What are Subcategories and Informative References in the NIST CSF, and how do they work together?
Subcategories are concrete outcome statements ("what good looks like"); Informative References map each one to specific controls in established standards.
Subcategory example: ID.BE-1: "The organization's role in the supply chain is identified and communicated." — a measurable outcome, not an implementation instruction.
Its informative references point to where the "how" lives:
- COBIT 5 APO08.04, APO10.03 …
- ISO/IEC 27001:2013 A.15.1.3, A.15.2.1 …
- NIST SP 800-53 CP-2, SA-12
- (elsewhere also ISA/IEC 62443 for industrial control systems)
Why this design is clever: an organization already certified to ISO 27001 doesn't start over — it maps existing controls onto CSF subcategories and immediately sees its coverage and gaps. The CSF acts as a Rosetta Stone between standards.
Tip: This mirrors the BSI Grundschutz Kreuzreferenztabellen — modern frameworks all provide cross-mappings because real organizations must satisfy several standards at once.