What the NIST CSF actually is

The National Institute of Standards and Technology Cybersecurity Framework is a voluntary framework first published in 2014 and updated to CSF 2.0 in 2024. It isn't a compliance standard and it isn't a certification – unlike ISO 27001, there's no accredited body that audits you against it and issues a certificate. What it is, is a framework for organising cybersecurity activities: a common language for describing what a cybersecurity programme does and how mature it is.

Despite being voluntary, it carries real weight. US federal agencies use it as a reference. Some state regulations require or reference it. Cyber insurance underwriters increasingly build their questionnaires around its structure, whether they say so explicitly or not. If you do business in the US, or with US organisations that take cybersecurity seriously, you'll encounter it.

For UK businesses, the closest equivalent in intent is the NCSC's Cyber Essentials scheme – but the two aren't directly comparable. Cyber Essentials is narrower and more prescriptive, covering a specific set of technical controls. The NIST CSF is broader and less prescriptive: it tells you what to think about, not exactly how to implement it. That flexibility is both its strength and the reason SMEs sometimes struggle to know where to start.

The six functions of CSF 2.0 explained practically

CSF 1.1 was built around five core functions. CSF 2.0 adds a sixth – Govern – at the top of the structure. Together they cover the full lifecycle of a cybersecurity programme.

Govern is the new addition in 2.0 and sits above the others deliberately. It covers organisational context, risk management strategy, supply chain risk, policies and board-level oversight. The rationale is sound: without governance, the other five functions lack direction and accountability. For an SME, this means documented policies, a named person responsible for cybersecurity decisions and some evidence that risk is being considered at a leadership level.

Identify covers asset management, risk assessment and understanding your environment. You can't protect what you don't know you have. This function is about building an accurate picture of your assets – hardware, software, data, users – and understanding which of them are most critical and most exposed.

Protect covers the controls you put in place to reduce the likelihood of an incident: access control, awareness training, data security, configuration management and patching. This is where most day-to-day security work sits.

Detect covers monitoring, anomaly detection and continuous assessment – the capability to notice when something is wrong. Many SMEs are weak here. Without centralised log monitoring and alerting, a breach can go undetected for days or weeks.

Respond covers incident response planning, communications and mitigation – what you do when something does go wrong. Having a plan before an incident is the difference between a managed response and a crisis.

Recover covers recovery planning, improvements and communications after an incident. It's about getting back to normal operations and learning from what happened.

One important point for SMEs: the framework is a map, not a checklist. It contains hundreds of subcategories across the six functions. You don't need to implement all of them. The task is to identify which categories matter most to your risk profile, and prioritise accordingly.

Where SMEs typically have gaps

When we assess SME cybersecurity programmes against the CSF, the same gaps appear repeatedly. They're not random – they reflect the constraints of running security without a dedicated team.

In Govern: no documented risk management process, and no clear board-level accountability for cybersecurity. Security decisions get made reactively, by whoever is available, without a framework for weighing up risk.

In Identify: an incomplete asset inventory, with shadow IT not accounted for. Staff using personal cloud storage, unapproved SaaS tools or unmanaged devices don't appear in the official picture – which means they don't appear in the risk assessment either.

In Protect: MFA not fully deployed (present on email, absent on the CRM or cloud file storage), patching handled ad hoc rather than on a regular cycle, and no documented access control policy governing who has access to what and how that access is reviewed.

In Detect: no centralised log monitoring, no alerting on anomalous behaviour. Endpoint detection and response (EDR) may be installed but not actively monitored. The capability to notice a breach is absent or unreliable.

In Respond: an incident response plan that exists on paper but has never been tested. Nobody has run a tabletop exercise. The first time the plan is used is during a real incident.

In Recover: a backup process that's running but has never been tested with a real restore. No documented recovery time objective. No communications plan for notifying customers, regulators or insurers if the worst happens.

CSF 2.0 and how it compares to ISO 27001 and Cyber Essentials

The NIST CSF is broader than both ISO 27001 and Cyber Essentials, though it maps onto them reasonably well.

Cyber Essentials covers a subset of the Protect function – specifically, five technical control areas: firewalls, secure configuration, access control, malware protection and patch management. It's a valuable baseline, but it's a narrow slice of the full CSF. If you hold Cyber Essentials, you've addressed some of Protect. You haven't addressed Govern, Identify, Detect, Respond or Recover in any systematic way.

ISO 27001 maps across all six functions. Its management system approach – policies, risk assessments, internal audits, management reviews – aligns well with the Govern function in particular. If you hold ISO 27001, you've addressed most of the CSF framework, though the specific technical controls required by your Statement of Applicability will determine how fully.

For businesses operating across both the UK and US markets, using the NIST CSF as the organising framework and mapping Cyber Essentials or ISO 27001 controls into it produces a comprehensive programme. It addresses US market expectations while satisfying international certification requirements – and it gives you a single reference point for explaining your cybersecurity posture to insurers, customers and partners.

How to use the framework without enterprise resources

The right starting point for an SME isn't a full implementation programme – it's a gap assessment against the framework's Core. Work through the six functions, identify which categories are most relevant to your risk profile, and map your current state honestly against each one.

The framework's tiers – Partial, Risk Informed, Repeatable and Adaptive – are useful here. Most SMEs are at Tier 1 (Partial) or Tier 2 (Risk Informed) when they start. The goal isn't necessarily to reach Tier 4 (Adaptive) across all functions – it's to reach Tier 3 (Repeatable) in the areas that matter most to your risk profile.

Prioritise the Identify and Protect functions first. You can't detect or respond effectively if you don't know what you have and haven't protected it. Getting these two functions to a repeatable level gives you a solid foundation before investing in detection and response capabilities.
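The gap assessment described above, as an added example that is not part of the original article or Route B's own tooling: it scores each category against a target of Repeatable (Tier 3) where it matters to the risk profile, orders open gaps with Identify and Protect first, and reports per-function tier changes between two assessments. The Risk Informed floor for out-of-scope categories, the ordering of the four remaining functions, the rule that a function is only as mature as its weakest category, and the category names are all assumptions of this example, not from the text.

```python
from dataclasses import dataclass

# CSF implementation tiers, numbered as in the text above
TIERS = {"Partial": 1, "Risk Informed": 2, "Repeatable": 3, "Adaptive": 4}
TIER_NAMES = {n: name for name, n in TIERS.items()}

# Remediation precedence: Identify and Protect first comes from the text;
# the order of the remaining four is an assumption of this example.
FUNCTION_ORDER = ["Identify", "Protect", "Govern", "Detect", "Respond", "Recover"]

@dataclass(frozen=True)
class Category:
    function: str   # one of the six CSF 2.0 functions
    name: str       # CSF category (names here are illustrative)
    current: str    # assessed tier, a key of TIERS
    relevant: bool  # in scope for this organisation's risk profile

def target_tier(cat: Category) -> int:
    # Repeatable (3) where it matters; a Risk Informed (2) floor elsewhere is assumed
    return 3 if cat.relevant else 2

def gap(cat: Category) -> int:
    return max(0, target_tier(cat) - TIERS[cat.current])

def prioritised_gaps(categories):
    """Open gaps ordered by function precedence, then largest gap first."""
    open_gaps = [c for c in categories if gap(c) > 0]
    open_gaps.sort(key=lambda c: (FUNCTION_ORDER.index(c.function), -gap(c), c.name))
    return [(c.function, c.name, TIERS[c.current], target_tier(c)) for c in open_gaps]

def function_tier(categories, function: str) -> str:
    """Weakest category sets the function's tier (assumption); unassessed counts as Partial."""
    return TIER_NAMES[min((TIERS[c.current] for c in categories if c.function == function), default=1)]

def tier_progress(before, after):
    """Per-function tier changes between two assessments, e.g. for an insurance renewal."""
    pairs = {f: (function_tier(before, f), function_tier(after, f)) for f in FUNCTION_ORDER}
    return {f: p for f, p in pairs.items() if p[0] != p[1]}

# Constructed assessment mirroring the typical SME gaps described above
ASSESSMENT = [
    Category("Govern", "Risk Management Strategy", "Partial", True),
    Category("Identify", "Asset Management", "Partial", True),
    Category("Protect", "Access Control", "Risk Informed", True),
    Category("Protect", "Awareness and Training", "Repeatable", True),
    Category("Detect", "Continuous Monitoring", "Partial", True),
    Category("Respond", "Incident Management", "Risk Informed", False),
    Category("Recover", "Recovery Planning", "Partial", True),
]
```

Running `prioritised_gaps(ASSESSMENT)` lists Asset Management first and leaves the out-of-scope Respond category out, since it already meets its assumed floor.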

Quick wins that move the dial without requiring significant budget or headcount:

None of these require enterprise resources. They require time, attention and the willingness to make security decisions deliberately rather than reactively.

CSF and cyber insurance

US cyber insurers increasingly reference the NIST CSF in their underwriting questionnaires, either explicitly or through questions that map directly to CSF controls. Even where the framework isn't named, the underlying structure is often there: questions about MFA, endpoint protection, patch management, backup testing and incident response planning correspond almost exactly to the Protect and Recover functions.

The controls underwriters weight most heavily are well documented at this point: MFA on all privileged and remote access, EDR deployed across endpoints, tested and immutable backups, a regular patching cycle and a documented incident response plan. These aren't arbitrary – they're the controls that most directly affect whether a ransomware attack results in a recoverable situation or a total loss.

Using the CSF as your cybersecurity programme framework, and maintaining documentation of your posture against it, puts you in the best position to answer insurance questionnaires accurately. It also gives you a clear narrative for demonstrating improvement at renewal – showing that you've moved from Tier 1 to Tier 2 in a specific function is a concrete, auditable claim. That's more persuasive to an underwriter than a general assertion that you take security seriously.

Route B helps businesses implement practical cybersecurity programmes aligned to the NIST CSF and other frameworks. Get in touch to discuss your situation.