Jacco Meijer | Jun 27, 2025

CSF Tiers for cybersecurity risk governance and management

NIST CSF 2.0 contains useful tiers for Capability Maturity Modeling in Enterprise Architecture

NIST CSF Categories

The post "Combining ISO 27001 and NIST CSF: How to use ISO 27001 and NIST Cyber Security Framework together" shows an Enterprise Architecture (EA) model that maps the two standards.

One of the advantages of NIST CSF is its well-known set of categories, which map naturally onto Enterprise Architecture (EA) business functions. This post is about the maturity scale that NIST CSF describes as Tiers, which can be used to classify the maturity of, for example, these business functions.

NIST CSF tiers

The full descriptions of the tiers are found in Appendix B of NIST CSF 2.0. Below is a brief summary that gives a quick overview; each tier builds on the one before it.

Tier  Name           Risk Governance            Risk Management
1     Partial        Ad hoc                     Ad hoc
2     Risk Informed  Adds management approval   Adds awareness and sharing on an informal basis
3     Repeatable     Adds company-wide policy   Adds consistent methods
4     Adaptive       Adds company culture       Adds feedback loop

The well-known nature of the framework and the clear descriptions it provides are a major advantage over defining your own scale. As with many other maturity models, the tiers run from an ad hoc state to a state that continuously improves from experience. NIST itself describes the Tiers as characterizing the rigor of an organization's cybersecurity risk governance and management practices rather than as a formal maturity model, but that progression is exactly what a maturity metric in an EA model needs.

Because the tiers were designed specifically for cybersecurity, they are a valuable benchmark for this field.

NIST CSF profiles

Related to the tiers, NIST CSF defines the concept of Organizational Profiles. From an EA perspective the CSF Current Profile corresponds to the as-is model and the CSF Target Profile corresponds to the to-be model.

The tiers give a ready-made scale for scoring both the as-is and the to-be models; where the generic tier descriptions do not fit an organization, they can be customized.
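As an added illustration of the as-is/to-be use of tiers (example code, not part of the original post or of any NIST material), the block below scores a Current Profile and a Target Profile per CSF category with a tier, validates both, lists the categories where the target tier is above the current one, and rolls a profile up to a CSF Function. The category identifiers are a small subset of the CSF 2.0 Core; the tier values assigned to them are constructed for the example.

```python
"""Current-vs-target profile gap analysis over CSF 2.0 categories scored with CSF Tiers.

Added example. Category IDs are a subset of the CSF 2.0 Core; the tier values in
CURRENT_PROFILE and TARGET_PROFILE are constructed for illustration only.
"""
from __future__ import annotations

from dataclasses import dataclass

# CSF Tier numbers and names (NIST CSF 2.0, Appendix B).
TIER_NAMES = {1: "Partial", 2: "Risk Informed", 3: "Repeatable", 4: "Adaptive"}

# Subset of CSF 2.0 categories, keyed by Core identifier (Function.Category).
CATEGORIES = {
    "GV.OC": "Organizational Context",
    "GV.RM": "Risk Management Strategy",
    "ID.AM": "Asset Management",
    "PR.AA": "Identity Management, Authentication, and Access Control",
    "DE.CM": "Continuous Monitoring",
    "RS.MA": "Incident Management",
    "RC.RP": "Incident Recovery Plan Execution",
}


@dataclass(frozen=True)
class Gap:
    category: str
    current: int
    target: int

    @property
    def delta(self) -> int:
        # Number of tiers the category still has to climb.
        return self.target - self.current


def profile_errors(profile: dict[str, int]) -> list[str]:
    """A profile must assign exactly one valid tier (1-4) to every modelled category."""
    errors = []
    for cat in sorted(set(profile) - set(CATEGORIES)):
        errors.append(f"unknown category {cat}")
    for cat in sorted(set(CATEGORIES) - set(profile)):
        errors.append(f"missing category {cat}")
    for cat, tier in profile.items():
        if tier not in TIER_NAMES:
            errors.append(f"{cat}: tier must be 1-4, got {tier!r}")
    return errors


def validate_profile(profile: dict[str, int]) -> None:
    errors = profile_errors(profile)
    if errors:
        raise ValueError("; ".join(errors))


def tier_gaps(current: dict[str, int], target: dict[str, int]) -> list[Gap]:
    """Categories whose target tier is above the current tier, largest gap first.

    A target below the current tier is allowed (the organization accepts the
    lower rigor) and is deliberately not reported as a gap.
    """
    validate_profile(current)
    validate_profile(target)
    gaps = [Gap(c, current[c], target[c]) for c in CATEGORIES if target[c] > current[c]]
    return sorted(gaps, key=lambda g: (-g.delta, g.category))


def function_tier(profile: dict[str, int], function: str) -> int:
    """Roll a profile up to a CSF Function such as 'GV' or 'PR'.

    The function tier is the LOWEST tier among its categories, not the average,
    so a single ad hoc category shows through in the overview diagram.
    """
    validate_profile(profile)
    tiers = [t for c, t in profile.items() if c.split(".")[0] == function]
    if not tiers:
        raise KeyError(f"no categories for function {function}")
    return min(tiers)


# Constructed sample profiles (as-is and to-be), not a real assessment.
CURRENT_PROFILE = {"GV.OC": 2, "GV.RM": 1, "ID.AM": 3, "PR.AA": 2, "DE.CM": 1, "RS.MA": 2, "RC.RP": 2}
TARGET_PROFILE = {"GV.OC": 3, "GV.RM": 3, "ID.AM": 3, "PR.AA": 3, "DE.CM": 3, "RS.MA": 3, "RC.RP": 2}

if __name__ == "__main__":
    for g in tier_gaps(CURRENT_PROFILE, TARGET_PROFILE):
        print(f"{g.category} {CATEGORIES[g.category]}: "
              f"{TIER_NAMES[g.current]} -> {TIER_NAMES[g.target]} (+{g.delta})")
    for fn in ("GV", "ID", "PR", "DE", "RS", "RC"):
        print(f"{fn}: as-is tier {function_tier(CURRENT_PROFILE, fn)}, "
              f"to-be tier {function_tier(TARGET_PROFILE, fn)}")
```

The roll-up takes the minimum tier per Function on purpose: an average would hide the one category that is still ad hoc, which is exactly the category a risk owner needs to see when reading the color-coded overview.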

Enterprise Architecture

Within EA the tiers are applied as a metric on an element, here a capability. The diagram below shows capabilities color-coded for the four tiers.

[Diagram: capabilities color-coded by CSF tier]

NIST CSF tiers on CSF Categories

Applying the color-coded tiers to the CSF core functions and their categories results in a diagram like the example below. This gives an organization a clear overview of the status of its cybersecurity risk governance and management.

[Diagram: CSF functions and categories color-coded by tier]

Conclusion

NIST CSF tiers are a useful complement to an organization's cybersecurity risk management methodology. The tiers can be used as a benchmark, and when an organization's risk exposure grows, moving selected functions or categories to a higher tier can be part of the strategy. The highest tier is not automatically the target: the tier chosen for a function should follow from the risk it carries and the cost of reaching that tier.

For organizations that are ISO 27001 certified and willing to adopt the tiers, the post "Combining ISO 27001 and NIST CSF: How to use ISO 27001 and NIST Cyber Security Framework together" describes how ISO 27001 and NIST CSF can be combined.
