The National Institute of Standards and Technology (NIST) is an agency of the United States Department of Commerce. NIST cybersecurity framework consists of standards, guidelines, and best practices to manage cybersecurity risks and improve the standard of critical infrastructure.
NIST cybersecurity framework explained
The framework has three sections, each emphasises the important link between business objectives and cybersecurity activities.
The three components are:
- The Core – comprises four elements; functions, categories, sub-categories and informative references
- The Implementation Tiers – Describe the maturity of the organisation’s cybersecurity posture
- The Profiles - The alignment of the functions, categories, and sub-categories with the business requirements, risk tolerance, and resources
The framework’s core consists of concurrent and continuous, basic cybersecurity functions:
- Identify – In order to develop the strategy an organisation must identify their systems, people, assets, data and capabilities
- Protect – Develop and implement appropriate controls
- Detect – Develop and implement a strategy for breach detection
- Respond – Develop and implement a suitable Incident response plan
- Recover – Develop and implement a disaster recovery plan
The framework tiers are:
- Partial – Ad hoc and reactive risk management. Cybersecurity activities are not aligned to organisational risk objectives/business requirements.
- Risk-Informed – Risk management activity is approved by management but there may not be a company-wide policy. Cybersecurity activities are informed by organisational risk objectives/business requirements.
- Repeatable – Risk management practices are formally approved and detailed in a policy. Cybersecurity activities are regularly updated based on changes to the organisations risk objectives/business requirements. Changes in the threat landscape and the state of technology are considered.
- Adaptive – Through a process of continuous improvement, the organisation actively adapts to a changing threat and technology landscape and responds in a timely and effective manner to evolving, sophisticated threats.
A profile enables organisations to establish a roadmap for reducing cybersecurity risk that is well aligned with the business objectives, considers legal/regulatory requirements and industry best practices, and reflects risk management priorities. Profiles support business requirements and aid in communicating risk within and between organisations.
Get in touch with our security experts
Our team is available for a quick call or video meeting. Let's connect and discuss your security challenges, dive into vendor comparison reports, or talk about your upcoming IT-projects. We are here to help.