The key security duties of an OES is to manage risks to their network and information systems and to prevent and/or minimise the impact of incidents to those systems, through appropriate and proportionate technical and organisational measures.
NCSC have outlined that this can be achieved by working towards 4 top-level objectives. These 4 objectives will be realised through the implementation of a set of 14 cyber security principles which are designed to be outcome focused.
The aim of the Cyber Assessment Framework (CAF) is to:
- provide an OES a framework to establish how they are managing cyber security risks in relation to the production and delivery of wholesome water.
- the results of the CAF will allow DWI to assess the extent to which an OES is achieving the outcomes specified by the cyber security principles.
DWI has published its CAF Guidance which outlines a framework to enable companies to create/update a NIS Scope and provides a set of guidelines to aid the completion of the CAF.
DWI will send each company a CAF Reporting Tool (v3) which should be used to complete the CAF. Each submission should be accompanied by a signed Board Declaration.