Tiers
When rolling out a new program, we must first understand where the organization is today (the current state) and where it intends to go (the future state). While framework profiles are used to describe both current and future states, we need to assess the current state first. We will focus more on performing these types of assessments later in this chapter. Before that, we must understand how to rank our program against the framework.
Auditing firms tend to rank the NIST CSF on a maturity scale by leveraging the Capability Maturity Model Integration (CMMI). This departs from the framework's original intention, which is to evaluate and reduce risk. There are some similarities between the framework tiers and CMMI; most of them come in the form of documentation and official organizational policies. However, maturity ranking was not the intent of the framework.
In fact, the framework specifically states that it is not intended to be evaluated as a maturity model. This is not to say that maturity should...