NIST Special Publication 800-53 Revision 3

Recommended Security Controls for Federal Information Systems and Organizations

JOINT TASK FORCE TRANSFORMATION INITIATIVE

INFORMATION

S E C U R I T Y

Computer Security Division Information Technology Laboratory National Institute of Standards and Technology Gaithersburg, MD 20899-8930

August 2009
INCLUDES UPDATES AS OF 05-01-2010

U.S. Department of Commerce

Gary Locke, Secretary

National Institute of Standards and Technology

Patrick D. Gallagher, Deputy Director

Special Publication 800-53

Recommended Security Controls for Federal Information Systems and Organizations

________________________________________________________________________________________________

APPENDIX H

INTERNATIONAL INFORMATION SECURITY STANDARDS

SECURITY CONTROL MAPPINGS FOR ISO/IEC 27001

he mapping tables in this appendix provide organizations with a general indication of security control coverage with respect to ISO/IEC 27001, Information technologySecurity techniquesInformation security management systemsRequirements.76 ISO/IEC 27001 applies to all types of organizations (e.g., commercial, government) and specifies requirements for establishing, implementing, operating, monitoring, reviewing, maintaining, and improving a documented information security management system (ISMS) within the context of the organizations overall business risks. While the risk management approach established by NIST originally focused on managing risk from information systems (as required by FISMA and described in NIST Special Publication 800-39), the approach is being expanded to include risk management at the organizational level. A forthcoming version of NIST Special Publication 80039 will incorporate ISO/IEC 27001 to manage organizational information security risk through the establishment of an ISMS. Since NISTs mission includes the adoption of international and national standards where appropriate, NIST intends to pursue convergence to reduce the burden on organizations that must conform to both sets of standards. The convergence initiative will be carried out in three phases. Phase I, the subject of this appendix, provides a two-way mapping between the security controls in NIST Special Publication 800-53 and the controls in ISO/IEC 27001 (Annex A). Phase II will provide a two-way mapping between the organization-level risk management concepts in NIST Special Publication 800-39 (forthcoming version) and general requirements in ISO/IEC 27001. Phase III will use the results from Phase I and II to fully integrate ISO/IEC 27001 into NISTs risk management approach such that an organization that complies with NIST standards and guidelines can also comply with ISO/IEC 27001 (subject to appropriate assessment requirements for ISO/IEC 27001 certification). Table H-1 provides a forward mapping from the security controls in NIST Special Publication 800-53 to the controls in ISO/IEC 27001 (Annex A). The mappings are created by using the primary security topic identified in each of the Special Publication 800-53 security controls and associated control enhancements (if any) and searching for a similar security topic in ISO/IEC 27001 (Annex A). Security controls with similar functional meaning are included in the mapping table. For example, Special Publication 800-53 contingency planning and ISO/IEC 27001 (Annex A) business continuity were deemed to have similar, but not the same, functionality. In some cases, similar topics are addressed in the security control sets but provide a different context, perspective, or scope. For example, Special Publication 800-53 addresses information flow control broadly in terms of approved authorizations for controlling access between source and destination objects, whereas ISO/IEC 27001 (Annex A) addresses the information flow more narrowly as it applies to interconnected network domains. Table H-2 provides a reverse mapping from the security controls in ISO/IEC 27001 (Annex A) to the security controls in Special Publication 800-53.77

76

ISO/IEC 27001 was published in October 2005 by the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC). The use of the term XX-1 controls in mapping Table H-2 refers to the set of security controls represented by the first control in each family in NIST Special Publication 800-53, where XX is a placeholder for the two-letter family identifier. These security controls primarily focus on policies and procedures for each topic area addressed by the respective security control family.

77

APPENDIX H

PAGE H-1

Special Publication 800-53

Recommended Security Controls for Federal Information Systems and Organizations

________________________________________________________________________________________________

Organizations are encouraged to use the mapping tables as a starting point for conducting further analyses and interpretation of the extent of compliance with ISO/IEC 27001 from compliance with the NIST security standards and guidelines and visa versa. Organizations that use the security controls in Special Publication 800-53 as an extension to the security controls in Annex A in their ISO/IEC 27001 implementations will have a higher probability of complying with NIST security standards and guidelines than those organizations that use only Annex A.
TABLE H-1: MAPPING NIST SP 800-53 TO ISO/IEC 27001 (ANNEX A)

NIST SP 800-53 CONTROLS

AC-1 Access Control Policy and Procedures

ISO/IEC 27001 (Annex A) CONTROLS

A5.1.1, A5.1.2, A.6.1.1, A.6.1.3, A.8.1.1, A10.1.1, A.10.8.1, A.11.1.1, A.11.2.1, A11.2.2, A11.4.1, A.11.7.1, A.11.7.2, A.15.1.1, A.15.2.1 A.8.3.3, A.11.2.1, A.11.2.2, A.11.2.4, A15.2.1 A.10.8.1 A.11.4.4, A.11.4.6, A.11.5.4, A.11.6.1, A.12.4.2 A.10.6.1, A.10.8.1, A.11.4.5, A.11.4.7, A.11.7.2, A.12.4.2, A.12.5.4 A.6.1.3, A.8.1.1, A.10.1.3, A.11.1.1, A.11.4.1 A.6.1.3, A.8.1.1, A.11.1.1, A.11.2.2, A.11.4.1, A.11.4.4, A.11.4.6, A.11.5.4, A.11.6.1, A.12.4.3 A.11.5.1 A.6.2.2, A.8.1.1, A.11.5.1, A.15.1.5 A.11.5.1 A.11.5.1 A.11.3.2, A.11.3.3, A.11.5.5 ----A.11.6.1 --A.7.2.2 A.10.6.1, A.10.8.1, A.11.1.1, A.11.4.1, A.11.4.2, A.11.4.4, A.11.4.6, A.11.4.7, A.11.7.1, A.11.7.2 A.10.6.1, A.10.8.1, A.11.1.1, A.11.4.1, A.11.4.2, A.11.4.4, A.11.4.6, A.11.4.7, A.11.7.1, A.11.7.2 A.10.4.1, A.11.1.1, A.11.4.3, A.11.7.1 A.7.1.3, A.8.1.1, A.8.1.3, A.10.6.1, A.10.8.1, A.11.4.1, A.11.4.2 A.11.2.1, A.11.2.2 None A.5.1.1, A.5.1.2, A.6.1.1, A.6.1.3, A.8.1.1, A.10.1.1, A.15.1.1, A.15.2.1 A.6.2.2, A.8.1.1, A.8.2.2, A.9.1.5, A.10.4.1 A.8.1.1, A.8.2.2, A.9.1.5 None A.6.1.7 A.5.1.1, A.5.1.2, A.6.1.1, A.6.1.3, A.8.1.1, A.10.1.1, A.10.10.2, A.15.1.1, A.15.2.1, A.15.3.1 A.10.10.1, A.10.10.4, A.10.10.5, A.15.3.1 A.10.10.1 A.10.10.1, A.10.3.1 A.10.3.1, A.10.10.1 A.10.10.2, A.10.10.5, A.13.1.1, A.15.1.5 A.10.10.2 A.10.10.1, A.10.10.6 A.10.10.3, A.13.2.3, A.15.1.3, A.15.3.2 A.10.9.1, A.12.2.3 A.10.10.1, A.10.10.2, A.15.1.3

AC-2 AC-3 AC-4 AC-5 AC-6 AC-7 AC-8 AC-9 AC-10 AC-11 AC-12 AC-13 AC-14 AC-15 AC-16 AC-17 AC-18 AC-19 AC-20 AC-21 AC-22 AT-1 AT-2 AT-3 AT-4 AT-5 AU-1 AU-2 AU-3 AU-4 AU-5 AU-6 AU-7 AU-8 AU-9 AU-10 AU-11

Account Management Access Enforcement Information Flow Enforcement Separation of Duties Least Privilege Unsuccessful Login Attempts System Use Notification Previous Logon (Access) Notification Concurrent Session Control Session Lock Withdrawn Withdrawn Permitted Actions without Identification or Authentication Withdrawn Security Attributes Remote Access Wireless Access Access Control for Mobile Devices Use of External Information Systems User-Based Collaboration and Information Sharing Publicly Accessible Content Security Awareness and Training Policy and Procedures Security Awareness Security Training Security Training Records Contacts with Security Groups and Associations Audit and Accountability Policy and Procedures Auditable Events Content of Audit Records Audit Storage Capacity Response to Audit Processing Failures Audit Review, Analysis, and Reporting Audit Reduction and Report Generation Time Stamps Protection of Audit Information Non-repudiation Audit Record Retention

APPENDIX H

PAGE H-2

Special Publication 800-53

Recommended Security Controls for Federal Information Systems and Organizations

________________________________________________________________________________________________

NIST SP 800-53 CONTROLS

AU-12 AU-13 AU-14 CA-1 CA-2 CA-3 CA-4 CA-5 CA-6 CA-7 CM-1 CM-2 CM-3 CM-4 CM-5 CM-6 CM-7 CM-8 CM-9 CP-1 CP-2 CP-3 CP-4 CP-5 CP-6 CP-7 CP-8 CP-9 CP-10 IA-1 IA-2 IA-3 IA-4 IA-5 IA-6 IA-7 IA-8 IR-1 IR-2 IR-3 IR-4 IR-5 IR-6 IR-7 IR-8 MA-1 MA-2 Audit Generation Monitoring for Information Disclosure Session Audit Security Assessment and Authorization Policies and Procedures Security Assessments Information System Connections Withdrawn Plan of Action and Milestones Security Authorization Continuous Monitoring Configuration Management Policy and Procedures Baseline Configuration Configuration Change Control Security Impact Analysis Access Restrictions for Change Configuration Settings Least Functionality Information System Component Inventory Configuration Management Plan Contingency Planning Policy and Procedures Contingency Plan Contingency Training Contingency Plan Testing and Exercises Withdrawn Alternate Storage Site Alternate Processing Site Telecommunications Services Information System Backup Information System Recovery and Reconstitution Identification and Authentication Policy and Procedures Identification and Authentication (Organizational Users) Device Identification and Authentication Identifier Management Authenticator Management Authenticator Feedback Cryptographic Module Authentication Identification and Authentication (NonOrganizational Users) Incident Response Policy and Procedures Incident Response Training Incident Response Testing and Exercises Incident Handling Incident Monitoring Incident Reporting Incident Response Assistance Incident Response Plan System Maintenance Policy and Procedures Controlled Maintenance

ISO/IEC 27001 (Annex A) CONTROLS

A.10.10.1, A.10.10.4, A.10.10.5 None None A.5.1.1, A.5.1.2, A.6.1.1, A.6.1.3 A.6.1.4, A.8.1.1, A.10.1.1, A.15.1.1, A.15.2.1 A.6.1.8, A.10.3.2, A.15.2.1, A.15.2.2 A.6.2.1, A.6.2.3, A.10.6.1, A.10.8.1, A.10.8.2, A.10.8.5, A.11.4.2 --None A.6.1.4, A.10.3.2 A.6.1.8, A.15.2.1, A.15.2.2 A.5.1.1, A.5.1.2, A.6.1.1, A.6.1.3, A.8.1.1, A.10.1.1, A.10.1.2, A.12.4.1, A.12.5.1, A.15.1.1, A.15.2.1 A.12.4.1, A.10.1.4 A.10.1.1, A.10.1.2, A.10.3.2, A.12.4.1, A.12.5.1, A.12.5.2, A.12.5.3 A.10.1.2, A.10.3.2, A.12.4.1, A.12.5.2, A.12.5.3 A.10.1.2, A.11.1.1, A.11.6.1, A.12.4.1, A.12.4.3, A.12.5.3 None None A.7.1.1, A.7.1.2 A.6.1.3. A.7.1.1, A.7.1.2, A.8.1.1, A.10.1.1, A.10.1.2, A.10.3.2, A.12.4.1, A.12.4.3, A.12.5.1, A.12.5.2, A.12.5.3 A.5.1.1, A.5.1.2, A.6.1.1, A.6.1.3, A.8.1.1, A.9.1.4, A.10.1.1, A.10.1.2, A.14.1.1, A.14.1.3, A.15.1.1, A.15.2.1 A.6.1.2, A.9.1.4, A.10.3.1, A.14.1.1, A.14.1.2, A.14.1.3, A.14.1.4, A.14.1.5 A.8.2.2, A.9.1.4, A.14.1.3 A.6.1.2, A.9.1.4, A.14.1.1, A.14.1.3, A.14.1.4, A.14.1.5 --A.9.1.4, A.14.1.3 A.9.1.4, A.14.1.3 A.9.1.4, A.10.6.1, A.14.1.3 A.9.1.4, A.10.5.1, A.14.1.3, A.15.1.3 A.9.1.4, A.14.1.3 A.5.1.1, A.5.1.2, A.6.1.1, A.6.1.3, A.8.1.1, A.10.1.1, A.11.2.1, A.15.1.1, A.15.2.1 A.11.3.2, A.11.5.1, A.11.5.2, A.11.5.3 A.11.4.3 A.11.5.2 A.11.2.1, A.11.2.3, A.11.3.1, A.11.5.2, A.11.5.3 A.11.5.1 A.12.3.1, A.15.1.1, A.15.1.6, A.15.2.1 A.10.9.1, A.11.4.2, A.11.5.1, A.11.5.2 A.5.1.1, A.5.1.2, A.6.1.1, A.6.1.3, A.8.1.1, A.10.1.1, A.13.1.1, A.13.2.1, A.15.1.1, A.15.2.1 A.8.2.2 None A.6.1.2, A.13.2.2, A.13.2.3 None A.6.1.6, A.13.1.1 None None A.5.1.1, A.5.1.2, A.6.1.1, A.6.1.3, A.8.1.1, A.9.2.4, A.10.1.1, A.15.1.1, A.15.2.1 A.9.2.4

APPENDIX H

PAGE H-3

Special Publication 800-53

Recommended Security Controls for Federal Information Systems and Organizations

________________________________________________________________________________________________

NIST SP 800-53 CONTROLS

MA-3 MA-4 MA-5 MA-6 MP-1 MP-2 MP-3 MP-4 MP-5 MP-6 PE-1 Maintenance Tools Non-Local Maintenance Maintenance Personnel Timely Maintenance Media Protection Policy and Procedures Media Access Media Marking Media Storage Media Transport Media Sanitization Physical and Environmental Protection Policy and Procedures Physical Access Authorizations Physical Access Control Access Control for Transmission Medium Access Control for Output Devices Monitoring Physical Access Visitor Control Access Records Power Equipment and Power Cabling Emergency Shutoff Emergency Power Emergency Lighting Fire Protection Temperature and Humidity Controls Water Damage Protection Delivery and Removal Alternate Work Site Location of Information System Components Information Leakage Security Planning Policy and Procedures System Security Plan Withdrawn Rules of Behavior Privacy Impact Assessment Security-Related Activity Planning Personnel Security Policy and Procedures Position Categorization Personnel Screening Personnel Termination Personnel Transfer Access Agreements Third-Party Personnel Security Personnel Sanctions Risk Assessment Policy and Procedures Security Categorization Risk Assessment Withdrawn Vulnerability Scanning System and Services Acquisition Policy and Procedures Allocation of Resources

ISO/IEC 27001 (Annex A) CONTROLS

A.9.2.4, A.11.4.4 A.9.2.4, A.11.4.4 A.9.2.4, A.12.4.3 A.9.2.4 A.5.1.1, A.5.1.2, A.6.1.1, A.6.1.3, A.8.1.1, A.10.1.1, A.10.7.1, A.10.7.2, A.10.7.3, A.11.1.1, A.15.1.1, A.15.1.3, A.15.2.1 A.7.2.2, A.10.7.1, A.10.7.3 A.7.2.2, A.10.7.1, A.10.7.3 A.10.7.1, A.10.7.3, A.10.7.4, A.15.1.3 A.9.2.5, A.9.2.7, A.10.7.1, A.10.7.3, A.10.8.3 A.9.2.6, A.10.7.1, A.10.7.2, A.10.7.3 A.5.1.1, A.5.1.2, A.6.1.1, A.6.1.3, A.8.1.1, A.9.1.4, A.9.2.1, A.9.2.2, A.10.1.1, A.11.1.1, A.11.2.1, A.11.2.2, A.15.1.1, A.15.2.1 A.9.1.5, A.11.2.1, A.11.2.2, A.11.2.4 A.9.1.1, A.9.1.2, A.9.1.3, A.9.1.5, A.9.1.6, A.11.3.2, A.11.4.4 A.9.1.3, A.9.1.5, A.9.2.3 A.9.1.2, A.9.1.3, A.10.6.1, A.11.3.2 A.9.1.2, A.9.1.5, A.10.10.2 A.9.1.2, A.9.1.5, A.9.1.6 A.9.1.5, A.10.10.2, A.15.2.1 A.9.1.4, A.9.2.2, A.9.2.3 A.9.1.4 A.9.1.4, A.9.2.2 A.9.2.2 A.9.1.4 A.9.2.2 A.9.1.4 A.9.1.6, A.9.2.7, A.10.7.1 A.9.2.5, A.11.7.2 A.9.2.1, A.11.3.2 A.12.5.4 A.5.1.1, A.5.1.2, A.6.1.1, A.6.1.2, A.6.1.3, A.8.1.1, A.10.1.1, A.15.1.1, A.15.2.1 None --A.6.1.5, A.6.2.2, A.7.1.3. A.8.1.1, A.8.1.3, A.8.2.1, A.9.1.5, A.10.8.1, A.11.7.1, A.11.7.2, A.12.4.1, A.13.1.2, A.15.1.5 A.15.1.4 A.6.1.2, A.15.3.1 A.5.1.1, A.5.1.2, A.6.1.1, A.6.1.3, A.8.1.1, A.10.1.1, A.15.1.1, A.15.2.1 A.8.1.1 A.8.1.2 A.8.3.1, A.8.3.2, A.8.3.3 A.8.3.1, A.8.3.2, A.8.3.3 A.6.1.5, A.8.1.1, A.8.1.3, A.8.2.1, A.9.1.5, A.10.8.1, A.11.7.1, A.11.7.2, A.15.1.5 A.6.2.3, A.8.1.1, A.8.2.1, A.8.1.3 A.8.2.3, A.15.1.5 A.5.1.1, A.5.1.2, A.6.1.1, A.6.1.3, A.8.1.1, A.10.1.1, A.14.1.2, A.15.1.1, A.15.2.1 A.7.2.1, A.14.1.2 A.6.2.1, A.10.2.3, A.12.6.1, A.14.1.2 --A.12.6.1, A.15.2.2 A.5.1.1, A.5.1.2, A.6.1.1, A.6.1.3, A.6.2.1, A.8.1.1, A.10.1.1, A.12.1.1, A.12.5.5, A.15.1.1, A.15.2.1 A.6.1.2, A.10.3.1

PE-2 PE-3 PE-4 PE-5 PE-6 PE-7 PE-8 PE-9 PE-10 PE-11 PE-12 PE-13 PE-14 PE-15 PE-16 PE-17 PE-18 PE-19 PL-1 PL-2 PL-3 PL-4 PL-5 PL-6 PS-1 PS-2 PS-3 PS-4 PS-5 PS-6 PS-7 PS-8 RA-1 RA-2 RA-3 RA-4 RA-5 SA-1 SA-2

APPENDIX H

PAGE H-4

Special Publication 800-53

Recommended Security Controls for Federal Information Systems and Organizations

________________________________________________________________________________________________

NIST SP 800-53 CONTROLS

SA-3 SA-4 SA-5 SA-6 SA-7 SA-8 SA-9 SA-10 SA-11 SA-12 SA-13 SA-14 SC-1 SC-2 SC-3 SC-4 SC-5 SC-6 SC-7 SC-8 SC-9 SC-10 SC-11 SC-12 SC-13 SC-14 SC-15 SC-16 SC-17 SC-18 SC-19 SC-20 SC-21 SC-22 SC-23 SC-24 SC-25 SC-26 SC-27 SC-28 SC-29 SC-30 SC-31 SC-32 SC-33 SC-34 SI-1 SI-2 SI-3 SI-4 Life Cycle Support Acquisitions Information System Documentation Software Usage Restrictions User-Installed Software Security Engineering Principles External Information System Services Developer Configuration Management Developer Security Testing Supply Chain Protections Trustworthiness Critical Information System Components System and Communications Protection Policy and Procedures Application Partitioning Security Function Isolation Information In Shared Resources Denial of Service Protection Resource Priority Boundary Protection Transmission Integrity Transmission Confidentiality Network Disconnect Trusted Path Cryptographic Key Establishment and Management Use of Cryptography Public Access Protections Collaborative Computing Devices Transmission of Security Attributes Public Key Infrastructure Certificates Mobile Code Voice Over Internet Protocol Secure Name /Address Resolution Service (Authoritative Source) Secure Name /Address Resolution Service (Recursive or Caching Resolver) Architecture and Provisioning for Name/Address Resolution Service Session Authenticity Fail in Known State Thin Nodes Honeypots Operating System-Independent Applications Protection of Information at Rest Heterogeneity Virtualization Techniques Covert Channel Analysis Information System Partitioning Transmission Preparation Integrity Non-Modifiable Executable Programs System and Information Integrity Policy and Procedures Flaw Remediation Malicious Code Protection Information System Monitoring

ISO/IEC 27001 (Annex A) CONTROLS

A.12.1.1 A.12.1.1, A.12.5.5 A.10.7.4, A.15.1.3 A.12.4.1, A.12.5.5, A.15.1.2 A.12.4.1, A.12.5.5, A.15.1.5 A.10.4.1, A.10.4.2, A.11.4.5, A.12.5.5 A.6.1.5, A.6.2.1, A.6.2.3, A.8.1.1, A.8.2.1, A.10.2.1, A.10.2.2, A.10.2.3, A.10.6.2, A.10.8.2, A.12.5.5 A.12.4.3, A.12.5.1, A.12.5.5 A.10.3.2, A.12.5.5 A.12.5.5 A.12.5.5 None A.5.1.1, A.5.1.2, A.6.1.1, A.6.1.3, A.8.1.1, A.10.1.1, A.15.1.1, A.15.2.1 A.10.4.1, A.10.4.2 A.10.4.1, A.10.4.2, A.10.9.1, A.10.9.2 None A.10.3.1 None A.6.2.1, A.10.4.1, A.10.4.2, A.10.6.1, A.10.8.1, A.10.9.1, A.10.9.2, A.10.10.2, A.11.4.5, A.11.4.6 A.10.4.2, A.10.6.1, A.10.6.2, A.10.9.1, A.10.9.2, A.12.2.3, A.12.3.1 A.10.6.1, A.10.6.2, A.10.9.1, A.10.9.2, A.12.3.1 A.10.6.1, A.11.3.2, A.11.5.1, A.11.5.5 None A.12.3.2 A.12.3.1, A.15.1.6 A.10.4.1, A.10.4.2, A.10.9.1, A.10.9.2, A.10.9.3 None A.7.2.2, A.10.8.1 A.12.3.2 A.10.4.2 A.10.6.1 A.10.6.1 A.10.6.1 A.10.6.1 A.10.6.1 None None None None None None None None None None None A.5.1.1, A.5.1.2, A.6.1.1, A.6.1.3, A.8.1.1, A.10.1.1, A.15.1.1, A.15.2.1 A.10.10.5, A.12.5.2, A.12.6.1, A.13.1.2 A.10.4.1 A.10.10.2, A.13.1.1, A.13.1.2

APPENDIX H

PAGE H-5

Special Publication 800-53

Recommended Security Controls for Federal Information Systems and Organizations

________________________________________________________________________________________________

NIST SP 800-53 CONTROLS

SI-5 SI-6 SI-7 SI-8 SI-9 SI-10 SI-11 SI-12 SI-13 PM-1 PM-2 PM-3 PM-4 PM-5 PM-6 PM-7 PM-8 PM-9 PM-10 PM-11 Security Alerts, Advisories, and Directives Security Functionality Verification Software and Information Integrity Spam Protection Information Input Restrictions Information Input Validation Error Handling Information Output Handling and Retention Predictable Failure Prevention Information Security Program Plan Senior Information Security Officer Information Security Resources Plan of Action and Milestones Process Information System Inventory Information Security Measures of Performance Enterprise Architecture Critical Infrastructure Plan Risk Management Strategy Security Authorization Process Mission/Business Process Definition

ISO/IEC 27001 (Annex A) CONTROLS

A.6.1.6, A.12.6.1, A.13.1.1, A.13.1.2 None A.10.4.1, A.12.2.2, A.12.2.3 None A.10.8.1, A.11.1.1, A.11.2.2, A.12.2.2 A.12.2.1, A.12.2.2 None A.10.7.3, A.15.1.3, A.15.1.4, A.15.2.1 None A.5.1.1, A.5.1.2, A.6.1.1, A.6.1.3 A.8.1.1, A.15.1.1, A.15.2.1 A.6.1.1, A.6.1.2, A.6.1.3 None None A.7.1.1, A.7.1.2 None None None A.6.2.1, A.14.1.2 A.6.1.4 None

APPENDIX H

PAGE H-6

Special Publication 800-53

Recommended Security Controls for Federal Information Systems and Organizations

________________________________________________________________________________________________
TABLE H-2: MAPPING ISO/IEC 27001 (ANNEX A) TO NIST SP 800-53

ISO/IEC 27001 (Annex A) CONTROLS

A.5 Security Policy A.5.1 Information security policy A.5.1.1 Information security policy document A.5.1.2 Review of the information security policy A.6 Organization of information security A.6.1 Internal A.6.1.1 Management commitment to information security A.6.1.2 Information security coordination A.6.1.3 Allocation of information security responsibilities A.6.1.4 Authorization process for information processing facilities A.6.1.5 Confidentiality agreements A.6.1.6 Contact with authorities A.6.1.7 Contact with special interest groups A.6.1.8 Independent review of information security A.6.2 External Parties A.6.2.1 Identification of risks related to external parties A.6.2.2 Addressing security when dealing with customers A.6.2.3 Addressing security in third party agreements A.7 Asset Management A.7.1 Responsibility for assets A.7.1.1 Inventory of assets A.7.1.2 Ownership of assets A.7.1.3 Acceptable use of assets A.7.2 Information Classification A.7.2.1 Classification Guidelines A.7.2.2 Information labeling and handling A.8 Human Resources Security A.8.1 Prior to Employment A.8.1.1 Roles and Responsibilities A.8.1.2 Screening A.8.1.3 Terms and conditions of employment A.8.2 During employment A.8.2.1 Management responsibilities A.8.2.2 Awareness, education, and training A.8.2.3 Disciplinary process A.8.3 Termination or change of employment A.8.3.1 Termination responsibilities A.8.3.2 Return of assets A.8.3.3 Removal of access rights A.9 Physical and environmental security A.9.1 Secure areas A.9.1.1 Physical security perimeter A.9.1.2 Physical entry controls A.9.1.3 Securing offices, rooms, facilities A.9.1.4 Protecting against external and environmental threats A.9.1.5 Working in secure areas A.9.1.6 Public access, delivery and loading areas A.9.2 Equipment security A.9.2.1 Equipment siting and protection A.9.2.2 Supporting utilities A.9.2.3 Cabling security A.9.2.4 Equipment maintenance

NIST SP 800-53 CONTROLS

XX-1 controls XX-1 controls

XX-1 controls, PM-2; SP 800-39, SP 800-37 CP-2, CP-4, IR-4, PL-1, PL-6, PM-2, SA-2; SP 800-39, SP 800-37 XX-1 controls, AC-5, AC-6, CM-9. PM-2; SP 800-39, SP 800-37 CA-1, CA-6, PM-10; SP 800-37 PL-4, PS-6, SA-9 Multiple controls with contact reference (e.g., IR-6, SI-5); SP 800-39; SP 800-37 AT-5 CA-2, CA-7; SP 800-39, SP 800-37 CA-3, PM-9, RA-3, SA-1, SA-9, SC-7 AC-8 , AT-2, PL-4 CA-3, PS-7, SA-9

CM-8, CM-9, PM-5 CM-8, CM-9, PM-5 AC-20, PL-4 RA-2 AC-16, MP-2, MP-3, SC-16

XX-1 controls, AC-5, AC-6, AC-8, AC-20, AT-2, AT-3, CM-9, PL-4, PS-2, PS-6, PS-7, SA-9 PS-3 AC-20, PL-4, PS-6, PS-7 PL-4, PS-6, PS-7, SA-9 AT-2, AT-3, IR-2 PS-8 PS-4, PS-5 PS-4, PS-5 AC-2, PS-4, PS-5

PE-3 PE-3, PE-5, PE-6, PE-7 PE-3, PE-4, PE-5 CP Family; PE-1, PE-9, PE-10, PE-11, PE-13, PE-15 AT-2, AT-3 , PL-4, PS-6, PE-2, PE-3, PE-4, PE-6, PE-7, PE-8 PE-3 , PE-7, PE-16 PE-1, PE-18 PE-1, PE-9, PE-11, PE-12, PE-14 PE-4, PE-9 MA Family

APPENDIX H

PAGE H-7

Special Publication 800-53

Recommended Security Controls for Federal Information Systems and Organizations

________________________________________________________________________________________________ ISO/IEC 27001 (Annex A) CONTROLS

A.9.2.5 Security of equipment off-premises A.9.2.6 Secure disposal or reuse of equipment A.9.2.7 Removal of property A.10 Communications and operations management A.10.1 Operational procedures and responsibilities A.10.1.1 Documented operating procedures A.10.1.2 Change management A.10.1.3 Segregation of duties A.10.1.4 Separation of development, test and operational facilities A.10.2 Third-party service delivery management A.10.2.1 Service delivery A.10.2.2 Monitoring and review of third-party services A.10.2.3 Managing changes to third-party services A.10.3 System planning and acceptance A.10.3.1 Capacity management A.10.3.2 System acceptance A.10.4 Protection against malicious and mobile code A.10.4.1 Controls against malicious code A.10.4.2 Controls against mobile code A.10.5 Backup A.10.5.1 Information backup A.10.6 Network security management A.10.6.1 Network controls

NIST SP 800-53 CONTROLS

MP-5, PE-17 MP-6 MP-5, PE-16

XX-1 controls, CM-9 CM-1, CM-3, CM-4, CM-5, CM-9 AC-5 CM-2 SA-9 SA-9 RA-3, SA-9 AU-4, AU-5, CP-2, SA-2, SC-5 CA-2, CA-6, CM-3, CM-4, CM-9, SA-11 AC-19, AT-2, SA-8, SC-2, SC-3, SC-7, SC-14, SI-3, SI-7 SA-8, SC-2, SC-3, SC-7, SC-14, SC-8, SC-18 CP-9 AC-4, AC-17, AC-18, AC-20, CA-3, CP-8, PE-5, SC-7, SC-8, SC-9, SC-10, SC-19, SC-20, SC-21, SC-22, SC-23 SA-9, SC-8, SC-9 MP Family, PE-16 MP-6 MP Family, SI-12 MP-4, SA-5 AC-1, AC-3, AC-4, AC-17, AC-18, AC-20, CA-3, PL-4, PS-6, SC-7, SC-16, SI-9 CA-3, SA-9 MP-5 Multiple controls; electronic messaging not addressed separately in SP 800-53 CA-1, CA-3 AU-10, IA-8, SC-7, SC-8, SC-9, SC-3, SC-14 SC-3, SC-7, SC-8, SC-9, SC-14 SC-14 AU-1, AU-2, AU-3, AU-4, AU-5, AU-8, AU-11, AU-12 AU-1, AU-6, AU-7, PE-6, PE-8, SC-7, SI-4 AU-9 AU-2, AU-12 AU-2, AU-6, AU-12, SI-2 AU-8

A.10.6.2 Security of network services A.10.7 Media handling A.10.7.1 Management of removable media A.10.7.2 Disposal of media A.10.7.3 Information handling procedures A.10.7.4 Security of system documentation A.10.8 Exchange of information A.10.8.1 Information exchange policies and procedures A.10.8.2 Exchange agreements A.10.8.3 Physical media in transit A.10.8.4 Electronic messaging A.10.8.5 Business information systems A.10.9 Electronic commerce services A.10.9.1 Electronic commerce A.10.9.2 Online transactions A.10.9.3 Publicly available information A.10.10 Monitoring A.10.10.1 Audit logging A.10.10.2 Monitoring system use A.10.10.3 Protection of log information A.10.10.4 Administrator and operator logs A.10.10.5 Fault logging A.10.10.6 Clock synchronization A.11 Access Control A.11.1 Business requirement for access control A.11.1.1 Access control policy A.11.2 User access management A.11.2.1 User registration A.11.2.2 Privilege management A.11.2.3 User password management

AC-1, AC-5, AC-6, AC-17, AC-18, AC-19, CM-5, MP-1, SI-9 AC-1, AC-2, AC-21, IA-5, PE-1, PE-2 AC-1, AC-2, AC-6, AC-21, PE-1, PE-2, SI-9 IA-5

APPENDIX H

PAGE H-8

Special Publication 800-53

Recommended Security Controls for Federal Information Systems and Organizations

________________________________________________________________________________________________ ISO/IEC 27001 (Annex A) CONTROLS

A.11.2.4 Review of user access rights A 11.3 User responsibilities A.11.3.1 Password use A.11.3.2 Unattended user equipment A.11.3.3 Clear desk and clear screen policy A.11.4 Network access control A.11.4.1 Policy on use of network services A.11.4.2 User authentication for external connections A.11.4.3 Equipment identification in networks A.11.4.4 Remote diagnostic and configuration port protection A.11.4.5 Segregation in networks A.11.4.6 Network connection control A.11.4.7 Network routing control A 11.5 Operating system access control A.11.5.1 Secure log-on procedures A.11.5.2 User identification and authentication A.11.5.3 Password management system A.11.5.4 Use of system utilities A.11.5.5 Session time-out A.11.5.6 Limitation of connection time A.11.6 Application and information access control A.11.6.1 Information access restriction A.11.6.2 Sensitive system isolation A.11.7 Mobile computing and teleworking A.11.7.1 Mobile computing and communications A.11.7.2 Teleworking A.12 Information systems acquisition, development and maintenance A.12.1 Security requirements of information systems A.12.1.1 Security requirements analysis and specification A.12.2 Correct processing in applications A.12.2.1 Input data validation A.12.2.2 Control of internal processing A.12.2.3 Message integrity A.12.2.4 Output data validation A.12.3 Cryptographic controls A.12.3.1 Policy on the use of cryptographic controls A.12.3.2 Key management A.12.4 Security of system files A.12.4.1 Control of operational software A.12.4.2 Protection of system test data

NIST SP 800-53 CONTROLS

AC-2, PE-2 IA-2, IA-5 AC-11, IA-2, PE-3, PE-5, PE-18, SC-10 AC-11 AC-1, AC-5, AC-6, AC-17, AC-18, AC-20 AC-17, AC-18, AC-20, CA-3, IA-2, IA-8 AC-19, IA-3 AC-3, AC-6, AC-17, AC-18, PE-3, MA-3, MA-4 AC-4, SA-8, SC-7 AC-3, AC-6, AC-17, AC-18, SC-7 AC-4, AC-17, AC-18 AC-7, AC-8, AC-9, AC-10, IA-2, IA-6, IA-8, SC10 IA-2, IA-4, IA-5, IA-8 IA-2, IA-5 AC-3, AC-6 AC-11, SC-10 None AC-3, AC-6, AC-14, CM-5 None; SP 800-39 AC-1, AC-17, AC-18, AC-19, PL-4, PS-6 AC-1, AC-4, AC-17, AC-18, PE-17, PL-4, PS-6

SA-1, SA-3, SA-4 SI-10 SI-7, SI-9, SI-10 AU-10, SC-8, SI-7 None Multiple controls address cryptography (e.g., IA-7, SC-8, SC-9, SC-12, SC-13) SC-12, SC-17 CM-1, CM-2, CM-3, CM-4, CM-5, CM-9, PL-4, SA-6, SA-7 Multiple controls; protection of test data not addressed separately in SP 800-53 (e.g., AC-3, AC-4) AC-3, AC-6, CM-5, CM-9, MA-5, SA-10 CM-1, CM-3, CM-9, SA-10 CM-3, CM-4, CM-9, SI-2 CM-3, CM-4, CM-5, CM-9 AC-4, PE-19 SA-1, SA-4, SA-6, SA-7, SA-8, SA-9, SA-11, SA-12, SA-13 RA-3, RA-5, SI-2, SI-5

A.12.4.3 Access control to program source code A.12.5 Security in development and support processes A.12.5.1 Change control procedures A.12.5.2 Technical review of applications after operating system changes A.12.5.3 Restrictions on changes to software packages A.12.5.4 Information leakage A.12.5.5 Outsourced software development A.12.6 Technical Vulnerability Management A.12.6.1 Control of technical vulnerabilities A.13 Information security incident management A.13.1 Reporting information security events and weaknesses A.13.1.1 Reporting information security events

AU-6, IR-1, IR-6, SI-4, SI-5

APPENDIX H

PAGE H-9

Special Publication 800-53

Recommended Security Controls for Federal Information Systems and Organizations

________________________________________________________________________________________________ ISO/IEC 27001 (Annex A) CONTROLS

A.13.1.2 Reporting security weaknesses A.13.2 Management of information security incidents and improvements A.13.2.1 Responsibilities and procedures A.13.2.2 Learning from information security incidents A.13.2.3 Collection of evidence A.14 Business continuity management A.14.1 Information security aspects of business continuity management A.14.1.1 Including information security in the business continuity management process A.14.1.2 Business continuity and risk assessment A.14.1.3 Developing and implementing continuity plans including information security A.14.1.4 Business continuity planning framework A.14.1.5 Testing, maintaining and reassessing business continuity plans A.15 Compliance A.15.1 Compliance with legal requirements A.15.1.1 Identification of applicable legislation A.15.1.2 Intellectual property rights (IPR) A.15.1.3 Protection of organizational records A.15.1.4 Data protection and privacy of personal information A.15.1.5 Prevention of misuse of information processing facilities A.15.1.6 Regulation of cryptographic controls A.15.2 Compliance with security policies and standards, and technical compliance A.15.2.1 Compliance with security policies and standards A.15.2.2 Technical compliance checking A.15.3 Information systems audit considerations A.15.3.1 Information systems audit controls A.15.3.2 Protection of information systems audit tools

NIST SP 800-53 CONTROLS

PL-4, SI-2, SI-4, SI-5

IR-1 IR-4 AU-9, IR-4

CP-1, CP-2, CP-4 CP-2, PM-9, RA Family CP Family CP-2, CP-4 CP-2, CP-4

XX-1 controls, IA-7 SA-6 AU-9, AU-11, CP-9, MP-1, MP-4, SA-5, SI-12 PL-5; SI-12 AC-8, AU-6, PL-4, PS-6, PS-8, SA-7 IA-7, SC-13

XX-1 controls, AC-2, CA-2, CA-7, IA-7, PE-8, SI-12 CA-2, CA-7, RA-5 AU-1, AU-2, PL-6 AU-9

APPENDIX H

PAGE H-10