NIST Cybersecurity Framework (CSF) and ISO/IEC 27001

This entry is part 2 of 3 in the series Cyber Security Frameworks



NIST CSF Functions and Categories to ISO/IEC 27001 Annex A Controls

The category identifiers below are those of CSF v1.1 and the control numbers are from ISO/IEC 27001:2013 Annex A. Both have since been revised: ISO/IEC 27001:2022 collapsed Annex A into four themes (A.5 Organizational, A.6 People, A.7 Physical, A.8 Technological) with new numbering, and CSF 2.0 added a Govern (GV) function that absorbed Governance and Supply Chain Risk Management. Check any mapping against the edition your auditor is working from. Note also that Annex A is only the control catalogue; the management-system clauses (4 to 10) are not listed here, and risk assessment and treatment in particular are defined in clauses 6.1.2, 6.1.3 and 8.2 rather than in Annex A.

Identify (ID)

  • Asset Management (ID.AM): A.8 (Asset Management)
  • Business Environment (ID.BE): A.5 (Information Security Policies); the organization's context, stakeholders and scope are covered by clause 4
  • Governance (ID.GV): A.6 (Organization of Information Security), A.18.1 (Compliance with Legal and Contractual Requirements)
  • Risk Assessment (ID.RA): A.6, A.12.6.1 (Management of Technical Vulnerabilities); the risk assessment process itself is clauses 6.1.2 and 8.2
  • Risk Management Strategy (ID.RM): A.6, A.12.6.1; risk treatment is clause 6.1.3
  • Supply Chain Risk Management (ID.SC): A.15 (Supplier Relationships)

Protect (PR)

  • Identity Management and Access Control (PR.AC): A.9 (Access Control), A.11.1 (Secure Areas) for physical access
  • Awareness and Training (PR.AT): A.7.2.2 (Information Security Awareness, Education, and Training)
  • Data Security (PR.DS): A.8 (Asset Management), A.10 (Cryptography), A.13 (Communications Security)
  • Information Protection Processes and Procedures (PR.IP): A.12.1 (Operational Procedures and Responsibilities), A.12.3 (Backup), A.14.2 (Security in Development and Support Processes)
  • Maintenance (PR.MA): A.11.2.4 (Equipment Maintenance), A.12 (Operations Security)
  • Protective Technology (PR.PT): A.12.4 (Logging and Monitoring), A.8.3 (Media Handling), A.13 (Communications Security)

Detect (DE)

  • Anomalies and Events (DE.AE): A.12.4.1 (Event Logging), A.16.1.4 (Assessment of and Decision on Information Security Events)
  • Security Continuous Monitoring (DE.CM): A.12.4 (Logging and Monitoring), A.12.2.1 (Controls Against Malware)
  • Detection Processes (DE.DP): A.16.1.1 (Responsibilities and Procedures)

Respond (RS)

  • Response Planning (RS.RP): A.16.1.5 (Response to Information Security Incidents)
  • Communications (RS.CO): A.16.1.2 (Reporting Information Security Events), A.6.1.3 (Contact with Authorities)
  • Analysis (RS.AN): A.16.1.4 (Assessment of and Decision on Information Security Events), A.16.1.7 (Collection of Evidence)
  • Mitigation (RS.MI): A.16.1.5 (Response to Information Security Incidents)
  • Improvements (RS.IM): A.16.1.6 (Learning from Information Security Incidents)

Recover (RC)

  • Recovery Planning (RC.RP): A.17.1.2 (Implementing Information Security Continuity)
  • Improvements (RC.IM): A.17.1.3 (Verify, Review and Evaluate Information Security Continuity)
  • Communications (RC.CO): A.17 (Information Security Aspects of Business Continuity Management), A.6.1.3 (Contact with Authorities)

NIST SP 800-53 to ISO/IEC 27001 Annex A Controls

The control families below are those of SP 800-53 Rev. 4. Rev. 5 adds PII Processing and Transparency (PT) and Supply Chain Risk Management (SR); SR maps to A.15 (Supplier Relationships) alongside SA.

Access Control (AC)

  • ISO/IEC 27001: A.9 (Access Control)

Awareness and Training (AT)

  • ISO/IEC 27001: A.7.2.2 (Information Security Awareness, Education, and Training)

Audit and Accountability (AU)

  • ISO/IEC 27001: A.12.4 (Logging and Monitoring)

Security Assessment and Authorization (CA)

  • ISO/IEC 27001: A.18 (Compliance), in particular A.18.2 (Information Security Reviews)

Configuration Management (CM)

  • ISO/IEC 27001: A.12.1 (Operational Procedures and Responsibilities), in particular A.12.1.2 (Change Management), and A.12.5.1 (Installation of Software on Operational Systems)

Contingency Planning (CP)

  • ISO/IEC 27001: A.17 (Information Security Aspects of Business Continuity Management)

Identification and Authentication (IA)

  • ISO/IEC 27001: A.9 (Access Control), in particular A.9.2 (User Access Management) and A.9.4 (System and Application Access Control)

Incident Response (IR)

  • ISO/IEC 27001: A.16 (Information Security Incident Management)

Maintenance (MA)

  • ISO/IEC 27001: A.11.2.4 (Equipment Maintenance), A.12 (Operations Security)

Media Protection (MP)

  • ISO/IEC 27001: A.8.3 (Media Handling)

Physical and Environmental Protection (PE)

  • ISO/IEC 27001: A.11 (Physical and Environmental Security)

Planning (PL)

  • ISO/IEC 27001: A.5 (Information Security Policies)

Personnel Security (PS)

  • ISO/IEC 27001: A.7 (Human Resource Security)

Risk Assessment (RA)

  • ISO/IEC 27001: A.6 (Organization of Information Security), A.12.6.1 (Management of Technical Vulnerabilities); the risk assessment methodology itself is clauses 6.1.2 and 8.2

System and Services Acquisition (SA)

  • ISO/IEC 27001: A.14 (System Acquisition, Development and Maintenance), A.15 (Supplier Relationships)

System and Communications Protection (SC)

  • ISO/IEC 27001: A.13 (Communications Security), A.10 (Cryptography), A.14.1 (Security Requirements of Information Systems)

System and Information Integrity (SI)

  • ISO/IEC 27001: A.12.6.1 (Management of Technical Vulnerabilities), A.12.2.1 (Controls Against Malware)