CAF Outcome B6.a: Cyber Security Culture

From the UK NCSC's Cyber Assessment Framework (version 3.1):

You develop and pursue a positive cyber security culture.

Cyber Threat Graph Context

Explore how this control relates to the wider threat graph

NCSC CAF Mapped to NIST CSF

B6.a: Cyber Security Culture to CSF mappings generated from UK Cabinet Office table.

Control ID Description
RS.CO-2 Incidents are reported consistent with established criteria
PR.AT-2 Privileged users understand their roles and responsibilities
PR.AT-4 Senior executives understand their roles and responsibilities
RS.CO-3 Information is shared consistent with response plans
ID.BE-3 Priorities for organizational mission, objectives, and activities are established and communicated
DE.DP-4 Event detection information is communicated
PR.AT-5 Physical and cybersecurity personnel understand their roles and responsibilities
PR.IP-11 Cybersecurity is included in human resources practices (e.g., deprovisioning, personnel screening)
DE.DP-1 Roles and responsibilities for detection are well defined to ensure accountability
ID.GV-2 Cybersecurity roles and responsibilities are coordinated and aligned with internal roles and external partners
PR.AT-1 All users are informed and trained

Related ISA/IEC 62443 Controls

Clauses and controls from IEC 62443 (62443-2-1 and 62443-3-3) which are related to this CAF outcome, taken from mappings by Ofgem.

  • Educate employees on reporting cyber security incidents (4.3.4.5.4)
    ISA/IEC 62443-2-1:2009
  • Document and communicate security expectations and responsibilities (4.3.3.2.5)
    ISA/IEC 62443-2-1:2009
  • Report cyber security incidents in a timely manner (4.3.4.5.5)
    ISA/IEC 62443-2-1:2009
  • Establish a reporting procedure for unusual activities and events (4.3.4.5.3)
    ISA/IEC 62443-2-1:2009

Related ISO 27001 Controls

Clauses and controls from ISO 27001 (2013) which are related to this CAF outcome, taken from mappings by Ofgem.

  • Management responsibilities (7.2.1)
    ISO 27001:2013
  • Information security, awareness, education, and training (7.2.2)
    ISO 27001:2013
  • Reporting information security weaknesses (16.1.3)
    ISO 27001:2013
  • Reporting information security events (16.1.2)
    ISO 27001:2013

Related SP800-53 Controls

Generated from NISTs SP800-53/CSF Crosswalk mappings.

Node
IR-8: Incident Response Plan
AU-6: Audit Record Review, Analysis, and Reporting
IR-6: Incident Reporting
AT-3: Role-based Training
PM-13: Security and Privacy Workforce
RA-5: Vulnerability Monitoring and Scanning
IR-4: Incident Handling
CA-2: Control Assessments
CP-2: Contingency Plan
PE-6: Monitoring Physical Access
CA-7: Continuous Monitoring
SI-4: System Monitoring
SA-14: Criticality Analysis
PM-11: Mission and Business Process Definition
IR-2: Incident Response Training
PS-3: Personnel Screening
PS-6: Access Agreements
PS-7: External Personnel Security
PS-2: Position Risk Designation
SA-21: Developer Screening
PS-1: Policy and Procedures
PS-8: Personnel Sanctions
PS-4: Personnel Termination
PS-5: Personnel Transfer
PM-14: Testing, Training, and Monitoring
PM-2: Information Security Program Leadership Role
PM-1: Information Security Program Plan
AT-2: Literacy Training and Awareness