Cybersecurity framework
What is the NIST Cybersecurity Framework?
In short
A plain guide to the NIST Cybersecurity Framework: its core functions, how it maps to maturity, and how it compares with ISO 27001 for Indonesian teams.
A board member asks the one question that is hard to answer well: "How mature is our security, really?" The honest reply is rarely a yes or a no. Security maturity is a spectrum, and without a shared way to describe it, the conversation drifts into a list of tools the company has bought or a vague sense that things are "mostly fine." The NIST Cybersecurity Framework exists to fix that. It gives an organisation a common vocabulary for talking about cyber risk, a structure for assessing where it stands, and a way to set a realistic target. This page explains what the framework is, its six core functions, how it differs from ISO 27001, and how Indonesian teams put it to use.
What the NIST CSF is
The NIST Cybersecurity Framework is a voluntary framework published by the National Institute of Standards and Technology, a United States government agency. It was first released in 2014 and updated to version 2.0 in 2024. Despite its American origin, it is used worldwide because it is not tied to any one country's law. It describes cyber risk management in plain, outcome-based terms rather than dictating specific technologies.
The word to hold onto is voluntary. The CSF is not a law and not a certifiable standard. You do not get "certified in NIST CSF" the way you get certified against ISO 27001. There is no accredited auditor and no certificate. Instead, the framework is a reference you measure yourself against and a language you use to explain your posture to a board, a customer, or an insurer. That flexibility is the point. A ten-person startup and a national bank can both use the same framework, scaled to what each of them actually does.
At its heart the CSF organises everything into a small set of functions, each broken down into categories and subcategories of expected outcomes. You do not have to implement every subcategory. You choose a profile that reflects your risk, your sector, and your resources.
The core functions
Version 2.0 organises the framework around six core functions. This is the detail teams most often get wrong, because the original 2014 framework had only five. The Govern function was added in CSF 2.0 in 2024 and sits at the centre, connecting security decisions to wider business risk. Naming five functions is a sign of working from the old version.
| Function | What it covers |
|---|---|
| Govern | Added in CSF 2.0 (2024). How cyber risk decisions are made, who is accountable, and how security ties into overall business risk, strategy, and policy. |
| Identify | Understanding what you have to protect: assets, data, suppliers, and the risks that apply to them. |
| Protect | The safeguards that limit or contain the impact of an event, from access control and training to data security. |
| Detect | Finding cybersecurity events and anomalies when they happen, through monitoring and analysis. |
| Respond | Acting once an incident is detected: containment, communication, and analysis to limit the damage. |
| Recover | Restoring services and capabilities affected by an incident and learning from what went wrong. |
Govern is the function that changed the shape of the framework. In the 2014 version, governance was scattered through the other functions. Pulling it out as a function of its own reflects a simple lesson from years of breaches: most failures are not purely technical. They come from unclear accountability, risk decisions made without the right people in the room, or security treated as a project rather than an ongoing responsibility. Govern puts those questions front and centre, and the other five functions describe the work that flows from them.
NIST CSF vs ISO 27001
The CSF and ISO 27001 come up together often, and the difference between them is easy to blur. They solve related problems but in structurally different ways.
| NIST CSF | ISO 27001 | |
|---|---|---|
| What it is | A voluntary framework you self-assess against | A certifiable standard audited by an accredited body |
| Deliverable | A current profile and a target profile you set yourself | A certificate buyers and regulators can verify |
| How it is used | Organising, prioritising, and communicating risk work | Proving, through an audit, that your management system meets the standard |
| Recognition | Widely referenced, no formal proof attached | An internationally recognised certificate |
Neither replaces the other, and many organisations use both. The CSF is a strong tool for structuring your programme and deciding what to do next, because its functions and profiles make priorities visible. ISO 27001 is what you reach for when someone external needs proof: a customer's procurement team, a regulator, or a partner who will not take your word for it. Because the underlying controls overlap so heavily, work done against the CSF carries over into an ISO 27001 effort and the reverse holds too. If a certifiable standard is what your buyers want, our guide to ISO 27001 certification in Indonesia walks through what that route involves locally.
Using the framework in Indonesia
The NIST CSF is not mandatory in Indonesia. No law or regulator here requires it, and it does not satisfy local obligations on its own. UU PDP, the sectoral rules that OJK applies to financial institutions, and BSSN's guidance all stand on their own terms, and our overview of Indonesia's cybersecurity regulations sets out what the law here actually demands.
Where the CSF earns its place is as a maturity tool. Regulated sectors in Indonesia, especially banking and other financial services, face rising expectations to demonstrate that their security is managed, not improvised. The framework gives a board a way to see current maturity across the six functions, set a target that matches the organisation's risk appetite, and track progress over time. It also maps cleanly onto local obligations, so the same assessment that shows a bank where its detection or governance gaps sit can also feed the evidence a regulator wants to see. Used this way, the CSF becomes the backbone of a governance, risk, and compliance programme rather than a document that sits on a shelf.
Where Alpha Code fits
Turning the framework into something useful means running an honest current-state assessment across the six functions, agreeing on a target profile the business can live with, and building a prioritised plan to close the gap. Alpha Code does that work through its compliance and GRC service: scoring your posture against the CSF, mapping it to the Indonesian obligations that apply to you, and turning the result into a roadmap that answers the board's question with evidence rather than a shrug.
Reviewed by Mohit Bhansali, Head of Technology
Frequently asked questions
It gives an organisation a common language and a structure for managing cyber risk, from governance and asset identification through protection, detection, response, and recovery. It is voluntary and outcome-focused rather than prescriptive, so it works for any size of organisation and any sector. It describes what good risk management looks like, not the specific tools you must buy.
Related
Our services
Ready to strengthen your security posture?
Talk to our Jakarta-based team about your requirements.
Jakarta-based team. We reply within one business day.