AuditXYZ

Lesson 2 of 5

The Five Core Functions of NIST CSF

13 min read | Intermediate

The Five Core Functions

The NIST CSF Framework Core organizes cybersecurity activities into five concurrent and continuous functions: Identify, Protect, Detect, Respond, and Recover. Together, they provide a strategic view of the cybersecurity lifecycle. A mature program invests in all five — organizations that focus only on protection leave themselves vulnerable.

Identify

The Identify function develops organizational understanding of cybersecurity risk. Key categories include asset management (what do we have?), business environment (what matters most?), governance (who is responsible?), risk assessment (what could go wrong?), and risk management strategy (how do we address risks?). You cannot protect what you do not know about.

Protect

The Protect function implements safeguards to ensure delivery of critical services. Categories include access control, awareness and training, data security, information protection processes, maintenance, and protective technology. This is where most security spending occurs — firewalls, encryption, access management, and security training.

Detect

The Detect function develops capabilities to identify cybersecurity events. Categories include anomalies and events, continuous security monitoring, and detection processes. Detection is about finding incidents as they happen — SIEM, intrusion detection, log monitoring, and anomaly detection fall here.

Respond

The Respond function develops capabilities to act on detected cybersecurity events. Categories include response planning, communications, analysis, mitigation, and improvements. Having a documented incident response plan, conducting tabletop exercises, and maintaining communication templates are core Respond activities.

Recover

The Recover function develops capabilities to restore services impaired by cybersecurity events. Categories include recovery planning, improvements, and communications. Business continuity planning, disaster recovery, and post-incident review are core Recover activities.

Balancing the Functions

Most organizations over-invest in Protect and under-invest in Detect, Respond, and Recover. A balanced approach acknowledges that prevention is not perfect — you must also be able to find, contain, and recover from incidents. Evaluate your spending and capability across all five functions.

In the next lesson, we will cover implementation tiers.