What changed in NIST CSF 2.0?

CSF 2.0, published in 2024, adds a sixth function, Govern, which covers organisational context, risk management strategy, roles and responsibilities, policy and oversight. The 2.0 release is also explicitly intended for organisations of all sizes and sectors, not only US critical infrastructure. KaitoSec ships the 2.0 catalogue out of the box.

How does NIST CSF compare to ISO 27001?

ISO 27001 is an auditable management system standard with mandatory clauses and a control library. NIST CSF is a risk-management framework with functions, categories and subcategories. Many organisations adopt CSF as the strategic frame and ISO 27001 as the management system that delivers it. KaitoSec carries both and shows the mapping at every level.

Can we use CSF profiles to drive improvement work?

Yes. The most common pattern is to build a current profile from where you are today, a target profile from where the business wants to be, and use the gap as the improvement backlog. KaitoSec stores profiles as first-class objects so the gap is always live, not a once-a-year spreadsheet.

Is NIST CSF relevant for European organisations?

Yes. CSF is sector-neutral and increasingly referenced in European supply-chain and customer due-diligence requests, particularly from US-headquartered customers. For European organisations carrying ISO 27001 or NIS2 obligations, CSF is the framing supervisors and customers often expect to see alongside the local standard.

KaitoSec

NIST CSF

NIST CSF 2.0 implemented once, reported many times

All six CSF 2.0 functions, Govern, Identify, Protect, Detect, Respond and Recover, mapped against the same controls that satisfy your ISMS, BCMS and DSMS. One implementation, every relevant audit answered.

Book a Demo Explore Platform

0 functions

Govern (new in 2.0), Identify, Protect, Detect, Respond, Recover

0 frameworks

Cross-mapped to ISO 27001, BSI Grundschutz, NIS2

NIST CSF 2.0 publication year

The Global Standard for Cybersecurity

The NIST Cybersecurity Framework is one of the most widely adopted security frameworks globally. Originally developed for US critical infrastructure, it has become a de facto standard for organisations of all sizes seeking a structured, risk-based approach to cybersecurity.

One implementation, many frameworks

KaitoSec's multi-framework mapping lets you satisfy NIST CSF subcategories using the same controls that cover ISO 27001 Annex A, BSI IT-Grundschutz and NIS2. Implement once, report across frameworks.

Govern function wired into the ISMS

CSF 2.0 elevated governance into a peer function alongside Identify, Protect, Detect, Respond and Recover. KaitoSec's policy and acknowledgement workflows, role assignments and management-review records produce the Govern evidence directly out of the operating ISMS.

Six-function maturity tracker

Each CSF function shows current and target maturity, the underlying ISMS controls implementing it, and the gap between today and the next assessment. The tracker is the input for management reviews and board briefings.

Profile builder for current and target state

Build current and target CSF profiles for each part of the organisation. Profiles compare directly against each other and produce a remediation backlog sorted by residual risk, not framework count.

Cross-mapping view across ISO 27001, Grundschutz and NIS2

Every CSF subcategory is mapped against the corresponding ISO 27001 control, BSI Grundschutz Baustein and NIS2 measure where the substance overlaps. Implement a control once and watch it light up across four frameworks at the same time.

Built on open catalogs: BSI, MITRE, OWASP, ENISA

ISO 27001

ISO 22301

BSI IT-Grundschutz

NIST CSF

GDPR / DSGVO

SOC 2

NIS2

DORA

FAQ

Related platform features

Risk Management Compliance Mapping Asset Management Reporting

NIST CSF 2.0 implemented once, reported many times

The Global Standard for Cybersecurity

One implementation, many frameworks

Govern function wired into the ISMS

Six-function maturity tracker

Profile builder for current and target state

Cross-mapping view across ISO 27001, Grundschutz and NIS2

FAQ

Product

Frameworks

Solutions

Services

Resources

Company

Legal

NIST CSF 2.0 implemented once, reported many times

The Global Standard for Cybersecurity

One implementation, many frameworks

Govern function wired into the ISMS

Six-function maturity tracker

Profile builder for current and target state

Cross-mapping view across ISO 27001, Grundschutz and NIS2

FAQ

Product

Frameworks

Solutions

Services

Resources

Company

Legal