Get in touch

Get in touch

  • This field is for validation purposes and should be left unchanged.

Privacy Notice


When you submit an enquiry via our website, we use the personal data you supply to respond to your query, including providing you with any requested information about our products and services. We may also email you several times after your enquiry in order to follow up on your interest and ensure that we have answered your it to your satisfaction. We will do this based on our legitimate interest in providing accurate information prior to a sale. Your enquiry is stored and processed as an email which is hosted by Microsoft within the European Economic Area (EEA). We keep enquiry emails for two years, after which they are securely archived and kept for seven years, when we delete them.

Reveal Menu

The CertiKit NIST CSF 2.0 Toolkit is Updated


We recently launched a toolkit based on the draft of Version 2.0 of the NIST Cybersecurity Framework, and I’m delighted to say it’s been well received. Impressively on schedule, NIST has now published the final version of CSF 2.0, so we have updated our NIST CSF2 Toolkit to cater for the changes made between the draft and the final versions. Existing customers will of course get this updated toolkit free of charge.

NIST Cybersecurity Framework V2.0 Toolkit with Updated Symbol

How Big Are the Changes?

Based on the amount of feedback NIST received for the draft of CSF 2.0 (all of which they published online) you could be forgiven for expecting that the final version could be significantly different. However, NIST seems to have taken the view that the draft, which was derived from a comprehensive series of in-person and virtual workshops they held over a year or so timeframe, was substantially correct and the changes made have actually been fairly small.

So, What Are the Changes?

Firstly, within the new Govern function, they have moved the category Cybersecurity Supply Chain Risk Management to the end of the list of categories. They have also renamed the category Policies, Processes, and Procedures to be simply Policy. All of the remaining functions and categories remain the same. Some of the objective statements for the functions have been revamped, for example for the Govern function the draft statement “Establish and monitor the organization’s cybersecurity risk management strategy, expectations, and policy” has become “The organization’s cybersecurity risk management strategy, expectations, and policy are established, communicated, and monitored” in the final version. Obviously this is merely a case of rewording rather than anything more significant.

Within the subcategories, there have been some changes to the text. Some of these have just been the replacement of a single word, for example “determined” has generally been replaced with “understood” across the board.

Subcategory Numbering Conventions

Interestingly, NIST has decided to maintain the numbering of the subcategories from Version 1.1 of the Framework. Where subcategories have been moved or deleted, this means there are now gaps in the numbering. For example, in the subcategory Incident Analysis (RS.AN) the numbering starts at three, misses out four and five, before going from six to eight as follows:

Incident Analysis (RS.AN): Investigations are conducted to ensure effective response and support forensics and recovery activities

  • AN-03: Analysis is performed to establish what has taken place during an incident and the root cause of the incident
  • AN-06: Actions performed during an investigation are recorded, and the records’ integrity and provenance are preserved
  • AN-07: Incident data and metadata are collected, and their integrity and provenance are preserved
  • AN-08: An incident’s magnitude is estimated and validated

Only time will tell whether this leads to confusion amongst users of the Framework.

Other Subcategory Changes

A new subcategory has been added in Risk Assessment (ID.RA):

  • RA-10: Critical suppliers are assessed prior to acquisition

And a subcategory that was in the draft has been removed in the final version:

  • DS-09: Data is managed throughout its life cycle, including destruction

Cybersecurity Framework Tiers

In the draft (and in Version 1.1 before it) there were three columns in the Tiers table:

  • Cybersecurity Risk Governance
  • Cybersecurity Risk Management
  • Third-Party Cybersecurity Risks

The last of these has been merged in with the second in the final version of CSF 2.0.

Informative References and Implementation Examples

In Version 1.1 of the CSF and to some extent in the draft of Version 2.0, informative references and implementation examples were included in the core description of the framework. In the final version of CSF 2.0 these have been moved out into an online Reference Tool so that they can be updated more frequently.

Updating the Certikit CSF2 Toolkit

As part of our ongoing commitment to keep the CertiKit NIST CSF2 Toolkit up to date and relevant, we have amended those documents that are affected by the changes between the draft and the final version of CSF 2.0.

In the main, this has meant that the following documents have been amended:

  • NIST CSF2 Toolkit Completion Instructions
  • CERTIKIT NIST CSF2 Implementation Guide
  • CERTIKIT NIST CSF2 Toolkit Index
  • CSF Documentation Log
  • CSF Current and Target Profile

Where subcategories have changed, the index information in each affected document has also been updated, and references to Version 1.1 of the CSF removed.

In Summary

The changes between the draft and final versions of the CSF 2.0 have not been major, and the essential structure and most of the wording has been kept. Where tweaks have been made, we have updated the CertiKit NIST CSF Toolkit to ensure it is accurate and reflects the published final version of the CSF 2.0.

Now that the wait is over and the Cybersecurity Framework has been officially revamped, we look forward to increased adoption of the Framework worldwide and to it making a significant contribution to the ongoing fight against cybercrime.

For more information on the latest version of NIST CSF, our blog: NIST CSF – Here comes version 2 goes into more details about the changes between V1.1 and V2.0.


Written by Ken Holmes, CertiKit’s Managing Director and Lead Toolkit Creator. Ken is a CISSP-qualified security and data protection specialist who also holds the internationally-recognised Certified Information Privacy Professional – Europe (CIPP/E).

We’ve helped more than 4000 businesses with their compliance


The example documents provided were of high quality, so the decision to purchase the document pack in full was made easy. I looked around, but couldn't find anything that had the same level of quality.

SMG Health

View all Testimonials