Mapping between NIST 800-53 and ISO/IEC 27001 - SCADAhacker

More documents

Recommendations

Info

Special Publication 800-53 Recommended Security Controls for Federal Information Systems and Organizations________________________________________________________________________________________________NIST SP 800-53 CONTROLSISO/IEC 27001 (Annex A) CONTROLSAU-12 Audit Generation A.10.10.1, A.10.10.4, A.10.10.5AU-13 Monitoring for Information Disclosure NoneAU-14 Session Audit NoneCA-1 Security Assessment and AuthorizationPolicies and ProceduresA.5.1.1, A.5.1.2, A.6.1.1, A.6.1.3 A.6.1.4, A.8.1.1, A.10.1.1,A.15.1.1, A.15.2.1CA-2 Security Assessments A.6.1.8, A.10.3.2, A.15.2.1, A.15.2.2CA-3 Information System Connections A.6.2.1, A.6.2.3, A.10.6.1, A.10.8.1, A.10.8.2, A.10.8.5,A.11.4.2CA-4 Withdrawn ---CA-5 Plan of Action and Milestones NoneCA-6 Security Authorization A.6.1.4, A.10.3.2CA-7 Continuous Monitoring A.6.1.8, A.15.2.1, A.15.2.2CM-1 Configuration Management Policy andProceduresA.5.1.1, A.5.1.2, A.6.1.1, A.6.1.3, A.8.1.1, A.10.1.1, A.10.1.2,A.12.4.1, A.12.5.1, A.15.1.1, A.15.2.1CM-2 Baseline Configuration A.12.4.1, A.10.1.4CM-3 Configuration Change Control A.10.1.1, A.10.1.2, A.10.3.2, A.12.4.1, A.12.5.1, A.12.5.2,A.12.5.3CM-4 Security Impact Analysis A.10.1.2, A.10.3.2, A.12.4.1, A.12.5.2, A.12.5.3CM-5 Access Restrictions for Change A.10.1.2, A.11.1.1, A.11.6.1, A.12.4.1, A.12.4.3, A.12.5.3CM-6 Configuration Settings NoneCM-7 Least Functionality NoneCM-8 Information System Component Inventory A.7.1.1, A.7.1.2CM-9 Configuration Management Plan A.6.1.3. A.7.1.1, A.7.1.2, A.8.1.1, A.10.1.1, A.10.1.2, A.10.3.2,A.12.4.1, A.12.4.3, A.12.5.1, A.12.5.2, A.12.5.3CP-1 Contingency Planning Policy andProceduresA.5.1.1, A.5.1.2, A.6.1.1, A.6.1.3, A.8.1.1, A.9.1.4, A.10.1.1,A.10.1.2, A.14.1.1, A.14.1.3, A.15.1.1, A.15.2.1CP-2 Contingency Plan A.6.1.2, A.9.1.4, A.10.3.1, A.14.1.1, A.14.1.2, A.14.1.3,A.14.1.4, A.14.1.5CP-3 Contingency Training A.8.2.2, A.9.1.4, A.14.1.3CP-4 Contingency Plan Testing and Exercises A.6.1.2, A.9.1.4, A.14.1.1, A.14.1.3, A.14.1.4, A.14.1.5CP-5 Withdrawn ---CP-6 Alternate Storage Site A.9.1.4, A.14.1.3CP-7 Alternate Processing Site A.9.1.4, A.14.1.3CP-8 Telecommunications Services A.9.1.4, A.10.6.1, A.14.1.3CP-9 Information System Backup A.9.1.4, A.10.5.1, A.14.1.3, A.15.1.3CP-10 Information System Recovery andA.9.1.4, A.14.1.3ReconstitutionIA-1 Identification and Authentication Policyand ProceduresA.5.1.1, A.5.1.2, A.6.1.1, A.6.1.3, A.8.1.1, A.10.1.1, A.11.2.1,A.15.1.1, A.15.2.1IA-2 Identification and AuthenticationA.11.3.2, A.11.5.1, A.11.5.2, A.11.5.3(Organizational Users)IA-3 Device Identification and Authentication A.11.4.3IA-4 Identifier Management A.11.5.2IA-5 Authenticator Management A.11.2.1, A.11.2.3, A.11.3.1, A.11.5.2, A.11.5.3IA-6 Authenticator Feedback A.11.5.1IA-7 Cryptographic Module Authentication A.12.3.1, A.15.1.1, A.15.1.6, A.15.2.1IA-8 Identification and Authentication (Non- A.10.9.1, A.11.4.2, A.11.5.1, A.11.5.2Organizational Users)IR-1 Incident Response Policy and Procedures A.5.1.1, A.5.1.2, A.6.1.1, A.6.1.3, A.8.1.1, A.10.1.1, A.13.1.1,A.13.2.1, A.15.1.1, A.15.2.1IR-2 Incident Response Training A.8.2.2IR-3 Incident Response Testing and Exercises NoneIR-4 Incident Handling A.6.1.2, A.13.2.2, A.13.2.3IR-5 Incident Monitoring NoneIR-6 Incident Reporting A.6.1.6, A.13.1.1IR-7 Incident Response Assistance NoneIR-8 Incident Response Plan NoneMA-1 System Maintenance Policy andProceduresA.5.1.1, A.5.1.2, A.6.1.1, A.6.1.3, A.8.1.1, A.9.2.4, A.10.1.1,A.15.1.1, A.15.2.1MA-2 Controlled Maintenance A.9.2.4APPENDIX H PAGE H-3
Special Publication 800-53 Recommended Security Controls for Federal Information Systems and Organizations________________________________________________________________________________________________NIST SP 800-53 CONTROLSISO/IEC 27001 (Annex A) CONTROLSMA-3 Maintenance Tools A.9.2.4, A.11.4.4MA-4 Non-Local Maintenance A.9.2.4, A.11.4.4MA-5 Maintenance Personnel A.9.2.4, A.12.4.3MA-6 Timely Maintenance A.9.2.4MP-1 Media Protection Policy and Procedures A.5.1.1, A.5.1.2, A.6.1.1, A.6.1.3, A.8.1.1, A.10.1.1, A.10.7.1,A.10.7.2, A.10.7.3, A.11.1.1, A.15.1.1, A.15.1.3, A.15.2.1MP-2 Media Access A.7.2.2, A.10.7.1, A.10.7.3MP-3 Media Marking A.7.2.2, A.10.7.1, A.10.7.3MP-4 Media Storage A.10.7.1, A.10.7.3, A.10.7.4, A.15.1.3MP-5 Media Transport A.9.2.5, A.9.2.7, A.10.7.1, A.10.7.3, A.10.8.3MP-6 Media Sanitization A.9.2.6, A.10.7.1, A.10.7.2, A.10.7.3PE-1Physical and Environmental ProtectionPolicy and ProceduresA.5.1.1, A.5.1.2, A.6.1.1, A.6.1.3, A.8.1.1, A.9.1.4, A.9.2.1,A.9.2.2, A.10.1.1, A.11.1.1, A.11.2.1, A.11.2.2, A.15.1.1,A.15.2.1PE-2 Physical Access Authorizations A.9.1.5, A.11.2.1, A.11.2.2, A.11.2.4PE-3 Physical Access Control A.9.1.1, A.9.1.2, A.9.1.3, A.9.1.5, A.9.1.6, A.11.3.2, A.11.4.4PE-4 Access Control for Transmission Medium A.9.1.3, A.9.1.5, A.9.2.3PE-5 Access Control for Output Devices A.9.1.2, A.9.1.3, A.10.6.1, A.11.3.2PE-6 Monitoring Physical Access A.9.1.2, A.9.1.5, A.10.10.2PE-7 Visitor Control A.9.1.2, A.9.1.5, A.9.1.6PE-8 Access Records A.9.1.5, A.10.10.2, A.15.2.1PE-9 Power Equipment and Power Cabling A.9.1.4, A.9.2.2, A.9.2.3PE-10 Emergency Shutoff A.9.1.4PE-11 Emergency Power A.9.1.4, A.9.2.2PE-12 Emergency Lighting A.9.2.2PE-13 Fire Protection A.9.1.4PE-14 Temperature and Humidity Controls A.9.2.2PE-15 Water Damage Protection A.9.1.4PE-16 Delivery and Removal A.9.1.6, A.9.2.7, A.10.7.1PE-17 Alternate Work Site A.9.2.5, A.11.7.2PE-18 Location of Information SystemA.9.2.1, A.11.3.2ComponentsPE-19 Information Leakage A.12.5.4PL-1 Security Planning Policy and Procedures A.5.1.1, A.5.1.2, A.6.1.1, A.6.1.2, A.6.1.3, A.8.1.1, A.10.1.1,A.15.1.1, A.15.2.1PL-2 System Security Plan NonePL-3 Withdrawn ---PL-4 Rules of Behavior A.6.1.5, A.6.2.2, A.7.1.3. A.8.1.1, A.8.1.3, A.8.2.1, A.9.1.5,A.10.8.1, A.11.7.1, A.11.7.2, A.12.4.1, A.13.1.2, A.15.1.5PL-5 Privacy Impact Assessment A.15.1.4PL-6 Security-Related Activity Planning A.6.1.2, A.15.3.1PS-1 Personnel Security Policy and Procedures A.5.1.1, A.5.1.2, A.6.1.1, A.6.1.3, A.8.1.1, A.10.1.1, A.15.1.1,A.15.2.1PS-2 Position Categorization A.8.1.1PS-3 Personnel Screening A.8.1.2PS-4 Personnel Termination A.8.3.1, A.8.3.2, A.8.3.3PS-5 Personnel Transfer A.8.3.1, A.8.3.2, A.8.3.3PS-6 Access Agreements A.6.1.5, A.8.1.1, A.8.1.3, A.8.2.1, A.9.1.5, A.10.8.1, A.11.7.1,A.11.7.2, A.15.1.5PS-7 Third-Party Personnel Security A.6.2.3, A.8.1.1, A.8.2.1, A.8.1.3PS-8 Personnel Sanctions A.8.2.3, A.15.1.5RA-1 Risk Assessment Policy and Procedures A.5.1.1, A.5.1.2, A.6.1.1, A.6.1.3, A.8.1.1, A.10.1.1, A.14.1.2,A.15.1.1, A.15.2.1RA-2 Security Categorization A.7.2.1, A.14.1.2RA-3 Risk Assessment A.6.2.1, A.10.2.3, A.12.6.1, A.14.1.2RA-4 Withdrawn ---RA-5 Vulnerability Scanning A.12.6.1, A.15.2.2SA-1 System and Services Acquisition Policyand ProceduresA.5.1.1, A.5.1.2, A.6.1.1, A.6.1.3, A.6.2.1, A.8.1.1, A.10.1.1,A.12.1.1, A.12.5.5, A.15.1.1, A.15.2.1SA-2 Allocation of Resources A.6.1.2, A.10.3.1APPENDIX H PAGE H-4
Page 1 and 2: NIST Special Publication 800-53Revi
Page 3: Special Publication 800-53 Recommen
Page 7 and 8: Special Publication 800-53 Recommen
Page 9 and 10: Special Publication 800-53 Recommen
Page 11: Special Publication 800-53 Recommen

Mapping between NIST 800-53 and ISO/IEC 27001 - SCADAhacker

Create successful ePaper yourself

Delete template?

Save as template?