The National Institute of Standards and Technology (NIST) Cybersecurity Framework (NIST CSF) is one of the most widely adopted tools for managing cyber risk. It’s used by organisations of all sizes, across every sector, to build and measure their security programmes.
In February 2024, NIST released a significant update: NIST CSF 2.0. If your team is still working with the original framework, or if you’re evaluating NIST CSF for the first time, here’s what you need to know.
Key takeaways:
- NIST CSF 2.0 introduces a sixth core function (Govern), placing cybersecurity accountability at senior leadership level for the first time.
- The framework is now explicitly designed for any organisation globally, regardless of size, sector, or security maturity.
- NIST CSF is free and flexible. ISO 27001 is certifiable and internationally recognised. Most mature organisations use both.
- Regular penetration testing directly supports the Identify, Protect, and Detect functions of NIST CSF, providing evidence of control effectiveness for auditors and stakeholders.
What is the NIST Cybersecurity Framework?
NIST CSF is a voluntary set of guidelines that helps organisations understand, manage, and reduce their cybersecurity risk. Originally published in 2014 for critical infrastructure sectors, it has since become the de facto standard for cybersecurity risk management across industries.
With NIST CSF 2.0, the framework has made universal applicability explicit. It’s now designed for any organisation, regardless of size, sector, or existing security maturity.
Unlike mandatory regulatory standards, NIST CSF is free to adopt and flexible by design. It doesn’t tell you exactly which tools to buy or controls to implement, but it gives you a structured way to assess where you are, identify where you need to be, and prioritise the steps in between.
What’s new in NIST CSF 2.0?
The biggest change in version 2.0 is the addition of a sixth core function: Govern.
This sits alongside the original five functions (outlined below) and reflects a broader recognition that cybersecurity isn’t just a technical problem – it’s a governance and leadership challenge that needs to be managed at the organisational level.
The Govern function covers how an organisation establishes and monitors its cybersecurity risk management strategy, expectations, and policies. It puts accountability firmly at the senior leadership level, and introduces dedicated guidance on supply chain risk management – an area that’s grown significantly in importance since the original framework was written.
NIST CSF 2.0 also expands its scope beyond US critical infrastructure, making it explicitly applicable to global organisations. NIST has published quick-start guides for specific audiences (including small businesses), implementation examples, and a searchable reference tool to help teams map the framework to over 50 other standards and guidelines.
NIST core functions: What is the framework core?
Together, the six functions of NIST CSF 2.0 form a continuous cycle for managing cybersecurity risk.
Govern
Establish the strategy, policies, roles, and oversight structures that inform how the organisation manages cybersecurity risk. This is the foundation on which everything else is built.
Identify
Understand your assets, data, systems, and the risks associated with them. You can’t protect what you don’t know you have.
Protect
Put safeguards in place to prevent or limit the impact of a cyber incident, ensuring critical services can continue to operate.
Detect
Identify and analyse potential threats in a timely way, so you can act before a vulnerability becomes a breach.
Respond
Have the plans and procedures ready to act when an incident occurs – containing the impact and communicating effectively.
Recover
Restore affected systems and services, and incorporate lessons learned to build greater resilience for the future.
NIST framework components
Beyond the core functions, NIST CSF 2.0 is structured around three components:
The Framework Core
The Framework Core provides the full set of cybersecurity outcomes organised into categories and subcategories. This is the detailed guidance that security teams work from when building or assessing their programmes.
Implementation Tiers
Implementation Tiers help organisations understand their current level of cybersecurity maturity, ranging from Tier 1 (Partial) through to Tier 4 (Adaptive).
Tiers aren’t a compliance target in themselves – they’re a way of contextualising how rigorously risk management practices are applied and how well they integrate with broader business decisions.
Profiles
Profiles allow organisations to map the framework to their specific situation. A Current Profile describes the cybersecurity measures you have in place today – a Target Profile outlines where you need to be. The gap between the two drives your roadmap.
NIST CSF vs ISO 27001: Which is right for you?
NIST CSF and ISO 27001 are the two most commonly referenced cybersecurity frameworks, and they’re often discussed as alternatives – though in practice, many organisations use both.
Here’s how they compare:
| Feature | ISO 27001 | NIST CSF |
| --- | --- | --- |
| Certification | Yes (3 years) | No formal certification |
| Cost | £40K-£160K+ | Free |
| Audit required | Yes | No |
| Best for | Formal certification & global recognition | Flexible risk management & US alignment |
| Maturity level | More suited to mature organisations | Suitable at any stage |
ISO 27001
ISO 27001 is an internationally recognised certifiable standard for information security management systems (ISMS). It requires a formal third-party audit and, if passed, grants a certification that’s valid for three years (with annual surveillance audits).
It’s especially useful for mature organisations that need to show their security posture to global clients, partners, or regulators. Certification typically costs between £40,000 and £160,000, depending on organisation size.
Best suited for:
- Organisations operating internationally
- Businesses needing formal certification for tenders or contracts
- Companies with established governance and compliance functions
- Regulated industries
NIST CSF
NIST CSF is a free, voluntary framework that’s more flexible and less prescriptive than ISO 27001.
It’s particularly useful for organisations earlier in their security journey, or those looking to improve their risk management approach without committing to a formal audit process. It’s also the more natural choice for organisations operating in or alongside the US federal government.
Best suited for:
- Organisations building or maturing their security programme
- US-based companies or federal contractors
- Businesses seeking structured guidance without certification
- Organisations prioritising flexibility
How to choose between them
The two frameworks have significant overlap – roughly 80% of their controls are shared – and they’re designed to be complementary. An organisation that has already achieved ISO 27001 certification has already met the majority of NIST CSF requirements, and vice versa.
The right choice depends on your organisation’s goals, maturity, and audience:
- If you need to win international business and demonstrate compliance to global clients, ISO 27001 certification carries more weight.
- If you’re building or maturing your security programme and want a structured, flexible approach to risk management, NIST CSF is an excellent starting point.
- Many organisations adopt NIST CSF as a framework for improvement and then pursue ISO 27001 certification once controls are embedded and mature.
How penetration testing supports your NIST compliance
Whichever framework you’re working towards, penetration testing plays a direct role in meeting the Identify, Protect, and Detect functions of NIST CSF – and in demonstrating the effectiveness of your controls under ISO 27001.
Regular testing helps you:
- Validate that the safeguards you’ve implemented are working as expected
- Surface vulnerabilities before attackers do
- Provide evidence of ongoing security assurance to auditors and stakeholders
OnSecurity’s CREST-approved penetration testing is designed to fit into exactly this kind of continuous compliance cycle, giving you clear, prioritised findings and a retesting window to validate fixes.
Ready to strengthen your security posture? Get an instant pentesting quote for your next penetration test.