What Is the NIST Cybersecurity Framework – and why should ESG professionals care?

A framework with a confusing name

If you work in ESG, sustainability or corporate responsibility, you have probably come across the term NIST Cybersecurity Framework – or NIST CSF – in a risk committee meeting, a disclosure questionnaire or a conversation with your colleagues in IT security. You may have nodded along and moved on, assuming it was something the technology team handled.

That assumption is worth revisiting. The NIST CSF is one of the most widely adopted risk management frameworks in the world and its latest version – CSF 2.0, published in February 2024 by the US National Institute of Standards and Technology – makes explicit what practitioners have understood for years: cybersecurity is not a technology problem. It is a governance and risk management problem. And that puts it squarely in the ESG professional's territory.

This article is a plain-English introduction to what the NIST CSF is, what it does and why it matters to you as someone working at the intersection of sustainability, governance and risk.

What NIST actually is

NIST – the National Institute of Standards and Technology – is a US federal agency that develops standards, guidelines and frameworks used by organisations around the world to manage technology-related risks. Despite its American origins, the NIST CSF has been adopted globally by private companies, public sector organisations and regulators across Europe, Asia and beyond. It is not a legal requirement in most jurisdictions, but it has become a de facto standard for how organisations structure their approach to cybersecurity risk management.

The CSF was first published in 2014, primarily aimed at operators of critical infrastructure – energy grids, water systems, financial networks. Version 1.1 followed in 2018, broadening the scope. Version 2.0, released in 2024, is the most significant update yet. It explicitly extends the framework to organisations of all sizes and sectors, strengthens its focus on governance and leadership accountability and introduces supply chain risk management as a core concern. These changes make CSF 2.0 directly and practically relevant to ESG professionals in a way that earlier versions were not.

The six functions – a simple mental model

The NIST CSF organises cybersecurity risk management around six core functions. In CSF 2.0, these are: Govern, Identify, Protect, Detect, Respond and Recover. Think of them as a continuous cycle of activity rather than a one-time checklist.

Govern is the new function added in CSF 2.0 and the one most relevant to ESG professionals. It covers the organisational policies, processes and accountability structures that shape how cybersecurity risk is understood, prioritised and managed across the enterprise. It is about leadership, strategy and culture – all territory that ESG professionals work in every day.

Identify covers understanding the organisation's assets, systems, data and the risks associated with them – including risks in the supply chain. Protect covers the safeguards and controls put in place to reduce the likelihood of a cybersecurity incident. Detect covers the processes for identifying when an incident has occurred. Respond covers how the organisation reacts. Recover covers how it restores normal operations and learns from what happened.

Together, these six functions describe not just a technical security programme but a risk management lifecycle that maps directly onto the kind of enterprise risk thinking that ESG professionals apply to environmental and social risks every day.

Why cyber risk is an ESG issue

The connection between cybersecurity and ESG is not a marketing stretch. It is a reflection of how material cyber risk has become for organisations across every sector.

On the governance dimension, cybersecurity is now a board-level accountability issue in most major jurisdictions. The US Securities and Exchange Commission requires listed companies to disclose material cybersecurity risks and the board's oversight of those risks. The EU's NIS2 Directive imposes personal liability on senior executives for cybersecurity failures in organisations deemed to operate essential or important services. The UK's Corporate Governance Code and equivalent frameworks globally increasingly treat cyber resilience as a component of sound governance. For ESG professionals responsible for governance disclosures – whether under GRI, SASB, ESRS or equivalent standards – cybersecurity governance is a disclosure obligation, not just an IT concern.

On the social dimension, data breaches and cyber incidents cause real harm to real people. Customers lose control of their personal data. Employees have their information exposed. Communities dependent on essential services suffer when those services are disrupted. The human cost of inadequate cybersecurity is a social impact issue that belongs in an organisation's ESG risk assessment alongside labour practices, health and safety and community impacts.

On the environmental dimension, the growing role of technology in environmental monitoring, reporting and management means that the integrity of environmental data is now a cybersecurity concern. An organisation that relies on sensor networks for emissions monitoring, on digital systems for environmental compliance reporting or on connected infrastructure for resource management is exposed to cybersecurity risks that could directly affect the accuracy and reliability of its environmental disclosures.

CSF 2.0 as a common language

One of the practical challenges for ESG professionals engaging with cybersecurity risk is the language barrier. Cybersecurity practitioners use technical terminology that can make the subject feel inaccessible to non-specialists. The NIST CSF is deliberately designed to bridge that gap. It describes cybersecurity risk management in terms of outcomes and activities rather than technical controls, making it accessible to risk managers, governance professionals, auditors and senior leaders who are not cybersecurity specialists.

This makes it a useful common language for ESG professionals working across teams. When you need to assess your organisation's cybersecurity risk posture for a materiality assessment, CSF 2.0's six functions give you a structured way to ask the right questions without needing a technical background. When you need to report on cybersecurity governance for an ESG disclosure, the framework's Govern function provides the structure for organising what you need to say.

Where to start

If you are new to the NIST CSF, the best starting point is the CSF 2.0 Core document, which is freely available on the NIST website. It is structured, readable and organised around practical outcomes rather than technical specifications. Alongside that, the CSF 2.0 Quick Start Guides provide accessible entry points for different audiences, including small organisations and those new to the framework.

But the most important starting point is a mindset shift: cybersecurity is part of your ESG remit, not outside it. The NIST CSF 2.0 is one of the most useful tools available for bringing structure and rigour to that part of your work. The following articles in this series explore specific aspects of CSF 2.0 in more depth – each designed to help ESG professionals build practical fluency with a framework that matters more to their work every year.

Key takeaway: NIST CSF 2.0 is a risk management framework, not a technical manual. Its six functions – Govern, Identify, Protect, Detect, Respond, Recover – describe a risk lifecycle that ESG professionals can and should engage with directly.
