The NIST Cybersecurity Framework (CSF) is a voluntary, outcome-based framework for managing and reducing cybersecurity risk. CSF 2.0 (2024) broadened its scope beyond critical infrastructure and added a sixth Function, Govern. It describes desired outcomes in a common language and maps cleanly to ISO 27001, SOC 2, CIS Controls and NIST 800-53.
The CSF Core: six Functions
| Function | Purpose | Example categories |
|---|---|---|
| Govern (GV) | Establish and monitor the cyber risk-management strategy, roles and policy | Organisational context, risk-management strategy, roles & responsibilities, policy, oversight, supply-chain risk |
| Identify (ID) | Understand assets, data, suppliers and risks | Asset management, risk assessment, improvement |
| Protect (PR) | Safeguards to limit or contain impact | Identity & access, awareness & training, data security, platform security, resilience |
| Detect (DE) | Find and analyse anomalies and incidents | Continuous monitoring, adverse-event analysis |
| Respond (RS) | Act on a detected incident | Incident management, analysis, reporting, mitigation |
| Recover (RC) | Restore capabilities after an incident | Recovery plan execution, communications |
Each Function contains Categories (outcome groups) and Subcategories (specific outcomes), with Implementation Examples and Informative References that map to other standards.
Implementation Tiers
| Tier | Name | Characteristic |
|---|---|---|
| 1 | Partial | Ad hoc, reactive risk management; limited awareness |
| 2 | Risk Informed | Risk practices approved but not organisation-wide |
| 3 | Repeatable | Formal policies, consistent organisation-wide practice |
| 4 | Adaptive | Continuous improvement using lessons learned and predictive indicators |
Tiers describe the rigour of cyber risk governance and management — they are a maturity indicator, not a score to maximise blindly. Choose a target Tier appropriate to your risk.
Profiles: current vs target
- A Profile is your selection and prioritisation of outcomes based on business needs, risk and obligations.
- A Current Profile captures the outcomes you achieve today; a Target Profile captures where you need to be.
- The gap between them drives your prioritised action plan.
Adoption roadmap
- Scope and context: define the organisation, mission, obligations and risk appetite (Govern).
- Build the Current Profile — assess how well you achieve each outcome today.
- Define the Target Profile — the outcomes appropriate to your risk.
- Gap analysis between Current and Target, expressed as prioritised actions.
- Implement improvements, assigning owners and using Tiers to gauge maturity.
- Measure, report to leadership (Govern) and iterate continuously.
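The Profile and gap-analysis steps above can be made concrete. The following Python is an added illustration written for this page, not tooling from NIST or from the page's authors: it models a Current and a Target Profile as maps from a CSF 2.0 Category identifier (GV.RM, ID.AM, DE.CM and so on, used here only as labels for the outcome groups named in the Core table) to an achievement level on a constructed 0 to 4 scale, computes the gap per outcome, and orders the resulting actions by gap weighted with a risk weight taken from the risk assessment. The 0 to 4 scale, the risk weights and every profile value are assumptions constructed for the example; the scale is not the CSF Implementation Tier scale, which rates the rigour of the organisation's risk governance as a whole rather than individual outcomes.

```python
"""Current-vs-Target Profile gap analysis following the CSF adoption roadmap.

Added illustration, not NIST's or any vendor's tooling.  Each Profile maps a
CSF 2.0 Category identifier (GV.OC, ID.AM, ...) to an achievement level on a
constructed 0-4 scale (0 = not addressed, 4 = fully achieved and measured).
That scale is an assumption for this example, not the CSF Tier scale.
"""
from dataclasses import dataclass

# Function prefixes of CSF 2.0 Category identifiers.
FUNCTIONS = {
    "GV": "Govern", "ID": "Identify", "PR": "Protect",
    "DE": "Detect", "RS": "Respond", "RC": "Recover",
}


@dataclass(frozen=True)
class Action:
    category: str
    function: str
    current: int
    target: int
    weight: int

    @property
    def gap(self) -> int:
        return self.target - self.current

    @property
    def priority(self) -> int:
        # A larger shortfall on a higher-risk outcome floats to the top.
        return self.gap * self.weight


def gap_analysis(current, target, risk_weight):
    """Return the prioritised action list: one Action per outcome whose
    current achievement falls short of the Target Profile, highest priority
    first.  Outcomes absent from the Current Profile count as level 0."""
    actions = []
    for cat, want in target.items():
        have = current.get(cat, 0)
        if not 0 <= want <= 4 or not 0 <= have <= 4:
            raise ValueError(f"{cat}: levels must be on the 0-4 scale")
        if have >= want:
            continue  # already at or above target: no action needed
        fn = FUNCTIONS[cat.split(".")[0]]
        actions.append(Action(cat, fn, have, want, risk_weight.get(cat, 1)))
    # Ties broken by raw gap, then by identifier so the order is stable.
    return sorted(actions, key=lambda a: (-a.priority, -a.gap, a.category))


def coverage_by_function(current, target):
    """Fraction of each Function's target achievement met today, rounded to
    two decimals: the one-line-per-Function summary a leadership report
    (Govern) asks for.  Achievement above target does not earn credit."""
    got, need = {}, {}
    for cat, want in target.items():
        fn = FUNCTIONS[cat.split(".")[0]]
        need[fn] = need.get(fn, 0) + want
        got[fn] = got.get(fn, 0) + min(current.get(cat, 0), want)
    return {fn: round(got[fn] / need[fn], 2) for fn in need if need[fn]}


# Constructed sample profiles (illustrative values, not a real assessment).
CURRENT_PROFILE = {
    "GV.RM": 1, "GV.SC": 0, "ID.AM": 2, "ID.RA": 1,
    "PR.AA": 3, "PR.DS": 2, "DE.CM": 1, "RS.MA": 2, "RC.RP": 1,
}
TARGET_PROFILE = {
    "GV.RM": 3, "GV.SC": 2, "ID.AM": 3, "ID.RA": 3,
    "PR.AA": 3, "PR.DS": 3, "DE.CM": 3, "RS.MA": 3, "RC.RP": 3,
}
# Constructed risk weights (1-3) from the risk assessment: supplier and
# detection shortfalls are judged the most exposed outcomes here.
RISK_WEIGHT = {"GV.SC": 3, "DE.CM": 3, "ID.RA": 2, "RC.RP": 2}

if __name__ == "__main__":
    for a in gap_analysis(CURRENT_PROFILE, TARGET_PROFILE, RISK_WEIGHT):
        print(f"{a.priority:>3}  {a.category} ({a.function}): "
              f"{a.current} -> {a.target}")
    print(coverage_by_function(CURRENT_PROFILE, TARGET_PROFILE))
```

With the constructed values, the detection-monitoring and supply-chain outcomes lead the action list because they combine the largest gap with the highest risk weight, while the access-control outcome, already at target, produces no action at all; the per-Function coverage figures are what the "measure and report to leadership" step would carry into the next iteration.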
What CSF 2.0 changed
- Added the Govern Function — cybersecurity as an enterprise-risk and leadership responsibility.
- Broadened applicability beyond critical infrastructure to all organisations.
- Strengthened supply-chain risk management guidance.
- Added implementation examples, quick-start guides and organisational profiles.
Readiness checklist
- A cyber risk-management strategy and roles are defined and governed (Govern).
- Assets, data and suppliers are inventoried and risk-assessed (Identify).
- Access control, training, data and platform security controls are in place (Protect).
- Continuous monitoring and detection are operating (Detect).
- An incident-response capability exists and is tested (Respond).
- Recovery plans exist and are exercised (Recover).
- Current and Target Profiles are documented with a prioritised action plan.
NIST CSF mapped to other frameworks
| Framework | Relationship |
|---|---|
| ISO 27001 | Controls map closely; CSF outcomes ↔ Annex A / ISMS |
| NIST 800-53 | CSF references 800-53 controls as one implementation set |
| CIS Controls | CIS safeguards implement many CSF outcomes |
| COBIT | COBIT supplies the enterprise IT governance layer within which a CSF implementation is directed and overseen |
Need help with NIST CSF?
CERT-In empanelled, PCI QSA senior auditors can take you from reading about it to compliant — with a scoped, guided programme.
