CDCAT Cyber Maturity Assessment

Provided by

Enquire about this course


Faced with evolving threats and escalating risks, understanding and managing your organisation;s cyber security resilience has become essential to protecting your business. (CDCAT®) is the definitive means of measuring operational risk and managing and maintaining an effective cyber risk management strategy to drive your organisation's cyber resilience transformation. For organisations that hold accreditations against a number of security standards, the different annual audits can cost tens of thousands. CDCAT® enables resilience and gap analysis assessments to be completed against multiple standards simultaneously, saving time and effort.

Its underpinning methodology was developed by the Defence Science and Technology Laboratory (Dstl), for the Ministry of Defence (MOD). Dstl is a government organisation dedicated to ensuring that innovative science and technology contributes to the defence and security of the UK.

Who is CDCAT cyber resilience and gap analysis assessment for?

Any organisation that wants to confirm the effectiveness of its current cyber security controls, or is unsure how to go about establishing its cyber security resilience.

Do you understand the risks?

According to the UK Government;s Department for Culture, Media and Sport (DCMS) Cyber Security Breaches Survey 2019
  • Cyber security is increasingly a priority issue for organisations. 78% of businesses (vs. 74% in 2018) and 75% of charities (vs. 53% in 2018) now rate it as a high priority.
  • Only 58% of businesses and 53% of charities have taken action towards 5 or more of the Government;s 10 Steps to Cyber Security.
CDCAT® is a registered trade mark of The Secretary of State for Defence, Dstl. All rights reserved.


Many recognised best practices are built into the tool, for example:
  • UK;s 10 Steps to Cyber Security
  • ISO/IEC 27001
  • NIST Cyber Security Framework
  • Cyber Essentials
  • Defence Cyber Protection Partnership (DCPP)
The wide selection of standards in the tool allows you to select those most applicable to your organisation, tailoring the assessment to suit your needs in a unique CDCAT® strategy fused from one or more standard and threat requirement to meet and the audit need, for example to meet the needs of the UK NCSC Cyber Assurance Framework(CAF) or the EU Network and Information Systems (NIS) Directive and as needed for Competent Authority (CA) audits.


What benefits will CDCAT bring to my organisation?
  • Cutting-edge technology and gap analysis Assessments of your organisation;s cyber security resilience capability are carried out using CDCAT® - a unique calibrated measurement approach developed by the MOD and the Defence Science and Technology Laboratory (Dstl).
  • Agility Perform rapid assessments of your organisation;s systems and controls to take fast remedial action.
  • Tailored expertise Receive tailored advice on your organisation;s resilience and cyber security spending.
  • Complete scalability Develop an assured strategy regardless of your organisation;s standards audit needs, size, systems or market.
  • Keep ahead of the threats Cyber threats are continuously evolving - CDCAT®;s mitigations are continuously updated to evolve with the threat.
  • Assured cyber security investment Ensure your cyber security spend is based on real and comprehensive evidence.
  • Continuous enhancements Monitor the progress of your cyber resilience and make repeated assessments to ensure optimal transformation of your organisation;s cyber security.
  • Evidence-based reporting Supports compliance programmes and generates evidence to support the General Data Protection Regulation (GDPR) due diligence.
Assessment method:

CDCAT® assessments are conducted by a QA Cyber Consultants who are trained CDCAT assessors.


To undergo a CDCAT assessment, the scope of the system to be assessed is defined. This could range from a whole organisation, to one main information system, down to a single laptop. The risk tolerance for the system is then agreed - how much business risk is acceptable for that system? This determines the controls and the level of control systems outcome maturity required to be effective against the current threats. If a control is not in place or is not being implemented effectively, this is viewed as a vulnerability and will adversely affect the capability of the organisation to withstand attack. Attackers will always target the weakest link in the security chain. The easily repeatable resilience assessment can take as little as two hours depending on the scope, and produces a report immediately with full explanations. Frequent quick to achieve repetitions enable organisations to be responsive to cyber-criminals; continuously evolving methods and check any enhancements needed made to their resilience operations.

Typically, a CDCAT resilience assessment engagement is over three days:
  • Day 1 Initial client scoping
  • Day 2 CDCAT Assessment with customer team
  • Day 3 Delivery of CDCAT Assessment report and customer debrief


Start date Location / delivery
No fixed date United Kingdom Book now
01132207150 01132207150

Related article

The Cyber Pulse is QA's new portal to free Cyber content, including on-demand webinars, articles written by leading experts,