CAF Outcome A3.a: Asset Management

From the UK NCSC's Cyber Assessment Framework (version 3.1):

Everything required to deliver, maintain or support networks and information systems necessary for the operation of essential functions is determined and understood. This includes data, people and systems, as well as any supporting infrastructure (such as power or cooling).

NCSC CAF Mapped to NIST CSF

Mappings from A3.a: Asset Management to the NIST CSF, generated from the UK Cabinet Office mapping table.

Control ID Description
PR.AC-2 Physical access to assets is managed and protected
PR.IP-6 Data is destroyed according to policy
PR.IP-5 Policy and regulations regarding the physical operating environment for organizational assets are met
PR.DS-4 Adequate capacity to ensure availability is maintained
PR.DS-3 Assets are formally managed throughout removal, transfers, and disposition
ID.AM-2 Software platforms and applications within the organization are inventoried
ID.AM-1 Physical devices and systems within the organization are inventoried
PR.MA-1 Maintenance and repair of organizational assets are performed and logged, with approved and controlled tools
ID.AM-5 Resources (e.g., hardware, devices, data, time, personnel, and software) are prioritized based on their classification, criticality, and business value
ID.BE-4 Dependencies and critical functions for delivery of critical services are established

Related ISA/IEC 62443 Controls

Clauses and controls from IEC 62443 (62443-2-1 and 62443-3-3) which are related to this CAF outcome, taken from mappings by Ofgem.

  • Control system component inventory (SR 7.8)
    ISA/IEC 62443-3-3:2013
  • Establish procedures for the addition, removal, and disposal of assets (4.3.3.3.9)
    ISA/IEC 62443-2-1:2009
  • Classify all CSMS information assets (4.3.4.4.3)
    ISA/IEC 62443-2-1:2009
  • Identify the industrial automation and control systems (4.2.3.4)
    ISA/IEC 62443-2-1:2009
  • Maintain equipment assets (4.3.3.3.7)
    ISA/IEC 62443-2-1:2009
  • Prioritise Systems (4.2.3.6)
    ISA/IEC 62443-2-1:2009
  • Determine the impacts and consequences to each system (4.3.2.5.2)
    ISA/IEC 62443-2-1:2009

Related ISO 27001 Controls

Clauses and controls from ISO 27001 (2013) which are related to this CAF outcome, taken from mappings by Ofgem.

  • Ownership of assets (8.1.2)
    ISO 27001:2013
  • Disposal of media (8.3.2)
    ISO 27001:2013
  • Handling of assets (8.2.3)
    ISO 27001:2013
  • Removal of assets (11.2.5)
    ISO 27001:2013
  • Management of removable media (8.3.1)
    ISO 27001:2013
  • Classification of information (8.2.1)
    ISO 27001:2013
  • Secure disposal or re-use of equipment (11.2.7)
    ISO 27001:2013
  • Information backup (12.3.1)
    ISO 27001:2013
  • Capacity management (12.1.3)
    ISO 27001:2013
  • Return of assets (8.1.4)
    ISO 27001:2013
  • Supporting utilities (11.2.2)
    ISO 27001:2013
  • Inventory of assets (8.1.1)
    ISO 27001:2013

Related SP800-53 Controls

Generated from NIST's SP 800-53/CSF crosswalk mappings.