Welcome to the
CyberIQs Knowledge Centre
NIST Tier and profile
Hi, I would like to understand how the tiering system works in NIST CSF, and what is the difference with the NIST profile. The tiering system seems a maturity score; however, I have found in many places including the NIST documentation that the tiers do not express maturity. If they are not a way of expressing maturity what are they? Please, can someone help me understand what is the tiering system and how to interpret them after an assessment?
In my experience there are slightly different ways of using the tier system in NIST. The one I use often is based on high-level NIST assessments. See below:
Tier1: no policy, procedures or processes
Tier2: processes are available in the organization
Tier3: policies, procedures and processes are part of the security program of the organization.
The tiers represent 3 key features of an organization.
1. Risk Management Process
2. Integrated Risk Management Program
3. External Participation
1. How widely adopted are the risk management practices?
2. How well integrated are cyber risks in the wider risk management framework?
3. How well connected is the organisation within their ecosystem (intelligence sharing and production)
Check these links: