Is this aligned to NIST CSF 2.0 or 1.1?

NIST CSF 2.0, released February 26, 2024. The checklist follows the six-function structure (Govern, Identify, Protect, Detect, Respond, Recover) and uses the CSF 2.0 subcategory IDs (GV.OC, ID.AM, PR.AA, DE.CM, RS.RP, RC.RP, etc.). The new Govern function, added in 2.0 to elevate enterprise risk + executive oversight, is fully scoped, not bolted on. If you have legacy CSF 1.1 evidence, the appendix includes a mapping table so you can transition existing documentation forward.

Is the CIS Controls v8 cross-mapping included?

Yes. The PDF appendix cross-references all 18 CIS Controls v8 (May 2021) to the matching NIST CSF 2.0 subcategories, with the Implementation Group tier (IG1 essentials, IG2 mid-market, IG3 high-risk) marked on each control. A 50-person company can scope to IG1 (~56 safeguards), a regulated mid-market company to IG2 (~130 total), and a critical-infrastructure operator to IG3 (~153 total) using the same document.

Is this for federal-contractor use or general commercial use?

Both. NIST CSF 2.0 is voluntary for the commercial sector but is referenced by the SEC cybersecurity disclosure rule, the FTC Safeguards Rule, the New York DFS Part 500 cybersecurity regulation, and most state breach-notification laws as the de facto reasonable-security baseline. For federal contractors specifically, the checklist also notes where each subcategory maps to NIST SP 800-171 Rev 3 (CUI protection) and CMMC Level 2, but it is not a replacement for a full CMMC C3PAO assessment.

Does it map to ISO/IEC 27001:2022?

Yes. The PDF appendix includes a one-page mapping from NIST CSF 2.0 subcategories to ISO/IEC 27001:2022 Annex A, the post-2022 revision with 93 controls (down from 114 in the 2013 edition) reorganized into four themes: Organizational, People, Physical, Technological. The mapping is bidirectional, so if you already have an ISO 27001:2022 ISMS in place, you can use it to demonstrate CSF 2.0 alignment to a customer or board without duplicate work.

Is this SMB-friendly or enterprise-only?

Both, by design. The CIS Controls v8 Implementation Group tiering is the scope dial. A 25-person startup scopes to IG1 (~56 essential safeguards) and skips the GV oversight cadence that only makes sense at board-level companies. A Fortune 500 enterprise scopes to IG3 with the full Govern function in play. The 28-page checklist is the same document, what changes is which lines are in scope, marked clearly per control.

Free Download · Cyber Security Risk Assessment

The complete cyber security risk assessment checklist

Every NIST CSF 2.0 function, Govern, Identify, Protect, Detect, Respond, Recover, cross-mapped to ISO/IEC 27001:2022 Annex A and the 18 CIS Controls v8 implementation groups. Built for CISOs, GRC leads, and security engineers running enterprise risk reviews, board reporting, or vendor cybersecurity questionnaires without spinning up a Big-Four engagement.

Download free See full cyber assessment platform

No credit card · No call required · Instant link

Free

PDF · 28 pages · last updated 2026

Cyber Security Risk Assessment Checklist

NIST CSF 2.0 · ISO 27001:2022 · CIS Controls v8

Govern + Identify
GV + ID
10 items
Protect + Detect
PR + DE
10 items
Respond + Recover
RS + RC
7 items
CIS v8 + ISO 27001 map
Annex
2 worksheets

What's inside

Every NIST CSF 2.0 function, cross-mapped and ready to assess

The Cybersecurity Framework 2.0 (Feb 2024) organizes outcomes across six functions. The checklist follows that structure exactly so what you complete maps 1:1 to the framework an SEC filer, board audit committee, vendor questionnaire, or insurance carrier expects to see.

Govern

GV · Govern

GV.OC · Organizational context (mission, stakeholders, legal + regulatory obligations)
GV.RM · Risk management strategy (risk appetite, tolerance, acceptance criteria)
GV.RR · Roles, responsibilities, authorities (RACI for cybersecurity decisions)
GV.PO · Policy (cybersecurity policy approved + communicated + enforced)
GV.OV · Oversight (board + executive review of cyber risk performance)

Identify

ID · Identify

ID.AM · Asset management (hardware, software, data, services, suppliers inventoried + classified)
ID.BE · Business environment (mission-critical functions + dependencies mapped)
ID.GV · Cybersecurity governance (policies + legal + regulatory requirements managed)
ID.RA · Risk assessment (threats, vulnerabilities, likelihood, impact documented)
ID.SC · Supply chain risk (third-party + vendor + SBOM risk identified + monitored)

Protect

PR · Protect

PR.AA · Identity, authentication, access control (MFA, privileged access, IAM lifecycle)
PR.AT · Awareness + training (workforce + privileged-user role-based curriculum)
PR.DS · Data security (encryption at rest + in transit, DLP, data destruction)
PR.IP · Information protection processes (baseline configs, change control, SDLC)
PR.MA · Maintenance (patch + vulnerability mgmt, remote maintenance approvals)
PR.PT · Protective technology (audit logs, removable media, network segmentation)

Detect

DE · Detect

DE.AE · Anomalies + events (baselines, event correlation, impact analysis)
DE.CM · Continuous monitoring (network, endpoint, cloud, identity telemetry)
DE.DP · Detection processes (roles, testing, communication, continuous improvement)
DE.SO · Security operations (SOC, MDR, XDR, threat hunting, IR triage)

Respond

RS · Respond

RS.RP · Response planning (IR plan + playbooks + tabletop exercises)
RS.CO · Communications (internal, regulator, customer, public, law enforcement)
RS.AN · Analysis (forensics, scope, root cause, evidence preservation)
RS.MI · Mitigation + improvements (containment, eradication, lessons learned)

Recover

RC · Recover

RC.RP · Recovery planning (RTO + RPO, backup integrity, DR testing)
RC.IM · Improvements (post-incident review, plan + control updates)
RC.CO · Communications (recovery status to stakeholders + media + regulators)

Plus a CIS Controls v8 cross-map + ISO 27001:2022 Annex A worksheet

The PDF appendix cross-references all 18 CIS Controls v8 (Implementation Groups IG1, IG2, IG3) to the matching CSF subcategories, plus a one-page ISO/IEC 27001:2022 Annex A (93-control) mapping so a single completed line satisfies multiple framework asks. 28 pages total.

Why use this checklist

Built for the regulator, the board, and the vendor questionnaire, not for slideware

NIST CSF 2.0 is the new baseline. Released February 26, 2024, the NIST Cybersecurity Framework 2.0 is the first major revision since 2018. It adds a sixth function, Govern (GV), to elevate enterprise risk + executive oversight to the same tier as the technical functions. It expands beyond critical infrastructure to all sectors, all sizes, all geographies. And it formalizes cross-mapping to ISO/IEC 27001:2022, NIST SP 800-53 Rev 5, and the SEC cybersecurity disclosure rule (Item 1.05 of Form 8-K, effective December 2023). The checklist follows CSF 2.0's six-function structure exactly.

NIST · Cybersecurity Framework 2.0

CIS Controls v8 covers the implementation gap. The Center for Internet Security's Critical Security Controls v8 (May 2021) translate framework outcomes into 18 prioritized, prescriptive controls grouped into three Implementation Groups. IG1 is the SMB-essentials baseline (~56 safeguards). IG2 covers the mid-market enterprise (~74 additional safeguards). IG3 covers high-risk targets in regulated industries. The checklist cross-maps each NIST CSF 2.0 subcategory to the corresponding CIS v8 control and IG tier so a 50-person SaaS and a 50,000-person hospital system can both use one document scoped to their size.

CIS · Critical Security Controls v8

The threat data says 'fix the basics first.' The 2024 Verizon Data Breach Investigations Report (DBIR) analyzed 30,458 incidents and 10,626 confirmed breaches across 94 countries. Two findings drive the structure of this checklist. First, 68% of breaches involve a non-malicious human element, phishing, social engineering, or error, which makes PR.AT (awareness + training) and PR.AA (IAM) the highest-leverage controls. Second, ransomware and extortion are present in roughly one-third of breaches, with median losses tracking ~$46K but tail-risk losses reaching the eight-figure range, which makes RC.RP (recovery planning + tested backups) and DE.CM (continuous monitoring) the highest-leverage detection + response investments. The checklist is ordered to surface those controls first.

Verizon · 2024 DBIR

Who is it for

Three roles, one checklist

Security leadership

CISO + Director of Information Security

Owns the cybersecurity program, board reporting, SEC 8-K cyber-disclosure readiness, and cross-framework attestation (NIST CSF, ISO 27001, SOC 2, PCI DSS, HIPAA, FedRAMP). Reports up to the CIO, CTO, or directly to the board.

Outcome · Walk into the audit committee with one document that maps board-level governance (GV) outcomes to operating-level Identify–Recover controls, and to the ISO 27001 + CIS v8 frameworks the rest of the business already references.

Governance, risk, compliance

Risk Manager + Head of GRC

Owns the integrated risk register, third-party risk, vendor security questionnaires, regulatory mapping, and the cross-framework crosswalk between cyber, privacy (GDPR, HIPAA, CCPA), and operational frameworks (SOC 2, ISO 22301).

Outcome · Use the checklist as the readiness diagnostic that gates a full ISO 27001:2022 certification, SOC 2 Type II audit, or CMMC Level 2 assessment, without rebuilding the same control library three times.

Technical operations

Security Engineer + Security Analyst

Implements, monitors, and tunes the controls. Runs the SOC, vulnerability management, IAM, endpoint, and cloud-security stack. Often the only deeply technical person in a small or mid-sized organization.

Outcome · Get a prescriptive control list, CIS v8 IG1/IG2/IG3 tiered, that converts directly into Jira epics, sprint backlogs, and architecture review tickets without translating from policy English first.

FAQ

Common questions, answered

What's in the checklist, NIST CSF 2.0 vs 1.1 alignment, CIS Controls v8 cross-mapping, ISO 27001:2022 Annex A coverage, and SMB vs enterprise scope.

Cyber Security Assessment Software

Run NIST CSF 2.0, ISO 27001:2022, CIS Controls v8, NIST 800-53 Rev 5, and 36 other cyber + privacy frameworks on one platform, with shared evidence, continuous monitoring, and board reporting.

ISO 27001 Compliance Software

Operationalize ISO/IEC 27001:2022 Annex A's 93 controls, risk treatment plan, Statement of Applicability, internal audit, management review, and cross-map to NIST CSF 2.0 inside one library.

NIST CSF Compliance Software

Score and improve your NIST CSF 2.0 maturity across all six functions, Govern through Recover, with CIS v8, NIST 800-53, and ISO 27001 cross-mapping plus board-ready reporting.

Beyond the checklist

Run NIST CSF + ISO 27001 + CIS on one platform?

The PDF is the readiness diagnostic. The platform runs continuous NIST CSF 2.0 scoring across all six functions, ISO/IEC 27001:2022 ISMS evidence, CIS Controls v8 implementation tracking by IG tier, and 36 other framework libraries (SOC 2, PCI DSS, HIPAA, GDPR, NIST 800-53 Rev 5, NIST 800-171, CMMC, FedRAMP), with one shared control library, one evidence pool, and the audit-grade reporting your board, regulators, and customers already accept.

Book a 30-min walkthrough Talk to a cyber specialist

Or call US: +1 941-500-4525