It’s a big day over here in the alternative universe of ‘Cyber Security Land’*.

Because the latest version of the NIST CSF (Cyber Security Framework) has just been released.

Here are answers to the questions you never wanted to ask.


What is NIST CSF?

The NIST CSF is voluntary guidance that helps organisations —regardless of size, sector, or maturity— better understand, assess, prioritise, and communicate their cybersecurity efforts.

NIST CSF is organised around ‘functions’**, including:

  • Identify
  • Protect
  • Detect
  • Respond
  • Recover

If you work in financial services and these function names ring a bell, it’s probably because they are reflected in the names of Articles 8-11 in the DORA regulation. That’s not a coincidence.

NIST CSF is one of the most well-known and highly-rated cyber security frameworks out there.


Why is this latest version better?

Because it’s called Version 2.0.

And Version 2.0 is always better than Version 1.0.


Any other reasons?

Plenty. For example:

  • Version 2.0 reflects the reality that NIST CSF is being used by all types of organisations rather than just the original intended audience of NIST CSF 1.0 (e.g. large organisations and critical infrastructure providers).
  • Version 2.0 now includes a GOVERN ‘function’. This is significant because you can’t identify, protect, detect, respond, and recover if you haven’t got the budget or buy-in from the people who sign the cheques. GOVERN should help you get their attention, and ensure they realise that their reputations are on the line if they don’t get this right.


Any other?

It now includes some excellent ‘Implementation Guides’.

For example, if you are in a small business, this guide could be very useful for you: https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.1300.pdf

Each section includes ‘Actions to consider’ and ‘Questions to consider’, which you should... consider.


So what?

Aligning to NIST CSF or a security standard such as ISO27001 is a great way to demonstrate that you are taking reasonable steps to manage the risks.

If you need help, you know where I am.


* You should visit some day, although you may need Google Translate to speak to the locals.

** because calling them ‘categories’ would make it too easy for normal people to understand.