• Have a question? Call us : +44 (0) 1256 744 780

NCSC Cyber Resilience Audit & GovAssure

Last updated: 2026-03-24T09:25:21+00:00

NCSC CYBER RESILIENCE AUDIT & GOVASSURE

Independent cyber resilience audits – assured by the NCSC

RightCue is proud to be an NCSC Assured Service Provider under the Cyber Resilience Audit (CRA) scheme. This means we have been independently assessed by the UK’s National Cyber Security Centre and meet their rigorous standards for delivering independent Cyber Assessment Framework (CAF) based audits.

Whether you are a government department preparing for GovAssure, an operator of essential services meeting regulatory obligations, or an organisation in a critical national infrastructure sector – we provide the independent assurance you need, delivered with the business-first approach you’d expect from RightCue.

What is the NCSC Cyber Resilience Audit scheme?

The Cyber Resilience Audit (CRA) scheme is an NCSC initiative that assures providers who can conduct independent Cyber Assessment Framework (CAF) based audits. It gives government organisations, regulators, and oversight bodies confidence that the companies delivering these audits meet the NCSC’s high standards for competence, quality, and independence.

The CRA scheme supports a broad range of sectors and oversight bodies, including central government (through GovAssure), healthcare, civil aviation, energy, and other nationally critical sectors. Organisations under these bodies’ oversight require independent assurance reviews conducted by CRA-approved providers.

As an NCSC Assured CRA provider, RightCue is approved to deliver these independent audits – helping you demonstrate your cyber resilience to regulators, stakeholders, and oversight bodies with confidence.

What is GovAssure?

GovAssure is the UK Government’s assurance approach for assessing how well government organisations are managing cyber security risks to their critical services. Launched in April 2023, it requires government departments and arm’s length bodies to undergo annual Independent Assurance Reviews (IARs) based on the NCSC’s Cyber Assessment Framework.

From April 2026, only companies that are part of the NCSC’s Cyber Resilience Audit scheme will be eligible to deliver GovAssure IARs. RightCue meets this requirement, positioning us as a trusted partner for government organisations needing to fulfil their GovAssure obligations.

GovAssure reviews involve a structured process: scoping with the organisation, conducting the assessment against CAF objectives and principles, and producing a detailed report that provides assurance to senior leadership and central government oversight functions.

The Cyber Assessment Framework explained

The Cyber Assessment Framework (CAF) is developed by the NCSC to provide a systematic, outcome-focused approach to assessing how well organisations are managing cyber risks to essential functions. It is used across regulated and critical national infrastructure sectors, and forms the basis for both GovAssure and wider CRA audits.

The CAF is structured around four key objectives:

  • Appropriate organisational structures, policies, and processes to understand, assess, and manage security risks.

  • Proportionate security measures to protect systems and data from cyber attack.

  • Capabilities to detect cyber security events affecting essential functions.

  • Capabilities to minimise the adverse impact of incidents on essential functions.

Each objective contains a set of principles and contributing outcomes that organisations are assessed against. RightCue’s auditors evaluate your organisation’s posture across all four objectives, providing a clear and structured view of where you stand and what needs attention.

How we deliver CRA and GovAssure reviews

Our approach combines deep technical and governance expertise with the pragmatic, business-focused delivery that defines everything we do at RightCue:

  • Scoping: We work with you to define the scope of the review, understand your critical services, identify key stakeholders, and establish assessment boundaries. For GovAssure engagements, this includes reviewing your completed GovAssure Scoping Document and agreeing review timelines and logistics.

  • Assessment: Our auditors assess your organisation against the relevant CAF objectives and principles. This involves reviewing policies, procedures, risk assessments, configuration baselines, incident logs, training records, supplier risk assessments, monitoring outputs, and other evidence that demonstrates how your controls operate in daily practice.

  • Reporting: We produce a detailed, structured report that provides a clear assessment of your cyber resilience posture. Our reports are suitable for submission to regulators, oversight bodies, and senior leadership – giving them confidence that risks are being managed effectively.

  • Recommendations: We don’t just identify gaps – we provide practical, prioritised recommendations that are aligned to your business objectives and resources. Our goal is to help you improve, not simply to highlight what’s wrong.

  • Ongoing support: Cyber resilience is not a one-off exercise. We can support you on an ongoing basis, from remediation planning through to readiness assessments ahead of your next annual review.

Who needs a Cyber Resilience Audit?

The CRA scheme and CAF-based audits are relevant to a wide range of organisations, including:

  • Government departments and arm’s length bodies required to undergo annual GovAssure Independent Assurance Reviews.

  • Operators of Essential Services (OES) under the NIS Regulations across sectors including energy, transport, healthcare, digital infrastructure, and water.

  • Critical National Infrastructure (CNI) organisations seeking to demonstrate cyber resilience to regulators and oversight bodies.

  • Defence and public sector organisations needing independent assurance of their cyber security posture.

  • Any organisation that wants to assess its cyber resilience against the UK’s gold standard framework, whether for regulatory, contractual, or strategic reasons.

If you’re unsure whether your organisation falls in scope, get in touch – we can help you understand your obligations and the best path forward.

“The RightCue team were instrumental in the (compliance) process…Their knowledge of controls was outstanding, and they really understood our business.”

Imran Musawi

Cyber Security Engineer, Solidatus

Why choose RightCue for your CRA or GovAssure review?

The RightCue virtual CISO team are proven industry leaders with a minimum of 20 years of experience in the cyber security industry, extensive knowledge and experience in information governance, and a solid understanding of business priorities.

Our experts work with several organisations across industries and deal with diverse security challenges. Their deep understanding of industry best practices and emerging threats allows them to provide strategic guidance and make informed decisions to protect your sensitive data and assets.

Our CISO consultants are adept at providing board level representation to set the organisation’s tone, build good security foundations based on the recognised standards, and ensure legal, regulatory and contractual compliance, e.g. data privacy requirements.

Invest in a robust information security strategy with our vCISO services. Let us be your trusted partner in safeguarding your organisation’s valuable assets, reputation, and future growth.

By choosing our vCISO services, you unlock a range of benefits for your organisation, strengthening your information security strategy:

  • Prioritised security spending: We help you identify and address the most critical information risks, enabling you to allocate your security budget effectively and efficiently.

  • Cohesive security approach: Instead of relying on fragmented tools and ad-hoc consulting, we deliver a comprehensive security strategy ensuring all aspects of your organisation’s security are integrated seamlessly.

  • Access to trusted and practical advice: Our team of qualified practitioners have a wealth of experience and industry knowledge. Rely on their expertise to provide you with trusted and practical advice tailored to your specific needs.

  • Clarity on costs and deliverables: We believe in transparency and clear communication. Our vCISO services provide clarity on costs and deliverables, helping with budgeting and planning.

  • Rapid response to security incidents and breaches: Our vCISO ensures swift, SLA-based incident response, minimising impact and business disruption.

NCSC Assured: We have been independently assessed by the NCSC and meet the rigorous standards required to deliver Cyber Resilience Audit services. This gives you confidence that our skills, experience, and quality of service are of the highest standard.

Chartered professionals: Our team includes Chartered Cyber Security Professionals certified by the UK Cyber Security Council, bringing recognised expertise in governance, risk, and technical security.

Business-first approach: We understand that cyber security exists to support your organisation’s objectives, not hinder them. We deliver assessments that are proportionate, pragmatic, and aligned to your business priorities.

Cross-sector experience: With over 15 years of consultancy experience across financial services, healthcare, defence, government, and critical infrastructure, we understand the nuances of different regulatory environments and how CAF requirements apply in practice.

Trusted relationships: We build long-term partnerships with our clients. From initial assessment through to remediation and ongoing assurance, we are with you every step of the way.

Complementary expertise: As CREST-accredited penetration testers and an ISO 27001 certification body, Cyber Essentials certification body, and Defence Cyber Certification body, we offer a comprehensive suite of assurance services that complement and strengthen your overall security posture.

“We appointed RightCue because we didn’t have a need for a full time CISO but needed that level of expertise on a virtual level. Whilst achieving various cyber security accreditations was a key driver, we have got so much more from working with the team. Through delivering fun and innovative training, all of our staff understand the importance of protecting data. We run regular phishing tests, and RightCue report back on results and identify any gaps to plug.

“They are alongside us when we run business continuity simulation, and again identify any areas to develop. Yogesh meets us regularly to report back on various aspects of data and information – giving us a clear roadmap. IT security is so much higher on the agenda now and the board value the pragmatic, practical and level-headed approach RightCue have brought. There is no doubt that I sleep better at night knowing the RightCue team are by my side!”

Eoin O’Connell

Chief Information Officer, The Nurture Group

Talk to our Cyber Resilience Audit experts

Get in touch to discuss how RightCue can support your organisation with NCSC Assured Cyber Resilience Audits and GovAssure Independent Assurance Reviews.
