Implementing an approach such as the NIST Cybersecurity Framework (CSF) can be challenging, as its scope is wide and there’s a lot to do. But many feel that the benefits of basing your cybersecurity approach around a standard framework such as the CSF make the effort worthwhile. Here we provide some tips on getting the CSF in place, in a relevant and applicable way, and as quickly as possible.
By the way, this article is based on our personal views; if you want a more official guide see the guidance of the Cybersecurity and Infrastructure Security Agency (CISA) of the US Department of Homeland Security in their publication “Commercial Facilities Sector – Cybersecurity Framework Implementation Guidance” dated May 2020.
We include this step right at the start because you really need to be sure that the CSF is the way to go for your organization before you begin implementing it. Have a look at alternatives such as the ISO/IEC 27001 standard, COBIT, Cyber Essentials (in the UK) and other NIST publications (NIST SP 800-53 for example) so that you can sensibly answer the question “why did we go for the NIST CSF?” without scratching your head. Factors you may like to consider include the need for certification, acceptance in the countries in which you operate and any other standards your organization might want to pursue later.
If, once you’ve done your research, it’s all systems go with the CSF, then let’s get started.
Before you start the implementation process, you need to know what it is you’re implementing. The NIST CSF website has plenty of useful resources to help you to understand the various components of the framework and how to use them. Get the PDF of the standard and sit down in Starbucks (other coffee shops are available) and read it. Then read it again. Once you know what functions, categories, subcategories, tiers, profiles, informative references and implementation examples are, you’re probably as ready as you can be.
You will already be doing many of the things covered by the CSF, so you need to give yourself credit for these. The current profile is an assessment of how well you presently meet each of the outcomes defined in the subcategories of the CSF. It’s the “where we are now” or the “as is” for your organization and it’s important that you’re honest and accurate about this. If it helps (and it probably will), you can use the “tiers” concept of the CSF to assess your status on a scale from 1 (Partial) to 4 (Adaptive). You can do this at the subcategory level if you have the time and patience, or at the category level if it suits you better.
At this stage we know what we currently have in place, but in order to decide how much more cybersecurity we need, we could do with a clear understanding of where the risks are. There are many different ways of doing this, but you should aim to include everyone who has an angle on what the risks are, how likely they are, and how they would be affected if they were to actually happen. The risk assessment will take into account the controls you have documented in your current profile and aim to highlight those areas where significant risk still exists. You’re then going to use the CSF to plug those gaps.
Once you’ve defined where you are now against the CSF, you obviously now need to define where you’re trying to get to. It’s important to note that NIST’s intention with the CSF is not to say that everyone should do everything. It’s designed so that you can pick and choose which subcategories are important for you, and this is heavily informed by the risk assessment you did in Step 4. Again, you can use the tiers concept to define how far you need to go with the various areas of the CSF (once more at either category or subcategory level), so for example you could say “we need to move from a 1 to a 3” for this particular objective.
By now, you have a definition of where you are, and a good understanding of where you need to be, based on an assessment of risk. It should then be fairly straightforward to identify the tasks you need to do to get from the current position to the desired future one. This list of actions forms the basis of your implementation plan. Factor in some prioritisation (actions to address high risks first), agreed resourcing and some sensible timescales and you’re ready to start improving your cybersecurity.
This is the part that takes the time, and the longer it takes, the more change you’ll need to cope with too, as new systems are implemented, restructures take place and resources come and go. Communication will be key to keeping the plan (and the reasons for it) in people’s minds as other issues clamour for their attention. Keep the focus on the high priority tasks and you’ll be maximising the impact of your efforts on your organization’s cybersecurity.
While you’re busy implementing, don’t forget to return to your current profile often to update it and show the progress you’re making towards your target profile. Be prepared also to adjust your target profile in the face of significant change and, if necessary, to revisit your risk assessment. After all, there’s little point in sticking to the original plan if the goalposts have moved.
This last step really cuts across several of the previous ones; implementing the CSF shouldn’t be a one-time project that then needs to be repeated a few years later. When addressing the areas defined by the categories and subcategories of the framework, always look to embed the changes as processes or procedures, with owners, managers and adequate resources associated with them. You’re aiming to create a cybersecurity machine that runs on its own power, rather than a set of one-off tweaks that will decay over time.
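The current profile, risk assessment, target profile and action list described above can be modelled as data, which makes the gap analysis and the progress check repeatable rather than a one-off spreadsheet exercise. What follows is an added example of that, not code from this article or from CertiKit: the subcategory identifiers are CSF 2.0 ones, but the tiers and risk ratings are constructed, and the high/medium/low risk weighting used for ordering is an assumption of the example.

```python
from dataclasses import dataclass

# NIST CSF implementation tiers: 1 (Partial) up to 4 (Adaptive)
TIER_NAMES = {1: "Partial", 2: "Risk Informed", 3: "Repeatable", 4: "Adaptive"}
RISK_WEIGHT = {"high": 3, "medium": 2, "low": 1}  # assumed ordering weights

@dataclass(frozen=True)
class Gap:
    subcategory: str
    current: int
    target: int
    risk: str

    @property
    def delta(self) -> int:  # how many tiers the subcategory must climb
        return self.target - self.current

def gap_analysis(current: dict, target: dict, risk: dict) -> list:
    """Compare a current profile with a target profile ({subcategory: tier}).
    Only subcategories in the target profile are in scope (the CSF lets you pick
    the outcomes that matter); a subcategory missing from the current profile counts
    as Tier 1 (Partial). Gaps come back high risk first, then largest tier jump first."""
    gaps = []
    for sub, want in target.items():
        have = current.get(sub, 1)
        for tier in (have, want):
            if tier not in TIER_NAMES:
                raise ValueError(f"{sub}: tier {tier} is not in 1..4")
        if want > have:
            gaps.append(Gap(sub, have, want, risk.get(sub, "low")))
    return sorted(gaps, key=lambda g: (-RISK_WEIGHT[g.risk], -g.delta, g.subcategory))

def progress(current: dict, target: dict) -> float:
    """Share of targeted subcategories at or above their target tier; recompute
    each time the current profile is updated during implementation."""
    if not target:
        return 1.0
    met = sum(1 for sub, want in target.items() if current.get(sub, 1) >= want)
    return met / len(target)

# Constructed sample profiles: the tiers and risk ratings are illustrative only
CURRENT = {"GV.OC-01": 2, "ID.AM-01": 1, "PR.AA-01": 2, "DE.CM-01": 1, "RS.MA-01": 3}
TARGET = {"GV.OC-01": 3, "ID.AM-01": 3, "PR.AA-01": 3, "DE.CM-01": 3, "RC.RP-01": 2}
RISK = {"ID.AM-01": "high", "DE.CM-01": "high", "PR.AA-01": "medium",
        "GV.OC-01": "low", "RC.RP-01": "medium"}

if __name__ == "__main__":
    for g in gap_analysis(CURRENT, TARGET, RISK):
        print(f"{g.subcategory}: {TIER_NAMES[g.current]} -> {TIER_NAMES[g.target]} (risk {g.risk}, +{g.delta})")
    print(f"target profile met: {progress(CURRENT, TARGET):.0%}")
```

Note that RS.MA-01 is in the current profile but not the target, so it is left out of the action list entirely, while RC.RP-01 appears as a gap even though nothing was documented for it yet.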
The NIST Cybersecurity Framework is a valuable tool for organizations wanting to improve their cybersecurity, and it’s rapidly gaining acceptance and backing outside of the USA too. If you’re not worried about certification then it’s a great choice to base your information security defences around, and NIST are committed to providing more and more online resources to help you to get the best from the standard.
Written by Ken Holmes, CertiKit’s Managing Director and Lead Toolkit Creator. Ken is a CISSP-qualified security and data protection specialist who also holds the internationally-recognised Certified Information Privacy Professional – Europe (CIPP/E).
The CertiKit NIST Cybersecurity Framework 2.0 toolkit can help you implement the standard easily. The toolkit is aligned to the structure of the final published version of CSF 2.0. With 150+ expertly created documents, unlimited email support from our consultants, a perpetual license and lifetime updates, you’ll have everything you need to implement NIST CSF 2.0.
NIST have now released the final version of the Cybersecurity Framework 2.0. The toolkit has been updated to align to the latest version, and all existing CSF customers will receive the update free of charge.