The NIST Cybersecurity Framework (CSF 2.0)
The NIST Cybersecurity Framework is a voluntary, widely adopted framework for managing and reducing cybersecurity risk — built around six core Functions that give any organisation a common language for security.
The six Functions are Govern, Identify, Protect, Detect, Respond, and Recover. The 2024 update — CSF 2.0 — added Govern and widened the scope from critical infrastructure to organisations of every size.
Plain-English explainer · CSF 2.0 · Maps to ISO 27001 / SOC 2 · Last reviewed June 2026
The NIST Cybersecurity Framework (CSF) is a voluntary framework that helps organisations understand, manage, and reduce their cybersecurity risk. Created by the US National Institute of Standards and Technology, it’s used worldwide as a common language for security — by organisations of every size and sector, not just US ones. Its heart is the Core: six high-level Functions — Govern, Identify, Protect, Detect, Respond, Recover — broken into Categories and Subcategories of outcomes. The 2024 release, CSF 2.0, added the Govern Function and broadened the framework’s audience. CSF is outcome-based and flexible: it tells you what good security looks like, not exactly how to implement it — which is why it pairs naturally with a certifiable standard like ISO 27001 and sits alongside other risk management frameworks.
The Core
The Six Functions
Each Function answers a different question about your security programme. Together they cover the full lifecycle — from setting strategy to recovering from an incident.
Govern (GV)
Establish and monitor the organisation’s cybersecurity risk management strategy, expectations, roles, and policy. CSF 2.0 added Govern to put leadership accountability at the centre.
Identify (ID)
Understand your assets, data, suppliers, and the risks to them — you can’t protect what you haven’t mapped.
Protect (PR)
Apply safeguards that limit or contain the impact of an incident: access control, awareness training, data security, and maintenance.
Detect (DE)
Find cybersecurity events quickly through continuous monitoring and detection processes.
Respond (RS)
Take action once an incident is detected — containment, analysis, communication, and mitigation.
Recover (RC)
Restore the capabilities and services that an incident impaired, and learn from it to improve.
Tiers & Profiles
Measuring & Targeting Maturity
Implementation Tiers
Four tiers describe how rigorous and risk-informed your practices are:
- Tier 1 — Partial: ad-hoc, reactive.
- Tier 2 — Risk Informed: aware, but inconsistent.
- Tier 3 — Repeatable: formal, organisation-wide.
- Tier 4 — Adaptive: continuously improving.
Profiles
A Profile is your selection of Functions, Categories, and Subcategories tailored to your business. Compare a Current Profile (where you are) with a Target Profile (where you want to be) — the gap between them becomes your prioritised security roadmap.
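The Current-versus-Target comparison above can be carried out as a simple gap analysis. The code below is an added example, not code from this page or from NIST; it assumes each outcome is scored with a Tier value from 1 to 4 (a common scoring practice, not something CSF mandates), uses CSF 2.0 category identifiers only as labels, and the two profiles are constructed sample data.

```python
"""Gap analysis between a CSF 2.0 Current Profile and a Target Profile."""
from dataclasses import dataclass

# Function codes in the lifecycle order given on the page.
FUNCTIONS = ("GV", "ID", "PR", "DE", "RS", "RC")
# Implementation Tiers (the page's four tiers).
TIERS = {1: "Partial", 2: "Risk Informed", 3: "Repeatable", 4: "Adaptive"}

@dataclass(frozen=True)
class GapItem:
    outcome: str   # category id such as "PR.AA"
    function: str  # Function code, the part before the dot
    current: int
    target: int

    @property
    def gap(self) -> int:
        return self.target - self.current

def _check_profile(profile: dict[str, int]) -> None:
    """Reject unknown Function codes and tier values outside 1-4."""
    for outcome, tier in profile.items():
        func = outcome.split(".", 1)[0]
        if func not in FUNCTIONS:
            raise ValueError(f"{outcome}: unknown Function {func!r}")
        if tier not in TIERS:
            raise ValueError(f"{outcome}: tier must be 1-4, got {tier!r}")

def gap_analysis(current: dict[str, int], target: dict[str, int]) -> list[GapItem]:
    """Outcomes whose target exceeds current, largest gap first; ties are
    broken by lifecycle order (Govern before Identify, ...) then by id."""
    _check_profile(current)
    _check_profile(target)
    missing = set(target) - set(current)
    if missing:  # a Target outcome that was never assessed cannot be planned for
        raise ValueError(f"Current Profile lacks outcomes: {sorted(missing)}")
    items = [GapItem(o, o.split(".", 1)[0], current[o], t) for o, t in target.items()]
    roadmap = [i for i in items if i.gap > 0]
    roadmap.sort(key=lambda i: (-i.gap, FUNCTIONS.index(i.function), i.outcome))
    return roadmap

# Constructed sample profiles: one tier score per CSF 2.0 category id (assumption).
CURRENT_PROFILE = {"GV.OC": 1, "ID.AM": 2, "PR.AA": 2, "DE.CM": 1, "RS.MA": 2, "RC.RP": 3}
TARGET_PROFILE = {"GV.OC": 3, "ID.AM": 3, "PR.AA": 4, "DE.CM": 3, "RS.MA": 3, "RC.RP": 3}

if __name__ == "__main__":
    for item in gap_analysis(CURRENT_PROFILE, TARGET_PROFILE):
        print(f"{item.outcome}: Tier {item.current} ({TIERS[item.current]}) -> "
              f"Tier {item.target} ({TIERS[item.target]}), gap {item.gap}")
```

Outcomes already at target (RC.RP in the sample) drop out of the roadmap, and the ordering puts the widest gaps first so the list reads as a prioritised plan.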
NIST CSF — Common Questions
The questions people ask most about the NIST Cybersecurity Framework.
What is the NIST Cybersecurity Framework?
The NIST Cybersecurity Framework (CSF) is a voluntary framework from the US National Institute of Standards and Technology for understanding, managing, and reducing cybersecurity risk. It provides a common, outcome-based language organised around six Functions, and is used by organisations worldwide.
What are the functions of the NIST CSF?
CSF 2.0 has six core Functions: Govern (set strategy and accountability), Identify (understand assets and risks), Protect (safeguards), Detect (find events), Respond (act on incidents), and Recover (restore services). Govern was added in CSF 2.0.
What changed in CSF 2.0?
The 2024 update, CSF 2.0, added a sixth Function — Govern — to emphasise leadership accountability and cybersecurity risk strategy, and it broadened the framework’s scope from critical infrastructure to organisations of all sizes and sectors. It also added implementation examples and improved guidance.
What is the difference between NIST CSF and ISO 27001?
NIST CSF is a voluntary, outcome-based framework that describes what good cybersecurity looks like; it isn’t certifiable. ISO 27001 is an international standard you can be independently certified against, with specific requirements for an ISMS. Many organisations use CSF to organise their programme and ISO 27001 to certify it — the two map closely.
Is the NIST Cybersecurity Framework mandatory?
No. CSF is voluntary for most organisations. However, it is widely adopted (and sometimes required by contract or sector regulation), and it’s a practical foundation for meeting other obligations such as ISO 27001, SOC 2, or India’s DPDP Act.