
São Paulo/SP – March 17, 2023 – The NIST Cybersecurity Framework is one of the most widely used in the world, providing a framework, based on existing standards, guidelines and practices, to manage and reduce cybersecurity risk.

*Julliana Nunes

What is its objective?

The NIST Cybersecurity Framework is one of the most widely used in the world, providing a framework, based on existing standards, guidelines and practices, to manage and reduce cybersecurity risk. An organization can use the framework to identify, assess and manage cybersecurity risk, helping it to prevent, detect and respond to cyber threats and attacks.


The framework presents existing standards, guidelines and practices in a way that enables communication of cybersecurity activities and outcomes throughout the organization, from the executive level to the implementation/operational level. It consists of five (5) concurrent and ongoing Functions that provide a high-level strategic view of an organization's security risk management lifecycle: Identify, Protect, Detect, Respond and Recover.

Each Function has Categories and Subcategories that are mapped to Informative References, i.e. existing standards, guidelines and practices, for example ISO 27001:2013, COBIT 5 and ISA 62443-2-1:2009.


Each Function has a group of Categories related to programmatic needs and specific activities, such as "Asset Management", "Risk Management" and "Supply Chain Risk Management".


Each Category has specific technical and/or management activities, as in the case of the "Asset Management" Category, which contains the Subcategory "Physical devices and systems within the organization are inventoried".

Implementation Tiers

The Implementation Tiers describe how the organization deals with cybersecurity risk and the processes involved in managing that risk. There are 4 (four) Implementation Tiers; the higher the Tier, the closer the organization's cybersecurity risk management program is to the characteristics defined in the framework. They are:

  • Tier 1: Partial
  • Tier 2: Risk Informed
  • Tier 3: Repeatable
  • Tier 4: Adaptive

Framework Profile

A Framework Profile represents the outcomes an organization selects based on its business needs. This mechanism is used to identify cybersecurity improvement opportunities by comparing a Current Profile with a Target Profile. The Current Profile can then be used to support prioritization and to measure progress towards the Target Profile.
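As an added example (not part of the original article or of SAFEWAY's material), the Python below scores a small Current/Target Profile against the four Implementation Tiers, reports the gap per Subcategory (largest first, to support prioritization) and the progress per Function. The Subcategory identifiers follow CSF 1.1 naming; the tier scores are constructed sample values.

```python
from dataclasses import dataclass

# Functions and Tiers as named in the article.
FUNCTIONS = ("Identify", "Protect", "Detect", "Respond", "Recover")
TIERS = {1: "Partial", 2: "Risk Informed", 3: "Repeatable", 4: "Adaptive"}


@dataclass(frozen=True)
class Outcome:
    """One Subcategory outcome scored in the Current and Target Profiles."""
    subcategory: str   # CSF 1.1 identifier, e.g. "ID.AM-1"
    function: str      # one of FUNCTIONS
    current: int       # Tier (1-4) achieved today
    target: int        # Tier (1-4) the business requires


def validate(outcome: Outcome) -> None:
    """Reject outcomes that reference an unknown Function or an invalid Tier."""
    if outcome.function not in FUNCTIONS:
        raise ValueError(f"unknown function {outcome.function!r}")
    for tier in (outcome.current, outcome.target):
        if tier not in TIERS:
            raise ValueError(f"tier must be 1-4, got {tier}")


def gaps(profile):
    """(subcategory, tiers short of target) for every outcome below target."""
    for outcome in profile:
        validate(outcome)
    below = [(o.subcategory, o.target - o.current) for o in profile if o.current < o.target]
    return sorted(below, key=lambda item: (-item[1], item[0]))


def function_progress(profile):
    """Per Function: share of required tier levels already achieved (0.0-1.0).
    Outcomes above target count as fully achieved, never as extra credit."""
    achieved, required = {}, {}
    for o in profile:
        validate(o)
        achieved[o.function] = achieved.get(o.function, 0) + min(o.current, o.target)
        required[o.function] = required.get(o.function, 0) + o.target
    return {fn: round(achieved[fn] / required[fn], 2) for fn in achieved}


# Constructed sample profile: tier scores are illustrative, not a real assessment.
SAMPLE_PROFILE = [
    Outcome("ID.AM-1", "Identify", current=2, target=4),
    Outcome("ID.AM-2", "Identify", current=3, target=3),
    Outcome("PR.AC-1", "Protect", current=1, target=3),
    Outcome("DE.CM-1", "Detect", current=2, target=3),
    Outcome("RS.RP-1", "Respond", current=3, target=2),
    Outcome("RC.RP-1", "Recover", current=1, target=2),
]
```

Running `gaps(SAMPLE_PROFILE)` lists ID.AM-1 and PR.AC-1 first (two tiers short), while `function_progress` shows Respond already at target and Protect furthest behind.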

Benefits of the Framework for your organization

  • It is adaptable to provide a flexible, risk-based implementation that can be used with a wide range of cybersecurity risk management processes;
  • Provides a common language for communicating requirements among stakeholders responsible for delivering essential critical infrastructure products and services;
  • Use of Informative References, drawing on standards, guidelines and practices common across infrastructure sectors, illustrating methods for achieving the outcomes associated with each Subcategory. Frameworks such as ISO 27001 and COBIT 5 are therefore also incorporated, for better cybersecurity risk management outcomes;
  • Enables greater protection of information and critical operations;
  • Increased resilience of business processes;
  • Increased confidence of customers, suppliers and stakeholders, demonstrating that their investment in the organization is safe and protected against adverse events.

*Juliana Nunes is a GRC and Information Security Senior Consultant | SAFEWAY


SAFEWAY is an Information Security consulting company recognized by its clients for offering high added value solutions through projects that fully meet the needs of the business. In 14 years of experience, we have accumulated several successful projects that have earned us credibility and prominence among our clients, which largely constitute the 100 largest companies in Brazil.

Today, through 25 strategic partnerships with global manufacturers and our SOC, SAFEWAY is considered a one-stop shop with the best technology, process and people solutions. We have both the technical skill and the experience necessary to help your company determine and raise its cybersecurity maturity level using the controls and Implementation Tiers defined by the NIST Framework. If you want more information, contact one of our specialists!