NIST CSF2 Toolkit Version 1
AREA / DOC REF | DOCUMENT
0. Implementation Resources
(none) | ATTENTION READ ME FIRST
(none) | NIST CSF2 Toolkit Completion Instructions
(none) | A Guide to Implementing NIST CSF2
(none) | NIST CSF2 Toolkit Index
(none) | CSF Framework 2-0 Draft
(none) | CSF Framework Core 2-0 with Examples Discussion Draft
CSF-DOC-IMPL-1 | CSF Benefits Presentation
CSF-DOC-IMPL-2 | CSF Project Definition
CSF-DOC-IMPL-3 | CSF Project Plan
CSF-DOC-IMPL-4 | Procedure for the Control of Documents
CSF-DOC-IMPL-5 | CSF Documentation Log
CSF-FORM-IMPL-1 | CSF Progress Report
CSF-FORM-IMPL-2 | CSF Current and Target Profile

1. Govern GV - Category GV-OC
CSF-DOC-GVOC-1 | InfoSec Context, Reqts and Scope
CSF-DOC-GVOC-2 | Legal, Regulatory and Contractual Requirements Procedure
CSF-DOC-GVOC-3 | Legal, Regulatory and Contractual Requirements
CSF-DOC-GVOC-4 | Schedule of Confidentiality Agreements
CSF-DOC-GVOC-5 | Non-Disclosure Agreement
CSF-DOC-GVOC-6 | Business Impact Analysis Process
CSF-DOC-GVOC-7 | Business Impact Analysis Report
CSF-FORM-GVOC-1 | Business Impact Analysis Tool
(none) | EXAMPLE Legal, Regulatory and Contractual Requirements

1. Govern GV - Category GV-RM
CSF-DOC-GVRM-1 | InfoSec Objectives and Plan
CSF-DOC-GVRM-2 | Cybersecurity Risk Management Policy
CSF-DOC-GVRM-3 | Risk Assessment and Treatment Process
CSF-FORM-GVRM-1 | Opportunity Assessment Tool
(none) | EXAMPLE Opportunity Assessment Tool

1. Govern GV - Category GV-SC
CSF-DOC-GVSC-1 | Cybersecurity Supply Chain Policy
CSF-DOC-GVSC-2 | Supplier Information Security Agreement
CSF-DOC-GVSC-3 | Supplier Due Diligence Assessment Procedure
CSF-DOC-GVSC-4 | Supplier Information Security Evaluation Process
CSF-DOC-GVSC-5 | Supplier Evaluation Covering Letter
CSF-FORM-GVSC-1 | Supplier Due Diligence Assessment
CSF-FORM-GVSC-2 | Supplier Evaluation Questionnaire
(none) | EXAMPLE Supplier Due Diligence Assessment
(none) | EXAMPLE Supplier Evaluation Questionnaire

1. Govern GV - Category GV-RR
CSF-DOC-GVRR-1 | InfoSec Roles Responsibilities and Authorities
CSF-DOC-GVRR-2 | Executive Support Letter
CSF-DOC-GVRR-3 | HR Security Policy
CSF-DOC-GVRR-4 | Employee Screening Procedure
CSF-DOC-GVRR-5 | Guidelines for Inclusion in Employment Contracts
CSF-DOC-GVRR-6 | Employee Disciplinary Process
CSF-FORM-GVRR-1 | Employee Screening Checklist
CSF-FORM-GVRR-2 | Employee Termination and Change of Employment Checklist
CSF-FORM-GVRR-3 | Leavers Letter

1. Govern GV - Category GV-PO
CSF-DOC-GVPO-1 | Information Security Policy
CSF-DOC-GVPO-2 | Social Media Policy
CSF-DOC-GVPO-3 | Information Security Whistleblowing Policy
CSF-DOC-GVPO-4 | Internet Access Policy
CSF-DOC-GVPO-5 | Electronic Messaging Policy
CSF-DOC-GVPO-6 | Online Collaboration Policy
CSF-DOC-GVPO-7 | Cloud Services Policy
CSF-DOC-GVPO-8 | IP and Copyright Compliance Policy
CSF-DOC-GVPO-9 | Privacy and Personal Data Protection Policy
CSF-DOC-GVPO-10 | Remote Working Policy
CSF-DOC-GVPO-11 | Mobile Device Policy
CSF-DOC-GVPO-12 | BYOD Policy
CSF-DOC-GVPO-13 | Information Deletion Policy
CSF-DOC-GVPO-14 | Data Masking Policy
CSF-DOC-GVPO-15 | Data Leakage Prevention Policy

1. Govern GV - Category GV-OV
CSF-DOC-GVOV-1 | Process for Monitoring, Measurement, Analysis and Evaluation
CSF-DOC-GVOV-2 | Procedure for Management Reviews
CSF-FORM-GVOV-1 | Management Review Meeting Agenda
03/01/2024
Page 1 of 3
2. Identify ID - Category ID-AM
CSF-DOC-IDAM-1 | Asset Management Policy
CSF-DOC-IDAM-2 | Asset Inventory
CSF-DOC-IDAM-3 | Acceptable Use Policy
CSF-DOC-IDAM-4 | Asset Handling Procedure
CSF-DOC-IDAM-5 | Procedure for Managing Lost or Stolen Devices
CSF-DOC-IDAM-6 | Procedure for Taking Assets Offsite
CSF-DOC-IDAM-7 | Procedure for the Management of Removable Media
CSF-DOC-IDAM-8 | Physical Media Transfer Procedure
CSF-FORM-IDAM-1 | Acceptable Use Confirmation Form
(none) | EXAMPLE Network Diagram

2. Identify ID - Category ID-RA
CSF-DOC-IDRA-1 | Risk Assessment Report
CSF-DOC-IDRA-2 | Risk Treatment Plan
CSF-DOC-IDRA-3 | Threat Intelligence Policy
CSF-DOC-IDRA-4 | Threat Intelligence Process
CSF-DOC-IDRA-5 | Threat Intelligence Report
CSF-DOC-IDRA-6 | Technical Vulnerability Management Policy
CSF-DOC-IDRA-7 | Technical Vulnerability Assessment Procedure
CSF-DOC-IDRA-8 | Change Management Process
CSF-FORM-IDRA-1 | Asset-Based Risk Tool
CSF-FORM-IDRA-2 | Scenario-Based Risk Tool
(none) | EXAMPLE Asset-Based Risk Tool
(none) | EXAMPLE Scenario-Based Risk Tool

2. Identify ID - Category ID-IM
CSF-DOC-IDIM-1 | Procedure for Continual Service Improvement
CSF-DOC-IDIM-2 | Service Improvement Plan
CSF-DOC-IDIM-3 | Procedure for the Mgt of Nonconformity
CSF-FORM-IDIM-1 | Nonconformity and Corrective Action Log
CSF-FORM-IDIM-2 | Incident Lessons Learned Report
(none) | EXAMPLE Improvement Plan
(none) | EXAMPLE Incident Lessons Learned Report
(none) | EXAMPLE Nonconformity and Corrective Action Log

3. Protect PR - Category PR-AA
CSF-DOC-PRAA-1 | Access Control Policy
CSF-DOC-PRAA-2 | User Access Management Process
CSF-DOC-PRAA-3 | Dynamic Access Control Policy
CSF-DOC-PRAA-4 | Segregation of Duties Guidelines
CSF-DOC-PRAA-5 | Physical Security Policy
CSF-DOC-PRAA-6 | Physical Security Design Standards
CSF-DOC-PRAA-7 | Data Centre Access Procedure
CSF-DOC-PRAA-8 | Procedure for Working in Secure Areas

3. Protect PR - Category PR-AT
CSF-DOC-PRAT-1 | Awareness Training Presentation
CSF-DOC-PRAT-2 | InfoSec Competence Development Procedure
CSF-DOC-PRAT-3 | InfoSec Competence Development Report
CSF-DOC-PRAT-4 | Information Security Summary Card
CSF-FORM-PRAT-1 | Competence Development Questionnaire
(none) | EXAMPLE Competence Development Questionnaire

3. Protect PR - Category PR-DS
CSF-DOC-PRDS-1 | Cryptographic Policy
CSF-DOC-PRDS-2 | Records Retention and Protection Policy
CSF-DOC-PRDS-3 | Information Classification Procedure
CSF-DOC-PRDS-4 | Information Labelling Procedure
CSF-DOC-PRDS-5 | Clear Desk and Clear Screen Policy
CSF-DOC-PRDS-6 | Procedure for the Disposal of Media
CSF-DOC-PRDS-7 | Backup Policy
CSF-DOC-PRDS-8 | Privileged Utility Program Register

3. Protect PR - Category PR-PS
CSF-DOC-PRPS-1 | Configuration Management Policy
CSF-DOC-PRPS-2 | Configuration Management Process
CSF-DOC-PRPS-3 | Configuration Standard Template
CSF-DOC-PRPS-4 | Logging and Monitoring Policy
CSF-DOC-PRPS-5 | Software Policy
CSF-DOC-PRPS-6 | Secure Development Policy
CSF-DOC-PRPS-7 | Secure Coding Policy
CSF-DOC-PRPS-8 | Secure Development Environment Guidelines
(none) | EXAMPLE Configuration Standard Template

3. Protect PR - Category PR-IR
CSF-DOC-PRIR-1 | Network Security Policy
CSF-DOC-PRIR-2 | ICT Continuity Incident Response Procedure
CSF-DOC-PRIR-3 | ICT Continuity Plan
CSF-DOC-PRIR-4 | ICT Continuity Exercising and Testing Schedule
CSF-DOC-PRIR-5 | ICT Continuity Test Plan
CSF-DOC-PRIR-6 | ICT Continuity Test Report
CSF-DOC-PRIR-7 | Capacity Plan
CSF-DOC-PRIR-8 | Availability Management Policy
4. Detect DE - Category DE-CM
CSF-DOC-DECM-1 | Monitoring Policy
CSF-DOC-DECM-2 | Anti-Malware Policy
CSF-DOC-DECM-3 | Web Filtering Policy
CSF-DOC-DECM-4 | CCTV Policy
4. Detect DE - Category DE-AE
CSF-DOC-DEAE-1 | Information Security Event Reporting Procedure
CSF-DOC-DEAE-2 | Information Security Event Assessment Procedure

5. Respond RS - Category RS-MA
CSF-DOC-RSMA-1 | Information Security Incident Response Procedure

5. Respond RS - Category RS-AN
CSF-DOC-RSAN-1 | Preservation of Evidence Guidelines
CSF-FORM-RSAN-1 | Incident Impact Information Log
CSF-FORM-RSAN-2 | Plan Activation Log

5. Respond RS - Category RS-CO
CSF-DOC-RSCO-1 | Personal Data Breach Notification Procedure
CSF-DOC-RSCO-2 | InfoSec Communication Programme
CSF-DOC-RSCO-3 | Authorities Contacts
CSF-DOC-RSCO-4 | Special Interest Group Contacts
CSF-FORM-RSCO-1 | Personal Data Breach Notification Form
CSF-FORM-RSCO-2 | Breach Notification Letter to Data Subjects
(none) | EXAMPLE Authorities Contacts
(none) | EXAMPLE Personal Data Breach Notification Form
(none) | EXAMPLE Special Interest Group Contacts

5. Respond RS - Category RS-MI
CSF-DOC-RSMI-1 | Incident Response Plan Ransomware
CSF-DOC-RSMI-2 | Incident Response Plan Denial of Service
CSF-DOC-RSMI-3 | Incident Response Plan Data Breach

6. Recover RC - Category RC-RP
CSF-FORM-RCRP-1 | Incident Response Action Log

6. Recover RC - Category RC-CO
CSF-DOC-RCCO-1 | Draft Public Update on Incident Recovery