NIST CSF 2 Assessment Services
URM provides independent, impartial assessments against the National Institute of Standards and Technology (NIST) Cybersecurity Framework (CSF) 2.0, covering the Categories and Subcategories within its six Functions, as set out below:
- Govern (GV): Here, we assess whether your cybersecurity governance aligns with your organisation's overall business objectives and risk management strategy. We also assess the effectiveness of your cybersecurity policies, ensuring that they are documented, approved and communicated to relevant stakeholders, and how well your cybersecurity risk management processes are integrated with your wider enterprise risk management.
- Identify (ID): Under this Function, we aim to confirm assets are inventoried and classified according to their criticality and sensitivity. The effectiveness of your risk assessment processes is also determined, along with your understanding of your business environment and dependencies, e.g., supply chain risks.
- Protect (PR): The focus of our assessment is on the safeguards your organisation has in place to ensure the delivery of your critical services. Safeguards we assess include access control (e.g., is access to assets restricted based on user roles and responsibilities?), data protection mechanisms (e.g., encryption and data loss prevention), platform and technology security controls, and staff security awareness and training.
- Detect (DE): With this Function, we aim to assess how your organisation identifies and analyses possible cybersecurity attacks and compromises in a timely manner. Such assessments include your ability to continuously monitor for cybersecurity events and anomalies as well as verifying the implementation and testing of processes and detection tools, along with your event analysis and correlation.
- Respond (RS): Our assessment here is focused on ensuring appropriate activities are performed in response to detected cybersecurity incidents. This includes confirming that incident response plans are in place, regularly tested and updated, evaluating your ability to contain and mitigate the impact of cybersecurity incidents, and ensuring that internal and external communications are in place during an incident.
- Recover (RC): With the final Function, we look to assess your ability to restore assets and operations affected by a cybersecurity incident. Included here will be an assessment of your recovery planning and exercising, the integration of cybersecurity recovery plans with broader business continuity efforts, and your ability to conduct post-incident reviews and learn from incidents in order to improve recovery strategies.
Our assessments involve a combination of inspecting documentation and conducting interviews with staff members who either have responsibility for the development and maintenance of the framework and its governance or are control owners. The objectives of URM's assessments are typically to:
- Assess the level of maturity of the controls your organisation has implemented against the NIST CSF 2.0 Categories and Subcategories
- Determine a current maturity score, mapped to the NIST CSF Implementation Tiers (Partial, Risk Informed, Repeatable and Adaptive), identify improvements that could be made, and predict the maturity scores you would achieve following completion of the recommended improvements.
The assessment scope can be tailored to suit your needs, covering the entire CSF or a subset of Functions and Categories, to address specific risks you have identified. Leveraging our extensive knowledge of ISO 27001:2022, we are also able to position NIST CSF 2.0 assessments within your existing Information Security Management System (ISMS), mapping results to ISO 27001:2022 Annex A controls so that they can be tracked within your existing reporting mechanisms.
Why URM for NIST?
Track record
URM has a 19-year track record of providing high-quality consultancy and training support, assisting organisations to improve their information and cyber security, as well as their information governance posture and capabilities. A particular niche skill is helping organisations to conform or certify to recognised 'best practice' standards and frameworks such as ISO 27001 and SOC 2. URM is particularly adept at developing existing frameworks to meet the requirements of these standards, or building on an existing ISO 27001 ISMS to achieve NIST CSF conformance. Having assisted over 400 organisations to achieve world-recognised standards, URM has worked with organisations of all sizes, from micro businesses to multinationals, across all the major market sectors.
Tailored approach
URM is renowned for adopting a highly tailored and bespoke service where its consultants are constantly striving to deliver sustainable solutions that meet both the current and future needs of the client organisation.
Flexible delivery
When transferring knowledge on meeting the requirements of the NIST CSF, URM can do so through various delivery mechanisms, e.g., one-to-one support, workshops or training courses. Furthermore, when delivering remediation services to address gaps, URM's support is tailored and flexible, based on the client's requirements, internal knowledge and available resources. Support can be delivered on an activity-by-activity basis or by allocating a consultant on a recurring basis, e.g., one day a week. As such, the engagements help to ensure that remediation activities are followed through, that the organisation remains conformant, and that sufficient evidence is generated for the assessment.