Five Questions That Expose an Ad-Hoc Security Practice
TL;DR
- A security checklist tells you what you configured; a framework like NIST CSF 2.0 tells you why, and the gap between the two is where MSP security practices stay ad-hoc.
- NIST CSF 2.0, published in 2024, expands the framework's scope from critical infrastructure to organizations of every size.
- Scoring a current profile and a target profile across the six CSF functions turns vague security goals into a prioritized roadmap.
- Mapping Microsoft 365 controls across Entra ID, Intune, Exchange, Teams, SharePoint, OneDrive, Defender, and Purview to CSF functions gives every checklist item a documented why.
Ask an MSP which security settings they deploy at onboarding and you get a confident answer. Ask which framework those settings serve, which policy document describes them, and when they were last formally reviewed, and the conversation usually goes quiet. The checklist exists; the why behind it does not.
That gap matters because checklists do not equal compliance. Plenty of MSPs implement a Microsoft 365 baseline at onboarding, then lean on Secure Score recommendations to fill holes and show the customer some posture improvement. What is missing is the connective tissue: written policy definitions and a north-star framework that organizes the whole practice. Time and resources are always constrained, so knowing which actions are most impactful, for your MSP and for every downstream customer, is the difference between a strategy and a pile of settings.
How mature is your practice? Five questions
Score yourself honestly against these:
- Do we follow a framework or standard that gives our cybersecurity strategy a consistent approach?
- Do we have written, implemented policy definitions across customers, such as an incident response plan, vulnerability management, and backup and disaster recovery?
- Do we keep base policy definitions that can be modified for the uniqueness of each customer environment?
- Do we run a formal review process for the policies and controls already in place?
- Do we set current and target profiles for our cybersecurity improvements?
If most answers are no, your security lifecycle is ad-hoc and reactive, and you are in the majority. The fix is not another checklist. It is anchoring the checklist to a framework, which is exactly what the NIST CSF 2.0 template below does. If you would rather anchor to the CIS Controls, that version is here.
Why NIST CSF 2.0 is a sensible north star

NIST published the official CSF 2.0 release in 2024, and the timing made it worth building a fresh enablement guide that maps Microsoft security controls to the framework with a self-scoring assessment attached. The framework has been reducing cybersecurity risk since its initial publication in 2014, and organizations consistently told NIST that CSF 1.1 still worked. The major shift in 2.0 is scope: the framework now explicitly addresses all organizations, not just critical infrastructure. For MSPs serving SMBs, that makes it a legitimate north star rather than an enterprise hand-me-down.
How does the self-scoring assessment work?
The template includes a basic self-scoring assessment to surface where your gaps exist today. The goal is to rank yourself across the NIST CSF functions against a current profile and a target profile, with sheets for Govern, Identify, Protect, Detect, Respond, and Recover. Scores follow a profile logic derived from the official CSF tiers:

Each CSF function gets its own tab with the self-assessment, a current score, and target scores:

Where do Microsoft 365 controls fit the framework?
The piece that turns the assessment into an operational tool is the control matrix: recommended Microsoft security controls across Entra ID, Intune, Exchange, Teams, SharePoint, OneDrive, Defender, and Purview, each mapped to the NIST CSF function it serves. The matrix includes the base license requirement for every control plus checklist columns, so you can track implementation progress across customers and answer the why question for any setting in your baseline.

Tracking it across every customer, every quarter
A one-time self-assessment is a snapshot. For MSPs who want the longitudinal view, there is an enablement ebook and a multi-tenant Power BI template that tracks these assessments over time across all of your customers. The ebook bundles the operational extras:
- Setup instructions for each Microsoft control
- PowerShell scripts
- Video tutorials
- 40+ end-user notification templates for controls that impact end users

As of April 2024, the template is discounted 25 percent with code NISTMATRIX at checkout: NIST 2.0 with Microsoft 365 Power BI template and ebook (opens in new tab).
Frequently asked questions
What changed between NIST CSF 1.1 and 2.0?
The headline change is scope. CSF 1.1 was framed around critical infrastructure; CSF 2.0 explicitly targets all organizations regardless of size or sector. The 2.0 release also adds Govern as a function alongside Identify, Protect, Detect, Respond, and Recover.
Why score both a current and a target profile?
A single score tells you where you are but not where you intend to go. Setting current and target profiles per CSF function, using tiers derived from the official CSF tiers, turns the assessment into a prioritized improvement plan you can show clients and insurers.
Is the CIS Controls a better fit than NIST CSF for MSPs?
They serve different jobs. NIST CSF organizes your overall program and policy definitions; the CIS Controls give you prescriptive, prioritized technical safeguards. Many MSPs map their Microsoft 365 baseline to CIS and frame their practice maturity with CSF.
The framework gives you the why. We collect the evidence.
Self-assessments are where the journey starts. CloudCapsule automates the technical half, assessing 250+ Microsoft 365 controls per tenant in about 60 seconds, so your framework scores rest on current evidence instead of last quarter's memory.
Book a demo
Written by
Nick Ross
CEO · Microsoft MVP · Founder, T-Minus 365
Nick is not just a CEO, he's a respected thought leader and influencer in the MSP space. Tens of thousands of MSPs learn through his YouTube channel, T-Minus365. Nick has been honored as a three-time Microsoft MVP for his educational content; his expertise and influence are the backbone of our mission, ensuring that you are in the best hands when it comes to security.
Nick joined Pax8 in 2017, where he would ultimately oversee product management for PSA and Microsoft integrations. Following his tenure at Pax8, Nick has continued to demonstrate his leadership prowess as an executive at various MSPs, culminating in his most recent role at Sourcepass.
Nick holds a Bachelor's Degree in Business Management from Florida State University, as well as a Minor Degree in Entrepreneurship. In his free time, Nick is an avid hiker, reader, and fitness-junkie.


