Select regional store:

NIST Cybersecurity Framework (CSF)

What is the NIST CSF? 

The NIST Cybersecurity Framework CSF is a voluntary framework that provides guidance to help organizations manage and mitigate cybersecurity risk based on existing standards, guidelines, and practices.

Although primarily intended for US critical infrastructure organizations, the Framework is flexible enough to be used by any organization anywhere in the world.

Implementing the Framework

The CSF can be used to review or improve an existing cybersecurity program or to establish an entirely new one, and it offers a relatively straightforward implementation process.

This pocket guide covers:

  • Advantages of implementing the NIST CSF
  • Detailed explanations of each of the CSF’s components
  • How you can integrate the CSF with other frameworks, including ISO 27001 and ISO 22301

Tailoring your CSF to your organization’s needs can help you manage cybersecurity threats effectively and efficiently.

Shop now

NIST CSF overview

The CSF contains three key components: the corse, the implementation tiers and the profiles.

The core

The core is a set of activities, outcomes, and references that detail approaches to aspects of cybersecurity. The core has four elements: functions, categories, subcategories, and informative references.

The five Framework core functions describe the basic phases to achieve cybersecurity:

  1. Identify potential cybersecurity risks to your information assets
  2. Protect yourself against these risks by developing and implementing safeguards
  3. Detect any irregular activity to determine if breaches have occurred
  4. Respond to any detected breaches to contain their impact
  5. Recover from these breaches by restoring any undermined assets

Each function is divided into categories, which are the activities necessary to fulfil each function. These might include asset management, risk assessment, awareness and training, and detection processes.

Subcategories further subdivide categories, describing specific results of these activities that are necessary to fulfil each category.

Finally, informative references specify sources of best practice from a range of publications, including standards and guidelines. These describe methods or points of consideration to help achieve the outcomes of each subcategory (or control), and include ISO 27001, COBIT®, and NIST SP (Special Publication) 800-53.

Framework Implementation Tiers

Framework Implementation Tiers describe the sophistication of the organization’s cybersecurity measures on the basis of its risk management process, integrated risk management program, and external participation in risk management. The four tiers are partial, risk-informed, repeatable, and adaptive. 

The Current profile

The current profile is a picture of an organization’s ongoing cybersecurity activities and their outcomes. It is an opportunity for an organization to clearly establish its current cybersecurity activities. The current profile can also be an effective way of communicating the organization’s cybersecurity posture internally or with external partners.

The Target profile

The target profile describes the organization’s intended destination for cybersecurity risk management activities. These destinations are strongly tied to the organization’s legal and regulatory requirements, contractual obligations, and business objectives.

Learn more about the NIST CSF and how it compares to
ISO 27001

Download our green paper to find out more about these two frameworks and how they can help protect your organization.

Download now

Free PDF download: Implementing Cybersecurity – The case for the NIST CSF

Learn about the benefits of implementing the NIST CSF

Download our green paper to find out more about the NIST CSF and how it can help protect your organization.

Download now

This website uses cookies. View our cookie policy