————————————————————————————————

Our Frequently Asked Questions
————————————————————————————————
Do we collect any data regarding business affairs, such as whether the business has been involved in a data breach in the past five years?
No, our framework does not ask any questions related to business affairs. We focus solely on assessing your current cybersecurity practices and maturity across various sectors to help improve your organization’s security posture. We do not require past incident details for certification.
How often do you need to renew your certification?
Certification renewal is typically required every 2 years to ensure that your enterprise remains compliant with the framework’s measures. The renewal process may involve a review or re-assessment of your security practices to ensure ongoing adherence to the certification requirements.
Is there an exception to the requirements for certain measures?
Yes, there is a “This is not applicable for the Enterprise section” note for measures that do not apply to your organisation. If a particular measure does not fit your business model or does not apply to your industry, you do not need to meet that requirement. For example, if your business does not handle sensitive data or does not have remote workers, some security measures may not be relevant.
Can you apply for certification even if you haven’t fully implemented all measures?
You can still apply for certification, but you must meet all measures for the levels up to the level that you’re applying for. If your enterprise hasn’t implemented all required measures, you should work on meeting them before submitting your application for certification.
Do you need to worry about any data handling or security concerns?
There is no need to worry about how your data is handled when using the NCIFC Framework. We do not collect any personally identifiable information (PII) or sensitive company data. For example, we will never ask questions such as how many security breaches your organisation has experienced. The only data collected through the framework consists of simple responses — “Yes”, “No”, or “Not Applicable” — for each area assessed. Additionally, we ask for your organisation’s name, the sector in which it operates, and a rough estimate of the number of employees. This minimal data collection ensures privacy while still enabling useful insights to be drawn from the assessments.