
NIST vs NISTv2: why your organisation should adopt these security frameworks
The National Institute of Standards and Technology, better known as NIST, is an agency of the US Department of Commerce that has set important standards for cybersecurity. Its original framework, the NIST Cybersecurity Framework, has become a global benchmark to help organisations manage cyber risk. However, as digital threats have advanced, NISTv2 emerged—an update designed to address more modern security challenges.
In this post we explain the differences between NIST and NISTv2, and why you should consider implementing these frameworks in your cybersecurity strategy.
What is the NIST Cybersecurity Framework?
The NIST Cybersecurity Framework (CSF) was published in 2014 as guidance to help organisations manage and reduce cybersecurity-related risk. It provides common language and a structured approach to identify, protect, detect, respond to, and recover from threats to digital assets.
Key components of the NIST CSF
- Identify: Assess risks, assets, and critical systems.
- Protect: Implement security controls to mitigate vulnerabilities.
- Detect: Maintain mechanisms that identify threats in real time.
- Respond: Establish processes to handle security incidents quickly and effectively.
- Recover: Plan how to restore affected functions after a cyber attack.
NISTv2: evolution of the Cybersecurity Framework
In response to evolving cyber threats and technological change, NISTv2 was introduced to update and improve the existing framework. It aims to address modern issues such as artificial intelligence, IoT, and the growth of advanced persistent threats (APTs).
Main improvements in NISTv2
- Adaptability and scalability: NISTv2 allows greater flexibility for different industries, organisation sizes, and technology environments.
- Focus on third-party risk: With more outsourcing and external providers, NISTv2 includes specific guidance to mitigate risks from third parties.
- Incorporation of new technologies: It considers risks associated with emerging technologies such as artificial intelligence and IoT devices.
- Updated risk lifecycle: It provides stronger end-to-end risk management, from initial assessment through post-incident recovery.
Key differences between NIST and NISTv2
Scope and flexibility
- NIST: Offers a solid but somewhat rigid framework that can be hard to adapt to non-traditional IT sectors.
- NISTv2: Introduces a more flexible structure so organisations across industries can tailor their security measures.
Third-party risk management
- NIST: Mentions third-party risks but does not detail how to manage them adequately.
- NISTv2: Increases emphasis on relationships with external suppliers and provides specific guidance to mitigate those risks.
Technology refresh
- NIST: Was designed before the surge of emerging technologies such as IoT and AI.
- NISTv2: Includes considerations and security measures for these newer technologies, making it more relevant today.
Why should your organisation apply NIST or NISTv2?
Implementing one of these security frameworks—whether NIST or NISTv2—can significantly improve your organisation’s ability to manage cyber risk.
Benefits of applying NISTv2
- Resilience to new threats: NISTv2 offers a more modern, comprehensive view of current threats.
- Better supplier management: With more detail on third-party risk, NISTv2 helps you protect the whole value chain.
- Technology alignment: It helps you stay ahead in managing risk related to IoT, AI, and other emerging technologies.
In summary, both NIST and NISTv2 are essential tools to improve any organisation’s security posture. However, if your organisation uses emerging technologies or relies heavily on third parties, NISTv2 is likely the better fit.
Cybersecurity cannot be left to chance, and frameworks such as NIST and NISTv2 provide the guidance needed to protect your assets and manage risk efficiently. While NIST remains an excellent option, NISTv2 delivers the updates required to face today’s threats and technologies. Aligning your strategy with either framework will strengthen your organisation’s security and resilience against cyber attacks.