Understanding NIST CSF 2.0 Requirements
The NIST CSF 2.0 provides a comprehensive framework for improving cybersecurity risk management. It spans 22 categories and 108 subcategories, covering functions like Identify, Protect, Detect, Respond, and Recover.
Our assessments evaluate how well your organisation aligns with these core functions, focusing not only on policies but also on how effectively your defences operate under real-world conditions.
Tenendo Approach
We go beyond surface-level checklists. Our assessments include:
- Detailed analysis of your current security controls mapped against NIST CSF 2.0 categories.
- Simulated attack scenarios (including social engineering and red teaming elements) to validate your security readiness.
- Contextual risk analysis to identify which gaps pose the most serious threats to your business.
Each engagement is tailored — whether you’re aiming for full NIST CSF alignment, preparing for audits, or improving your cybersecurity maturity.
Assessment Organisation
We follow a structured yet flexible process:
- Scoping & Planning
We define the assessment scope based on your environment, industry, and business needs.
- Data Collection
Through interviews, technical reviews, and penetration testing, we gather evidence across all CSF domains.
- Compliance & Maturity Mapping
Each subcategory is evaluated for completeness, effectiveness, and relevance.
- Real-World Testing (Optional)
If requested, we simulate adversarial scenarios (e.g., phishing, lateral movement) to validate assumptions and uncover operational gaps.
- Recommendations & Roadmap
We provide actionable guidance, prioritising both immediate fixes and long-term resilience improvements.
Deliverables
At the end of the assessment, you receive:
- Detailed compliance scorecard for all CSF categories and subcategories.
- Risk-based gap analysis identifying partial or missing controls.
- Real-world findings, including weaknesses in network segmentation, user awareness, and detection capabilities.
- Remediation roadmap, aligned with your business priorities and technical capacity.
- Executive summary for senior stakeholders.