The Core Functions of NIST CSF: Identify

Mark O'Kane | Consultant at URM | Published on 04 February 2026
SUMMARY

In this blog, we explore the Identify Function of the NIST CSF and how it helps organisations build a clear understanding of their assets, risks and areas for improvement. We outline the Function’s requirements and what you need to do to meet them, such as the key activities involved in effective asset management, assessing and prioritising cyber risks, and how areas for improvement can be identified. We also include practical examples of how organisations can apply these activities in day-to-day operations to make the Identify Function more tangible.

Building an effective cyber security programme requires a clear understanding of what an organisation needs to protect, the risks that threaten those assets, and the measures necessary to address those risks.  Within the National Institute of Standards and Technology Cybersecurity Framework (NIST CSF), the Identify Function provides this foundation, enabling organisations to develop a comprehensive view of their cyber security risks and manage these appropriately.

Identify is the second of the CSF’s six functions; to learn about the first, read our blog on The Core Functions of NIST CSF: Govern.

What Does the Identify Function Require?

The Identify Function of NIST CSF is focused on ensuring that the cyber security risks your organisation has identified are properly understood and managed.  This involves effectively managing your assets, assessing and prioritising risk and, where needed, improving your approach to cyber security risk management.

The Identify Function comprises three Categories, which we will explore below.

ID.AM – Asset Management

The Asset Management Category focuses on building a clear picture of the assets that enable your organisation to achieve its business purposes, as well as managing these assets in line with your organisation’s risk approach and business objectives throughout their entire lifecycle.  Additionally, this Category requires you to prioritise assets based on their classification, criticality to the business, the supporting resources available, and their overall impact on your organisation’s mission.

When managing your assets, you need to maintain asset inventories to document them; the assets you need to document include:

  • Your data (and designated types of metadata)
  • Hardware
  • Software
  • Services and systems
  • Suppliers and other third-party services that your organisation uses.

As part of the measures taken to protect your data, you also need to clarify the communication methods that you’ve authorised for both internal and external communications by producing visual representations of your data flows. This includes displaying where your data comes from, where it goes, how it gets there, any changes made to it during transit, and how it is stored.

Practical application example:

Many organisations now use automated discovery tools that scan networks and cloud platforms to populate asset inventories, ensuring they stay up to date without relying on manual input.  A common practical step is mapping the data flow for a single high-risk process first, such as payroll or customer onboarding, then using that template to map other processes across the organisation.

ID.RA – Risk Assessment

This Category is about developing a thorough understanding of the cyber security risks facing your organisation, your assets, and your stakeholders. This means identifying and recording the internal and external threats relevant to your organisation, along with the vulnerabilities those threats could exploit, and then, in your subsequent risk assessment, evaluating the likelihood and impact of each vulnerability being exploited by a related threat.

Such threats, vulnerabilities, impact and likelihood scorings will form the basis of your inherent risk rating and allow you to determine your risk responses.  Such responses need to be planned and prioritised in advance, tracked on an ongoing basis, and communicated to the appropriate individuals (such as management, or others involved in the risk response).

Alongside assessing risks, you must also identify, validate and record any vulnerabilities in your assets themselves, and receive, analyse and react to these vulnerabilities in line with documented processes such as a vulnerability disclosure process.

If changes or exceptions need to be made to your cyber security risk strategy, these need to be formally managed by assessing and documenting the impact of the change or exception, and tracking them on an ongoing basis.

To stay ahead of emerging threats, your organisation must gather and analyse information about existing information security threats in order to produce threat intelligence.  Such information must come from information security forums and other reputable security sources (such as government security agencies, newsletters, etc.).  These sources can provide you with up-to-date information about the types of threats that exist and the technologies, tactics and actors associated with them, allowing you to judge whether the intelligence is relevant to your organisation and to what degree.

Finally, to reduce the likelihood of an incident relating to the authenticity or integrity of hardware and software used, your organisation needs to assess these items before they are acquired or used. Likewise, third-party suppliers providing critical products and services must be formally assessed prior to being engaged by your organisation.

Practical application example:

A practical way to operationalise this is to conduct brief, quarterly threat modelling workshops with IT and business owners.  These sessions review recent threat intelligence and map it to real business processes.  Another example is embedding third-party risk assessments into procurement workflows so that no new supplier is approved without a cyber risk review.
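To make the scoring and prioritisation described above concrete, here is a small constructed example, added here and not URM's or NIST's own tooling, that links a sample asset inventory (ID.AM) to a sample risk register (ID.RA), checks that every risk refers to an inventoried asset, and ranks risks by inherent rating and asset criticality. The asset names, scoring scales and scores are assumptions.

```python
"""Constructed mini risk register linking an ID.AM inventory to ID.RA risk scoring."""

# Constructed sample asset inventory (ID.AM). Criticality: 1 low, 2 medium, 3 high.
ASSETS = {
    "payroll-db": {"type": "data", "criticality": 3},
    "hr-portal": {"type": "software", "criticality": 2},
    "guest-wifi": {"type": "hardware", "criticality": 1},
}

# Constructed sample risk register (ID.RA). Likelihood and impact are scored 1 to 5.
RISKS = [
    {"id": "R1", "asset": "payroll-db", "threat": "credential theft",
     "vulnerability": "no MFA on administrative access", "likelihood": 4, "impact": 5,
     "response": "enforce MFA for admin accounts", "status": "planned"},
    {"id": "R2", "asset": "hr-portal", "threat": "web application attack",
     "vulnerability": "unpatched web framework", "likelihood": 4, "impact": 4,
     "response": "apply vendor patch", "status": "in progress"},
    {"id": "R3", "asset": "guest-wifi", "threat": "unauthorised network access",
     "vulnerability": "default controller password", "likelihood": 5, "impact": 2,
     "response": "set a unique password", "status": "complete"},
    {"id": "R4", "asset": "payroll-db", "threat": "phishing of payroll staff",
     "vulnerability": "no phishing-resistant sign-in", "likelihood": 4, "impact": 4,
     "response": "deploy phishing-resistant authenticators", "status": "planned"},
]


def inherent_risk(risk):
    """Inherent rating before any response is applied: likelihood x impact (1 to 25)."""
    return risk["likelihood"] * risk["impact"]


def orphan_risks(assets, risks):
    """Risk entries whose asset is missing from the inventory: a gap in ID.AM, ID.RA or both."""
    return [r["id"] for r in risks if r["asset"] not in assets]


def prioritise(assets, risks, threshold):
    """Rank by inherent rating, then asset criticality; keep entries at or above threshold."""
    ranked = sorted(
        risks,
        key=lambda r: (inherent_risk(r), assets[r["asset"]]["criticality"]),
        reverse=True,
    )
    return [r["id"] for r in ranked if inherent_risk(r) >= threshold]


def open_responses(risks):
    """Responses that still need tracking and communication (anything not complete)."""
    return [r["id"] for r in risks if r["status"] != "complete"]
```

Running `prioritise(ASSETS, RISKS, threshold=12)` on the constructed data returns R1, R4 and R2 in that order; R4 outranks R2 at an equal rating of 16 because the payroll database has higher criticality.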

ID.IM – Improvement

The Improvement Category requires you to proactively identify improvements to your cyber security risk management strategy across all of the NIST CSF Functions.  This includes identifying areas for improvement by:

  • Evaluating your cybersecurity risk activities and their outputs
  • Conducting security tests and exercises, in collaboration with suppliers and other third parties where appropriate
  • Reviewing the execution of your operational processes, procedures and activities
  • Using knowledge gained from security incidents to improve current security controls.

You are also required to produce incident response plans and other cybersecurity plans (where necessary) to prepare for incidents affecting your business operations. Such plans need to be communicated to users, kept up to date, and improved where necessary.

Practical application example:

Many organisations run short, scenario-based tabletop exercises periodically (e.g., every six months) with their executive teams.  These sessions test real processes, such as how ransomware would be escalated, who decides to take systems offline and how customers would be informed.  A simple improvement activity might involve updating the incident response plan based on lessons learned from these exercises.

Closing Thoughts

The Identify Function of the NIST CSF plays a central role in helping organisations build a clear, accurate picture of their cybersecurity risk landscape. By understanding your risks and prioritising your assets and suppliers, your organisation is able to respond to those risks in a way that is appropriate and proportionate to the risks themselves.  Together, the Asset Management, Risk Assessment and Improvement Categories ensure that security decisions are informed, prioritised, and aligned with business needs.

How URM can Help

Consultancy

With two decades of experience helping organisations align with major cyber and information security standards, legislation, and frameworks, URM is the ideal partner to provide NIST CSF consultancy services to support your organisation’s conformance to the CSF.  Our large team of experienced NIST CSF consultants can offer your organisation a range of consultancy services to help you meet the Framework’s requirements in full.  We can begin by conducting a gap analysis of your environment against CSF requirements, allowing us to establish where you are already conformant and those areas which may require further improvement.  Following the gap analysis, we can support your CSF implementation by assisting with all of the 7-step implementation process, or with specific steps as required.

Once you have implemented the Framework, URM can also provide NIST CSF 2 assessment services.  These involve your dedicated NIST CSF consultant conducting independent, impartial assessments of your organisation’s conformance.  Covering the Categories and Subcategories within the Framework’s six Core Functions, we will assess the maturity level of controls implemented by your organisation, determining a current maturity score based on NIST’s maturity scale, identifying improvements that could be made, and providing a predicted maturity score following completion of the recommended improvements.

Mark O'Kane, Consultant at URM

Mark is an Information Security Consultant at URM with significant experience working with ISO 27001 and other GRC security frameworks and services.
