Frameworks

NIST CSF 2.0, explained for smaller businesses.

Of all the frameworks we map audits against, NIST CSF is the one most mid-size New Zealand organisations, startups and small businesses actually find useful day to day. It is free, flexible, and built to scale down as well as up.

What NIST CSF actually is

The NIST Cybersecurity Framework was developed in the United States as a common language for managing cyber risk, organised around six functions: Govern, Identify, Protect, Detect, Respond and Recover. Version 2.0, released in 2024, added Govern as a standalone function, reflecting a shift toward treating cyber security as a leadership responsibility rather than purely a technical one.

Why it suits mid-size organisations and small businesses

Unlike government-specific standards, NIST CSF was never written for one sector or one size of organisation. There is no exam to pass and no certification body to pay. It gives a business a structure to answer a simple question, in each of the six areas, in plain language: where are we strong, and where are we exposed. That makes it a practical fit whether you are a five-person startup or a hundred-person operation.

Where it shows up in practice

Cyber insurance applications increasingly reference CSF-style categories. Enterprise customers running supplier due diligence often frame their questionnaires around it, even without naming it directly. And because it maps cleanly onto operational reality, it is usually easier to hold a productive conversation with a board or investor using CSF's six functions than a page of technical jargon.

How this fits into an audit

Our Standard and Complex audit tiers map findings against NIST CSF 2.0 by default, since it is the framework most clients get ongoing practical value from. Where a client needs ISO 27001 alignment or certification readiness instead, we scope that specifically rather than assuming one framework fits every engagement.

Common questions

NIST CSF FAQs

Is NIST CSF a legal requirement in New Zealand?+

No. NIST CSF is voluntary in New Zealand. It is a US-originated framework that has become a de facto international benchmark because it is practical, flexible, and not tied to any one industry or country. Many NZ insurers and enterprise customers now reference it in due diligence questionnaires.

What are the six functions in NIST CSF 2.0?+

Govern, Identify, Protect, Detect, Respond and Recover. Govern was added in the 2.0 update released in 2024, reflecting that cyber risk is now treated as a leadership and governance issue, not just an IT one.

Do we need to be fully compliant, or can we just use parts of it?+

Most mid-size organisations and small businesses use NIST CSF as a structure for prioritising work, not as a formal certification to achieve. There is no official certification for CSF itself. An audit typically maps findings against the functions most relevant to your risk profile, rather than scoring every single sub-category.

How is NIST CSF different from ISO 27001?+

NIST CSF is a free, flexible framework with no formal certification. ISO 27001 is a certifiable standard with a more prescriptive structure, usually chosen by businesses that need to prove compliance to an enterprise customer or regulator. Many businesses use CSF internally and only pursue ISO 27001 certification if a specific contract requires it.

Want to know where you sit against NIST CSF?

A fixed-price audit maps your organisation against the six functions and prioritises what to fix first.

Book an Audit