How to Conduct a NIST CSF 2.0 Risk Assessment, Step-by-Step Guide for 2025

Mariah Brooks

Updated Oct 13, 2025 Read Time 13 min

Most organizations are familiar with the NIST Cybersecurity Framework (CSF). It’s widely adopted, broadly applicable, and designed to help teams align information security risk management practices with business outcomes. Knowing the CSF framework, however, isn’t the same as understanding how to assess against it.

With the release of NIST CSF 2.0 in 2024, organizations now have clearer guidelines to meet. But they also face more pressure than ever to implement a consistent risk assessment process at scale. The already-high expectations are rising as regulations evolve and the consequences for cyberattacks and non-compliance become more severe.

Fortunately, the path to GRC resilience has never been so clear. Organizations now have access to a massive pool of resources and expertise that grows wider with every day. 

This guide explains how to conduct a NIST CSF 2.0 risk assessment. It applies a control-based approach to the NIST SP 800-30 methodology to make the process repeatable, outcome-focused, and evidence-driven.

Readers will learn how to:

  • Prepare for a NIST CSF risk assessment.
  • Conduct the assessment using control implementation data.
  • Communicate results via risk registers and CSF Profiles.
  • Maintain CSF assessments continuously to inform security decision-making and strategy.

It also explains how NIST GRC compliance software can simplify each step, from launching assessments to documenting risks to reporting on CSF outcomes.

But before we dive into the steps, let’s review how CSF 2.0 and SP 800-30 work together.

Tip: Learn more about NIST CSF 2.0 and NIST SP 800-30 in our complete guides.


The NIST Cybersecurity Framework 2.0 is a well-known resource for organizations to assess, improve, and communicate cybersecurity risk.

As directed by Executive Order 13636, the National Institute of Standards and Technology (NIST) released NIST CSF 1.0 in 2014 to help critical infrastructure sectors manage cyber risk. Because energy, healthcare, and financial services sectors are ‘critical’ to national security and economic stability, they are often the target of sophisticated cyber threats.

However, the framework was also written so that other organizations could adopt it voluntarily. And many did, especially in sectors like education, local government, and small business. Then, NIST released NIST CSF 2.0.

Finalized in 2024, CSF 2.0 is the first major update to the framework since its initial publication. With expanded guidance, modernized terminology, and a new ‘Govern’ function to emphasize strategy, oversight, and risk tolerance, CSF 2.0 is explicitly designed for all organizations, not just critical infrastructure. 

Simply put, NIST CSF 1.0 vs. NIST CSF 2.0:

  • CSF 1.0 was intended for critical infrastructure, but usable by anyone. 
  • CSF 2.0 was designed for everyone from the start.

Unlike prescriptive standards (e.g., NIST SP 800-53), NIST CSF 2.0 is outcome-focused and control-agnostic. Its structure is organized around:

  • Functions: Identify, Protect, Detect, Respond, Recover, and Govern.
  • Categories and Subcategories: Granular outcomes tied to security capabilities.
  • Profiles: Current vs. Target states for implementation.
  • Tiers: Qualitative maturity levels.

Today, most organizations can tailor the CSF to fit their size, sector, or regulatory environment. Whether managing internal controls, vendor risks, or audit obligations, CSF 2.0 offers a common language to align cybersecurity strategy with real-world business objectives.

A NIST CSF risk assessment is the process of evaluating your cybersecurity posture against the outcomes defined in CSF 2.0 with a structured risk analysis to identify and prioritize gaps.

To do that effectively, organizations need two things:

  • A risk assessment methodology: How you assess risk.
  • A control framework: What you assess against.

In this guide, NIST SP 800-30 is the risk assessment methodology framework, and NIST CSF 2.0 is the control framework. 

NIST SP 800-30 provides the methodology: a repeatable process for identifying, analyzing, and documenting risks across assets, controls, and systems. SP 800-30 defines four steps:

  1. Prepare
  2. Conduct
  3. Communicate
  4. Maintain

NIST CSF 2.0 serves as the outcome-based control framework. It defines what ‘good’ looks like using a flexible hierarchy. CSF covers:

  • Functions (e.g., Identify, Protect)
  • Categories (e.g., Asset Management, Access Control)
  • Subcategories (granular outcomes tied to controls)
  • Profiles (Current vs. Target implementation)
  • Tiers (qualitative measures of program maturity)

Unlike prescriptive frameworks (e.g., NIST SP 800-53), the CSF is control-agnostic. That means organizations can assess CSF Subcategories with implementation frameworks like NIST 800-53, CIS Controls, ISO/IEC 27001, or a combination.

In practice, many organizations map the control framework back to CSF to report on posture and maturity. For example, California state agencies are required to implement NIST SP 800-53, but California’s SIMM 5300-A assessment tool uses NIST CSF 2.0 as the reporting structure that connects compliance and outcomes. 

That flexibility makes CSF an effective tool for communicating about risk across technical and executive audiences. Because each Subcategory clearly states a desired outcome and maps to related requirements in other frameworks, tracking control alignment across systems and standards is much easier for teams. 

Beyond checking controls, a NIST CSF risk assessment is about understanding whether your security program is achieving the outcomes CSF defines using a risk-based method that’s consistent, defensible, and aligned to your business priorities. 

A NIST CSF 2.0 risk assessment uses a structured risk analysis process to compare an organization’s current cybersecurity posture against the outcomes defined in the framework. 

In this NIST CSF risk assessment guide:

  • NIST SP 800-30 provides the methodology
  • NIST CSF 2.0 defines the outcomes

Together, they help organizations identify gaps, document risks, and measure progress in a consistent, defensible way.

NIST SP 800-30 is the risk assessment methodology referenced in CSF 2.0. It provides a repeatable process for identifying, analyzing, and documenting cybersecurity risks across assets, systems, and control environments. 

The 800-30 methodology helps answer questions like:

  • What assets are at risk?
  • What vulnerabilities exist?
  • What events could occur if exploited?
  • How likely are those events, and what would the impact be?

Using SP 800-30 ensures your CSF assessment reflects actual risk, not just control status.

A control-based model applies SP 800-30 by treating unmet controls as vulnerabilities and using system traits – like exposure, ownership, or configuration – as risk modifiers.

The approach helps organizations scale assessments across business units, third parties, or asset groups using observable evidence rather than assumptions.

Control-based risk assessments:

  • Are easier to repeat and maintain.
  • Align with frameworks like NIST SP 800-53, CIS Controls, and ISO/IEC 27001.
  • Support remediation tracking and audit readiness.
  • Integrate cleanly with CSF Profiles and Implementation Tiers.

The result is a more practical and consistent risk assessment process that aligns with CSF-defined outcomes and program goals.

The following steps explain how to conduct a NIST CSF 2.0 risk assessment using the control-based methodology defined in NIST SP 800-30.

The first step is to define the purpose, scope, and structure of the assessment using the NIST SP 800-30 methodology and CSF 2.0 outcomes.

NIST SP 800-30 requires organizations to establish the purpose, scope, assumptions, constraints, information sources, and analytic approach of the assessment.

In a control-based model, risk is based on observable implementation data and asset context, not hypothetical threats.

Preparation activities align with CSF Functions such as:

  • Govern (GV): Define risk strategy, business context, and tolerance
  • Identify (ID.AM): Build a complete asset inventory
  • GV.ME: Establish how evidence will be measured and maintained

To prepare for a NIST CSF 2.0 risk assessment:

  • Define the purpose and scope (e.g., vendor risk, compliance, specific systems).
  • Map scope to CSF Functions and Categories (e.g., access controls align to Protect > PR.AA).
  • List known assumptions and constraints (e.g., incomplete inventories, fixed timelines).
  • Select a control-based analytical approach that uses actual implementation data.
  • Choose a control framework using CSF Informative References for alignment.
  • Define risk tolerance in terms of Target vs. Current Profile.
  • Assign clear roles and responsibilities (sponsor, lead, control owners, reviewers).

Output: A documented scope and risk methodology recorded in the risk register and mapped to relevant CSF Functions and Categories.

Step One Tip: Set scope using NIST SP 800-30. Define outcomes using CSF 2.0.

This step identifies, documents, and scores cybersecurity risks based on actual control implementation.

NIST SP 800-30 defines four elements to consider during this phase:

  • Threat sources and events
  • Vulnerabilities
  • Predisposing conditions
  • Likelihood and impact

In a control-based model, these elements are derived from evidence gathered through structured assessments. Each gap in implementation becomes a risk that can be analyzed and recorded.

To conduct a NIST CSF 2.0 risk assessment:

  • Deploy a questionnaire mapped to CSF Subcategories and scoped to systems, vendors, or business units
  • Mark each control as Met, Not Met, or Not Applicable, and attach supporting evidence (e.g., screenshots, configuration files, policy links)
  • Create risk statements for unmet controls using the format: Because of [cause], the potential [event] could occur, resulting in [impact].
  • Score each risk using a consistent scale for likelihood and impact (qualitative or quantitative)
  • Document each risk in the register, including CSF Subcategory, affected asset or system, risk owner, status, and planned response
  • Aggregate results to build the CSF Current Profile. Track how many Subcategories are fully, partially, or not implemented

Output: Risk register entries tied to unmet CSF Subcategories and a baseline CSF Current Profile for reporting and tracking.

Step Two Tip: Use risk register data to generate CSF Profiles based on verified control evidence.

The third step is to prepare and share risk assessment results with relevant stakeholders.

NIST SP 800-30 directs organizations to document findings, communicate risks, and identify appropriate responses. In a control-based assessment, this involves summarizing data from the risk register and mapping it to CSF outcomes for both technical and executive review.

To communicate the results of a NIST CSF 2.0 risk assessment:

  • Build a report that includes: risk register entries tied to controls, assets, and owners; a CSF Current Profile showing implementation status across Functions and Categories; and the gaps between the Current and Target Profiles.
  • Link each risk response decision (e.g., mitigate, accept, transfer, avoid) to the affected CSF Subcategory.
  • Use documented evidence from the assessment to support CSF Implementation Tier statements (e.g., use governance records to justify Tier progression in GV.RM or GV.ME).
  • Present detailed findings to operational teams and high-level summaries to executives using CSF-aligned formats.

Output: A report containing the updated risk register, CSF profile gaps, and Tier justification evidence, ready for stakeholder review.

Step Three Tip: Use CSF Profiles to summarize complex risk data in a format that supports executive decisions.
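The communicate step turns the same profile data into two views: a detailed gap list for operational teams, with each Subcategory's risk response decision attached, and a per-Function summary for executives. The block below is an added illustration for this article, not Isora GRC or NIST code. The status ordering used to compute a gap, the rule that a Subcategory absent from the Current Profile counts as not implemented, and the sample Current Profile, Target Profile and response decisions are all assumptions; the Function prefixes are the six CSF 2.0 Functions named earlier in the article.

```python
"""Current-vs-Target Profile gap report for a NIST CSF 2.0 assessment.

Added example for this article. Not Isora GRC code and not a NIST reference
implementation. Status ordering, the missing-status rule and all sample
profiles are constructed assumptions.
"""
from collections import defaultdict

# Assumed ordering of implementation statuses (higher is better).
LEVELS = {"not implemented": 0, "partially implemented": 1, "implemented": 2}
FUNCTIONS = {"GV": "Govern", "ID": "Identify", "PR": "Protect",
             "DE": "Detect", "RS": "Respond", "RC": "Recover"}
RESPONSES = {"mitigate", "accept", "transfer", "avoid"}


def profile_gaps(current, target, responses):
    """Detailed view: one row per Subcategory below its Target status, largest gap
    first, with the recorded risk response (or 'undecided') linked to it."""
    gaps = []
    for sub, want in target.items():
        have = current.get(sub, "not implemented")   # assumed: unassessed == not implemented
        delta = LEVELS[want] - LEVELS[have]
        if delta <= 0:
            continue
        response = responses.get(sub, "undecided")
        if response != "undecided" and response not in RESPONSES:
            raise ValueError(f"unknown risk response for {sub}: {response}")
        gaps.append({"subcategory": sub, "function": FUNCTIONS[sub[:2]],
                     "current": have, "target": want, "gap": delta,
                     "response": response})
    return sorted(gaps, key=lambda g: (-g["gap"], g["subcategory"]))


def executive_summary(current, target):
    """High-level view: per Function, how many Subcategories already meet Target."""
    summary = defaultdict(lambda: {"subcategories": 0, "at_target": 0})
    for sub, want in target.items():
        fn = FUNCTIONS[sub[:2]]
        summary[fn]["subcategories"] += 1
        if LEVELS[current.get(sub, "not implemented")] >= LEVELS[want]:
            summary[fn]["at_target"] += 1
    return dict(summary)


def render_report(current, target, responses):
    """Plain-text report: executive summary first, operational detail after."""
    lines = ["CSF 2.0 Profile gap report", "Executive summary (Subcategories at Target):"]
    for fn, counts in executive_summary(current, target).items():
        lines.append(f"  {fn}: {counts['at_target']}/{counts['subcategories']}")
    lines.append("Operational detail:")
    for g in profile_gaps(current, target, responses):
        lines.append(f"  {g['subcategory']} [{g['function']}] {g['current']} -> "
                     f"{g['target']} (gap {g['gap']}, response: {g['response']})")
    return "\n".join(lines)


def sample_profiles():
    """Constructed Current Profile, Target Profile and response decisions."""
    current = {"GV.RM-01": "partially implemented", "ID.AM-01": "partially implemented",
               "PR.AA-01": "partially implemented", "DE.CM-01": "implemented"}
    target = {"GV.RM-01": "implemented", "ID.AM-01": "implemented",
              "PR.AA-01": "implemented", "PR.AA-05": "implemented",
              "DE.CM-01": "implemented"}
    responses = {"PR.AA-01": "mitigate", "GV.RM-01": "accept"}
    return current, target, responses


if __name__ == "__main__":
    print(render_report(*sample_profiles()))
```

With the constructed profiles, the executive summary shows Detect fully at Target and Govern, Identify and Protect below it, while the detailed list puts PR.AA-05 first because it was never assessed and therefore carries the largest gap, followed by the three partially implemented Subcategories with their mitigate, accept or still-undecided responses.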

The fourth step is to maintain the assessment as part of ongoing cybersecurity operations.

NIST SP 800-30 instructs teams to monitor for changes that affect risk posture, such as new assets, emerging threats, or updated control implementations. As conditions evolve, risk data must be reviewed, rescored, and reflected in CSF Profiles and Implementation Tiers.

To maintain the NIST CSF 2.0 risk assessment over time:

  • Monitor for risk changes, including system updates, vendor shifts, threat intelligence, or audit findings
  • Refresh or rescore: Risk register entries, the CSF Current Profile (based on new control evidence), progress toward the Target Profile, and Tier justification using current governance, supply chain, and measurement documentation.
  • Update internal systems with revised findings and disseminate changes to both technical and executive stakeholders.
  • Align reporting cycles with organizational decision points (e.g., budget planning, board reviews, vendor onboarding)

Output: Ongoing traceability from risk findings to control status, mapped to CSF Subcategories, Profiles, and Tier statements.

Step Four Tip: Continuous maintenance turns one-time risk assessments into a live input for cybersecurity program management.

A successful NIST CSF risk assessment requires more than following the basic steps. The following practices can help teams create consistent, traceable, and actionable assessments over time.

Each assessment should reflect the organization’s top priorities. Start by identifying what matters most, like protecting regulated data, reducing downtime, or managing vendor access. 

Then, map the assessment scope to relevant CSF Functions and Categories. This ties security posture to business impact and clarifies the value of remediation efforts.

Risk assessments should not be treated as one-time projects. Use them to maintain a current view of the organization’s security posture. Risk registers, CSF Current Profiles, and Tier statements should be updated as:

  • Control implementations change.
  • New systems or vendors are introduced.
  • Threats, regulations, or priorities shift.

This allows teams to track gaps and address them before they escalate.

Vendors and service providers often introduce risks that internal teams cannot directly control. Include third parties in the first round of assessments. This might involve:

  • Sending CSF-mapped questionnaires to vendors using Categories like ID.SC (Supply Chain Risk Management).
  • Identifying inherited control gaps within the organization’s CSF Profile.
  • Flagging noncompliant vendors in the risk register.

Third-party risk should be built into the CSF program, not managed separately.

Scattered documents and spreadsheets increase audit risk and delay decisions. Use a central system to store and manage:

  • Control implementation data and supporting evidence
  • Risk register entries.
  • CSF Profile comparisons (Current vs. Target).
  • Linked documentation (e.g., vendor responses, asset inventories).

Centralization improves accuracy, reduces duplication, and supports program maturity.

Spreadsheets are challenging to maintain at scale. A dedicated CSF risk assessment platform improves reliability by supporting:

  • Structured assessments aligned to CSF Subcategories
  • Consistent control scoring with linked evidence
  • Automated risk statement generation for unmet controls
  • Profile and Tier tracking with real-time updates
  • Full traceability across assets, systems, and third parties

This keeps the focus on risk decisions instead of formatting, file management, or version control.

Conducting control-based NIST CSF risk assessments is simple with Isora GRC. It’s a tool built to manage information security risk at scale, across assessments, scoring, evidence collection, and reporting, all in a single platform designed to support collaborative, repeatable, audit-ready workflows for GRC teams.

Organizations can use Isora to:

  • Launch CSF-aligned questionnaires scoped to internal systems, vendors, or business units.
  • Collect control evidence by Subcategory, including status, documentation, and reviewer context.
  • Generate risk register entries when controls aren’t met, using standardized cause–event–impact statements.
  • Build CSF Current and Target Profiles from implementation data to guide remediation and reporting.
  • Record and manage exceptions with linked controls, mitigation plans, and approval history.
  • Map vendors and assets to risk data for visibility into inherited control gaps.

In Isora, all assessment results are tied to CSF Subcategories for complete visibility, traceability, and accountability across systems, third parties, and organizational units. 


NIST CSF 2.0 is a cybersecurity framework that defines what outcomes organizations should achieve. NIST SP 800-30 is a risk assessment methodology that explains how to identify, analyze, and document risks. Together, they allow you to assess risk in a structured way and tie it to actionable security goals.

CSF 2.0 is designed for broad adoption. It’s especially useful for:

  • Critical infrastructure operators
  • Public sector and higher education institutions
  • Organizations with limited resources or without a dedicated GRC team

Because it’s control-agnostic and outcome-based, CSF 2.0 works well for aligning cybersecurity strategy with business objectives—regardless of size or industry.

A NIST CSF risk assessment should be conducted at least once per year. Best practice, however, is to maintain a live risk register and update your CSF Current Profile continuously as:

  • Control implementations change
  • New systems or vendors are added
  • Threat conditions evolve
  • Business priorities shift

This keeps your posture accurate and your reporting audit-ready.

Every CSF Subcategory includes Informative References to control frameworks like:

  • NIST SP 800-53
  • ISO/IEC 27001
  • CIS Controls
  • COBIT

This makes it easy to adopt CSF as your organizing structure while using another framework for control implementation, especially if you already follow NIST 800-53 or ISO for compliance purposes.

Spreadsheets may work for small, static assessments—but they fall apart at scale. Common problems include:

  • No version control
  • No visibility across systems or vendors
  • Inconsistent scoring and evidence tracking
  • Time-consuming report generation
  • Poor audit defensibility

A dedicated platform like Isora GRC solves these problems by centralizing assessments, automating risk register entries, and generating CSF-aligned reports in real time.
