CAF Outcome A1.b: Roles and Responsibilities

From the UK NCSC's Cyber Assessment Framework (version 3.1):

Your organisation has established roles and responsibilities for the security of networks and information systems at all levels, with clear and well-understood channels for communicating and escalating risks.

NCSC CAF Mapped to NIST CSF

Mappings from A1.b: Roles and Responsibilities to NIST CSF subcategories, generated from the UK Cabinet Office mapping table.

Control ID   Description
ID.GV-2      Cybersecurity roles and responsibilities are coordinated and aligned with internal roles and external partners
PR.AT-5      Physical and cybersecurity personnel understand their roles and responsibilities
DE.DP-1      Roles and responsibilities for detection are well defined to ensure accountability
PR.AT-3      Third-party stakeholders (e.g., suppliers, customers, partners) understand their roles and responsibilities
ID.GV-4      Governance and risk management processes address cybersecurity risks
PR.AT-1      All users are informed and trained
RS.CO-1      Personnel know their roles and order of operations when a response is needed
PR.AT-2      Privileged users understand their roles and responsibilities
ID.AM-6      Cybersecurity roles and responsibilities for the entire workforce and third-party stakeholders (e.g., suppliers, customers, partners) are established
PR.AT-4      Senior executives understand their roles and responsibilities

Related ISA/IEC 62443 Controls

Clauses and controls from IEC 62443 (62443-2-1 and 62443-3-3) that are related to this CAF outcome, taken from mappings by Ofgem.

  • Establish the security organisation (4.3.2.3.2)
    ISA/IEC 62443-2-1:2009
  • Define and communicate specific roles and responsibilities (4.3.2.5.5)
    ISA/IEC 62443-2-1:2009
  • Authorize account access (4.3.3.5.3)
    ISA/IEC 62443-2-1:2009
  • Form a continuity team (4.3.2.5.4)
    ISA/IEC 62443-2-1:2009
  • Define the organisational responsibilities (4.3.2.3.3)
    ISA/IEC 62443-2-1:2009
  • Document and communicate security expectations and responsibilities (4.3.3.2.5)
    ISA/IEC 62443-2-1:2009

Related ISO 27001 Controls

Clauses and controls from ISO 27001 (2013) that are related to this CAF outcome, taken from mappings by Ofgem.

  • Information security roles and responsibilities (6.1.1)
    ISO 27001:2013
  • Responsibilities and procedures (16.1.1)
    ISO 27001:2013

Related SP800-53 Controls

Generated from NIST's SP800-53/CSF Crosswalk mappings.