Facilitating GRC Best Practice
Supported Standards:
ISO 31000
BS 10500
ISO 19600
ISO/IEC 38500
ISO/IEC 27001
ISO/IEC 22301
ISO/IEC 20000
Balanced Scorecard
Consultancy Topics:
IT Governance
IT Risk
IT Compliance
Information Security
Business Continuity

Cybersecurity Framework Establsihment


Analytix cybersecurity consulting service assists organisations to establish or improve their cybersecurity programmes.

Alignment with the Ìnternational Cybersecurity Framework

These services are aimed to assist organisations to effectively develop and implement the NIST Cybersecurity Framework.

Cybersecurity Framework

We provide the technical expertise and project management capabilities needed to build an efficient and effective cybersecurity framework that will provide your organisation with a “prioritised, flexible, repeatable, performance-based, and cost- effective approach” to manage cybersecurity risk for those processes, information, and systems directly involved in the delivery of critical infrastructure services.

The scope and structure of a cybersecurity framework establishment programme can vary, and our effort expended will be tailored to the needs of your organisation, while we will ensure that the essential elements of a cybersecurity framework be established that:

  • Provide a common language for understanding, managing, and expressing cybersecurity risk both internally and externally
  • Can be used to help identify and prioritize actions for reducing cybersecurity risk
  • Serve as a tool for aligning policy, business, and technological approaches to managing cybersecurity risks
  • Can be used to manage cybersecurity risk across entire organisation
  • ​Can establish focus on the delivery of critical services within an organization



Different types of entities – including sector coordinating structures, associations, and organizations – can use the NIST Cybersecurity Framework for different purposes, including the creation of common cybersecurity risk scores and profiles.

Our approach to cybersecurity programme design and establishment projects is based on the principles of the NIST Cybersecurity framework, and covers the full lifecycle of Cybersecurity framework implementation that makes provision for the following seven phases: 

Step 1: Prioritize and Scope—Requests that organizations scope and prioritize business/mission objectives and high-level organizational priorities. This information allows organizations to make strategic decisions regarding the scope of systems and assets that support the selected business lines or processes within the organization.

Step 2: Orient—Provides organizations an opportunity to identify threats to, and vulnerabilities of, systems identified in the Prioritize and Scope step.

Step 3: Create a Current Profile—Identifies the requirement to define the current state of the organization’s cybersecurity program by establishing a current state profile.

Step 4: Conduct a Risk Assessment—Allows organizations to conduct a risk assessment using their currently accepted methodology. The information used from this step in the process is used in Step 5.

Step 5: Create a Target Profile—Allows organizations to develop a risk-informed target state profile. The target state profile focuses on the assessment of the Framework Categories and Subcategories describing the organization’s desired cybersecurity outcomes.

Step 6: Determine, Analyze, and Prioritize Gaps—Organizations conduct a gap analysis to determine opportunities for improving the current state. The gaps are identified by overlaying the current state profile with the target state profile.

Step 7: Implement Action Plan—After the gaps are identified and prioritized, the required actions are taken to close the gaps and work toward obtaining the target state.

The NIST Cybersecurity Framework (CSF) provides an assessment mechanism that enables organisations to determine their current cybersecurity capabilities, set individual goals for a target state, and establish a plan for improving and maintaining cybersecurity programs.

Cybersecurity Professional Programme - The Cybersecurity Nexus (CSX)

ISACA has developed a new security knowledge platform and cybersecurity professional programme. The Cybersecurity Nexus (CSX), developed in collaboration with cybersecurity experts from leading companies around the world, supplies cutting-edge thought leadership, training and certification programs for professionals who are leading cybersecurity to the future.

As part of the knowledge, tools and guidance provided by CSX, ISACA has developed a guide for implementing the NIST Framework for Improving Critical Infrastructure Cybersecurity (the Cybersecurity Framework, or CSF).

CSF Components

The Framework provides a uniform guide to managing cybersecurity programme. This includes industry-driven standards, best practices and implementation measures to manage cybersecurity risks to information technology and operational technology.

The CSF is a risk-based approach to managing cybersecurity risk and is comprised of three parts:

  • Framework Core
  • Framework Implementation Tiers and the
  • Framework Profiles.


Each CSF component reinforces the connection between business drivers and cybersecurity activities.

The Framework provides:

  • A common structure for managing cybersecurity risk
  • Help to identify and understand your organisation’s dependencies with its business partners, vendors, and suppliers
  • A platform that will allow you to coordinate cybersecurity risk within your industry and sector for the delivery of critical infrastructure services.


The Framework places cybersecurity activities into five functions

  1. Identify
  2. Protect
  3. Detect
  4. Respond, and
  5. Recover.


Organisations should implement capabilities in each of these areas.

Not a Replacement for ISO 27001

The Framework complements, and does not replace, an organization’s risk management process and cybersecurity program. The organization can use its current processes and leverage the Framework to identify opportunities to strengthen and communicate its management of cybersecurity risk while aligning with industry practices. Alternatively, an organization without an existing cybersecurity program can use the Framework as a reference to establish one.

The outcomes in the Core will help your managenment to answer the following questions:

  • What people, processes and technologies are essential to provide the right services to the right stakeholders?
  • What do we need to do to protect those assets from the cybersecurity risks discovered in the Identify function?
  •  What detection capability can we implement to recognize potential or realized risk to organizational assets from identified cybersecurity risk?
  • What cybersecuirty response and recovery activities are appropriate and necessary to continue operations (albeit diminished) or restore services described above?

The NIST Cybersecurity Framework provides organizations with a number of benefits which lead to a stronger cybersecurity posture. These benefits include: 

  • Describe their current cybersecurity posture
  • Describe their target state for cybersecurity 
  • Identify and prioritize opportunities for improvement within the context of a continuous and repeatable process 
  • Assess progress toward the target state
  • Communicate among internal and external stakeholders about cybersecurity risk