NIST Cybersecurity Framework 2.0
The NIST Cybersecurity Framework (CSF) 2.0, published by the National Institute of Standards and Technology in February 2024, provides a taxonomy of high-level cybersecurity outcomes organised into six functions: Govern, Identify, Protect, Detect, Respond, and Recover. CSF 2.0 expanded its scope beyond critical infrastructure to all organisations and added the Govern function to emphasise cybersecurity governance and supply chain risk management.
Overview
What is NIST Cybersecurity Framework 2.0?
NIST CSF 2.0 is a voluntary framework that helps organisations of all sizes understand, assess, prioritise, and communicate cybersecurity risks. Released in February 2024 as the first major revision since the original 2014 publication, CSF 2.0 is structured around six core functions that provide a high-level strategic view of an organisation's cybersecurity risk management lifecycle. While not mandated by regulation, it is widely adopted across the private and public sectors and is referenced by numerous other standards.
What are the 6 functions of NIST CSF 2.0?
The framework is organised into six functions, each broken down into categories and subcategories:
- Govern (GV): New in CSF 2.0. Establishes and monitors the organisation's cybersecurity risk management strategy, expectations, and policy. Covers organisational context, risk management strategy, roles and responsibilities, policies, oversight, and cybersecurity supply chain risk management.
- Identify (ID): Understanding the organisation's assets, business environment, risk assessment, and risk management strategy. Helps prioritise efforts based on business needs.
- Protect (PR): Implementing safeguards to ensure delivery of critical services. Covers identity management, access control, awareness training, data security, platform security, and technology infrastructure resilience.
- Detect (DE): Developing capabilities to identify cybersecurity events in a timely manner through continuous monitoring and anomaly detection.
- Respond (RS): Taking action when a cybersecurity incident is detected. Covers incident management, analysis, reporting, and mitigation.
- Recover (RC): Restoring capabilities or services impaired by a cybersecurity incident. Covers incident recovery plan execution and communication.
What changed from NIST CSF 1.1 to 2.0?
The CSF 2.0 update introduced several significant changes:
- New Govern function elevates cybersecurity governance, risk management strategy, and supply chain risk to a top-level concern
- Expanded scope from critical infrastructure to all organisations regardless of size, sector, or maturity
- CSF 2.0 Profiles provide a mechanism for describing current and target cybersecurity postures
- Implementation Examples added as a new online resource with practical guidance for each subcategory
- Improved integration with other NIST resources including the Privacy Framework and NIST SP 800-53
How does NIST CSF map to ISO 27001?
NIST CSF and ISO 27001 are complementary. CSF provides a risk-based strategic framework (the 'what'), while ISO 27001 provides a certifiable management system (the 'how'). Our database maps NIST CSF 2.0 to 584 other frameworks at the subcategory-to-control level. The overlap between NIST CSF and ISO 27001 Annex A is approximately 85%, meaning organisations that implement one framework have significant coverage toward the other.
Key Controls
| ID | Control |
|---|---|
| GV.OC-01 | Organisational Context |
| GV.RM-01 | Risk Management Objectives |
| GV.SC-01 | Supply Chain Risk Management |
| ID.AM-01 | Asset Inventories |
| PR.AA-01 | Identity & Access Management |
| PR.DS-01 | Data Protection |
| DE.CM-01 | Continuous Monitoring |
| RS.MA-01 | Incident Management |