Governance, risk and compliance quick reference
The NIST CSF 2.0 functions, the incident response lifecycle, UK GDPR Article 5 principles and the Computer Misuse Act offences.
NIST CSF 2.0 functions
Version 2.0 has six functions. Govern is the function added in 2.0 and it wraps around the other five.
| Function | Scope | Example activity |
|---|---|---|
| Govern | Sets the strategy, roles, policy and risk appetite that steer the rest | Assigning cyber risk accountability to a named executive |
| Identify | Understands assets, data and the risks to them | Maintaining an asset inventory and running risk assessments |
| Protect | Puts safeguards in place to limit or contain impact | Enforcing MFA and least-privilege access |
| Detect | Finds and analyses possible attacks and compromises | Continuous monitoring of network traffic for anomalies |
| Respond | Takes action once an incident is detected | Triaging an alert and executing the response plan |
| Recover | Restores assets and operations after an incident | Restoring systems from clean backups and reviewing lessons learned |
Incident response lifecycle
Current guidance is NIST SP 800-61r3 (April 2025), which reframes incident response as a CSF 2.0 Community Profile: IR activity maps onto the six functions above rather than a fixed sequence of phases. It supersedes Revision 2.
The classic four-phase lifecycle from Revision 2 is still worth knowing, since most other material and the SANS PICERL variant follow it:
- Preparation
- Detection and Analysis
- Containment, Eradication and Recovery
- Post-Incident Activity
UK GDPR Article 5 principles
The principles that govern all processing of personal data.
| Principle | Meaning |
|---|---|
| Lawfulness, fairness and transparency | Process data with a valid legal basis and tell people how you use it |
| Purpose limitation | Collect data for specified, explicit purposes and do not reuse it for incompatible ones |
| Data minimisation | Hold only the data that is adequate and relevant to the purpose |
| Accuracy | Keep data correct and up to date, and correct or erase errors |
| Storage limitation | Keep data in identifiable form no longer than needed |
| Integrity and confidentiality | Secure data against unauthorised access, loss or damage |
| Accountability | Be responsible for, and able to demonstrate, compliance with the above |
Computer Misuse Act 1990
The core UK offences for unauthorised computer activity.
| Section | Offence | What it criminalises |
|---|---|---|
| Section 1 | Unauthorised access to computer material | Knowingly accessing a system or data without authorisation |
| Section 2 | Unauthorised access with intent | Section 1 access committed with intent to commit, or facilitate the commission of, a further offence |
| Section 3 | Unauthorised acts impairing operation | Unauthorised acts done with intent to impair, hinder or alter the operation of a system or its data, or recklessly as to whether they do so |