What Is the NIST Cybersecurity Framework?
The NIST Cybersecurity Framework (CSF) is a voluntary guidance framework developed by the U.S. National Institute of Standards and Technology. Originally published in 2014 and updated to version 2.0 in February 2024, it provides a structured approach to managing cybersecurity risk that is applicable to organizations of any size, sector, or maturity level.
While NIST CSF originated in the United States, it has become a globally recognized standard. Many European organizations use it alongside EU regulations like NIS2 and DORA, as the framework's structure maps well to these regulatory requirements. The framework is technology-neutral and outcome-focused, making it adaptable to any environment.
NIST CSF 2.0 organizes cybersecurity activities into six core functions: Govern, Identify, Protect, Detect, Respond, and Recover. The addition of "Govern" as a separate function in version 2.0 reflects the growing importance of cybersecurity governance and management accountability — a theme echoed by NIS2's management liability provisions.
The 6 Core Functions
Govern (GV) is the newest function, added in CSF 2.0. It establishes and monitors the organization's cybersecurity risk management strategy, expectations, and policy. It addresses how cybersecurity decisions are made, who is responsible, and how performance is measured. This function underpins all others.
Identify (ID) focuses on developing organizational understanding to manage cybersecurity risk. This includes asset management, risk assessment, business environment understanding, and supply chain risk identification. You cannot protect what you do not know you have.
Protect (PR) outlines safeguards to ensure delivery of critical services. This includes access control, security awareness training, data security, information protection processes, and maintenance of protective technology.
Detect (DE) defines activities to discover cybersecurity events in a timely manner. Effective detection requires continuous security monitoring of systems and networks combined with anomaly detection, so that events are found and analysed before they become incidents.
Respond (RS) covers actions taken regarding a detected cybersecurity incident. This includes response planning, communications, analysis, mitigation, and improvements based on lessons learned.
Recover (RC) addresses activities to maintain resilience and restore any capabilities or services impaired due to a cybersecurity incident. This includes recovery planning, improvements, and communications.
Maturity Levels Explained
Level 1 — Initial: Cybersecurity activities are ad hoc and reactive. There are no formal processes, documentation is minimal or absent, and responses depend on individual heroics rather than systematic approaches. Most startups begin here.
Level 2 — Developing: Some processes exist but are inconsistently applied. Documentation may exist for certain areas but is incomplete. The organization is aware of the need for security but has not yet standardized its approach.
Level 3 — Defined: Processes are documented, standardized, and consistently followed across the organization. Policies are approved by management, roles are assigned, and there is a systematic approach to security. This is often the minimum target for regulatory compliance.
Level 4 — Managed: Security processes are measured using metrics and KPIs. Performance is monitored and reported to management regularly. The organization uses data to make informed decisions about security investments and improvements.
Level 5 — Optimizing: The organization continuously improves its security posture based on lessons learned, threat intelligence, and industry developments. Processes are adaptive and predictive. Security is deeply integrated into business strategy and culture.
Frequently Asked Questions
What maturity level should my organization target?
Most organizations should aim for at least Level 3 (Defined) across all functions as a baseline for regulatory compliance. Level 4 (Managed) is appropriate for organizations in regulated sectors or those handling sensitive data. Level 5 is typically reserved for organizations with mature security programmes in high-risk environments. The right target depends on your risk profile, sector, and regulatory requirements.
How does NIST CSF relate to NIS2 and DORA?
NIST CSF is a framework, while NIS2 and DORA are regulations. The CSF's six functions map well to NIS2 and DORA requirements — for example, NIS2's risk management requirements align with CSF's Identify and Govern functions, and DORA's incident management requirements align with Detect and Respond. Using NIST CSF as your internal framework helps demonstrate compliance with EU regulations.
How often should I reassess maturity?
Conduct a full maturity assessment at least annually. Additionally, reassess specific functions after significant changes (new systems, reorganization, major incidents) or when new regulatory requirements come into effect. Track scores over time to demonstrate improvement to management and auditors.
Is my assessment data stored?
No. All assessment data stays in your browser. Nothing is sent to any server. Take a screenshot or note your scores before leaving the page, as data is lost on refresh or close.
Related Tools
NIS2 Readiness Assessment
Map your maturity to NIS2 compliance requirements.
Security Policy Generator
Generate policies to move from Level 1-2 to Level 3+.
Related Articles
NIS2 Directive Explained
Map your maturity to NIS2 compliance.
How to Write an Incident Response Plan
The Respond function starts with a documented plan.
Disclaimer: This is a self-assessment tool for informational purposes. Maturity scores are based on your own evaluation and may differ from formal third-party assessments. NIST CSF is a framework by the National Institute of Standards and Technology. Created by ClevSec.
Last updated: March 2026