Once an organization knows how well it currently manages and reduces cyber security risks, it also gains a clearer picture of what must be done to manage cyber security better. This is where the NIST-CSF framework comes in handy: it gives an organization both an indication of its current ability to manage cyber security threats and vulnerabilities and the knowledge needed to take the necessary measures.
Following NIST-CSF is not a statutory requirement within the EU, and there is currently no certification for NIST-CSF. If you want to be certified, management systems for information security such as ISO 27001 work very well. On the other hand, we see increasing demand for NIST-CSF from European companies operating in the US market, which at short notice receive explicit demands from American customers to apply NIST-CSF. Companies whose customers are directly or indirectly suppliers to US authorities may face explicit requirements to demonstrate a certain level of maturity in their approach to cyber security based on NIST-CSF. There are four maturity levels, and it is the customer or authority that decides which level applies.
The framework’s structure is based on five functional areas that follow each other in a logical sequence.