Scribd Logo
Carica

Benvenuto in Scribd!

  • Mapping of NIST CSF To ISO

    Caricato da

    pushpendrasb
    1K visualizzazioni9 pagine
    Mapping of NIST CSF to ISO

    Titolo originale

    Mapping of NIST CSF to ISO

    Copyright

    © © All Rights Reserved

    Formati disponibili

    XLSX, PDF, TXT o leggi online da Scribd

    Hai trovato utile questo documento?

    Questo contenuto è inappropriato?

    Segnala questo documento
    Mapping of NIST CSF to ISO

    Copyright:

    © All Rights Reserved
    Scarica in formato XLSX, PDF, TXT o leggi online su Scribd
    Segnala contenuti inappropriati
    1K visualizzazioni9 pagine

    Mapping of NIST CSF To ISO

    Caricato da

    pushpendrasb
    Mapping of NIST CSF to ISO

    Copyright:

    © All Rights Reserved
    Scarica in formato XLSX, PDF, TXT o leggi online su Scribd
    Segnala contenuti inappropriati
    di 9

    Section No.

    Section Name
    1 Information Technology Governance

    1.1 Roles and Responsibilities

    1.2 IT Governance Structure


    1.3 Recommended Roles and Responsibilities

    2 IT Governance Policy and Procedure

    3 Information Security Governance

    4 Information Security Policy and Procedures

    4.1 Access Control

    4.2 Information security and information asset life


    cycle

    4.3 Physical & Environmental Security

    4.4 User training and awareness


    4.5 Incident management

    4.6 Application Control Security

    4.7 Migration controls

    4.8 Implementation of new technologies

    4.9 Cryptography Controls

    4.10 Data Security

    4.11 Vulnerability Assessment

    4.12 Patch Management


    4.13 Change Management

    4.14 Audit trails

    4.15 Information security and Critical service


    providers/ vendors

    4.16 Network security

    4.17 Remote Access


    4.18 Wireless Security
    4.19 Business Continuity Consideration

    4.20 Information Security Assurance


    5 IT Services Outsourcing
    6 IS Audit
    ISO 27001

    ISO/IEC 27001:2013 A.6.1.1, A.7.2.1

    ISO/IEC 27001:2013 A.6.1.1, A.7.2.1

    ISO/IEC 27001:2013 A.5.1.1, A.6.1.1, A.7.2.1, A.18.1

    ISO/IEC 27001:2013 A.5.1.1, A.6.1.1, A.7.2.1, A.18.1

    ISO/IEC 27001:2013 A.5.1.1, A.6.1.1, A.7.2.1

    ISO/IEC 27001:2013 A.9.2.1, A.9.2.2, A.9.2.4, A.9.3.1, A.9.4.2, A.9.4.3,


    A.11.1.1, A.11.1.2, A.11.1.4, A.11.1.6, A.11.2.3, A.6.2.2, A.13.1.1, A.13.2.1, .
    6.1.2, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.13.1.3,

    ISO/IEC 27001:2013 A.8.1.1, A.8.1.2, A.13.2.1, A.11.2.6, A.8.2.1, A.6.1.1,

    ISO/IEC 27001:2013 A.11.1.1, A.11.1.2, A.11.1.4, A.11.1.6, A.11.2.3

    ISO/IEC 27001:2013 A.7.2.2, A.6.1.1,


    ISO/IEC 27001:2013 A.16.1.6, A.16.1.4, A.12.2.1, A.16.1.5

    ISO/IEC 27001:2013 A.12.6.1, A.18.2.2

    ISO/IEC 27001:2013 A.6.1.5, A.14.1.1, A.14.2.1, A.14.2.5

    ISO/IEC 27001:2013 A.6.1.5, A.14.1.1, A.14.2.1, A.14.2.5

    ISO/IEC 27001:2013 A.10.1.1, A.10.1.2

    ISO/IEC 27001:2013 A.8.2.3, A.13.1.1, A.13.2.1, A.13.2.3, A.14.1.2, A.14.1.3,


    A.8.3.1, A.8.3.2, A.8.3.3, A.11.2.7, A.12.3.1, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1,
    A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, A.13.1.3,
    A.13.2.1, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.12.2.1, A.12.5.1, A.14.1.2,
    A.14.1.3, A.12.1.4

    ISO/IEC 27001:2013 A.12.6.1, A.18.2.2

    ISO/IEC 27001:2013 A.12.1.2, A.12.5.1, A.12.6.2, A.14.2.2, A.14.2.3,


    A.14.2.4. A.12.1.4, A.14.2.4
    ISO/IEC 27001:2013 A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1

    ISO/IEC 27001:2013 A.11.2.4, A.15.1.1, A.15.2.1

    ISO/IEC 27001:2013 A.13.1.1, A.13.2.1, A.13.1.1, A.13.1.3, A.13.2.1

    ISO/IEC 27001:2013 A.6.2.2, A.13.1.1, A.13.2.1


    ISO/IEC 27001:2013 A.16.1.1, A.17.1.1, A.17.1.2, A.17.1.3

    ISO/IEC 27001:2013 A.12.7.1


    ISO/IEC 27001:2013 A.14.2.7
    ISO/IEC 27001:2013 A.12.7.1
    NIST Cyber Security Framework
    ID.GV-4: Governance and risk management
    processes address cybersecurity risks
    ID.GV-2: Information security roles &
    responsibilities are coordinated and aligned with
    internal roles and external partners

    ID.GV-2: Information security roles &


    responsibilities are coordinated and aligned with
    internal roles and external partners
    Governance (ID.GV): The policies, procedures,
    and processes to manage and monitor the
    organization’s regulatory, legal, risk,
    environmental, and operational requirements are
    understood and inform the management of
    cybersecurity risk.
    Governance (ID.GV): The policies, procedures,
    and processes to manage and monitor the
    organization’s regulatory, legal, risk,
    environmental, and operational requirements are
    understood and inform the management of
    cybersecurity risk.
    ID.GV-1: Organizational information security
    policy is established
    ID.GV-2: Information security roles &
    responsibilities are coordinated and aligned with
    internal roles and external partners

    Access Control (PR.AC): Access to assets and


    associated facilities is limited to authorized users,
    processes, or devices, and to authorized activities
    and transactions.

    Asset Management (ID.AM): The data, personnel,


    devices, systems, and facilities that enable the
    organization to achieve business purposes are
    identified and managed consistent with their
    relative importance to business objectives and the
    organization’s risk strategy.

    PR.AC-2: Physical access to assets is managed and


    protected
    Awareness and Training (PR.AT): The
    organization’s personnel and partners are
    provided cybersecurity awareness education and
    are adequately trained to perform their
    information security-related duties and
    responsibilities consistent with related policies,
    procedures, and agreements.
    DE.AE-5: Incident alert thresholds are
    established
    DE.AE-4: Impact of events is determined
    RS.AN-2: The impact of the incident is
    understood
    RS.AN-4: Incidents are categorized consistent
    with response plans
    RS.MI-1: Incidents are contained
    RS.MI-2: Incidents are mitigated

    PR.IP-12: A vulnerability management plan is


    developed and implemented
    PR.IP-2: A System Development Life Cycle to
    manage systems is implemented
    PR.IP-2: A System Development Life Cycle to
    manage systems is implemented
    PR.DS-1: Data-at-rest is protected
    PR.DS-2: Data-in-transit is protected
    Data Security (PR.DS): Information and records
    (data) are managed consistent with the
    organization’s risk strategy to protect the
    confidentiality, integrity, and availability of
    information.

    PR.IP-12: A vulnerability management plan is


    developed and implemented

    PR.IP-3: Configuration change control processes


    are in place
    DE.AE-3: Event data are aggregated and
    correlated from multiple sources and sensors
    PR.PT-1: Audit/log records are determined,
    documented, implemented, and reviewed in
    accordance with policy

    ID.GV-2: Information security roles &


    responsibilities are coordinated and aligned with
    internal roles and external partners
    PR.MA-2: Remote maintenance of organizational
    assets is approved, logged, and performed in a
    manner that prevents unauthorized access
    DE.CM-6: External service provider activity is
    monitored to detect potential cybersecurity events

    PR.PT-4: Communications and control networks


    are protected
    PR.AC-5: Network integrity is protected,
    incorporating network segregation where
    appropriate
    PR.AC-3: Remote access is managed
    PR.IP-9: Response plans (Incident Response and
    Business Continuity) and recovery plans (Incident
    Recovery and Disaster Recovery) are in place and
    managed
    PR.IP-10: Response and recovery plans are tested

    Potrebbero piacerti anche