The NIST Cybersecurity Framework (CSF) is one of the most influential and widely adopted models for managing cybersecurity risk. Developed by the National Institute of Standards and Technology (NIST) in the United States, it provides a structured, risk‑based approach that helps organisations of all sizes understand, prioritise, and improve their cybersecurity posture.
The framework’s goal is to help organisations:
Identify and manage cybersecurity risks systematically.
Align security activities with business objectives.
Build resilience against evolving threats.
Communicate cybersecurity priorities clearly across technical and executive levels.
It is not a regulation but a voluntary, adaptable guide (although US federal agencies have been required to use it since Executive Order 13800 in 2017). It is designed to map onto existing standards and control sets such as ISO/IEC 27001, COBIT and the CIS Controls rather than replace them, so an organisation can keep its current controls and use the CSF as the common language for prioritising and reporting on them.
The Five Core Functions
These five pillars form the foundation of the NIST CSF as described in version 1.1. Note that CSF 2.0, published in February 2024, adds a sixth function, Govern, which covers strategy, policy, roles and oversight; the five below are unchanged.
Identify — Understand the organisation’s assets, data, systems, suppliers and the risks to them.
Protect — Implement safeguards (access control, awareness, data security, maintenance, protective technology) to ensure delivery of critical services.
Detect — Develop capabilities to discover cybersecurity events promptly, including continuous monitoring and anomaly detection.
Respond — Take coordinated action to analyse, contain and mitigate an incident, and to communicate with stakeholders.
Recover — Restore operations after a disruption and feed lessons learned back into resilience planning.
Together, they represent the full lifecycle of cybersecurity management.
Building Blocks
The framework is organised into three main components:
Core: Defines the functions, categories and subcategories, plus informative references that map each subcategory to controls in other standards. This is the “what” of cybersecurity.
Implementation Tiers: Describe how rigorous and risk-aware an organisation’s cybersecurity risk-management practices are, from Partial to Adaptive. NIST is explicit that tiers are not maturity levels and that moving to a higher tier is only warranted where it reduces risk cost-effectively.
Profiles: Capture the organisation’s current state and its target state against the Core subcategories. The gap between the two is the improvement roadmap, the “how” and “where to improve.”
Implementation Tiers
These tiers characterise how rigorously cybersecurity risk is managed and how well risk management is integrated into the wider organisation:
Tier 1 — Partial: Risk management is ad hoc and reactive; practices are informal and not organisation-wide.
Tier 2 — Risk-Informed: Risk management practices are approved by management but may not be established as organisation-wide policy; awareness of risk exists but is applied inconsistently.
Tier 3 — Repeatable: Practices are formally approved and expressed as policy; governance is established and processes are updated regularly in response to changes in risk.
Tier 4 — Adaptive: Practices are continuously improved from lessons learned and predictive indicators; threat intelligence drives decisions and risk management is part of the organisational culture.