The UK’s National Cyber Security Centre (NCSC) has introduced its new Cyber Resilience Audit (CRA) scheme, a significant step in enhancing cybersecurity across critical sectors. Announced at the CYBERUK conference in May, the scheme aims to establish a framework for certifying auditors who can conduct independent assessments based on the Cyber Assessment Framework (CAF). This initiative is designed to address the evolving needs of sectors deemed nationally critical, ensuring they meet rigorous cybersecurity standards.
Catherine H., head of the NCSC’s assured professional schemes, explained that the CRA scheme will focus on verifying that auditors meet common requirements set by oversight bodies. Once auditors are approved, they will be eligible to conduct specific sector audits, provided they meet additional criteria set by the relevant oversight body. This approach ensures that auditors are well-equipped to address sector-specific challenges while maintaining high standards of cybersecurity assurance.
The CRA scheme is open to audit companies of all sizes, with a particular emphasis on including firms that address issues of under-representation in the industry. This includes those serving geographically remote or underserved areas, aiming to broaden the reach and impact of the scheme. The NCSC plans to monitor and develop the scheme in collaboration with government departments and regulators to continually enhance its effectiveness and relevance.
Detailed information and documentation for the CRA scheme will be made available on the NCSC’s website as the scheme progresses. The NCSC expects to begin accepting applications from auditors and publishing further details by autumn. This initiative follows the launch of GovAssure in April 2023, which focuses on independent auditing of government agencies’ cyber resilience, further strengthening the UK’s approach to cybersecurity.