What's new in CSF 2.0?

Added Govern function, tightened supply-chain controls, broadened applicability beyond critical infrastructure to all organisations.

NIST CSF 2.0 · Govern · Identify · Protect · Detect · Respond · Recover

NIST Cybersecurity Framework Audit

The maturity model boards understand and regulators reference everywhere.

Full NIST Cybersecurity Framework 2.0 maturity audit + roadmap. CSF 2.0 added the Govern function and tightened supply-chain controls. Macksofy uses CSF as the connective tissue across ISO 27001 / SOC 2 / RBI / SEBI / UAE regulators — one assessment, many outputs.

Request Audit Talk to a consultant

Download sample audit report

CERT-In format · anonymised

Aligned to

NIST Cybersecurity Framework 2.0 (2024)
NIST SP 800-53 (control catalog)
NIST SP 800-171 (controlled unclassified info — for US gov contractors)
ISO 27001 (mapped)
CIS Controls v8 (mapped)

Why this matters

Compliance is leverage, not paperwork.

NIST CSF is the lingua franca of cybersecurity maturity globally. Boards understand it; insurers price it; regulators reference it. CSF 2.0's new Govern function makes it directly auditable for board accountability. Macksofy's CSF audit produces both a maturity tier (Partial → Adaptive) and a tier-by-function map that drives investment decisions for the next 12–24 months.

Applicability

Boards seeking quantifiable cybersecurity maturity
Listed companies + Big-4 audit committees
Multinationals harmonising cyber across geographies
Insurers pricing cyber-insurance premiums
M&A diligence (target + acquirer)

Standards & frameworks

Aligned to the regulations that matter.

NIST Cybersecurity Framework 2.0 (2024)

NIST SP 800-53 (control catalog)

NIST SP 800-171 (controlled unclassified info — for US gov contractors)

ISO 27001 (mapped)

CIS Controls v8 (mapped)

Methodology

How we run a NIST CSF engagement.

Interactive walkthrough — every phase clickable, every activity documented, every artefact regulator-ready.

Phase 01 of 5

1 · Profile + tier baseline

Current Profile authoring (per CSF Core)
Target Profile (12–24 month aspiration)
Tier 1–4 baseline assessment

Deliverables

Everything you need to satisfy auditors.

Current + Target Profile (CSF Core)
Tier scorecard (per function + per subcategory)
Supply-chain risk maturity report
12–24 month investment roadmap
Board-ready maturity dashboard
Annual re-audit + tier-uplift evidence

Recent engagements

Listed Manufacturer (India)

Annual CSF 2.0 maturity audit

Outcome: Maturity moved from Tier 2 (Risk-Informed) to Tier 3 (Repeatable) inside 14 months; cyber-insurance premium reduced 22%

At a glance

The shape of a NIST CSF engagement.

Every number below is grounded in how Macksofy actually runs the engagement — not aspirational marketing copy.

Methodology phases

Documented activities

Auditor-ready deliverables

0 day

Day retest window

Audit pillars

What we actually examine.

Each pillar is a distinct workstream inside the engagement — scoped, evidenced, and signed off independently before the audit pack is assembled.

Coverage breakdown

Govern (CSF 2.0)3 pts
Identify3 pts
Protect3 pts
Detect3 pts
Respond3 pts
Recover3 pts

Pillar 01

Govern (CSF 2.0)

The new function in CSF 2.0 — anchors all the rest.

Organisational context + cyber strategy
Cyber-risk appetite + tolerance
Roles, RACI, supply-chain governance

Pillar 02

Identify

Asset, data, supplier and risk inventories that the rest of CSF rests on.

Asset management evidence
Risk assessment + business environment
Supply-chain risk register

Pillar 03

Protect

The largest function — preventative controls across access, awareness, data, tech.

Identity & access management
Awareness + training programmes
Data security + protective tech

Pillar 04

Detect

Continuous monitoring, anomaly detection, security-event analysis.

Continuous-monitoring posture
Security-event correlation (SIEM)
ATT&CK detection coverage

Pillar 05

Respond

Response planning, communications, analysis, mitigation, improvements.

IR plan + playbooks
Mitigation + recovery activities
Post-incident lessons learned

Pillar 06

Recover

Recovery planning, improvements, communications.

Recovery plan + RTO / RPO
Communications with stakeholders
Continuous improvement loop

Engagement timeline

From kick-off to regulator-ready report.

The horizontal flow below shows the typical week-by-week shape of a NIST CSF engagement. Click any station for detail in the methodology section above.

Week 1

Profile + tier baseline

Week 2

Function-by-function audit

Week 3

Supply chain (CSF 2.0)

Week 4

Roadmap + investment plan

Week 5

Board reporting + cycle

What clients say · Trusted India + UAE

Rated 4.9 ★ from 612 client reviews.

CERT-In Empanelled

Govt of India · MeitY

EC-Council ATC

Authorized Training

ISO 27001 Certified

Info Security Mgmt

“We've worked with three Big 4 firms before Macksofy. None found what their team did in our payments stack. The most actionable report we've received in a decade.”

Aisha Khan

Information Security Manager · Listed Fintech · BKC, Mumbai

“The CHFI training Macksofy delivered for our cyber cell raised investigation quality measurably. Practical, India-context-aware, and respectful of our operational realities.”

Inspector K. Joshi

Cyber Cell · Maharashtra Police · Mumbai

“Came in with zero security background. 5 weeks later I was running Burp Suite and Metasploit confidently. Cleared CEH on the first attempt.”

Vivek Iyer

DevSecOps Lead · Healthcare SaaS · Hyderabad

Read all 612 reviews on Google →

FAQ

Things compliance leads ask before signing.

Not directly mandatory in India / UAE, but referenced by RBI / SEBI / NESA / DESC. Most multinationals adopt it as the connective layer across regulator obligations.

Other audit engagements

Talk to us

Get a fixed-price proposal in 48 hours.

Tell us about your security need — pentest, audit, training or a wider engagement. A senior consultant will reply within a few business hours.