Published by [[NIST]], this is the framework against which organisations can evaluate their information security. It's not technically a #standard , though there's an argument to be made that it is an 'unofficial' standard. The catalogue of controls for this framework is held in [[NIST Special Publication 800-53|NIST SP 800-53]]. It is less prescriptive than [[ISO 27001]].
The framework defines five core functions: identify, protect, detect, respond, and recover. The latter three all involve [[contro#Reactive|reactive controls]].
## Framework core
The core set of principles is not a checklist. It is a series of activities, almost a mindset, that will help an organisation meet its cybersecurity goals. This is essentially an [[information security management system|ISMS]], although it's not named as such.
### Identify
Users should develop an understanding of the organisation's systems, people, [[asset|assets]], data and capabilities as well as how to manage them.
### Protect
Users should develop and implement 'appropriate' preventive [[security controls]], which in [[NIST]] are called safeguards. These controls should ensure the secure delivery of critical services.
### Detect
Users should develop controls to... well, detect incidents.
### Respond
Users should develop controls to take action once an incident has been detected and contain its impact.
### Recover
Users should develop controls to maintain resilience and restore any services damaged in an incident.
## Implementation tiers
There are four tiers, from partial (Tier 1) to adaptive (Tier 4). This is unique to NIST - [[ISO 27001]] does not consider the maturity of the organisation.
### Tier 1: Partial
Risk management is informal. Cyber security activities may not be informed by risk assessment or business needs.
### Tier 2: Risk-informed
There are some risk management practices and they have been approved by senior management. They may not yet be rolled out across the organisation. Activities are informed by risks and/or business needs.
### Tier 3: Repeatable
At this level risk management activities are formally approved and widely adopted as policy. Moreover, the activities are reviewed and updated regularly, based on a good understanding of risk.
### Tier 4: Adaptive
Cyber security activities are adapted over time based on lessons learned. The entire organisation is committed to managing cybersecurity risk. The relationship between cybersecurity risk and organisational objectives is clearly understood and applied to decision making.
>[!note]
>This assumes organisations understand their organisational objectives to start with which...hum
## Framework profiles
Profiles are a way of describing the current state and the target state. They're intended to support business requirements and help to communicate risk within the organisation.