LOGBOOK

HELP

Quiz Entry - updated: 2026.07.05

What's the relationship between Categories, Sub-categories, and Informative References in the NIST CSF Core?

Functions split into Categories (themes), Categories split into Sub-categories (specific outcomes), and each Sub-category is mapped to entries in other frameworks (ISO 27001, COBIT, CIS Controls, SP 800-53) via Informative References.

Hierarchy: Function to Category to Sub-category to Informative References

* The Core drills down: Functions to Categories to outcome-based Sub-categories, each mapped to other frameworks via Informative References. *

Function    →  Category           →  Sub-category               →  Informative References
Govern         GV.SC (Cyber       GV.SC-01: A cyber supply chain   CIS Controls v8.0: 15.2
               supply chain         risk management program is     CRI Profile v2.0: GV.SC-01
               risk management)    established                     SP 800-221A: GV.PO-1
                                                                   CSF v1.1: ID.SC-1

Informative References are the Rosetta Stone of cybersecurity frameworks: they let an organisation that already implements SP 800-53 instantly find the relevant 27002 control, or vice versa.

Tip: CSF Sub-categories are written as outcomes, not actions ("a program is established"), so they can be mapped to almost any control catalogue. That's deliberate — it lets the CSF stay implementation-agnostic.

Go deeper:

From Quiz: ISF / ISMS & Security Standards (ISO 27k, NIST, BSI) | Updated: Jul 05, 2026