Welcome to the
CyberIQs Knowledge Centre

NIST Tier and profi...
Clear all

NIST Tier and profile

Active Member
Joined: 1 year ago
Posts: 5
Topic starter  

Hi, I would like to understand how the tiering system works in NIST CSF, and what is the difference with the NIST profile. The tiering system seems a maturity score; however, I have found in many places including the NIST documentation that the tiers do not express maturity. If they are not a way of expressing maturity what are they? Please, can someone help me understand what is the tiering system and how to interpret them after an assessment?


Active Member
Joined: 1 year ago
Posts: 10

In my experience there are slighly different ways of using the tier system in NIST.The one I use often is based on high level NIST assessments. See below,


Tier1: no policy, procedures or processes

Tier2: processes are available in the organization

Tier3: policies, procedures and processes are part of the security program of the organization.

Eminent Member
Joined: 1 year ago
Posts: 28

The tiers represent 3 key features of an organization.

1. Risk Management Process

2. Integrated Risk Management Program

3. External Participation


Which means:


1. How widely adopted are the risk management practices?

2. How well integrated are cyber risks in the wider risk management framework

3. How well connected is the organisation within their ecosystem (intelligence sharing and production)


Check these links: