LOGBOOK

HELP

Quiz Entry - updated: 2026.06.04

What are Subcategories and Informative References in the NIST CSF, and how do they work together?

Subcategories are concrete outcome statements ("what good looks like"); Informative References map each one to specific controls in established standards.

Subcategory example: ID.BE-1: "The organization's role in the supply chain is identified and communicated." — a measurable outcome, not an implementation instruction.

Its informative references point to where the "how" lives:

  • COBIT 5 APO08.04, APO10.03 …
  • ISO/IEC 27001:2013 A.15.1.3, A.15.2.1 …
  • NIST SP 800-53 CP-2, SA-12
  • (elsewhere also ISA/IEC 62443 for industrial control systems)

Why this design is clever: an organization already certified to ISO 27001 doesn't start over — it maps existing controls onto CSF subcategories and immediately sees its coverage and gaps. The CSF acts as a Rosetta Stone between standards.

Tip: This mirrors the BSI Grundschutz Kreuzreferenztabellen — modern frameworks all provide cross-mappings because real organizations must satisfy several standards at once.

From Quiz: ISM / Frameworks — NIST CSF & IKT Minimalstandard | Updated: Jun 04, 2026