New

Our AI-first training platform is live – safe AI skills, tracked, certified, and audit-ready.

Back to frameworks
Cyber risk

NIST Cybersecurity Framework

The flexible, outcome-based framework for managing cyber risk – Govern, Identify, Protect, Detect, Respond, and Recover.

The NIST Cybersecurity Framework (CSF) is the world's most widely referenced model for organising a cyber security programme. It isn't a certification, a law, or a control checklist – it's a shared taxonomy of the outcomes a mature programme achieves, arranged so that executives, auditors, and engineers can finally have the same conversation. Version 2.0 (2024) reshaped it around six functions – Govern, Identify, Protect, Detect, Respond, Recover – and made two things explicit: cyber risk is an enterprise governance matter, and the framework is for every organisation, not just US critical infrastructure.

How the framework is builtLink to this section

The CSF core is a hierarchy: six functions, 22 categories (the table below), and just over a hundred subcategories of specific outcomes. Around the core sit two instruments that make it usable:

  • Organisational profiles. A current profile records where you stand against the outcomes; a target profile records where your risk appetite says you should be. The gap between them, prioritised, is your security roadmap – defensible to a board because every line traces to a business decision.
  • Tiers (1–4). From Partial to Adaptive, tiers characterise how rigorous and repeatable your risk governance is. They calibrate ambition: most organisations genuinely need Tier 2–3, and pretending otherwise wastes money.

The addition of the Govern function in 2.0 was the significant move: risk strategy, roles, policy, oversight, and supply chain risk were promoted from background assumptions to first-class outcomes – reflecting where real programmes fail.

Why choose an uncertifiable framework?Link to this section

Because it's the connective tissue. The CSF doesn't compete with your other obligations; it organises them. Its outcomes map onto ISO 27001 controls, Essential Eight mitigations, SOC 2 criteria, and regulator expectations (APRA's CPS 234 sits comfortably inside it, and OCR points US healthcare entities at it for HIPAA). That makes it ideal as the management layer: one risk-based structure for decisions and reporting, with each compliance regime satisfied as a mapped subset rather than its own parallel programme. US-aligned supply chains and defence-adjacent work also increasingly name it explicitly – as does its sibling NIST SP 800-171, the control set behind CMMC, which we cover in depth here.

The trap to avoidLink to this section

The CSF's flexibility is its weakness in careless hands: because nothing is mandatory, it's easy to produce a colourful heatmap of self-assessed maturity that flatters everyone and changes nothing. The discipline that makes it work is evidence – every outcome claimed in your current profile should have an artefact behind it: a tested backup, a completed training cohort, an exercised response plan, a reviewed access list. Assessments without evidence are opinion surveys. We don't do opinion surveys.

How we helpLink to this section

We use the CSF as our chassis for whole-of-programme uplift – assess honestly, target deliberately, and build with proof:

  • Current-profile assessment. An evidence-based benchmark across all 22 categories – what's actually operating, not what the org chart implies – with tier ratings you can defend.
  • Target profile and roadmap. A target state set with your leadership against risk appetite, budget, and obligations, and a sequenced uplift plan that starts with the highest-risk gaps.
  • Uplift, delivered. Our consultants implement the controls – identity, hardening, monitoring, response – rather than leaving you a PDF and a handshake.
  • The human layer, evidenced. PR.AT (Awareness and Training) is a category all its own, and it's our specialty: role-based training on our platform with tamper-evident completion records – evidence for the category and armour for every other one.
  • Board-grade reporting. Profile dashboards and metrics that keep Govern honest: leadership sees real posture, trend, and the return on every uplift dollar.

The table below walks through every CSF 2.0 category and how we help you achieve it.

CSF 2.0 functions and categories

Govern

IDCategoryHow we help
GV.OCOrganizational ContextWe capture the mission, stakeholder expectations, and legal and contractual obligations that shape your risk decisions – the context every later choice traces back to.
GV.RMRisk Management StrategyWe define your risk appetite and cyber risk management strategy in business language leadership can actually endorse and apply.
GV.RRRoles, Responsibilities, and AuthoritiesWe assign cyber accountabilities from board to practitioner – who owns which risks, who decides, who reports – and embed them in role descriptions.
GV.POPolicyWe write a policy set that matches how you operate, with the review cycle and attestation records that make policies enforceable rather than aspirational.
GV.OVOversightWe build the reporting rhythm – metrics, dashboards, and board papers – that lets leadership genuinely oversee cyber risk rather than rubber-stamp it.
GV.SCCybersecurity Supply Chain Risk ManagementWe stand up supplier risk management proportionate to your exposure – tiering, due diligence, contract clauses, and ongoing monitoring of the vendors that matter.

Identify

IDCategoryHow we help
ID.AMAsset ManagementWe build and automate the asset inventory – hardware, software, SaaS, data, and the people and suppliers behind them – because you can't protect what you haven't listed.
ID.RARisk AssessmentWe run structured cyber risk assessments tied to your real threats and crown-jewel assets, producing a register that drives spending decisions instead of shelfware.
ID.IMImprovementWe turn assessment findings, exercises, and incidents into a tracked improvement plan – the mechanism that moves your profile from current to target.

Protect

IDCategoryHow we help
PR.AAIdentity Management, Authentication, and Access ControlWe implement MFA, SSO, least privilege, and access lifecycle management – the controls that shut down the most common attack paths first.
PR.ATAwareness and TrainingOur home ground – role-based security awareness and technical training delivered on our platform, with tamper-evident completion records that evidence this entire category.
PR.DSData SecurityWe classify data and apply protection through its life cycle – encryption at rest and in transit, leakage controls, and secure disposal.
PR.PSPlatform SecurityWe harden endpoints, servers, and cloud workloads – configuration baselines, patch management, and software integrity – aligned to Essential Eight practices where they fit.
PR.IRTechnology Infrastructure ResilienceWe design resilience into networks and infrastructure – segmentation, redundancy, capacity – so single failures stay single failures.

Detect

IDCategoryHow we help
DE.CMContinuous MonitoringWe define what to log, centralise it, and tune detection across networks, endpoints, cloud, and identity – sized to your team, not a Fortune 100 SOC.
DE.AEAdverse Event AnalysisWe build triage and analysis procedures so alerts become understood events with declared severity – fast enough to matter.

Respond

IDCategoryHow we help
RS.MAIncident ManagementWe write the incident response plan people can execute under pressure – roles, escalation, severity levels – and validate it in exercises.
RS.ANIncident AnalysisWe establish investigation and forensics procedures – evidence preservation, root-cause analysis, and the records that survive legal and insurance scrutiny.
RS.COIncident Response Reporting and CommunicationWe map your notification obligations (regulators, customers, insurers, the OAIC's 30-day clock) and prepare the templates before an incident starts the timer.
RS.MIIncident MitigationWe define containment and eradication playbooks for your likeliest scenarios – ransomware, BEC, cloud account compromise – so responders act, not improvise.

Recover

IDCategoryHow we help
RC.RPIncident Recovery Plan ExecutionWe build and test recovery procedures with clear priorities and integrity checks, tying into business continuity so restoration follows business impact, not server order.
RC.COIncident Recovery CommunicationWe prepare the recovery-phase communications – customers, partners, staff, board – that protect trust while systems come back.

Need help with compliance?

From ISO 27001 readiness to SOC 2 audits, we help teams build practical programs that satisfy assessors and work in the real world.