Mapping NIST Controls to ISO Standards

Assuring Security of Data Shared by Government, Business

The National Institute of Standards and Technology is revising a map to link its core security controls, Special Publication 800-53 Rev. 4: Security and Privacy Controls for Federal Information Systems and Organizations, to complementary standards issued by the International Organization for Standardization, known as ISO/IEC 27001.

See Also: Live Webinar | Cybersecurity in Healthcare Supply Chains: A CISO Perspective

Such mapping is important because federal agencies conducting business with the private sector - and vice versa - want to assure that the controls they implement to secure IT systems and data and maintain privacy conform with those of their partners.





Listen to NIST's Ron Ross discuss the mapping.

"The mapping can save a federal agency a significant amount of resources," says NIST Fellow Ron Ross, who leads the federal government joint task force that wrote the NIST guidance. "We don't want to have that private contractor repeat all of those security controls if they're already doing controls that are very similar with regard to protection. That is where the mapping table really comes into play and can be a great benefit."

NIST has issued a draft of the map, known as Appendix H, to its controls guidance, and is seeking stakeholders' comments as it fine tunes the document. It's revising Appendix H because of recent changes to ISO 27001.

Using its map, NIST says, can provide evidence that certain security controls are implemented correctly, operating as intended and producing the desired effect in satisfying stated security requirements.

For instance, the map shows that SP 800-53 control for contingency plan testing, CP-4, maps to ISO/IEC 27001 control A.17.1.3. When NIST and ISO controls are similar, but not identical, the map shows an asterisk in the table.

While the revised security control mappings are more accurate than previous ones, NIST says, there remains some degree of subjectivity in the mapping analysis; that is, the mappings are not always one-to-one and may not be completely equivalent. For example, SP 800-53 contingency planning and ISO/IEC 27001 business continuity management were deemed to have similar, but not the same, functionality.

Mapping's Role in Cybersecurity Framework

The map also would help organizations adopting the federal government's cybersecurity framework because the framework references the NIST and ISO controls as well as other security and privacy guidance and tools (see Cyber Framework: Setting Record Straight). The cybersecurity framework - produced to help critical infrastructure operators to secure their IT systems - highlights tools and documents organizations can employ to develop a risk management program without stipulating specific solutions. That allows each organization to decide what controls fit within their own enterprise.

"This is the big story of the cybersecurity framework and we want our mapping tables to continue to promote that dialogue and that normalization of security across all sectors." Ross says.

Stakeholders can submit comments on the draft by Sept. 26 to sec-cert@nist.gov with the subject line: "Comments Draft SP 800-53, Appendix H."