NIST CSF’s four implementation tiers are one of the most misused elements of the framework. Organisations that self-assess their security programme often rate themselves at Tier 3 (Repeatable) or Tier 4 (Adaptive) when an honest assessment would place them at Tier 1 (Partial) or Tier 2 (Risk Informed). The consequences of this misassessment are not just administrative — an inflated tier rating produces a false picture of security programme maturity that leads to misallocated investment and unjustified confidence.
Using the tiers honestly, on the other hand, provides a realistic baseline that drives meaningful improvement planning.
The Four Tiers
Tier 1: Partial. Cybersecurity risk management practices are not formalised. Risk is managed in an ad hoc, sometimes reactive manner. There is limited awareness of cybersecurity risks at the organisational level. The organisation may not have formal cybersecurity policies, a risk management process, or coordinated incident response. Cybersecurity activities and tools may exist but they are not coordinated or informed by a consistent risk management approach.
Tier 1 describes more organisations than would self-identify at this level. An organisation without a formal risk assessment process, without documented security policies that are actually implemented, or without regular security reporting to leadership is effectively at Tier 1 in those dimensions regardless of the technical security tools it has deployed.
Tier 2: Risk Informed. Risk management practices are approved by management but not established as organisational-wide policy. Awareness of cybersecurity risk exists but is not organisation-wide. The organisation has some risk-based approach to security investment and understands dependencies, but these are not systematic. This tier describes organisations that have begun formalising their security programme but have not yet achieved consistent, documented implementation across all areas.
Tier 3: Repeatable. Cybersecurity risk management practices are formally approved, expressed as policy, and consistently implemented. The organisation regularly updates practices based on changes in business requirements, threats, and technologies. There is an organisation-wide approach to managing cybersecurity risk. The key differentiator from Tier 2 is consistency and documentation — the practices work, they are documented, and they operate reliably across the organisation.
Tier 4: Adaptive. The organisation actively adapts its cybersecurity practices based on lessons learned and predictive indicators. Cybersecurity risk management is embedded in the organisation’s culture. The organisation uses threat intelligence to refine its cybersecurity programme and can rapidly adapt to new threats. Tier 4 describes genuinely mature security programmes with strong threat intelligence integration and continuous improvement mechanisms.
How to Use the Tiers Honestly
The tiers are most useful as a dimension-by-dimension assessment rather than a single organisation-level rating. An organisation may be Tier 3 in access management, Tier 2 in incident response, and Tier 1 in supply chain security. This dimension-level view reveals where investment should be prioritised — closing the Tier 1 gaps before optimising the Tier 3 capabilities.
An honest dimension-level assessment requires evidence, not self-assessment. “We have an incident response plan” does not make incident response Tier 3. “Our incident response plan is documented, tested annually, and produces findings that are remediated on a defined schedule” approaches Tier 3. The distinction matters.
At Bitsecura, we conduct evidence-based NIST CSF maturity assessments — evaluating actual control effectiveness rather than relying on self-assessment — and produce honest tier ratings that provide a reliable baseline for improvement planning. If you want to know where you actually stand, reach out here.
Bitsecura provides NIST CSF-aligned cybersecurity strategy and advisory services. Learn more about our NIST CSF services.