NIST Cybersecurity Framework 2.0

A comprehensive framework for managing and reducing cybersecurity risk

The NIST Cybersecurity Framework (CSF) is voluntary guidance, published by the U.S. National Institute of Standards and Technology, that helps organizations assess and improve how they manage cybersecurity risk, including their ability to prevent, detect, and respond to attacks. It is built on existing standards, guidelines, and practices rather than prescribing new controls, which is why it is commonly used as the top-level structure that other frameworks (such as ISO/IEC 27001) are mapped to. Version 2.0, released in February 2024, applies to organizations of any size and sector (no longer only critical infrastructure) and adds Govern as a sixth Function.

Framework Structure

Functions (6): the highest-level grouping of cybersecurity outcomes
Categories (22): subdivisions of Functions into groups of related outcomes
Subcategories (106): specific, assessable outcomes under each Category
Informative References (multiple): pointers to specific sections of standards, guidelines, and practices that support each Subcategory

Core Functions

Govern (GV)

Develop and implement governance structures, processes, and policies

Categories: 6
Subcategories: 31

Identify (ID)

Develop understanding to manage cybersecurity risk to systems, assets, data, and capabilities

Categories: 3
Subcategories: 21

Protect (PR)

Develop and implement appropriate safeguards to ensure delivery of critical services

Categories: 5
Subcategories: 22

Detect (DE)

Develop and implement appropriate activities to identify the occurrence of a cybersecurity event

Categories: 2
Subcategories: 11

Respond (RS)

Develop and implement appropriate activities to take action regarding a detected cybersecurity incident

Categories: 4
Subcategories: 13

Recover (RC)

Develop and implement appropriate activities to maintain plans for resilience and to restore capabilities or services

Categories: 2
Subcategories: 8

Govern (GV) Categories

GV.OC Organizational Context
GV.RM Risk Management Strategy
GV.RR Roles, Responsibilities, and Authorities
GV.PO Policy
GV.OV Oversight
GV.SC Cybersecurity Supply Chain Risk Management

Identify (ID) Categories

ID.AM Asset Management
ID.RA Risk Assessment
ID.IM Improvement

Protect (PR) Categories

PR.AA Identity Management, Authentication, and Access Control
PR.AT Awareness and Training
PR.DS Data Security
PR.PS Platform Security
PR.IR Technology Infrastructure Resilience

Detect (DE) Categories

DE.CM Continuous Monitoring
DE.AE Adverse Event Analysis

Respond (RS) Categories

RS.MA Incident Management
RS.AN Incident Analysis
RS.CO Incident Response Reporting and Communication
RS.MI Incident Mitigation

Recover (RC) Categories

RC.RP Incident Recovery Plan Execution
RC.CO Incident Recovery Communication

ISO/IEC 27001:2022

Information Security Management System (ISMS) standard

ISO/IEC 27001 is an international standard on how to manage information security. It was originally published jointly by the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC) in 2005 and revised in 2013 and 2022. It specifies requirements for establishing, implementing, maintaining and continually improving an information security management system (ISMS). The 2022 revision restructured Annex A from 14 domains and 114 controls into 4 themes and 93 controls, so mappings written against the 2013 control numbers do not carry over unchanged.

Framework Structure

Clauses 4 to 10 (7): the mandatory requirements of the standard; none of them may be excluded from a certified ISMS
Themes (4): the grouping of Annex A controls (Organizational, People, Physical, Technological)
Controls (93): the reference controls in Annex A, selected and justified through the risk treatment process
Statement of Applicability (1): the document listing every Annex A control, whether it is included or excluded and why, and whether it is implemented

Main Clauses (4-10)

Clause 4 Context of the Organization: understanding the organization and its context, the needs and expectations of interested parties, and the scope of the ISMS
Clause 5 Leadership: leadership commitment, the information security policy, and organizational roles, responsibilities, and authorities
Clause 6 Planning: actions to address risks and opportunities, information security objectives and planning to achieve them (including risk assessment and risk treatment, 6.1.2 and 6.1.3)
Clause 7 Support: resources, competence, awareness, communication, and documented information
Clause 8 Operation: operational planning and control, and performing the information security risk assessment and treatment
Clause 9 Performance Evaluation: monitoring, measurement, analysis and evaluation, internal audit, and management review
Clause 10 Improvement: nonconformity and corrective action, and continual improvement

Annex A Control Themes

Organizational Controls (Annex A.5): 37 controls related to the overall governance of information security
People Controls (Annex A.6): 8 controls related to the human aspects of information security
Physical Controls (Annex A.7): 14 controls related to the physical aspects of information security
Technological Controls (Annex A.8): 34 controls related to the technical aspects of information security

Organizational Controls (Annex A.5)

A.5.1 Policies for information security: an information security policy and topic-specific policies are defined, approved by management, published, communicated, and reviewed

Migration

Mapping between NIST CSF 2.0 subcategories and ISO/IEC 27001:2022 requirements

This mapping shows how NIST Cybersecurity Framework functions, categories, and subcategories align with ISO/IEC 27001:2022. Use it to identify requirements the two frameworks share and to avoid assessing the same control twice. Two caveats a practitioner should keep in mind: the mapping is many-to-many (one subcategory often needs several ISO references, and one control serves several subcategories), and ISO 27001's risk management requirements live in the mandatory clauses (6.1.2, 6.1.3, 8.2, 8.3), not in Annex A, so a CSF Govern subcategory can legitimately map to a clause rather than to an "A.x.y" control.

NIST CSF Function | NIST CSF Category | NIST CSF Subcategory | ISO/IEC 27001:2022 Reference | Implementation Status
Govern (GV) | Cybersecurity Risk Management Strategy (GV.RM) | GV.RM-01: Risk management objectives are established and agreed to by organizational stakeholders | Clause 6.1.2: Information security risk assessment | Implemented
Govern (GV) | Cybersecurity Risk Management Strategy (GV.RM) | GV.RM-02: Risk appetite and risk tolerance statements are established, communicated, and maintained | Clause 6.1.3: Information security risk treatment | Partially Implemented
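To show how a crosswalk like the table above is actually used, here is an added Python example (not the page's own tool). It takes mapping rows in the table's column order plus the recorded implementation status of each ISO reference, rolls status up to each CSF subcategory on a worst-control-wins basis, aggregates by Function, and reports subcategories that are unmapped or not fully implemented, as well as ISO references that no subcategory claims. The rows, the in-scope subset, and the statuses are a constructed sample; the identifiers (GV.RM-01, ID.AM-01, PR.AA-01, DE.CM-01, clauses 6.1.2 and 6.1.3, A.5.9, A.5.16, A.5.17, A.8.16) are real, but which ones are paired is an assumption for illustration.

```python
"""Crosswalk gap analysis between NIST CSF 2.0 subcategories and ISO/IEC 27001:2022.

Added example for this page, not the page's own tool. MAPPING_ROWS, IN_SCOPE and
ISO_STATUS are a constructed sample (a real crosswalk covers all 106 subcategories
and is many-to-many); the identifiers are real, the pairings are assumptions.
"""
from collections import Counter, defaultdict

# Mapping rows in the same column order as the page's table:
# (CSF subcategory, ISO 27001:2022 reference, reference title).
# Bare "6.1.x" references are mandatory ISMS clauses; "A.x.y" are Annex A controls.
MAPPING_ROWS = [
    ("GV.RM-01", "6.1.2", "Information security risk assessment"),
    ("GV.RM-02", "6.1.2", "Information security risk assessment"),
    ("GV.RM-02", "6.1.3", "Information security risk treatment"),
    ("ID.AM-01", "A.5.9", "Inventory of information and other associated assets"),
    ("PR.AA-01", "A.5.16", "Identity management"),
    ("PR.AA-01", "A.5.17", "Authentication information"),
]

# Subcategories in scope for this assessment (constructed subset of the 106).
# DE.CM-01 deliberately has no mapping row, which the gap analysis must surface.
IN_SCOPE = ["GV.RM-01", "GV.RM-02", "ID.AM-01", "PR.AA-01", "DE.CM-01"]

# Implementation status per ISO reference, as an SoA / ISMS register would record it.
ISO_STATUS = {
    "6.1.2": "Implemented",
    "6.1.3": "Partially Implemented",
    "A.5.9": "Implemented",
    "A.5.16": "Implemented",
    "A.5.17": "Not Implemented",
    "A.8.16": "Implemented",   # Monitoring activities: assessed, but mapped to nothing
}

# Worst-wins ordering: a subcategory is only as implemented as its weakest control.
RANK = {"Not Implemented": 0, "Partially Implemented": 1, "Implemented": 2}


def controls_for(subcategory):
    """ISO references mapped to a CSF subcategory, in table order."""
    return [ref for sub, ref, _ in MAPPING_ROWS if sub == subcategory]


def subcategory_status(subcategory):
    """Roll mapped control statuses up to the subcategory (worst status wins).

    Returns "Unmapped" when the crosswalk has no row for it and "Unassessed" when a
    mapped reference has no recorded status; both are gaps, never passes.
    """
    refs = controls_for(subcategory)
    if not refs:
        return "Unmapped"
    statuses = [ISO_STATUS.get(ref) for ref in refs]
    if any(s is None for s in statuses):
        return "Unassessed"
    return min(statuses, key=RANK.__getitem__)


def function_rollup(subcategories=IN_SCOPE):
    """Count subcategory statuses per CSF Function (the two-letter id prefix)."""
    rollup = defaultdict(Counter)
    for sub in subcategories:
        rollup[sub.split(".")[0]][subcategory_status(sub)] += 1
    return {fn: dict(counts) for fn, counts in rollup.items()}


def gaps(subcategories=IN_SCOPE):
    """Subcategories that are not fully covered: (id, status, weak ISO references)."""
    out = []
    for sub in subcategories:
        status = subcategory_status(sub)
        if status == "Implemented":
            continue
        weak = [r for r in controls_for(sub) if ISO_STATUS.get(r) != "Implemented"]
        out.append((sub, status, weak))
    return out


def unreferenced_controls():
    """ISO references with a recorded status that no CSF subcategory maps to.

    Not errors, but they show where effort is spent without earning CSF credit,
    which usually means the crosswalk is missing a row.
    """
    mapped = {ref for _, ref, _ in MAPPING_ROWS}
    return sorted(ref for ref in ISO_STATUS if ref not in mapped)


if __name__ == "__main__":
    for sub in IN_SCOPE:
        print(f"{sub:10} {subcategory_status(sub)}")
    print("per function:", function_rollup())
    print("gaps:", gaps())
    print("unreferenced ISO references:", unreferenced_controls())
```

The worst-wins rule is the important design choice: if PR.AA-01 maps to both A.5.16 (Implemented) and A.5.17 (Not Implemented), reporting it as Implemented because one of its controls is done would hide a real authentication gap. Treating "Unmapped" and "Unassessed" as gaps rather than passes matters for the same reason; a missing crosswalk row is the most common way a control deficiency disappears from a compliance dashboard.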