NIST CSF2 Toolkit Version 2
FUNCTION | CATEGORY | DOC REF | DOCUMENT
None None None None CSF-DOC-IMPL-1 CSF-DOC-IMPL-2 CSF-DOC-IMPL-3 CSF-DOC-IMPL-4 CSF-DOC-IMPL-5 CSF-FORM-IMPL-1 CSF-FORM-IMPL-2
ATTENTION READ ME FIRST NIST CSF2 Toolkit Completion Instructions CERTIKIT NIST CSF2 Implementation Guide CERTIKIT NIST CSF2 Toolkit Index The NIST Cybersecurity Framework (CSF) 2-0 CSF Benefits Presentation CSF Project Definition CSF Project Plan Procedure for the Control of Documents CSF Documentation Log CSF Progress Report CSF Current and Target Profile
Organizational Context (OC)
CSF-DOC-GVOC-1 | InfoSec Context, Reqts and Scope
CSF-DOC-GVOC-2 | Legal, Regulatory and Contractual Requirements Procedure
CSF-DOC-GVOC-3 | Legal, Regulatory and Contractual Requirements
CSF-DOC-GVOC-4 | Schedule of Confidentiality Agreements
CSF-DOC-GVOC-5 | Non-Disclosure Agreement
CSF-DOC-GVOC-6 | Business Impact Analysis Process
CSF-DOC-GVOC-7 | Business Impact Analysis Report
CSF-FORM-GVOC-1 | Business Impact Analysis Tool
None | EXAMPLE Legal, Regulatory and Contractual Requirements
Risk Management Strategy (RM)
CSF-DOC-GVRM-1 | InfoSec Objectives and Plan
CSF-DOC-GVRM-2 | Cybersecurity Risk Management Policy
CSF-DOC-GVRM-3 | Risk Assessment and Treatment Process
CSF-FORM-GVRM-1 | Opportunity Assessment Tool
None | EXAMPLE Opportunity Assessment Tool
Roles, Responsibilities, and Authorities (RR)
CSF-DOC-GVRR-1 | InfoSec Roles Responsibilities and Authorities
CSF-DOC-GVRR-2 | Executive Support Letter
CSF-DOC-GVRR-3 | HR Security Policy
CSF-DOC-GVRR-4 | Employee Screening Procedure
CSF-DOC-GVRR-5 | Guidelines for Inclusion in Employment Contracts
CSF-DOC-GVRR-6 | Employee Disciplinary Process
CSF-FORM-GVRR-1 | Employee Screening Checklist
CSF-FORM-GVRR-2 | Employee Termination and Change of Employment Checklist
CSF-FORM-GVRR-3 | Leavers Letter
Policy (PO)
CSF-DOC-GVPO-1 | Information Security Policy
CSF-DOC-GVPO-2 | Social Media Policy
CSF-DOC-GVPO-3 | Information Security Whistleblowing Policy
CSF-DOC-GVPO-4 | Internet Access Policy
CSF-DOC-GVPO-5 | Electronic Messaging Policy
CSF-DOC-GVPO-6 | Online Collaboration Policy
CSF-DOC-GVPO-7 | Cloud Services Policy
CSF-DOC-GVPO-8 | IP and Copyright Compliance Policy
CSF-DOC-GVPO-9 | Privacy and Personal Data Protection Policy
CSF-DOC-GVPO-10 | Remote Working Policy
CSF-DOC-GVPO-11 | Mobile Device Policy
CSF-DOC-GVPO-12 | BYOD Policy
CSF-DOC-GVPO-13 | Information Deletion Policy
CSF-DOC-GVPO-14 | Data Masking Policy
CSF-DOC-GVPO-15 | Data Leakage Prevention Policy
Oversight (OV)
CSF-DOC-GVOV-1 | Process for Monitoring, Measurement, Analysis and Evaluation
CSF-DOC-GVOV-2 | Procedure for Management Reviews
CSF-FORM-GVOV-1 | Management Review Meeting Agenda
Cybersecurity Supply Chain Risk Management (SC)
CSF-DOC-GVSC-1 | Cybersecurity Supply Chain Policy
CSF-DOC-GVSC-2 | Supplier Information Security Agreement
CSF-DOC-GVSC-3 | Supplier Due Diligence Assessment Procedure
CSF-DOC-GVSC-4 | Supplier Information Security Evaluation Process
CSF-DOC-GVSC-5 | Supplier Evaluation Covering Letter
CSF-FORM-GVSC-1 | Supplier Due Diligence Assessment
CSF-FORM-GVSC-2 | Supplier Evaluation Questionnaire
None | EXAMPLE Supplier Due Diligence Assessment
None | EXAMPLE Supplier Evaluation Questionnaire
Asset Management (AM)
CSF-DOC-IDAM-1 | Asset Management Policy
CSF-DOC-IDAM-2 | Asset Inventory
CSF-DOC-IDAM-3 | Acceptable Use Policy
CSF-DOC-IDAM-4 | Asset Handling Procedure
CSF-DOC-IDAM-5 | Procedure for Managing Lost or Stolen Devices
CSF-DOC-IDAM-6 | Procedure for Taking Assets Offsite
CSF-DOC-IDAM-7 | Procedure for the Management of Removable Media
CSF-DOC-IDAM-8 | Physical Media Transfer Procedure
CSF-FORM-IDAM-1 | Acceptable Use Confirmation Form
None | EXAMPLE Network Diagram
Risk Assessment (RA)
CSF-DOC-IDRA-1 | Risk Assessment Report
CSF-DOC-IDRA-2 | Risk Treatment Plan
CSF-DOC-IDRA-3 | Threat Intelligence Policy
CSF-DOC-IDRA-4 | Threat Intelligence Process
CSF-DOC-IDRA-5 | Threat Intelligence Report
CSF-DOC-IDRA-6 | Technical Vulnerability Management Policy
CSF-DOC-IDRA-7 | Technical Vulnerability Assessment Procedure
CSF-DOC-IDRA-8 | Change Management Process
CSF-FORM-IDRA-1 | Asset-Based Risk Tool
CSF-FORM-IDRA-2 | Scenario-Based Risk Tool
None | EXAMPLE Asset-Based Risk Tool
None | EXAMPLE Scenario-Based Risk Tool
0. Implementation Resources
1. GOVERN (GV)
IDENTIFY (ID)
06/03/2024