each department or organisation must be reviewed by an independent third party that is on the Cyber Security Supplier 3 (CSS3) Dynamic Purchasing System framework and approved to provide GovAssure-compliant services.

The perfect partner

Commissum Associates (Resillion) is a longstanding provider of technical assurance and cyber security services to public sector clients and is accredited to provide GovAssure standard services.

Trusted partner: As a Cabinet Office approved supplier of GovAssure independent assessments, we ensure your GovAssure compliance is achieved first time
In safe hands: Our vast experience working within UK Public Sector means we understand your challenges, seeing that your GovAssure assessment is fit for purpose and supportive of your organisation’s objectives
Expert resources: Your dedicated consultant will have comprehensive GovAssure training from GSG and will provide advice and guidance you can depend on
Efficient service: A dedicated Project Management team to create clear communication pathways so all parties have access to the right people, at the right time, to deliver your projects within budget and without delay
On the same page: Our collaborative approach will reduce the time required for workshops and discrepancies, meaning reduced costs and time, and you can keep doing what you do best

Key objectives of the Review

The key objectives of the Independent Assurance Review, as noted on the website, are:

  • Assess the level of attainment of the target Government CAF profile that has been assigned to the system
  • Validate the opinion of ‘achieved’ or ‘partially achieved’ along with the associated commentary against each CAF contributing outcome, based on the evidence provided by your organisation and the associated indicators of good practice
  • Assess, at a high level, how your organisation is identifying and managing its cyber risks
  • Understand the key cyber security risks related to your organisation and your in-scope critical systems
  • Determine the effectiveness of current cyber security controls
  • Provide a draft report covering observations and recommendations against the target government CAF profile and, following an agreement process, a final report, detailing challenges and important observations for the organisation

The GovAssure Approach

The GovAssure approach consists of five stages:

  1. Describe departmental context, essential services, and mission
  2. Identify systems within scope and alignment to the CAF Profile
  3. Self-assessment against the CAF
  4. Independent Assurance Review
  5. Final Assessment/Target Improvement Plan

Organisations must first perform a situational analysis, identifying any essential services, and their profile level, that are in scope for the GovAssure assessment. Once services have been identified, a CAF self-assessment must be completed for each system, aligning with the proposed criteria and defining whether objectives have been achieved, partially achieved, or not achieved. Feel free to get in touch with Commissum if you need support with your self-assessment.

After organisations have submitted the self-assessment and are permitted by the GSG, they will proceed to the next stage – the Independent Assurance Review. This is where the self-assessment is reviewed by an objective third party, such as Commissum, to verify it.

Stages of the Independent Assurance Review

Project Initiation

Defines how the GovAssure Independent Assurance Review will be conducted and who will be involved.

High-Level Web CAF Review

A high-level review of the GovAssure self-assessment via the Web CAF portal.

Workshop Topics Identification

An in-depth assessment of areas of partial or non-compliance, which will be subject to discussion in subsequent GovAssure workshops.

Conduct Workshops

Workshops to discuss and agree on initial findings of the GovAssure Independent Assurance Review.


A period of arbitration (conducted by GSG) may be required if findings cannot be fully agreed.

Report Writing

The complete GovAssure Independent Assurance Review report to be submitted to GSG.
