What are the four Tiers of the NIST CSF, and what do they measure?
Tier 1 (Partial) → Tier 2 (Risk Informed) → Tier 3 (Repeatable) → Tier 4 (Adaptive). Tiers measure how mature and integrated the cybersecurity programme is, NOT how secure the organisation is.
* The four Tiers climb from ad-hoc (Partial) to threat-informed (Adaptive) — measuring rigour and integration, not how secure you are. *
| Tier | Name | What it looks like |
|---|---|---|
| Tier 1 | Partial | Ad-hoc, reactive; little awareness of cyber risk; processes informal |
| Tier 2 | Risk Informed | Risk-aware practices in place but not org-wide policy |
| Tier 3 | Repeatable | Formal policies, processes, and tracking; consistent risk responses |
| Tier 4 | Adaptive | Continuous improvement, threat-informed, integrated with broader enterprise risk |
Organisations should pick their target Tier, which is the level at which cybersecurity risk is "acceptable, affordable, and feasible." Not everyone needs Tier 4 — many SMEs operate well at Tier 2 with conscious risk acceptance.
Tiers are measured across three attributes (per CSF v2.0):
- Cybersecurity Risk Governance — board involvement
- Cybersecurity Risk Management — how risks are tracked and treated
- External Participation — info sharing, supply-chain awareness
Tip: Don't confuse Tiers with Maturity Models (CMMI). CSF Tiers don't claim that higher is better — they describe how risk-driven and integrated the programme is. A Tier 2 organisation that consciously accepts the cost of not being Tier 4 is doing the right thing.
Go deeper:
The NIST CSF 2.0 (CSWP 29) — defines Tiers 1-4 and the risk-governance attributes they measure (not raw security).
NIST Cybersecurity Framework (Wikipedia) — quick reference for the Partial / Risk Informed / Repeatable / Adaptive ladder.