The C-RAF Process Flow

This interactive handbook demystifies the HKMA's Cyber Resilience Assessment Framework (C-RAF 2.0). Start here to understand the end-to-end process, then dive deeper into the interactive tools for each stage.

Inherent Risk Calculator

The C-RAF journey begins by assessing your institution's inherent risk. Use this tool to complete the assessment based on the five key risk categories. The calculator automatically applies the HKMA's "upward adjustment" rule and determines your required maturity level.

For each criterion, select the most appropriate risk level for your institution.

Maturity Assessment Explorer

Once your required maturity is set, you must assess your current capabilities against the C-RAF's 7 domains and 26 components. Use the filters below to explore the control principles for each maturity level (Baseline, Intermediate, Advanced).

iCAST Deep Dive

For institutions requiring Intermediate or Advanced maturity, Intelligence-led Cyber Attack Simulation Testing (iCAST) is mandatory. It's a realistic simulation of a sophisticated attack. Explore the five phases of an iCAST project below.