NIST CSF V2.0: A look into the changes
I mentioned previously that version 2 of the CSF had been launched and gave a brief initial overview of what the changes are. After further research and discussions with peers, this is a more detailed look at the changes and how they may help you improve the security posture of your organisation.
The key term that has come out of this further research is "measure". The CSF has often been seen as a more detailed approach to security/risk management than, say, ISO27001. It is more specific in areas and obviously links with the more technical standards of the NIST SP 800 series. The problem has always been with non-technical controls and how you measure the improvement in security across a broad spectrum of a large company. This is what CSF V2.0 has tried to address: there is much more guidance on managing and measuring outcomes and how best to achieve them.
I mentioned previously the new Govern function. This is key to understanding the changes and brings information security to the C-suite, in an attempt to align business objectives with security objectives and business risks with security risks. To achieve this, though, the CSF needed to more clearly align cyber security risk management with organisational risk management. This is reinforced across the CSF.
Govern is also being used as a single place to define the management and measurement of policies and procedures, rather than having them spread around the rest of the framework. This, to me, has a plus and a minus. In the past you would hand a whole section of the CSF to a department or person to respond to, and it would cover both the practical and management elements of that section, be it monitoring (DE.CM) or risk assessment (ID.RA); now the policies are all in one place. There is the possibility that policies could be written and managed by someone with little understanding of the technical requirements, but it will create a coherent policy structure with, hopefully, a common language.
While there are a number of changes to specific controls, and some areas have been merged or re-sequenced, the other key aspect of the update is the volume of clarifications, examples and guidance that has been provided with this release. These include implementation examples, an extended set of guidance notes for profiles and clarification on the framework tiers. There has also been a lot of work on ensuring the framework aligns with other NIST guidance such as the Privacy Framework, the CIS Controls and the Secure Software Development Framework.
For a more detailed discussion about CSF V2.0, look out for our full analysis in the final part of this series, coming soon, or contact us on 0113 532 3763 or [email protected] for more details to see how we can help you implement CSF V2.0.