NIST Special Publication 800-53 Revision 3

Recommended Security Controls for Federal Information Systems and Organizations

JOINT TASK FORCE TRANSFORMATION INITIATIVE

INFORMATION SECURITY

Computer Security Division Information Technology Laboratory National Institute of Standards and Technology Gaithersburg, MD 20899-8930

August 2009
INCLUDES UPDATES AS OF 05-01-2010

U.S. Department of Commerce
Gary Locke, Secretary

National Institute of Standards and Technology
Patrick D. Gallagher, Deputy Director

APPENDIX H

INTERNATIONAL INFORMATION SECURITY STANDARDS
SECURITY CONTROL MAPPINGS FOR ISO/IEC 27001

The mapping tables in this appendix provide organizations with a general indication of security control coverage with respect to ISO/IEC 27001, Information technology–Security techniques–Information security management systems–Requirements.76 ISO/IEC 27001 applies to all types of organizations (e.g., commercial, government) and specifies requirements for establishing, implementing, operating, monitoring, reviewing, maintaining, and improving a documented information security management system (ISMS) within the context of the organization's overall business risks. While the risk management approach established by NIST originally focused on managing risk from information systems (as required by FISMA and described in NIST Special Publication 800-39), the approach is being expanded to include risk management at the organizational level. A forthcoming version of NIST Special Publication 800-39 will incorporate ISO/IEC 27001 to manage organizational information security risk through the establishment of an ISMS. Since NIST's mission includes the adoption of international and national standards where appropriate, NIST intends to pursue convergence to reduce the burden on organizations that must conform to both sets of standards. The convergence initiative will be carried out in three phases. Phase I, the subject of this appendix, provides a two-way mapping between the security controls in NIST Special Publication 800-53 and the controls in ISO/IEC 27001 (Annex A). Phase II will provide a two-way mapping between the organization-level risk management concepts in NIST Special Publication 800-39 (forthcoming version) and the general requirements in ISO/IEC 27001. Phase III will use the results from Phases I and II to fully integrate ISO/IEC 27001 into NIST's risk management approach, such that an organization that complies with NIST standards and guidelines can also comply with ISO/IEC 27001 (subject to appropriate assessment requirements for ISO/IEC 27001 certification).77

Table H-1 provides a forward mapping from the security controls in NIST Special Publication 800-53 to the controls in ISO/IEC 27001 (Annex A). Table H-2 provides a reverse mapping from the security controls in ISO/IEC 27001 (Annex A) to the security controls in Special Publication 800-53. The mappings are created by using the primary security topic identified in each of the Special Publication 800-53 security controls and associated control enhancements (if any) and searching for a similar security topic in ISO/IEC 27001 (Annex A). Security controls with similar functional meaning are included in the mapping table. For example, Special Publication 800-53 contingency planning and ISO/IEC 27001 (Annex A) business continuity were deemed to have similar, but not the same, functionality. In some cases, similar topics are addressed in the security control sets but provide a different context, perspective, or scope. For example, Special Publication 800-53 addresses information flow control broadly in terms of approved authorizations for controlling access between source and destination objects, whereas ISO/IEC 27001 (Annex A) addresses information flow more narrowly as it applies to interconnected network domains. The use of the term XX-1 controls in mapping Table H-2 refers to the set of security controls represented by the first control in each family in NIST Special Publication 800-53, where XX is a placeholder for the two-letter family identifier. These security controls primarily focus on policies and procedures for each topic area addressed by the respective security control family. Organizations are encouraged to use the mapping tables as a starting point for conducting further analyses and interpretation of the extent of compliance with ISO/IEC 27001 from compliance with the NIST security standards and guidelines, and vice versa. Organizations that use the security controls in Special Publication 800-53 as an extension to the security controls in Annex A in their ISO/IEC 27001 implementations will have a higher probability of complying with NIST security standards and guidelines than those organizations that use only Annex A.

76 ISO/IEC 27001 was published in October 2005 by the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC).

APPENDIX H PAGE H-1

TABLE H-1: MAPPING NIST SP 800-53 TO ISO/IEC 27001 (ANNEX A)

NIST SP 800-53 CONTROLS
[ISO/IEC 27001 (Annex A) CONTROLS column not recoverable from this copy of the table; SP 800-53 control identifiers and titles only]

AC-1   Access Control Policy and Procedures
AC-2   Account Management
AC-3   Access Enforcement
AC-4   Information Flow Enforcement
AC-5   Separation of Duties
AC-6   Least Privilege
AC-7   Unsuccessful Login Attempts
AC-8   System Use Notification
AC-9   Previous Logon (Access) Notification
AC-10  Concurrent Session Control
AC-11  Session Lock
AC-12  Withdrawn
AC-13  Withdrawn
AC-14  Permitted Actions without Identification or Authentication
AC-15  Withdrawn
AC-16  Security Attributes
AC-17  Remote Access
AC-18  Wireless Access
AC-19  Access Control for Mobile Devices
AC-20  Use of External Information Systems
AC-21  User-Based Collaboration and Information Sharing
AC-22  Publicly Accessible Content
AT-1   Security Awareness and Training Policy and Procedures
AT-2   Security Awareness
AT-3   Security Training
AT-4   Security Training Records
AT-5   Contacts with Security Groups and Associations
AU-1   Audit and Accountability Policy and Procedures
AU-2   Auditable Events
AU-3   Content of Audit Records
AU-4   Audit Storage Capacity
AU-5   Response to Audit Processing Failures
AU-6   Audit Review, Analysis, and Reporting
AU-7   Audit Reduction and Report Generation
AU-8   Time Stamps
AU-9   Protection of Audit Information
AU-10  Non-repudiation
AU-11  Audit Record Retention

AU-12  Audit Generation
AU-13  Monitoring for Information Disclosure
AU-14  Session Audit
CA-1   Security Assessment and Authorization Policies and Procedures
CA-2   Security Assessments
CA-3   Information System Connections
CA-4   Withdrawn
CA-5   Plan of Action and Milestones
CA-6   Security Authorization
CA-7   Continuous Monitoring
CM-1   Configuration Management Policy and Procedures
CM-2   Baseline Configuration
CM-3   Configuration Change Control
CM-4   Security Impact Analysis
CM-5   Access Restrictions for Change
CM-6   Configuration Settings
CM-7   Least Functionality
CM-8   Information System Component Inventory
CM-9   Configuration Management Plan
CP-1   Contingency Planning Policy and Procedures
CP-2   Contingency Plan
CP-3   Contingency Training
CP-4   Contingency Plan Testing and Exercises
CP-5   Withdrawn
CP-6   Alternate Storage Site
CP-7   Alternate Processing Site
CP-8   Telecommunications Services
CP-9   Information System Backup
CP-10  Information System Recovery and Reconstitution
IA-1   Identification and Authentication Policy and Procedures
IA-2   Identification and Authentication (Organizational Users)
IA-3   Device Identification and Authentication
IA-4   Identifier Management
IA-5   Authenticator Management
IA-6   Authenticator Feedback
IA-7   Cryptographic Module Authentication
IA-8   Identification and Authentication (Non-Organizational Users)
IR-1   Incident Response Policy and Procedures
IR-2   Incident Response Training
IR-3   Incident Response Testing and Exercises
IR-4   Incident Handling
IR-5   Incident Monitoring
IR-6   Incident Reporting
IR-7   Incident Response Assistance
IR-8   Incident Response Plan
MA-1   System Maintenance Policy and Procedures
MA-2   Controlled Maintenance

MA-3   Maintenance Tools
MA-4   Non-Local Maintenance
MA-5   Maintenance Personnel
MA-6   Timely Maintenance
MP-1   Media Protection Policy and Procedures
MP-2   Media Access
MP-3   Media Marking
MP-4   Media Storage
MP-5   Media Transport
MP-6   Media Sanitization
PE-1   Physical and Environmental Protection Policy and Procedures
PE-2   Physical Access Authorizations
PE-3   Physical Access Control
PE-4   Access Control for Transmission Medium
PE-5   Access Control for Output Devices
PE-6   Monitoring Physical Access
PE-7   Visitor Control
PE-8   Access Records
PE-9   Power Equipment and Power Cabling
PE-10  Emergency Shutoff
PE-11  Emergency Power
PE-12  Emergency Lighting
PE-13  Fire Protection
PE-14  Temperature and Humidity Controls
PE-15  Water Damage Protection
PE-16  Delivery and Removal
PE-17  Alternate Work Site
PE-18  Location of Information System Components
PE-19  Information Leakage
PL-1   Security Planning Policy and Procedures
PL-2   System Security Plan
PL-3   Withdrawn
PL-4   Rules of Behavior
PL-5   Privacy Impact Assessment
PL-6   Security-Related Activity Planning
PS-1   Personnel Security Policy and Procedures
PS-2   Position Categorization
PS-3   Personnel Screening
PS-4   Personnel Termination
PS-5   Personnel Transfer
PS-6   Access Agreements
PS-7   Third-Party Personnel Security
PS-8   Personnel Sanctions
RA-1   Risk Assessment Policy and Procedures
RA-2   Security Categorization
RA-3   Risk Assessment
RA-4   Withdrawn
RA-5   Vulnerability Scanning
SA-1   System and Services Acquisition Policy and Procedures
SA-2   Allocation of Resources

SA-3   Life Cycle Support
SA-4   Acquisitions
SA-5   Information System Documentation
SA-6   Software Usage Restrictions
SA-7   User-Installed Software
SA-8   Security Engineering Principles
SA-9   External Information System Services
SA-10  Developer Configuration Management
SA-11  Developer Security Testing
SA-12  Supply Chain Protections
SA-13  Trustworthiness
SA-14  Critical Information System Components
SC-1   System and Communications Protection Policy and Procedures
SC-2   Application Partitioning
SC-3   Security Function Isolation
SC-4   Information in Shared Resources
SC-5   Denial of Service Protection
SC-6   Resource Priority
SC-7   Boundary Protection
SC-8   Transmission Integrity
SC-9   Transmission Confidentiality
SC-10  Network Disconnect
SC-11  Trusted Path
SC-12  Cryptographic Key Establishment and Management
SC-13  Use of Cryptography
SC-14  Public Access Protections
SC-15  Collaborative Computing Devices
SC-16  Transmission of Security Attributes
SC-17  Public Key Infrastructure Certificates
SC-18  Mobile Code
SC-19  Voice Over Internet Protocol
SC-20  Secure Name/Address Resolution Service (Authoritative Source)
SC-21  Secure Name/Address Resolution Service (Recursive or Caching Resolver)
SC-22  Architecture and Provisioning for Name/Address Resolution Service
SC-23  Session Authenticity
SC-24  Fail in Known State
SC-25  Thin Nodes
SC-26  Honeypots
SC-27  Operating System-Independent Applications
SC-28  Protection of Information at Rest
SC-29  Heterogeneity
SC-30  Virtualization Techniques
SC-31  Covert Channel Analysis
SC-32  Information System Partitioning
SC-33  Transmission Preparation Integrity
SC-34  Non-Modifiable Executable Programs
SI-1   System and Information Integrity Policy and Procedures
SI-2   Flaw Remediation
SI-3   Malicious Code Protection
SI-4   Information System Monitoring

SI-5   Security Alerts, Advisories, and Directives
SI-6   Security Functionality Verification
SI-7   Software and Information Integrity
SI-8   Spam Protection
SI-9   Information Input Restrictions
SI-10  Information Input Validation
SI-11  Error Handling
SI-12  Information Output Handling and Retention
SI-13  Predictable Failure Prevention
PM-1   Information Security Program Plan
PM-2   Senior Information Security Officer
PM-3   Information Security Resources
PM-4   Plan of Action and Milestones Process
PM-5   Information System Inventory
PM-6   Information Security Measures of Performance
PM-7   Enterprise Architecture
PM-8   Critical Infrastructure Plan
PM-9   Risk Management Strategy
PM-10  Security Authorization Process
PM-11  Mission/Business Process Definition

TABLE H-2: MAPPING ISO/IEC 27001 (ANNEX A) TO NIST SP 800-53

ISO/IEC 27001 (Annex A) CONTROLS
[NIST SP 800-53 CONTROLS column not recoverable from this copy of the table; Annex A control identifiers and titles only]

A.5       Security Policy
A.5.1     Information security policy
A.5.1.1   Information security policy document
A.5.1.2   Review of the information security policy
A.6       Organization of information security
A.6.1     Internal organization
A.6.1.1   Management commitment to information security
A.6.1.2   Information security coordination
A.6.1.3   Allocation of information security responsibilities
A.6.1.4   Authorization process for information processing facilities
A.6.1.5   Confidentiality agreements
A.6.1.6   Contact with authorities
A.6.1.7   Contact with special interest groups
A.6.1.8   Independent review of information security
A.6.2     External Parties
A.6.2.1   Identification of risks related to external parties
A.6.2.2   Addressing security when dealing with customers
A.6.2.3   Addressing security in third party agreements
A.7       Asset Management
A.7.1     Responsibility for assets
A.7.1.1   Inventory of assets
A.7.1.2   Ownership of assets
A.7.1.3   Acceptable use of assets
A.7.2     Information Classification
A.7.2.1   Classification Guidelines
A.7.2.2   Information labeling and handling
A.8       Human Resources Security
A.8.1     Prior to Employment
A.8.1.1   Roles and Responsibilities
A.8.1.2   Screening
A.8.1.3   Terms and conditions of employment
A.8.2     During employment
A.8.2.1   Management responsibilities
A.8.2.2   Awareness, education, and training
A.8.2.3   Disciplinary process
A.8.3     Termination or change of employment
A.8.3.1   Termination responsibilities
A.8.3.2   Return of assets
A.8.3.3   Removal of access rights
A.9       Physical and environmental security
A.9.1     Secure areas
A.9.1.1   Physical security perimeter
A.9.1.2   Physical entry controls
A.9.1.3   Securing offices, rooms, and facilities
A.9.1.4   Protecting against external and environmental threats
A.9.1.5   Working in secure areas
A.9.1.6   Public access, delivery and loading areas
A.9.2     Equipment security
A.9.2.1   Equipment siting and protection
A.9.2.2   Supporting utilities
A.9.2.3   Cabling security
A.9.2.4   Equipment maintenance

A.9.2.5   Security of equipment off-premises
A.9.2.6   Secure disposal or reuse of equipment
A.9.2.7   Removal of property
A.10      Communications and operations management
A.10.1    Operational procedures and responsibilities
A.10.1.1  Documented operating procedures
A.10.1.2  Change management
A.10.1.3  Segregation of duties
A.10.1.4  Separation of development, test and operational facilities
A.10.2    Third-party service delivery management
A.10.2.1  Service delivery
A.10.2.2  Monitoring and review of third-party services
A.10.2.3  Managing changes to third-party services
A.10.3    System planning and acceptance
A.10.3.1  Capacity management
A.10.3.2  System acceptance
A.10.4    Protection against malicious and mobile code
A.10.4.1  Controls against malicious code
A.10.4.2  Controls against mobile code
A.10.5    Backup
A.10.5.1  Information backup
A.10.6    Network security management
A.10.6.1  Network controls
A.10.6.2  Security of network services
A.10.7    Media handling
A.10.7.1  Management of removable media
A.10.7.2  Disposal of media
A.10.7.3  Information handling procedures
A.10.7.4  Security of system documentation
A.10.8    Exchange of information
A.10.8.1  Information exchange policies and procedures
A.10.8.2  Exchange agreements
A.10.8.3  Physical media in transit
A.10.8.4  Electronic messaging
A.10.8.5  Business information systems
A.10.9    Electronic commerce services
A.10.9.1  Electronic commerce
A.10.9.2  Online transactions
A.10.9.3  Publicly available information
A.10.10   Monitoring
A.10.10.1 Audit logging
A.10.10.2 Monitoring system use
A.10.10.3 Protection of log information
A.10.10.4 Administrator and operator logs
A.10.10.5 Fault logging
A.10.10.6 Clock synchronization
A.11      Access Control
A.11.1    Business requirement for access control
A.11.1.1  Access control policy
A.11.2    User access management
A.11.2.1  User registration
A.11.2.2  Privilege management
A.11.2.3  User password management

A.11.2.4  Review of user access rights
A.11.3    User responsibilities
A.11.3.1  Password use
A.11.3.2  Unattended user equipment
A.11.3.3  Clear desk and clear screen policy
A.11.4    Network access control
A.11.4.1  Policy on use of network services
A.11.4.2  User authentication for external connections
A.11.4.3  Equipment identification in networks
A.11.4.4  Remote diagnostic and configuration port protection
A.11.4.5  Segregation in networks
A.11.4.6  Network connection control
A.11.4.7  Network routing control
A.11.5    Operating system access control
A.11.5.1  Secure log-on procedures
A.11.5.2  User identification and authentication
A.11.5.3  Password management system
A.11.5.4  Use of system utilities
A.11.5.5  Session time-out
A.11.5.6  Limitation of connection time
A.11.6    Application and information access control
A.11.6.1  Information access restriction
A.11.6.2  Sensitive system isolation
A.11.7    Mobile computing and teleworking
A.11.7.1  Mobile computing and communications
A.11.7.2  Teleworking
A.12      Information systems acquisition, development and maintenance
A.12.1    Security requirements of information systems
A.12.1.1  Security requirements analysis and specification
A.12.2    Correct processing in applications
A.12.2.1  Input data validation
A.12.2.2  Control of internal processing
A.12.2.3  Message integrity
A.12.2.4  Output data validation
A.12.3    Cryptographic controls
A.12.3.1  Policy on the use of cryptographic controls
A.12.3.2  Key management
A.12.4    Security of system files
A.12.4.1  Control of operational software
A.12.4.2  Protection of system test data
A.12.4.3  Access control to program source code
A.12.5    Security in development and support processes
A.12.5.1  Change control procedures
A.12.5.2  Technical review of applications after operating system changes
A.12.5.3  Restrictions on changes to software packages
A.12.5.4  Information leakage
A.12.5.5  Outsourced software development
A.12.6    Technical Vulnerability Management
A.12.6.1  Control of technical vulnerabilities
A.13      Information security incident management
A.13.1    Reporting information security events and weaknesses
A.13.1.1  Reporting information security events

A.13.1.2  Reporting security weaknesses
A.13.2    Management of information security incidents and improvements
A.13.2.1  Responsibilities and procedures
A.13.2.2  Learning from information security incidents
A.13.2.3  Collection of evidence
A.14      Business continuity management
A.14.1    Information security aspects of business continuity management
A.14.1.1  Including information security in the business continuity management process
A.14.1.2  Business continuity and risk assessment
A.14.1.3  Developing and implementing continuity plans including information security
A.14.1.4  Business continuity planning framework
A.14.1.5  Testing, maintaining and reassessing business continuity plans
A.15      Compliance
A.15.1    Compliance with legal requirements
A.15.1.1  Identification of applicable legislation
A.15.1.2  Intellectual property rights (IPR)
A.15.1.3  Protection of organizational records
A.15.1.4  Data protection and privacy of personal information
A.15.1.5  Prevention of misuse of information processing facilities
A.15.1.6  Regulation of cryptographic controls
A.15.2    Compliance with security policies and standards, and technical compliance
A.15.2.1  Compliance with security policies and standards
A.15.2.2  Technical compliance checking
A.15.3    Information systems audit considerations
A.15.3.1  Information systems audit controls
A.15.3.2  Protection of information systems audit tools
