NIST Cybersecurity Framework for UK Businesses: A Plain English Guide

People reference NIST CSF constantly, but barely anyone explains it properly. Most guides assume you already know what it does, or they bury the useful bits under academic language. So this is the plain English version: what the framework is, what each function actually means, and how it connects to Cyber Essentials.
What NIST CSF actually is
The National Institute of Standards and Technology (NIST) published the Cybersecurity Framework in 2014. Version 2.0 landed in February 2024 with a significant structural change. It's American, but organisations worldwide use it because it does one thing well: it organises everything a business should be doing about cyber security into six functions.
Those six functions are: Govern, Identify, Protect, Detect, Respond, and Recover.
It's not prescriptive about specific products or vendors. Nobody at NIST is telling you which firewall to buy or which antivirus to install. The framework sets out categories of activity your security programme should include. How you do it depends on your size, sector, risk appetite, and (honestly) your budget.
Think of it as a map showing you the whole territory. It doesn't pick the route for you.
The six functions
1. Govern (GV)
Govern was added in version 2.0 as the sixth function. It didn't exist in the original 2014 release. The addition reflects something the industry has known for years: technical controls without governance behind them are reactive, not strategic.
Govern covers:
- Risk management strategy: How does your organisation decide which risks to accept, mitigate, or transfer?
- Policy: What are the rules your business operates under, and who enforces them?
- Board oversight: Does someone at leadership level own cyber security risk?
- Supply chain risk: Do you understand the security posture of your critical suppliers?
- Regulatory alignment: Are you meeting the obligations your sector imposes?
For a 50-person business, governance doesn't mean a 200-page policy document. It means someone owns security decisions, there's a risk register (even a basic one), and you know which regulations apply to you.
CE coverage: None. CE doesn't test governance, policy, risk management, or supply chain oversight (consistent with the 2026 posture evaluation criteria).
2. Identify (ID)
Identify is about knowing what you've got. You can't protect systems you don't know exist, and you can't assess risk against assets you haven't catalogued.
Identify covers:
- Asset management: What devices, software, and data does your business use? Where does it sit?
- Risk assessment: What are the threats to those assets, and how likely is each one?
- Vulnerability management: What weaknesses exist in your current setup?
- Business environment: Which services are critical to your operations?
CE requires you to list in-scope devices and software during the assessment questionnaire. That's a snapshot, taken once a year. Identify, as a continuous function, means maintaining a current inventory and scanning for vulnerabilities on an ongoing basis.
CE coverage: Partial. CE requires a device and software inventory at assessment time. It doesn't require continuous discovery, vulnerability scanning, or risk assessment.
3. Protect (PR)
Protect is where CE lives and where it does its best work. The five CE controls (firewalls, secure configuration, user access control, malware protection, and patch management) map directly to this function.
Protect covers:
- Access control: Who can access what, and how is that enforced?
- Security awareness: Do your people know how to recognise threats?
- Data security: Is sensitive data encrypted, classified, and controlled?
- Platform security: Are devices and software configured securely?
- Technology resilience: Are protective technologies maintained and updated?
CE covers this function well for the threats it targets. The Lancaster University study tested 200 internet-borne vulnerabilities against the five controls and found 131 fully mitigated and another 60 partially mitigated. That's strong evidence that the Protect function works against commodity threats.
The limitation is that Protect alone assumes prevention is enough. With 43% of UK businesses reporting a breach or attack in 2025, it clearly isn't. When prevention fails, the other five functions determine whether you're looking at a contained incident or a crisis.
CE coverage: This is CE's function. Firewalls, secure configuration, access control, malware protection, and patch management all sit here.
4. Detect (DE)
Detect is about knowing when something has gone wrong. Prevention reduces the probability of a breach. Detection reduces the gap between a breach occurring and someone noticing.
Detect covers:
- Continuous monitoring: Are your systems watched for unusual behaviour?
- Adverse event analysis: When something anomalous happens, is it investigated?
- Alerting: Do the right people get notified when a threat is detected?
For most UK SMEs, detection means endpoint detection and response (EDR). EDR monitors device behaviour and flags suspicious activity: a process encrypting files rapidly, an application making unusual network connections. Basic antivirus (which CE requires) scans for known malware signatures. EDR catches behaviour that doesn't match known signatures. And that difference matters when dealing with modern threats.
The Qilin group's attack on Synnovis shows this in practice: the ransomware bypassed signature-based detection, so antivirus would not have caught it. EDR looks at behaviour rather than relying on known signatures.
CE coverage: None. CE requires antivirus or antimalware, but doesn't require monitoring, EDR, log analysis, or alerting.
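To make the signature-versus-behaviour distinction concrete, here is an added example (not code from the article or from any EDR product) of the kind of rule an EDR applies: it watches per-process file activity over a sliding window and raises an alert when one process rewrites or renames many files across several directories in a few seconds, whatever the binary is called. The telemetry records, the thresholds and the process names are constructed for the example.

```python
"""Behaviour-based detection of rapid file rewriting by a single process.

Added example, not the article's code or any vendor's EDR logic. Input is
constructed endpoint telemetry: dicts with a timestamp, process id and name,
event type and file path. The rule ignores what the binary is called and
looks only at what it does, which is the point the article makes about EDR.
"""
import posixpath
from collections import defaultdict, deque

# Thresholds are assumptions for this example; a real deployment tunes them
# per estate to keep backup agents, compilers and indexers below the line.
WINDOW_SECONDS = 10          # sliding window length per process
FILE_EVENT_THRESHOLD = 25    # writes/renames by one process inside the window
DISTINCT_DIR_THRESHOLD = 3   # spread across at least this many directories


def detect_rapid_file_modification(events, window=WINDOW_SECONDS,
                                   threshold=FILE_EVENT_THRESHOLD,
                                   min_dirs=DISTINCT_DIR_THRESHOLD):
    """Return one alert dict per process that trips the rule.

    events must be sorted by 'ts' (seconds) and carry keys
    ts, pid, process, event ('file_write' | 'file_rename' | other), path.
    """
    windows = defaultdict(deque)   # pid -> deque of (ts, directory)
    alerted = set()
    alerts = []
    for ev in events:
        if ev["event"] not in ("file_write", "file_rename"):
            continue
        pid = ev["pid"]
        dq = windows[pid]
        dq.append((ev["ts"], posixpath.dirname(ev["path"])))
        # Expire entries that fell out of the window.
        while dq and ev["ts"] - dq[0][0] > window:
            dq.popleft()
        if pid in alerted:
            continue
        dirs = {d for _, d in dq}
        if len(dq) >= threshold and len(dirs) >= min_dirs:
            alerted.add(pid)
            alerts.append({
                "pid": pid,
                "process": ev["process"],
                "files_in_window": len(dq),
                "directories": len(dirs),
                "window_start": dq[0][0],
                "window_end": ev["ts"],
            })
    return alerts


def sample_events():
    """Constructed telemetry: a backup agent touching a few files slowly, and an
    unremarkably named process renaming many user files within seconds."""
    events = []
    for i in range(8):   # benign: 8 writes, one directory, 5 s apart
        events.append({"ts": 100.0 + i * 5, "pid": 4242,
                       "process": "backupagent.exe", "event": "file_write",
                       "path": f"C:/Backups/daily/file{i}.bak"})
    dirs = ["C:/Users/alice/Documents", "C:/Users/alice/Desktop",
            "C:/Users/alice/Pictures", "C:/Shares/Finance"]
    for i in range(40):  # suspicious: 40 renames, 4 directories, 8 s in total
        events.append({"ts": 120.0 + i * 0.2, "pid": 9001,
                       "process": "updatehelper.exe", "event": "file_rename",
                       "path": f"{dirs[i % 4]}/doc{i}.docx.locked"})
    events.sort(key=lambda e: e["ts"])
    return events


if __name__ == "__main__":
    for alert in detect_rapid_file_modification(sample_events()):
        print(alert)
```

The backup agent never trips the rule because its writes are spread over time and confined to one directory; the second process is flagged on its 25th rename, before the window closes, even though nothing about its name or hash is on any block list.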
5. Respond (RS)
Respond is what happens after a detected event. It's the difference between an incident contained in hours and one that escalates for weeks.
Respond covers:
- Incident management: Who does what when a breach is confirmed?
- Incident analysis: What happened, how did it happen, and what's the scope?
- Reporting: Who needs to be told, in what timeframe? (The ICO requires notification within 72 hours, the FCA as soon as possible, and the SRA promptly.)
- Mitigation: How do you contain the damage and prevent it from spreading?
An incident response plan is the minimum. It names the decision-maker, lists the contacts (printed, not stored on systems that might be encrypted), documents containment steps for your specific setup, and includes pre-populated regulatory reporting templates.
Testing the plan through a tabletop exercise, even once a year, separates a document from a capability. Most businesses skip this part, but that's another problem.
CE coverage: None. CE doesn't test incident response capability, regulatory reporting procedures, or containment processes.
6. Recover (RC)
Recover is about getting back to normal after an incident. It's the function that determines whether a ransomware attack costs you a day or six months.
Recover covers:
- Recovery planning: Do you have documented procedures for restoring systems?
- Recovery execution: Can you actually restore from backup? Have you tested it?
- Communication: How do you update stakeholders, customers, and regulators during recovery?
- Improvement: What did you learn, and what will you change to prevent a recurrence?
The British Library's recovery from the Rhysida ransomware attack took months and consumed 40% of their financial reserves. Recovery procedures that haven't been tested take longer and cost more when they're actually needed.
For most SMEs, recovery means: test your backup restore once a year, know how long it takes, and confirm that your critical data is included.
CE coverage: None. CE doesn't test backup procedures, recovery plans, or business continuity capability.
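The three things the article says an SME should check in a restore drill (that the restore works, how long it takes, and that the critical data is included) can be turned into a repeatable script. The following is an added example, not the article's tooling or any backup vendor's: it assumes a manifest of critical files with the SHA-256 recorded at backup time, times a restore routine the caller supplies, and reports anything missing or altered. The files, manifest and deliberately flawed restore are constructed for the demonstration.

```python
"""Restore drill: verify critical data came back intact and record how long it took.

Added example, not from the article or any backup product. A manifest maps
relative paths of critical files to the SHA-256 recorded when the backup was
taken; verify_restore() checks the restored directory against it.
"""
import hashlib
import tempfile
import time
from pathlib import Path


def sha256_of(path: Path) -> str:
    """Stream a file through SHA-256 so large backups don't need to fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def verify_restore(restore_root, manifest):
    """Compare a restored tree with the manifest.

    Returns a report with 'ok' plus sorted lists of missing, mismatched and
    verified relative paths, so the drill produces evidence rather than a feeling.
    """
    root = Path(restore_root)
    missing, mismatched, verified = [], [], []
    for rel, expected in sorted(manifest.items()):
        p = root / rel
        if not p.is_file():
            missing.append(rel)
        elif sha256_of(p) != expected:
            mismatched.append(rel)
        else:
            verified.append(rel)
    return {"ok": not missing and not mismatched, "missing": missing,
            "mismatched": mismatched, "verified": verified}


def timed_restore(restore_fn):
    """Run the caller's restore routine and return its elapsed time in seconds."""
    start = time.monotonic()
    restore_fn()
    return time.monotonic() - start


def demo():
    """Constructed drill: three critical files are 'backed up', the restore
    silently drops one and truncates another, and the verifier catches both."""
    with tempfile.TemporaryDirectory() as tmp:
        src, dst = Path(tmp) / "live", Path(tmp) / "restored"
        files = {"finance/ledger.csv": b"2025-01-01,invoice,1200\n",
                 "hr/contracts.txt": b"contract terms v3\n",
                 "ops/config.yaml": b"retention_days: 30\n"}
        for rel, data in files.items():
            p = src / rel
            p.parent.mkdir(parents=True, exist_ok=True)
            p.write_bytes(data)
        manifest = {rel: sha256_of(src / rel) for rel in files}

        def flawed_restore():
            # Simulated restore: hr/contracts.txt omitted, ops/config.yaml truncated.
            for rel in ("finance/ledger.csv", "ops/config.yaml"):
                p = dst / rel
                p.parent.mkdir(parents=True, exist_ok=True)
                data = files[rel] if rel == "finance/ledger.csv" else files[rel][:5]
                p.write_bytes(data)

        elapsed = timed_restore(flawed_restore)
        report = verify_restore(dst, manifest)
        report["elapsed_seconds"] = elapsed
        return report


if __name__ == "__main__":
    print(demo())
```

Swap `flawed_restore` for a call to your real backup tool's restore command and point `manifest` at the hashes captured when the backup was taken; the elapsed time and the missing/mismatched lists are the numbers worth keeping in the incident response plan.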
How UK schemes map to NIST CSF
| NIST Function | Cyber Essentials | ISO 27001 | Sector Regulators |
|---|---|---|---|
| Govern | Not covered | Covered (ISMS governance) | FCA: operational resilience. SRA: Rules 2.1/2.5 |
| Identify | Partial (asset list at assessment) | Covered (risk assessment) | DSPT: asset management standards |
| Protect | Covered (5 controls) | Covered (Annex A controls) | All sectors reference protective controls |
| Detect | Not covered | Covered (monitoring controls) | FCA: detection capability expected |
| Respond | Not covered | Covered (incident management) | ICO: 72-hour reporting. FCA: immediate. SRA: prompt |
| Recover | Not covered | Covered (business continuity) | FCA: recovery and resumption testing |
CE covers one function out of the six. ISO 27001 covers all six but requires significant investment in documentation and audit. Most UK SMEs sit somewhere between the two, with CE in place and the other five functions either addressed informally or not at all.
Why this matters for UK SMEs
NIST CSF isn't mandatory in the UK. Nobody will audit you against it or penalise you for ignoring it. But it's useful because it shows you what your security programme covers and what it doesn't.
If you have CE and nothing else, you cover Protect. That's one out of six, which is worth knowing. The framework doesn't tell you that's wrong. It tells you that's a decision, and you should make it consciously rather than by default.
If you want to see what a structured programme covering all six functions looks like for a UK SME, read how Cyber 365 maps each function to specific services. If you want to assess whether your current setup needs to go beyond CE, read the self-assessment guide.
If your starting point is understanding where you stand on the controls CE does test, the readiness quiz covers those five controls in five minutes. No commitment required, and no sales call unless you want one.