CIS Controls v8.1 to ISO 27001

ISO 27001 to CIS Safeguards

Columns: Chapter | ISO 27001 control name | CIS Control name | CIS Safeguard number and title
Chapter 5 (27 controls)
A5.1 Policies for information security
15. Service Provider Management
15.2 Establish and Maintain a Service Provider Management Policy
A5.2 Information security roles and responsibilities
17. Incident Response Management
17.5 Assign Key Roles and Responsibilities
A5.3 Segregation of duties
6. Access Control Management
6.8 Define and Maintain Role-Based Access Control
A5.5 Contact with authorities
17. Incident Response Management
17.2 Establish and Maintain Contact Information for Reporting Security Incidents
A5.6 Contact with special interest groups
17. Incident Response Management
17.2 Establish and Maintain Contact Information for Reporting Security Incidents
A5.8 Information security in project management
16. Application Software Security
16.1 Establish and Maintain a Secure Application Development Process
A5.9 Inventory of information and other associated assets
1. Inventory and Control of Enterprise Assets
2. Inventory and Control of Software Assets
3. Data Protection
1.1 Establish and Maintain Detailed Enterprise Asset Inventory
2.1 Establish and Maintain a Software Inventory
3.1 Establish and Maintain a Data Management Process
3.2 Establish and Maintain a Data Inventory
3.7 Establish and Maintain a Data Classification Scheme
A5.10 Acceptable use of information and other associated assets
3. Data Protection
14. Security Awareness and Skills Training
15. Service Provider Management
3.1 Establish and Maintain a Data Management Process
3.3 Configure Data Access Control Lists
3.5 Securely Dispose of Data
14.4 Train Workforce on Data Handling Best Practices
15.2 Establish and Maintain a Service Provider Management Policy
A5.12 Classification of information
3. Data Protection
3.7 Establish and Maintain a Data Classification Scheme
A5.13 Labelling of information
3. Data Protection
3.7 Establish and Maintain a Data Classification Scheme
A5.14 Information transfer
3. Data Protection
15. Service Provider Management
3.8 Document Data Flows
3.9 Encrypt Data on Removable Media
3.10 Encrypt Sensitive Data in Transit
3.13 Deploy a Data Loss Prevention Solution
15.4 Ensure Service Provider Contracts Include Security Requirements
A5.15 Access control
3. Data Protection
5. Account Management
6. Access Control Management
3.3 Configure Data Access Control Lists
5.4 Restrict Administrator Privileges to Dedicated Administrator Accounts
5.5 Establish and Maintain an Inventory of Service Accounts
5.6 Centralize Account Management
6.1 Establish an Access Granting Process
6.3 Require MFA for Externally-Exposed Applications
6.8 Define and Maintain Role-Based Access Control
A5.16 Identity management
5. Account Management
6. Access Control Management
5.1 Establish and Maintain an Inventory of Accounts
6.1 Establish an Access Granting Process
6.2 Establish an Access Revoking Process
A5.17 Authentication information
5. Account Management
5.2 Use Unique Passwords
A5.18 Access rights
6. Access Control Management
6.1 Establish an Access Granting Process
6.2 Establish an Access Revoking Process
6.7 Centralize Access Control
A5.19 Information security in supplier relationships
15. Service Provider Management
15.1 Establish and Maintain an Inventory of Service Providers
15.2 Establish and Maintain a Service Provider Management Policy
15.3 Classify Service Providers
15.5 Assess Service Providers
15.6 Monitor Service Providers
15.7 Securely Decommission Service Providers
A5.20 Addressing information security within supplier agreements
15. Service Provider Management
17. Incident Response Management
15.2 Establish and Maintain a Service Provider Management Policy
15.4 Ensure Service Provider Contracts Include Security Requirements
15.6 Monitor Service Providers
15.7 Securely Decommission Service Providers
17.2 Establish and Maintain Contact Information for Reporting Security Incidents
A5.21 Managing information security in the information and communication technology (ICT) supply chain
15. Service Provider Management
15.4 Ensure Service Provider Contracts Include Security Requirements
15.6 Monitor Service Providers
A5.22 Monitoring, review and change management of supplier services
15. Service Provider Management
15.5 Assess Service Providers
15.6 Monitor Service Providers
A5.23 Information security for use of cloud services
15. Service Provider Management
15.2 Establish and Maintain a Service Provider Management Policy
15.4 Ensure Service Provider Contracts Include Security Requirements
15.5 Assess Service Providers
A5.24 Information security incident management planning and preparation
17. Incident Response Management
17.1 Designate Personnel to Manage Incident Handling
17.2 Establish and Maintain Contact Information for Reporting Security Incidents
17.4 Establish and Maintain an Incident Response Process
17.5 Assign Key Roles and Responsibilities
17.6 Define Mechanisms for Communicating During Incident Response
17.8 Conduct Post-Incident Reviews
17.9 Establish and Maintain Security Incident Thresholds
A5.25 Assessment and decision on information security events
8. Audit Log Management
17. Incident Response Management
8.11 Conduct Audit Log Reviews
17.9 Establish and Maintain Security Incident Thresholds
A5.26 Response to information security incidents
17. Incident Response Management
17.4 Establish and Maintain an Incident Response Process
A5.27 Learning from information security incidents
17. Incident Response Management
17.8 Conduct Post-Incident Reviews
A5.28 Collection of evidence
8. Audit Log Management
8.5 Collect Detailed Audit Logs
8.10 Retain Audit Logs
A5.30 ICT readiness for business continuity
17. Incident Response Management
17.7 Conduct Routine Incident Response Exercises
A5.33 Protection of records
3. Data Protection
3.4 Enforce Data Retention
3.7 Establish and Maintain a Data Classification Scheme
3.11 Encrypt Sensitive Data at Rest

Chapter 6 (4 controls)
A6.3 Information security awareness, education and training
14. Security Awareness and Skills Training
14.1 Establish and Maintain a Security Awareness Program
14.5 Train Workforce Members on Causes of Unintentional Data Exposure
14.6 Train Workforce Members on Recognizing and Reporting Security Incidents
14.7 Train Workforce on How to Identify and Report if Their Enterprise Assets are Missing Security Updates
14.8 Train Workforce on the Dangers of Connecting to and Transmitting Enterprise Data Over Insecure Networks
14.9 Conduct Role-Specific Security Awareness and Skills Training
A6.5 Responsibilities after termination or change of employment
6. Access Control Management
6.2 Establish an Access Revoking Process
A6.7 Remote working
3. Data Protection
4. Secure Configuration of Enterprise Assets and Software
6. Access Control Management
12. Network Infrastructure Management
13. Network Monitoring and Defense
3.6 Encrypt Data on End-User Devices
4.5 Implement and Manage a Firewall on End-User Devices
4.12 Separate Enterprise Workspaces on Mobile End-User Devices
6.4 Require MFA for Remote Network Access
12.7 Ensure Remote Devices Utilize a VPN and are Connecting to an Enterprise’s AAA Infrastructure
13.5 Manage Access Control for Remote Assets
A6.8 Information security event reporting
14. Security Awareness and Skills Training
17. Incident Response Management
14.6 Train Workforce Members on Recognizing and Reporting Security Incidents
17.3 Establish and Maintain an Enterprise Process for Reporting Incidents

Chapter 8 (28 controls)
A8.1 User end point devices
3. Data Protection
4. Secure Configuration of Enterprise Assets and Software
9. Email and Web Browser Protections
10. Malware Defenses
12. Network Infrastructure Management
13. Network Monitoring and Defense
3.1 Establish and Maintain a Data Management Process
3.6 Encrypt Data on End-User Devices
4.1 Establish and Maintain a Secure Configuration Process
4.5 Implement and Manage a Firewall on End-User Devices
4.11 Enforce Remote Wipe Capability on Portable End-User Devices
4.12 Separate Enterprise Workspaces on Mobile End-User Devices
9.1 Ensure Use of Only Fully Supported Browsers and Email Clients
10.1 Deploy and Maintain Anti-Malware Software
10.7 Use Behavior-Based Anti-Malware Software
12.7 Ensure Remote Devices Utilize a VPN and are Connecting to an Enterprise’s AAA Infrastructure
13.5 Manage Access Control for Remote Assets
A8.2 Privileged access rights
4. Secure Configuration of Enterprise Assets and Software
5. Account Management
6. Access Control Management
12. Network Infrastructure Management
4.7 Manage Default Accounts on Enterprise Assets and Software
5.4 Restrict Administrator Privileges to Dedicated Administrator Accounts
6.5 Require MFA for Administrative Access
6.8 Define and Maintain Role-Based Access Control
12.8 Establish and Maintain Dedicated Computing Resources for All Administrative Work
A8.3 Information access restriction
3. Data Protection
6. Access Control Management
13. Network Monitoring and Defense
3.3 Configure Data Access Control Lists
6.8 Define and Maintain Role-Based Access Control
13.5 Manage Access Control for Remote Assets
A8.4 Access to source code
3. Data Protection
16. Application Software Security
3.3 Configure Data Access Control Lists
16.1 Establish and Maintain a Secure Application Development Process
A8.5 Secure authentication
4. Secure Configuration of Enterprise Assets and Software
6. Access Control Management
4.3 Configure Automatic Session Locking on Enterprise Assets
4.10 Enforce Automatic Device Lockout on Portable End-User Devices
6.6 Establish and Maintain an Inventory of Authentication and Authorization Systems
A8.6 Capacity management
8. Audit Log Management
8.3 Ensure Adequate Audit Log Storage
A8.7 Protection against malware
2. Inventory and Control of Software Assets
9. Email and Web Browser Protections
10. Malware Defenses
14. Security Awareness and Skills Training
2.5 Allowlist Authorized Software
9.3 Maintain and Enforce Network-Based URL Filters
9.7 Deploy and Maintain Email Server Anti-Malware Protections
10.1 Deploy and Maintain Anti-Malware Software
10.2 Configure Automatic Anti-Malware Signature Updates
10.4 Configure Automatic Anti-Malware Scanning of Removable Media
10.5 Enable Anti-Exploitation Features
10.6 Centrally Manage Anti-Malware Software
10.7 Use Behavior-Based Anti-Malware Software
14.2 Train Workforce Members to Recognize Social Engineering Attacks
A8.8 Management of technical vulnerabilities
1. Inventory and Control of Enterprise Assets
7. Continuous Vulnerability Management
13. Network Monitoring and Defense
16. Application Software Security
18. Penetration Testing
1.1 Establish and Maintain Detailed Enterprise Asset Inventory
7.1 Establish and Maintain a Vulnerability Management Process
7.2 Establish and Maintain a Remediation Process
7.3 Perform Automated Operating System Patch Management
7.4 Perform Automated Application Patch Management
7.5 Perform Automated Vulnerability Scans of Internal Enterprise Assets
7.6 Perform Automated Vulnerability Scans of Externally-Exposed Enterprise Assets
7.7 Remediate Detected Vulnerabilities
13.7 Deploy a Host-Based Intrusion Prevention Solution
13.8 Deploy a Network Intrusion Prevention Solution
13.9 Deploy Port-Level Access Control
13.10 Perform Application Layer Filtering
16.2 Establish and Maintain a Process to Accept and Address Software Vulnerabilities
16.3 Perform Root Cause Analysis on Security Vulnerabilities
16.6 Establish and Maintain a Severity Rating System and Process for Application Vulnerabilities
16.7 Use Standard Hardening Configuration Templates for Application Infrastructure
16.13 Conduct Application Penetration Testing
18.1 Establish and Maintain a Penetration Testing Program
18.2 Perform Periodic External Penetration Tests
18.3 Remediate Penetration Test Findings
18.4 Validate Security Measures
18.5 Perform Periodic Internal Penetration Tests
A8.9 Configuration management
4. Secure Configuration of Enterprise Assets and Software
4.1 Establish and Maintain a Secure Configuration Process
4.2 Establish and Maintain a Secure Configuration Process for Network Infrastructure
4.3 Configure Automatic Session Locking on Enterprise Assets
4.7 Manage Default Accounts on Enterprise Assets and Software
4.8 Uninstall or Disable Unnecessary Services on Enterprise Assets and Software
A8.10 Information deletion
4. Secure Configuration of Enterprise Assets and Software
4.11 Enforce Remote Wipe Capability on Portable End-User Devices
A8.12 Data leakage prevention
3. Data Protection
11. Data Recovery
3.7 Establish and Maintain a Data Classification Scheme
3.13 Deploy a Data Loss Prevention Solution
11.3 Protect Recovery Data
A8.13 Information backup
11. Data Recovery
11.1 Establish and Maintain a Data Recovery Process
11.2 Perform Automated Backups
11.3 Protect Recovery Data
11.4 Establish and Maintain an Isolated Instance of Recovery Data
11.5 Test Data Recovery
A8.15 Logging
3. Data Protection
8. Audit Log Management
13. Network Monitoring and Defense
3.14 Log Sensitive Data Access
8.1 Establish and Maintain an Audit Log Management Process
8.5 Collect Detailed Audit Logs
8.8 Collect Command-Line Audit Logs
13.1 Centralize Security Event Alerting
13.6 Collect Network Traffic Flow Logs
A8.16 Monitoring activities
13. Network Monitoring and Defense
13.2 Deploy a Host-Based Intrusion Detection Solution
13.3 Deploy a Network Intrusion Detection Solution
13.4 Perform Traffic Filtering Between Network Segments
13.6 Collect Network Traffic Flow Logs
A8.17 Clock synchronization
8. Audit Log Management
8.4 Standardize Time Synchronization
A8.18 Use of privileged utility programs
5. Account Management
5.5 Establish and Maintain an Inventory of Service Accounts
A8.19 Installation of software on operational systems
2. Inventory and Control of Software Assets
2.5 Allowlist Authorized Software
2.6 Allowlist Authorized Libraries
A8.20 Networks security
3. Data Protection
8. Audit Log Management
12. Network Infrastructure Management
3.12 Segment Data Processing and Storage Based on Sensitivity
8.2 Collect Audit Logs
12.3 Securely Manage Network Infrastructure
A8.21 Security of network services
12. Network Infrastructure Management
12.3 Securely Manage Network Infrastructure
A8.22 Segregation of networks
3. Data Protection
12. Network Infrastructure Management
13. Network Monitoring and Defense
3.12 Segment Data Processing and Storage Based on Sensitivity
12.2 Establish and Maintain a Secure Network Architecture
12.8 Establish and Maintain Dedicated Computing Resources for All Administrative Work
13.4 Perform Traffic Filtering Between Network Segments
A8.23 Web filtering
9. Email and Web Browser Protections
9.2 Use DNS Filtering Services
9.3 Maintain and Enforce Network-Based URL Filters
A8.25 Secure development life cycle
16. Application Software Security
16.1 Establish and Maintain a Secure Application Development Process
16.11 Leverage Vetted Modules or Services for Application Security Components
16.12 Implement Code-Level Security Checks
A8.26 Application security requirements
16. Application Software Security
16.4 Establish and Manage an Inventory of Third-Party Software Components
16.5 Use Up-to-Date and Trusted Third-Party Software Components
16.11 Leverage Vetted Modules or Services for Application Security Components
A8.27 Secure system architecture and engineering principles
12. Network Infrastructure Management
16. Application Software Security
12.2 Establish and Maintain a Secure Network Architecture
16.10 Apply Secure Design Principles in Application Architectures
A8.28 Secure coding
16. Application Software Security
16.1 Establish and Maintain a Secure Application Development Process
16.9 Train Developers in Application Security Concepts and Secure Coding
16.12 Implement Code-Level Security Checks
A8.29 Security testing in development and acceptance
16. Application Software Security
16.12 Implement Code-Level Security Checks
16.13 Conduct Application Penetration Testing
16.14 Conduct Threat Modeling
A8.30 Outsourced development
16. Application Software Security
16.4 Establish and Manage an Inventory of Third-Party Software Components
A8.31 Separation of development, test and production environments
16. Application Software Security
16.8 Separate Production and Non-Production Systems