NCSC CAF to ISO 27001 Mappings
The NCSC's Cyber Assessment Framework (CAF) was developed to help critical national infrastructure (CNI) and government organisations manage cyber security risk effectively. The table below details the Ofgem mappings from CAF outcomes to ISO 27001 clauses and controls. ISO/IEC 27001:2013 is an IT security standard for establishing, implementing, maintaining and continually improving an information security management system (ISMS). To see more detailed information and additional mappings, click through to individual outcomes.
CAF ID | CAF Outcome | ISO 27001 (2013) |
---|---|---|
A1.a | Board Direction | |
A1.b | Roles and Responsibilities | 6.1.1: Information security roles and responsibilities; 16.1.1: Responsibilities and procedures |
A1.c | Decision-making | |
A2.a | Risk Management Process | 6.1.5: Information security in project management |
A2.b | Assurance | 12.7.1: Information systems audit controls; 14.2.8: System security testing; 18.2.3: Technical compliance review |
A3.a | Asset Management | 8.1.1: Inventory of assets; 8.1.2: Ownership of assets; 8.1.4: Return of assets; 8.2.1: Classification of information; 8.2.3: Handling of assets; 8.3.1: Management of removable media; 8.3.2: Disposal of media; 11.2.2: Supporting utilities; 11.2.5: Removal of assets; 11.2.7: Secure disposal or re-use of equipment; 12.1.3: Capacity management; 12.3.1: Information backup |
A4.a | Supply Chain | 13.1.2: Security of network services; 13.2.2: Agreements on information transfer; 14.2.7: Outsourced development; 15.1.1: Information security policy for supplier relationships; 15.1.2: Addressing security within supplier agreements; 15.1.3: Information and communication technology supply chain; 15.2.1: Monitoring and review of supplier services; 15.2.2: Managing changes to supplier services |
B1.a | Policy and Process Development | 5.1.1: Policies for information security; 5.1.2: Review of the policies for information security; 8.2.2: Labelling of information; 8.2.3: Handling of assets; 9.1.1: Access control policy; 9.3.1: Use of secret authentication information; 10.1.1: Policy on the use of cryptographic controls; 10.1.2: Key management; 11.2.9: Clear desk and clear screen policy; 12.1.1: Documented operating procedures; 12.1.2: Change management; 12.3.1: Information backup; 14.1.1: Information security requirements analysis and specification; 14.2.1: Secure development policy; 14.2.5: Secure system engineering principles; 14.2.9: System acceptance testing; 17.1.2: Implementing information security continuity; 17.1.3: Verify, review and evaluate information security continuity; 18.1.1: Identification of applicable legislation and contractual requirements; 18.1.2: Intellectual property rights; 18.1.5: Regulation of cryptographic controls; 18.2.1: Independent review of information security; 18.2.3: Technical compliance review |
B1.b | Policy and Process Implementation | 5.1.1: Policies for information security; 6.2.1: Mobile device policy; 6.2.2: Teleworking; 7.2.1: Management responsibilities; 7.2.3: Disciplinary process; 8.1.3: Acceptable use of assets; 8.2.2: Labelling of information; 8.2.3: Handling of assets; 8.3.1: Management of removable media; 9.1.1: Access control policy; 9.2.1: User registration and de-registration; 9.2.2: User access provisioning; 9.2.4: Management of secret authentication information of users; 9.3.1: Use of secret authentication information; 9.4.1: Information access restriction; 9.4.2: Secure log-on procedures; 10.1.1: Policy on the use of cryptographic controls; 10.1.2: Key management; 11.1.5: Working in secure areas; 11.2.9: Clear desk and clear screen policy; 12.1.1: Documented operating procedures; 13.2.1: Information transfer policies and procedures; 14.2.1: Secure development policy; 14.2.5: Secure system engineering principles; 16.1.7: Collection of evidence; 18.2.2: Compliance with security policies and standards |
B2.a | Identity Verification, Authentication and Authorisation | 9.1.2: Access to networks and network services; 9.2.5: Review of user access rights; 9.4.1: Information access restriction; 9.4.2: Secure log-on procedures; 11.1.2: Physical entry controls; 11.1.3: Securing offices, rooms and facilities; 13.1.1: Network controls |
B2.b | Device Management | |
B2.c | Privileged User Management | 9.1.2: Access to networks and network services; 9.2.3: Management of privileged access rights; 9.2.5: Review of user access rights; 9.4.2: Secure log-on procedures; 11.1.1: Physical security perimeter; 11.1.2: Physical entry controls; 12.4.3: Administrator and operator logs |
B2.d | Identity and Access Management (IdAM) | 7.1.1: Screening; 9.1.2: Access to networks and network services; 9.2.1: User registration and de-registration; 9.2.2: User access provisioning; 9.2.3: Management of privileged access rights; 9.2.5: Review of user access rights; 9.2.6: Removal or adjustment of access rights; 12.4.1: Event logging |
B3.a | Understanding Data | 8.1.1: Inventory of assets; 8.2.1: Classification of information; 12.1.3: Capacity management; 14.1.3: Protecting application services transactions |
B3.b | Data in Transit | 11.1.1: Physical security perimeter; 11.2.3: Cabling security; 13.2.3: Electronic messaging; 14.1.2: Securing application services on public networks; 14.1.3: Protecting application services transactions |
B3.c | Stored Data | 9.4.5: Access control to program source code; 11.1.1: Physical security perimeter; 12.3.1: Information backup; 14.2.9: System acceptance testing; 18.1.3: Protection of records; 18.1.4: Privacy and protection of personally identifiable information |
B3.d | Mobile Data | 8.3.3: Physical media transfer |
B3.e | Media Equipment Sanitisation | 8.3.2: Disposal of media; 11.2.7: Secure disposal or re-use of equipment |
B4.a | Secure by Design | 6.1.5: Information security in project management; 12.1.4: Separation of development, testing and operational environments; 13.1.3: Segregation in networks |
B4.b | Secure Configuration | 12.1.2: Change management; 12.2.1: Controls against malware; 12.5.1: Installation of software on operational systems; 12.6.2: Restrictions on software installation; 13.1.1: Network controls; 14.2.2: System change control procedures; 14.2.3: Technical review of applications after operating platform changes; 14.2.4: Restrictions on changes to software packages; 14.2.6: Secure development environment; 17.1.3: Verify, review and evaluate information security continuity |
B4.c | Secure Management | 12.1.4: Separation of development, testing and operational environments; 12.2.1: Controls against malware; 13.1.1: Network controls |
B4.d | Vulnerability Management | 12.2.1: Controls against malware; 12.5.1: Installation of software on operational systems; 12.6.1: Management of technical vulnerabilities; 18.2.3: Technical compliance review |
B5.a | Resilience Preparation | 6.1.4: Contact with special interest groups; 11.1.4: Protecting against external and environmental threats; 12.2.1: Controls against malware; 17.1.1: Planning information security continuity; 17.1.2: Implementing information security continuity; 18.1.3: Protection of records |
B5.b | Design for Resilience | 11.2.2: Supporting utilities; 12.1.3: Capacity management; 13.1.3: Segregation in networks; 17.2.1: Availability of information processing facilities |
B5.c | Backups | 12.1.3: Capacity management; 12.3.1: Information backup |
B6.a | Cyber Security Culture | 7.2.1: Management responsibilities; 7.2.2: Information security awareness, education and training; 16.1.2: Reporting information security events; 16.1.3: Reporting information security weaknesses |
B6.b | Cyber Security Training | 7.2.2: Information security awareness, education and training; 7.3.1: Termination or change of employment responsibilities; 11.2.9: Clear desk and clear screen policy; 12.2.1: Controls against malware |
C1.a | Monitoring Coverage | 12.2.1: Controls against malware; 12.4.1: Event logging; 12.4.3: Administrator and operator logs; 13.1.1: Network controls |
C1.b | Securing Logs | 12.4.2: Protection of log information; 12.4.3: Administrator and operator logs; 12.4.4: Clock synchronisation |
C1.c | Generating Alerts | 12.4.1: Event logging |
C1.d | Identifying Security Incidents | 6.1.4: Contact with special interest groups |
C1.e | Monitoring Tools and Skills | |
C2.a | System Abnormalities for Attack Detection | |
C2.b | Proactive Attack Discovery | |
D1.a | Response Plan | 16.1.1: Responsibilities and procedures; 16.1.5: Response to information security incidents |
D1.b | Response and Recovery Capability | |
D1.c | Testing and Exercising | |
D2.a | Incident Root Cause Analysis | 16.1.6: Learning from information security incidents; 16.1.7: Collection of evidence |
D2.b | Using Incidents to Drive Improvements | 16.1.6: Learning from information security incidents |