The cyber security strategy is structured around the following four objectives and fourteen principles or outcomes.
| Objective | Principle or outcome |
| --- | --- |
| Managing security risk | A1 Governance; A2 Risk management; A3 Asset management; A4 Supply chain |
| Protecting against cyber attack | B1 Service protection policies and processes; B2 Identity and access control; B3 Data security; B4 System security; B5 Resilient networks and systems; B6 Employee awareness and training |
| Detecting cyber security events | C1 Security monitoring; C2 Proactive security event discovery |
| Minimising the impact of cyber security incidents | D1 Response and recovery planning; D2 Lessons learned |
Each principle or outcome has a recommended benchmark measure of achievement, which also defines what represents partial or non-achievement. This is explained in the Introduction to the Cyber Assessment Framework (CAF) on UK Government Security.