What is NIST?

The National Institute of Standards and Technology Cyber Security Framework is a framework to help organisations manage and reduce their cyber security risk. It uses a common language and set of best practices for managing cyber risk across an organisation.

The framework is designed to be adaptable and flexible to adjust to the needs of different organisations of any size in any industry. It is structured around five core functions – Identify, Protect, Detect, Respond, and Recover – these represent the basic cyber security activities that any organisation should undertake to manage and reduce cyber security risk.

Although typically used by US-based organisations, it is becoming more common in the UK and Europe.

Who is required to comply with NIST?

There is no legislation or regulatory requirement for organisations to adopt the NIST CSF. However, some industries and sectors may be required by law or
regulation to implement specific cyber security measures or frameworks that align with the NIST CSF.

Organisations in the UK that have complex supply chains or business relationships involving US organisations, may find it beneficial to use the NIST CSF to help document their cyber security risk, mitigations and treatment processes.

NIST is recognised by the ICO (Information Commissioner’s Office) as a robust approach to evaluating an organisation’s IT Security and Data Protection capabilities. The NIST CSF is particularly useful in supporting the continual and evolving challenges of IT Security and Data Protection within an organisation, and can establish a task orientated approach to managing complex business models with complex risks.

How can Evolve North help?

We provide annual external audit and scoring of an organisation’s approach to IT Security, Data Protection and Governance against the requirements of the NIST CSF, identifying maturity levels and evaluating risk appetite. This can be leveraged to provide your organisation’s risk committee with a tangible benchmark to assist in making informed risk decisions based upon risk appetite, targeting areas that will have the most impact on risk management and reduction.

The audit is best conducted as an annual exercise to demonstrate and measure progress in a meaningful way to all stakeholders and help drive appropriate risk management and risk reduction across the business over the coming years.

Talk to a specialist now – call 01748 905 002.


Evolve North works across a wide range of differing industries throughout the UK and Europe in both public, private and voluntary sectors.