Quiz Entry - updated: 2026.07.05
How is the NIST CSF Core structured internally (its hierarchy)?
Functions → Categories → Subcategories → Informative References — from 5 broad pillars down to ~108 concrete outcomes with pointers into other standards.
* Functions → Categories → Subcategories → Informative References; the naming PR.AC-3 encodes the path. *
- 5 Functions (Identify … Recover) — the pillars
- 23 Categories — groups of outcomes within a function, e.g. Asset Management (ID.AM) or Data Security (PR.DS)
- ~108 Subcategories — specific outcome statements, e.g. ID.BE-1: "The organization's role in the supply chain is identified and communicated"
- Informative References — for each subcategory, pointers to matching controls in COBIT 5, ISO/IEC 27001, NIST SP 800-53, ISA 62443, …
The naming convention encodes the hierarchy: PR.AC-3 = function PRotect → category Access Control → subcategory 3.
Tip: The CSF itself contains no controls — the references are what link the "what" (outcome) to the "how" (controls in other standards). That's why it's called a framework, not a standard.
Go deeper:
NIST SP 800-53 Rev. 5 — Security and Privacy Controls — Der Kontrollkatalog, auf den die CSF-Subkategorien verweisen; mit Mappings zu ISO/IEC 27001.