- What is the Cyber Assessment Framework?
- Understanding the NCSC CAF
- Why the NHS needs to prioritise CAF compliance
- Common cyber security and audit challenges in NHS trusts
- How AD360 supports CAF compliance
- Mapping AD360 to the CAF objectives
- Summary table: How AD360 aligns with the NCSC CAF objectives
- CAF readiness checklist: Getting started with AD360
- Final thoughts: Building a resilient NHS cyber strategy
- FAQs
Imagine walking into a hospital where every door, record, and device is protected by invisible security guards who are alert, adaptive, and always on duty. That’s the level of vigilance the NHS needs today. With cyber threats growing in number and sophistication, healthcare organisations across the UK are facing a new kind of frontline. It’s not just about keeping patient data safe; it’s about ensuring that critical services run smoothly, lives aren’t disrupted, and trust in the NHS remains unshakable.
To help organisations manage exactly these risks, the National Cyber Security Centre (NCSC) developed the Cyber Assessment Framework (CAF). The CAF is the NCSC's method for assessing how well an organisation in scope of the UK NIS Regulations 2018 (the UK implementation of the EU NIS Directive) manages cyber risk to its essential functions. It applies to operators of essential services, a category that includes NHS trusts, and is also used across central government. The NCSC CAF provides a practical blueprint for building cyber resilience and supporting the overall NHS cyber security strategy.
In this blog, we'll break down the NCSC CAF, explore its importance for NHS trusts, and show how ManageEngine AD360, a unified identity and access management (IAM) solution, helps NHS IT teams align with the framework's requirements. Whether you're strengthening access controls, auditing privileged accounts, or minimising the risk of cyber incidents, this blog will help you get started.
What is the Cyber Assessment Framework?
A cyber assessment framework is a structured methodology for evaluating an organisation's cyber security posture. It is essential for:
- Identifying vulnerabilities and cyber risk.
- Demonstrating compliance with regulations such as the UK NIS Regulations and with standards such as ISO/IEC 27001.
- Implementing best practices for data protection.
For NHS trusts, adopting a cyber risk assessment framework is crucial to safeguard sensitive patient data, maintain operational continuity, and strengthen overall cyber resilience.
Understanding the NCSC CAF
The NCSC CAF enables organisations to effectively manage cyber risks, especially those impacting essential healthcare functions. It is built around four objectives, lettered A to D, each broken down into principles and contributing outcomes:
- A: Managing security risk (including governance, asset management, and supply chain risk).
- B: Protecting against cyberattacks.
- C: Detecting cyber security events.
- D: Minimising the impact of cyber security incidents.
The CAF applies a risk management-based approach, making it ideal for critical infrastructure sectors like healthcare. It encourages organisations to adopt security practices that match their threat exposure and improve their overall security posture.
Why the NHS needs to prioritise CAF compliance
NHS trusts handle highly sensitive data and rely heavily on interconnected digital systems. A single data breach can disrupt services, compromise patient safety, and erode public trust. Healthcare accounted for 23% of all data breaches globally in 2024—more than any other sector—underscoring the urgent need for a robust cyber risk assessment framework.
In the UK, the June 2024 ransomware attack on the pathology provider Synnovis, which disrupted thousands of appointments and procedures at London hospitals and reportedly involved data relating to around 300 million patient interactions, highlights the real-world consequences. It also shows that the risk often enters through a supplier, which is exactly why the CAF treats supply chain security as part of managing security risk.
However, legacy infrastructure and manual processes often make CAF implementation harder for NHS trusts.
Common cyber security and audit challenges in NHS trusts
Here are the most common security and governance gaps that hold NHS organisations back:
- Lack of centralised identity governance across multiple domains and legacy systems: Many NHS organisations operate with a mix of modern and legacy IT systems, often spanning multiple domains, departments, and even physical locations. Without a centralised identity governance solution, it becomes difficult to manage user accounts, permissions, and access rights consistently. This fragmentation increases the risk of orphaned accounts, excessive privileges, and unauthorised access—making the organisation more vulnerable to cyberthreats.
- Weak password and privilege management, especially for third-party access: Password policies in many NHS trusts are often inconsistent or outdated, and privileged accounts may not be adequately monitored. Third-party vendors and contractors frequently require access to critical systems, but without strict controls, these external users can become a significant security risk. Weak or shared passwords and unmonitored privileged access can open the door to data breaches and ransomware attacks.
- Inconsistent logging and monitoring of critical events: Effective cybersecurity relies on the ability to detect and respond to suspicious activities in real time. However, many NHS trusts struggle with inconsistent or incomplete logging across their IT infrastructure. This lack of unified monitoring makes it challenging to identify unusual behaviour, investigate incidents, and demonstrate compliance during audits. Without comprehensive event logs, threats can go undetected for extended periods.
- Manual audits that delay detection and increase risk: Traditional, manual audit processes are time-consuming and prone to human error. NHS IT teams often spend countless hours gathering data from disparate systems to prepare for compliance checks or incident investigations. This reactive approach not only delays the detection of security issues but also increases the risk of overlooking critical vulnerabilities. Automated, policy-driven auditing is essential for timely threat detection and streamlined compliance, requiring more than the basic audit tools NHS teams might typically use.
Ultimately, NHS trusts must move beyond basic audit tools and adopt integrated IAM solutions—like ManageEngine AD360—that automate identity governance, enforce security policies, and provide continuous, organisation-wide visibility into access and compliance.
How AD360 supports CAF compliance
ManageEngine AD360 is purpose-built to bring control, visibility, and automation to your identity and access landscape. It maps to the NCSC CAF by enabling NHS IT teams to:
- Centrally manage user identities across Active Directory (AD) and cloud platforms.
- Enforce least privilege access using role-based controls.
- Audit login activities and configuration changes in real time.
- Detect anomalies using behavioural analytics.
Mapping AD360 to the CAF objectives
The NCSC CAF is built around four core objectives that define a robust cybersecurity posture for organisations delivering essential services, such as NHS trusts. AD360 directly supports each of these objectives by providing comprehensive IAM capabilities, automation, and real-time visibility across hybrid IT environments. Let's explore how AD360 aligns with each CAF objective:
Objective A: Managing security risk
CAF principle: Organisations must have effective structures, policies, and processes to identify, assess, and systematically manage security risks, including data security, to essential network and information systems.
How AD360 helps NHS trusts:
- Centralised identity governance: Provides a unified platform for managing user access across on-premises and cloud systems, ensuring consistent enforcement of NHS-specific security policies.
- Automated identity life cycle management: Streamlines joiner-mover-leaver (JML) processes, automating user provisioning and deprovisioning and reducing the risk of orphaned or over-privileged accounts.
- Policy-based access control: Enforces role-based and conditional access policies, ensuring only authorised personnel can access sensitive health data.
- Approval workflows and access certification: Implements auditable workflows for access changes and facilitates regular access reviews in line with NHS DSPT and ISO 27001 requirements.
- Delegated administration: Allows secure, least-privilege delegation to local teams, improving operational resilience without compromising security.
- Alignment with NHS compliance standards: Built-in reporting and alerting support compliance with the CAF, the DSPT, the GDPR, and ISO 27001.
Real-world NHS example: Bedfordshire Hospitals NHS Foundation Trust automated identity governance with AD360, reducing manual errors and improving audit readiness. This streamlined account management, minimised insider threats, and strengthened security, effectively supporting the CAF objective of managing security risk.
Objective B: Protecting against cyberattacks
CAF principle: Organisations must ensure effective defences are in place to protect against cyberthreats targeting essential functions.
How AD360 helps NHS trusts:
- Multi-factor authentication (MFA): Enforces MFA for all users, including third-party contractors, significantly reducing the risk of credential compromise.
- Password policy enforcement: Ensures robust, NHS-aligned password policies to prevent weak or reused credentials.
- Privileged access management: Enables granular control and monitoring of privileged accounts, preventing unauthorised changes and privilege escalation.
- Just-in-time and time-bound access: Grants temporary access for external users only as needed, minimising exposure and supporting Zero Trust principles.
- Threat analytics: Uses behavioural baselines and real-time alerts to identify and respond to suspicious activities, such as unusual logins or privilege escalations.
Objective C: Detecting cybersecurity events
CAF principle: Organisations must be able to detect potential security incidents in a timely manner to protect essential services.
How AD360 helps NHS trusts:
- Continuous monitoring and real-time auditing: Tracks user logins, privilege changes, and critical configuration modifications across all systems.
- Comprehensive logging and SIEM integration: All relevant events are logged and can be integrated with SIEM solutions for advanced threat detection and incident response.
- User behaviour analytics: Detects anomalies, such as off-hours admin logins or abnormal access patterns, and escalates incidents to security teams.
- Automated alerts: Notifies NHS security teams instantly of high-risk events, enabling rapid investigation and response.
According to IBM's Cost of a Data Breach Report 2024, organisations with extensive use of security AI and automation identified and contained breaches 33% faster than those without. Centralised identity logging and alerting is one of the inputs that makes such automation possible.
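A minimal version of the detection logic described under Objective C, as an added example and not AD360's own code. It runs over constructed Windows Security event records (IDs 4624, 4625, 4728 and 4732, with the simplified field names assumed here) and flags three things the list above calls out: off-hours interactive logons by privileged accounts, additions to privileged groups, and bursts of failed logons from one source. The privileged user and group sets, working hours and thresholds are assumptions a trust would tune to its own estate.

```python
"""Detection logic for CAF Objective C events, as an added example (not AD360's own code):
off-hours privileged logons, privileged group additions and failed-logon bursts,
run over constructed Windows Security event records."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events modelled on Windows Security log fields
# (4624 = successful logon, 4625 = failed logon, 4728/4732 = member added to a
# global/local group). Field names are simplified assumptions for this example.
SAMPLE_EVENTS = [
    {"time": "2025-03-03T09:05:00", "id": 4624, "user": "jsmith", "logon_type": 10, "src": "10.1.4.20"},
    {"time": "2025-03-03T02:14:00", "id": 4624, "user": "adm-jones", "logon_type": 10, "src": "10.1.4.99"},
    {"time": "2025-03-03T14:30:00", "id": 4624, "user": "adm-jones", "logon_type": 2, "src": "10.1.4.50"},
    {"time": "2025-03-03T14:31:00", "id": 4728, "user": "adm-jones", "target": "svc-backup", "group": "Domain Admins"},
    {"time": "2025-03-03T11:00:00", "id": 4732, "user": "helpdesk1", "target": "nurse42", "group": "Ward-7-Staff"},
] + [
    {"time": f"2025-03-03T03:00:{s:02d}", "id": 4625, "user": "svc-lims", "logon_type": 3, "src": "203.0.113.7"}
    for s in range(0, 40, 5)  # eight failures in 35 seconds from one source
]

# Assumed trust-specific tuning.
PRIVILEGED_USERS = {"adm-jones", "adm-lee"}
PRIVILEGED_GROUPS = {"Domain Admins", "Enterprise Admins", "Administrators", "Schema Admins"}
INTERACTIVE_LOGON_TYPES = {2, 10, 11}   # console, RDP, cached interactive
WORK_HOURS = (7, 20)                     # 07:00 to 20:00 counts as on-hours
FAILED_LOGON_THRESHOLD = 5
FAILED_LOGON_WINDOW = timedelta(minutes=5)


def _ts(event):
    return datetime.fromisoformat(event["time"])


def off_hours_privileged_logons(events, privileged=PRIVILEGED_USERS):
    """Interactive logons by privileged accounts outside WORK_HOURS."""
    start, end = WORK_HOURS
    return [
        e for e in events
        if e["id"] == 4624 and e["user"] in privileged
        and e["logon_type"] in INTERACTIVE_LOGON_TYPES
        and not (start <= _ts(e).hour < end)
    ]


def privileged_group_additions(events, groups=PRIVILEGED_GROUPS):
    """Any member added to a privileged group, regardless of who did it."""
    return [e for e in events if e["id"] in (4728, 4732) and e["group"] in groups]


def failed_logon_bursts(events, threshold=FAILED_LOGON_THRESHOLD, window=FAILED_LOGON_WINDOW):
    """Sources producing at least `threshold` 4625 events inside a sliding window.
    Returns {source: largest count seen inside one window}."""
    by_src = defaultdict(list)
    for e in events:
        if e["id"] == 4625:
            by_src[e["src"]].append(_ts(e))
    bursts = {}
    for src, times in by_src.items():
        times.sort()
        left = 0
        for right in range(len(times)):
            while times[right] - times[left] > window:
                left += 1
            if right - left + 1 >= threshold:
                bursts[src] = right - left + 1
    return bursts


def run_detections(events):
    """Return (rule, subject) alert tuples ready for a SIEM or ticket queue."""
    alerts = []
    alerts += [("off_hours_priv_logon", e["user"]) for e in off_hours_privileged_logons(events)]
    alerts += [("priv_group_add", f'{e["target"]}->{e["group"]} by {e["user"]}')
               for e in privileged_group_additions(events)]
    alerts += [("failed_logon_burst", f"{src} ({n})") for src, n in failed_logon_bursts(events).items()]
    return alerts


if __name__ == "__main__":
    for rule, subject in run_detections(SAMPLE_EVENTS):
        print(f"ALERT {rule}: {subject}")
```

Run against the constructed events this raises exactly three alerts: the 02:14 RDP logon by adm-jones, the addition of svc-backup to Domain Admins, and the failed-logon burst from 203.0.113.7. The 14:30 console logon and the helpdesk change to a ward group are correctly ignored, which is the point of tying rules to privileged sets rather than alerting on every event.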
Objective D: Minimising impact of cyber incidents
CAF principle: Organisations must prepare for and manage the impact of security breaches to limit damage and ensure rapid recovery.
How AD360 helps NHS trusts:
- Automated incident response: Enables immediate disabling of compromised accounts and automated workflows to contain threats.
- AD backup and recovery: Supports rapid restoration of AD objects and configurations, ensuring continuity after ransomware or accidental deletions.
- Detailed audit trails: Maintains comprehensive logs for post-incident analysis, regulatory reporting, and continuous improvement.
- Automated offboarding: Ensures access for leavers and third parties is revoked promptly, reducing the risk of lingering or orphaned accounts.
Summary table: How AD360 aligns with the NCSC CAF objectives
| CAF objective | AD360 in action | Benefits to NHS trusts |
|---|---|---|
| Managing security risk | Automated user provisioning, role-based access control, and delegated administration. | Ensures only authorised staff have access; reduces risk. |
| Protecting against cyberattacks | MFA, strict password policies, and privileged account monitoring. | Blocks unauthorised access and mitigates credential abuse. |
| Detecting security events | Real-time activity auditing, anomaly detection, and SIEM integration. | Enables rapid threat identification and investigation. |
| Minimising the impact of incidents | Instant account lockdown, AD backup and restore, and comprehensive audit trails. | Supports fast recovery and detailed incident analysis. |
CAF readiness checklist: Getting started with AD360
If you're starting your NCSC CAF compliance journey, this checklist for NHS IT teams provides essential steps for how to comply with the NCSC CAF using AD360:
- Map users and roles:
- Conduct a thorough review of all staff, contractors, and third-party users.
- Align each user’s access permissions with their current responsibilities and department needs.
- Regularly update roles and permissions as staff move, join, or leave, using automated workflows to reduce manual errors.
- Enable MFA and SSO:
- Enforce adaptive MFA for all users—including healthcare staff, temporary workers, and external partners—to protect sensitive patient data and critical systems.
- Implement SSO to streamline secure access across all clinical and administrative applications to reduce password fatigue and improve productivity.
- Automate user provisioning:
- Use templates and approval-based workflows to automate onboarding, role changes, and offboarding for permanent and temporary staff.
- Set up time-bound access for contractors and temporary healthcare workers, ensuring permissions expire automatically when no longer needed.
- Monitor privileged accounts:
- Continuously audit privileged user activity, including administrators and third-party vendors, to detect unauthorised changes or suspicious behaviour.
- Schedule regular reviews and certifications of privileged access to maintain least-privilege principles and regulatory compliance.
- Set up alerts and custom reports:
- Configure real-time alerts for critical events such as failed login attempts, privilege escalations, and unusual access patterns.
- Use AD360's prebuilt and custom compliance reports to simplify audit preparation and demonstrate adherence to the CAF, the DSPT, and UK GDPR requirements.
- Streamline self-service for staff:
- Enable self-service password resets and account unlocks to reduce IT helpdesk workload and ensure uninterrupted access for clinicians and staff.
- Maintain continuous compliance monitoring:
- Use AD360's continuous monitoring and reporting capabilities to proactively identify and respond to compliance gaps or security incidents.
- Regularly export and review audit-ready reports to support internal and external audits.
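The joiner-mover-leaver and access-certification logic that both the Objective A section and this checklist describe, as an added example and not AD360's own code. The role catalogue, the 90-day cap on contractor access, the account fields and the clock are all constructed assumptions; the point is to show the invariants a trust should expect its IAM tooling to enforce: a mover's old entitlements do not survive the move, external access always carries an expiry, expired accounts are disabled automatically, and a review surfaces excess groups and accounts whose manager has left.

```python
"""Joiner-mover-leaver policy model, as an added example (not AD360's own code):
role-based entitlements, time-bound contractor access, automatic expiry and an
access-certification report over a constructed in-memory directory."""
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import Optional

# Constructed role catalogue: role -> the groups that role is allowed to hold.
ROLE_GROUPS = {
    "nurse":      {"Ward-7-Staff", "EPR-Clinical-Read"},
    "pharmacist": {"Pharmacy-Staff", "EPR-Clinical-Read", "EPR-Prescribe"},
    "it-admin":   {"Domain Admins", "Helpdesk"},
    "contractor": {"VPN-External"},
}
CONTRACTOR_MAX_DAYS = 90   # assumed trust policy: external access expires within 90 days


@dataclass
class Account:
    sam: str
    role: str
    enabled: bool = True
    expires: Optional[date] = None
    groups: set = field(default_factory=set)
    manager: Optional[str] = None   # owning account, used for the orphan check


def joiner(directory, sam, role, manager, today, days=None):
    """Provision from the role template only; contractors are always time-bound."""
    if role not in ROLE_GROUPS:
        raise ValueError(f"unknown role {role}")
    if role == "contractor":
        days = min(days or CONTRACTOR_MAX_DAYS, CONTRACTOR_MAX_DAYS)
    expires = today + timedelta(days=days) if days else None
    acct = Account(sam, role, True, expires, set(ROLE_GROUPS[role]), manager)
    directory[sam] = acct
    return acct


def mover(directory, sam, new_role):
    """Replace old-role groups with new-role groups; nothing is carried over."""
    acct = directory[sam]
    acct.groups = set(ROLE_GROUPS[new_role])
    acct.role = new_role
    return acct


def leaver(directory, sam):
    """Disable and strip all groups; the object is kept for audit history."""
    acct = directory[sam]
    acct.enabled = False
    acct.groups.clear()
    return acct


def expire_due_accounts(directory, today):
    """Nightly job: disable anything past its expiry date. Returns the sAMAccountNames."""
    expired = [a.sam for a in directory.values() if a.enabled and a.expires and a.expires < today]
    for sam in expired:
        leaver(directory, sam)
    return expired


def certify_access(directory):
    """Findings for an access review: excess groups, orphans, unbounded externals.
    Accounts with no recorded manager are out of scope of the orphan check here."""
    findings = []
    for a in directory.values():
        if not a.enabled:
            continue
        excess = a.groups - ROLE_GROUPS[a.role]
        if excess:
            findings.append((a.sam, "excess_groups", sorted(excess)))
        if a.manager is not None:
            mgr = directory.get(a.manager)
            if mgr is None or not mgr.enabled:
                findings.append((a.sam, "orphaned_no_active_manager", a.manager))
        if a.role == "contractor" and a.expires is None:
            findings.append((a.sam, "external_without_expiry", None))
    return findings


def demo(today=date(2025, 3, 3)):
    """Walk one JML cycle on constructed accounts and return (directory, expired, findings)."""
    d = {}
    joiner(d, "itmgr1", "it-admin", manager=None, today=today)
    joiner(d, "adm-lee", "it-admin", manager="itmgr1", today=today)
    joiner(d, "nurse42", "nurse", manager="matron1", today=today)       # matron1 was never onboarded
    joiner(d, "vendor7", "contractor", manager="itmgr1", today=today, days=365)  # clamped to 90 days
    d["nurse42"].groups.add("EPR-Prescribe")      # ad hoc grant outside the role template
    mover(d, "adm-lee", "pharmacist")             # Domain Admins must not survive the move
    leaver(d, "itmgr1")                           # their reports are now orphaned
    expired = expire_due_accounts(d, today + timedelta(days=91))
    return d, expired, certify_access(d)


if __name__ == "__main__":
    directory, expired, findings = demo()
    print("expired:", expired)
    for f in findings:
        print("finding:", f)
```

In the demo the contractor requested 365 days and got 90, is disabled the night after expiry, and the review reports nurse42's out-of-role EPR-Prescribe grant plus two accounts whose manager is missing or has left. The same invariants are what an auditor checks when reviewing a trust's JML evidence, whatever tool produces it.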
By following this checklist, your NHS trust can automate key IAM tasks, reduce manual errors, enhance patient data protection, and meet both technical and governance requirements for CAF compliance.
Final thoughts: Building a resilient NHS cyber strategy
Meeting CAF requirements is not just about ticking a compliance box—it’s about building a security culture that protects the NHS, its staff, and its patients from increasingly sophisticated cyber threats. A robust cyber strategy ensures uninterrupted healthcare services, preserves public trust, and safeguards sensitive patient data against breaches and operational disruptions.
ManageEngine AD360 empowers NHS IT teams to achieve CAF compliance efficiently by automating identity governance, strengthening access controls, and providing continuous audit readiness. With centralised visibility and proactive risk management, NHS trusts can create a secure, resilient, and responsive IT environment that evolves alongside emerging cyber risks.
FAQs
The CAF itself is not legislation, but NHS trusts are designated operators of essential services under the UK NIS Regulations, and NHS England's Data Security and Protection Toolkit (DSPT) has been aligned to the CAF since its 2024-25 edition, so NHS organisations are expected to assess themselves against it.
Yes. AD360 supports hybrid Active Directory, Microsoft Entra ID, and Microsoft 365 environments, which suits the mixed on-premises and cloud estates most NHS trusts run.
AD360 provides targeted, identity-centric auditing tailored to healthcare needs and CAF objectives, unlike generic audit tools NHS teams might use.
Yes. AD360 also supports the Data Security and Protection Toolkit (DSPT), UK GDPR, and NHS information governance requirements.
AD360 provides detailed logs and customisable reports to support NHS data breach reporting and incident response.