ISMS Copilot

NIST CSF 2.0 for consultants: the gap-assessment method

Current Profile, Target Profile, prioritized delta. Plus the crosswalk that lets one engagement feed ISO 27001 and SOC 2.

Running a Current→Target Profile gap assessment for a client

The method is disciplined and repeatable. First, build the Current Profile: assess the client against the CSF 2.0 outcomes, including the GOVERN function, and record the achieved state per subcategory with evidence. Second, agree the Target Profile with the client's leadership: the outcomes they have decided to reach, driven by risk appetite and obligations, not a blanket maximum. Third, the gap is the delta between the two, prioritized by risk and effort into a remediation roadmap the client can fund. The multiplier is the crosswalk: CSF describes outcomes while ISO 27001 and SOC 2 describe controls, so each CSF subcategory maps to specific Annex A controls and Trust Services Criteria. Run the Profile assessment once and you can report the same evidence against an ISO 27001 gap analysis and a SOC 2 readiness assessment in the same engagement. The Copilot maps subcategories to ISO 27001, SOC 2, and NIST SP 800-53 so the crosswalk is not hand-built per client.
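The three steps above, reduced to working code as an added example (this is not ISMS Copilot's code or its mapping): a Current and a Target Profile scored per subcategory, the delta prioritized by risk and effort, and the open gaps reported through a crosswalk. The crosswalk entries, the 1-5 risk and effort scales, the priority formula and the sample profiles are all constructed for illustration and would be replaced by the engagement's own.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Gap:
    subcategory: str  # CSF 2.0 subcategory id, e.g. "PR.AA-01"
    current: int      # tier achieved (1-4) per the evidenced Current Profile
    target: int       # tier agreed with leadership in the Target Profile
    risk: int         # 1-5 consequence if the outcome is missed (assumed scale)
    effort: int       # 1-5 estimated remediation effort (assumed scale)
    @property
    def delta(self) -> int:
        return self.target - self.current
    @property
    def priority(self) -> float:
        # Assumed scoring: bigger gaps on riskier outcomes first, cheap fixes before costly ones
        return self.delta * self.risk / self.effort

# Illustrative crosswalk constructed for this example (replace with the engagement's own):
# CSF 2.0 subcategory -> (ISO 27001:2022 Annex A controls, SOC 2 Trust Services Criteria)
CROSSWALK = {
    "GV.RM-01": (["A.5.1"], ["CC3.1"]),
    "ID.AM-01": (["A.5.9"], ["CC6.1"]),
    "PR.AA-01": (["A.5.15", "A.5.16"], ["CC6.1", "CC6.2"]),
    "DE.CM-01": (["A.8.16"], ["CC7.2"]),
    "RS.MA-01": (["A.5.26"], ["CC7.4"]),
}

def compute_gaps(current, target, risk, effort):
    """Open gaps (target above current) ordered by descending priority: the roadmap."""
    gaps = [Gap(s, current[s], t, risk[s], effort[s]) for s, t in target.items()]
    return sorted((g for g in gaps if g.delta > 0), key=lambda g: g.priority, reverse=True)

def crosswalk_report(gaps):
    """Group open gaps by the ISO 27001 control and SOC 2 criterion the same evidence serves."""
    report = {"ISO 27001": {}, "SOC 2": {}, "unmapped": []}
    for g in gaps:
        if g.subcategory not in CROSSWALK:  # never silently drop an unmapped outcome
            report["unmapped"].append(g.subcategory)
            continue
        iso, soc2 = CROSSWALK[g.subcategory]
        for ctl in iso:
            report["ISO 27001"].setdefault(ctl, []).append(g.subcategory)
        for tsc in soc2:
            report["SOC 2"].setdefault(tsc, []).append(g.subcategory)
    return report
# Constructed sample profiles for one client (tiers and ratings are invented)
CURRENT = {"GV.RM-01": 1, "ID.AM-01": 2, "PR.AA-01": 2, "DE.CM-01": 1, "RS.MA-01": 3}
TARGET = {"GV.RM-01": 3, "ID.AM-01": 3, "PR.AA-01": 3, "DE.CM-01": 3, "RS.MA-01": 3}
RISK = {"GV.RM-01": 4, "ID.AM-01": 3, "PR.AA-01": 5, "DE.CM-01": 4, "RS.MA-01": 2}
EFFORT = {"GV.RM-01": 2, "ID.AM-01": 3, "PR.AA-01": 2, "DE.CM-01": 4, "RS.MA-01": 1}
```

`compute_gaps(CURRENT, TARGET, RISK, EFFORT)` yields the roadmap with RS.MA-01 omitted because it already meets its target, and `crosswalk_report` shows which Annex A controls and Trust Services Criteria the same open gaps count against.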


Frequently Asked Questions

What is the Current-to-Target Profile method?

Assess the client against CSF 2.0 outcomes to set the Current Profile, agree a Target Profile with leadership based on risk appetite, and prioritize the delta into a funded remediation roadmap. It is repeatable across clients.

How does the crosswalk save engagement time?

CSF describes outcomes; ISO 27001 and SOC 2 describe controls. Each CSF subcategory maps to specific Annex A controls and Trust Services Criteria, so one Profile assessment can also drive an ISO 27001 gap analysis and SOC 2 readiness.

Should the Target Profile be the maximum tier everywhere?

No. The Target Profile reflects the outcomes the client has decided to reach based on risk appetite and obligations. A blanket maximum produces an unfundable roadmap and signals weak advisory judgement.
