NIST SP 800-53, Revision 5 Control Mappings to ISO/IEC 27001



July 2023

The mapping tables in this appendix provide organizations with a general indication of security control coverage with respect to ISO/IEC 27001, Information security, cybersecurity and privacy protection – Information security management systems – Requirements. ISO/IEC 27001 may be applied to all types of organizations and specifies requirements for establishing, implementing, operating, monitoring, reviewing, maintaining, and improving a documented information security management system (ISMS) within the context of business risks. NIST Special Publication 800-39 includes guidance on managing risk at the organizational level, mission/business process level, and system level; it is consistent with ISO/IEC 27001 and provides additional implementation detail for the federal government and its contractors.

The mapping of SP 800-53 Revision 5 controls to ISO/IEC 27001:2022 requirements and controls reflects whether the implementation of a security control from Special Publication 800-53 satisfies the intent of the mapped security requirement or control from ISO/IEC 27001 and, conversely, whether the implementation of a security requirement or security control from ISO/IEC 27001 satisfies the intent of the mapped control from Special Publication 800-53. To meet the mapping criteria, the implementation of the mapped controls should result in an equivalent information security posture. However, organizations should not assume security requirement and control equivalency based solely on the mapping tables herein: there is always some degree of subjectivity in the mapping analysis, the mappings are not always one-to-one, and mapped controls may not be completely equivalent. Organization-specific implementations may also play a role in control equivalency.
The following examples illustrate some of the mapping issues:

Example 1: Special Publication 800-53 contingency planning and ISO/IEC 27001 ICT readiness for business continuity were deemed to have similar, but not the same, functionality.

Example 2: Similar topics addressed in the two security control sets may have a different context, perspective, or scope. Special Publication 800-53 addresses information flow control broadly in terms of approved authorizations for controlling access between source and destination objects, whereas ISO/IEC 27001 addresses information flow more narrowly as it applies to interconnected network domains.

Example 3: Security control 5.2, Information security roles and responsibilities, in ISO/IEC 27001 Annex A states that “Information security roles and responsibilities shall be defined and allocated according to the organization needs”, while security control PM-10, Authorization Process, in Special Publication 800-53, which is mapped to 5.2, has three distinct parts. Part b. of PM-10 requires designation of “individuals to fulfill specific roles and responsibilities…”. If 5.2 is mapped to PM-10 without any additional information, organizations might assume that if 5.2 is implemented (i.e., all responsibilities are defined and allocated), then the intent of PM-10 is also fully satisfied. However, this may not be the case, since parts a. and c. of PM-10 may not have been addressed.

To resolve and clarify the security control mappings, when a security requirement or control in the right column of Tables 1 and 2 does not fully satisfy the intent of the security requirement or control in the left column, the control or controls in the right column (i.e., the entire set of controls listed) are designated with an asterisk (*).

Example 4: Privacy controls were integrated into the SP 800-53, Revision 5, control set to address privacy requirements for the processing of personally identifiable information (PII) and thus are included in the mapping table; however, ISO/IEC 27001 does not specifically address privacy beyond the inherent benefits provided by maintaining the security of PII. Users of this mapping table may assume that the ISO/IEC 27001 controls do not satisfy privacy requirements with respect to PII processing.

In a few cases, an ISO/IEC 27001 security requirement or control could only be directly mapped to a Special Publication 800-53 control enhancement. In such cases, the relevant enhancement is specified in Table 2, indicating that the corresponding ISO/IEC 27001 requirement or control satisfies only the intent of the specified enhancement and does not address the associated base control from Special Publication 800-53 or any other enhancements under that base control. Where no enhancement is specified, the ISO/IEC 27001 requirement or control is relevant only to the Special Publication 800-53 base control.

Table 1 provides a mapping from the security controls in NIST Special Publication 800-53 to the security controls in ISO/IEC 27001. Please review the introductory text above before employing the mappings in Table 1.
Note: although the prefix “A.” was removed from Annex A in 27001:2022, the prefix was maintained in Tables 1 and 2 below to distinguish between requirements and controls (controls from Annex A).

TABLE 1: MAPPING NIST SP 800-53, REVISION 5 TO ISO/IEC 27001:2022

Note: An asterisk (*) indicates that the ISO/IEC control does not fully satisfy the intent of the NIST control.

ID | NIST SP 800-53, REVISION 5 CONTROL | ISO/IEC 27001:2022 REQUIREMENTS AND CONTROLS
AC-1 | Access Control Policy and Procedures | 5.2, 5.3, 7.5.1, 7.5.2, 7.5.3, A.5.1, A.5.2, A.5.4, A.5.15, A.5.31, A.5.36, A.5.37
AC-2 | Account Management | A.5.16, A.5.18, A.8.2
AC-3 | Access Enforcement | A.5.15, A.5.33*, A.8.3, A.8.4*, A.8.18, A.8.20, A.8.26
AC-4 | Information Flow Enforcement | A.5.14, A.8.22, A.8.23
AC-5 | Separation of Duties | A.5.3
AC-6 | Least Privilege | A.5.15*, A.8.2, A.8.18
AC-7 | Unsuccessful Logon Attempts | A.8.5*
AC-8 | System Use Notification | A.8.5*
AC-9 | Previous Logon Notification | A.8.5*
AC-10 | Concurrent Session Control | None
AC-11 | Device Lock | A.7.7, A.8.1
AC-12 | Session Termination | None
AC-13 | Withdrawn | ---
AC-14 | Permitted Actions without Identification or Authentication | None
AC-15 | Withdrawn | ---
AC-16 | Security and Privacy Attributes | None
AC-17 | Remote Access | A.5.14, A.6.7, A.8.1
AC-18 | Wireless Access | A.5.14, A.8.1, A.8.20
AC-19 | Access Control for Mobile Devices | A.5.14, A.7.9, A.8.1
AC-20 | Use of External Systems | A.5.14, A.7.9, A.8.20
AC-21 | Information Sharing | None
AC-22 | Publicly Accessible Content | None
AC-23 | Data Mining Protection | None
AC-24 | Access Control Decisions | A.8.3*
AC-25 | Reference Monitor | None
AT-1 | Awareness and Training Policy and Procedures | 5.2, 5.3, 7.5.1, 7.5.2, 7.5.3, A.5.1, A.5.2, A.5.4, A.5.31, A.5.36, A.5.37
AT-2 | Literacy Training and Awareness | 7.3, A.6.3, A.8.7*
AT-3 | Role-Based Training | A.6.3*
AT-4 | Training Records | None
AT-5 | Withdrawn | ---
AT-6 | Training Feedback | None
AU-1 | Audit and Accountability Policy and Procedures | 5.2, 5.3, 7.5.1, 7.5.2, 7.5.3, A.5.1, A.5.2, A.5.4, A.5.31, A.5.36, A.5.37
AU-2 | Event Logging | A.8.15
AU-3 | Content of Audit Records | A.8.15*
AU-4 | Audit Log Storage Capacity | A.8.6
AU-5 | Response to Audit Logging Process Failures | None
AU-6 | Audit Record Review, Analysis, and Reporting | A.5.25, A.6.8, A.8.15
AU-7 | Audit Record Reduction and Report Generation | None
AU-8 | Time Stamps | A.8.17
AU-9 | Protection of Audit Information | A.5.33, A.8.15
AU-10 | Non-repudiation | None
AU-11 | Audit Record Retention | A.5.28, A.8.15
AU-12 | Audit Record Generation | A.8.15
AU-13 | Monitoring for Information Disclosure | A.8.12, A.8.16*
AU-14 | Session Audit | A.8.15*
AU-15 | Withdrawn | ---
AU-16 | Cross-Organizational Audit Logging | None
CA-1 | Assessment and Authorization Policies and Procedures | 5.2, 5.3, 7.5.1, 7.5.2, 7.5.3, 9.2.2*, 9.3.1*, A.5.1, A.5.2, A.5.4, A.5.31, A.5.36, A.5.37
CA-2 | Control Assessments | 9.2.1*, 9.2.2*, A.5.30*, A.5.36, A.8.29
CA-3 | Information Exchange | A.5.14, A.8.21
CA-4 | Withdrawn | ---
CA-5 | Plan of Action and Milestones | 8.3, 9.3.3*, 10.2*
CA-6 | Authorization | 9.3.1*, 9.3.3*
CA-7 | Continuous Monitoring | 9.1, 9.3.2*, 9.3.3*, A.5.36*
CA-8 | Penetration Testing | None
CA-9 | Internal System Connections | None
CM-1 | Configuration Management Policy and Procedures | 5.2, 5.3, 7.5.1, 7.5.2, 7.5.3, A.5.1, A.5.2, A.5.4, A.5.31, A.5.36, A.5.37, A.8.9
CM-2 | Baseline Configuration | A.8.9
CM-3 | Configuration Change Control | 8.1, 9.3.3*, A.8.9, A.8.32
CM-4 | Impact Analyses | A.8.9
CM-5 | Access Restrictions for Change | A.8.2, A.8.4, A.8.9, A.8.19, A.8.31, A.8.32
CM-6 | Configuration Settings | A.8.9
CM-7 | Least Functionality | A.8.19*
CM-8 | System Component Inventory | A.5.9, A.8.9
CM-9 | Configuration Management Plan | A.5.2*, A.8.9
CM-10 | Software Usage Restrictions | A.5.32*
CM-11 | User-Installed Software | A.8.19*
CM-12 | Information Location | None
CM-13 | Data Action Mapping | None
CM-14 | Signed Components | None
CP-1 | Contingency Planning Policy and Procedures | 5.2, 5.3, 7.5.1, 7.5.2, 7.5.3, A.5.1, A.5.2, A.5.4, A.5.31, A.5.36, A.5.37
CP-2 | Contingency Plan | 7.5.1, 7.5.2, 7.5.3, A.5.2, A.5.29, A.8.14
CP-3 | Contingency Training | A.6.3*
CP-4 | Contingency Plan Testing | A.5.29, A.5.30*
CP-5 | Withdrawn | ---
CP-6 | Alternate Storage Site | A.5.29*, A.7.5*, A.8.14*
CP-7 | Alternate Processing Site | A.5.29*, A.7.5*, A.8.14*
CP-8 | Telecommunications Services | A.5.29*, A.7.11
CP-9 | System Backup | A.5.29*, A.5.33*, A.8.13
CP-10 | System Recovery and Reconstitution | A.5.29*
CP-11 | Alternate Communications Protocols | A.5.29*
CP-12 | Safe Mode | None
CP-13 | Alternative Security Mechanisms | A.5.29*
IA-1 | Identification and Authentication Policy and Procedures | 5.2, 5.3, 7.5.1, 7.5.2, 7.5.3, A.5.1, A.5.2, A.5.4, A.5.31, A.5.36, A.5.37
IA-2 | Identification and Authentication (Organizational Users) | A.5.16
IA-3 | Device Identification and Authentication | None
IA-4 | Identifier Management | A.5.16
IA-5 | Authenticator Management | A.5.16, A.5.17
IA-6 | Authentication Feedback | A.8.5*
IA-7 | Cryptographic Module Authentication | None
IA-8 | Identification and Authentication (Non-Organizational Users) | A.5.16
IA-9 | Service Identification and Authentication | None
IA-10 | Adaptive Identification and Authentication | None
IA-11 | Re-authentication | None
IA-12 | Identity Proofing | None
IR-1 | Incident Response Policy and Procedures | 5.2, 5.3, 7.5.1, 7.5.2, 7.5.3, A.5.1, A.5.2, A.5.4, A.5.31, A.5.36, A.5.37
IR-2 | Incident Response Training | A.6.3*
IR-3 | Incident Response Testing | None
IR-4 | Incident Handling | A.5.25, A.5.26, A.5.27
IR-5 | Incident Monitoring | None
IR-6 | Incident Reporting | A.5.5*, A.6.8
IR-7 | Incident Response Assistance | None
IR-8 | Incident Response Plan | 7.5.1, 7.5.2, 7.5.3, A.5.24
IR-9 | Information Spillage Response | None
IR-10 | Withdrawn | ---
MA-1 | System Maintenance Policy and Procedures | 5.2, 5.3, 7.5.1, 7.5.2, 7.5.3, A.5.1, A.5.2, A.5.4, A.5.37, A.18.1.1, A.18.2.2
MA-2 | Controlled Maintenance | A.7.10*, A.7.13*, A.8.10*
MA-3 | Maintenance Tools | None
MA-4 | Nonlocal Maintenance | None
MA-5 | Maintenance Personnel | None
MA-6 | Timely Maintenance | A.7.13
MA-7 | Field Maintenance | None
MP-1 | Media Protection Policy and Procedures | 5.2, 5.3, 7.5.1, 7.5.2, 7.5.3, A.5.1, A.5.2, A.5.4, A.5.31, A.5.36, A.5.37
MP-2 | Media Access | A.5.10*, A.7.7*, A.7.10*
MP-3 | Media Marking | A.5.13
MP-4 | Media Storage | A.5.10*, A.7.7*, A.7.10, A.8.10*
MP-5 | Media Transport | A.5.10*, A.7.9, A.7.10
MP-6 | Media Sanitization | A.5.10, A.7.10*, A.7.14, A.8.10
MP-7 | Media Use | A.5.10, A.7.10
MP-8 | Media Downgrading | None
PE-1 | Physical and Environmental Protection Policy and Procedures | 5.2, 5.3, 7.5.1, 7.5.2, 7.5.3, A.5.1, A.5.2, A.5.4, A.5.31, A.5.36, A.5.37
PE-2 | Physical Access Authorizations | A.7.2*
PE-3 | Physical Access Control | A.7.1, A.7.2, A.7.3, A.7.4
PE-4 | Access Control for Transmission Medium | A.7.2, A.7.12
PE-5 | Access Control for Output Devices | A.7.2, A.7.3, A.7.7
PE-6 | Monitoring Physical Access | A.7.4, A.8.16*
PE-7 | Withdrawn | ---
PE-8 | Visitor Access Records | None
PE-9 | Power Equipment and Cabling | A.7.5, A.7.8, A.7.11, A.7.12
PE-10 | Emergency Shutoff | A.7.11*
PE-11 | Emergency Power | A.7.11
PE-12 | Emergency Lighting | A.7.11*
PE-13 | Fire Protection | A.7.5, A.7.8
PE-14 | Environmental Controls | A.7.5, A.7.8, A.7.11
PE-15 | Water Damage Protection | A.7.5, A.7.8, A.7.11
PE-16 | Delivery and Removal | A.5.10*, A.7.2*, A.7.10*
PE-17 | Alternate Work Site | A.5.14*, A.6.7, A.7.9
PE-18 | Location of System Components | A.5.10*, A.7.5, A.7.8
PE-19 | Information Leakage | A.7.5*, A.7.8*, A.8.12
PE-20 | Asset Monitoring and Tracking | A.5.10*
PE-21 | Electromagnetic Pulse Protection | None
PE-22 | Component Marking | A.5.13
PE-23 | Facility Location | A.7.5, A.7.8
PL-1 | Planning Policy and Procedures | 5.2, 5.3, 7.5.1, 7.5.2, 7.5.3, A.5.1, A.5.2, A.5.4, A.5.31, A.5.36, A.5.37
PL-2 | System Security and Privacy Plans | 7.5.1, 7.5.2, 7.5.3, 10.2, A.5.8*
PL-3 | Withdrawn | ---
PL-4 | Rules of Behavior | A.5.4, A.5.10, A.6.2*
PL-5 | Withdrawn | ---
PL-6 | Withdrawn | ---
PL-7 | Concept of Operations | 8.1, A.5.8*
PL-8 | Security and Privacy Architectures | A.5.8*
PL-9 | Central Management | None
PL-10 | Baseline Selection | None
PL-11 | Baseline Tailoring | None
PM-1 | Information Security Program Plan | 4.1, 4.2, 4.3, 4.4, 5.2, 5.3, 6.1.1, 6.2, 7.4, 7.5.1, 7.5.2, 7.5.3, 8.1, 9.3.1*, 10.1, A.5.1, A.5.2, A.5.4, A.5.31, A.5.36
PM-2 | Information Security Program Leadership Role | 5.1, 5.3, A.5.2
PM-3 | Information Security and Privacy Resources | 5.1, 6.2, 7.1
PM-4 | Plan of Action and Milestones Process | 6.1.1, 6.2, 7.5.1, 7.5.2, 7.5.3, 8.3, 9.3.2*, 10.2
PM-5 | System Inventory | None
PM-6 | Measures of Performance | 5.3, 6.1.1, 6.2, 9.1
PM-7 | Enterprise Architecture | None
PM-8 | Critical Infrastructure Plan | None
PM-9 | Risk Management Strategy | 4.3, 4.4, 6.1.1, 6.1.2, 6.2, 7.5.1, 7.5.2, 7.5.3, 10.1
PM-10 | Authorization Process | A.5.2*
PM-11 | Mission and Business Process Definition | 4.1
PM-12 | Insider Threat Program | None
PM-13 | Security and Privacy Workforce | 7.2, A.6.3*
PM-14 | Testing, Training, and Monitoring | 6.2*
PM-15 | Security and Privacy Groups and Associations | 7.4, A.5.6
PM-16 | Threat Awareness Program | A.5.7
PM-17 | Protecting Controlled Unclassified Information on External Systems | None
PM-18 | Privacy Program Plan | A.5.4
PM-19 | Privacy Program Leadership Role | None
PM-20 | Dissemination of Privacy Program Information | None
PM-21 | Accounting of Disclosures | None
PM-22 | Personally Identifiable Information Quality Management | None
PM-23 | Data Governance Body | None
PM-24 | Data Integrity Board | None
PM-25 | Minimization of Personally Identifiable Information Used in Testing, Training, and Research | None
PM-26 | Complaint Management | None
PM-27 | Privacy Reporting | None
PM-28 | Risk Framing | 4.3, 6.1.2, 6.2, 7.4, 7.5.1, 7.5.2, 7.5.3
PM-29 | Risk Management Program Leadership Roles | 5.1, 5.3, 9.3.1*, A.5.2
PM-30 | Supply Chain Risk Management Strategy | 4.4, 6.2, 7.5.1, 7.5.2, 7.5.3, 10.2*
PM-31 | Continuous Monitoring Strategy | 4.4, 6.2, 7.4, 7.5.1, 7.5.2, 7.5.3, 9.1, 9.2.2*, 10.1, 10.2
PM-32 | Purposing | None
PS-1 | Personnel Security Policy and Procedures | 5.2, 5.3, 7.5.1, 7.5.2, 7.5.3, A.5.1, A.5.2, A.5.4, A.5.31, A.5.36, A.5.37
PS-2 | Position Risk Designation | None
PS-3 | Personnel Screening | A.6.1
PS-4 | Personnel Termination | A.5.11, A.6.5
PS-5 | Personnel Transfer | A.5.11, A.6.5
PS-6 | Access Agreements | A.5.4*, A.6.2, A.6.6*
PS-7 | External Personnel Security | A.5.2, A.5.4*
PS-8 | Personnel Sanctions | 7.3, A.6.4
PS-9 | Position Descriptions | A.5.2
PT-1 | Personally Identifiable Information Processing and Transparency Policy and Procedures | A.5.4
PT-2 | Authority to Process Personally Identifiable Information | None
PT-3 | Personally Identifiable Information Processing Purposes | None
PT-4 | Consent | None
PT-5 | Privacy Notice | None
PT-6 | System of Records Notice | None
PT-7 | Specific Categories of Personally Identifiable Information | None
PT-8 | Computer Matching Requirements | None
RA-1 | Risk Assessment Policy and Procedures | 5.2, 5.3, 7.5.1, 7.5.2, 7.5.3, A.5.1, A.5.2, A.5.4, A.5.31, A.5.36, A.5.37
RA-2 | Security Categorization | A.5.12*
RA-3 | Risk Assessment | 6.1.2, 8.2, 9.3.2*, A.8.8*
RA-4 | Withdrawn | ---
RA-5 | Vulnerability Monitoring and Scanning | A.8.8*
RA-6 | Technical Surveillance Countermeasures Survey | None
RA-7 | Risk Response | 6.1.3, 8.3, 10.2
RA-8 | Privacy Impact Assessments | None
RA-9 | Criticality Analysis | A.5.22*
RA-10 | Threat Hunting | A.5.7*
SA-1 | System and Services Acquisition Policy and Procedures | 5.2, 5.3, 7.5.1, 7.5.2, 7.5.3, 8.1, A.5.1, A.5.2, A.5.4, A.5.23, A.5.31, A.5.36, A.5.37
SA-2 | Allocation of Resources | None
SA-3 | System Development Life Cycle | A.5.2*, A.5.8, A.8.25, A.8.31*
SA-4 | Acquisition Process | 8.1, A.5.8, A.5.20, A.5.23, A.8.29, A.8.30
SA-5 | System Documentation | 7.5.1, 7.5.2, 7.5.3, A.5.37*
SA-6 | Withdrawn | ---
SA-7 | Withdrawn | ---
SA-8 | Security Engineering Principles | A.8.27, A.8.28*
SA-9 | External System Services | A.5.2*, A.5.4*, A.5.8*, A.5.14*, A.5.22, A.5.23, A.8.21
SA-10 | Developer Configuration Management | A.8.9, A.8.28*, A.8.30*, A.8.32
SA-11 | Developer Testing and Evaluation | A.8.29, A.8.30*
SA-12 | Withdrawn | ---
SA-13 | Withdrawn | ---
SA-14 | Withdrawn | ---
SA-15 | Development Process, Standards, and Tools | A.5.8*, A.8.25
SA-16 | Developer-Provided Training | None
SA-17 | Developer Security and Privacy Architecture and Design | A.8.25, A.8.27
SA-18 | Withdrawn | ---
SA-19 | Withdrawn | ---
SA-20 | Customized Development of Critical Components | None
SA-21 | Developer Screening | A.6.1
SA-22 | Unsupported System Components | None
SA-23 | Specialization | None
SC-1 | System and Communications Protection Policy and Procedures | 5.2, 5.3, 7.5.1, 7.5.2, 7.5.3, A.5.1, A.5.2, A.5.4, A.5.31, A.5.36, A.5.37
SC-2 | Separation of System and User Functionality | None
SC-3 | Security Function Isolation | None
SC-4 | Information in Shared System Resources | None
SC-5 | Denial-of-Service Protection | None
SC-6 | Resource Availability | None
SC-7 | Boundary Protection | A.5.14*, A.8.16*, A.8.20*, A.8.22*, A.8.23*, A.8.26*
SC-8 | Transmission Confidentiality and Integrity | A.5.10*, A.5.14, A.8.20*, A.8.26*
SC-9 | Withdrawn | ---
SC-10 | Network Disconnect | A.8.20
SC-11 | Trusted Path | None
SC-12 | Cryptographic Key Establishment and Management | A.8.24
SC-13 | Cryptographic Protection | A.8.24, A.8.26, A.5.31
SC-14 | Withdrawn | ---
SC-15 | Collaborative Computing Devices and Applications | A.5.14*
SC-16 | Transmission of Security and Privacy Attributes | None
SC-17 | Public Key Infrastructure Certificates | A.8.24
SC-18 | Mobile Code | None
SC-19 | Withdrawn | None
SC-20 | Secure Name/Address Resolution Service (Authoritative Source) | None
SC-21 | Secure Name/Address Resolution Service (Recursive or Caching Resolver) | None
SC-22 | Architecture and Provisioning for Name/Address Resolution Service | None
SC-23 | Session Authenticity | None
SC-24 | Fail in Known State | None
SC-25 | Thin Nodes | None
SC-26 | Decoys | None
SC-27 | Platform-Independent Applications | None
SC-28 | Protection of Information at Rest | A.5.10*
SC-29 | Heterogeneity | None
SC-30 | Concealment and Misdirection | None
SC-31 | Covert Channel Analysis | None
SC-32 | System Partitioning | None
SC-33 | Withdrawn | ---
SC-34 | Non-Modifiable Executable Programs | None
SC-35 | External Malicious Code Identification | None
SC-36 | Distributed Processing and Storage | None
SC-37 | Out-of-Band Channels | None
SC-38 | Operations Security | A.8.x
SC-39 | Process Isolation | None
SC-40 | Wireless Link Protection | None
SC-41 | Port and I/O Device Access | None
SC-42 | Sensor Capability and Data | None
SC-43 | Usage Restrictions | None
SC-44 | Detonation Chambers | None
SC-45 | System Time Synchronization | None
SC-46 | Cross Domain Policy Enforcement | None
SC-47 | Alternate Communications Paths | None
SC-48 | Sensor Relocation | None
SC-49 | Hardware-Enforced Separation and Policy Enforcement | None
SC-50 | Software-Enforced Separation and Policy Enforcement | None
SC-51 | Hardware-Based Protection | None
SI-1 | System and Information Integrity Policy and Procedures | 5.2, 5.3, 7.5.1, 7.5.2, 7.5.3, A.5.1, A.5.2, A.5.4, A.5.31, A.5.36, A.5.37
SI-2 | Flaw Remediation | A.6.8*, A.8.8, A.8.32*
SI-3 | Malicious Code Protection | A.8.7
SI-4 | System Monitoring | A.8.16*
SI-5 | Security Alerts, Advisories, and Directives | A.5.6*
SI-6 | Security and Privacy Function Verification | None
SI-7 | Software, Firmware, and Information Integrity | None
SI-8 | Spam Protection | None
SI-9 | Withdrawn | ---
SI-10 | Information Input Validation | None
SI-11 | Error Handling | None
SI-12 | Information Management and Retention | None
SI-13 | Predictable Failure Prevention | None
SI-14 | Non-Persistence | None
SI-15 | Information Output Filtering | None
SI-16 | Memory Protection | None
SI-17 | Fail-Safe Procedures | None
SI-18 | Personally Identifiable Information Quality Operations | None
SI-19 | De-identification | None
SI-20 | Tainting | A.8.12
SI-21 | Information Refresh | A.8.10
SI-22 | Information Diversity | None
SI-23 | Information Fragmentation | None
SR-1 | Supply Chain Risk Management Policy and Procedures | 5.2, 5.3, 7.5.1, 7.5.2, 7.5.3, A.5.1, A.5.2, A.5.4, A.5.19, A.5.31, A.5.36, A.5.37
SR-2 | Supply Chain Risk Management Plan | A.5.19, A.5.20*, A.5.21*, A.8.30*
SR-3 | Supply Chain Controls and Processes | A.5.20, A.5.21*
SR-4 | Provenance | A.5.21*, A.8.30*
SR-5 | Acquisition Strategies, Tools, and Methods | A.5.20, A.5.21, A.5.23
SR-6 | Supplier Assessments and Reviews | A.5.22
SR-7 | Supply Chain Operations Security | A.5.22*
SR-8 | Notification Agreements | None
SR-9 | Tamper Resistance and Detection | None
SR-10 | Inspection of Systems or Components | None
SR-11 | Component Authenticity | None
SR-12 | Component Disposal | None

Table 2 provides a mapping from the security requirements and controls in ISO/IEC 27001 to the security controls in Special Publication 800-53, including mappings of ISO/IEC 27001 requirements and controls to control enhancements. Please review the introductory text provided above before employing the mappings in Table 2.

TABLE 2: MAPPING ISO/IEC 27001:2022 TO NIST SP 800-53, REVISION 5

Note: An asterisk (*) indicates that the ISO/IEC control does not fully satisfy the intent of the NIST control.

ID | ISO/IEC 27001:2022 REQUIREMENT OR CONTROL | NIST SP 800-53, REVISION 5 CONTROLS

ISO/IEC 27001 Requirements

4. Context of the Organization
4.1 | Understanding the organization and its context | PM-1, PM-11
4.2 | Understanding the needs and expectations of interested parties | PM-1
4.3 | Determining the scope of the information security management system | PM-1, PM-9, PM-28
4.4 | Information security management system | PM-1, PM-9, PM-30, PM-31

5. Leadership
5.1 | Leadership and commitment | PM-2, PM-3, PM-29
5.2 | Policy | All XX-1 controls
5.3 | Organizational roles, responsibilities, and authorities | All XX-1 controls, PM-2, PM-6, PM-29

6. Planning
6.1 Actions to address risks and opportunities
6.1.1 | General | PM-1, PM-4, PM-6, PM-9
6.1.2 | Information security risk assessment | PM-9, PM-28, RA-3
6.1.3 | Information security risk treatment | RA-7
6.2 | Information security objectives and planning to achieve them | PM-1, PM-3, PM-4, PM-6, PM-9, PM-14, PM-28, PM-30, PM-31

7. Support
7.1 | Resources | PM-3
7.2 | Competence | PM-13
7.3 | Awareness | AT-2, PS-8
7.4 | Communication | PM-1, PM-15, PM-28, PM-31
7.5 Documented information
7.5.1 | General | All XX-1 controls, CP-2, IR-8, PL-2, PM-4, PM-9, PM-28, PM-30, PM-31, SA-5
7.5.2 | Creating and updating | All XX-1 controls, CP-2, IR-8, PL-2, PM-4, PM-9, PM-28, PM-30, PM-31, SA-5
7.5.3 | Control of documented information | All XX-1 controls, CP-2, IR-8, PL-2, PM-4, PM-9, PM-28, PM-30, PM-31, SA-5

8. Operation
8.1 | Operation planning and control | CM-3, PL-7, PM-1, SA-1, SA-4
8.2 | Information security risk assessment | RA-3
8.3 | Information security risk treatment | CA-5, PM-4, RA-7

9. Performance evaluation
9.1 | Monitoring, measurement, analysis and evaluation | CA-1, CA-7, PM-6, PM-31
9.2 Internal audit
9.2.1 | General | CA-2*, CA-7*
9.2.2 | Internal audit programme | CA-1*, CA-2*, CA-2(1)*, CA-7(1)*, PM-31*
9.3 Management review
9.3.1 | General | CA-1*, CA-6*, PM-1*, PM-29
9.3.2 | Management review inputs | CA-7*, CA-7(3)*, CA-7(4)*, PM-4*, RA-3*
9.3.3 | Management review results | CA-5*, CA-6*, CA-7*, CM-3*

10. Improvement
10.1 | Continual improvement | PM-1, PM-9, PM-30, PM-31
10.2 | Nonconformity and corrective action | CA-5, PL-2, PM-4, PM-31, RA-7

ISO/IEC 27001 Controls

5 Organizational controls
5.1 | Policies for information security | All XX-1 controls
5.2 | Information security roles and responsibilities | All XX-1 controls, CM-9, CP-2, PS-7, PS-9, SA-3, SA-9, PM-2, PM-10
5.3 | Segregation of duties | AC-5
5.4 | Management responsibilities | All XX-1 controls, PM-18*
5.5 | Contact with authorities | IR-6
5.6 | Contact with special interest groups | PM-15, SI-5
5.7 | Threat intelligence | PM-16, PM-16(1), RA-10
5.8 | Information security in project management | PL-2, PL-7, PL-8, SA-3, SA-4, SA-9, SA-15
5.9 | Inventory of information and other associated assets | CM-8
5.10 | Acceptable use of information and other associated assets | MP-2, MP-4, MP-5, MP-6, MP-7, PE-16, PE-18, PE-20, PL-4, SC-8, SC-28
5.11 | Return of assets | PS-4, PS-5
5.12 | Classification of information | RA-2
5.13 | Labelling of information | MP-3, PE-22
5.14 | Information transfer | AC-4, AC-17, AC-18, AC-19, AC-20, CA-3, PE-17, PS-6, SA-9, SC-7, SC-8, SC-15
5.15 | Access control | AC-1, AC-3, AC-6
5.16 | Identity management | AC-2, IA-2, IA-4, IA-5, IA-8
5.17 | Authentication information | IA-5
5.18 | Access rights | AC-2
5.19 | Information security in supplier relationships | SR-1
5.20 | Addressing information security within supplier agreements | SA-4, SR-3
5.21 | Managing information security in the information and communication technology (ICT) supply chain | SR-3, SR-5
5.22 | Monitoring, review and change management of supplier services | RA-9, SA-9, SR-6, SR-7
5.23 | Information security for use of cloud services | SA-1, SA-4, SA-9, SA-9(3), SR-5
5.24 | Information security incident management planning and preparation | IR-8
5.25 | Assessment and decision on information security events | AU-6, IR-4
5.26 | Response to information security events | IR-4
5.27 | Learning from information security incidents | IR-4
5.28 | Collection of evidence | AU-3, AU-4, AU-9, AU-10(3), AU-11*
5.29 | Information security during disruption | CP-2, CP-4, CP-6, CP-7, CP-8, CP-9, CP-10, CP-11, CP-13
5.30 | ICT readiness for business continuity | CP-2(1)*, CP-2(8)*, CP-4*, CP-4(1)*
5.31 | Legal, statutory, regulatory and contractual requirements | All XX-1 controls, SC-12, SC-13, SC-17
5.32 | Intellectual property rights | CM-10*
5.33 | Protection of records | AC-3*, AC-23, AU-9, CP-9, SC-8, SC-8(1)*, SC-13, SC-28, SC-28(1)*
5.34 | Privacy and protection of personal identifiable information (PII) | PM-18, PT-1, PT-3, PT-7, CA-9*, CA-3*, PL-2*, PL-8*
5.35 | Independent review of information security | CA-2(1)
5.36 | Compliance with policies, rules and standards for information security | All XX-1 controls, CA-2
5.37 | Documented operating procedures | All XX-1 controls, SA-5

6 People controls
6.1 | Screening | PS-3, SA-21
6.2 | Terms and conditions of employment | PL-4, PS-6
6.3 | Information security awareness, education, and training | AT-2, AT-3, CP-3, IR-2, PM-13
6.4 | Disciplinary process | PS-8
6.5 | Responsibilities after termination or change of employment | PS-4, PS-5
6.6 | Confidentiality or non-disclosure agreements | PS-6
6.7 | Remote working | None
6.8 | Information security event reporting | AU-6, IR-6, SI-2

7 Physical controls
7.1 | Physical security perimeters | PE-3*
7.2 | Physical entry | PE-2, PE-3, PE-4, PE-5, PE-16
7.3 | Securing offices, rooms and facilities | PE-3, PE-5
7.4 | Physical security monitoring | AU-6(6)*, PE-3, PE-3(3), PE-6, PE-6(1), PE-6(4)*
7.5 | Protecting against physical and environmental threats | CP-6, CP-7, PE-9, PE-13, PE-14, PE-15, PE-18, PE-19, PE-23
7.6 | Working in secure areas | SC-42*
7.7 | Clear desk and clear screen | AC-11, MP-2, MP-4
7.8 | Equipment siting and protection | PE-9, PE-13, PE-14, PE-15, PE-18, PE-19, PE-23
7.9 | Security of assets off-premises | AC-19, AC-20, MP-5, PE-17
7.10 | Storage media | MA-2, MP-2, MP-4, MP-5, MP-6, MP-7, PE-16
7.11 | Supporting utilities | CP-8, PE-9, PE-10, PE-11, PE-12, PE-14, PE-15
7.12 | Cabling security | PE-4, PE-9
7.13 | Equipment maintenance | MA-2, MA-6
7.14 | Secure disposal or re-use of equipment | MP-6

8 Technological controls
8.1 | User end point devices | AC-11
8.2 | Privileged access rights | AC-2, AC-3, AC-6, CM-5
8.3 | Information access restriction | AC-3, AC-24
8.4 | Access to source code | AC-3*, AC-3(11), CM-5
8.5 | Secure authentication | AC-7, AC-8, AC-9, IA-6
8.6 | Capacity management | AU-4, CP-2(2), SC-5(2)*
8.7 | Protection against malware | AT-2, SI-3
8.8 | Management of technical vulnerabilities | RA-3, RA-5, SI-2, SI-5
8.9 | Configuration management | CM-1, CM-2, CM-2(3)*, CM-3, CM-3(7), CM-3(8), CM-4, CM-5, CM-6, CM-8, CM-9, CM-9(1)*, SA-10
8.10 | Information deletion | AC-4(25)*, AC-7(2)*, MA-2, MA-3(3)*, MA-4(3)*, MP-4, MP-6, MP-6(1)*, SI-21
8.11 | Data masking | AC-4(23), SI-19(4)
8.12 | Data leakage prevention | AU-13, PE-3(2)*, PE-19, SC-7(10)*, SI-20
8.13 | Information backup | CP-9
8.14 | Redundancy of information processing facilities | CP-2, CP-6, CP-7
8.15 | Logging | AU-3, AU-6, AU-9, AU-11, AU-12, AU-14
8.16 | Monitoring activities | AC-2(12), AC-17(1), AU-13*, IR-4(13)*, MA-4(1)*, PE-6*, PE-6(3)*, SI-4, SI-4(4)*, SI-4(13)*, SI-4(16)*
8.17 | Clock synchronization | AU-8
8.18 | Use of privileged utility programs | AC-3, AC-6
8.19 | Installation of software on operational systems | CM-5, CM-7(4)*, CM-7(5)*, CM-11*
8.20 | Networks security | AC-3, AC-18, AC-20, SC-7, SC-8, SC-10
8.21 | Security of network services | CA-3, SA-9
8.22 | Segregation of networks | AC-4, SC-7
8.23 | Web filtering | AC-4, SC-7, SC-7(8)
8.24 | Use of cryptography | SC-12, SC-13, SC-17
8.25 | Secure development life cycle | SA-3, SA-15, SA-17
8.26 | Application security requirements | AC-3, SC-8*, SC-13
8.27 | Secure system architecture and engineering principles | SA-8
8.28 | Secure coding | SA-4(3)*, SA-8, SA-11(1)*, SA-15(5)*, SI-10
8.29 | Security testing in development and acceptance | CA-2, SA-4, SA-11, SR-5(2)*
8.30 | Outsourced development | SA-4, SA-10, SA-11, SA-15, SR-2, SR-4
8.31 | Separation of development, test and production environments | CM-4(1), CM-5*, SA-3*
8.32 | Change management | CM-3, CM-5, SA-10, SI-2
8.33 | Test information | SA-3(2)*
8.34 | Protection of information systems during audit testing | AU-5*