
ISO 27001-2013

ISO/IEC 27001:2013 Control
4 Context Organization
4.1 Understanding of the organization and its context
4.2 Understanding the needs and expectations of interested parties
4.3 Determining the scope of the ISMS
4.4 Information security management system
5 Leadership
5.1 Leadership and commitment
5.2 Policy
5.3 Organizational roles, responsibilities, authorities
6 Planning
6.1 Screening
6.1.1 General
6.1.2 Information security risk assessment
6.1.3 Information security risk treatment
6.2 Terms and conditions of employment
7 Support
7.1 Resources
7.2 Competence
7.3 Awareness
7.4 Communication
7.5 Documented information
7.5.1 General
7.5.2 Creating and updating documentation
7.5.3 Control of documented information
8 Operation
8.1 Operational planning and control
8.2 Information security risk assessment
8.3 Information security risk treatment
9 Performance evaluation
9.1 Monitoring, measurement, analysis and evaluation
9.2 Internal audit
9.3 Management review
10 Improvement
10.1 Nonconformity and corrective action
10.2 Continual improvement

383995320.xlsx 129
AnnexA-2013

ISO/IEC 27002:2013 Control
5 Security policy
5.1 Information security policy
5.1.1 Policies for information security
5.1.2 Review of the policies for information security
6 Organization of information security
6.1 Internal Organization
6.1.1 Information security roles and responsibilities
6.1.2 Segregation of duties
6.1.3 Contact with authorities
6.1.4 Contact with special interest groups
6.1.5 Information Security in Project Management
6.2 Mobile Devices
6.2.1 Mobile device policy
6.2.2 Teleworking
7 Human Resources Security
7.1 Prior to employment
7.1.1 Screening
7.1.2 Terms and conditions of employment
7.2 During employment
7.2.1 Management responsibilities
7.2.2 Information security awareness, education and training
7.2.3 Disciplinary process
7.3 Termination or change of employment
7.3.1 Termination or change of employment responsibilities
8 Asset Management
8.1 Responsibility for Assets
8.1.1 Inventory of Assets
8.1.2 Ownership of assets
8.1.3 Acceptable use of assets
8.2 Information classification
8.2.1 Classification guidelines
8.2.2 Labelling of information
8.2.3 Handling of assets
8.3 Media handling
8.3.1 Management of removable media
8.3.2 Disposal of media
8.3.3 Physical Media transfer
9 Access Control
9.1 Business requirements for access control
9.1.1 Access control policy
9.1.2 Access to networks and network services
9.2 User access management
9.2.1 User registration and deregistration
9.2.2 User access provisioning
9.2.3 Management of privileged access rights
9.2.4 Management of secret authentication information of users
9.2.5 Review of user access rights
9.2.6 Removal or adjustment of access rights
9.3 User responsibilities
9.3.1 Use of secret authentication information
9.4 Application and information access control
9.4.1 Information access restriction
9.4.2 Sensitive system isolation
9.4.3 Password management system
9.4.4 Use of privileged utility programs
9.4.5 Access control to program source code
10 Cryptography
10.1 Cryptographic controls
10.1.1 Policy on the use of cryptographic controls
10.1.2 Key management
11 Physical and Environmental Security
11.1 Secure Areas
11.1.1 Physical security perimeter
11.1.2 Physical entry controls
11.1.3 Securing offices, rooms and facilities
11.1.4 Protecting against external and environmental attacks
11.1.5 Working in secure areas
11.1.6 Delivery and loading areas
11.2 Equipment security
11.2.1 Equipment siting and protection
11.2.2 Supporting utilities
11.2.3 Cabling Security
11.2.5 Security of equipment off-premises
11.2.4 Equipment maintenance
11.2.5 Removal of assets
11.2.6 Security of equipment and assets off-premises
11.2.7 Secure disposal or re-use of equipment
11.2.8 Unattended user equipment
11.2.9 Clear desk and clear screen policy
12 Operations Security
12.1 Operational procedures and responsibilities
12.1.1 Documented operating procedures
12.1.2 Change management
12.1.3 Capacity management
12.1.4 Separation of development, testing and operational environments
12.2 Protection against malicious and mobile code
12.2.1 Controls against malicious code
12.3 Backup
12.3.1 Information Backup
12.4 Logging and monitoring
12.4.1 Event logging
12.4.2 Protection of log information
12.4.3 Administrator and operator logs
12.4.4 Clock synchronisation
12.5 Control of operational software
12.5.1 Installation of software on operational systems
12.6 Technical Vulnerability Management
12.6.1 Management of technical vulnerabilities
12.6.2 Restrictions on software installation
12.7 Information Systems audit considerations
12.7.1 Information systems audit controls
13 Communications Security
13.1 Network security management
13.1.1 Network controls
13.1.2 Security of network services
13.1.3 Segregation in networks
13.2 Information transfer
13.2.1 Information transfer policies and procedures
13.2.2 Agreements on information transfer
13.2.3 Electronic messaging
13.2.4 Confidentiality or non-disclosure agreements
14 Systems acquisition, development and maintenance
14.1 Security requirements of information systems
14.1.1 Information security requirements analysis and specification
14.1.2 Securing application services on public networks
14.1.3 Protecting application services transactions
14.2 Security in development and support processes
14.2.1 Secure development policy
14.2.2 System change control procedures
14.2.3 Technical review of applications after operating platform changes
14.2.4 Restrictions on changes to software packages
14.2.5 Secure system engineering principles
14.2.6 Secure development environment
14.2.7 Outsourced software development
14.2.8 System security testing
14.2.9 System acceptance testing
14.3 Test data
14.3.1 Protection of test data
15 Supplier relationships
15.1 Information security in supplier relationships
15.1.1 Information security policy for supplier relationships
15.1.2 Addressing security within supplier agreements
15.1.3 Information and communication technology supply chain
15.2 Supplier service delivery management
15.2.1 Monitoring and review of supplier services
15.2.2 Managing changes to supplier services
16 Information security incident management
16.1 Reporting information security events and weaknesses
16.1.1 Responsibilities and procedures
16.1.2 Reporting information security events
16.1.3 Reporting information security weaknesses
16.1.4 Assessment of and decision on information security events
16.1.5 Response in information security incidents
16.1.6 Learning from information security incidents
16.1.7 Collection of evidence
17 Information security aspects of business continuity management
17.1 Information security continuity
17.1.1 Planning information security continuity
17.1.2 Implementing information security continuity
17.1.3 Verify, review and evaluate information security continuity
17.2 Redundancies
17.2.1 Availability of information processing facilities
18 Compliance
18.1 Compliance with legal and contractual requirements
18.1.1 Identification of applicable legislation
18.1.2 Intellectual Property Rights (IPR)
18.1.3 Protection of records
18.1.4 Privacy and protection of personally identifiable information
18.1.5 Regulation of cryptographic controls
18.2 Information security reviews
18.2.1 Independent review of information security
18.2.2 Compliance with security policies and standards
18.2.3 Technical compliance review

AnnexA-2005

ISO/IEC 27002:2005 Control
5 Security policy
5.1 Management direction for information security
5.1.1 Information Security Policy document
5.1.2 Review of the information security policy
6 Organization of information security
6.1 Internal Organization
6.1.1 Management commitment to information security
6.1.2 Information security coordination
6.1.3 Allocation of information security responsibilities
6.1.4 Authorization process for information processing facilities
6.1.5 Confidentiality agreements
6.1.6 Contact with authorities
6.1.7 Contact with special interest groups
6.1.8 Independent review of information security
6.2 External Parties
6.2.1 Identification of risks related to external parties
6.2.2 Addressing security when dealing with customers
6.2.3 Addressing security in third party agreements
7 Asset Management
7.1 Responsibility for Assets
7.1.1 Inventory of Assets
7.1.2 Ownership of assets
7.1.3 Acceptable use of assets
7.2 Information classification
7.2.1 Classification guidelines
7.2.2 Information labelling and handling
8 Human Resources Security
8.1 Prior to employment
8.1.1 Roles and responsibilities
8.1.2 Screening
8.1.3 Terms and conditions of employment
8.2 During employment
8.2.1 Management responsibilities
8.2.2 Information security awareness, education and training
8.2.3 Disciplinary process
8.3 Termination or change of employment
8.3.1 Termination responsibilities
8.3.2 Return of assets
8.3.3 Removal of access rights
9 Physical and Environmental Security
9.1 Secure Areas
9.1.1 Physical security perimeter
9.1.2 Physical entry controls
9.1.3 Securing offices, rooms and facilities
9.1.4 Protecting against external and environmental attacks
9.1.5 Working in secure areas
9.1.6 Public access, delivery and loading areas
9.2 Equipment security
9.2.1 Equipment siting and protection
9.2.2 Supporting utilities
9.2.3 Cabling Security
9.2.4 Equipment maintenance
9.2.5 Security of equipment off-premises
9.2.6 Secure disposal or re-use of equipment
9.2.7 Removal of property
10 Communications and Operations Management
10.1 Operational procedures and responsibilities
10.1.1 Documented operating procedures
10.1.2 Change management
10.1.3 Segregation of duties
10.1.4 Separation of development, test and operational facilities
10.2 Third party service delivery management
10.2.1 Service delivery
10.2.2 Monitoring and review of third party services
10.2.3 Managing changes to third party services
10.3 System planning and acceptance
10.3.1 Capacity management
10.3.2 System acceptance
10.4 Protection against malicious and mobile code
10.4.1 Controls against malicious code
10.4.2 Controls against mobile code
10.5 Back-up
10.5.1 Information back-up
10.6 Network security management
10.6.1 Network controls
10.6.2 Security of network services
10.7 Media handling
10.7.1 Management of removable media
10.7.2 Disposal of media
10.7.3 Information handling procedures
10.7.4 Security of system documentation
10.8 Exchange of information
10.8.1 Information exchange policies and procedures
10.8.2 Exchange agreements
10.8.3 Physical media in transit
10.8.4 Electronic messaging
10.8.5 Business information systems
10.9 E-commerce services
10.9.1 Electronic commerce
10.9.2 On-line transactions
10.9.3 Publicly available information
10.10 Monitoring
10.10.1 Audit logging
10.10.2 Monitoring system use
10.10.3 Protection of log information
10.10.4 Administrator and operator logs
10.10.5 Fault logging
10.10.6 Clock synchronisation
11 Access Control
11.1 Business requirements for access control
11.1.1 Access control policy
11.2 User access management
11.2.1 User registration
11.2.2 Privilege management
11.2.3 User password management
11.2.4 Review of user access rights
11.3 User responsibilities
11.3.1 Password use
11.3.2 Unattended user equipment
11.3.3 Clear desk and clear screen policy
11.4 Network access control
11.4.1 Policy on use of network services
11.4.2 User authentication for external connections
11.4.3 Equipment identification in networks
11.4.4 Remote diagnostic and configuration port protection
11.4.5 Segregation in networks
11.4.6 Network connection control
11.4.7 Network routing control
11.5 Operating system access control
11.5.1 Secure log-on procedures
11.5.2 User identification and authentication
11.5.3 Password management system
11.5.4 Use of system utilities
11.5.5 Session time-out
11.5.6 Limitation of connection time
11.6 Application and information access control
11.6.1 Information access restriction
11.6.2 Sensitive system isolation
11.7 Mobile computing and teleworking
11.7.1 Mobile computing and communications
11.7.2 Teleworking
12 Information systems acquisition, development and maintenance
12.1 Security requirements of information systems
12.1.1 Security requirements analysis and specification
12.2 Correct processing in applications
12.2.1 Input data validation
12.2.2 Control of internal processing
12.2.3 Message integrity
12.2.4 Output data validation
12.3 Cryptographic controls
12.3.1 Policy on the use of cryptographic controls
12.3.2 Key management
12.4 Security of system files
12.4.1 Control of operational software
12.4.2 Protection of system test data
12.4.3 Access control to program source code
12.5 Security in development and support processes
12.5.1 Change control procedures
12.5.2 Technical review of applications after operating system changes
12.5.3 Restrictions on changes to software packages
12.5.4 Information leakage
12.5.5 Outsourced software development
12.6 Technical Vulnerability Management
12.6.1 Control of technical vulnerabilities
13 Information security incident management
13.1 Reporting information security events and weaknesses
13.1.1 Reporting information security events
13.1.2 Reporting weaknesses
13.2 Management of information security incidents and improvements
13.2.1 Responsibilities and procedures
13.2.2 Learning from information security incidents
13.2.3 Collection of evidence
14 Business Continuity management
14.1 Information security aspects of business continuity management
14.1.1 Including information security in the business continuity management process
14.1.2 Business continuity and risk assessment
14.1.3 Developing and implementing continuity plans including information security
14.1.4 Business continuity planning framework
14.1.5 Testing, maintaining and re-assessing business continuity plans
15 Compliance
15.1 Compliance with legal requirements
15.1.1 Identification of applicable legislation
15.1.2 Intellectual Property Rights (IPR)
15.1.3 Protection of organisational records
15.1.4 Data protection and privacy of personal information
15.1.5 Prevention of misuse of information processing facilities
15.1.6 Regulation of cryptographic controls
15.2 Compliance with security policies and standards, and technical compliance
15.2.1 Compliance with security policies and standards
15.2.2 Technical compliance checking
15.3 Information systems audit considerations
15.3.1 Information systems audit controls
15.3.2 Protection of information system audit tools

AnnexA-2005-NIST

ISO/IEC 27002:2005 Control | NIST SP 800-53r4 Controls
5 Security policy
5.1 Management direction for information security
5.1.1 Information Security Policy document XX-1 controls
5.1.2 Review of the information security policy XX-1 controls
6 Organization of information security
6.1 Internal Organization
6.1.1 Management commitment to information security XX-1 controls, PM-2, PM-3, PM-9; SP 800-39, SP 800-37
6.1.2 Information security coordination CP-2, CP-4, IR-4, PL-1, PL-2, PM-2, SA-2; SP 800-39, SP 800-37
6.1.3 Allocation of information security responsibilities XX-1 controls, AC-5, AC-6, CM-9, PM-2; SP 800-39, SP 800-37
6.1.4 Authorization process for information processing facilities CA-1, CA-6, PM-10; SP 800-37
6.1.5 Confidentiality agreements PL-4, PS-6, SA-9
6.1.6 Contact with authorities Multiple controls with contact reference (e.g., IR-6, SI-5); SP 800-39; SP 800-37
6.1.7 Contact with special interest groups PM-15, SI-5
6.1.8 Independent review of information security CA-2, CA-7; SP 800-39, SP 800-37
6.2 External Parties
6.2.1 Identification of risks related to external parties CA-3, PM-9, RA-3, SA-1, SA-9, SC-7
6.2.2 Addressing security when dealing with customers AC-8, AT-2, PL-4
6.2.3 Addressing security in third party agreements AU-16, CA-2, CA-3, PS-7, SA-9
7 Asset Management
7.1 Responsibility for Assets
7.1.1 Inventory of Assets CM-8, CM-9, PM-5
7.1.2 Ownership of assets CM-8, CM-9, PM-5
7.1.3 Acceptable use of assets AC-20, PL-4
7.2 Information classification
7.2.1 Classification guidelines RA-2
7.2.2 Information labelling and handling AC-16, MP-2, MP-3, SC-16
8 Human Resources Security
8.1 Prior to employment
8.1.1 Roles and responsibilities XX-1 controls, AC-5, AC-6, AC-8, AC-20, AT-2, AT-3, CM-9, PL-4, PS-2, PS-6, PS-7, SA-9
8.1.2 Screening PS-3
8.1.3 Terms and conditions of employment AC-16, MP-2, MP-3, SC-16
8.2 During employment
8.2.1 Management responsibilities PL-4, PM-13, PM-14, PS-6, PS-7, SA-9
8.2.2 Information security awareness, education and training AT-2, AT-3, IR-2
8.2.3 Disciplinary process PS-8
8.3 Termination or change of employment
8.3.1 Termination responsibilities PS-4, PS-5
8.3.2 Return of assets PS-4, PS-5, PE-3
8.3.3 Removal of access rights AC-2, PS-4, PS-5
9 Physical and Environmental Security
9.1 Secure Areas
9.1.1 Physical security perimeter PE-3
9.1.2 Physical entry controls PE-3, PE-5, PE-6
9.1.3 Securing offices, rooms and facilities PE-3, PE-4, PE-5
9.1.4 Protecting against external and environmental attacks CP Family; PE-1, PE-9, PE-10, PE-11, PE-13, PE-15
9.1.5 Working in secure areas AT-2, AT-3, PL-4, PS-6, PE-2, PE-3, PE-4, PE-6, PE-8
9.1.6 Public access, delivery and loading areas PE-3, PE-16
9.2 Equipment security
9.2.1 Equipment siting and protection PE-1, PE-18
9.2.2 Supporting utilities PE-1, PE-9, PE-11, PE-12, PE-14
9.2.3 Cabling Security PE-4, PE-9
9.2.4 Equipment maintenance MA Family
9.2.5 Security of equipment off-premises SA-9
9.2.6 Secure disposal or re-use of equipment MP-6
9.2.7 Removal of property MP-5, PE-16
10 Communications and Operations Management
10.1 Operational procedures and responsibilities
10.1.1 Documented operating procedures XX-1 controls, CM-9
10.1.2 Change management CM-1, CM-3, CM-4, CM-5, CM-9
10.1.3 Segregation of duties AC-5
10.1.4 Separation of development, test and operational facilities CM-2
10.2 Third party service delivery management
10.2.1 Service delivery SA-9
10.2.2 Monitoring and review of third party services SA-9
10.2.3 Managing changes to third party services RA-3, SA-9, SA-10
10.3 System planning and acceptance
10.3.1 Capacity management AU-4, AU-5, CP-2, SA-2, SC-5
10.3.2 System acceptance CA-2, CA-6, CM-3, CM-4, CM-9, SA-11, SA-15
10.4 Protection against malicious and mobile code
10.4.1 Controls against malicious code AC-19, AT-2, SA-8, SC-2, SC-3, SC-7, SC-42, SI-3, SI-7
10.4.2 Controls against mobile code SA-8, SC-2, SC-3, SC-7, SC-8, SC-18
10.5 Back-up
10.5.1 Information back-up CP-9
10.6 Network security management
10.6.1 Network controls AC-4, AC-17, AC-18, AC-20, CA-3, CP-8, PE-5, SC-7, SC-8, SC-10, SC-19, SC-20, SC-21, SC-22, SC-23
10.6.2 Security of network services CA-3, SA-9, SC-8
10.7 Media handling
10.7.1 Management of removable media MP Family, PE-16
10.7.2 Disposal of media MP-6
10.7.3 Information handling procedures MP Family, SI-12
10.7.4 Security of system documentation MP-4, SA-5
10.8 Exchange of information
10.8.1 Information exchange policies and procedures AC-1, AC-3, AC-4, AC-17, AC-18, AC-20, CA-3, PL-4, PS-6, SC-7, SC-16
10.8.2 Exchange agreements CA-3, SA-9, SC-8
10.8.3 Physical media in transit MP-5
10.8.4 Electronic messaging Multiple controls; electronic messaging not addressed separately in SP 800-53
10.8.5 Business information systems CA-1, CA-3
10.9 E-commerce services
10.9.1 Electronic commerce AU-10, IA-8, SC-7, SC-8, SC-3
10.9.2 On-line transactions SC-7, SC-8, SC-3
10.9.3 Publicly available information
10.10 Monitoring
10.10.1 Audit logging AU-1, AU-2, AU-3, AU-4, AU-5, AU-8, AU-11, AU-12
10.10.2 Monitoring system use AU-1, AU-6, AU-7, PE-6, PE-8, SC-7, SI-4
10.10.3 Protection of log information AU-9
10.10.4 Administrator and operator logs AU-2, AU-12
10.10.5 Fault logging AU-2, AU-6, AU-12, SI-2
10.10.6 Clock synchronisation AU-8
11 Access Control
11.1 Business requirements for access control
11.1.1 Access control policy AC-1, AC-5, AC-6, AC-17, AC-18, AC-19, CM-5, MP-1
11.2 User access management
11.2.1 User registration AC-1, AC-2, AC-21, IA-5, PE-1, PE-2
11.2.2 Privilege management AC-1, AC-2, AC-6, AC-21, PE-1, PE-2
11.2.3 User password management IA-5
11.2.4 Review of user access rights AC-2, PE-2
11.3 User responsibilities
11.3.1 Password use IA-2, IA-5
11.3.2 Unattended user equipment AC-11, IA-2, PE-3, PE-5, PE-18, SC-10
11.3.3 Clear desk and clear screen policy AC-11, MP-4
11.4 Network access control
11.4.1 Policy on use of network services AC-1, AC-5, AC-6, AC-17, AC-18, AC-20
11.4.2 User authentication for external connections AC-17, AC-18, AC-20, CA-3, IA-2, IA-8
11.4.3 Equipment identification in networks AC-19, IA-3
11.4.4 Remote diagnostic and configuration port protection AC-3, AC-6, AC-17, AC-18, PE-3, MA-3, MA-4
11.4.5 Segregation in networks AC-4, SA-8, SC-7
11.4.6 Network connection control AC-3, AC-6, AC-17, AC-18, SC-7
11.4.7 Network routing control AC-4, AC-17, AC-18
11.5 Operating system access control
11.5.1 Secure log-on procedures AC-7, AC-8, AC-9, AC-10, IA-2, IA-6, IA-8, SC-10
11.5.2 User identification and authentication IA-2, IA-4, IA-5, IA-8, AC-3, AC-6, AC-14, CM-5
11.5.3 Password management system IA-2, IA-5
11.5.4 Use of system utilities AC-3, AC-6
11.5.5 Session time-out AC-11, SC-10
11.5.6 Limitation of connection time AC-2
11.6 Application and information access control
11.6.1 Information access restriction AC-3, AC-6, AC-14, CM-5
11.6.2 Sensitive system isolation SC-7; SP 800-39
11.7 Mobile computing and teleworking
11.7.1 Mobile computing and communications AC-1, AC-17, AC-18, AC-19, PL-4, PS-6
11.7.2 Teleworking AC-1, AC-4, AC-17, AC-18, PE-17, PL-4, PS-6
12 Information systems acquisition, development and maintenance
12.1 Security requirements of information systems
12.1.1 Security requirements analysis and specification PL-7, PL-8, SA-1, SA-3, SA-4
12.2 Correct processing in applications
12.2.1 Input data validation SI-10
12.2.2 Control of internal processing SI-7, SI-10
12.2.3 Message integrity AU-10, SC-8, SC-23, SI-7
12.2.4 Output data validation SI-7
12.3 Cryptographic controls
12.3.1 Policy on the use of cryptographic controls Multiple controls address cryptography (e.g., IA-7, SC-8, SC-12, SC-13)
12.3.2 Key management SC-12, SC-17
12.4 Security of system files
12.4.1 Control of operational software CM-1, CM-2, CM-3, CM-4, CM-5, CM-9, CM-10, CM-11, PL-4
12.4.2 Protection of system test data Multiple controls; protection of test data not addressed separately in SP 800-53 (e.g., AC-3, AC-4)
12.4.3 Access control to program source code AC-3, AC-6, CM-5, CM-9, MA-5, SA-10
12.5 Security in development and support processes
12.5.1 Change control procedures CM-1, CM-3, CM-9, SA-10
12.5.2 Technical review of applications after operating system changes CM-3, CM-4, CM-9, SI-2
12.5.3 Restrictions on changes to software packages CM-3, CM-4, CM-5, CM-9
12.5.4 Information leakage AC-4, IR-9, PE-19
12.5.5 Outsourced software development CM-10, CM-11, SA-1, SA-4, SA-8, SA-9, SA-11, SA-12, SA-13, SA-15, SA-17
12.6 Technical Vulnerability Management
12.6.1 Control of technical vulnerabilities RA-3, RA-5, SI-2, SI-5
13 Information security incident management
13.1 Reporting information security events and weaknesses
13.1.1 Reporting information security events AU-6, IR-1, IR-6, SI-4, SI-5
13.1.2 Reporting weaknesses PL-4, SI-2, SI-4, SI-5
13.2 Management of information security incidents and improvements
13.2.1 Responsibilities and procedures IR-1
13.2.2 Learning from information security incidents IR-4
13.2.3 Collection of evidence AU-7, AU-9, IR-4
14 Business Continuity management
14.1 Information security aspects of business continuity management
14.1.1 Including information security in the business continuity management process CP-1, CP-2, CP-4
14.1.2 Business continuity and risk assessment CP-2, PM-9, RA Family
14.1.3 Developing and implementing continuity plans including information security CP Family
14.1.4 Business continuity planning framework CP-2, CP-4
14.1.5 Testing, maintaining and re-assessing business continuity plans CP-2, CP-4
15 Compliance
15.1 Compliance with legal requirements
15.1.1 Identification of applicable legislation XX-1 controls, IA-7
15.1.2 Intellectual Property Rights (IPR) CM-10
15.1.3 Protection of organisational records AU-9, AU-11, CP-9, MP-1, MP-4, SA-5, SI-12
15.1.4 Data protection and privacy of personal information Appendix J; SI-12
15.1.5 Prevention of misuse of information processing facilities AC-8, AU-6, CM-11, PL-4, PS-6, PS-8
15.1.6 Regulation of cryptographic controls IA-7, SC-13
15.2 Compliance with security policies and standards, and technical compliance
15.2.1 Compliance with security policies and standards XX-1 controls, AC-2, CA-2, CA-7, IA-7, PE-8, SI-12
15.2.2 Technical compliance checking CA-2, CA-7, RA-5
15.3 Information systems audit considerations
15.3.1 Information systems audit controls AU-1, AU-2
15.3.2 Protection of information system audit tools AU-9

ISO/IEC 27002:2013 Control
5 Security policy
5.1 Information security policy
5.1.1 Policies for information security
5.1.2 Review of the policies for information security
6 Organization of information security
6.1 Internal Organization
6.1.1 Information security roles and responsibilities
6.1.2 Segregation of duties
6.1.3 Contact with authorities
6.1.4 Contact with special interest groups
6.1.5 Information Security in Project Management
6.2 Mobile Devices
6.2.1 Mobile device policy
6.2.2 Teleworking
7 Human Resources Security
7.1 Prior to employment
7.1.1 Screening
7.1.2 Terms and conditions of employment
7.2 During employment
7.2.1 Management responsibilities
7.2.2 Information security awareness, education and training
7.2.3 Disciplinary process
7.3 Termination or change of employment
7.3.1 Termination or change of employment responsibilities
8 Asset Management
8.1 Responsibility for Assets
8.1.1 Inventory of Assets
8.1.2 Ownership of assets
8.1.3 Acceptable use of assets
8.2 Information classification
8.2.1 Classification guidelines
8.2.2 Labelling of information
8.2.3 Handling of assets
8.3 Media handling
8.3.1 Management of removable media
8.3.2 Disposal of media
8.3.3 Physical Media transfer
9 Access Control
9.1 Business requirements for access control
9.1.1 Access control policy
9.1.2 Access to networks and network services
9.2 User access management
9.2.1 User registration and deregistration
9.2.2 User access provisioning
9.2.3 Management of privileged access rights
9.2.4 Management of secret authentication information of users
9.2.5 Review of user access rights
9.2.6 Removal or adjustment of access rights
9.3 User responsibilities
9.3.1 Use of secret authentication information
9.4 Application and information access control
9.4.1 Information access restriction
9.4.2 Sensitive system isolation
9.4.3 Password management system
9.4.4 Use of privileged utility programs
9.4.5 Access control to program source code
10 Cryptography
10.1 Cryptographic controls
10.1.1 Policy on the use of cryptographic controls
10.1.2 Key management
11 Physical and Environmental Security
11.1 Secure Areas
11.1.1 Physical security perimeter
11.1.2 Physical entry controls
11.1.3 Securing offices, rooms and facilities
11.1.4 Protecting against external and environmental attacks
11.1.5 Working in secure areas
11.1.6 Delivery and loading areas
11.2 Equipment security
11.2.1 Equipment siting and protection
11.2.2 Supporting utilities
11.2.3 Cabling Security
11.2.5 Security of equipment off-premises
11.2.4 Equipment maintenance
11.2.5 Removal of assets
11.2.6 Security of equipment and assets off-premises
11.2.7 Secure disposal or re-use of equipment
11.2.8 Unattended user equipment
11.2.9 Clear desk and clear screen policy
12 Operations Security
12.1 Operational procedures and responsibilities
12.1.1 Documented operating procedures
12.1.2 Change management
12.1.3 Capacity management
12.1.4 Separation of development, testing and operational environments
12.2 Protection against malicious and mobile code
12.2.1 Controls against malicious code
12.3 Backup
12.3.1 Information Backup
12.4 Logging and monitoring
12.4.1 Event logging
12.4.2 Protection of log information
12.4.3 Administrator and operator logs
12.4.4 Clock synchronisation
12.5 Control of operational software
12.5.1 Installation of software on operational systems
12.6 Technical Vulnerability Management
12.6.1 Management of technical vulnerabilities
12.6.2 Restrictions on software installation
12.7 Information Systems audit considerations
12.7.1 Information systems audit controls
13 Communications Security
13.1 Network security management
13.1.1 Network controls
13.1.2 Security of network services
13.1.3 Segregation in networks
13.2 Information transfer
13.2.1 Information transfer policies and procedures
13.2.2 Agreements on information transfer
13.2.3 Electronic messaging
13.2.4 Confidentiality or non-disclosure agreements
14 Systems acquisition, development and maintenance
14.1 Security requirements of information systems
14.1.1 Information security requirements analysis and specification
14.1.2 Securing application services on public networks
14.1.3 Protecting application services transactions
14.2 Security in development and support processes
14.2.1 Secure development policy
14.2.2 System change control procedures
14.2.3 Technical review of applications after operating platform changes
14.2.4 Restrictions on changes to software packages
14.2.5 Secure system engineering principles
14.2.6 Secure development environment
14.2.7 Outsourced software development
14.2.8 System security testing
14.2.9 System acceptance testing
14.3 Test data
14.3.1 Protection of test data
15 Supplier relationships
15.1 Information security in supplier relationships
15.1.1 Information security policy for supplier relationships
15.1.2 Addressing security within supplier agreements
15.1.3 Information and communication technology supply chain
15.2 Supplier service delivery management
15.2.1 Monitoring and review of supplier services
15.2.2 Managing changes to supplier services
16 Information security incident management
16.1 Reporting information security events and weaknesses
16.1.1 Responsibilities and procedures
16.1.2 Reporting information security events
16.1.3 Reporting information security weaknesses
16.1.4 Assessment of and decision on information security events
16.1.5 Response in information security incidents
16.1.6 Learning from information security incidents
16.1.7 Collection of evidence
17 Information security aspects of business continuity management
17.1 Information security continuity
17.1.1 Planning information security continuity
17.1.2 Implementing information security continuity
17.1.3 Verify, review and evaluate information security continuity
17.2 Redundancies
17.2.1 Availability of information processing facilities
18 Compliance
18.1 Compliance with legal and contractual requirements
18.1.1 Identification of applicable legislation
18.1.2 Intellectual Property Rights (IPR)
18.1.3 Protection of records
18.1.4 Privacy and protection of personally identifiable information
18.1.5 Regulation of cryptographic controls
18.2 Information security reviews
18.2.1 Independent review of information security
18.2.2 Compliance with security policies and standards
18.2.3 Technical compliance review
ISO/IEC 27002:2005
5
5.1
5.1.1
5.1.2
6
6.1
6.1.3, 8.1.1
10.1.3
6.1.6
6.1.7
NEW CONTROL

11.7.1
11.7.2
7

8.1.2
8.1.3

8.2.1
8.2.2
8.2.3

8.3.1
8

7.1.1
7.1.2
7.1.3

7.2.1
7.2.2
10.7.3

10.7.1
10.7.2
10.8.3
9

11.1.1
11.4.1
11.2.1, 11.5.2

11.2.3
11.2.3
11.2.4
8.3.3

11.3.1

11.6.1

11.5.1, 11.5.5, 11.5.6

11.5.3
11.5.4
12.4.3
10

12.3.1
12.3.2
11

9.1.1
9.1.2
9.1.3
9.1.4
9.1.5
9.1.6

9.2.1
9.2.2
9.2.3
9.2.5
9.2.4
9.2.7
9.2.5
9.2.6
11.3.2
11.3.3
12

10.1.1
10.1.2 10.1.1
10.3.1
10.1.4
10.4.1

10.5.1

10.10.1
10.10.3
10.10.3, 10.10.4
10.10.6

12.4.1

12.6.1
NEW CONTROL
11.1
15.3.1
13

10.6.1
10.6.2
11.4.5

10.8.1
10.8.2
10.8.4
6.1.5
13

12.1.1
10.9.1, 10.9.3
10.9.2

NEW CONTROL
12.5.1
12.5.2
12.5.3
NEW CONTROL
NEW CONTROL
12.5.5
NEW CONTROL
10.3.2

12.4.2

NEW CONTROL
NEW CONTROL
6.2.3
6.2.3
NEW CONTROL

10.2.2
10.2.3
16

13.2.1
13.1.1
13.1.2
NEW CONTROL
NEW CONTROL
13.2.2
13.2.3

17

14.1.2
NEW CONTROL
14.1.5
NEW CONTROL
NEW CONTROL
18

15.1.1
15.2.1
15.1.3
15.1.4
15.1.6

6.1.8
15.2.1
15.2.2
ISO/IEC 27002:2013 Control
5 Security policy
5.1 Information security policy
5.1.1 Policies for information security
5.1.2 Review of the policies for information security
6 Organization of information security
6.1 Internal Organization

6.1.1 Information security roles and responsibilities

6.1.2 Segregation of duties

6.1.3 Contact with authorities

6.1.4 Contact with special interest groups


6.1.5 Information Security in Project Management
6.2 Mobile Devices
6.2.1 Mobile device policy
6.2.2 Teleworking
7 Human Resources Security
7.1 Prior to employment
7.1.1 Screening
7.1.2 Terms and conditions of employment
7.2 During employment
7.2.1 Management responsibilities
7.2.2 Information security awareness, education and training
7.2.3 Disciplinary process
7.3 Termination or change of employment
7.3.1 Termination or change of employment responsibilities
8 Asset Management
8.1 Responsibility for Assets
8.1.1 Inventory of Assets
8.1.2 Ownership of assets
8.1.3 Acceptable use of assets
8.2 Information classification
8.2.1 Classification guidelines
8.2.2 Labelling of information
8.2.3 Handling of assets
8.3 Media handling
8.3.1 Management of removable media
8.3.2 Disposal of media
8.3.3 Physical Media transfer
9 Access Control
9.1 Business requirements for access control
9.1.1 Access control policy
9.1.2 Access to networks and network services
9.2 User access management

9.2.1 User registration and deregistration

9.2.2 User access provisioning


9.2.3 Management of privileged access rights
9.2.4 Management of secret authentication information of users
9.2.5 Review of user access rights
9.2.6 Removal or adjustment of access rights
9.3 User responsibilities
9.3.1 Use of secret authentication information
9.4 Application and information access control
9.4.1 Information access restriction

9.4.2 Sensitive system isolation

9.4.3 Password management system


9.4.4 Use of privileged utility programs
9.4.5 Access control to program source code
10 Cryptography
10.1 Cryptographic controls
10.1.1 Policy on the use of cryptographic controls
10.1.2 Key management
11 Physical and Environmental Security
11.1 Secure Areas
11.1.1 Physical security perimeter
11.1.2 Physical entry controls
11.1.3 Securing offices, rooms and facilities
11.1.4 Protecting against external and environmental attacks
11.1.5 Working in secure areas
11.1.6 Delivery and loading areas
11.2 Equipment security
11.2.1 Equipment siting and protection
11.2.2 Supporting utilities
11.2.3 Cabling Security
11.2.5 Security of equipment off-premises
11.2.4 Equipment maintenance
11.2.5 Removal of assets
11.2.6 Security of equipment and assets off-premises
11.2.7 Secure disposal or re-use of equipment
11.2.8 Unattended user equipment
11.2.9 Clear desk and clear screen policy
12 Operations Security
12.1 Operational procedures and responsibilities
12.1.1 Documented operating procedures
12.1.2 Change management
12.1.3 Capacity management
12.1.4 Separation of development, testing and operational environments
12.2 Protection against malicious and mobile code
12.2.1 Controls against malicious code
12.3 Backup
12.3.1 Information Backup
12.4 Logging and monitoring
12.4.1 Event logging
12.4.2 Protection of log information
12.4.3 Administrator and operator logs
12.4.4 Clock synchronisation
12.5 Control of operational software
12.5.1 Installation of software on operational systems
12.6 Technical Vulnerability Management
12.6.1 Management of technical vulnerabilities
12.6.2 Restrictions on software installation
12.7 Information Systems audit considerations
12.7.1 Information systems audit controls
13 Communications Security
13.1 Network security management

13.1.1 Network controls

13.1.2 Security of network services


13.1.3 Segregation in networks
13.2 Information transfer
13.2.1 Information transfer policies and procedures
13.2.2 Agreements on information transfer
13.2.3 Electronic messaging
13.2.4 Confidentiality or non-disclosure agreements
14 Systems acquisition, development and maintenance
14.1 Security requirements of information systems
14.1.1 Information security requirements analysis and specification
14.1.2 Securing application services on public networks
14.1.3 Protecting application services transactions
14.2 Security in development and support processes
14.2.1 Secure development policy
14.2.2 System change control procedures
14.2.3 Technical review of applications after operating platform changes
14.2.4 Restrictions on changes to software packages
14.2.5 Secure system engineering principles
14.2.6 Secure development environment
14.2.7 Outsourced software development
14.2.8 System security testing
14.2.9 System acceptance testing
14.3 Test data

14.3.1 Protection of test data

15 Supplier relationships
15.1 Information security in supplier relationships
15.1.1 Information security policy for supplier relationships
15.1.2 Addressing security within supplier agreements
15.1.3 Information and communication technology supply chain
15.2 Supplier service delivery management
15.2.1 Monitoring and review of supplier services
15.2.2 Managing changes to supplier services
16 Information security incident management
16.1 Reporting information security events and weaknesses
16.1.1 Responsibilities and procedures
16.1.2 Reporting information security events
16.1.3 Reporting information security weaknesses
16.1.4 Assessment of and decision on information security events
16.1.5 Response to information security incidents
16.1.6 Learning from information security incidents
16.1.7 Collection of evidence

17 Information security aspects of business continuity management


17.1 Information security continuity
17.1.1 Planning information security continuity
17.1.2 Implementing information security continuity
17.1.3 Verify, review and evaluate information security continuity
17.2 Redundancies
17.2.1 Availability of information processing facilities
18 Compliance
18.1 Compliance with legal and contractual requirements
18.1.1 Identification of applicable legislation
18.1.2 Intellectual Property Rights (IPR)
18.1.3 Protection of records
18.1.4 Privacy and protection of personally identifiable information
18.1.5 Regulation of cryptographic controls
18.2 Information security reviews
18.2.1 Independent review of information security
18.2.2 Compliance with security policies and standards
18.2.3 Technical compliance review
ISO/IEC 27002:2005 | NIST SP 800-53r4 Controls
5
5.1
5.1.1
5.1.2 XX-1 controls
6
6.1
XX-1 controls, AC-5, AC-6, CM-9, PM-2; SP
800-39, SP 800-37 and AC-5, AC-6, AC-8, AC-20, AT-2,
6.1.3, 8.1.1 AT-3, CM-9, PL-4, PS-2, PS-6, PS-7, SA-9

10.1.3 AC-5
Multiple controls with contact reference (e.g.,
6.1.6 IR-6, SI-5); SP 800-39; SP 800-37

6.1.7 PM-15, SI-5


NEW CONTROL

11.7.1 AC-1, AC-17, AC-18, AC-19, PL-4, PS-6


11.7.2 AC-1, AC-4, AC-17, AC-18, PE-17, PL-4, PS-6
7

8.1.2 PS-3
8.1.3 AC-16, MP-2, MP-3, SC-16

8.2.1 PL-4, PM-13, PM-14, PS-6, PS-7, SA-9


8.2.2 AT-2, AT-3, IR-2
8.2.3 PS-8

8.3.1 PS-4, PS-5


8

7.1.1 CM-8, CM-9, PM-5


7.1.2 CM-8, CM-9, PM-5
7.1.3 AC-20, PL-4

7.2.1 RA-2
7.2.2 AC-16, MP-2, MP-3, SC-16
10.7.3 MP Family, SI-12

10.7.1 MP Family, PE-16


10.7.2 MP-6
10.8.3 MP-5
9
11.1.1 AC-1, AC-5, AC-6, AC-17, AC-18, AC-19, CM-5, MP-1
11.4.1 AC-1, AC-5, AC-6, AC-17, AC-18, AC-20

11.2.1, 11.5.2 AC-1, AC-2, AC-21, IA-5, PE-1, PE-2 and IA-2, IA-4, IA-5, IA-8 and AC-3, AC-6, AC-14, CM-5

11.2.3 IA-5
11.2.3 IA-5
11.2.4 AC-2, PE-2
8.3.3 AC-2, PS-4, PS-5

11.3.1 IA-2, IA-5

11.6.1 AC-3, AC-6, AC-14, CM-5


AC-7, AC-8, AC-9, AC-10, IA-2, IA-6, IA-8, SC-10 and AC-11, SC-10 and AC-2
11.5.1, 11.5.5, 11.5.6

11.5.3 IA-2, IA-5


11.5.4 AC-3, AC-6
12.4.3 AC-3, AC-6, CM-5, CM-9, MA-5, SA-10
10

12.3.1 Multiple controls address cryptography (e.g., IA-7, SC-8, SC-12, SC-13)
12.3.2 SC-12, SC-17
11

9.1.1 PE-3
9.1.2 PE-3, PE-5, PE-6
9.1.3 PE-3, PE-4, PE-5
9.1.4 CP Family; PE-1, PE-9, PE-10, PE-11, PE-13, PE-15
9.1.5 AT-2, AT-3, PL-4, PS-6, PE-2, PE-3, PE-4, PE-6, PE-8
9.1.6 PE-3, PE-16

9.2.1 PE-1, PE-18


9.2.2 PE-1, PE-9, PE-11, PE-12, PE-14
9.2.3 PE-4, PE-9
9.2.5 SA-9
9.2.4 MA Family
9.2.7 MP-5, PE-16
9.2.5 SA-9
9.2.6 MP-6
11.3.2 AC-11, IA-2, PE-3, PE-5, PE-18, SC-10
11.3.3 AC-11, MP-4
12

10.1.1 AU-1, AU-2, AU-3, AU-4, AU-5, AU-8, AU-11, AU-12


10.1.2 AU-1, AU-6, AU-7, PE-6, PE-8, SC-7, SI-4
10.1.3 AC-5
10.1.4 CM-2

10.4.1 AC-19, AT-2, SA-8, SC-2, SC-3, SC-7, SC-42, SI-3, SI-7

10.5.1 CP-9

10.10.1 AU-1, AU-2, AU-3, AU-4, AU-5, AU-8, AU-11, AU-12


10.10.3 AU-9
10.10.3, 10.10.4 AU-9 and AU-2, AU-12
10.10.6 AU-8

12.4.1 CM-1, CM-2, CM-3, CM-4, CM-5, CM-9, CM-10, CM-11, PL-4

12.6.1 RA-3, RA-5, SI-2, SI-5


NEW CONTROL
11.1
15.3.1 AU-1, AU-2
13

10.6.1 AC-4, AC-17, AC-18, AC-20, CA-3, CP-8, PE-5, SC-7, SC-8, SC-10, SC-19, SC-20, SC-21, SC-22, SC-23
10.6.2 CA-3, SA-9, SC-8
11.4.5 AC-4, SA-8, SC-7

10.8.1 AC-1, AC-3, AC-4, AC-17, AC-18, AC-20, CA-3, PL-4, PS-6, SC-7, SC-16
10.8.2 CA-3, SA-9, SC-8
10.8.4 Multiple controls; electronic messaging not addressed separately in SP 800-53
6.1.5 PL-4, PS-6, SA-9
13

12.1.1 PL-7, PL-8, SA-1, SA-3, SA-4


10.9.1, 10.9.3 AU-10, IA-8, SC-7, SC-8, SC-3
10.9.2

NEW CONTROL
12.5.1 CM-1, CM-3, CM-9, SA-10
12.5.2 CM-3, CM-4, CM-9, SI-2
12.5.3 CM-3, CM-4, CM-5, CM-9
NEW CONTROL
NEW CONTROL
12.5.5 CM-10, CM-11, SA-1, SA-4, SA-8, SA-9, SA-11, SA-12, SA-13, SA-15, SA-17
NEW CONTROL
10.3.2 CA-2, CA-6, CM-3, CM-4, CM-9, SA-11, SA-15
12.4.2 Multiple controls; protection of test data not addressed separately in SP 800-53 (e.g., AC-3, AC-4)

NEW CONTROL
NEW CONTROL
6.2.3 AU-16, CA-2, CA-3, PS-7, SA-9
6.2.3 AU-16, CA-2, CA-3, PS-7, SA-9
NEW CONTROL

10.2.2 SA-9
10.2.3 RA-3, SA-9, SA-10
16

13.2.1 IR-1
13.1.1 AU-6, IR-1, IR-6, SI-4, SI-5
13.1.2 PL-4, SI-2, SI-4, SI-5
NEW CONTROL
NEW CONTROL
13.2.2 IR-4
13.2.3 AU-7, AU-9, IR-4

17

14.1.2 CP-1, CP-2, CP-4


NEW CONTROL
14.1.5 CP-2, CP-4
NEW CONTROL
NEW CONTROL
18

15.1.1 XX-1 controls, IA-7


15.1.2 CM-10
15.1.3 AU-9, AU-11, CP-9, MP-1, MP-4, SA-5, SI-12
15.1.4 Appendix J; SI-12
15.1.6 IA-7, SC-13

6.1.8 CA-2, CA-7; SP 800-39, SP 800-37


15.2.1 XX-1 controls, AC-2, CA-2, CA-7, IA-7, PE-8, SI-12
15.2.2 CA-2, CA-7, RA-5
