The Framework Behind the Frameworks
The NIST Cybersecurity Framework (CSF) has quietly become one of the most influential security frameworks in existence. Published by the National Institute of Standards and Technology, it’s referenced by regulators, required by federal contractors, and used as a foundation by organizations that want a structured approach to cybersecurity without committing to a formal certification.
NIST CSF 2.0, released in February 2024, expanded the framework’s scope and added a sixth core function. If you’ve been referencing the original CSF, it’s worth understanding what changed.
The Six Core Functions
CSF 2.0 organizes cybersecurity activities into six functions that represent the full lifecycle of security management:
Govern (New in 2.0)
Establishes and monitors the organization’s cybersecurity risk management strategy, expectations, and policy. Govern is the foundation that informs how an organization implements the other five functions. It covers organizational context, risk management strategy, roles and responsibilities, policy, oversight, and supply chain risk management.
The addition of Govern reflects what security practitioners have known for years: without governance and leadership commitment, the other functions don’t work consistently.
Identify
Understand your organization’s cybersecurity risk posture. This includes asset management, risk assessment, and understanding the business environment. You need to know what you have, what it’s worth, and what threatens it before you can protect it.
Protect
Implement safeguards to ensure delivery of critical services. Access control, data security, information protection, platform security, and technology infrastructure resilience all live here.
Detect
Develop and implement capabilities to identify cybersecurity events. Continuous monitoring, adverse event analysis, and detection processes.
Respond
Take action regarding detected cybersecurity incidents. Incident management, analysis, reporting, communication, and mitigation.
Recover
Restore capabilities or services impaired by a cybersecurity incident. Recovery planning, communication during recovery, and execution of recovery plans.
Why SaaS Companies Use It
As a Starting Framework
Many SaaS companies use NIST CSF as their initial security framework before pursuing formal certifications. Its flexible, outcome-based structure lets you build security capabilities without the overhead of a full management system or audit engagement.
As a Common Language
NIST CSF provides a shared vocabulary for discussing security posture with customers, partners, and leadership. When a customer asks “how do you handle incident response?” you can reference your Respond function capabilities rather than scrambling for ad hoc answers.
As a Risk Assessment Backbone
The framework’s structure maps naturally to risk assessment activities. Many organizations use the CSF functions and categories as the basis for their risk assessments, then map those to specific control frameworks like SOC 2 or ISO 27001.
As a Federal Requirement
If you sell to US federal agencies or federal contractors, NIST frameworks are often explicitly required. CSF provides the overarching structure, with NIST SP 800-53 providing detailed control specifications.
CSF 2.0 Tiers
The framework defines four implementation tiers that describe an organization’s cybersecurity risk management maturity:
Tier 1 (Partial): Cybersecurity risk management is ad hoc, with limited awareness and no formal processes.
Tier 2 (Risk Informed): Risk management practices are approved by management but may not be established as organization-wide policy.
Tier 3 (Repeatable): Risk management practices are formally approved and expressed as policy. Practices are regularly updated based on changes in risk.
Tier 4 (Adaptive): The organization adapts its cybersecurity practices based on lessons learned, predictive indicators, and real-time awareness.
Most SaaS companies starting their security journey are at Tier 1 or Tier 2. A solid SOC 2 or ISO 27001 program typically puts you at Tier 3.
NIST CSF vs SOC 2 vs ISO 27001
NIST CSF is a framework, not a standard. There’s no certification or audit. You use it to structure your security program and assess maturity, but there’s no external validation.
SOC 2 is an attestation. An auditor validates your controls and issues a report. It’s evidence you can hand to customers.
ISO 27001 is a certifiable management system standard. An accredited body certifies your ISMS and issues a certificate.
They’re complementary, not competing:
- Use NIST CSF to structure your thinking and communicate your security posture
- Use SOC 2 to provide audit evidence to US customers
- Use ISO 27001 to demonstrate certified security management globally
Many organizations use NIST CSF as the overarching framework and map SOC 2 and ISO 27001 controls into its structure.
Mapping CSF to Your Existing Program
If you already have SOC 2 or ISO 27001, mapping to NIST CSF is straightforward:
| CSF Function | SOC 2 Mapping | ISO 27001 Mapping |
|---|---|---|
| Govern | CC1 (Control Environment) | Clauses 4-7 (Context, Leadership, Planning, Support) |
| Identify | CC3 (Risk Assessment), CC6 (Logical and Physical Access) | A.5 (Organizational), A.8 (Technology) |
| Protect | CC5 (Control Activities), CC6, CC8 (Change Management) | A.5-A.8 (various controls) |
| Detect | CC7 (System Operations) | A.8.15-A.8.16 (Logging, Monitoring) |
| Respond | CC7 (System Operations) | A.5.24-A.5.28 (Incident Management) |
| Recover | CC9 (Risk Mitigation) | A.5.29-A.5.30 (Business Continuity) |
Getting Started with NIST CSF
- Assess your current state. Map your existing security practices to the CSF functions and categories. Identify where you’re strong and where you have gaps.
- Define your target profile. Determine what level of capability you need in each category based on your business context and risk appetite.
- Prioritize gaps. Focus on the gaps between your current state and target profile that represent the highest risk.
- Implement and iterate. Build capabilities, measure progress, and continuously improve.
At Concerto, we use NIST CSF alongside SOC 2, ISO 27001, and other frameworks to build comprehensive security programs. Whether you’re using CSF as your starting point or mapping it to an existing program, we can help. Schedule a consultation to discuss your security program.
