Boards in UK financial services and NHS Trusts keep treating the NCSC Cyber Assessment Framework as a self-assessment spreadsheet exercise. That's how organisations end up with green ratings against principles they cannot actually evidence under regulator scrutiny — and it's why the FCA and the Department of Health and Social Care are asking harder questions than they did three years ago.
The NCSC published CAF v3.2 in April 2024, refining indicators of good practice across the four objectives. For operators of essential services under the UK NIS Regulations 2018, and increasingly for FCA-regulated firms aligning to PS21/3 operational resilience expectations, the CAF has become the de facto language regulators use when they probe cyber maturity. The Cyber Security and Resilience Bill, currently progressing through Parliament, will widen the scope further.
Our consultants have run CAF-aligned assessments across UK banks, building societies and NHS Trusts. The same four control gaps appear repeatedly at board level. Here they are.
Gap 1: Principle A2 — Risk Management Without Real Asset Context
Most boards approve a cyber risk register that lists generic threats: ransomware, phishing, insider misuse. The CAF v3.2 Indicators of Good Practice under A2.a demand something tougher — risk decisions tied to specific essential functions and their supporting assets.
When we audit against this principle, the failure pattern is consistent. The CISO has a risk register. The asset register lives in a separate spreadsheet maintained by IT operations. Neither references the essential function the organisation is required to protect. The result: when NCSC or a sector regulator asks "show us how your risk treatment maps to the systems supporting your critical national infrastructure obligations," the answer is silence.
Fix it: Rebuild the risk register so every entry is anchored to a named essential function, a named system, and a named owner. If you cannot draw that line in under 60 seconds, you fail A2.
Gap 2: Principle B4 — System Security That Stops at the Perimeter
Principle B4 covers system security. The indicators of good practice in v3.2 explicitly call out secure configuration, vulnerability management, and the protection of data in transit and at rest across the full technology estate — including cloud and operational technology.
Boards routinely sign off on B4 based on patching SLAs for the corporate Windows estate. They miss three things: SaaS configurations (Microsoft 365, Salesforce, ServiceNow), infrastructure-as-code drift in AWS and Azure, and the OT or medical device estate. NHS Trusts running unsupported medical devices on flat VLANs cannot honestly claim B4 compliance, regardless of how good their endpoint patching looks.
Fix it: Demand evidence of secure baseline enforcement across every environment — corporate IT, cloud tenants, OT, and third-party-managed services. CIS Benchmarks and NCSC Cloud Security Principles give you the reference points.
Gap 3: Principle C1 — Security Monitoring With No Detection Engineering
Buying a SIEM is not the same as monitoring. CAF v3.2 C1.a and C1.b require that monitoring coverage is driven by threat understanding and that detection capability is continuously tuned.
The board sees a green light because a managed SOC provider sends a monthly report. What the board does not see: how many of the SOC's detection rules are mapped to MITRE ATT&CK techniques relevant to financial services or healthcare threat actors; whether identity-layer telemetry (Entra ID sign-in logs, conditional access failures) is ingested; whether the SOC has ever detected something the organisation didn't tell it to look for.
Fix it: Require your monitoring provider to evidence detection coverage against a named threat model. Run purple team exercises quarterly. If your SOC cannot produce a use-case catalogue mapped to ATT&CK, you do not have C1 coverage — you have a log archive.
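One way to turn the "use-case catalogue mapped to ATT&CK" test into something a board can actually read. This is an added example, not Pyralink's tooling or any SOC provider's export format; the threat model, catalogue and ingested-source list are constructed sample data, and the ATT&CK technique IDs are real identifiers used only as labels.

```python
# Added example (not from the original article): score a SOC use-case catalogue
# against a named threat model and check the telemetry each rule depends on.
# All data below is constructed for illustration.
from dataclasses import dataclass


@dataclass(frozen=True)
class UseCase:
    name: str
    technique: str    # MITRE ATT&CK technique ID the rule is written to detect
    log_source: str   # telemetry the rule needs in the SIEM before it can fire

# Constructed threat model: techniques a ransomware operator typically uses
THREAT_MODEL = {
    "T1566": "Phishing",
    "T1078": "Valid Accounts",
    "T1110": "Brute Force",
    "T1098": "Account Manipulation",
    "T1490": "Inhibit System Recovery",
    "T1486": "Data Encrypted for Impact",
}

# Constructed use-case catalogue, as a managed SOC might hand it over
CATALOGUE = [
    UseCase("Malicious attachment blocked", "T1566", "email_gateway"),
    UseCase("Impossible travel sign-in", "T1078", "entra_signin"),
    UseCase("Password spray from single IP", "T1110", "entra_signin"),
    UseCase("Shadow copies deleted (vssadmin)", "T1490", "edr"),
    UseCase("Mass file rename burst", "T1486", "edr"),
]

# Constructed list of log sources actually ingested; identity logs are absent
INGESTED = {"email_gateway", "edr", "windows_security"}


def assess_coverage(threat_model, catalogue, ingested):
    """Return live coverage %, techniques with no live rule, and starved rules."""
    live = {uc.technique for uc in catalogue if uc.log_source in ingested}
    starved = [uc for uc in catalogue if uc.log_source not in ingested]
    uncovered = sorted(t for t in threat_model if t not in live)
    pct = round(100 * len(live & set(threat_model)) / len(threat_model))
    return {"coverage_pct": pct, "uncovered": uncovered, "starved_rules": starved}


if __name__ == "__main__":
    result = assess_coverage(THREAT_MODEL, CATALOGUE, INGESTED)
    print(f"Effective C1 coverage: {result['coverage_pct']}%")
    for t in result["uncovered"]:
        print(f"  no live detection for {t} ({THREAT_MODEL[t]})")
    for uc in result["starved_rules"]:
        print(f"  rule '{uc.name}' needs '{uc.log_source}', which is not ingested")
```

Rules that exist on paper but whose telemetry is never ingested count as zero here, which is the distinction between a use-case catalogue and a log archive.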
Gap 4: Principle D1 — Response Plans That Have Never Met Reality
Principle D1 covers response and recovery planning. The indicator of good practice is unambiguous: plans must be tested, and lessons must drive change.
The British Library incident of October 2023 and the Synnovis ransomware attack on NHS pathology services in June 2024 both demonstrated the same lesson — organisations had incident response plans, but the plans assumed scenarios that bore no resemblance to what actually happened. Plans built around "the SOC alerts us, we contain, we restore from backups within 24 hours" collapse when the attacker has already destroyed the backup catalogue and the identity provider is compromised.
Fix it: Run a tabletop exercise this quarter on a scenario that breaks your assumptions. Include the executive committee, communications, legal, and your insurer. Document the gaps. Feed them back into D1 evidence.
How Pyralink Helps
Pyralink Innovation Ltd runs CAF-aligned assessments for UK financial services firms and NHS Trusts under the leadership of our Founder and Managing Director, Michael Adedeji (CISM, CISA, CC, MSc Data Science). Our team produces evidence packs that stand up to regulator review, not RAG-rated spreadsheets that collapse under questioning.
We deliver three things boards consistently ask for: a CAF gap analysis mapped to your essential functions, a remediation roadmap costed against your risk appetite, and ongoing vCISO support from £497 per month to close the gaps. Pyralink carries £5M professional indemnity insurance. Our CloudAuditX platform automates the evidence collection across AWS, Azure and Microsoft 365 — the environments where Gap 2 and Gap 3 hide.
If your next CAF self-assessment is due and you suspect the green ratings are optimistic, the cheapest hour you will spend this quarter is the one where someone independent stress-tests your evidence.