jan-karel.com

NIST CSF Security Maturity Assessment: how does it work?

How mature is your organization's cybersecurity? That question is difficult to answer without a structured measurement instrument. Our NIST CSF Security Maturity Assessment evaluates your cybersecurity program against the world's most widely used cybersecurity framework and provides a concrete picture of where you stand and where you need to go.

What is a NIST CSF Security Maturity Assessment?

A NIST CSF Security Maturity Assessment measures the maturity of your cybersecurity program against the NIST Cybersecurity Framework. The assessment evaluates all five core functions of the framework: Identify, Protect, Detect, Respond, and Recover.

The NIST Cybersecurity Framework was developed by the National Institute of Standards and Technology (NIST), part of the U.S. Department of Commerce. Originally focused on critical infrastructure, the framework has grown into the international standard for cybersecurity risk management. Organizations of every size and in every sector use it as a compass for their security program.

The goal of a maturity assessment is not to obtain a certification, but to get an honest and measurable picture of your current security level. That picture is essential for three purposes: prioritization of investments (where does a euro deliver the most value?), communication to management and the board (how are we doing?), and progress measurement (are we actually improving over time?).

Methodology and maturity levels

Our assessment is based on NIST CSF 2.0, the most recent version of the Cybersecurity Framework (published in February 2024). NIST CSF 2.0 offers improved guidelines, is more broadly applicable than earlier versions, and includes additional attention to governance and supply chain security.

We use four maturity levels per assessed component:

  • Level 0 -- Not present: the control or process has not been implemented. There is no awareness of the need or no resources have been allocated.
  • Level 1 -- Ad hoc: the control exists in some form but is informal and dependent on individuals. There is no formal documentation and execution is inconsistent.
  • Level 2 -- Defined: the control is formally documented, responsibilities are assigned, and the process is consistently executed. This is the level that most organizations should set as a minimum target.
  • Level 3 -- Optimized: the control is not only documented but is also actively measured, audited, and continuously improved. Decisions are made in a data-driven manner and the process is integrated into broader business operations.

The NIST CSF is the most widely used cybersecurity framework in the world and closely aligns with other standards such as ISO 27001, NIS2, and the CIS Controls. A good NIST CSF maturity score is therefore a strong indicator of an organization's overall cybersecurity maturity.

The five steps of the assessment

The assessment follows the five core functions of the NIST CSF. For each function, you answer three questions about specific sub-areas. Each answer is scored at one of the four maturity levels (0 to 3), after which the system calculates a weighted score per function and an overall maturity score.

1 Identify

The first function assesses three fundamentals of cybersecurity: asset management (do you have an up-to-date inventory of all IT assets?), risk assessment (do you periodically conduct a risk assessment?), and governance (has a formal security policy been established?).

You cannot protect what you do not know. Identify is the foundation of every security program. Without a complete inventory of your assets, an understanding of your risks, and a governance framework within which security decisions are made, all subsequent measures are built on shifting ground. Organizations that score low on Identify often lack the fundamental prerequisites for effective security.

2 Protect

The second function assesses the protective measures that should prevent or limit attacks: access control (how mature is your access management?), security awareness and training (are employees regularly trained?), and data protection (is encryption and/or DLP implemented?).

Protective measures are the first line of defense. Good access management prevents unauthorized individuals from reaching sensitive systems. Security awareness training reduces the risk of phishing -- still the most commonly used attack vector. And data protection through encryption and Data Loss Prevention (DLP) limits the damage if a breach does occur. Together, these measures form the preventive layer of your security.

3 Detect

The third function assesses your ability to discover incidents: continuous monitoring (are systems and networks continuously monitored?), detection processes (are there formal procedures for detecting incidents?), and anomaly detection (are deviations automatically identified and reported?).

Detection determines how quickly you discover an incident. Research by IBM shows that the average time to detect a data breach is 194 days. Every day an attacker goes unnoticed in your network increases the damage. Continuous monitoring, structured detection processes, and automated anomaly detection drastically reduce this detection time. Organizations without detection capability often only discover incidents when an external party informs them -- or when the damage has already been done.

4 Respond

The fourth function assesses your ability to respond adequately to incidents: response planning (is an incident response plan in place?), communication (are communication procedures for incidents documented?), and analysis and mitigation (are incidents analyzed and contained?).

A good response plan limits damage and recovery time. Without a plan, organizations respond chaotically to incidents: critical hours are lost figuring out who needs to do what, communication is ad hoc, and technical mitigation starts too late. A tested incident response plan -- including communication protocols for employees, customers, regulators, and media -- is the difference between a managed incident and a crisis. NIS2 additionally requires that significant incidents be reported within 24 hours.

5 Recover

The fifth function assesses your recovery capability after an incident: recovery planning (is there a recovery plan for after an incident?), improvements (are lessons learned systematically incorporated?), and recovery communication (is communication coordinated during recovery?).

Recovery capability determines the resilience of your organization. A ransomware attack that takes down your entire IT environment requires a reliable and tested recovery plan. Without such a plan, recovery time can extend from days to weeks, with all the financial and reputational damage that entails. Equally important is systematically incorporating lessons learned: every incident is an opportunity to improve your security. Organizations that fail to do this make the same mistakes again.

What do you get as a result?

After completing all five functions, the assessment automatically calculates your maturity profile. The results consist of four components:

  • Overall maturity score -- an overarching score reflecting the average maturity level of your cybersecurity program. The score is expressed as a maturity level with a corresponding color indication.
  • Radar chart (5 functions) -- a visual representation of your score per NIST CSF function. The radar chart shows at a glance which functions are strong and which are weak. A balanced profile is desirable: a high score on Protect but a low score on Detect creates a false sense of security.
  • Individual category scores -- detailed scores per assessed component within each function, so you can see exactly which sub-areas need the most attention.
  • Recommendations -- prioritized improvement points per function, based on your specific answers. The recommendations focus on the areas where the greatest improvement can be achieved per unit of investment.
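To make the scoring concrete, here is an added example (not the assessment tool's own code) that scores a questionnaire as described above: three answers per function at level 0 to 3, a score per function for the radar chart, an overall score, prioritized gaps against a target level, and a check for the lopsided profile the radar chart is meant to expose. Equal weights per question and the sample answers are assumptions, since the page does not publish its weighting.

```python
from statistics import mean
# Added example, not the assessment tool's own code. Equal weights per
# question are an assumption; the page does not publish its weighting.
LEVELS = {0: "Not present", 1: "Ad hoc", 2: "Defined", 3: "Optimized"}

# Constructed sample answers for a fictional organisation: three sub-areas
# per function, each scored at level 0-3 as in the questionnaire.
SAMPLE_ANSWERS = {
    "Identify": {"asset management": 2, "risk assessment": 1, "governance": 2},
    "Protect": {"access control": 3, "awareness training": 2, "data protection": 3},
    "Detect": {"continuous monitoring": 1, "detection processes": 0, "anomaly detection": 0},
    "Respond": {"response planning": 1, "communication": 1, "analysis and mitigation": 2},
    "Recover": {"recovery planning": 2, "improvements": 1, "recovery communication": 1},
}

def validate(answers):
    """Reject malformed input: exactly three answers per function, each in 0-3."""
    for fn, cats in answers.items():
        if len(cats) != 3:
            raise ValueError(f"{fn}: expected 3 answers, got {len(cats)}")
        bad = [c for c, lvl in cats.items() if lvl not in LEVELS]
        if bad:
            raise ValueError(f"{fn}: level outside 0-3 for {bad}")

def function_scores(answers):
    """Per-function score: mean of its three answers, rounded for the radar chart."""
    validate(answers)
    return {fn: round(mean(cats.values()), 2) for fn, cats in answers.items()}

def overall_score(answers):
    """Overall maturity: mean over all answers (no double rounding via function scores)."""
    validate(answers)
    return round(mean(lvl for cats in answers.values() for lvl in cats.values()), 2)

def maturity_level(score):
    """Label a fractional score by rounding down: a 1.9 is still 'Ad hoc', not 'Defined'."""
    return LEVELS[int(score)]

def recommendations(answers, target=2):
    """Prioritised gaps: sub-areas below the target level, weakest first."""
    gaps = [(fn, cat, lvl) for fn, cats in answers.items()
            for cat, lvl in cats.items() if lvl < target]
    return sorted(gaps, key=lambda g: (g[2], g[0], g[1]))

def imbalance(answers, spread=1.5):
    """Flag a lopsided profile (e.g. strong Protect, weak Detect) that hides a false sense of security."""
    s = function_scores(answers)
    hi, lo = max(s, key=s.get), min(s, key=s.get)
    return (hi, lo) if s[hi] - s[lo] >= spread else None
```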

The free report

Free PDF report
  • Overall maturity score with visual color indication
  • Radar chart of the five NIST CSF functions
  • Recommendations per function with priority indication
  • Comparison with average scores in your sector

After completing the assessment, you can receive the report directly by email as a PDF. The free report provides a clear overview of your current maturity level per NIST CSF function. The radar chart immediately makes visible where the strongest and weakest points are. The recommendations help you take the first improvement steps.

The free report is particularly suitable as a starting point for a conversation with management or the board about the state of cybersecurity within your organization. The visual radar chart makes the abstract concept of "security maturity" tangible and open to discussion.

Premium Maturity Assessment

Premium report -- € 89,- excl. VAT
  • Score per NIST CSF function: Identify, Protect, Detect, Respond, Recover
  • Maturity level 1-5 with detailed explanation per component
  • Gap analysis per subcategory with specific recommendations
  • 12-month roadmap to the next maturity level
  • Spider/radar chart with current level vs. target level
  • Management reporting for security investment steering

The premium report transforms the maturity measurement into a concrete improvement program. Where the free report shows where you stand, the premium report shows how to get there. The gap analysis per subcategory identifies exactly which controls are missing or insufficiently mature. The 12-month roadmap translates these gaps into an achievable improvement plan with clear milestones.

The spider/radar chart with current versus target level is a powerful communication tool for boardrooms. It shows at a glance where the organization currently stands and where it wants to be in twelve months. The management reporting translates technical maturity scores into business language, so that security investments are supported by measurable goals and progress.

The premium report is particularly valuable for organizations preparing for ISO 27001 certification, needing to demonstrate NIS2 compliance, or wanting to justify their security budget to management. The detailed gap analysis and roadmap save weeks of consultancy hours.

Free vs. premium comparison

Component                                        Free   Premium
Overall maturity score                           ✓      ✓
Radar chart (5 functions)                        ✓      ✓
Recommendations per function                     ✓      ✓
Score per NIST CSF function (detailed)           –      ✓
Maturity level 1-5 with detailed explanation     –      ✓
Gap analysis per subcategory                     –      ✓
12-month roadmap to next level                   –      ✓
Spider/radar chart (current vs. target level)    –      ✓
Management reporting for investment steering     –      ✓

Frequently Asked Questions

What is the NIST CSF?

The NIST Cybersecurity Framework (CSF) is an internationally recognized framework for managing cybersecurity risks. It was developed by the National Institute of Standards and Technology, part of the U.S. Department of Commerce. The framework consists of five core functions -- Identify, Protect, Detect, Respond, and Recover -- that together cover the full cybersecurity lifecycle. NIST CSF is used by organizations of every size, from SMEs to multinationals and government institutions.

What are maturity levels?

Maturity levels indicate how well an organization has established and manages its cybersecurity processes. In our assessment, we use four levels: level 0 (not present), level 1 (ad hoc, informal, and dependent on individuals), level 2 (defined, documented, and consistently executed), and level 3 (optimized, measured, and continuously improved). A higher level does not necessarily mean more technology, but rather more structure, documentation, and measurability.

What maturity level should you aim for?

The ideal maturity level depends on your organization, sector, and risk profile. For most SMEs, level 2 (defined and documented) is a realistic and healthy target. Organizations in regulated sectors -- financial, healthcare, energy, government -- or with a high risk profile should aim for level 3. Important: not every function needs to be at the same level. Prioritize based on your greatest risks. An organization that processes a lot of sensitive data may invest extra in Protect and Detect.

How does NIST CSF relate to ISO 27001?

NIST CSF and ISO 27001 are complementary, not competing. ISO 27001 is a certifiable standard with specific requirements for an Information Security Management System (ISMS). It prescribes what you must do. NIST CSF is a more flexible framework focused on risk management that describes how mature you are. Many organizations use NIST CSF as the overarching model to measure their security maturity and ISO 27001 as the implementation standard for the ISMS. A good NIST CSF maturity score is a strong indicator of ISO 27001 readiness.

How often should you measure maturity?

Measure your security maturity at least annually as part of your annual security review or management review. Additionally, perform an interim measurement after significant changes: a major investment in security tooling, a reorganization, a cyber incident, or a change of CISO. Regular measurement makes the progress of your security program visible and measurable. It also enables you to evaluate the effectiveness of investments: has that new SIEM implementation actually improved your Detect score?

What does it cost to go from level 1 to 2?

Costs vary significantly per organization and per function, but the step from level 1 (ad hoc) to level 2 (defined) primarily involves documentation and process formalization. For an SME with 50-200 employees, this typically requires 3 to 6 months of effort and an investment of 10,000 to 50,000 euros in policy development, procedures, and basic tooling. The step from level 2 to 3 is generally more expensive and time-intensive, as it requires automation, continuous measurement, and more advanced tooling. The premium report includes a roadmap that specifies this investment per function.

Is NIST CSF mandatory?

NIST CSF is not legally mandatory in the EU. However, it is widely recognized as an international best practice and serves as a reference framework for many regulators and auditors. The requirements in NIS2 Article 21 closely align with the five functions of NIST CSF. Many organizations that need to demonstrate NIS2 compliance use NIST CSF as the underlying framework. For U.S. federal agencies, NIST CSF is mandatory via Executive Order 13800.

What is the difference between NIST CSF 1.1 and 2.0?

NIST CSF 2.0, published in February 2024, contains four key enhancements compared to version 1.1. First, a sixth core function has been added: Govern, focused on cybersecurity governance and risk management at the board level. Second, the framework has been made more broadly applicable -- no longer exclusively focused on critical infrastructure. Third, the guidelines for supply chain risk management have been strengthened. Fourth, version 2.0 offers more support for smaller organizations with limited resources. Our assessment is based on the NIST CSF 2.0 structure.