If you’re planning to sit for the Information Systems & Controls (ISC) discipline, cybersecurity on the CPA Exam just leveled up.
The NIST Cybersecurity Framework (CSF) 2.0 is the version referenced in the ISC Blueprint for exams beginning Q1 2025, replacing the older NIST CSF v1.1.
That means if your ISC notes still talk about the “original five functions” only, you’re officially out of date!
This article breaks down what changed, why it matters, and how to adjust your ISC study plan, especially around the new Govern function.
The NIST Cybersecurity Framework is a risk-based framework used globally to help organizations identify, manage, and reduce cybersecurity risk. It’s widely referenced in audit, IT, and risk conversations.
Version 2.0, finalized in February 2024, keeps the familiar hierarchy of Functions → Categories → Subcategories, but it reorganizes and expands the framework to make it more:
- Enterprise-wide (not just “IT’s problem”)
- Governance-focused
- Applicable beyond “critical infrastructure” to all sectors and organization sizes
The six CSF 2.0 Functions are now:
- Govern – Identify – Protect – Detect – Respond – Recover
If you memorized only “Identify, Protect, Detect, Respond, Recover,” you’re missing the new core piece: Govern.
The biggest headline change in CSF 2.0 is the addition of Govern, which NIST positions as a cross-cutting Function: its outcomes inform how an organization prioritizes and carries out Identify, Protect, Detect, Respond, and Recover.
Think of Govern as the “tone at the top” plus the system of accountability around cybersecurity. For ISC candidates, the key Govern themes (with the CSF 2.0 category each corresponds to) include:
Strategy & risk appetite (Organizational Context, GV.OC; Risk Management Strategy, GV.RM)
- Cybersecurity risk integrated with enterprise risk management
- Risk appetite and tolerance statements set by leadership and used to prioritize investment
Roles, responsibilities & accountability (Roles, Responsibilities, and Authorities, GV.RR)
- Defined governance structures with named owners for cyber risk
- Board / senior leadership oversight of cybersecurity
Policies, procedures & oversight (Policy, GV.PO; Oversight, GV.OV)
- Formal policies aligned with laws, regulations, and standards
- Regular review and update mechanisms
Third-party & supply chain governance (Cybersecurity Supply Chain Risk Management, GV.SC)
- How the organization identifies, assesses, and manages cybersecurity risk from vendors and service providers
Continuous improvement (also part of Oversight, GV.OV)
- Using incidents, metrics, and assessment results to refine the program
For the CPA/ISC lens, Govern is where you connect controls, risk, compliance, and strategy together. It’s the bridge between “IT security activities” and business, financial, and regulatory consequences.
Why did AICPA move ISC to NIST CSF 2.0?
The CPA Exam is designed to reflect the skills needed by a newly licensed CPA in the first 1–2 years of practice. With CPA Evolution and the Core-plus-Discipline model, ISC specifically targets technology, controls, and cybersecurity competencies.
Updating to NIST CSF 2.0 lets AICPA & CIMA:
- Align the exam with current industry practice, not a legacy framework
- Emphasize governance, risk, and accountability—areas where CPAs naturally play a role
- Reinforce the idea that cybersecurity is a major enterprise risk, alongside financial and compliance risks
In simple terms: CPAs aren’t just number-checkers anymore. They’re expected to engage in conversations about cyber risk, governance structures, and control design—and ISC is the discipline that tests exactly that.
What ISC candidates should actually know about NIST CSF 2.0
a) Big-picture understanding
- Purpose of NIST CSF as a risk-based, outcomes-focused framework
- The six Functions and what each one represents at a high level
- How organizations use CSF Organizational Profiles: a Current Profile describing which outcomes are achieved today, a Target Profile describing the desired state, and a gap analysis and action plan to move from one to the other
b) Key differences between CSF v1.1 and 2.0
- Moving from 5 to 6 Functions with Govern added; the governance and supply-chain outcomes that sat under Identify in v1.1 now live under Govern
- The stronger emphasis on:
- Supply chain / third-party risk
- Applicability across all sectors and organization sizes, not just “critical infrastructure”
c) Where CPAs fit in
- As an ISC-focused CPA, you should be able to:
- Explain to management or an audit committee how CSF 2.0 frames cybersecurity risk.
- Connect Govern principles (policy, oversight, risk appetite) to internal controls and assurance.
- Evaluate whether a described organization has appropriate governance over cybersecurity, or where gaps exist.
How NIST CSF 2.0 might appear on the ISC exam
You won’t necessarily see a question that says, “In NIST CSF 2.0, which subcategory ID is this?” That’s too granular.
Instead, expect:
Possible MCQ styles:
- A scenario where management treats cybersecurity as “an IT issue” with minimal board oversight → you identify that Govern outcomes are weak.
- A question asking which Function relates to setting cyber risk appetite and roles (answer: Govern).
- A comparison of two organizations, where one aligns cybersecurity with enterprise risk management and the other doesn’t → “Which organization better aligns with CSF 2.0 Govern principles?”
Possible TBS (Task-Based Simulation) styles:
- A case study of a mid-sized entity with missing policies, unclear ownership, and ad-hoc incident handling.
You might be asked to:
- Map issues to CSF Functions (Govern vs Identify vs Protect, etc.)
- Recommend governance improvements (e.g., establishing a cyber risk committee, formal policies, defined roles).
The existing Blueprints for ISC already emphasize understanding frameworks such as NIST CSF, NIST Privacy Framework, NIST SP 800-53, and CIS Controls. CSF 2.0 simply updates the specific version and strengthens the governance dimension you’ll be tested on.
Here’s a practical approach to a study plan for NIST CSF 2.0 (ISC):
- Read the official NIST CSF 2.0 document (NIST CSWP 29)
Focus on the high-level explanation of the six Functions, Profiles, and the purpose of the framework, not every subcategory.
- Build a one-page summary of the six Functions
One row per Function: Objective, Typical activities, and how a CPA/assurance professional might interact with it.
- Deep-dive the Govern function
List key themes: Governance structures, policies, roles, risk management integration, third-party governance, continuous improvement.
Link each theme to examples an ISC candidate might see on the exam (e.g., an audit committee asking about cyber risk reporting).
- Tie NIST CSF 2.0 to other ISC topics
Connect Govern to:
- IT governance and enterprise risk management (ERM)
- Internal control frameworks (e.g., COSO)
- Compliance and regulatory oversight
- Practice “exam thinking”
Take any cybersecurity scenario and ask:
- “Which Function(s) apply here?”
- “What would a CPA look for in terms of governance and controls?”
What this means if you’re choosing ISC as your Discipline
Picking ISC means you’re telling the market, “I speak both accounting and cybersecurity governance.”
With NIST CSF 2.0 now examinable, ISC becomes even more aligned with:
- Internal audit & IT audit roles
- Risk & compliance positions
- Advisory work around cyber risk, SOC reporting, and controls assurance
If you can confidently discuss Govern, Identify, Protect, Detect, Respond, Recover—and especially explain how Govern drives the rest—you’ll be in a strong position both for the exam and in real-world conversations with CISOs, controllers, and audit committees.
If you’re an ISC candidate, make sure “NIST CSF 2.0 + Govern” has its own dedicated page in your study plan. This isn’t just a minor tweak; it’s a clear signal that governance over cyber risk is now core to what the profession expects from new CPAs.
JESCPA
Journey to Exam Success : US CPA https://jescpa.learnworlds.com/courses