LOGBOOK

HELP

Quiz Entry - updated: 2026.07.14

What are the four Tiers of the NIST CSF, and what do they measure?

Tier 1 (Partial) → Tier 2 (Risk Informed) → Tier 3 (Repeatable) → Tier 4 (Adaptive). Tiers measure how mature and integrated the cybersecurity programme is, NOT how secure the organisation is.

Four-tier ladder from Partial to Risk Informed to Repeatable to Adaptive

* The four Tiers climb from ad-hoc (Partial) to threat-informed (Adaptive) — measuring rigour and integration, not how secure you are. *

Tier Name What it looks like
Tier 1 Partial Ad-hoc, reactive; little awareness of cyber risk; processes informal
Tier 2 Risk Informed Risk-aware practices in place but not org-wide policy
Tier 3 Repeatable Formal policies, processes, and tracking; consistent risk responses
Tier 4 Adaptive Continuous improvement, threat-informed, integrated with broader enterprise risk

Organisations should pick their target Tier, which is the level at which cybersecurity risk is "acceptable, affordable, and feasible." Not everyone needs Tier 4 — many SMEs operate well at Tier 2 with conscious risk acceptance.

Tiers are measured across three attributes (per CSF v2.0):

  • Cybersecurity Risk Governance — board involvement
  • Cybersecurity Risk Management — how risks are tracked and treated
  • External Participation — info sharing, supply-chain awareness

Tip: Don't confuse Tiers with Maturity Models (CMMI). CSF Tiers don't claim that higher is better — they describe how risk-driven and integrated the programme is. A Tier 2 organisation that consciously accepts the cost of not being Tier 4 is doing the right thing.

Go deeper:

From Quiz: ISF / ISMS & Security Standards (ISO 27k, NIST, BSI) | Updated: Jul 14, 2026