A CERT-In Empanelled Auditing Organization
Audits & Attestation

NIST CSF

A maturity assessment against the NIST Cybersecurity Framework, benchmarking your current and target profiles and producing a prioritised improvement roadmap.

Overview

Know your cyber maturity, plan your uplift.

The NIST Cybersecurity Framework gives organisations a common language for managing cyber risk across its six core functions: Govern, Identify, Protect, Detect, Respond and Recover. It is widely used to benchmark capability and to guide security investment.

We assess your current profile across the framework’s functions, agree a target profile aligned to your risk appetite, and hand you a prioritised roadmap to close the gap.

What’s covered

The areas this audit examines.

Govern

Risk governance, roles and strategy (CSF 2.0).

Identify

Asset, risk and supply-chain understanding.

Protect

Safeguards across access, data and training.

Detect

Monitoring and detection capability.

Respond & Recover

Incident response and resilience.

Who needs this

Is this the right fit?

The organisations that most often turn to this engagement.

  • US-market-facing companies: NIST CSF alignment is widely expected.
  • Federal contractors / suppliers: CSF and NIST SP 800-53 alignment.
  • Critical-infrastructure operators: resilience benchmarking.
  • Enterprises maturing security: a common improvement framework.
  • Boards seeking a maturity view: risk-based reporting.
  • Any organisation benchmarking cyber risk: current and target profiles.

Regulatory drivers

Why this is required

The NIST Cybersecurity Framework is a voluntary but widely adopted benchmark that boards, insurers and business partners increasingly expect organisations to measure themselves against. An assessment establishes a defensible maturity baseline and an improvement roadmap.

NIST CSF 2.0
Provides the functions and categories against which security maturity is assessed.
Board & insurer expectations
Cyber-insurers and boards increasingly request a recognised maturity benchmark.
Partner & contractual requirements
Customers may require alignment to the framework as part of due diligence.
How we work

Our consistent, repeatable process.

A controlled process that delivers an outcome you can defend.

Scoping & profile definition

Agreeing the scope and the organisational profile to assess.

Current-profile assessment

Assessing maturity across the CSF functions and categories.

Target-profile & tiering

Defining the target profile and implementation tier.

Gap & risk analysis

Rating gaps between current and target by risk and effort.

Prioritised roadmap

A sequenced roadmap to reach the target profile.

Report & readout

A clear report and leadership readout of findings.

What you receive

Documentation built for every audience.

  • Profile assessment report: current and target profiles documented.
  • Function & category scorecard: maturity scored across the CSF functions.
  • Implementation tier rating: your tier, with rationale.
  • Gap & risk register: gaps rated by risk and effort.
  • Prioritised roadmap: a sequenced plan to the target profile.

Standards & frameworks

Aligned throughout to the standards and regulations that matter for you.

NIST CSF 2.0
NIST SP 800-53
ISO 27001 (mapping)
CIS Controls

Checklist

Are you ready? A quick checklist

What to have in place before we begin.

Target profile / risk appetite agreed
Asset and system inventory
Existing policies gathered
Control owners available for interviews
Prior assessments / audits shared
Scope (org units) defined
Evidence available per function
Roadmap stakeholders identified

FAQ

Common questions

Is NIST CSF a certification?
No — the NIST Cybersecurity Framework is a voluntary framework for assessing and improving how you manage cyber risk, not a certifiable standard you pass or fail. It is widely used as a common language with boards, insurers and partners, and pairs well with ISO 27001 where formal certification is also needed.
Do you cover CSF 2.0?
Yes. We assess against CSF 2.0, which added a Govern function alongside the original Identify, Protect, Detect, Respond and Recover. Govern makes cybersecurity governance, roles and risk-management strategy an explicit part of the framework, and we measure your capability across all six functions.
How do you measure maturity?
We score each category of the framework on a defined maturity scale, supported by evidence and interviews rather than self-assessment alone. Separately, we place you on the CSF implementation tiers (Partial, Risk Informed, Repeatable, Adaptive), which describe how rigorously cyber risk is governed and managed and are not themselves maturity levels. The result is a clear current profile and an agreed target profile, with the gap between them expressed as a prioritised, practical roadmap.
Related services

Continue exploring

Ready to get started?

Start with a conversation, and we’ll scope an engagement that suits you.