Analysis and practical guidance on UK public-sector cyber risk - GovAssure, the CAF, Secure by Design, threat intelligence and operational resilience.
GovAssure made the NCSC CAF the spine of UK government cyber assurance. The part that catches teams out is the supply chain.
Operational resilience is now a regulator question. If your most critical service went down tomorrow, could you recover in time - and prove it?
A security mandate run on a spreadsheet fails in five predictable ways: no control, evidence chaos, late governance, weak defensibility, cross-team friction.
A strong questionnaire shows how a supplier governs itself; an outside-in rating shows what an attacker sees. You need both.
An untested recovery plan is a wish with a cover page. Operational resilience is a posture you can score.
SolarWinds, MOVEit, Okta, Kaseya - the defining breaches share one trait: the attacker came in through a trusted supplier. The lesson isn’t "trust less"; it’s "assure continuously".
A questionnaire is a photograph; risk is a film. Why point-in-time supplier assurance fails - and what replaces it.
CAF, ISO 27001, Cyber Essentials and NIST ask the same questions in different shapes. Control mapping turns one answer into evidence for all.
The Secure by Design mandate asks for security designed in and continuously assured. A tracker spreadsheet can’t do either.