What is the NIST Cyber Security Framework? 

Govern  

This is a crucial function which outlines how organisations should create their cyber security strategies, as well as the ways to measure its success. It’s essential to establish: 

• Your mission and objectives relating to cyber security, ensuring stakeholders are bought in  
• Which stakeholders are involved in implementing cyber security best practices; plus, their roles and responsibilities 
• A strategy that outlines how you mitigate and manage risks that you uncover via your risk assessments 
• The risk policies and processes to put in place to reinforce this, as well as how these will be tracked
   

Identify 

This function outlines the need to take inventory of your assets, as well as the vital data and systems you need to protect, to identify your minimum viable company. You should undertake thorough risk assessments to uncover where to most effectively allocate your resources. At this stage you must discern:  

• All assets that require protection- identifying them and assessing them for risk 
• A clear understanding of your current cyber security risks across all departments and initiatives 
• Which risks are priority to address  

Protect 

This function outlines the importance of implementing proactive measures to protect your data, systems, and networks. These generally involve controls that restrict access to your critical systems and data. Steps that should be taken include:  

• Restricting your assets and data to members of staff who are authorised 
• Arranging specialist cyber security training for all staff 
• Ensuring your data is backed up and protected against both cyber threats and insider threats 
• Putting measures in place to maintain your data backups and software regularly 

Detect 

It’s crucial to ensure that measures are put in place to detect a cyber-attack to limit the damage it can cause. You must ensure that: 

• You’re able to spot any anomalies or suspicious events- both internally and externally 
• Continuous 24/7 monitoring of your systems, networks, and vulnerabilities to spot any unusual activity 

Respond 

This function requires your organisation to have a detailed plan to address incidents promptly and effectively, with minimal disruption. To align with the NIST incident response function, you must:  

• Have a thorough incident response plan in place that can be immediately implemented once a threat is detected 
• Be sure that your business can stay operational, even in the event of an attack 
• Have a communications plan to report the incident to the relevant legal and regulatory bodies 
• Be able to thoroughly investigate, contain, and analyse an attack to prevent reoccurrence- ensuring you update your policies accordingly 

Recover 

Restoring your services after a cyber incident should be a seamless process. To align with the ‘recover’ function of the NIST framework, your business must:  

• Be able to promptly recover your data, equipment, and network after a cyber incident 
• Outline, implement, and test your disaster recovery plans, ensuring all stakeholders are clear on the process 

These functions not only ensure your business is protected against threats but can streamline operations and reduce costs too. For instance, we worked with a London Borough Council on safeguarding their critical services and assets with backup as a service and disaster recovery as a service, leading to a 54% reduction in operational and administrative costs. 

If you’re unsure of where to start when aligning these functions, take our cyber security maturity assessment, for a comprehensive overview of your key areas of improvement, according to the NIST cyber security framework. 

The NIST is a US government body, but its cyber security framework is upheld globally as the gold-standard in cyber and data security. Businesses based in the UK, particularly those who regularly handle sensitive data, should look to incorporate this framework to effectively protect this data and safeguard against internal and external threats.  

NIST is generally not a requirement for organisations in the UK- unless you work with US government bodies- however, it’s recommended due to its effectiveness and can be advantageous in securing international contracts.  

By following the NIST Cyber Security Framework, you clearly display that your company is:  

• Trustworthy and dedicated to protecting your customers data, increasing trust with your customers and stakeholders 
• Resilient against threats, ensuring continuity even in the event of a cyber attack 
• Upholding the very best practices relating to cyber security, providing competitive edge should you look to secure funding or government contracts  

NIST compliance ensures you are protected against threats, minimising any disruptions and reducing the costs of downtime. A cornerstone of this framework is improving the synergy between technical and corporate teams, meaning you’re able to create a unified workplace culture that is focused on cyber security and protecting your company’s data.