Everyone’s talking about ‘the CAF’. You’ll probably hear phrases like: ‘we’re getting the CAF’ or ‘we have to do the CAF,’ echoing around the workplaces deemed in scope.
For many, it feels like just another compliance checklist: something cyber security teams must follow to prove they’re doing the right things to avoid becoming the next cyberattack headline. But that’s only one way to look at it, and it’s time to shift the narrative.
Closing the cyber defence gap
The cyber threat landscape is becoming more complex and aggressive. There was a 50% increase in nationally significant incidents and a threefold rise in severe attacks in 2024 alone. These came not only from nation state actors but also from well-resourced criminal gangs.
The UK National Cyber Security Centre (NCSC)’s stance is clear: businesses must evolve from reactive compliance to proactive resilience.
This means:
- Embedding security into digital transformation
- Treating cyber risk as a strategic issue
- Collaborating across sectors and borders
- Investing in people, processes, and technologies that can adapt to emerging threats.
CAF - more than compliance
It’s important to recognise that the CAF isn’t just a tick-box exercise, but a maturity model that can shape your organisation’s cyber strategy. While frameworks like Cyber Essentials, ISO 27001, and PCI DSS serve specific purposes, the CAF complements them by offering a broader, outcome-driven approach.
Not every organisation has a team of seasoned cyber professionals. The CAF provides a cornerstone for building a strong cyber posture. This ensures the right people, processes and technology are in place to reduce the likelihood of attack and disruption.
The CAF also encourages organisations to think holistically. It’s not just about technical controls; it’s about governance, culture, risk management, and resilience. It helps shift cyber security from being a siloed IT issue to a board-level priority.
Seize the opportunity
Instead of seeing CAF as something forced upon you, embrace it as a strategic tool.
Whether you're early in your cyber journey or refining an established approach, the CAF can:
- Drive boardroom conversations
- Shape your roadmap
- Justify investment
- Strengthen business resilience
- Align cyber security with operational and strategic goals.
Just as the Health and Safety at Work Act (1974) transformed workplace culture, the CAF has the potential to embed cyber resilience into the fabric of modern organisations.
The CAF objectives
The CAF is structured around four core objectives:
- Objective A – managing security risk
  Ensuring cyber risks are identified, assessed, and effectively managed across the organisation.
- Objective B – protecting against cyber attack
  Implementing proportionate security controls to defend systems and data from cyber threats.
- Objective C – detecting cyber security events
  Establishing capabilities to detect and understand cyber security incidents in a timely manner.
- Objective D – minimising the impact of incidents
  Developing and maintaining plans to respond to and recover from cyber incidents to reduce harm and restore operations.
Alongside these, the energy and health sectors are expected to achieve an additional objective under the enhanced profile requirements:
- Objective E – sector-specific enhancements
  - Energy sector – physical security
    Ensure physical access to critical systems and infrastructure is protected to maintain resilience.
  - Healthcare sector (NHS DSPT) – using and sharing information appropriately
    Ensure personal and sensitive information is used and shared transparently, lawfully, and securely to support safe and effective care.
Organisations in scope must provide evidence against relevant Indicators of Good Practice (IGPs), taking a risk-based approach to demonstrate progress toward maturity.
Real-world impact
Embracing the CAF principles doesn’t simply make you compliant; it can entirely transform your cyber posture. This is demonstrated by a client we’ve worked with in the energy sector.
CAF case study:
- Risk management: the organisation conducted a full CAF-based risk assessment and established a cyber risk register, integrating it into their enterprise risk management processes. This elevated cyber risk to board-level visibility, driving investment in people and tooling.
- Technical controls: they implemented asset management and network segmentation across IT and OT environments, reducing their attack surface and strengthening access controls.
- Threat detection: by deploying a SIEM tool, their Security Operations team gained real-time visibility and improved threat detection and response capabilities.
- Incident response: they built and rehearsed incident response plans, reducing response times and ensuring everyone knew their role in a crisis.
- Resilience planning: they introduced fallback operational modes for critical systems and conducted resilience testing, ensuring continuity of essential services even during simulated cyber events.
This wasn’t just about meeting regulatory expectations; it was about embedding cyber resilience into the organisation’s DNA.
Being CAF compliant goes beyond avoiding fines or meeting minimum standards; its value is in building trust, protecting people, and ensuring continuity in an increasingly complex digital world.