Readiness assessment for the CSF standard


A readiness assessment provides an overview of an organisation’s maturity

Society is becoming more digitalised and cybercrime poses an increased threat to organisations. So, classic security measures such as Firewall and Antivirus no longer provide sufficient protection for organisations against the threats they are facing. It is now more a question of how, rather than if, you will be hit by a cyberattack.

The National Institute of Standards and Technology’s CSF standard is an attempt to provide organisations with an overview of how ready they are to resist future threats and risks and how well-equipped organisations are to handle these challenges. At Globeteam we use this standard when we carry out readiness assessments, for instance in connection with NIS2.

The CSF standard focuses on the security capabilities that should help catch and manage IT incidents and then recreate the IT environment with the least possible negative consequence for the business. This sets requirements for organisational processes and IT environments and requires training of the individual employee; all of which Globeteam’s more than 50 security consultants can help you with.


The CSF standard’s five areas

The organisation’s maturity is based on questions from the CSF, or Cybersecurity Framework, standard. This can be used by the organisation’s management as a baseline to define objectives for the maturity level the organisation should strive to achieve in the long haul.

The CSF standard works with five areas, which are shown in the figure to the left.

In the example below, the organisation as a whole has a medium maturity level (2.3 out of 5), when it comes to organising, managing and maintaining cyber and information security. However, this average also covers a certain variance in terms of different abilities within security.

Maturity levels in the CSF standard

The maturity (or readiness) is found by answering a series of selected questions from the CSF standard and is expressed as a value that describes the maturity level of the organisation:

Maturity 1: Initial
The organisation has no or few risk management processes and works very little with cyber and information security.

Maturity 2: Partial
The organisation’s risk management processes within information security have not been formalised and risk is managed ad hoc.

Maturity 3: Repeatable
A method for risk management has been established, which has been disseminated throughout the organisation and approved by management but is not yet integrated through extensive policies.

Maturity 4: Managed
The organisation’s risk management has been approved by management and anchored through extensive policies. Practice is updated regularly based on changes to business requirements and environments.

Maturity 5: Optimised
The organisation continuously optimises implemented processes or approved policies based on activities and experiences. Through a continuous improvement process, the organisation actively adapts to changes to the threat and technology landscape.

The overall maturity level for an organisation helps define their vulnerability level. Specifically, this means the lower an organisation’s maturity within cyber and information security, the higher the probability of a risk occurring.

Example of maturity

The organisation’s maturity in the five areas from NIST’s CSF standard are measured as follows:

The ability to identify risks related to people, systems, assets and data.
Here the organisation has a high maturity level (3.79 out of 5).

The ability to protect critical processes through security measures.
Here the organisation has a medium maturity level (2.82 out of 5).

The ability to detect security incidents through targeted activities.
Here the organisation has a low maturity level (1.13 out of 5).

The ability to efficiently be able to handle identified security incidents.
Here the organisation has a medium maturity level (2.11 out of 5).

The ability to recover operations in case of an occurred event and to continuously mitigate vulnerabilities.
Here the organisation has a low maturity level (1.83 out of 5).

Based on current responses and the maturity level, Globeteam provides recommendations for increasing the organisation’s maturity level within the CSF standard’s 5 categories: Identify – Protect – Detect – Respond – Recover.

Globeteam bruger CSF-standarden til at måle organisationers modenhedsniveau

More than 50 security experts

It is important for all organisations to know their own maturity level within cyber and information security so that work on security can be tailored to the organisation’s maturity.

At Globeteam, our team consists of more than 50 security experts that can help carry out a readiness assessment (maturity analysis) in your organisation. In this way you avoid unnecessary attempts to manage security at a level requiring a higher maturity than you currently have, as these attempts almost always fail.

Lisbeth Loft Globeteam
Lisbeth Loft
Security advisor

Can I help ?

If you need help with NIS2, compliance or if you have questions about our readiness assessment / maturity analysis, please feel free to contact me on +45 2680 1415 or