NIST Cybersecurity Framework (CSF 2.0)
A risk-based framework for cybersecurity programme management
The NIST Cybersecurity Framework provides a flexible, risk-based approach to managing cybersecurity risk. It is widely adopted in the US and increasingly recognised globally as a best-practice standard.
The NIST Cybersecurity Framework (CSF), developed by the US National Institute of Standards and Technology, provides a structured approach to managing cybersecurity risk. CSF 2.0, released in February 2024, expanded the framework's scope to organisations of all sizes and sectors globally — not just US critical infrastructure. The framework is organised around six core functions: Govern, Identify, Protect, Detect, Respond, and Recover.
Unlike ISO 27001 or SOC 2, NIST CSF is a voluntary framework rather than a certifiable standard. However, it is widely used as a baseline for cybersecurity programme design, gap assessments, and risk communication with leadership. US government contractors, critical infrastructure operators, and organisations selling to US federal agencies frequently use NIST as their primary security framework.
Who Needs NIST CSF?
US federal government contractors and suppliers subject to NIST-based security requirements
Critical infrastructure operators in energy, healthcare, finance, and transportation sectors
Organisations wanting a flexible, risk-based cybersecurity programme framework
Companies using NIST as the basis for mapping to other frameworks (ISO 27001, SOC 2, PCI DSS)
Businesses needing to communicate cybersecurity posture to boards, executives, and regulators
Organisations undergoing CMMC (Cybersecurity Maturity Model Certification) assessment
What It Covers
Govern
Establish organisational context, risk strategy, supply chain risk management, policies, and accountability for cybersecurity — the new function added in CSF 2.0.
Identify
Develop organisational understanding of cybersecurity risk — asset management, risk assessment, business environment, and improvement processes.
Protect
Implement appropriate safeguards — identity management, access control, awareness training, data security, and platform protection.
Detect
Develop and implement activities to identify cybersecurity events — continuous monitoring, anomaly detection, and adverse event analysis.
Respond
Take action when a cybersecurity incident is detected — incident management, analysis, mitigation, and communication.
Recover
Restore capabilities or services impaired by a cybersecurity incident — recovery planning, improvements, and communications.
Benefits of NIST CSF
A common language for communicating cybersecurity risk to executives, boards, and stakeholders
Flexible framework that maps to other standards — reduces duplication across ISO 27001, SOC 2, PCI DSS
Recognised baseline for US government and critical infrastructure security requirements
Scalable from small businesses to large enterprises without prescriptive implementation mandates
Provides a maturity model for measuring and improving cybersecurity programme effectiveness over time
How We Help You Achieve It
Current Profile
We assess your current cybersecurity practices against the six CSF functions to establish a baseline profile.
Target Profile
We work with your leadership to define a target profile reflecting your desired cybersecurity outcomes and risk appetite.
Gap Analysis
We identify the gaps between current and target profiles and develop a prioritised implementation roadmap.
Implementation
We support implementation of controls and processes across all six framework functions.
Framework Mapping
We map your NIST CSF implementation to other applicable frameworks to minimise duplication of effort.
Reporting
We help you produce board-level cybersecurity posture reports using the NIST CSF language and metrics.
Ready to Start Your NIST CSF Journey?
Begin with a free cybersecurity gap assessment to understand where you stand, then let our experts guide you through implementing and aligning with the framework.