AuditXYZ

Lesson 4 of 5

NIST CSF Framework Profiles: Current State and Target State

10 min read | Intermediate

NIST CSF Framework Profiles

Framework Profiles are a practical tool for aligning cybersecurity activities with business requirements, risk tolerance, and resources. A Profile maps your organization's activities to the Framework Core's functions, categories, and subcategories.

Current Profile

The Current Profile documents your organization's existing cybersecurity posture. For each subcategory in the Framework Core, assess what you currently have in place. Be honest — the Current Profile is your baseline, and an inaccurate baseline leads to misguided priorities.

Building a Current Profile involves interviewing stakeholders across the organization, reviewing existing security documentation and controls, assessing technology implementations, and evaluating process maturity.

Target Profile

The Target Profile defines your desired cybersecurity posture. It reflects your business objectives, threat environment, regulatory requirements, and risk tolerance. The Target Profile should be achievable — setting unrealistic targets undermines the exercise.

Developing a Target Profile involves understanding business and regulatory requirements, assessing the threat landscape relevant to your industry, determining risk tolerance through leadership engagement, and identifying which subcategories are most important for your organization.

Gap Analysis

The gap between Current and Target Profiles is where the real value lies. Gaps represent areas where investment is needed. Prioritize gaps based on risk impact, feasibility, and cost. Create an action plan with timelines and resource requirements for closing the most critical gaps.
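As an added illustration (not part of the lesson and not a NIST artefact), the script below encodes a Current and a Target Profile as per-subcategory implementation levels, computes the open gaps, and ranks them by the three criteria named above. The subcategory identifiers follow CSF 2.0 naming, but the levels, impact/feasibility/cost ratings and the weighting formula are constructed assumptions for demonstration.

```python
from dataclasses import dataclass

# Implementation level per subcategory: 0 = nothing in place, 4 = fully
# implemented and measured. All values below are constructed for illustration.


@dataclass(frozen=True)
class Gap:
    subcategory: str
    current: int
    target: int
    risk_impact: int   # 1 (low) .. 5 (high): consequence if the gap stays open
    feasibility: int   # 1 (hard) .. 5 (easy to close)
    cost: int          # 1 (cheap) .. 5 (expensive)

    @property
    def size(self) -> int:
        return self.target - self.current

    @property
    def priority(self) -> float:
        # Larger gaps on high-impact subcategories rank first; among those,
        # easier and cheaper fixes rank higher. The weighting is an assumption.
        return self.size * self.risk_impact * self.feasibility / self.cost


def gap_analysis(current, target, attrs):
    """current/target: {subcategory: level}; attrs: {subcategory: (impact, feasibility, cost)}.
    Returns the open gaps (target above current) sorted by descending priority."""
    gaps = []
    for sub, tgt in target.items():
        cur = current.get(sub, 0)   # absent from the Current Profile = not implemented
        if tgt <= cur:
            continue                # already at or above target: no gap to close
        impact, feas, cost = attrs[sub]
        gaps.append(Gap(sub, cur, tgt, impact, feas, cost))
    return sorted(gaps, key=lambda g: g.priority, reverse=True)


# Constructed sample profiles (CSF 2.0 subcategory identifiers, invented levels).
CURRENT = {"ID.AM-01": 3, "PR.AA-01": 1, "DE.CM-01": 2, "RC.RP-01": 0}
TARGET = {"ID.AM-01": 3, "PR.AA-01": 4, "DE.CM-01": 4, "RC.RP-01": 2}
ATTRS = {"ID.AM-01": (3, 4, 2), "PR.AA-01": (5, 3, 3),
         "DE.CM-01": (4, 2, 4), "RC.RP-01": (4, 5, 2)}

if __name__ == "__main__":
    for g in gap_analysis(CURRENT, TARGET, ATTRS):
        print(f"{g.subcategory}: {g.current}->{g.target} (gap {g.size}) priority {g.priority:.1f}")
```

With the sample data, RC.RP-01 outranks PR.AA-01 despite the smaller gap because it is cheaper and easier to close; swapping the weights changes the order, which is exactly the leadership conversation the action plan should capture.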

Community Profiles

NIST CSF 2.0 introduces the concept of Community Profiles — sector-specific or use-case-specific profiles developed by industry groups. These provide starting points for organizations in specific sectors, reducing the effort of building profiles from scratch.

Practical Tips

Start simple — you do not need to assess every subcategory in detail for your first profile. Focus on the categories most relevant to your business. Revisit and refine profiles annually. Use profiles as a communication tool with leadership to justify security investments and demonstrate progress.

In the next lesson, we will cover the changes in NIST CSF 2.0.