NIST CSF to ISO 27001 Mappings
NIST's Cybersecurity Framework v1.1 (CSF) was developed to help organizations begin or develop their cybersecurity programme. The table below details the mapping of NIST CSF outcomes to ISO 27001 controls, with additional data from Ofgem. ISO 27001 is an IT security standard for establishing, implementing, maintaining and continually improving an information security management system (ISMS). To see more detailed information and additional mappings, click through to the individual outcomes.
CSF ID | CSF Description | ISO 27001 (2013) |
---|---|---|
DE.AE-1 | A baseline of network operations and expected data flows for users and systems is established and managed | 12.1.1: Documented operating procedures; 12.1.2: Change management; 13.1.1: Network controls; 13.1.2: Security of network services |
DE.AE-2 | Detected events are analyzed to understand attack targets and methods | 12.4.1: Event logging; 16.1.1: Responsibilities and procedures; 16.1.4: Assessment of and decision on information security events |
DE.AE-3 | Event data are collected and correlated from multiple sources and sensors | 12.4.1: Event logging; 16.1.7: Collection of evidence |
DE.AE-4 | Impact of events is determined | 16.1.4: Assessment of and decision on information security events |
DE.AE-5 | Incident alert thresholds are established | 16.1.4: Assessment of and decision on information security events |
DE.CM-1 | The network is monitored to detect potential cybersecurity events | |
DE.CM-2 | The physical environment is monitored to detect potential cybersecurity events | 11.1.1: Physical security perimeter; 11.1.2: Physical entry controls |
DE.CM-3 | Personnel activity is monitored to detect potential cybersecurity events | 12.4.1: Event logging; 12.4.3: Administrator and operator logs |
DE.CM-4 | Malicious code is detected | 12.2.1: Controls against malware |
DE.CM-5 | Unauthorized mobile code is detected | 12.5.1: Installation of software on operational systems; 12.6.2: Restrictions on software installation |
DE.CM-6 | External service provider activity is monitored to detect potential cybersecurity events | 14.2.7: Outsourced development; 15.2.1: Monitoring and review of supplier services |
DE.CM-7 | Monitoring for unauthorized personnel, connections, devices, and software is performed | 12.4.1: Event logging; 14.2.7: Outsourced development; 15.2.1: Monitoring and review of supplier services |
DE.CM-8 | Vulnerability scans are performed | 12.6.1: Management of technical vulnerabilities |
DE.DP-1 | Roles and responsibilities for detection are well defined to ensure accountability | 6.1.1: Information security roles and responsibilities; 7.2.2: Information security awareness, education, and training |
DE.DP-2 | Detection activities comply with all applicable requirements | 18.1.4: Privacy and protection of personally identifiable information; 18.2.2: Compliance with security policies and standards; 18.2.3: Technical compliance review |
DE.DP-3 | Detection processes are tested | 14.2.8: System security testing |
DE.DP-4 | Event detection information is communicated | 16.1.2: Reporting information security events; 16.1.3: Reporting information security weaknesses |
DE.DP-5 | Detection processes are continuously improved | 16.1.6: Learning from information security incidents |
ID.AM-1 | Physical devices and systems within the organization are inventoried | 8.1.1: Inventory of assets; 8.1.2: Ownership of assets |
ID.AM-2 | Software platforms and applications within the organization are inventoried | 8.1.1: Inventory of assets; 8.1.2: Ownership of assets; 12.5.1: Installation of software on operational systems |
ID.AM-3 | Organizational communication and data flows are mapped | 13.2.1: Information transfer policies and procedures; 13.2.2: Agreements on information transfer |
ID.AM-4 | External information systems are catalogued | 11.2.6: Security of equipment and assets off-premises |
ID.AM-5 | Resources (e.g., hardware, devices, data, time, personnel, and software) are prioritized based on their classification, criticality, and business value | 8.2.1: Classification of information |
ID.AM-6 | Cybersecurity roles and responsibilities for the entire workforce and third-party stakeholders (e.g., suppliers, customers, partners) are established | 6.1.1: Information security roles and responsibilities |
ID.BE-1 | The organization’s role in the supply chain is identified and communicated | 15.1.1: Information security policy for supplier relationships; 15.1.2: Addressing security within supplier agreements; 15.1.3: Information and communication technology supply chain; 15.2.1: Monitoring and review of supplier services; 15.2.2: Managing changes to supplier services |
ID.BE-2 | The organization’s place in critical infrastructure and its industry sector is identified and communicated | |
ID.BE-3 | Priorities for organizational mission, objectives, and activities are established and communicated | |
ID.BE-4 | Dependencies and critical functions for delivery of critical services are established | 11.2.2: Supporting utilities; 11.2.3: Cabling security; 12.1.3: Capacity management |
ID.BE-5 | Resilience requirements to support delivery of critical services are established for all operating states (e.g. under duress/attack, during recovery, normal operations) | 11.1.4: Protecting against external and environmental threats; 17.1.1: Planning information security continuity; 17.1.2: Implementing information security continuity; 17.2.1: Availability of information processing facilities |
ID.GV-1 | Organizational cybersecurity policy is established and communicated | 5.1.1: Policies for information security |
ID.GV-2 | Cybersecurity roles and responsibilities are coordinated and aligned with internal roles and external partners | 6.1.1: Information security roles and responsibilities; 7.2.1: Management responsibilities; 15.1.1: Information security policy for supplier relationships |
ID.GV-3 | Legal and regulatory requirements regarding cybersecurity, including privacy and civil liberties obligations, are understood and managed | 18.1.1: Identification of applicable legislation and contractual requirements; 18.1.2: Intellectual property rights; 18.1.3: Protection of records; 18.1.4: Privacy and protection of personally identifiable information; 18.1.5: Regulation of cryptographic controls |
ID.GV-4 | Governance and risk management processes address cybersecurity risks | |
ID.RA-1 | Asset vulnerabilities are identified and documented | 12.6.1: Management of technical vulnerabilities; 18.2.3: Technical compliance review |
ID.RA-2 | Cyber threat intelligence is received from information sharing forums and sources | 6.1.4: Contact with special interest groups |
ID.RA-3 | Threats, both internal and external, are identified and documented | 6.1.2: Segregation of duties |
ID.RA-4 | Potential business impacts and likelihoods are identified | 6.1.2: Segregation of duties; 16.1.6: Learning from information security incidents |
ID.RA-5 | Threats, vulnerabilities, likelihoods, and impacts are used to determine risk | 12.6.1: Management of technical vulnerabilities |
ID.RA-6 | Risk responses are identified and prioritized | 6.1.3: Contact with authorities |
ID.RM-1 | Risk management processes are established, managed, and agreed to by organizational stakeholders | 6.1.3: Contact with authorities |
ID.RM-2 | Organizational risk tolerance is determined and clearly expressed | 6.1.3: Contact with authorities |
ID.RM-3 | The organization’s determination of risk tolerance is informed by its role in critical infrastructure and sector specific risk analysis | 6.1.3: Contact with authorities |
ID.SC-1 | Cyber supply chain risk management processes are identified, established, assessed, managed, and agreed to by organizational stakeholders | 15.1.1: Information security policy for supplier relationships; 15.1.2: Addressing security within supplier agreements; 15.1.3: Information and communication technology supply chain; 15.2.1: Monitoring and review of supplier services; 15.2.2: Managing changes to supplier services |
ID.SC-2 | Suppliers and third party partners of information systems, components, and services are identified, prioritized, and assessed using a cyber supply chain risk assessment process | 15.2.1: Monitoring and review of supplier services; 15.2.2: Managing changes to supplier services |
ID.SC-3 | Contracts with suppliers and third-party partners are used to implement appropriate measures designed to meet the objectives of an organization’s cybersecurity program and Cyber Supply Chain Risk Management Plan | 15.1.1: Information security policy for supplier relationships; 15.1.2: Addressing security within supplier agreements; 15.1.3: Information and communication technology supply chain |
ID.SC-4 | Suppliers and third-party partners are routinely assessed using audits, test results, or other forms of evaluations to confirm they are meeting their contractual obligations | 15.2.1: Monitoring and review of supplier services; 15.2.2: Managing changes to supplier services |
ID.SC-5 | Response and recovery planning and testing are conducted with suppliers and third-party providers | 17.1.3: Verify, review, and evaluate information security continuity |
PR.AC-1 | Identities and credentials are issued, managed, verified, revoked, and audited for authorized devices, users and processes | 9.2.1: User registration and de-registration; 9.2.2: User access provisioning; 9.2.3: Management of privileged access rights; 9.2.4: Management of secret authentication information of users; 9.2.6: Removal or adjustment of access rights; 9.3.1: Use of secret authentication information; 9.4.2: Secure log-on procedures; 9.4.3: Password management system |
PR.AC-2 | Physical access to assets is managed and protected | 11.1.1: Physical security perimeter; 11.1.2: Physical entry controls; 11.1.3: Securing offices, rooms, and facilities; 11.1.4: Protecting against external and environmental threats; 11.1.5: Working in secure areas; 11.1.6: Delivery and loading areas; 11.2.1: Equipment siting and protection; 11.2.3: Cabling security; 11.2.5: Removal of assets; 11.2.6: Security of equipment and assets off-premises; 11.2.7: Secure disposal or re-use of equipment; 11.2.8: Unattended user equipment |
PR.AC-3 | Remote access is managed | 6.2.1: Mobile device policy; 6.2.2: Teleworking; 11.2.6: Security of equipment and assets off-premises; 13.1.1: Network controls; 13.2.1: Information transfer policies and procedures |
PR.AC-4 | Access permissions and authorizations are managed, incorporating the principles of least privilege and separation of duties | 6.1.2: Segregation of duties; 9.1.2: Access to networks and network services; 9.2.3: Management of privileged access rights; 9.4.1: Information access restriction; 9.4.4: Use of privileged utility programs; 9.4.5: Access control to program source code |
PR.AC-5 | Network integrity is protected (e.g., network segregation, network segmentation) | 13.1.1: Network controls; 13.1.3: Segregation in networks; 13.2.1: Information transfer policies and procedures; 14.1.2: Securing application services on public networks; 14.1.3: Protecting application services transactions |
PR.AC-6 | Identities are proofed and bound to credentials and asserted in interactions | 7.1.1: Screening; 9.2.1: User registration and de-registration |
PR.AC-7 | Users, devices, and other assets are authenticated (e.g., single-factor, multi-factor) commensurate with the risk of the transaction (e.g., individuals’ security and privacy risks and other organizational risks) | 9.2.1: User registration and de-registration; 9.2.4: Management of secret authentication information of users; 9.3.1: Use of secret authentication information; 9.4.2: Secure log-on procedures; 9.4.3: Password management system; 18.1.4: Privacy and protection of personally identifiable information |
PR.AT-1 | All users are informed and trained | 7.2.2: Information security awareness, education, and training; 12.2.1: Controls against malware |
PR.AT-2 | Privileged users understand their roles and responsibilities | 6.1.1: Information security roles and responsibilities; 7.2.2: Information security awareness, education, and training |
PR.AT-3 | Third-party stakeholders (e.g., suppliers, customers, partners) understand their roles and responsibilities | 6.1.1: Information security roles and responsibilities; 7.2.1: Management responsibilities; 7.2.2: Information security awareness, education, and training |
PR.AT-4 | Senior executives understand their roles and responsibilities | 6.1.1: Information security roles and responsibilities; 7.2.2: Information security awareness, education, and training |
PR.AT-5 | Physical and cybersecurity personnel understand their roles and responsibilities | 6.1.1: Information security roles and responsibilities; 7.2.2: Information security awareness, education, and training |
PR.DS-1 | Data-at-rest is protected | 8.2.3: Handling of assets |
PR.DS-2 | Data-in-transit is protected | 8.2.3: Handling of assets; 13.1.1: Network controls; 13.2.1: Information transfer policies and procedures; 13.2.3: Electronic messaging; 14.1.2: Securing application services on public networks; 14.1.3: Protecting application services transactions |
PR.DS-3 | Assets are formally managed throughout removal, transfers, and disposition | 8.2.3: Handling of assets; 8.3.1: Management of removable media; 8.3.2: Disposal of media; 8.3.3: Physical media transfer; 11.2.5: Removal of assets; 11.2.7: Secure disposal or re-use of equipment |
PR.DS-4 | Adequate capacity to ensure availability is maintained | 12.1.3: Capacity management; 17.2.1: Availability of information processing facilities |
PR.DS-5 | Protections against data leaks are implemented | 6.1.2: Segregation of duties; 7.1.1: Screening; 7.1.2: Terms and conditions of employment; 7.3.1: Termination or change of employment responsibilities; 8.2.2: Labelling of information; 8.2.3: Handling of assets; 9.1.1: Access control policy; 9.1.2: Access to networks and network services; 9.2.3: Management of privileged access rights; 9.4.1: Information access restriction; 9.4.4: Use of privileged utility programs; 9.4.5: Access control to program source code; 10.1.1: Policy on the use of cryptographic controls; 11.1.4: Protecting against external and environmental threats; 11.1.5: Working in secure areas; 11.2.1: Equipment siting and protection; 13.1.1: Network controls; 13.1.3: Segregation in networks; 13.2.1: Information transfer policies and procedures; 13.2.3: Electronic messaging; 13.2.4: Confidentiality or non-disclosure agreements; 14.1.2: Securing application services on public networks; 14.1.3: Protecting application services transactions |
PR.DS-6 | Integrity checking mechanisms are used to verify software, firmware, and information integrity | 12.2.1: Controls against malware; 12.5.1: Installation of software on operational systems; 14.1.2: Securing application services on public networks; 14.1.3: Protecting application services transactions; 14.2.4: Restrictions on changes to software packages |
PR.DS-7 | The development and testing environment(s) are separate from the production environment | 12.1.4: Separation of development, testing, and operational environments |
PR.DS-8 | Integrity checking mechanisms are used to verify hardware integrity | 11.2.4: Equipment maintenance |
PR.IP-1 | A baseline configuration of information technology/industrial control systems is created and maintained incorporating security principles (e.g. concept of least functionality) | 12.1.2: Change management; 12.5.1: Installation of software on operational systems; 12.6.2: Restrictions on software installation; 14.2.2: System change control procedures; 14.2.3: Technical review of applications after operating platform changes; 14.2.4: Restrictions on changes to software packages |
PR.IP-2 | A System Development Life Cycle to manage systems is implemented | 6.1.5: Information security in project management; 14.1.1: Information security requirements analysis and specification; 14.2.1: Secure development policy; 14.2.5: Secure system engineering principles |
PR.IP-3 | Configuration change control processes are in place | 12.1.2: Change management; 12.5.1: Installation of software on operational systems; 12.6.2: Restrictions on software installation; 14.2.2: System change control procedures; 14.2.3: Technical review of applications after operating platform changes; 14.2.4: Restrictions on changes to software packages |
PR.IP-4 | Backups of information are conducted, maintained, and tested | 12.3.1: Information backup; 17.1.2: Implementing information security continuity; 17.1.3: Verify, review, and evaluate information security continuity; 18.1.3: Protection of records |
PR.IP-5 | Policy and regulations regarding the physical operating environment for organizational assets are met | 11.1.4: Protecting against external and environmental threats; 11.2.1: Equipment siting and protection; 11.2.2: Supporting utilities; 11.2.3: Cabling security |
PR.IP-6 | Data is destroyed according to policy | 8.2.3: Handling of assets; 8.3.1: Management of removable media; 8.3.2: Disposal of media; 11.2.7: Secure disposal or re-use of equipment |
PR.IP-7 | Protection processes are improved | 16.1.6: Learning from information security incidents |
PR.IP-8 | Effectiveness of protection technologies is shared | 16.1.6: Learning from information security incidents |
PR.IP-9 | Response plans (Incident Response and Business Continuity) and recovery plans (Incident Recovery and Disaster Recovery) are in place and managed | 16.1.1: Responsibilities and procedures; 17.1.1: Planning information security continuity; 17.1.2: Implementing information security continuity; 17.1.3: Verify, review, and evaluate information security continuity |
PR.IP-10 | Response and recovery plans are tested | 17.1.3: Verify, review, and evaluate information security continuity |
PR.IP-11 | Cybersecurity is included in human resources practices (e.g., deprovisioning, personnel screening) | 7.1.1: Screening; 7.1.2: Terms and conditions of employment; 7.2.1: Management responsibilities; 7.2.2: Information security awareness, education, and training; 7.2.3: Disciplinary process; 7.3.1: Termination or change of employment responsibilities; 8.1.4: Return of assets |
PR.IP-12 | A vulnerability management plan is developed and implemented | 12.6.1: Management of technical vulnerabilities; 14.2.3: Technical review of applications after operating platform changes; 16.1.3: Reporting information security weaknesses; 18.2.2: Compliance with security policies and standards; 18.2.3: Technical compliance review |
PR.MA-1 | Maintenance and repair of organizational assets are performed and logged, with approved and controlled tools | 11.1.2: Physical entry controls; 11.2.4: Equipment maintenance; 11.2.5: Removal of assets; 11.2.6: Security of equipment and assets off-premises |
PR.MA-2 | Remote maintenance of organizational assets is approved, logged, and performed in a manner that prevents unauthorized access | 11.2.4: Equipment maintenance; 15.1.1: Information security policy for supplier relationships; 15.2.1: Monitoring and review of supplier services |
PR.PT-1 | Audit/log records are determined, documented, implemented, and reviewed in accordance with policy | 12.4.1: Event logging; 12.4.2: Protection of log information; 12.4.3: Administrator and operator logs; 12.4.4: Clock synchronisation; 12.7.1: Information systems audit controls |
PR.PT-2 | Removable media is protected and its use restricted according to policy | 8.2.1: Classification of information; 8.2.2: Labelling of information; 8.2.3: Handling of assets; 8.3.1: Management of removable media; 8.3.3: Physical media transfer; 11.2.9: Clear desk and clear screen policy |
PR.PT-3 | The principle of least functionality is incorporated by configuring systems to provide only essential capabilities | 9.1.2: Access to networks and network services |
PR.PT-4 | Communications and control networks are protected | 13.1.1: Network controls; 13.2.1: Information transfer policies and procedures; 14.1.3: Protecting application services transactions |
PR.PT-5 | Mechanisms (e.g., failsafe, load balancing, hot swap) are implemented to achieve resilience requirements in normal and adverse situations | 17.1.2: Implementing information security continuity; 17.2.1: Availability of information processing facilities |
RC.CO-1 | Public relations are managed | 6.1.4: Contact with special interest groups |
RC.CO-2 | Reputation is repaired after an incident | |
RC.CO-3 | Recovery activities are communicated to internal and external stakeholders as well as executive and management teams | |
RC.IM-1 | Recovery plans incorporate lessons learned | 16.1.6: Learning from information security incidents |
RC.IM-2 | Recovery strategies are updated | 16.1.6: Learning from information security incidents |
RC.RP-1 | Recovery plan is executed during or after a cybersecurity incident | 16.1.5: Response to information security incidents |
RS.AN-1 | Notifications from detection systems are investigated | 12.4.1: Event logging; 12.4.3: Administrator and operator logs; 16.1.5: Response to information security incidents |
RS.AN-2 | The impact of the incident is understood | 16.1.4: Assessment of and decision on information security events; 16.1.6: Learning from information security incidents |
RS.AN-3 | Forensics are performed | 16.1.7: Collection of evidence |
RS.AN-4 | Incidents are categorized consistent with response plans | 16.1.4: Assessment of and decision on information security events |
RS.AN-5 | Processes are established to receive, analyze and respond to vulnerabilities disclosed to the organization from internal and external sources (e.g. internal testing, security bulletins, or security researchers) | |
RS.CO-1 | Personnel know their roles and order of operations when a response is needed | 6.1.1: Information security roles and responsibilities; 7.2.2: Information security awareness, education, and training; 16.1.1: Responsibilities and procedures |
RS.CO-2 | Incidents are reported consistent with established criteria | 6.1.3: Contact with authorities; 16.1.2: Reporting information security events |
RS.CO-3 | Information is shared consistent with response plans | 16.1.2: Reporting information security events |
RS.CO-4 | Coordination with stakeholders occurs consistent with response plans | |
RS.CO-5 | Voluntary information sharing occurs with external stakeholders to achieve broader cybersecurity situational awareness | 6.1.4: Contact with special interest groups |
RS.IM-1 | Response plans incorporate lessons learned | 16.1.6: Learning from information security incidents |
RS.IM-2 | Response strategies are updated | 16.1.6: Learning from information security incidents |
RS.MI-1 | Incidents are contained | 12.2.1: Controls against malware; 16.1.5: Response to information security incidents |
RS.MI-2 | Incidents are mitigated | 12.2.1: Controls against malware; 16.1.5: Response to information security incidents |
RS.MI-3 | Newly identified vulnerabilities are mitigated or documented as accepted risks | 12.6.1: Management of technical vulnerabilities |
RS.RP-1 | Response plan is executed during or after an incident | 16.1.5: Response to information security incidents |