Security Control Mapping
Cross-framework security control mappings to help organisations leverage existing compliance work across multiple frameworks.
Purpose
Many security controls serve multiple compliance requirements. This guide provides mappings between common frameworks to:
- Reduce duplicate effort when complying with multiple frameworks
- Leverage existing controls to demonstrate compliance
- Understand equivalencies and gaps between frameworks
- Streamline audit preparation
Key Framework Relationships
ISO 27001 → NIST CSF 2.0
ISO 27001:2022 Annex A controls mapped to NIST Cybersecurity Framework 2.0 functions.
| NIST CSF 2.0 Function | ISO 27001:2022 Annex A Controls (Subset) |
|---|---|
| GOVERN | 5.1 Policies, 5.2 Roles & responsibilities, 5.3 Segregation of duties, 5.7 Threat intelligence, 5.8 Information security in project management, 5.10 Acceptable use, 5.37 Documented procedures |
| IDENTIFY | 5.9 Inventory of assets, 5.12 Classification, 5.29 Information security during disruption, 8.8 Management of technical vulnerabilities, 8.9 Configuration management |
| PROTECT | 5.15 Access control, 5.16 Identity management, 5.17 Authentication, 5.18 Access rights, 8.1 User endpoint devices, 8.2 Privileged access rights, 8.3 Information access restriction, 8.4 Source code access, 8.5 Secure authentication, 8.10 Information deletion, 8.11 Data masking, 8.12 Data leakage prevention, 8.13 Information backup, 8.23 Web filtering, 8.24 Cryptographic keys |
| DETECT | 5.25 Assessment and decision on information security events, 8.15 Logging, 8.16 Monitoring activities, 8.17 Clock synchronization |
| RESPOND | 5.24 Incident management planning, 5.25 Assessment and decision on information security events, 5.26 Response to information security incidents, 5.27 Learning from incidents |
| RECOVER | 5.29 Information security during disruption, 5.30 ICT readiness for business continuity, 8.13 Information backup, 8.14 Redundancy |
ISO 27001 → CIS Controls v8
ISO 27001:2022 controls mapped to CIS Controls v8 Implementation Groups.
| CIS Control | Description | Related ISO 27001:2022 Controls |
|---|---|---|
| 1. Inventory and Control of Enterprise Assets | Active management of all enterprise assets | 5.9, 8.9 |
| 2. Inventory and Control of Software Assets | Active management of software inventory | 5.9, 8.9 |
| 3. Data Protection | Protect data at rest and in transit | 5.12, 8.10, 8.11, 8.24 |
| 4. Secure Configuration of Enterprise Assets | Establish and maintain secure configurations | 8.9, 8.19 |
| 5. Account Management | Use processes and tools to manage credentials | 5.16, 5.17, 5.18, 8.2, 8.5 |
| 6. Access Control Management | Use processes to grant access based on need to know | 5.15, 5.18, 8.3 |
| 7. Continuous Vulnerability Management | Develop and maintain plans to detect, assess, remediate | 8.8 |
| 8. Audit Log Management | Collect, review, retain audit logs | 8.15, 8.16 |
| 9. Email and Web Browser Protections | Block malicious content | 8.23, 8.7 |
| 10. Malware Defenses | Control installation and spread of malware | 8.7 |
| 11. Data Recovery | Establish and maintain data recovery practices | 8.13, 5.29, 5.30 |
| 12. Network Infrastructure Management | Secure network infrastructure | 8.20, 8.21, 8.22 |
| 13. Network Monitoring and Defense | Monitor and defend network perimeter | 8.16, 8.20, 8.21 |
| 14. Security Awareness and Skills Training | Conduct training to address security risks | 6.3 |
| 15. Service Provider Management | Manage suppliers and partners | 5.19, 5.20, 5.21, 5.22, 5.23 |
| 16. Application Software Security | Manage security of in-house and acquired software | 8.25, 8.26, 8.27, 8.28, 8.29 |
| 17. Incident Response Management | Establish process for detecting, responding, recovering | 5.24, 5.25, 5.26, 5.27, 5.28 |
| 18. Penetration Testing | Test security posture through simulated attacks | 8.8, 8.29 |
NIST CSF 2.0 → NIST SP 800-53 Rev. 5
NIST CSF 2.0 core functions mapped to NIST 800-53 control families.
| NIST CSF Function | NIST SP 800-53 Rev. 5 Control Families |
|---|---|
| GOVERN | PM (Program Management), PL (Planning), SA (System and Services Acquisition), RA (Risk Assessment), CA (Assessment, Authorization, and Monitoring), SI-12 (Information Management), SR (Supply Chain Risk Management) |
| IDENTIFY | CM (Configuration Management), RA (Risk Assessment), PM (Program Management), IA (Identification and Authentication), CA (Assessment) |
| PROTECT | AC (Access Control), IA (Identification and Authentication), SC (System and Communications Protection), CM (Configuration Management), MP (Media Protection), PE (Physical and Environmental Protection), PS (Personnel Security), SA (System and Services Acquisition), SR (Supply Chain) |
| DETECT | AU (Audit and Accountability), CA (Continuous Monitoring), SI (System and Information Integrity), RA (Risk Assessment) |
| RESPOND | IR (Incident Response), CP (Contingency Planning), SI (System and Information Integrity) |
| RECOVER | CP (Contingency Planning), IR (Incident Response) |
UK GDPR → ISO 27001:2022
GDPR principles and requirements mapped to ISO 27001 controls.
| GDPR Requirement | Related ISO 27001:2022 Controls |
|---|---|
| Article 5: Principles (Lawfulness, fairness, transparency) | 5.1, 5.12, 5.34 |
| Article 25: Data protection by design and default | 5.36, 8.25 |
| Article 30: Records of processing activities | 5.9, 5.37 |
| Article 32: Security of processing | 5.10, 5.14, 8.1-8.34 (most technical controls) |
| Article 32: Encryption | 8.24, 8.11 |
| Article 32: Pseudonymisation | 8.11 |
| Article 32: Availability and resilience | 5.29, 5.30, 8.13, 8.14 |
| Article 32: Regular testing and evaluation | 8.8, 8.29 |
| Article 33: Breach notification | 5.24, 5.25, 5.26 |
| Article 35: Data Protection Impact Assessment (DPIA) | 5.7, 5.8 (risk assessment) |
| Article 37: Data Protection Officer | 6.1, 6.2 (roles and responsibilities) |
PCI DSS v4.0 → ISO 27001:2022
PCI DSS requirements mapped to ISO 27001 controls.
| PCI DSS v4.0 Requirement | Related ISO 27001:2022 Controls |
|---|---|
| 1. Network Security Controls | 8.20, 8.21, 8.22 |
| 2. Secure Configurations | 8.9, 8.19 |
| 3. Protect Stored Account Data | 8.10, 8.11, 8.24 |
| 4. Protect Cardholder Data in Transit | 8.24 (cryptography) |
| 5. Protect from Malware | 8.7 |
| 6. Develop Secure Systems and Software | 8.25, 8.26, 8.27, 8.28, 8.29 |
| 7. Restrict Access to Cardholder Data | 5.15, 8.2, 8.3 |
| 8. Identify Users and Authenticate Access | 5.16, 5.17, 8.5 |
| 9. Restrict Physical Access | 7.1, 7.2, 7.3, 7.4 |
| 10. Log and Monitor | 8.15, 8.16 |
| 11. Test Security Systems | 8.8, 8.29 |
| 12. Support Information Security with Policies | 5.1, 5.2, 5.10, 5.37 |
SOC 2 Trust Services Criteria → ISO 27001:2022
SOC 2 (Security) Common Criteria mapped to ISO 27001 controls.
| SOC 2 Criterion Category | Related ISO 27001:2022 Controls |
|---|---|
| CC1: Control Environment | 5.1, 5.2, 5.3, 6.1, 6.2 |
| CC2: Communication and Information | 5.6, 5.37 |
| CC3: Risk Assessment | 5.7, 8.8 |
| CC4: Monitoring Activities | 5.25, 8.16 |
| CC5: Control Activities | 5.10, 5.37 |
| CC6: Logical and Physical Access Controls | 5.15, 5.16, 5.17, 5.18, 7.1, 7.2, 7.3, 8.2, 8.3, 8.5 |
| CC7: System Operations | 8.6, 8.13, 8.14, 8.32 |
| CC8: Change Management | 8.9, 8.32 |
| CC9: Risk Mitigation | 5.24, 5.25, 5.26 |
Additional SOC 2 Criteria (if applicable):
- Availability: Maps to 5.29, 5.30, 8.13, 8.14
- Confidentiality: Maps to 8.10, 8.11, 8.24
- Privacy: Requires additional privacy-specific controls beyond ISO 27001
HIPAA Security Rule → NIST CSF 2.0
HIPAA Security Rule safeguards mapped to NIST CSF functions.
| HIPAA Safeguard | NIST CSF 2.0 Function | Examples |
|---|---|---|
| Administrative Safeguards (164.308) | GOVERN, IDENTIFY | Risk analysis (a)(1), workforce training (a)(5), incident response (a)(6), contingency planning (a)(7) |
| Physical Safeguards (164.310) | PROTECT | Facility access controls (a)(1), workstation security (c), device and media controls (d) |
| Technical Safeguards (164.312) | PROTECT, DETECT | Access control (a)(1), audit controls (b), integrity (c)(1), authentication (d), encryption (a)(2)(iv) and (e)(2)(ii) |
| Breach Notification (164.410) | RESPOND | Incident response, communications |
Common Control Baselines
Control Inheritance in Cloud Environments
When using cloud services (IaaS, PaaS, SaaS), certain controls are inherited from the cloud provider. Understanding this inheritance reduces duplicate effort.
Example: AWS Shared Responsibility Model
| Control Type | Customer Responsibility | AWS Responsibility |
|---|---|---|
| Physical Security (ISO 27001: 7.x) | None | Full (data centre physical security) |
| Network Infrastructure (Partial) | Customer VPC, security groups, NACLs | Underlying network infrastructure |
| Compute/Storage Encryption at Rest | Enable and configure | Provide encryption capability |
| Access Control (IAM) | Configure IAM policies, users, roles | Provide IAM service |
| Patch Management (OS) | Customer (EC2), Shared (RDS), AWS (Lambda) | Underlying infrastructure |
| Application Security | Full | None |
| Data Classification & Protection | Full | None |
Key Takeaway: The cloud provider's SOC 2 report or ISO 27001 certification covers the inherited controls; the customer must still implement and evidence the customer-responsible controls.
Control Mapping Best Practices
1. Leverage Existing Mappings
Many frameworks provide official mapping documents:
- NIST CSF Reference Tool - Maps CSF to 100+ frameworks
- ISO 27001 to various frameworks - Check ISO documentation
- CIS Controls Mapping - Interactive mapping tool
2. Create a Control Library
Build a centralised control library with:
- Unique control ID
- Control description
- Implementation details
- Evidence/documentation
- Mapped framework requirements
Example Tool: GRC platforms (ServiceNow, Archer, LogicManager) support control libraries and automated mapping.
3. Avoid Over-Mapping
Not all controls are exact matches. Document:
- Full Match: Control fully satisfies requirement
- Partial Match: Control partially satisfies, additional work needed
- No Match: New control required
4. Maintain Mapping Documentation
- Document mapping rationale
- Update when frameworks change
- Review during audits
Control Mapping Tools
| Tool | Description | Cost |
|---|---|---|
| NIST CSF Reference Tool | Official NIST tool for CSF mappings | Free |
| CIS Controls Navigator | Interactive CIS Controls mapping | Free |
| Unified Compliance Framework (UCF) | Commercial control mapping database | Paid |
| GRC Platforms (ServiceNow, Archer, LogicManager) | Integrated control libraries with mapping | Paid |
| Vanta / Drata / Secureframe | Compliance automation with control mapping | Paid (SaaS) |
Sample Multi-Framework Control
Example: Multi-Factor Authentication (MFA)
A single MFA implementation satisfies multiple framework requirements:
| Framework | Requirement | How MFA Satisfies |
|---|---|---|
| ISO 27001:2022 | 8.5 Secure authentication | MFA is a strong authentication mechanism |
| NIST CSF 2.0 | PR.AC-1: Identities and credentials managed | MFA for privileged and remote access |
| NIST SP 800-53 | IA-2(1): Multi-factor authentication | Direct requirement |
| CIS Controls v8 | 6.3, 6.4: MFA for remote and privileged access | Direct requirement |
| PCI DSS v4.0 | 8.4, 8.5: MFA for access to CDE and critical systems | MFA for cardholder data environment access |
| HIPAA | 164.312(d): Person or entity authentication | Strong authentication for ePHI systems |
| UK GDPR | Article 32: Security of processing | Technical measure for secure access |
| Cyber Essentials Plus | Access Control section | MFA for admin accounts |
Implementation Evidence:
- MFA enabled on all administrator accounts
- MFA required for VPN/remote access
- MFA policy documented
- User training on MFA usage
- Audit logs of MFA usage
Audit Benefit: Single control implementation and evidence set satisfies 8+ framework requirements.
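The control library and Full/Partial/No Match ratings from the best-practices section, applied to the MFA sample above, as an added Python example that is not part of this page: each control carries its ID, description, implementation, evidence and mapped requirements, and the helpers report per-framework coverage, remaining gaps and controls that are mapped but have no evidence. The library contents, the CTL-002 logging control and the match ratings are constructed for illustration.

```python
from dataclasses import dataclass, field

FULL, PARTIAL, NONE = "full", "partial", "none"
RANK = {NONE: 0, PARTIAL: 1, FULL: 2}  # strongest match wins per requirement

@dataclass
class Mapping:
    framework: str    # e.g. "ISO 27001:2022"
    requirement: str  # e.g. "8.5"
    match: str        # FULL or PARTIAL, never NONE (NONE is the absence of a mapping)
    rationale: str    # the documented mapping rationale

@dataclass
class Control:
    control_id: str
    description: str
    implementation: str
    evidence: list = field(default_factory=list)
    mappings: list = field(default_factory=list)

# Constructed sample library: the page's MFA control plus a hypothetical logging control.
LIBRARY = [
    Control("CTL-001", "Multi-factor authentication", "MFA on admin and VPN/remote access",
            evidence=["MFA policy document", "IdP export of MFA-enabled admin accounts"],
            mappings=[
                Mapping("ISO 27001:2022", "8.5", FULL, "Secure authentication via MFA"),
                Mapping("NIST SP 800-53", "IA-2(1)", FULL, "Direct requirement"),
                Mapping("CIS Controls v8", "6.3", FULL, "MFA for remote and privileged access"),
                Mapping("CIS Controls v8", "6.4", FULL, "MFA for remote and privileged access"),
                Mapping("PCI DSS v4.0", "8.4", FULL, "MFA for CDE access"),
                Mapping("PCI DSS v4.0", "8.5", PARTIAL, "Constructed: some sub-requirements open"),
            ]),
    Control("CTL-002", "Central audit logging", "Syslog forwarded to SIEM",
            evidence=[],  # mapped, but no evidence collected yet
            mappings=[Mapping("PCI DSS v4.0", "10", PARTIAL, "Log review not yet formalised")]),
]

def coverage(library, framework, requirements):
    """Strongest match per requirement; requirements no control maps to are 'none'."""
    result = {r: NONE for r in requirements}
    for control in library:
        for m in control.mappings:
            if m.framework == framework and m.requirement in result:
                if RANK[m.match] > RANK[result[m.requirement]]:
                    result[m.requirement] = m.match
    return result

def gaps(library, framework, requirements):
    """Requirements still needing work: partial matches and unmapped ones, in input order."""
    return [r for r, s in coverage(library, framework, requirements).items() if s != FULL]

def unevidenced(library):
    """Controls claimed in a mapping but carrying no evidence; these fail at audit."""
    return [c.control_id for c in library if c.mappings and not c.evidence]
```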
Quick Reference: Framework Comparison
| Framework | Scope | Controls | Certification | Best For |
|---|---|---|---|---|
| ISO 27001:2022 | ISMS, broad security | 93 controls (Annex A) | Yes (external audit) | International recognition, broad security programme |
| NIST CSF 2.0 | Cybersecurity risk management | Framework (not prescriptive controls) | No (self-assessment) | Risk-based approach, US organisations |
| NIST SP 800-53 Rev. 5 | Federal systems security | 1000+ controls (tailorable) | No (ATO process) | US federal/contractors |
| CIS Controls v8 | Cybersecurity best practices | 18 controls, 153 safeguards | No (self-assessment) | Practical, prioritised implementation |
| PCI DSS v4.0 | Payment card security | 12 requirements, 300+ sub-requirements | Yes (QSA audit or SAQ) | Merchants, payment processors |
| SOC 2 | Service provider security | 5 Trust Service Criteria | Yes (CPA audit) | SaaS, cloud providers demonstrating security to customers |
| HIPAA Security Rule | Healthcare data protection | 3 safeguard categories (Admin, Physical, Technical) | No (regulatory compliance) | US healthcare organisations with PHI |