← Home
NIST Cybersecurity Framework (CSF)
The NIST Cybersecurity Framework (CSF) is a voluntary, risk-based framework developed by the
National Institute of Standards and Technology (NIST) to help organizations manage and reduce
cybersecurity risk.
It provides a common language for cybersecurity across all industries and organizations, regardless of size.
Figure – The six core functions of the NIST Cybersecurity Framework (CSF 2.0).
Overview
Objectives
Identify cybersecurity risks
Protect critical assets and operations
Detect cybersecurity events quickly
Respond effectively to incidents
Recover normal operations with minimal disruption
Continuously improve cybersecurity maturity
Core Structure
The NIST CSF is built around six core functions (CSF 2.0).
1. Govern (GV)
Establish organizational cybersecurity governance.
Focuses on:
Cybersecurity strategy
Policies
Risk management
Roles and responsibilities
Legal and regulatory compliance
Supply chain governance
Executive oversight
Key question:
Are we managing cybersecurity as part of business governance?
2. Identify (ID)
Understand what needs protection.
Activities include:
Asset inventory
Software inventory
Business environment
Critical services
Risk assessment
Risk prioritisation
Third-party dependencies
Key question:
What assets are important and what risks exist?
3. Protect (PR)
Implement safeguards to reduce the likelihood of cyber incidents.
Includes:
Identity and access management
Authentication
Awareness and training
Data protection
Encryption
Backups
Secure configuration
Network security
Protective technologies
Key question:
How do we prevent cyber attacks?
4. Detect (DE)
Identify cybersecurity events as early as possible.
Activities include:
Security monitoring
Log collection
Intrusion detection
Anomaly detection
Continuous monitoring
Alert generation
Key question:
Has something happened?
5. Respond (RS)
Take action once an incident occurs.
Includes:
Incident response planning
Communications
Investigation
Containment
Eradication
Forensics
Coordination with stakeholders
Lessons learned
Key question:
What do we do now?
6. Recover (RC)
Restore operations after an incident.
Activities include:
Disaster recovery
Business continuity
System restoration
Recovery validation
Post-incident improvements
Communication with customers and regulators
Key question:
How do we return to normal operations?
Framework Components
Core
The Core defines the six cybersecurity functions and the outcomes organizations should achieve.
Profiles
Profiles compare:
Current cybersecurity posture
Desired cybersecurity posture
Profiles help organizations:
Prioritise improvements
Plan investments
Measure progress
Align cybersecurity with business objectives
Tiers
Implementation Tiers describe how mature cybersecurity risk management is.
Tier 1 – Partial
Informal processes
Limited awareness
Reactive cybersecurity
Minimal governance
Tier 2 – Risk Informed
Some documented processes
Management aware of cybersecurity risks
Risk considered during decision-making
Tier 3 – Repeatable
Documented policies
Consistent implementation
Regular assessments
Well-defined governance
Tier 4 – Adaptive
Continuous improvement
Threat intelligence integrated
Metrics-driven decisions
Highly mature cybersecurity program
Risk Management Process
Typical NIST CSF implementation:
Understand business objectives
Identify critical assets
Assess cyber risks
Select security controls
Implement safeguards
Monitor security continuously
Respond to incidents
Recover operations
Review and improve
Benefits
Flexible and scalable
Risk-based approach
Industry neutral
Improves communication between technical and business teams
Supports compliance with multiple regulations
Helps prioritise cybersecurity investments
Encourages continual improvement
Integrates well with existing security standards
Relationship with Other Standards
NIST CSF complements rather than replaces other cybersecurity standards.
Standard
Purpose
Relationship to NIST CSF
IEC 62443
Industrial Automation & Control Systems (OT)
NIST CSF provides enterprise-level risk management; IEC 62443 provides detailed OT security requirements.
ISO/IEC 27001
Information Security Management System (ISMS)
NIST CSF can be used to structure and assess an ISO 27001 security program.
ISO/IEC 27002
Security controls
Provides detailed security controls that support NIST CSF outcomes.
CIS Controls
Practical security controls
Helps implement many of the Protect, Detect, and Respond functions.
Strengths
Easy to understand
Business-focused
Technology agnostic
Scalable from small businesses to critical infrastructure
Widely adopted globally
Strong focus on risk management and continuous improvement
Limitations
Does not prescribe specific technical controls
Requires organisations to select and implement appropriate controls
Not a certification standard
May need to be combined with standards such as IEC 62443 or ISO/IEC 27001 for detailed implementation guidance
Key Takeaways
Developed by NIST to manage cybersecurity risk.
Applicable across all industries and organisation sizes.
Built around six functions: Govern, Identify, Protect, Detect, Respond, Recover .
Uses Profiles to compare current and target cybersecurity states.
Uses Implementation Tiers to measure cybersecurity maturity.
Promotes continuous improvement and risk-based decision making.
Often used alongside standards such as IEC 62443 , ISO/IEC 27001 , and ISO/IEC 27002 .