NIST Cybersecurity Framework, structured and tracked
Map your security controls to the NIST Cybersecurity Framework. Track maturity across the five core functions and generate compliance reports for executive stakeholders.
No credit card required. Free plan available forever.
NIST Cybersecurity Framework: structuring your security programme around five core functions
The NIST Cybersecurity Framework (CSF), published by the National Institute of Standards and Technology, provides a voluntary framework of standards, guidelines, and best practices for managing cybersecurity risk. Originally developed for critical infrastructure sectors in the United States, the framework has been widely adopted globally by organisations of all sizes and across all industries. The CSF organises cybersecurity activities into five core functions (Identify, Protect, Detect, Respond, and Recover) that together provide a comprehensive lifecycle view of an organisation's approach to managing cyber risk.
Unlike prescriptive compliance standards, the NIST CSF is outcome-based and designed to be adapted to an organisation's specific risk profile, resources, and business requirements. It includes four implementation tiers (Partial, Risk Informed, Repeatable, and Adaptive) that describe the degree of rigour in an organisation's cybersecurity risk management practices. This flexibility makes it a powerful tool for communicating cybersecurity posture to executives and board members, but it also means that tracking maturity and demonstrating progress requires structured tooling. SecPortal maps security controls and findings to the NIST CSF structure, enabling organisations to assess, track, and report on their cybersecurity maturity.
Five core functions
Identify
Develop an organisational understanding of cybersecurity risk to systems, assets, data, and capabilities. This function covers asset management, business environment analysis, governance, risk assessment, and risk management strategy. It establishes the foundation for all other cybersecurity activities.
Protect
Implement appropriate safeguards to ensure the delivery of critical services. Covers access control, awareness training, data security, information protection processes, maintenance, and protective technology. These controls limit the impact of potential cybersecurity events.
Detect
Define and implement activities to identify the occurrence of a cybersecurity event in a timely manner. Includes anomaly and event detection, security continuous monitoring, and detection processes. Effective detection enables rapid response to reduce the impact of incidents.
Respond
Take action regarding a detected cybersecurity incident. Covers response planning, communications, analysis, mitigation, and improvements. This function ensures the organisation can contain the impact of incidents and incorporates lessons learned into future responses.
Recover
Maintain plans for resilience and restore any capabilities or services impaired by a cybersecurity incident. Addresses recovery planning, improvements, and communications. This function supports timely return to normal operations and reduces the overall impact of incidents.
Implementation tiers
Tier 1: Partial
Cybersecurity risk management is ad hoc, reactive, and not formalised. Risk awareness is limited, and the organisation may not have processes to share cybersecurity information internally. Many organisations begin at this tier before implementing a structured framework.
Tier 2: Risk Informed
Risk management practices are approved by management but may not be established as organisation-wide policy. There is awareness of cybersecurity risk at the organisational level, but a consistent approach across all departments has not been fully implemented.
Tier 3: Repeatable
Risk management practices are formally approved and expressed as policy. Organisational cybersecurity practices are regularly updated based on changes in the threat landscape and business requirements. Processes are consistent and repeatable across the organisation.
Tier 4: Adaptive
The organisation adapts its cybersecurity practices based on previous and current cybersecurity activities, including lessons learned and predictive indicators. Continuous improvement through advanced technologies and practices is embedded in the organisational culture.
Control mapping and assessment
SecPortal enables your team to map security controls, findings, and organisational capabilities to each NIST CSF core function and sub-category. This structured mapping provides a clear picture of where the organisation is strong, where gaps exist, and which areas need investment. Cross-framework mapping capabilities also show how NIST CSF alignment supports compliance with other standards.
- Pre-built templates mapping controls to each of the five NIST CSF core functions
- Sub-category tracking for granular visibility into specific control implementation status
- Finding-to-function mapping linking vulnerabilities and issues to the NIST function they affect
- Cross-framework mapping showing how NIST CSF controls relate to ISO 27001, SOC 2, and other frameworks
- Executive dashboards displaying cybersecurity posture across all five functions at a glance
- AI-generated summaries translating technical control data into executive-ready language
Maturity tracking
Beyond individual control status, the NIST CSF is designed to measure and improve organisational maturity over time. SecPortal supports maturity tier assessments for each core function, allowing organisations to define target tiers, track progress toward those goals, and demonstrate improvement to executives and board members.
- Current maturity tier assessment for each core function with supporting evidence
- Target maturity tier definition allowing organisations to set and track improvement goals
- Gap analysis between current and target maturity tiers with specific remediation recommendations
- Historical maturity progression showing how the organisation has improved over successive assessments
- Maturity trend reporting for board-level communication of cybersecurity programme effectiveness
- Benchmark data to contextualise maturity levels relative to organisational objectives
- Action plan generation with prioritised steps for advancing from one tier to the next
The NIST Cybersecurity Framework is particularly valuable for organisations that need to communicate cybersecurity posture to non-technical stakeholders. SecPortal translates the framework's structure into clear dashboards and reports that executives can understand, while retaining the technical depth that security teams need for day-to-day operations. Whether you are adopting the NIST CSF for the first time or using it to benchmark progress across multiple business units, SecPortal provides the tracking and reporting infrastructure your programme requires.
Key control areas
SecPortal helps you track and manage compliance across these domains.
Identify
Track asset management, risk assessment, governance, and supply chain risk management controls.
Protect
Manage access control, awareness training, data security, and maintenance controls.
Detect
Track anomaly detection, continuous monitoring, and detection process controls.
Respond
Manage response planning, communications, analysis, mitigation, and improvement controls.
Recover
Track recovery planning, improvement, and communications controls.