CSF-DOC-GVPO-5
CSF-DOC-GVPO-10 Remote Working Policy
CSF-DOC-GVPO-11 Mobile Device Policy
CSF-DOC-GVPO-12 BYOD Policy
CSF-DOC-GVPO-13 Information Deletion Policy
CSF-DOC-GVPO-14 Data Masking Policy
CSF-DOC-GVPO-15 Data Leakage Prevention Policy
CSF-DOC-GVOV-1 Process for Monitoring, Measurement, Analysis and Evaluation
CSF-DOC-GVOV-2 Procedure for Management Reviews
CSF-FORM-GVOV-1 Management Review Meeting Agenda Cybersecurity
CSF-DOC-GVSC-1 Cybersecurity Supply Chain Policy
CSF-DOC-GVSC-2
FUNCTION CATEGORY DOC REF DOCUMENT 0. Implementation Resources None ATTENTION READ ME FIRST NIST CSF2 Toolkit Completion Instructions None CERTIKIT NIST CSF2 Implementation Guide None CERTIKIT NIST CSF2 Toolkit Index None The NIST Cybersecurity Framework (CSF) 2-0 CSF-DOC-IMPL-1 CSF Benefits Presentation CSF-DOC-IMPL-2 CSF Project Definition CSF-DOC-IMPL-3 CSF Project Plan CSF-DOC-IMPL-4 Procedure for the Control of Documents CSF-DOC-IMPL-5 CSF Documentation Log CSF-FORM-IMPL-1 CSF Progress Report CSF-FORM-IMPL-2 CSF Current and Target Profile 1. GOVERN (GV) Organizational Context (OC) CSF-DOC-GVOC-1 InfoSec Context, Reqts and Scope CSF-DOC-GVOC-2 Legal, Regulatory and Contractual Requirements Procedure CSF-DOC-GVOC-3 Legal, Regulatory and Contractual Requirements CSF-DOC-GVOC-4 Schedule of Confidentiality Agreements CSF-DOC-GVOC-5 Non-Disclosure Agreement CSF-DOC-GVOC-6 Business Impact Analysis Process CSF-DOC-GVOC-7 Business Impact Analysis Report CSF-FORM-GVOC-1 Business Impact Analysis Tool None EXAMPLE Legal, Regulatory and Contractual Requirements Risk Management Strategy (RM) CSF-DOC-GVRM-1 InfoSec Objectives and Plan CSF-DOC-GVRM-2 Cybersecurity Risk Management Policy CSF-DOC-GVRM-3 Risk Assessment and Treatment Process CSF-FORM-GVRM-1 Opportunity Assessment Tool None EXAMPLE Opportunity Assessment Tool Roles, Responsibilities, and Authorities (RR) CSF-DOC-GVRR-1 InfoSec Roles Responsibilities and Authorities CSF-DOC-GVRR-2 Executive Support Letter CSF-DOC-GVRR-3 HR Security Policy CSF-DOC-GVRR-4 Employee Screening Procedure CSF-DOC-GVRR-5 Guidelines for Inclusion in Employment Contracts CSF-DOC-GVRR-6 Employee Disciplinary Process CSF-FORM-GVRR-1 Employee Screening Checklist CSF-FORM-GVRR-2 Employee Termination and Change of Employment Checklist CSF-FORM-GVRR-3 Leavers Letter Policy (PO)
Information Security Policy CSF-DOC-GVPO-2 Social Media Policy CSF-DOC-GVPO-3
CSF-DOC-GVPO-1
Information Security Whistleblowing Policy CSF-DOC-GVPO-4 Internet Access Policy
Electronic
Online
Cloud Services
CSF-DOC-GVPO-8 IP
Copyright Compliance
Privacy
Messaging Policy CSF-DOC-GVPO-6
Collaboration Policy CSF-DOC-GVPO-7
Policy
and
Policy CSF-DOC-GVPO-9
and Personal Data Protection Policy
Oversight (OV)
Supply Chain
Management (SC)
Risk
Supplier Information Security Agreement CSF-DOC-GVSC-3 Supplier Due Diligence Assessment Procedure CSF-DOC-GVSC-4 Supplier Information Security Evaluation Process CSF-DOC-GVSC-5 Supplier Evaluation Covering Letter CSF-FORM-GVSC-1 Supplier Due Diligence Assessment CSF-FORM-GVSC-2 Supplier Evaluation Questionnaire None EXAMPLE Supplier Due Diligence Assessment None EXAMPLE Supplier Evaluation Questionnaire IDENTIFY (ID) Asset Management (AM) CSF-DOC-IDAM-1 Asset Management Policy CSF-DOC-IDAM-2 Asset Inventory CSF-DOC-IDAM-3 Acceptable Use Policy CSF-DOC-IDAM-4 Asset Handling Procedure CSF-DOC-IDAM-5 Procedure for Managing Lost or Stolen Devices CSF-DOC-IDAM-6 Procedure for Taking Assets Offsite CSF-DOC-IDAM-7 Procedure for the Management of Removable Media CSF-DOC-IDAM-8 Physical Media Transfer Procedure CSF-FORM-IDAM-1 Acceptable Use Confirmation Form None EXAMPLE Network Diagram Risk Assessment (RA) CSF-DOC-IDRA-1 Risk Assessment Report CSF-DOC-IDRA-2 Risk Treatment Plan CSF-DOC-IDRA-3 Threat Intelligence Policy CSF-DOC-IDRA-4 Threat Intelligence Process CSF-DOC-IDRA-5 Threat Intelligence Report CSF-DOC-IDRA-6 Technical Vulnerability Management Policy CSF-DOC-IDRA-7 Technical Vulnerability Assessment Procedure CSF-DOC-IDRA-8 Change Management Process CSF-FORM-IDRA-1 Asset-Based Risk Tool CSF-FORM-IDRA-2 Scenario-Based Risk Tool None EXAMPLE Asset-Based Risk Tool None EXAMPLE Scenario-Based Risk Tool NIST CSF2 Toolkit Version 2 06/03/2024 Page 1 of 2
CSF-DOC-IDIM-1 Procedure for Continual Improvement
CSF-DOC-IDIM-2 Improvement Plan
CSF-DOC-IDIM-3 Procedure for the Mgt of Nonconformity
CSF-FORM-IDIM-1 Nonconformity and Corrective Action Log
Lessons
Report
Plan
Control Policy CSF-DOC-PRAA-2
Access Management Process
Access Control Policy
CSF-DOC-PRAA-3
CSF-DOC-PRAA-4 Segregation of Duties Guidelines
CSF-DOC-PRAA-5 Physical Security Policy
CSF-DOC-PRAA-6 Physical Security Design Standards
CSF-DOC-PRAA-7 Data Centre Access Procedure
CSF-DOC-PRAA-8 Procedure for Working in Secure Areas
CSF-DOC-PRAT-1 Awareness Training Presentation
CSF-DOC-PRAT-2 InfoSec Competence Development Procedure
CSF-DOC-PRAT-3 InfoSec Competence Development Report
CSF-DOC-PRAT-4 Information Security Summary Card
CSF-FORM-PRAT-1 Competence Development Questionnaire None EXAMPLE Competence Development Questionnaire Data
CSF-DOC-PRDS-1
Improvement
(IM)
Identity
Access
User
CSF-FORM-IDIM-2 Incident
Learned
None EXAMPLE Improvement
None EXAMPLE Incident Lessons Learned Report None EXAMPLE Nonconformity and Corrective Action Log PROTECT (PR)
Management, Authentication, and Access Control (AA) CSF-DOC-PRAA-1
Dynamic
Training
Awareness and
(AT)
Security (DS)
Cryptographic Policy
Records Retention and Protection Policy
Information Classification Procedure
Information Labelling Procedure CSF-DOC-PRDS-5 Clear Desk and Clear Screen Policy CSF-DOC-PRDS-6 Procedure for the Disposal of Media CSF-DOC-PRDS-7 Backup Policy CSF-DOC-PRDS-8 Privileged Utility Program Register Platform Security (PS)
Configuration Management Policy CSF-DOC-PRPS-2 Configuration Management Process CSF-DOC-PRPS-3 Configuration Standard Template CSF-DOC-PRPS-4 Logging and Monitoring Policy CSF-DOC-PRPS-5 Software Policy CSF-DOC-PRPS-6 Secure Development Policy CSF-DOC-PRPS-7 Secure Coding Policy CSF-DOC-PRPS-8 Secure Development Environment Guidelines None EXAMPLE Configuration Standard Template Technology Infrastructure Resilience (IR) CSF-DOC-PRIR-1 Network Security Policy CSF-DOC-PRIR-2 ICT Continuity Incident Response Procedure CSF-DOC-PRIR-3 ICT Continuity Plan CSF-DOC-PRIR-4 ICT Continuity Exercising and Testing Schedule CSF-DOC-PRIR-5 ICT Continuity Test Plan CSF-DOC-PRIR-6 ICT Continuity Test Report CSF-DOC-PRIR-7 Capacity Plan CSF-DOC-PRIR-8 Availability Management Policy DETECT (DE) Continuous Monitoring (CM) CSF-DOC-DECM-1 Monitoring Policy CSF-DOC-DECM-2 Anti-Malware Policy CSF-DOC-DECM-3 Web Filtering Policy CSF-DOC-DECM-4 CCTV Policy Adverse Event Analysis (AE) CSF-DOC-DEAE-1 Information Security Event Reporting Procedure CSF-DOC-DEAE-2 Information Security Event Assessment Procedure RESPOND (RS) Incident Management (MA) CSF-DOC-RSMA-1 Information Security Incident Response Procedure Incident Analysis (AN) CSF-DOC-RSAN-1 Preservation of Evidence Guidelines CSF-FORM-RSAN-1 Incident Impact Information Log CSF-FORM-RSAN-2 Plan Activation Log Incident Response Reporting and Communication (CO) CSF-DOC-RSCO-1 Personal Data Breach Notification Procedure CSF-DOC-RSCO-2 InfoSec Communication Programme CSF-DOC-RSCO-3 Authorities Contacts CSF-DOC-RSCO-4 Special Interest Group Contacts CSF-FORM-RSCO-1 Personal Data Breach Notification Form CSF-FORM-RSCO-2 Breach Notification Letter to Data Subjects None EXAMPLE Authorities Contacts None EXAMPLE Personal Data Breach Notification Form None EXAMPLE Special Interest Group Contacts Incident Mitigation (MI) CSF-DOC-RSMI-1 Incident Response Plan Ransomware CSF-DOC-RSMI-2 Incident Response Plan Denial of Service CSF-DOC-RSMI-3 Incident Response Plan Data Breach RECOVER (RC) Incident Recovery Plan Execution (RP) CSF-FORM-RCRP-1 Incident Response Action Log Incident Recovery Communication (CO) CSF-DOC-RCCO-1 Draft Public Update on Incident Recovery 06/03/2024 Page 2 of 2
CSF-DOC-PRDS-2
CSF-DOC-PRDS-3
CSF-DOC-PRDS-4
CSF-DOC-PRPS-1