LOGBOOK

HELP

Quiz Entry - updated: 2026.07.14

What are the three components of the NIST Cybersecurity Framework?

Core, Tiers, and Profiles. The Core lists what to do (functions, categories, subcategories), Tiers measure how well you do it, and Profiles describe where you want to be.

NIST CSF split into three components: Core (what to do), Tiers (how well), Profiles (where you want to be)

* The three parts of the CSF: the Core is what to do, Tiers are how well, Profiles are where you aim. *

Component Purpose Analogy
Core The catalogue: 6 functions, 22 categories, 106 sub-categories of controls What to do
Tiers A 1–4 scale measuring how mature and risk-informed the organisation is How well you do it
Profile A current-vs-target snapshot, used as a roadmap for improvement Where you want to go

A typical CSF programme:

  1. Map current state against the Core → "Current Profile".
  2. Decide where you need to be → "Target Profile".
  3. Score current Tier of each function.
  4. Plan the controls and Tier movements to close the gap.

Tip: Most CSF implementations focus on the Core and ignore Tiers — but Tiers are what distinguish having controls from having a working risk-management programme. Without Tier 3+, you have a checklist, not a programme.

Go deeper:

From Quiz: ISF / ISMS & Security Standards (ISO 27k, NIST, BSI) | Updated: Jul 14, 2026