NIST CSF 2.0

NIST Cybersecurity Framework Assessment

A structured, evidence-based assessment of your security maturity against the NIST Cybersecurity Framework. Designed to satisfy the scrutiny of cyber insurers, investors, and regulators alike.

What is the NIST Cybersecurity Framework?

The NIST CSF is a widely adopted, voluntary framework for cybersecurity risk management, developed by the US National Institute of Standards and Technology (NIST). Version 2.0, published in February 2024, organises security outcomes across six core functions: Govern, Identify, Protect, Detect, Respond, and Recover. Govern is new in 2.0 and cuts across the other five.

It is used by organisations of all sizes and sectors to describe their current security posture, set a target posture, and measure progress between the two. It is also one of the frameworks most frequently referenced by cyber insurance underwriters when they evaluate an applicant's risk.

Our assessment maps your actual controls and practices against each function and category — producing a maturity score with supporting evidence that you can share with insurers, investors, and board members.

GV
Govern

Establish and communicate cybersecurity risk management strategy, expectations, and policy across the organisation.

ID
Identify

Understand the assets, people, data, and systems that need protection — and the risks they face.

PR
Protect

Implement safeguards to manage cybersecurity risk: identity and access control, awareness and training, data security, platform security, and the resilience of the technology infrastructure.

DE
Detect

Find and analyse possible attacks and compromises in a timely manner, through continuous monitoring and adverse event analysis.

RS
Respond

Take appropriate action regarding a detected cybersecurity incident — limiting impact and communicating effectively.

RC
Recover

Restore capabilities or services impaired by a cybersecurity incident and improve resilience.

Maturity Tiers

The NIST CSF defines four implementation tiers that characterise the rigour of an organisation's cybersecurity risk governance and risk management practices. NIST is explicit that the tiers are not maturity levels in the CMMI sense; we use them as the scoring scale because they are the vocabulary underwriters and investors recognise. Our assessment establishes which tier you are at today, per function and category, and maps the path to the tier you need to reach.

Tier 1
Partial

Ad hoc, reactive. Risk management is not formalised. Limited awareness of cyber risk across the organisation.

Tier 2
Risk Informed

Risk management practices exist but may not be organisation-wide. Leadership is aware of cyber risk.

Tier 3
Repeatable

Formally approved policies and practices. Organisation-wide approach to managing cyber risk.

Tier 4
Adaptive

Continuously improving based on lessons learned. Advanced threat intelligence informs security practices.

What you get from our assessment

  • Cyber insurance underwriting evidence — documented controls that answer underwriter questionnaires and support premium and coverage negotiations
  • Investor and PE due diligence — structured evidence of security maturity
  • Framework and regulatory alignment — findings cross-referenced to SOC 2, ISO 27001, HIPAA, PCI DSS and other standards, so the same evidence serves more than one audit
  • Prioritised remediation roadmap — fix what matters most, in the right order
  • Board-ready reporting — executive summary alongside technical findings
  • Baseline for ongoing measurement — track maturity improvement over time

Our assessment process

  1. Scoping call

    We agree the assessment scope, the key systems in scope, and your specific goals: insurer evidence, investor due diligence, or an internal roadmap.

  2. Evidence gathering

    Structured questionnaire, documentation review, and stakeholder interviews across each NIST CSF function.

  3. Analysis and scoring

    We score each category against the implementation tiers, with supporting evidence for every finding.

  4. Findings report

    Full technical report plus executive summary. Includes a maturity heatmap, gap analysis, and prioritised remediation roadmap.

  5. Debrief

    We walk through the findings with your team and answer questions. The report is then ready to share with insurers or investors.

Ready to know your security maturity?

Talk to us about an assessment. We'll scope it to your specific goals — whether that's insurance, investors, compliance, or all three.

Request an assessment