From Vision to Execution: Inside the CRF Governance Model v2025

The Cybersecurity Risk Foundation (CRF) has released the 2025 version of its Governance & Risk Model, and the biggest change is also the most helpful:

It now follows a step-by-step roadmap to guide teams through the work.

The core ideas in the model haven’t changed. It’s still based on practical risk management, good governance, and aligning cybersecurity work with business goals. But the new format makes it much easier to understand what to do next, and how to make steady progress.

If you’re managing or building a cybersecurity program, this version is designed to make your job more focused and more manageable.

Why the Step-by-Step Format Matters

In previous versions, the CRF model followed a lifecycle approach. It offered important guidance, but many users found it hard to apply in the real world. The steps were clear in theory, but how to move through them wasn’t always obvious.

The 2025 version introduces a new structure — a seven-step roadmap. Each step is presented in order, with specific goals and suggested actions.

These seven simple steps help bring structure and clarity to your cybersecurity efforts:

  1. Initiate – Set up your program charter, leadership support, and governance roles.
  2. Inventory – Identify your technology assets, systems, and data.
  3. Select – Choose safeguards based on risk and threat modeling.
  4. Educate – Train your people and build security awareness.
  5. Implement – Put safeguards in place and track issues.
  6. Validate – Check if safeguards are working as expected.
  7. Communicate – Report risks and progress to the right people.

Each step builds on the last, and instead of high-level advice the model now gives you practical, doable tasks within each phase, so you can see progress, make decisions, and keep your team aligned.

Designed for Real Work, Not Just Strategy

The new roadmap makes it easier to:

  • Start with clarity: The “Initiate” phase helps you define ownership, scope, and leadership support.
  • Stay on track: You can plan and measure your progress one step at a time.
  • Communicate better: The roadmap helps you explain your program to executives, business leaders, and technical teams.
  • Work across tools: The structure fits well with project tracking, GRC tools, and business reporting systems.

You still get the same strengths from the CRF model — flexibility, risk focus, and practical guidance — but now it’s easier to use with your team and stakeholders.

No Need to Start Over

If you’re already using the 2024 version of the model, there’s no need to rebuild everything. The key principles remain the same. What the 2025 version offers is a clearer structure that helps you organize, communicate, and take action more easily.

You can adjust your current work to match the new steps or use the roadmap to identify gaps and move forward with more confidence.

A Simple but Powerful Update

The 2025 update doesn’t introduce new cybersecurity ideas — and that’s the point. It takes what’s already working and makes it more usable.

If your team has struggled with vague frameworks or has asked “what comes next?”, this version of the model gives you a clear answer.

Get the Model and Move Forward

The CRF Governance & Risk Model v2025 is available now, free to download. It also works well alongside the CRF-Safeguards and the new Business Intelligence Model, which help with safeguard selection and validation.

👉 Visit the CRF Research Page to download the model and start applying the roadmap to your program.