ISMS Copilot

NIST CSF 2.0 for CISOs: a board communication tool

CSF 2.0 added the GOVERN function for exactly this reason. The Organizational Profile is the artefact your board can actually read.

Using the CSF 2.0 Organizational Profile as a board communication tool

CSF 2.0's headline change is the GOVERN function — new in the 2024 release — which elevates risk strategy, roles, policy, and oversight to a first-class function alongside Identify through Recover. That is the language a board responds to, so anchor reporting there. Keep two concepts distinct: Tiers describe how rigorous and adaptive your risk management is (Partial through Adaptive) and make a defensible maturity narrative; Profiles describe what outcomes you have chosen to pursue. The Organizational Profile — Current versus Target across the CSF outcomes — is the board artefact: it shows where you are, where you have decided to be, and the gap, in outcome language rather than control minutiae. Present GOVERN-function status, the Current-to-Target delta, and a Tier trajectory, and the board gets risk posture without a control walkthrough. The Copilot builds defensible Profiles and links each outcome to evidence so the story survives scrutiny.
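As an added illustration (not ISMS Copilot's code), a small Python model of the Organizational Profile described above: outcome-level Current and Target scores are rolled up to one row per CSF function, GOVERN first and then by size of gap, any score claimed without evidence linked is counted so it cannot slip into the board pack unnoticed, and the Tier trajectory is derived from the current and target Tiers. The 0-4 scoring scale, the evidence file names and the scores themselves are constructed assumptions; the subcategory ids follow CSF 2.0 numbering.

```python
from collections import defaultdict
from dataclasses import dataclass

FUNCTIONS = {"GV": "Govern", "ID": "Identify", "PR": "Protect",  # GOVERN first:
             "DE": "Detect", "RS": "Respond", "RC": "Recover"}   # board reporting is anchored there
TIERS = ["Partial", "Risk Informed", "Repeatable", "Adaptive"]  # lowest to highest rigour

@dataclass(frozen=True)
class Outcome:
    subcategory: str    # CSF 2.0 subcategory id, e.g. "GV.RM-01"
    current: int        # Current Profile score on a constructed 0-4 scale
    target: int         # Target Profile score on the same scale
    evidence: str = ""  # artefact backing 'current'; empty means unevidenced

def function_gaps(profile):
    """One row per CSF function (mean Current, Target, gap, unevidenced claims), GOVERN first then by gap."""
    totals = defaultdict(lambda: {"current": 0, "target": 0, "n": 0, "unevidenced": 0})
    for o in profile:
        code = o.subcategory.split(".")[0]
        if code not in FUNCTIONS:
            raise ValueError(f"unknown CSF function in {o.subcategory}")
        t = totals[code]
        t["current"] += o.current
        t["target"] += o.target
        t["n"] += 1
        if o.current > 0 and not o.evidence:  # a claimed score with nothing behind it
            t["unevidenced"] += 1
    rows = [{"function": FUNCTIONS[c],
             "current": round(t["current"] / t["n"], 2),
             "target": round(t["target"] / t["n"], 2),
             "gap": round((t["target"] - t["current"]) / t["n"], 2),
             "unevidenced": t["unevidenced"]} for c, t in totals.items()]
    return sorted(rows, key=lambda r: (r["function"] != "Govern", -r["gap"]))

def tier_trajectory(current_tier, target_tier):
    # Ordered Tiers from current to target: the "Tier trajectory" line on the board slide.
    start, end = TIERS.index(current_tier), TIERS.index(target_tier)
    if start > end:
        raise ValueError("target Tier must not be below current Tier")
    return TIERS[start:end + 1]

SAMPLE_PROFILE = [  # constructed sample Organizational Profile; scores are illustrative only
    Outcome("GV.OC-01", 2, 4, "risk-appetite-statement-2024.pdf"),
    Outcome("GV.RM-01", 1, 3),  # progress claimed, no evidence linked
    Outcome("GV.PO-01", 3, 3, "infosec-policy-v4.pdf"),
    Outcome("ID.AM-01", 3, 4, "cmdb-export-q3.csv"),
    Outcome("PR.AA-01", 2, 4, "iam-access-review-q3.xlsx"),
    Outcome("DE.CM-01", 1, 3),
    Outcome("RS.MA-01", 2, 3, "ir-plan-v2.pdf"),
    Outcome("RC.RP-01", 1, 3, "dr-test-report-2024.pdf"),
]
```

Running `function_gaps(SAMPLE_PROFILE)` puts Govern first with a gap of 1.33 and one unevidenced claim, followed by Protect, Detect and Recover at a gap of 2.0 each.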


Frequently Asked Questions

What changed in CSF 2.0 that matters at board level?

The GOVERN function is new in the 2024 release. It makes risk strategy, organisational roles, policy, and oversight a first-class function, which is precisely the framing boards engage with. Lead board reporting from GOVERN.

What is the difference between Tiers and Profiles?

Tiers (Partial, Risk Informed, Repeatable, Adaptive) describe how rigorous and adaptive your risk management is — a maturity narrative. Profiles describe which outcomes you pursue. They answer different board questions; do not conflate them.

Why is the Organizational Profile a good board artefact?

It expresses Current versus Target posture in outcome language across the CSF functions, not control detail. Boards can read a Current-to-Target gap and a Tier trajectory without a technical walkthrough.
