LOGBOOK

HELP

Quiz Entry - updated: 2026.07.05

How is the NIST CSF Core structured internally (its hierarchy)?

Functions → Categories → Subcategories → Informative References — from 5 broad pillars down to ~108 concrete outcomes with pointers into other standards.

Four-level hierarchy: Functions, Categories, Subcategories, Informative References.

* Functions → Categories → Subcategories → Informative References; the naming PR.AC-3 encodes the path. *

  • 5 Functions (Identify … Recover) — the pillars
  • 23 Categories — groups of outcomes within a function, e.g. Asset Management (ID.AM) or Data Security (PR.DS)
  • ~108 Subcategories — specific outcome statements, e.g. ID.BE-1: "The organization's role in the supply chain is identified and communicated"
  • Informative References — for each subcategory, pointers to matching controls in COBIT 5, ISO/IEC 27001, NIST SP 800-53, ISA 62443, …

The naming convention encodes the hierarchy: PR.AC-3 = function PRotect → category Access Control → subcategory 3.

Tip: The CSF itself contains no controls — the references are what link the "what" (outcome) to the "how" (controls in other standards). That's why it's called a framework, not a standard.

Go deeper:

From Quiz: ISM / Frameworks — NIST CSF & IKT Minimalstandard | Updated: Jul 05, 2026