NIST Cybersecurity Framework (CSF) 2.0
Security is easier when everyone uses the same map
Useful when leadership, a customer, or an insurer wants a clearer answer than 'we're working on it' and you need one shared way to explain what is under control.
This page helps when
- A customer, insurer, or board conversation has gone past general security promises
- You need a business-level structure for reporting ownership, gaps, and follow-through
- The organisation has technical activity underway but no clean way to explain it
Best next move
Start with Assurance.
Use the scorecard for a fast benchmark, then move into a working session when this requirement is already affecting customers, insurers, procurement, or internal accountability.
Where This Starts To Hurt
The buyer moment that makes this rule urgent
The moment usually arrives when a US customer, an investor, or a cyber-insurance prospectus asks for the CSF 2.0 profile before the next stage
People usually land on NIST CSF after a security questionnaire, insurer renewal, board discussion, or customer review goes one level deeper than you are ready for. The real question is rarely "Do you use NIST?" It is "Can you show us how security is being run, what is being watched, where the gaps are, and what leadership is doing about them?"
NIST CSF is useful because it gives one clean structure for answering that question. In CSF 2.0, the work is grouped into six functions: Govern, Identify, Protect, Detect, Respond, and Recover. That makes it easier to turn scattered technical activity into a business-level story about ownership, coverage, and follow-through.
For New Zealand organisations, it often becomes the bridge between ad hoc security work and a reporting rhythm leadership can actually use. It also translates well into buyer, insurer, and internal conversations without forcing you straight into certification.
What Starts Breaking
What stalls: deals, audits, or insurer renewals
NIST CSF matters because it gives leadership, IT, and outside reviewers one language for the same problem. When you're being asked what is covered, what is weak, and what needs money next, NIST makes those answers easier to organise and defend.
It also helps with real commercial pressure. Larger customers, insurers, and due-diligence teams increasingly recognise the CSF categories, which means you spend less time translating your security position from scratch every time a new questionnaire arrives.
CSF 2.0's Govern function is especially useful when you have decent technical intent but weak ownership or review rhythm. It pushes accountability upward, which is usually the difference between security work that starts and security work that stays maintained.
What You Will Need To Prove
The first controls, owners, and evidence to put in place
The six functions — Govern, Identify, Protect, Detect, Respond, Recover — each carry weight, but the supply-chain subcategory usually drives the first buyer question
Govern (GV)
Establish and monitor the organisation's cybersecurity risk management strategy, expectations, and policy. This includes defining organisational context, risk management strategy, roles and responsibilities, policies, and oversight mechanisms.
Identify (ID)
Understand the organisation's current cybersecurity risks by identifying assets, business environment, governance structures, risk assessments, and supply chain risk management requirements.
Protect (PR)
Implement appropriate safeguards to support delivery of critical services. This covers identity management, access control, awareness and training, data security, platform security, and technology infrastructure resilience.
Detect (DE)
Develop and implement appropriate activities to identify the occurrence of a cybersecurity event in a timely manner. This includes continuous monitoring and analysis of security events.
Respond (RS)
Develop and implement appropriate activities to take action regarding a detected cybersecurity incident. This includes incident management, analysis, reporting, and mitigation.
Recover (RC)
Develop and implement appropriate activities to maintain plans for resilience and to restore any capabilities or services that were impaired due to a cybersecurity incident.
How We Help You Answer It
When the business usually calls us
We usually get called after a tier-3 request from a US customer — they expect a current-and-target profile and a 12-month improvement plan
Stop Guessing When A Buyer Asks How Secure You Are
Our baseline assessment evaluates your current cybersecurity position against the NIST CSF functions and categories, giving you a clear view of strengths, gaps, and the improvement areas that need attention first across Govern, Identify, Protect, Detect, Respond, and Recover.
Stop Rebuilding The Same Evidence For Every Standard
We map NIST CSF outcomes to your other compliance obligations — ISO 27001, NZISM, CIS Controls, and the Privacy Act — so that your cybersecurity investments count across multiple frameworks and eliminate duplicate compliance effort.
Decide Which Security Risks Are Worth The Money
The NIST CSF's Govern and Identify functions require disciplined risk management. Our ISO 31000-aligned risk management service establishes the methodology, maintains your risk register, and provides the executive reporting that NIST CSF governance demands.
Stop Maintaining Policies Nobody Actually Reads
We develop and maintain the policy suite that supports NIST CSF alignment — from overarching cybersecurity policies through to incident response plans, access control policies, and business continuity procedures — keeping them current and audit-ready.
See what an auditor will ask for before they ask
We continuously track your NIST CSF alignment, providing scored assessments that support customer due diligence responses, board reporting, and cyber insurance applications with clearer evidence of where you stand.
See What Information Runs The Business
The NIST CSF Identify function starts with knowing what you hold — systems, data, suppliers, dependencies. The asset register is the foundation the other five functions read from. We build and maintain it so Identify stops being the soft spot on the scorecard.
If You Need The Detail
Related reading for the implementation detail
Related reading on running a CSF 2.0 tier assessment and how the US profile expectation differs from an NZISM or ISO 27001 assurance pack
5 things your cyber insurer will ask you
Cyber insurance applications are getting harder. Here are the five questions every NZ insurer asks and how to prepare.
Five security gaps that keep showing up in NZ businesses
The same five security gaps keep showing up in NZ businesses. None of them are technology problems.
Questions Before A Decision
The questions that come up before the contract
What's new in NIST CSF 2.0?
The most significant change in CSF 2.0 is the addition of the Govern function as a sixth core function, elevating cybersecurity governance to the same level as technical controls. The framework also expanded its scope beyond critical infrastructure to explicitly address organisations of all sizes and sectors, improved supply chain risk management guidance, and enhanced alignment with other frameworks and standards. For New Zealand businesses, the governance emphasis matters because it pushes executive oversight and accountability into the open instead of leaving security as a side task.
Is NIST CSF mandatory in New Zealand?
The NIST CSF is not mandatory in New Zealand. However, it is widely referenced as a best-practice framework and is increasingly encountered in supplier assessments, customer due diligence processes, and cyber insurance applications. Many New Zealand organisations use the NIST CSF as their primary cybersecurity framework because of its flexibility, global recognition, and practical applicability to organisations of all sizes. Good Security helps you adopt NIST CSF in a way that also supports NZ-specific requirements like NZISM and the Privacy Act.
How does NIST CSF relate to ISO 27001?
The NIST CSF and ISO 27001 are complementary. The NIST CSF provides a high-level, outcome-focused framework for organising and improving cybersecurity activities, while ISO 27001 provides a certifiable management system for information security. There is substantial alignment — NIST CSF categories map well to ISO 27001 Annex A controls, and the NIST CSF Govern function aligns closely with ISO 27001's management system requirements. Good Security's cross-framework mapping means that progress toward one framework directly supports the other.
How long does it take to align with NIST CSF?
Initial alignment — establishing a baseline view, identifying gaps, and building an improvement roadmap — can typically be completed within the first two to three months of the work. Reaching the right level across all six functions is an ongoing process that depends on your starting point, the level of assurance your business actually needs, and the resources available for implementation. Good Security's approach shows visible improvement from the first month.
Need a clearer answer on NIST Cybersecurity Framework?
A working session produces the current-state CSF profile, identifies the top-6 tier-boost actions, and leaves the evidence US buyers ask for