The NIST Cybersecurity Framework (CSF) is the world's most widely referenced model for organising a cyber security programme. It isn't a certification, a law, or a control checklist – it's a shared taxonomy of the outcomes a mature programme achieves, arranged so that executives, auditors, and engineers can finally have the same conversation. Version 2.0 (2024) reshaped it around six functions – Govern, Identify, Protect, Detect, Respond, Recover – and made two things explicit: cyber risk is an enterprise governance matter, and the framework is for every organisation, not just US critical infrastructure.
How the framework is builtLink to this section
The CSF core is a hierarchy: six functions, 22 categories (the table below), and just over a hundred subcategories of specific outcomes. Around the core sit two instruments that make it usable:
- Organisational profiles. A current profile records where you stand against the outcomes; a target profile records where your risk appetite says you should be. The gap between them, prioritised, is your security roadmap – defensible to a board because every line traces to a business decision.
- Tiers (1–4). From Partial to Adaptive, tiers characterise how rigorous and repeatable your risk governance is. They calibrate ambition: most organisations genuinely need Tier 2–3, and pretending otherwise wastes money.
The addition of the Govern function in 2.0 was the significant move: risk strategy, roles, policy, oversight, and supply chain risk were promoted from background assumptions to first-class outcomes – reflecting where real programmes fail.
Why choose an uncertifiable framework?Link to this section
Because it's the connective tissue. The CSF doesn't compete with your other obligations; it organises them. Its outcomes map onto ISO 27001 controls, Essential Eight mitigations, SOC 2 criteria, and regulator expectations (APRA's CPS 234 sits comfortably inside it, and OCR points US healthcare entities at it for HIPAA). That makes it ideal as the management layer: one risk-based structure for decisions and reporting, with each compliance regime satisfied as a mapped subset rather than its own parallel programme. US-aligned supply chains and defence-adjacent work also increasingly name it explicitly – as does its sibling NIST SP 800-171, the control set behind CMMC, which we cover in depth here.
The trap to avoidLink to this section
The CSF's flexibility is its weakness in careless hands: because nothing is mandatory, it's easy to produce a colourful heatmap of self-assessed maturity that flatters everyone and changes nothing. The discipline that makes it work is evidence – every outcome claimed in your current profile should have an artefact behind it: a tested backup, a completed training cohort, an exercised response plan, a reviewed access list. Assessments without evidence are opinion surveys. We don't do opinion surveys.
How we helpLink to this section
We use the CSF as our chassis for whole-of-programme uplift – assess honestly, target deliberately, and build with proof:
- Current-profile assessment. An evidence-based benchmark across all 22 categories – what's actually operating, not what the org chart implies – with tier ratings you can defend.
- Target profile and roadmap. A target state set with your leadership against risk appetite, budget, and obligations, and a sequenced uplift plan that starts with the highest-risk gaps.
- Uplift, delivered. Our consultants implement the controls – identity, hardening, monitoring, response – rather than leaving you a PDF and a handshake.
- The human layer, evidenced. PR.AT (Awareness and Training) is a category all its own, and it's our specialty: role-based training on our platform with tamper-evident completion records – evidence for the category and armour for every other one.
- Board-grade reporting. Profile dashboards and metrics that keep Govern honest: leadership sees real posture, trend, and the return on every uplift dollar.
The table below walks through every CSF 2.0 category and how we help you achieve it.
CSF 2.0 functions and categories
Govern
| ID | Category | How we help |
|---|---|---|
| GV.OC | Organizational Context | We capture the mission, stakeholder expectations, and legal and contractual obligations that shape your risk decisions – the context every later choice traces back to. |
| GV.RM | Risk Management Strategy | We define your risk appetite and cyber risk management strategy in business language leadership can actually endorse and apply. |
| GV.RR | Roles, Responsibilities, and Authorities | We assign cyber accountabilities from board to practitioner – who owns which risks, who decides, who reports – and embed them in role descriptions. |
| GV.PO | Policy | We write a policy set that matches how you operate, with the review cycle and attestation records that make policies enforceable rather than aspirational. |
| GV.OV | Oversight | We build the reporting rhythm – metrics, dashboards, and board papers – that lets leadership genuinely oversee cyber risk rather than rubber-stamp it. |
| GV.SC | Cybersecurity Supply Chain Risk Management | We stand up supplier risk management proportionate to your exposure – tiering, due diligence, contract clauses, and ongoing monitoring of the vendors that matter. |
Identify
| ID | Category | How we help |
|---|---|---|
| ID.AM | Asset Management | We build and automate the asset inventory – hardware, software, SaaS, data, and the people and suppliers behind them – because you can't protect what you haven't listed. |
| ID.RA | Risk Assessment | We run structured cyber risk assessments tied to your real threats and crown-jewel assets, producing a register that drives spending decisions instead of shelfware. |
| ID.IM | Improvement | We turn assessment findings, exercises, and incidents into a tracked improvement plan – the mechanism that moves your profile from current to target. |
Protect
| ID | Category | How we help |
|---|---|---|
| PR.AA | Identity Management, Authentication, and Access Control | We implement MFA, SSO, least privilege, and access lifecycle management – the controls that shut down the most common attack paths first. |
| PR.AT | Awareness and Training | Our home ground – role-based security awareness and technical training delivered on our platform, with tamper-evident completion records that evidence this entire category. |
| PR.DS | Data Security | We classify data and apply protection through its life cycle – encryption at rest and in transit, leakage controls, and secure disposal. |
| PR.PS | Platform Security | We harden endpoints, servers, and cloud workloads – configuration baselines, patch management, and software integrity – aligned to Essential Eight practices where they fit. |
| PR.IR | Technology Infrastructure Resilience | We design resilience into networks and infrastructure – segmentation, redundancy, capacity – so single failures stay single failures. |
Detect
| ID | Category | How we help |
|---|---|---|
| DE.CM | Continuous Monitoring | We define what to log, centralise it, and tune detection across networks, endpoints, cloud, and identity – sized to your team, not a Fortune 100 SOC. |
| DE.AE | Adverse Event Analysis | We build triage and analysis procedures so alerts become understood events with declared severity – fast enough to matter. |
Respond
| ID | Category | How we help |
|---|---|---|
| RS.MA | Incident Management | We write the incident response plan people can execute under pressure – roles, escalation, severity levels – and validate it in exercises. |
| RS.AN | Incident Analysis | We establish investigation and forensics procedures – evidence preservation, root-cause analysis, and the records that survive legal and insurance scrutiny. |
| RS.CO | Incident Response Reporting and Communication | We map your notification obligations (regulators, customers, insurers, the OAIC's 30-day clock) and prepare the templates before an incident starts the timer. |
| RS.MI | Incident Mitigation | We define containment and eradication playbooks for your likeliest scenarios – ransomware, BEC, cloud account compromise – so responders act, not improvise. |
Recover
| ID | Category | How we help |
|---|---|---|
| RC.RP | Incident Recovery Plan Execution | We build and test recovery procedures with clear priorities and integrity checks, tying into business continuity so restoration follows business impact, not server order. |
| RC.CO | Incident Recovery Communication | We prepare the recovery-phase communications – customers, partners, staff, board – that protect trust while systems come back. |