NIST CSF, ISO 27001 and the standards landscape – a plain-English guide for ESG teams
Too many frameworks, not enough clarity
One of the most common frustrations for ESG professionals engaging with cybersecurity governance is the apparent proliferation of frameworks, standards and guidelines – each with its own acronym, structure and advocates. NIST CSF. ISO 27001. ISO 27002. SOC 2. CIS Controls. COBIT. The list goes on. It can feel like a landscape designed to confuse rather than clarify.
The good news is that the major frameworks are far more complementary than competing. Understanding how they relate to each other – and where each one fits in a coherent governance programme – is genuinely useful for ESG professionals who need to engage with cybersecurity risk without becoming cybersecurity specialists. This article provides that orientation, with a focus on the two frameworks most likely to be relevant to ESG professionals in practice: NIST CSF 2.0 and ISO 27001.
NIST CSF 2.0 – the risk management framework
NIST CSF 2.0 is a risk management framework. Its primary purpose is to help organisations understand, assess, communicate and manage cybersecurity risk in a structured and consistent way. It is outcomes-oriented: it describes what good cybersecurity risk management looks like, without prescribing the specific technical controls required to achieve it.
This outcomes orientation is one of its greatest strengths for ESG professionals. It means that CSF 2.0 can be applied to an organisation of any size, in any sector, with any technology stack. It provides a common language for discussing cybersecurity risk that does not require technical expertise to use meaningfully. And it integrates naturally with enterprise risk management frameworks, making it easier to incorporate cybersecurity risk into the broader risk governance processes that ESG professionals work within.
CSF 2.0 is also explicitly non-prescriptive about implementation. It tells you what outcomes to aim for, not how to achieve them. This means it is designed to be used alongside other frameworks and standards – including ISO 27001 – that provide more specific implementation guidance.
ISO 27001 – the management system standard
ISO 27001 is a management system standard. It specifies the requirements for establishing, implementing, maintaining and continually improving an Information Security Management System (ISMS). Unlike NIST CSF, ISO 27001 is certifiable – organisations can seek independent third-party certification that their ISMS meets the requirements of the standard. That certification is auditable and globally recognised.
ISO 27001 is more prescriptive than NIST CSF. Where CSF 2.0 says that organisations should have processes for identifying assets and understanding their risk exposure (the Identify function), ISO 27001 specifies particular controls and management system requirements – risk assessment methodologies, treatment plans, documented procedures, internal audit processes, management review – that together constitute a functioning management system.
The practical difference is this: ISO 27001 certification demonstrates that an organisation has implemented and sustains a specific set of information security practices to a verified standard. NIST CSF alignment demonstrates that an organisation understands and manages its cybersecurity risks in a structured way. Both are valuable, and for most organisations they are complementary rather than alternatives.
A useful way to think about the relationship: NIST CSF 2.0 tells you where you need to be and gives you the map. ISO 27001 tells you in detail how to get there and gives you a way to prove you have arrived.
How they work together
Many organisations use NIST CSF 2.0 as their primary cybersecurity risk management framework – using its six functions (Govern, Identify, Protect, Detect, Respond and Recover) and their associated outcomes to structure how they identify, assess and manage cyber risk – while using ISO 27001 as the implementation standard for their information security management system. The two frameworks map well onto each other, and NIST has published reference materials that make the mapping explicit.
For ESG professionals, this relationship is important to understand because it explains why an organisation might reference both. A reference to NIST CSF in a governance disclosure or ESG report indicates that the organisation uses a recognised framework to structure its cybersecurity risk management. A reference to ISO 27001 certification indicates that the organisation has independently verified that its information security management meets a specific standard. Both are meaningful and neither makes the other redundant.
ISO 27001 also connects naturally to the broader ISO management system family that ESG professionals are likely already familiar with. ISO 9001 (quality management), ISO 14001 (environmental management), ISO 45001 (occupational health and safety) and ISO 42001 (AI management) all share the same high-level structure as ISO 27001 – a structure called the Harmonised Structure that makes it easier for organisations to integrate multiple management systems rather than running them in isolation.
Where other standards fit
For completeness, it is worth briefly noting where some of the other frameworks ESG professionals may encounter fit in this landscape. SOC 2 is a reporting standard developed by the American Institute of Certified Public Accountants (AICPA) under which an independent auditor reports on the security, availability, processing integrity, confidentiality and privacy of a service organisation's systems. It is most relevant to technology vendors and cloud service providers and is commonly requested in supply chain due diligence.
The CIS Controls are a prioritised set of cybersecurity best practices developed by the Center for Internet Security. They are highly practical and implementation-focused, making them useful for organisations seeking specific technical guidance. They map well onto NIST CSF and can be thought of as a practical implementation guide for CSF outcomes.
COBIT (Control Objectives for Information and Related Technologies) is a governance framework for enterprise IT, developed by ISACA. It is broader than a cybersecurity framework and covers the full scope of IT governance, including alignment with business objectives, value delivery, risk management and performance measurement. ESG professionals with a governance background may find COBIT's structure familiar.
What ESG professionals actually need to know
For most ESG professionals, deep expertise in any of these frameworks is neither required nor practical. What is required is sufficient fluency to ask good questions, interpret responses from technical teams and assess whether an organisation's cybersecurity governance meets the standard that stakeholders expect.
The most useful questions for an ESG professional to be able to ask are: Does the organisation use a recognised framework to structure its cybersecurity risk management – and if so, which one? Does it hold any cybersecurity-related certifications – such as ISO 27001 – and what do those certifications cover? How does cybersecurity risk information flow to the board and senior leadership? How does the organisation manage cybersecurity risk in its supply chain? And how does it respond to and recover from cyber incidents?
These questions align directly with NIST CSF 2.0's six functions and with the governance disclosure requirements of major ESG reporting frameworks. An organisation that can answer them clearly and specifically is demonstrating the kind of cybersecurity governance maturity that stakeholders – investors, regulators, customers and community members – are increasingly expecting.
The standards landscape does not need to be intimidating. It is a toolkit, and the job of the ESG professional is not to master every tool in it, but to know which ones are appropriate for which purposes – and to ask the right questions about how they are being used.
Key takeaway: NIST CSF 2.0 and ISO 27001 are complementary, not competing. CSF 2.0 provides the risk management framework and common language; ISO 27001 provides the implementation standard and independent certification. Together they describe what good cybersecurity governance looks like for ESG disclosure purposes.