NIST SP 800-53, Revision 5 Control Mappings to ISO/IEC 27001

The mapping tables in this appendix provide organizations with a general indication of security control coverage with respect to ISO/IEC 27001, Information technology – Security techniques – Information security management systems – Requirements. ISO/IEC 27001 may be applied to all types of organizations and specifies requirements for establishing, implementing, operating, monitoring, reviewing, maintaining, and improving a documented information security management system (ISMS) within the context of business risks. NIST Special Publication 800-39 includes guidance on managing risk at the organizational level, mission/business process level, and information system level; it is consistent with ISO/IEC 27001 and provides additional implementation detail for the federal government and its contractors.

The mapping of SP 800-53 Revision 5 controls to ISO/IEC 27001:2013 requirements and controls reflects whether the implementation of a security control from Special Publication 800-53 satisfies the intent of the mapped security requirement or control from ISO/IEC 27001 and, conversely, whether the implementation of a security requirement or security control from ISO/IEC 27001 satisfies the intent of the mapped control from Special Publication 800-53. To meet the mapping criteria, the implementation of the mapped controls should result in an equivalent information security posture. However, organizations should not assume security requirement and control equivalency based solely on the mapping tables herein: there is always some degree of subjectivity in the mapping analysis, the mappings are not always one-to-one, and mapped controls may not be completely equivalent. Organization-specific implementations may also play a role in control equivalency. 
The following examples illustrate some of the mapping issues:

Example 1: Special Publication 800-53 contingency planning and ISO/IEC 27001 business continuity management were deemed to have similar, but not the same, functionality.

Example 2: Similar topics addressed in the two security control sets may have a different context, perspective, or scope. Special Publication 800-53 addresses information flow control broadly in terms of approved authorizations for controlling access between source and destination objects, whereas ISO/IEC 27001 addresses information flow more narrowly as it applies to interconnected network domains.

Example 3: Security control A.6.1.1, Information Security Roles and Responsibilities, in ISO/IEC 27001 states that "all information security responsibilities shall be defined and allocated," while security control PM-10, Authorization Process, in Special Publication 800-53, which is mapped to A.6.1.1, has three distinct parts. Part b. of PM-10 requires designation of "individuals to fulfill specific roles and responsibilities..." If A.6.1.1 is mapped to PM-10 without any additional information, organizations might assume that if A.6.1.1 is implemented (i.e., all responsibilities are defined and allocated), then the intent of PM-10 is also fully satisfied. However, this may not be the case, since parts a. and c. of PM-10 may not have been addressed. 
To resolve and clarify the security control mappings, when a security requirement or control in the right column of Tables 1 and 2 does not fully satisfy the intent of the security requirement or control in the left column of the tables, the control or controls (i.e., the entire set of controls listed) in the right column is designated with an asterisk (*).

Example 4: Privacy controls were integrated into the SP 800-53, Revision 5, control set to address privacy requirements for the processing of personally identifiable information (PII) and thus are included in the mapping table; however, ISO/IEC 27001 does not specifically address privacy beyond the inherent benefits provided by maintaining the security of PII. Users of this mapping table should therefore assume that the ISO/IEC 27001 controls do not satisfy privacy requirements with respect to PII processing.

In a few cases, an ISO/IEC 27001 security requirement or control could only be directly mapped to a Special Publication 800-53 control enhancement. In such cases, the relevant enhancement is specified in Table 2 (e.g., "AC-19(4)"), indicating that the corresponding ISO/IEC 27001 requirement or control satisfies only the intent of the specified enhancement and does not address the associated base control from Special Publication 800-53 or any other enhancements under that base control. Where no enhancement is specified, the ISO/IEC 27001 requirement or control is relevant only to the Special Publication 800-53 base control.

Finally, the security controls from ISO/IEC 27002 were not considered in the mapping analysis, since the 27002 standard is informative rather than normative.

Table 1 provides a mapping from the security controls in NIST Special Publication 800-53 to the security controls in ISO/IEC 27001. 
Please review the introductory text above before employing the mappings in Table 1.

TABLE 1: MAPPING NIST SP 800-53 TO ISO/IEC 27001

Note: An asterisk (*) indicates that the ISO/IEC control does not fully satisfy the intent of the NIST control. "None" means no ISO/IEC 27001 requirement or control maps to the NIST control; "---" marks a control withdrawn from the Revision 5 catalog.

NIST SP 800-53 CONTROL | TITLE | ISO/IEC 27001 CONTROLS

AC-1 | Access Control Policy and Procedures | 5.2, 5.3, 7.5.1, 7.5.2, 7.5.3, A.5.1.1, A.5.1.2, A.6.1.1, A.9.1.1, A.12.1.1, A.18.1.1, A.18.2.2
AC-2 | Account Management | A.9.2.1, A.9.2.2, A.9.2.3, A.9.2.5, A.9.2.6
AC-3 | Access Enforcement | A.6.2.2, A.9.1.2, A.9.4.1, A.9.4.4, A.9.4.5, A.13.1.1, A.14.1.2, A.14.1.3, A.18.1.3
AC-4 | Information Flow Enforcement | A.13.1.3, A.13.2.1, A.14.1.2, A.14.1.3
AC-5 | Separation of Duties | A.6.1.2
AC-6 | Least Privilege | A.9.1.2, A.9.2.3, A.9.4.4, A.9.4.5
AC-7 | Unsuccessful Logon Attempts | A.9.4.2
AC-8 | System Use Notification | A.9.4.2
AC-9 | Previous Logon Notification | A.9.4.2
AC-10 | Concurrent Session Control | None
AC-11 | Device Lock | A.11.2.8, A.11.2.9
AC-12 | Session Termination | None
AC-13 | Withdrawn | ---
AC-14 | Permitted Actions without Identification or Authentication | None
AC-15 | Withdrawn | ---
AC-16 | Security and Privacy Attributes | None
AC-17 | Remote Access | A.6.2.1, A.6.2.2, A.13.1.1, A.13.2.1, A.14.1.2
AC-18 | Wireless Access | A.6.2.1, A.13.1.1, A.13.2.1
AC-19 | Access Control for Mobile Devices | A.6.2.1, A.11.1.5, A.11.2.6, A.13.2.1
AC-20 | Use of External Systems | A.11.2.6, A.13.1.1, A.13.2.1
AC-21 | Information Sharing | None
AC-22 | Publicly Accessible Content | None
AC-23 | Data Mining Protection | None
AC-24 | Access Control Decisions | A.9.4.1*
AC-25 | Reference Monitor | None

AT-1 | Awareness and Training Policy and Procedures | 5.2, 5.3, 7.5.1, 7.5.2, 7.5.3, A.5.1.1, A.5.1.2, A.6.1.1, A.12.1.1, A.18.1.1, A.18.2.2
AT-2 | Literacy Training and Awareness | 7.3, A.7.2.2, A.12.2.1
AT-3 | Role-Based Training | A.7.2.2*
AT-4 | Training Records | None
AT-5 | Withdrawn | ---
AT-6 | Training Feedback | None

AU-1 | Audit and Accountability Policy and Procedures | 5.2, 5.3, 7.5.1, 7.5.2, 7.5.3, A.5.1.1, A.5.1.2, A.6.1.1, A.12.1.1, A.18.1.1, A.18.2.2
AU-2 | Event Logging | None
AU-3 | Content of Audit Records | A.12.4.1*
AU-4 | Audit Log Storage Capacity | A.12.1.3
AU-5 | Response to Audit Logging Process Failures | None
AU-6 | Audit Record Review, Analysis, and Reporting | A.12.4.1, A.16.1.2, A.16.1.4
AU-7 | Audit Record Reduction and Report Generation | None
AU-8 | Time Stamps | A.12.4.4
AU-9 | Protection of Audit Information | A.12.4.2, A.12.4.3, A.18.1.3
AU-10 | Non-repudiation | None
AU-11 | Audit Record Retention | A.12.4.1, A.16.1.7
AU-12 | Audit Record Generation | A.12.4.1, A.12.4.3
AU-13 | Monitoring for Information Disclosure | None
AU-14 | Session Audit | A.12.4.1*
AU-15 | Withdrawn | ---
AU-16 | Cross-Organizational Audit Logging | None

CA-1 | Assessment and Authorization Policies and Procedures | 5.2, 5.3, 7.5.1, 7.5.2, 7.5.3, A.5.1.1, A.5.1.2, A.6.1.1, A.12.1.1, A.18.1.1, A.18.2.2
CA-2 | Control Assessments | A.14.2.8, A.18.2.2, A.18.2.3
CA-3 | Information Exchange | A.13.1.2, A.13.2.1, A.13.2.2
CA-4 | Withdrawn | ---
CA-5 | Plan of Action and Milestones | 8.3, 9.2, 10.1*
CA-6 | Authorization | 9.3*
CA-7 | Continuous Monitoring | 9.1, 9.2, A.18.2.2, A.18.2.3*
CA-8 | Penetration Testing | None
CA-9 | Internal System Connections | None

CM-1 | Configuration Management Policy and Procedures | 5.2, 5.3, 7.5.1, 7.5.2, 7.5.3, A.5.1.1, A.5.1.2, A.6.1.1, A.12.1.1, A.18.1.1, A.18.2.2
CM-2 | Baseline Configuration | None
CM-3 | Configuration Change Control | 8.1, A.12.1.2, A.14.2.2, A.14.2.3, A.14.2.4
CM-4 | Impact Analyses | A.14.2.3
CM-5 | Access Restrictions for Change | A.9.2.3, A.9.4.5, A.12.1.2, A.12.1.4, A.12.5.1
CM-6 | Configuration Settings | None
CM-7 | Least Functionality | A.12.5.1*
CM-8 | System Component Inventory | A.8.1.1, A.8.1.2
CM-9 | Configuration Management Plan | A.6.1.1*
CM-10 | Software Usage Restrictions | A.18.1.2
CM-11 | User-Installed Software | A.12.5.1, A.12.6.2
CM-12 | Information Location | None
CM-13 | Data Action Mapping | None
CM-14 | Signed Components | None

CP-1 | Contingency Planning Policy and Procedures | 5.2, 5.3, 7.5.1, 7.5.2, 7.5.3, A.5.1.1, A.5.1.2, A.6.1.1, A.12.1.1, A.18.1.1, A.18.2.2
CP-2 | Contingency Plan | 7.5.1, 7.5.2, 7.5.3, A.6.1.1, A.17.1.1, A.17.2.1
CP-3 | Contingency Training | A.7.2.2*
CP-4 | Contingency Plan Testing | A.17.1.3
CP-5 | Withdrawn | ---
CP-6 | Alternate Storage Site | A.11.1.4, A.17.1.2, A.17.2.1
CP-7 | Alternate Processing Site | A.11.1.4, A.17.1.2, A.17.2.1
CP-8 | Telecommunications Services | A.11.2.2, A.17.1.2
CP-9 | System Backup | A.12.3.1, A.17.1.2, A.18.1.3
CP-10 | System Recovery and Reconstitution | A.17.1.2
CP-11 | Alternate Communications Protocols | A.17.1.2*
CP-12 | Safe Mode | None
CP-13 | Alternative Security Mechanisms | A.17.1.2*

IA-1 | Identification and Authentication Policy and Procedures | 5.2, 5.3, 7.5.1, 7.5.2, 7.5.3, A.5.1.1, A.5.1.2, A.6.1.1, A.12.1.1, A.18.1.1, A.18.2.2
IA-2 | Identification and Authentication (Organizational Users) | A.9.2.1
IA-3 | Device Identification and Authentication | None
IA-4 | Identifier Management | A.9.2.1
IA-5 | Authenticator Management | A.9.2.1, A.9.2.4, A.9.3.1, A.9.4.3
IA-6 | Authentication Feedback | A.9.4.2
IA-7 | Cryptographic Module Authentication | A.18.1.5
IA-8 | Identification and Authentication (Non-Organizational Users) | A.9.2.1
IA-9 | Service Identification and Authentication | None
IA-10 | Adaptive Identification and Authentication | None
IA-11 | Re-authentication | None
IA-12 | Identity Proofing | None

IR-1 | Incident Response Policy and Procedures | 5.2, 5.3, 7.5.1, 7.5.2, 7.5.3, A.5.1.1, A.5.1.2, A.6.1.1, A.12.1.1, A.18.1.1, A.18.2.2
IR-2 | Incident Response Training | A.7.2.2*
IR-3 | Incident Response Testing | None
IR-4 | Incident Handling | A.16.1.4, A.16.1.5, A.16.1.6
IR-5 | Incident Monitoring | None
IR-6 | Incident Reporting | A.6.1.3, A.16.1.2
IR-7 | Incident Response Assistance | None
IR-8 | Incident Response Plan | 7.5.1, 7.5.2, 7.5.3, A.16.1.1
IR-9 | Information Spillage Response | None
IR-10 | Withdrawn | ---

MA-1 | System Maintenance Policy and Procedures | 5.2, 5.3, 7.5.1, 7.5.2, 7.5.3, A.5.1.1, A.5.1.2, A.6.1.1, A.12.1.1, A.18.1.1, A.18.2.2
MA-2 | Controlled Maintenance | A.11.2.4*, A.11.2.5*
MA-3 | Maintenance Tools | None
MA-4 | Nonlocal Maintenance | None
MA-5 | Maintenance Personnel | None
MA-6 | Timely Maintenance | A.11.2.4
MA-7 | Field Maintenance | None

MP-1 | Media Protection Policy and Procedures | 5.2, 5.3, 7.5.1, 7.5.2, 7.5.3, A.5.1.1, A.5.1.2, A.6.1.1, A.12.1.1, A.18.1.1, A.18.2.2
MP-2 | Media Access | A.8.2.3, A.8.3.1, A.11.2.9
MP-3 | Media Marking | A.8.2.2
MP-4 | Media Storage | A.8.2.3, A.8.3.1, A.11.2.9
MP-5 | Media Transport | A.8.2.3, A.8.3.1, A.8.3.3, A.11.2.5, A.11.2.6
MP-6 | Media Sanitization | A.8.2.3, A.8.3.1, A.8.3.2, A.11.2.7
MP-7 | Media Use | A.8.2.3, A.8.3.1
MP-8 | Media Downgrading | None

PE-1 | Physical and Environmental Protection Policy and Procedures | 5.2, 5.3, 7.5.1, 7.5.2, 7.5.3, A.5.1.1, A.5.1.2, A.6.1.1, A.12.1.1, A.18.1.1, A.18.2.2
PE-2 | Physical Access Authorizations | A.11.1.2*
PE-3 | Physical Access Control | A.11.1.1, A.11.1.2, A.11.1.3
PE-4 | Access Control for Transmission Medium | A.11.1.2, A.11.2.3
PE-5 | Access Control for Output Devices | A.11.1.2, A.11.1.3
PE-6 | Monitoring Physical Access | None
PE-7 | Withdrawn | ---
PE-8 | Visitor Access Records | None
PE-9 | Power Equipment and Cabling | A.11.1.4, A.11.2.1, A.11.2.2, A.11.2.3
PE-10 | Emergency Shutoff | A.11.2.2*
PE-11 | Emergency Power | A.11.2.2
PE-12 | Emergency Lighting | A.11.2.2*
PE-13 | Fire Protection | A.11.1.4, A.11.2.1
PE-14 | Environmental Controls | A.11.1.4, A.11.2.1, A.11.2.2
PE-15 | Water Damage Protection | A.11.1.4, A.11.2.1, A.11.2.2
PE-16 | Delivery and Removal | A.8.2.3, A.11.1.6, A.11.2.5
PE-17 | Alternate Work Site | A.6.2.2, A.11.2.6, A.13.2.1
PE-18 | Location of System Components | A.8.2.3, A.11.1.4, A.11.2.1
PE-19 | Information Leakage | A.11.1.4, A.11.2.1
PE-20 | Asset Monitoring and Tracking | A.8.2.3*
PE-21 | Electromagnetic Pulse Protection | None
PE-22 | Component Marking | A.8.2.2
PE-23 | Facility Location | A.11.1.4, A.11.2.1

PL-1 | Planning Policy and Procedures | 5.2, 5.3, 7.5.1, 7.5.2, 7.5.3, A.5.1.1, A.5.1.2, A.6.1.1, A.12.1.1, A.18.1.1, A.18.2.2
PL-2 | System Security and Privacy Plans | 7.5.1, 7.5.2, 7.5.3, 10.1, A.14.1.1
PL-3 | Withdrawn | ---
PL-4 | Rules of Behavior | A.7.1.2, A.7.2.1, A.8.1.3
PL-5 | Withdrawn | ---
PL-6 | Withdrawn | ---
PL-7 | Concept of Operations | 8.1, A.14.1.1
PL-8 | Security and Privacy Architectures | A.14.1.1*
PL-9 | Central Management | None
PL-10 | Baseline Selection | None
PL-11 | Baseline Tailoring | None

PM-1 | Information Security Program Plan | 4.1, 4.2, 4.3, 4.4, 5.2, 5.3, 6.1.1, 6.2, 7.4, 7.5.1, 7.5.2, 7.5.3, 8.1, 9.3, 10.2, A.5.1.1, A.5.1.2, A.6.1.1, A.18.1.1, A.18.2.2
PM-2 | Information Security Program Leadership Role | 5.1, 5.3, A.6.1.1
PM-3 | Information Security and Privacy Resources | 5.1, 6.2, 7.1
PM-4 | Plan of Action and Milestones Process | 6.1.1, 6.2, 7.5.1, 7.5.2, 7.5.3, 8.3, 9.2, 9.3, 10.1
PM-5 | System Inventory | None
PM-6 | Measures of Performance | 5.3, 6.1.1, 6.2, 9.1
PM-7 | Enterprise Architecture | None
PM-8 | Critical Infrastructure Plan | None
PM-9 | Risk Management Strategy | 4.3, 4.4, 6.1.1, 6.1.2, 6.2, 7.5.1, 7.5.2, 7.5.3, 9.3, 10.2
PM-10 | Authorization Process | 9.3, A.6.1.1*
PM-11 | Mission and Business Process Definition | 4.1
PM-12 | Insider Threat Program | None
PM-13 | Security and Privacy Workforce | 7.2, A.7.2.2*
PM-14 | Testing, Training, and Monitoring | 6.2*
PM-15 | Security and Privacy Groups and Associations | 7.4, A.6.1.4
PM-16 | Threat Awareness Program | None
PM-17 | Protecting Controlled Unclassified Information on External Systems | None
PM-18 | Privacy Program Plan | None
PM-19 | Privacy Program Leadership Role | None
PM-20 | Dissemination of Privacy Program Information | None
PM-21 | Accounting of Disclosures | None
PM-22 | Personally Identifiable Information Quality Management | None
PM-23 | Data Governance Body | None
PM-24 | Data Integrity Board | None
PM-25 | Minimization of Personally Identifiable Information Used in Testing, Training, and Research | None
PM-26 | Complaint Management | None
PM-27 | Privacy Reporting | None
PM-28 | Risk Framing | 4.3, 6.1.2, 6.2, 7.4, 7.5.1, 7.5.2, 7.5.3
PM-29 | Risk Management Program Leadership Roles | 5.1, 5.3, 9.2, A.6.1.1
PM-30 | Supply Chain Risk Management Strategy | 4.4, 6.2, 7.5.1, 7.5.2, 7.5.3, 10.2*
PM-31 | Continuous Monitoring Strategy | 4.4, 6.2, 7.4, 7.5.1, 7.5.2, 7.5.3, 9.1, 10.1, 10.2
PM-32 | Purposing | None

PS-1 | Personnel Security Policy and Procedures | 5.2, 5.3, 7.5.1, 7.5.2, 7.5.3, A.5.1.1, A.5.1.2, A.6.1.1, A.12.1.1, A.18.1.1, A.18.2.2
PS-2 | Position Risk Designation | None
PS-3 | Personnel Screening | A.7.1.1
PS-4 | Personnel Termination | A.7.3.1, A.8.1.4
PS-5 | Personnel Transfer | A.7.3.1, A.8.1.4
PS-6 | Access Agreements | A.7.1.2, A.7.2.1, A.13.2.4
PS-7 | External Personnel Security | A.6.1.1, A.7.2.1*
PS-8 | Personnel Sanctions | 7.3, A.7.2.3
PS-9 | Position Descriptions | A.6.1.1

PT-1 | Personally Identifiable Information Processing and Transparency Policy and Procedures | None
PT-2 | Authority to Process Personally Identifiable Information | None
PT-3 | Personally Identifiable Information Processing Purposes | None
PT-4 | Consent | None
PT-5 | Privacy Notice | None
PT-6 | System of Records Notice | None
PT-7 | Specific Categories of Personally Identifiable Information | None
PT-8 | Computer Matching Requirements | None

RA-1 | Risk Assessment Policy and Procedures | 5.2, 5.3, 7.5.1, 7.5.2, 7.5.3, A.5.1.1, A.5.1.2, A.6.1.1, A.12.1.1, A.18.1.1, A.18.2.2
RA-2 | Security Categorization | A.8.2.1
RA-3 | Risk Assessment | 6.1.2, 8.2, A.12.6.1*
RA-4 | Withdrawn | ---
RA-5 | Vulnerability Monitoring and Scanning | A.12.6.1*
RA-6 | Technical Surveillance Countermeasures Survey | None
RA-7 | Risk Response | 6.1.3, 8.3, 10.1
RA-8 | Privacy Impact Assessments | None
RA-9 | Criticality Analysis | A.15.2.2*
RA-10 | Threat Hunting | None

SA-1 | System and Services Acquisition Policy and Procedures | 5.2, 5.3, 7.5.1, 7.5.2, 7.5.3, 8.1, A.5.1.1, A.5.1.2, A.6.1.1, A.12.1.1, A.18.1.1, A.18.2.2
SA-2 | Allocation of Resources | None
SA-3 | System Development Life Cycle | A.6.1.1, A.6.1.5, A.14.1.1, A.14.2.1, A.14.2.6
SA-4 | Acquisition Process | 8.1, A.14.1.1, A.14.2.7, A.14.2.9, A.15.1.2
SA-5 | System Documentation | 7.5.1, 7.5.2, 7.5.3, A.12.1.1*
SA-6 | Withdrawn | ---
SA-7 | Withdrawn | ---
SA-8 | Security Engineering Principles | A.14.2.5
SA-9 | External System Services | A.6.1.1, A.6.1.5, A.7.2.1, A.13.1.2, A.13.2.2, A.15.2.1, A.15.2.2
SA-10 | Developer Configuration Management | A.12.1.2, A.14.2.2, A.14.2.4, A.14.2.7
SA-11 | Developer Testing and Evaluation | A.14.2.7, A.14.2.8
SA-12 | Withdrawn | ---
SA-13 | Withdrawn | ---
SA-14 | Withdrawn | ---
SA-15 | Development Process, Standards, and Tools | A.6.1.5, A.14.2.1
SA-16 | Developer-Provided Training | None
SA-17 | Developer Security and Privacy Architecture and Design | A.14.2.1, A.14.2.5
SA-18 | Withdrawn | ---
SA-19 | Withdrawn | ---
SA-20 | Customized Development of Critical Components | None
SA-21 | Developer Screening | A.7.1.1
SA-22 | Unsupported System Components | None
SA-23 | Specialization | None

SC-1 | System and Communications Protection Policy and Procedures | 5.2, 5.3, 7.5.1, 7.5.2, 7.5.3, A.5.1.1, A.5.1.2, A.6.1.1, A.12.1.1, A.18.1.1, A.18.2.2
SC-2 | Separation of System and User Functionality | None
SC-3 | Security Function Isolation | None
SC-4 | Information in Shared System Resources | None
SC-5 | Denial-of-Service Protection | None
SC-6 | Resource Availability | None
SC-7 | Boundary Protection | A.13.1.1, A.13.1.3, A.13.2.1, A.14.1.3
SC-8 | Transmission Confidentiality and Integrity | A.8.2.3, A.13.1.1, A.13.2.1, A.13.2.3, A.14.1.2, A.14.1.3
SC-9 | Withdrawn | ---
SC-10 | Network Disconnect | A.13.1.1
SC-11 | Trusted Path | None
SC-12 | Cryptographic Key Establishment and Management | A.10.1.2
SC-13 | Cryptographic Protection | A.10.1.1, A.14.1.2, A.14.1.3, A.18.1.5
SC-14 | Withdrawn | ---
SC-15 | Collaborative Computing Devices and Applications | A.13.2.1*
SC-16 | Transmission of Security and Privacy Attributes | None
SC-17 | Public Key Infrastructure Certificates | A.10.1.2
SC-18 | Mobile Code | None
SC-19 | Withdrawn | ---
SC-20 | Secure Name/Address Resolution Service (Authoritative Source) | None
SC-21 | Secure Name/Address Resolution Service (Recursive or Caching Resolver) | None
SC-22 | Architecture and Provisioning for Name/Address Resolution Service | None
SC-23 | Session Authenticity | None
SC-24 | Fail in Known State | None
SC-25 | Thin Nodes | None
SC-26 | Decoys | None
SC-27 | Platform-Independent Applications | None
SC-28 | Protection of Information at Rest | A.8.2.3*
SC-29 | Heterogeneity | None
SC-30 | Concealment and Misdirection | None
SC-31 | Covert Channel Analysis | None
SC-32 | System Partitioning | None
SC-33 | Withdrawn | ---
SC-34 | Non-Modifiable Executable Programs | None
SC-35 | External Malicious Code Identification | None
SC-36 | Distributed Processing and Storage | None
SC-37 | Out-of-Band Channels | None
SC-38 | Operations Security | A.12.x (the A.12 Operations security control family as a whole)
SC-39 | Process Isolation | None
SC-40 | Wireless Link Protection | None
SC-41 | Port and I/O Device Access | None
SC-42 | Sensor Capability and Data | A.11.1.5*
SC-43 | Usage Restrictions | None
SC-44 | Detonation Chambers | None
SC-45 | System Time Synchronization | None
SC-46 | Cross Domain Policy Enforcement | None
SC-47 | Alternate Communications Paths | None
SC-48 | Sensor Relocation | None
SC-49 | Hardware-Enforced Separation and Policy Enforcement | None
SC-50 | Software-Enforced Separation and Policy Enforcement | None
SC-51 | Hardware-Based Protection | None

SI-1 | System and Information Integrity Policy and Procedures | 5.2, 5.3, 7.5.1, 7.5.2, 7.5.3, A.5.1.1, A.5.1.2, A.6.1.1, A.12.1.1, A.18.1.1, A.18.2.2
SI-2 | Flaw Remediation | A.12.6.1, A.14.2.2, A.14.2.3, A.16.1.3
SI-3 | Malicious Code Protection | A.12.2.1
SI-4 | System Monitoring | None
SI-5 | Security Alerts, Advisories, and Directives | A.6.1.4*
SI-6 | Security and Privacy Function Verification | None
SI-7 | Software, Firmware, and Information Integrity | None
SI-8 | Spam Protection | None
SI-9 | Withdrawn | ---
SI-10 | Information Input Validation | None
SI-11 | Error Handling | None
SI-12 | Information Management and Retention | None
SI-13 | Predictable Failure Prevention | None
SI-14 | Non-Persistence | None
SI-15 | Information Output Filtering | None
SI-16 | Memory Protection | None
SI-17 | Fail-Safe Procedures | None
SI-18 | Personally Identifiable Information Quality Operations | None
SI-19 | De-identification | None
SI-20 | Tainting | None
SI-21 | Information Refresh | None
SI-22 | Information Diversity | None
SI-23 | Information Fragmentation | None

SR-1 | Supply Chain Risk Management Policy and Procedures | 5.2, 5.3, 7.5.1, 7.5.2, 7.5.3, A.5.1.1, A.5.1.2, A.6.1.1, A.12.1.1, A.15.1.1, A.18.1.1, A.18.2.2
SR-2 | Supply Chain Risk Management Plan | A.14.2.7*
SR-3 | Supply Chain Controls and Processes | A.15.1.2, A.15.1.3*
SR-4 | Provenance | A.14.2.7*
SR-5 | Acquisition Strategies, Tools, and Methods | A.15.1.3
SR-6 | Supplier Assessments and Reviews | A.15.2.1
SR-7 | Supply Chain Operations Security | A.15.2.2*
SR-8 | Notification Agreements | None
SR-9 | Tamper Resistance and Detection | None
SR-10 | Inspection of Systems or Components | None
SR-11 | Component Authenticity | None
SR-12 | Component Disposal | None

Table 2 provides a mapping from the security requirements and controls in ISO/IEC 27001 to the security controls in Special Publication 800-53. Please review the introductory text provided above before employing the mappings in Table 2.

TABLE 2: MAPPING ISO/IEC 27001 TO NIST SP 800-53

Note: An asterisk (*) indicates that the listed NIST SP 800-53 control(s) do not fully satisfy the intent of the ISO/IEC 27001 requirement or control. Where a control enhancement is listed, e.g. "AC-19(4)", only that enhancement is mapped, not its base control. "All XX-1 controls" means every family's -1 policy and procedures control (AC-1, AT-1, AU-1, and so on).

ISO/IEC 27001 REQUIREMENT OR CONTROL | NIST SP 800-53 CONTROLS

ISO/IEC 27001 Requirements

4. Context of the Organization
4.1 Understanding the organization and its context | PM-1, PM-11
4.2 Understanding the needs and expectations of interested parties | PM-1
4.3 Determining the scope of the information security management system | PM-1, PM-9, PM-28
4.4 Information security management system | PM-1, PM-9, PM-30, PM-31

5. Leadership
5.1 Leadership and commitment | PM-2, PM-3, PM-29
5.2 Policy | All XX-1 controls
5.3 Organizational roles, responsibilities, and authorities | All XX-1 controls, PM-2, PM-6, PM-29

6. Planning
6.1 Actions to address risks and opportunities
6.1.1 General | PM-1, PM-4, PM-6, PM-9
6.1.2 Information security risk assessment | PM-9, PM-28, RA-3
6.1.3 Information security risk treatment | RA-7
6.2 Information security objectives and planning | PM-1, PM-3, PM-4, PM-6, PM-9, PM-14, PM-28, PM-30, PM-31

7. Support
7.1 Resources | PM-3
7.2 Competence | PM-13
7.3 Awareness | AT-2, PS-8
7.4 Communication | PM-1, PM-15, PM-28, PM-31
7.5 Documented information
7.5.1 General | All XX-1 controls, CP-2, IR-8, PL-2, PM-4, PM-9, PM-28, PM-30, PM-31, SA-5
7.5.2 Creating and updating | All XX-1 controls, CP-2, IR-8, PL-2, PM-4, PM-9, PM-28, PM-30, PM-31, SA-5
7.5.3 Control of documented information | All XX-1 controls, CP-2, IR-8, PL-2, PM-4, PM-9, PM-28, PM-30, PM-31, SA-5

8. Operation
8.1 Operation planning and control | CM-3, PL-7, PM-1, SA-1, SA-4
8.2 Information security risk assessment | RA-3
8.3 Information security risk treatment | CA-5, PM-4, RA-7

9. Performance evaluation
9.1 Monitoring, measurement, analysis, and evaluation | CA-1, CA-7, PM-6, PM-31
9.2 Internal audit | CA-1, CA-2, CA-5, CA-7, PM-4
9.3 Management review | CA-6, PM-1, PM-4, PM-9, PM-10, PM-29

10. Improvement
10.1 Nonconformity and corrective action | CA-5, PL-2, PM-4, PM-31, RA-7
10.2 Continual improvement | PM-1, PM-9, PM-30, PM-31

ISO/IEC 27001 Controls

A.5 Information Security Policies
A.5.1 Management direction for information security
A.5.1.1 Policies for information security | All XX-1 controls
A.5.1.2 Review of the policies for information security | All XX-1 controls

A.6 Organization of information security
A.6.1 Internal organization
A.6.1.1 Information security roles and responsibilities | All XX-1 controls, CM-9, CP-2, PS-7, PS-9, SA-3, SA-9, PM-2, PM-10
A.6.1.2 Segregation of duties | AC-5
A.6.1.3 Contact with authorities | IR-6
A.6.1.4 Contact with special interest groups | SI-5, PM-15
A.6.1.5 Information security in project management | SA-3, SA-9, SA-15
A.6.2 Mobile devices and teleworking
A.6.2.1 Mobile device policy | AC-17, AC-18, AC-19
A.6.2.2 Teleworking | AC-3, AC-17, PE-17

A.7 Human Resources Security
A.7.1 Prior to employment
A.7.1.1 Screening | PS-3, SA-21
A.7.1.2 Terms and conditions of employment | PL-4, PS-6
A.7.2 During employment
A.7.2.1 Management responsibilities | PL-4, PS-6, PS-7, SA-9
A.7.2.2 Information security awareness, education, and training | AT-2, AT-3, CP-3, IR-2, PM-13
A.7.2.3 Disciplinary process | PS-8
A.7.3 Termination and change of employment
A.7.3.1 Termination or change of employment responsibilities | PS-4, PS-5

A.8 Asset Management
A.8.1 Responsibility for assets
A.8.1.1 Inventory of assets | CM-8
A.8.1.2 Ownership of assets | CM-8
A.8.1.3 Acceptable use of assets | PL-4
A.8.1.4 Return of assets | PS-4, PS-5
A.8.2 Information classification
A.8.2.1 Classification of information | RA-2
A.8.2.2 Labelling of information | MP-3, PE-22
A.8.2.3 Handling of assets | MP-2, MP-4, MP-5, MP-6, MP-7, PE-16, PE-18, PE-20, SC-8, SC-28
A.8.3 Media handling
A.8.3.1 Management of removable media | MP-2, MP-4, MP-5, MP-6, MP-7
A.8.3.2 Disposal of media | MP-6
A.8.3.3 Physical media transfer | MP-5

A.9 Access Control
A.9.1 Business requirements of access control
A.9.1.1 Access control policy | AC-1
A.9.1.2 Access to networks and network services | AC-3, AC-6
A.9.2 User access management
A.9.2.1 User registration and de-registration | AC-2, IA-2, IA-4, IA-5, IA-8
A.9.2.2 User access provisioning | AC-2
A.9.2.3 Management of privileged access rights | AC-2, AC-3, AC-6, CM-5
A.9.2.4 Management of secret authentication information of users | IA-5
A.9.2.5 Review of user access rights | AC-2
A.9.2.6 Removal or adjustment of access rights | AC-2
A.9.3 User responsibilities
A.9.3.1 Use of secret authentication information | IA-5
A.9.4 System and application access control
A.9.4.1 Information access restriction | AC-3, AC-24
A.9.4.2 Secure logon procedures | AC-7, AC-8, AC-9, IA-6
A.9.4.3 Password management system | IA-5
A.9.4.4 Use of privileged utility programs | AC-3, AC-6
A.9.4.5 Access control to program source code | AC-3, AC-6, CM-5

A.10 Cryptography
A.10.1 Cryptographic controls
A.10.1.1 Policy on the use of cryptographic controls | SC-13
A.10.1.2 Key management | SC-12, SC-17

A.11 Physical and environmental security
A.11.1 Secure areas
A.11.1.1 Physical security perimeter | PE-3*
A.11.1.2 Physical entry controls | PE-2, PE-3, PE-4, PE-5
A.11.1.3 Securing offices, rooms and facilities | PE-3, PE-5
A.11.1.4 Protecting against external and environmental threats | CP-6, CP-7, PE-9, PE-13, PE-14, PE-15, PE-18, PE-19, PE-23
A.11.1.5 Working in secure areas | AC-19(4), SC-42*
A.11.1.6 Delivery and loading areas | PE-16
A.11.2 Equipment
A.11.2.1 Equipment siting and protection | PE-9, PE-13, PE-14, PE-15, PE-18, PE-19, PE-23
A.11.2.2 Supporting utilities | CP-8, PE-9, PE-10, PE-11, PE-12, PE-14, PE-15
A.11.2.3 Cabling security | PE-4, PE-9
A.11.2.4 Equipment maintenance | MA-2, MA-6
A.11.2.5 Removal of assets | MA-2, MP-5, PE-16
A.11.2.6 Security of equipment and assets off-premises | AC-19, AC-20, MP-5, PE-17
A.11.2.7 Secure disposal or reuse of equipment | MP-6
A.11.2.8 Unattended user equipment | AC-11
A.11.2.9 Clear desk and clear screen policy | AC-11, MP-2, MP-4

A.12 Operations security
A.12.1 Operational procedures and responsibilities
A.12.1.1 Documented operating procedures | All XX-1 controls, SA-5
A.12.1.2 Change management | CM-3, CM-5, SA-10
A.12.1.3 Capacity management | AU-4, CP-2(2), SC-5(2)
A.12.1.4 Separation of development, testing, and operational environments | CM-4(1), CM-5*
A.12.2 Protection from malware
A.12.2.1 Controls against malware | AT-2, SI-3
A.12.3 Backup
A.12.3.1 Information backup | CP-9
A.12.4 Logging and monitoring
A.12.4.1 Event logging | AU-3, AU-6, AU-11, AU-12, AU-14
A.12.4.2 Protection of log information | AU-9
A.12.4.3 Administrator and operator logs | AU-9, AU-12
A.12.4.4 Clock synchronization | AU-8
A.12.5 Control of operational software
A.12.5.1 Installation of software on operational systems | CM-5, CM-7(4), CM-7(5), CM-11
A.12.6 Technical vulnerability management
A.12.6.1 Management of technical vulnerabilities | RA-3, RA-5, SI-2, SI-5
A.12.6.2 Restrictions on software installation | CM-11
A.12.7 Information systems audit considerations
A.12.7.1 Information systems audit controls | AU-5*

A.13 Communications security
A.13.1 Network security management
A.13.1.1 Network controls | AC-3, AC-17, AC-18, AC-20, SC-7, SC-8, SC-10
A.13.1.2 Security of network services | CA-3, SA-9
A.13.1.3 Segregation in networks | AC-4, SC-7
A.13.2 Information transfer
A.13.2.1 Information transfer policies and procedures | AC-4, AC-17, AC-18, AC-19, AC-20, CA-3, PE-17, SC-7, SC-8, SC-15
A.13.2.2 Agreements on information transfer | CA-3, PS-6, SA-9
A.13.2.3 Electronic messaging | SC-8
A.13.2.4 Confidentiality or nondisclosure agreements | PS-6

A.14 System acquisition, development and maintenance
A.14.1 Security requirements of information systems
A.14.1.1 Information security requirements analysis and specification | PL-2, PL-7, PL-8, SA-3, SA-4
A.14.1.2 Securing application services on public networks | AC-3, AC-4, AC-17, SC-8, SC-13
A.14.1.3 Protecting application services transactions | AC-3, AC-4, SC-7, SC-8, SC-13
A.14.2 Security in development and support processes
A.14.2.1 Secure development policy | SA-3, SA-15, SA-17
A.14.2.2 System change control procedures | CM-3, SA-10, SI-2
A.14.2.3 Technical review of applications after operating platform changes | CM-3, CM-4, SI-2
A.14.2.4 Restrictions on changes to software packages | CM-3, SA-10
A.14.2.5 Secure system engineering principles | SA-8
A.14.2.6 Secure development environment | SA-3*
A.14.2.7 Outsourced development | SA-4, SA-10, SA-11, SA-15, SR-2, SR-4
A.14.2.8 System security testing | CA-2, SA-11
A.14.2.9 System acceptance testing | SA-4, SR-5(2)
A.14.3 Test data
A.14.3.1 Protection of test data | SA-15(9)*

A.15 Supplier Relationships
A.15.1 Information security in supplier relationships
A.15.1.1 Information security policy for supplier relationships | SR-1
A.15.1.2 Addressing security within supplier agreements | SA-4, SR-3
A.15.1.3 Information and communication technology supply chain | SR-3, SR-5
A.15.2 Supplier service delivery management
A.15.2.1 Monitoring and review of supplier services | SA-9, SR-6
A.15.2.2 Managing changes to supplier services | RA-9, SA-9, SR-7

A.16 Information security incident management
A.16.1 Management of information security incidents and improvements
A.16.1.1 Responsibilities and procedures | IR-8
A.16.1.2 Reporting information security events | AU-6, IR-6
A.16.1.3 Reporting information security weaknesses | SI-2
A.16.1.4 Assessment of and decision on information security events | AU-6, IR-4
A.16.1.5 Response to information security incidents | IR-4
A.16.1.6 Learning from information security incidents | IR-4
A.16.1.7 Collection of evidence | AU-4, AU-9, AU-10(3), AU-11*

A.17 Information security aspects of business continuity management
A.17.1 Information security continuity
A.17.1.1 Planning information security continuity | CP-2
A.17.1.2 Implementing information security continuity | CP-6, CP-7, CP-8, CP-9, CP-10, CP-11, CP-13
A.17.1.3 Verify, review, and evaluate information security continuity | CP-4
A.17.2 Redundancies
A.17.2.1 Availability of information processing facilities | CP-2, CP-6, CP-7

A.18 Compliance
A.18.1 Compliance with legal and contractual requirements
A.18.1.1 Identification of applicable legislation and contractual requirements | All XX-1 controls
A.18.1.2 Intellectual property rights | CM-10
A.18.1.3 Protection of records | AC-3, AC-23, AU-9, AU-10, CP-9, SC-8, SC-8(1), SC-13, SC-28, SC-28(1)
A.18.1.4 Privacy and protection of personal information | Appendix J Privacy controls (Appendix J is the Revision 4 privacy appendix; in Revision 5 the privacy controls are integrated into the control catalog, see Example 4 above)
A.18.1.5 Regulation of cryptographic controls | IA-7, SC-12, SC-13, SC-17
A.18.2 Information security reviews
A.18.2.1 Independent review of information security | CA-2(1), SA-11(3)
A.18.2.2 Compliance with security policies and standards | All XX-1 controls, CA-2
A.18.2.3 Technical compliance review | CA-2