Cyber Security Framework 2 - the US equivalent of NIS2 and ISO 27001?

Cyber Security Framework 2

In the last week of January, NIST (the US National Institute of Standards and Technology), best known for its critical vulnerability monitoring (CVE), published a new version of the CSF2 (Cyber Security Framework 2) concept.

CSF2 is intended as a general tool: it aims to improve the level of cybersecurity in organizations ranging from small public schools to large corporations. The CSF2 concept is built around 6 key "functions" that together are meant to cover the entire topic of cybersecurity in organizations.

These functions are then divided into categories and subcategories. Compared to the previous version, a new feature is the introduction of the 'govern' function, which covers topics such as the context of the organisation, roles and responsibilities, policies and supply chain management.

When studying the CSF2 documents, you can't help but feel that much of what this concept contains is not very different from existing regulations such as ISO 27001 or the NIS2 directive and the resulting draft law on cybersecurity. NIS2/the new Cybersecurity Act, ISO 27001 and CSF2 are very similar, so it is possible to say, with some exaggeration, that if an organisation has implemented the requirements of one of these regulations, it will have met 30-90% of the requirements of the others.

The level of compliance is determined by the degree of implementation (for instance, a higher or lower level of obligations under the NZkb, the new Cybersecurity Act) and the organization's overall cybersecurity posture. Consequently, when implementing one of these regulations, the organization gains a better understanding of what to expect when implementing the others, which reduces the time and financial costs involved.

All these regulations are interconnected through a risk-based approach. Identifying assets, their vulnerabilities, threats, and subsequent risk mitigation are the foundational building blocks of each.

In the practical application of risk-management concepts, such as creating business continuity plans (BCP), we can say it is common sense transferred onto paper.

If CSF2, ISO 27001 and NIS2/NZkb are so similar, what 5 areas do they all require and should every organisation address?

1) Identification of assets
2) Threats & vulnerabilities
3) Incident management
4) Business continuity
5) Documentation
