CIS Controls v8.1 to ISO/IEC 27001:2022
CIS Safeguards to ISO 27001

How to read this mapping: each CIS Control is listed with the number of its safeguards that are mapped, followed by each mapped safeguard and the ISO/IEC 27001:2022 Annex A control(s) it corresponds to (control number and title). The Annex A numbering is that of the 2022 edition (A5 organizational, A6 people, A7 physical, A8 technological controls); an ISMS still scoped against the 2013 control set needs the 2013-to-2022 transition mapping before this table can be used. The relationship is many-to-many: a mapped ISO control indicates overlap in intent, not that implementing the CIS Safeguard satisfies the ISO control in full, or the reverse.
1. Inventory and Control of Enterprise Assets (1 safeguard mapped)
   - Establish and Maintain Detailed Enterprise Asset Inventory
       A5.9 Inventory of information and other associated assets
       A8.8 Management of technical vulnerabilities

2. Inventory and Control of Software Assets (3 safeguards mapped)
   - Establish and Maintain a Software Inventory
       A5.9 Inventory of information and other associated assets
   - Allowlist Authorized Software
       A8.7 Protection against malware
       A8.19 Installation of software on operational systems
   - Allowlist Authorized Libraries
       A8.19 Installation of software on operational systems

3. Data Protection (14 safeguards mapped)
   - Establish and Maintain a Data Management Process
       A5.9 Inventory of information and other associated assets
       A5.10 Acceptable use of information and other associated assets
       A8.1 User end point devices
   - Establish and Maintain a Data Inventory
       A5.9 Inventory of information and other associated assets
   - Configure Data Access Control Lists
       A5.10 Acceptable use of information and other associated assets
       A5.15 Access control
       A8.3 Information access restriction
       A8.4 Access to source code
   - Enforce Data Retention
       A5.33 Protection of records
   - Securely Dispose of Data
       A5.10 Acceptable use of information and other associated assets
   - Encrypt Data on End-User Devices
       A6.7 Remote working
       A8.1 User end point devices
   - Establish and Maintain a Data Classification Scheme
       A5.9 Inventory of information and other associated assets
       A5.12 Classification of information
       A5.13 Labelling of information
       A5.33 Protection of records
       A8.12 Data leakage prevention
   - Document Data Flows
       A5.14 Information transfer
   - Encrypt Data on Removable Media
       A5.14 Information transfer
   - Encrypt Sensitive Data in Transit
       A5.14 Information transfer
   - Encrypt Sensitive Data at Rest
       A5.33 Protection of records
   - Segment Data Processing and Storage Based on Sensitivity
       A8.20 Networks security
       A8.22 Segregation of networks
   - Deploy a Data Loss Prevention Solution
       A5.14 Information transfer
       A8.12 Data leakage prevention
   - Log Sensitive Data Access
       A8.15 Logging

4. Secure Configuration of Enterprise Assets and Software (9 safeguards mapped)
   - Establish and Maintain a Secure Configuration Process
       A8.1 User end point devices
       A8.9 Configuration management
   - Establish and Maintain a Secure Configuration Process for Network Infrastructure
       A8.9 Configuration management
   - Configure Automatic Session Locking on Enterprise Assets
       A8.5 Secure authentication
       A8.9 Configuration management
   - Implement and Manage a Firewall on End-User Devices
       A6.7 Remote working
       A8.1 User end point devices
   - Manage Default Accounts on Enterprise Assets and Software
       A8.2 Privileged access rights
       A8.9 Configuration management
   - Uninstall or Disable Unnecessary Services on Enterprise Assets and Software
       A8.9 Configuration management
   - Enforce Automatic Device Lockout on Portable End-User Devices
       A8.5 Secure authentication
   - Enforce Remote Wipe Capability on Portable End-User Devices
       A8.1 User end point devices
       A8.10 Information deletion
   - Separate Enterprise Workspaces on Mobile End-User Devices
       A6.7 Remote working
       A8.1 User end point devices

5. Account Management (5 safeguards mapped)
   - Establish and Maintain an Inventory of Accounts
       A5.16 Identity management
   - Use Unique Passwords
       A5.17 Authentication information
   - Restrict Administrator Privileges to Dedicated Administrator Accounts
       A5.15 Access control
       A8.2 Privileged access rights
   - Establish and Maintain an Inventory of Service Accounts
       A5.15 Access control
       A8.18 Use of privileged utility programs
   - Centralize Account Management
       A5.15 Access control

6. Access Control Management (8 safeguards mapped)
   - Establish an Access Granting Process
       A5.15 Access control
       A5.16 Identity management
       A5.18 Access rights
   - Establish an Access Revoking Process
       A5.16 Identity management
       A5.18 Access rights
       A6.5 Responsibilities after termination or change of employment
   - Require MFA for Externally-Exposed Applications
       A5.15 Access control
   - Require MFA for Remote Network Access
       A6.7 Remote working
   - Require MFA for Administrative Access
       A8.2 Privileged access rights
   - Establish and Maintain an Inventory of Authentication and Authorization Systems
       A8.5 Secure authentication
   - Centralize Access Control
       A5.18 Access rights
   - Define and Maintain Role-Based Access Control
       A5.3 Segregation of duties
       A5.15 Access control
       A8.2 Privileged access rights
       A8.3 Information access restriction

7. Continuous Vulnerability Management (7 safeguards mapped)
   - Establish and Maintain a Vulnerability Management Process
       A8.8 Management of technical vulnerabilities
   - Establish and Maintain a Remediation Process
       A8.8 Management of technical vulnerabilities
   - Perform Automated Operating System Patch Management
       A8.8 Management of technical vulnerabilities
   - Perform Automated Application Patch Management
       A8.8 Management of technical vulnerabilities
   - Perform Automated Vulnerability Scans of Internal Enterprise Assets
       A8.8 Management of technical vulnerabilities
   - Perform Automated Vulnerability Scans of Externally-Exposed Enterprise Assets
       A8.8 Management of technical vulnerabilities
   - Remediate Detected Vulnerabilities
       A8.8 Management of technical vulnerabilities

8. Audit Log Management (8 safeguards mapped)
   - Establish and Maintain an Audit Log Management Process
       A8.15 Logging
   - Collect Audit Logs
       A8.20 Networks security
   - Ensure Adequate Audit Log Storage
       A8.6 Capacity management
   - Standardize Time Synchronization
       A8.17 Clock synchronization
   - Collect Detailed Audit Logs
       A5.28 Collection of evidence
       A8.15 Logging
   - Collect Command-Line Audit Logs
       A8.15 Logging
   - Retain Audit Logs
       A5.28 Collection of evidence
   - Conduct Audit Log Reviews
       A5.25 Assessment and decision on information security events

9. Email and Web Browser Protections (4 safeguards mapped)
   - Ensure Use of Only Fully Supported Browsers and Email Clients
       A8.1 User end point devices
   - Use DNS Filtering Services
       A8.23 Web filtering
   - Maintain and Enforce Network-Based URL Filters
       A8.7 Protection against malware
       A8.23 Web filtering
   - Deploy and Maintain Email Server Anti-Malware Protections
       A8.7 Protection against malware

10. Malware Defenses (6 safeguards mapped)
   - Deploy and Maintain Anti-Malware Software
       A8.1 User end point devices
       A8.7 Protection against malware
   - Configure Automatic Anti-Malware Signature Updates
       A8.7 Protection against malware
   - Configure Automatic Anti-Malware Scanning of Removable Media
       A8.7 Protection against malware
   - Enable Anti-Exploitation Features
       A8.7 Protection against malware
   - Centrally Manage Anti-Malware Software
       A8.7 Protection against malware
   - Use Behavior-Based Anti-Malware Software
       A8.1 User end point devices
       A8.7 Protection against malware

11. Data Recovery (5 safeguards mapped)
   - Establish and Maintain a Data Recovery Process
       A8.13 Information backup
   - Perform Automated Backups
       A8.13 Information backup
   - Protect Recovery Data
       A8.12 Data leakage prevention
       A8.13 Information backup
   - Establish and Maintain an Isolated Instance of Recovery Data
       A8.13 Information backup
   - Test Data Recovery
       A8.13 Information backup

12. Network Infrastructure Management (4 safeguards mapped)
   - Establish and Maintain a Secure Network Architecture
       A8.22 Segregation of networks
       A8.27 Secure system architecture and engineering principles
   - Securely Manage Network Infrastructure
       A8.20 Networks security
       A8.21 Security of network services
   - Ensure Remote Devices Utilize a VPN and are Connecting to an Enterprise's AAA Infrastructure
       A6.7 Remote working
       A8.1 User end point devices
   - Establish and Maintain Dedicated Computing Resources for All Administrative Work
       A8.2 Privileged access rights
       A8.22 Segregation of networks

13. Network Monitoring and Defense (10 safeguards mapped)
   - Centralize Security Event Alerting
       A8.15 Logging
   - Deploy a Host-Based Intrusion Detection Solution
       A8.16 Monitoring activities
   - Deploy a Network Intrusion Detection Solution
       A8.16 Monitoring activities
   - Perform Traffic Filtering Between Network Segments
       A8.16 Monitoring activities
       A8.22 Segregation of networks
   - Manage Access Control for Remote Assets
       A6.7 Remote working
       A8.1 User end point devices
       A8.3 Information access restriction
   - Collect Network Traffic Flow Logs
       A8.15 Logging
       A8.16 Monitoring activities
   - Deploy a Host-Based Intrusion Prevention Solution
       A8.8 Management of technical vulnerabilities
   - Deploy a Network Intrusion Prevention Solution
       A8.8 Management of technical vulnerabilities
   - Deploy Port-Level Access Control
       A8.8 Management of technical vulnerabilities
   - Perform Application Layer Filtering
       A8.8 Management of technical vulnerabilities

14. Security Awareness and Skills Training (8 safeguards mapped)
   - Establish and Maintain a Security Awareness Program
       A6.3 Information security awareness, education and training
   - Train Workforce Members to Recognize Social Engineering Attacks
       A8.7 Protection against malware
   - Train Workforce on Data Handling Best Practices
       A5.10 Acceptable use of information and other associated assets
   - Train Workforce Members on Causes of Unintentional Data Exposure
       A6.3 Information security awareness, education and training
   - Train Workforce Members on Recognizing and Reporting Security Incidents
       A6.3 Information security awareness, education and training
       A6.8 Information security event reporting
   - Train Workforce on How to Identify and Report if Their Enterprise Assets are Missing Security Updates
       A6.3 Information security awareness, education and training
   - Train Workforce on the Dangers of Connecting to and Transmitting Enterprise Data Over Insecure Networks
       A6.3 Information security awareness, education and training
   - Conduct Role-Specific Security Awareness and Skills Training
       A6.3 Information security awareness, education and training

15. Service Provider Management (7 safeguards mapped)
   - Establish and Maintain an Inventory of Service Providers
       A5.19 Information security in supplier relationships
   - Establish and Maintain a Service Provider Management Policy
       A5.1 Policies for information security
       A5.10 Acceptable use of information and other associated assets
       A5.19 Information security in supplier relationships
       A5.20 Addressing information security within supplier agreements
       A5.23 Information security for use of cloud services
   - Classify Service Providers
       A5.19 Information security in supplier relationships
   - Ensure Service Provider Contracts Include Security Requirements
       A5.14 Information transfer
       A5.20 Addressing information security within supplier agreements
       A5.21 Managing information security in the information and communication technology (ICT) supply chain
       A5.23 Information security for use of cloud services
   - Assess Service Providers
       A5.19 Information security in supplier relationships
       A5.22 Monitoring, review and change management of supplier services
       A5.23 Information security for use of cloud services
   - Monitor Service Providers
       A5.19 Information security in supplier relationships
       A5.20 Addressing information security within supplier agreements
       A5.21 Managing information security in the information and communication technology (ICT) supply chain
       A5.22 Monitoring, review and change management of supplier services
   - Securely Decommission Service Providers
       A5.19 Information security in supplier relationships
       A5.20 Addressing information security within supplier agreements

16. Application Software Security (14 safeguards mapped)
   - Establish and Maintain a Secure Application Development Process
       A5.8 Information security in project management
       A8.4 Access to source code
       A8.25 Secure development life cycle
       A8.28 Secure coding
   - Establish and Maintain a Process to Accept and Address Software Vulnerabilities
       A8.8 Management of technical vulnerabilities
   - Perform Root Cause Analysis on Security Vulnerabilities
       A8.8 Management of technical vulnerabilities
   - Establish and Manage an Inventory of Third-Party Software Components
       A8.26 Application security requirements
       A8.30 Outsourced development
   - Use Up-to-Date and Trusted Third-Party Software Components
       A8.26 Application security requirements
   - Establish and Maintain a Severity Rating System and Process for Application Vulnerabilities
       A8.8 Management of technical vulnerabilities
   - Use Standard Hardening Configuration Templates for Application Infrastructure
       A8.8 Management of technical vulnerabilities
   - Separate Production and Non-Production Systems
       A8.31 Separation of development, test and production environments
   - Train Developers in Application Security Concepts and Secure Coding
       A8.28 Secure coding
   - Apply Secure Design Principles in Application Architectures
       A8.27 Secure system architecture and engineering principles
   - Leverage Vetted Modules or Services for Application Security Components
       A8.25 Secure development life cycle
       A8.26 Application security requirements
   - Implement Code-Level Security Checks
       A8.25 Secure development life cycle
       A8.28 Secure coding
       A8.29 Security testing in development and acceptance
   - Conduct Application Penetration Testing
       A8.8 Management of technical vulnerabilities
       A8.29 Security testing in development and acceptance
   - Conduct Threat Modeling
       A8.29 Security testing in development and acceptance

17. Incident Response Management (9 safeguards mapped)
   - Designate Personnel to Manage Incident Handling
       A5.24 Information security incident management planning and preparation
   - Establish and Maintain Contact Information for Reporting Security Incidents
       A5.5 Contact with authorities
       A5.6 Contact with special interest groups
       A5.20 Addressing information security within supplier agreements
       A5.24 Information security incident management planning and preparation
   - Establish and Maintain an Enterprise Process for Reporting Incidents
       A6.8 Information security event reporting
   - Establish and Maintain an Incident Response Process
       A5.24 Information security incident management planning and preparation
       A5.26 Response to information security incidents
   - Assign Key Roles and Responsibilities
       A5.2 Information security roles and responsibilities
       A5.24 Information security incident management planning and preparation
   - Define Mechanisms for Communicating During Incident Response
       A5.24 Information security incident management planning and preparation
   - Conduct Routine Incident Response Exercises
       A5.30 ICT readiness for business continuity
   - Conduct Post-Incident Reviews
       A5.24 Information security incident management planning and preparation
       A5.27 Learning from information security incidents
   - Establish and Maintain Security Incident Thresholds
       A5.24 Information security incident management planning and preparation
       A5.25 Assessment and decision on information security events

18. Penetration Testing (5 safeguards mapped)
   - Establish and Maintain a Penetration Testing Program
       A8.8 Management of technical vulnerabilities
   - Perform Periodic External Penetration Tests
       A8.8 Management of technical vulnerabilities
   - Remediate Penetration Test Findings
       A8.8 Management of technical vulnerabilities
   - Validate Security Measures
       A8.8 Management of technical vulnerabilities
   - Perform Periodic Internal Penetration Tests
       A8.8 Management of technical vulnerabilities