Your Incident Response Plan is Outdated: NIST CSF 2.0 Changes Everything

TL;DR

  • NIST released Cybersecurity Framework 2.0 in February 2024, the first major update since the framework's creation in 2014. CSF 2.0 adds a new Govern function, expands scope from critical infrastructure to all organisations, and significantly updates incident response guidance.
  • The new Govern function makes cybersecurity governance a board-level responsibility, not just an IT concern. Incident response plans must now demonstrate executive oversight, defined risk tolerances, and integration with broader organisational risk management.
  • IBM's Cost of a Data Breach Report found that the global average cost of a data breach reached USD $4.88 million in 2024, with organisations that have a tested incident response plan experiencing significantly lower costs than those without.
  • Australia's breach notification timelines are among the most demanding globally. Under the NDB scheme, organisations must assess and notify within 30 days, with proposed reforms expected to tighten these requirements further.

The Problem: Your IRP Was Built for a Different Framework

If your organisation has an incident response plan, there is a strong chance it was written to align with the original NIST Cybersecurity Framework (CSF 1.1) or — more commonly — no framework at all. It probably sits in a shared drive somewhere, last updated when it was first created, tested never.​‌‌​‌‌‌​‍​‌‌​‌​​‌‍​‌‌‌​​‌‌‍​‌‌‌​‌​​‍​​‌​‌‌​‌‍​‌‌​​​‌‌‍​‌‌‌​​‌‌‍​‌‌​​‌‌​‍​​‌​‌‌​‌‍​​‌‌​​‌​‍​​‌​‌‌​‌‍​‌‌​‌​​‌‍​‌‌​‌‌‌​‍​‌‌​​​‌‌‍​‌‌​‌​​‌‍​‌‌​​‌​​‍​‌‌​​‌​‌‍​‌‌​‌‌‌​‍​‌‌‌​‌​​‍​​‌​‌‌​‌‍​‌‌‌​​‌​‍​‌‌​​‌​‌‍​‌‌‌​​‌‌‍​‌‌‌​​​​‍​‌‌​‌‌‌‌‍​‌‌​‌‌‌​‍​‌‌‌​​‌‌‍​‌‌​​‌​‌‍​​‌​‌‌​‌‍​‌‌‌​​​​‍​‌‌​‌‌​​‍​‌‌​​​​‌‍​‌‌​‌‌‌​‍​​‌​‌‌​‌‍​‌‌‌​‌​‌‍​‌‌‌​​​​‍​‌‌​​‌​​‍​‌‌​​​​‌‍​‌‌‌​‌​​‍​‌‌​​‌​‌

NIST CSF 2.0 changes the game. Released in February

2024 after two years of development and public consultation, it represents the first major overhaul of the framework that has become the global benchmark for cybersecurity programme management. The changes are not cosmetic. They fundamentally alter what a mature incident response capability looks like.

If your IRP does not account for the Govern function, does not address supply chain incident response, does not include defined recovery objectives, and has not been tested against current threat scenarios, it is not just outdated — it may actively harm you in a crisis by giving your team false confidence in a plan that does not work.​‌‌​‌‌‌​‍​‌‌​‌​​‌‍​‌‌‌​​‌‌‍​‌‌‌​‌​​‍​​‌​‌‌​‌‍​‌‌​​​‌‌‍​‌‌‌​​‌‌‍​‌‌​​‌‌​‍​​‌​‌‌​‌‍​​‌‌​​‌​‍​​‌​‌‌​‌‍​‌‌​‌​​‌‍​‌‌​‌‌‌​‍​‌‌​​​‌‌‍​‌‌​‌​​‌‍​‌‌​​‌​​‍​‌‌​​‌​‌‍​‌‌​‌‌‌​‍​‌‌‌​‌​​‍​​‌​‌‌​‌‍​‌‌‌​​‌​‍​‌‌​​‌​‌‍​‌‌‌​​‌‌‍​‌‌‌​​​​‍​‌‌​‌‌‌‌‍​‌‌​‌‌‌​‍​‌‌‌​​‌‌‍​‌‌​​‌​‌‍​​‌​‌‌​‌‍​‌‌‌​​​​‍​‌‌​‌‌​​‍​‌‌​​​​‌‍​‌‌​‌‌‌​‍​​‌​‌‌​‌‍​‌‌‌​‌​‌‍​‌‌‌​​​​‍​‌‌​​‌​​‍​‌‌​​​​‌‍​‌‌‌​‌​​‍​‌‌​​‌​‌

What Changed in NIST CSF 2.0

The New Govern Function

The most significant change in CSF 2.0 is the addition of a sixth function: Govern. The original framework had five functions — Identify, Protect, Detect, Respond, and Recover. Govern sits at the centre, underpinning all other functions.

The Govern function establishes that cybersecurity governance is an organisational responsibility, not an IT responsibility. It requires:

  • Organisational context — understanding how cybersecurity risk management aligns with business objectives, stakeholder expectations, and legal obligations.
  • Risk management strategy — defining the organisation's risk appetite and tolerance, and ensuring cybersecurity risk is integrated into enterprise risk management.
  • Roles and responsibilities — clearly defining who is accountable for cybersecurity at the executive and board level, not just within IT.
  • Policy — establishing and maintaining cybersecurity policies that are communicated to and understood by all relevant stakeholders.
  • Oversight — regular review and adjustment of cybersecurity strategy based on performance metrics, risk assessments, and changes in the threat landscape.
  • Supply chain risk management — managing cybersecurity risks arising from the supply chain, including third-party service providers and software dependencies.

For incident response planning, the Govern function means your IRP must now demonstrate executive oversight. It is no longer sufficient to have a technical runbook maintained by the IT team. The plan must show that the organisation's leadership understands incident response roles, has approved risk tolerance decisions, and has allocated appropriate resources.

Expanded Scope: Beyond Critical Infrastructure

CSF 1.1 was primarily written for critical infrastructure organisations — utilities, financial services, healthcare, and government agencies. CSF 2.0 explicitly expands scope to all organisations, regardless of size or sector. The updated title drops the "Framework for Improving Critical Infrastructure Cybersecurity" framing in favour of broader applicability.

This expansion matters for SMBs because it eliminates the "that framework is not for us" objection. NIST CSF 2.0 is explicitly designed to be scalable and applicable to organisations of all sizes. The framework acknowledges that a 20-person business will implement controls differently from a 20,000-person enterprise, but the principles and structure apply equally.

For incident response, this means every organisation — including yours — should have a documented, tested plan that aligns with the framework's Respond and Recover functions. The days of incident response being "something the big companies do" are over.

Updated Respond Function

The Respond function in CSF 2.0 has been updated with more granular subcategories that address the full lifecycle of incident response:

Incident Management (RS.MA) — Incidents are managed through defined processes including detection, analysis, containment, eradication, and recovery. This subcategory emphasises that incident management is a process, not a reaction.

Incident Analysis (RS.AN) — Investigations are conducted to determine the scope, impact, and root cause of incidents. This includes correlation with threat intelligence and analysis of indicators of compromise across the environment.

Incident Response Reporting and Communication (RS.CO) — Internal and external stakeholders are notified of incidents according to established plans. This explicitly includes regulatory notification obligations, which is critical for Australian organisations subject to the NDB scheme.

Incident Mitigation (RS.MI) — Actions are performed to prevent expansion of the incident, mitigate its effects, and resolve the incident. This includes both technical containment measures and business continuity actions.

The key change from CSF 1.1 is the emphasis on integration. Incident response is not a standalone capability — it must be integrated with detection capabilities, recovery processes, and governance oversight. An IRP that treats incident response as an isolated workflow, without connecting it to detection tools, communication plans, and recovery objectives, no longer meets the framework's expectations.

Updated Recover Function

The Recover function has been enhanced to emphasise two critical areas that many IRPs underserve: recovery planning and communication during recovery.

Recovery Planning (RC.RP) — Recovery activities are planned and prioritised based on the severity of the incident and pre-defined recovery objectives. This means your IRP must include defined Recovery Time Objectives (RTOs) and Recovery Point Objectives (RPOs) for critical systems and data.

Recovery Communication (RC.CO) — Restoration activities are communicated to internal and external stakeholders, including customers, partners, regulators, and the public as appropriate. This goes beyond the initial breach notification — it covers ongoing communication throughout the recovery process.

For SMBs, the practical implication is that your IRP needs a recovery section, not just a response section. Many IRPs focus entirely on the first 72 hours — detection, containment, and notification — but say nothing about how the business returns to normal operations. CSF 2.0 makes recovery an equal priority.

Why Your Existing IRP Probably Falls Short

Based on the CSF 2.0 changes, here are the most common gaps in existing incident response plans:

No Executive Governance

Most SMB IRPs are technical documents created by IT staff. They may reference "management" in general terms but do not define specific executive roles, escalation criteria for board notification, or risk tolerance decisions. Under CSF 2.0's Govern function, the IRP must demonstrate that leadership is engaged — not just informed — in incident response.

No Supply Chain Coverage

Supply chain incidents are now one of the most common attack vectors. The compromise of a third-party vendor, a software dependency, or a managed service provider can have cascading effects on your organisation. Yet most IRPs address only direct attacks on the organisation's own systems.

Your IRP should include: a process for receiving and acting on vendor security notifications, defined response procedures when a critical supplier is compromised, criteria for when to invoke your own incident response based on a vendor incident, and communication templates for notifying your customers about incidents originating from your supply chain.

No Defined Recovery Objectives

How long can your business operate without its email system? Its customer database? Its accounting software? If your IRP does not specify RTOs and RPOs for critical systems, your recovery will be improvised rather than planned.

A practical approach: identify your top five business-critical systems, define the maximum acceptable downtime for each (RTO), and define the maximum acceptable data loss for each (RPO). These numbers inform your backup strategy, your disaster recovery investment, and your communication during an incident.

Never Tested

An incident response plan that has never been tested is a hypothesis, not a plan. You do not know if your team can execute it, if the contact details are current, if the procedures actually work, or if critical steps have been missed.

Tabletop exercises — structured discussions where the team walks through a simulated incident scenario — are the most practical and cost-effective way for SMBs to test their IRP. A single two-hour tabletop exercise will reveal more gaps than any amount of document review.

No Regulatory Notification Procedures

Australian organisations subject to the NDB scheme must assess whether a data breach is likely to result in serious harm and, if so, notify the OAIC and affected individuals as soon as practicable and no later than 30 days. GDPR requires notification within 72 hours. Your IRP must include specific procedures, timelines, templates, and assigned responsibilities for regulatory notification.

The Cost of Getting It Wrong

IBM's Cost of a Data Breach Report 2024 found that the global average cost of a data breach reached USD $4.88 million. But the report also identified the factors that most significantly reduce breach costs, and incident response is at the top of the list.

Organisations with a tested incident response plan and an incident response team experienced breach costs significantly below the average. Conversely, organisations without these capabilities faced higher costs, longer breach lifecycles, and greater regulatory consequences.

For Australian SMBs, the financial calculus is even more stark. The OAIC has been increasingly active in enforcement actions, pursuing civil penalty proceedings against organisations that failed to take reasonable steps to protect personal information. Under the Privacy Act 1988, penalties for serious or repeated breaches can reach up to $50 million or three times the value of any benefit obtained from the breach.

Beyond direct financial costs, a poorly handled breach damages customer trust, business relationships, and reputation. For an SMB, losing a major client due to a mishandled security incident can be existential.

Australian Breach Notification Requirements

Australia's Notifiable Data Breaches (NDB) scheme, established under Part IIIC of the Privacy Act 1988, requires organisations covered by the Act to notify the OAIC and affected individuals when a data breach is likely to result in serious harm.

Who Is Covered

The NDB scheme applies to organisations with an annual turnover of more than $3 million, as well as health service providers, Australian Government agencies, and businesses that trade in personal information, regardless of turnover. Some small businesses are also covered if they are related to a larger entity, provide health services, or have opted in.

Assessment Obligations

When an organisation becomes aware that there are reasonable grounds to suspect a data breach has occurred, it must conduct an assessment within 30 days to determine whether the breach is likely to result in serious harm. During this assessment period, the organisation must take reasonable steps to contain the breach and mitigate harm.

Notification Requirements

If the assessment determines that serious harm is likely, the organisation must notify the OAIC by submitting a statement that includes the identity and contact details of the organisation, a description of the breach, the kinds of information involved, and recommendations for affected individuals. The organisation must also notify each affected individual or, if that is not practicable, publish a notice on its website and take reasonable steps to publicise it.

Proposed Reforms

The Australian Government's Cyber Security Strategy 2023-2030 includes measures that may further tighten breach notification requirements. Proposed changes include mandatory reporting of ransomware payments, a Cyber Incident Review Board to review major incidents, and strengthened obligations for critical infrastructure operators. These reforms reinforce the need for robust incident response capabilities.

How to Update Your IRP for NIST CSF 2.0

Add the Govern Layer

Update your IRP to include an executive governance section that defines:

  • Executive sponsor — a named individual at the leadership level who is accountable for the IRP.
  • Board reporting — criteria for when incidents are escalated to the board, and the format of board reporting during and after incidents.
  • Risk tolerance — documented decisions about acceptable risk levels that inform incident response priorities (for example, prioritising customer data protection over operational continuity).
  • Resource allocation — confirmation that appropriate resources — budget, personnel, tools — have been allocated for incident response.

Expand to Cover Supply Chain Incidents

Add a supply chain incident playbook that includes:

  • Procedures for receiving and triaging vendor security notifications.
  • Response procedures when a critical supplier is compromised.
  • Decision criteria for when a vendor incident triggers your own IRP.
  • Communication templates for notifying customers about supply chain incidents.
  • A maintained list of critical vendors and their security contacts.

Define Recovery Objectives

For each business-critical system, document:

  • Recovery Time Objective (RTO) — the maximum acceptable downtime.
  • Recovery Point Objective (RPO) — the maximum acceptable data loss.
  • Recovery procedure — specific steps to restore the system from backup or alternative.
  • Recovery owner — the person responsible for executing the recovery.
  • Recovery verification — how you confirm the system is restored and functioning correctly.

Include Regulatory Notification Procedures

Create a notification section that covers:

  • Australian NDB scheme — 30-day assessment and notification procedure, OAIC statement template, individual notification template.
  • GDPR (if applicable) — 72-hour notification to supervisory authority, data subject notification procedure.
  • Other jurisdictions — as applicable based on your customer base and data processing locations.
  • Notification decision tree — a clear flowchart that helps your team determine whether notification is required and to whom.

Build in Testing

Commit to testing your IRP at least annually through a tabletop exercise. A basic tabletop exercise requires:

  • A scenario — a realistic incident description (for example, ransomware encrypting your file server, or a vendor notifying you of a data breach affecting your data).
  • Participants — everyone named in the IRP, including the executive sponsor.
  • A facilitator — someone who guides the discussion through the scenario and records gaps.
  • An action log — a documented list of issues identified during the exercise and assigned remediation actions.

One two-hour tabletop exercise per year is the minimum. After a real incident, conduct a full post-incident review and update the IRP based on lessons learned.

The Australian Cyber Security Strategy and Incident Response

The Australian Government's Cyber Security Strategy 2023-2030 sets a national vision to become a world leader in cybersecurity by 2030. Several elements of the strategy directly impact incident response requirements for businesses.

Mandatory ransomware payment reporting — the strategy includes measures for mandatory reporting of ransomware payments. If enacted, organisations that pay a ransom will be required to report the payment to the Australian Government. Your IRP should already include a section on ransomware response, including the decision framework for whether to pay (noting that the Australian Government strongly discourages ransomware payments).

Cyber Incident Review Board — similar to the US Cyber Safety Review Board, Australia is establishing a body to review major cyber incidents and publish findings. These reviews will inform best practice, and organisations whose incident response falls short of reasonable standards may face scrutiny.

Strengthened critical infrastructure obligations — the Security of Critical Infrastructure Act 2018 (SOCI Act) has been progressively strengthened, and the Cyber Security Strategy signals further tightening. If your business is classified as a responsible entity or critical asset under the SOCI Act, you face specific incident reporting obligations with tight timelines — in some cases, within 12 hours of becoming aware of a significant cyber incident.

Frequently Asked Questions

The addition of the Govern function is the most significant change. It establishes cybersecurity governance as a foundational activity that underpins all other functions. For incident response, this means plans must now demonstrate executive oversight, defined risk tolerances, and integration with broader organisational risk management — not just technical response procedures.

NIST CSF is a US framework, not an Australian regulation. However, it is widely used internationally as a benchmark for cybersecurity programme maturity. Many Australian organisations, particularly those serving US clients or operating in regulated industries, use NIST CSF as their primary framework. The ASD Essential Eight and NIST CSF are complementary — Essential Eight provides specific technical controls while CSF provides the broader governance and programme structure.

At minimum, annually through a tabletop exercise. Best practice is to test twice per year: one planned tabletop exercise and one unannounced drill or simulation. Additionally, the IRP should be reviewed and updated after every real incident, after significant changes to the IT environment, and when new team members join the incident response team.

An incident response plan focuses on detecting, containing, eradicating, and recovering from security incidents. A business continuity plan focuses on maintaining critical business operations during and after a disruption of any kind (not just cyber incidents). They are complementary documents that should be developed and tested together. Under NIST CSF 2.0, the Recover function bridges both — your IRP should connect to your BCP for the recovery phase.

Under the NDB scheme, once an organisation has reasonable grounds to suspect a data breach has occurred, it has 30 days to complete an assessment of whether the breach is likely to result in serious harm. If serious harm is likely, notification to the OAIC and affected individuals must happen as soon as practicable. In practice, the OAIC expects notification well within the 30-day assessment window where the nature and extent of the breach are clear early on.

Your IRP should have a supply chain incident playbook for this scenario. The immediate steps are: acknowledge the notification and request full details of the breach (what data, how many records, when it occurred, what containment measures are in place), assess whether your obligations under the NDB scheme or other regulations are triggered, notify your executive sponsor, and begin your own assessment and communication process. Do not assume the vendor has everything under control — verify independently.

Yes. Most cyber insurance providers assess incident response capability as part of their underwriting process. Having a documented, tested IRP — particularly one that aligns with a recognised framework like NIST CSF — can positively influence premiums. Conversely, not having an IRP, or having one that has never been tested, can result in higher premiums, coverage exclusions, or difficulty obtaining coverage at all.

Stop Hoping Your Current Plan Will Work

Hope is not a strategy, and an untested IRP is not a plan. NIST CSF 2.0 raises the bar for what a mature incident response capability looks like, and the Australian regulatory environment is tightening in parallel.

The Incident Response Plan Template gives you a ready-to-deploy IRP aligned with NIST CSF 2.0, including the new Govern function requirements, incident-specific playbooks for ransomware, BEC, data breaches, and supply chain compromises, communication templates for regulatory notification under the Australian NDB scheme and GDPR, a tabletop exercise scenario, and evidence collection guidance. Customise it in two to three hours and deploy it today. $47 AUD, instant download, 30-day money-back guarantee.

Ready to strengthen your security?

Talk to lilMONSTER. We assess your risks, build the tools, and stay with you after the engagement ends. No clipboard-and-leave consulting.

Get a Free Consultation