The NIST Cybersecurity Framework (CSF) is one of the most widely referenced security frameworks globally — and one of the most inconsistently understood. Security professionals regularly cite it. Boards ask whether their organisation is “NIST-aligned.” Regulatory guidance frequently recommends it. But a significant proportion of organisations that claim to use the NIST CSF are applying it superficially — citing the five function names without the systematic gap analysis and risk management discipline that makes the framework valuable.

This post explains what the NIST CSF actually is, what the five functions cover, and how the framework is intended to be used as a tool for security programme development and maturity assessment.

What the NIST CSF Is — and What It Isn’t

The NIST Cybersecurity Framework is a voluntary framework for managing cybersecurity risk, developed by the US National Institute of Standards and Technology in collaboration with industry. It is not a compliance standard — there is no NIST CSF certification, no audit process, and no regulatory enforcement mechanism tied to it. It is a structured way of thinking about cybersecurity risk management that can be applied to any organisation, in any sector, of any size.

The framework provides: a common language for communicating about cybersecurity risk internally and with partners, clients, and regulators; a structured approach to identifying gaps in the security programme; and a reference for building or improving a security programme aligned to recognised best practices. It is a strategy and assessment tool, not a controls checklist.

The Five Core Functions

IDENTIFY. Understanding the organisational context, assets, and risks that inform the security programme. Identify covers: asset management (what do you have?); business environment (what are your critical business objectives and how does technology support them?); governance (what policies, roles, and accountabilities exist for managing cybersecurity risk?); risk assessment (what are the cybersecurity risks to your critical assets?); and risk management strategy (what is your risk tolerance and how do you make risk treatment decisions?).

Identify is where most security programmes have their most significant gaps — because it requires the hard work of inventorying assets, mapping dependencies, and understanding risk before you implement controls. Programmes that skip Identify and start with Protect end up implementing controls without knowing what they are protecting or what risks they are addressing.

PROTECT. Implementing safeguards to ensure delivery of critical services. Protect covers: identity management and access control; awareness and training; data security; information protection processes and procedures; maintenance; and protective technology. This is the broadest function and covers the majority of conventional security controls.

DETECT. Developing and implementing appropriate activities to identify the occurrence of cybersecurity events. Detect covers: anomalies and events detection; security continuous monitoring; and detection processes. Detection is consistently underinvested relative to protection — organisations that spend extensively on preventive controls but have limited visibility into whether those controls are being bypassed are operating with a significant gap in their security programme.

RESPOND. Taking action regarding a detected cybersecurity incident. Respond covers: response planning; communications; analysis; mitigation; and improvements. Respond is the function that determines how well an organisation manages an incident when prevention fails — which it will, eventually.

RECOVER. Maintaining plans for resilience and restoring any capabilities or services that were impaired due to a cybersecurity incident. Recover covers: recovery planning; improvements; and communications during recovery. Recover is the function most closely tied to business continuity — it determines how quickly and effectively normal operations are restored after an incident.

At Bitsecura, we use the NIST Cybersecurity Framework as the foundation for cyber security strategy development and maturity assessments — providing a structured, outcomes-based view of where an organisation’s security programme is strong and where investment will produce the greatest risk reduction. If you want to use NIST CSF properly rather than just cite it, talk to us here.


Bitsecura provides NIST CSF-aligned cybersecurity strategy and advisory services. Learn more about our NIST CSF services.