NIST CSF 2.0 risk assessment with ISMS Copilot
Run risk assessment through the CSF 2.0 ID.RA outcomes, build Current and Target Profiles, and pick a Tier.
Risk assessment via the CSF 2.0 ID.RA outcomes
NIST CSF 2.0 is outcome-based across six functions — Govern, Identify, Protect, Detect, Respond, and Recover — and risk assessment lives in the Identify function under the ID.RA category. ISMS Copilot works through the ID.RA subcategories with you: identifying threats and vulnerabilities, determining likelihood and impact, prioritising responses, and recording risk acceptance. Rather than producing a static report, it helps you express the result as a Current Profile (what is true today) against a Target Profile (the desired outcome state), so the gap is explicit and prioritised. The assistant also guides Tier selection — Partial, Risk Informed, Repeatable, or Adaptive — describing how rigorously risk decisions are governed. CSF outcomes cross-map to ISO 27001 and NIST 800-53 controls, so one assessment reports against several frameworks.
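The following is an added worked example (not ISMS Copilot's own code) showing the shape of what the paragraph above describes: a risk register scored by likelihood and impact, a Current Profile compared against a Target Profile so the gap comes out as a priority-ordered list, and a check that every accepted risk has an owner recorded. The ID.RA-xx identifiers are the real CSF 2.0 subcategory IDs; their descriptions are paraphrased in comments, and every status, likelihood, impact and owner value is constructed sample data, not an assessment of any real organisation.

```python
"""Worked shape of a CSF 2.0 ID.RA risk assessment: a register scored by
likelihood x impact, and a Current Profile compared with a Target Profile.

Added example, not ISMS Copilot's own code. The ID.RA-xx identifiers are the
real CSF 2.0 subcategory IDs; their descriptions are paraphrased, and every
status, likelihood, impact and owner value below is constructed sample data.
"""
from dataclasses import dataclass

# Outcome achievement levels, ordered so a gap can be measured as a delta.
STATUS_RANK = {"not_started": 0, "partial": 1, "largely": 2, "achieved": 3}

# A Profile is simply "subcategory -> achievement level".
Profile = dict[str, str]

# Constructed Current Profile for the ID.RA category (what is true today).
CURRENT: Profile = {
    "ID.RA-01": "partial",      # vulnerabilities in assets are identified
    "ID.RA-03": "largely",      # internal and external threats are identified
    "ID.RA-04": "partial",      # likelihood and impact of threats are determined
    "ID.RA-05": "not_started",  # threats/vulns/likelihood/impact used to prioritise
    "ID.RA-06": "partial",      # risk responses chosen, planned, tracked
}

# Constructed Target Profile: the outcome state the organisation wants.
TARGET: Profile = {
    "ID.RA-01": "achieved",
    "ID.RA-03": "achieved",
    "ID.RA-04": "largely",
    "ID.RA-05": "achieved",
    "ID.RA-06": "achieved",
}


def profile_gap(current: Profile, target: Profile) -> list[tuple[str, str, str, int]]:
    """Return (subcategory, current, target, delta) for every outcome below
    target, largest delta first, so the list reads as a priority order."""
    rows = []
    for sub, want in target.items():
        have = current.get(sub, "not_started")  # absent from Current = not started
        delta = STATUS_RANK[want] - STATUS_RANK[have]
        if delta > 0:
            rows.append((sub, have, want, delta))
    return sorted(rows, key=lambda r: (-r[3], r[0]))


@dataclass
class Risk:
    """One register entry: a threat against a vulnerability, scored 1-5 x 1-5."""
    description: str
    likelihood: int
    impact: int
    response: str            # "mitigate", "accept", "transfer" or "avoid"
    accepted_by: str = ""    # must be filled in when response == "accept"

    @property
    def score(self) -> int:
        return self.likelihood * self.impact


# Constructed register entries feeding ID.RA-04, ID.RA-05 and ID.RA-06.
REGISTER = [
    Risk("Unpatched internet-facing VPN appliance", 4, 5, "mitigate"),
    Risk("Phishing leading to credential theft", 5, 4, "mitigate"),
    Risk("Legacy test server with no backups", 2, 2, "accept", accepted_by="CISO"),
    Risk("Loss of a single-region cloud zone", 1, 4, "accept"),  # owner missing
]


def prioritise(register: list[Risk]) -> list[Risk]:
    """ID.RA-05: order risks by likelihood x impact, highest first."""
    return sorted(register, key=lambda r: (-r.score, r.description))


def unrecorded_acceptances(register: list[Risk]) -> list[str]:
    """Accepted risks must name who accepted them; return any that do not."""
    return [r.description for r in register
            if r.response == "accept" and not r.accepted_by]


if __name__ == "__main__":
    for sub, have, want, delta in profile_gap(CURRENT, TARGET):
        print(f"{sub}: {have} -> {want} (gap {delta})")
    for r in prioritise(REGISTER):
        print(f"{r.score:>2} {r.response:<8} {r.description}")
    print("acceptance without owner:", unrecorded_acceptances(REGISTER))
```

The gap list is what a Target Profile adds over a plain register: it tells you which outcomes to work on first, while the register's scores tell you which individual risks drive the urgency. The acceptance check is the simplest version of the ID.RA-06 record-keeping point, because an accepted risk with no named owner is a decision nobody will defend at audit.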
Why teams use ISMS Copilot for CSF 2.0 risk assessment
- Work the ID.RA subcategories instead of inventing a bespoke risk method
- Express results as Current versus Target Profiles with a prioritised gap
- Select a defensible Tier from Partial, Risk Informed, Repeatable, or Adaptive
- Map CSF outcomes to ISO 27001 and 800-53 to report once across frameworks
Frequently Asked Questions
Where does risk assessment sit in CSF 2.0?
Risk assessment is the ID.RA category within the Identify function, one of the six CSF 2.0 functions — Govern, Identify, Protect, Detect, Respond, and Recover. ISMS Copilot works through the ID.RA subcategories directly.
What is the difference between a Current and Target Profile?
A Current Profile records the outcomes you achieve today; a Target Profile records the outcomes you intend to achieve. ISMS Copilot builds both so the gap, and the work to close it, is explicit and prioritised.
How do Tiers relate to the risk assessment?
Tiers — Partial, Risk Informed, Repeatable, Adaptive — describe how rigorously cybersecurity risk decisions are governed. ISMS Copilot helps you select and justify a Tier consistent with your risk-management practices.
