Simplify IS
NIST CSF 2.0 Implementation Tiers

Simplify IS
Maturity Model

A data-driven methodology for continuous security evolution. We don't just assess status; we measure your organisation's posture and chart the path to predictable resilience.

Sample Maturity Benchmark
GovernYou 2.4Ind 2.8IdentifyYou 2.1Ind 2.6ProtectYou 1.9Ind 2.7DetectYou 1.8Ind 2.1RespondYou 2.3Ind 2.0RecoverYou 2.2Ind 2.51234
This is youThis is industry
NIST 6-FUNCTION VIEWYOU VS INDUSTRY

NIST CSF 2.0 Implementation Tiers

Cypher measures organisational security against the four tiers defined by NIST CSF 2.0, each representing a leap in predictability and control. ISO 27001 and APRA CPS 234 results are mapped onto the same scale so your maturity reads consistently across frameworks.

01

Partial

Cyber security risk is managed ad hoc. Awareness is limited, practices are reactive, and there is little organisational visibility across controls.

Reactive
02

Risk Informed

Risk-management practices are approved by leadership but are not yet established as organisation-wide policy. Decisions are informed but inconsistent.

Approved
03

Repeatable

Risk management is formalised, expressed as organisation-wide policy, and updated regularly as the threat landscape and the business shift.

Standardised
04

Adaptive

Continuous improvement, threat-informed defence, and predictive risk decisions integrated with strategic planning. The organisation learns from every incident.

Predictive

Conversational Signals

Cypher captures evidence from your responses — process descriptions, control owners, review cadence — and turns them into tier signals.

Auditable Trail

Every answer, score, and recommendation is timestamped against the control it came from, ready for your next auditor.

Cross-Framework Mapping

Tier signals flow across ISO 27001:2022, NIST CSF 2.0, and APRA CPS 234 — fix a gap once, see it clear in every framework it satisfies.

Drift Awareness

Reassess on your cadence and Cypher highlights where tiers have moved since the last assessment.

The Cypher Engine

Quantifying Security Through Discussions.

Maturity isn't an opinion; it's a calculation. Cypher scores every answer against the framework's tier criteria, so two assessments of the same control land at the same place.

  • Consistent Scoring

    Tiers are derived from the conversation Cypher has with you — not a yes/no survey — so the score reflects how the control actually runs.

  • Living Maturity

    Your tier moves whenever you reassess, edit a finding, or capture new evidence — so the score on screen reflects what you ran today, not what you ran last quarter.

Next Horizon

Coming Soon

Real-time signal capture

Direct telemetry ingestion from your security stack to automate the assessment of control effectiveness without manual intervention.

Evidence chaining

Cryptographic linking of system logs and configuration data to specific compliance requirements, creating an unbreakable audit trail.

Start measuring your maturity today.

Cypher is ready to guide your organisation through its first maturity assessment.

How It Works