2018.1 Example CSOP WISP NIST CSF Mapping


Mapping table, flattened from the source spreadsheet. Columns, left to right: Domain | NIST CSF WISP Standard # | NIST CSF CSOP Procedure # | Procedure Name | NIST CSF v1.1 | Secure Controls Framework (SCF) | NIST 800-53 rev4 | NIST 800-53 rev5 | ISO 27002 v2013 | SCF # | EMEA EU GDPR | AICPA SOC 2 (2016) | AICPA SOC 2 (2017) | CIS CSC v6.1 | CIS CSC v7 [draft] | CSA CCM v3.0.1 | ISO 27001 v2013 | ISO 27018 v2014 | ISO 31000 v2009 | ISO 31010 v2009 | COBIT v5 | COSO v2013 | ENISA v2.0 | GAPP.

Each row below gives Domain | WISP Standard # | CSOP Procedure # | Procedure Name | NIST CSF | the remaining mapping cells in extraction order. Empty cells are not shown, so a token's column is the framework whose identifier pattern it matches. Cells that the extraction split onto separate lines are listed after "also:" on the row they were extracted next to.

Cybersecurity Governance | GOV-01 | P-GOV-01 | Publishing Security Policies | ID.GV-1 | GOV-02 PM-1 PM-1 5.1.1 GOV-02 APO13.01 APO13.02 Principle 12 SO1 8.2.1 5.2; also: Art 32.1 Art 32.2 Art 32.3 Art 32.4; AIS-04 GRM-05 GRM-06
Cybersecurity Governance | GOV-02 | P-GOV-02 | Assigned Security Responsibilities | ID.AM-6 | GOV-04 GOV-04 CC1.1 CC1.1 APO01.06 Principle 2 GRM-05 8.2.7 5.3; also: PL-9 PM-2 PL-9 PM-2; PM-6 PM-6
Cybersecurity Governance | GOV-03 | P-GOV-03 | Measures of Performance | PR.IP-8 | GOV-05 PM-6 PM-6 GOV-05 9.1 5.6; also: EDM02.03 APO01.04 EDM05.02 EDM05.03 MEA01.01 MEA01.03; Principle 5 Principle 9 Principle 13 Principle 14 Principle 15; SO11 S12 S13 S14 S15
Asset Management | AST-01 | P-AST-01 | Asset Inventories | ID.AM-1 ID.AM-2 ID.AM-4 | AST-02 CM-8 PM-5 CM-8 PM-5 8.1.1 AST-02 1.4 BAI09.01 BAI09.05 SO15; also: 1.6 2.1 2.5 12.9 16.12
Asset Management | AST-02 | P-AST-02 | Network Diagrams & Data Flow Diagrams (DFDs) | ID.AM-3 | AST-04 AST-04 IVS-13; also: PL-2 SA-5(1) SA-5(2) SA-5(3) SA-5(4); PL-2 SA-4(1) SA-4(2); Art 30.1 Art 30.2 Art 30.3 Art 30.4 Art 30.5; 12.9 16.12
Asset Management | AST-03 | P-AST-03 | Removal of Assets | PR.DS-3 | AST-11 11.2.5 AST-11 DCS-04
Business Continuity & Disaster Recovery | BCD-01 | P-BCD-01 | Contingency Plan | RC.RP-1 | BCD-01 17.1.2 BCD-01 Art 32.1 Art 32.2 A1.3 A1.3 BCR-01 BCR-07 SO19 SO20; also: CP-1 CP-2 IR-4(3) PM-8 (rev4 and rev5); DSS04.01 DSS04.02 DSS04.03
Business Continuity & Disaster Recovery | BCD-02 | P-BCD-02 | Contingency Plan Root Cause Analysis (RCA) & Lessons Learned | RC.IM-1 | BCD-05 CP-4 CP-4 BCD-05 DSS04.05 DSS04.08 SO20 SO22
Business Continuity & Disaster Recovery | BCD-03 | P-BCD-03 | Contingency Plan Update | RC.IM-2 | BCD-06 CP-2 CP-2 BCD-06 DSS04.08 SO19 SO20
Business Continuity & Disaster Recovery | BCD-04 | P-BCD-04 | Data Backups | PR.IP-4 | BCD-11 CP-9 SC-28(2) CP-9 SC-28(2) 12.3.1 BCD-11 10.1 10.1 DSS04.07
Business Continuity & Disaster Recovery | BCD-05 | P-BCD-05 | Information System Recovery & Reconstitution | PR.IP-4 | BCD-12 CP-10 CP-10 BCD-12 10.5
Capacity & Performance Planning | CA01 | P-CAP-01 | Capacity & Performance Management | PR.DS-4 | CA01 SC-5 SC-5(3) SC-5 SC-5(3) 12.1.3 CAP-01 Art 32.1 Art 32.2 A1.1 A1.1 IVS-04
Change Management | CHG-01 | P-CHG-01 | Configuration Change Control | PR.IP-3 | CHG-02 CM-3 CM-3 14.2.2 CHG-02 MOS-15 SO14
Compliance | CPL-01 | P-CPL-01 | Statutory, Regulatory & Contractual Compliance | ID.GV-3 PR.IP-5 | CPL-01 PM-8 PM-8 18.1.1 CPL-01 SO25; also: Art 1.2 Art 2.1 Art 2.2 Art 3.1 Art 3.2 Art 3.3; MEA03.01 MEA03.02
Compliance | CPL-02 | P-CPL-02 | Security Controls Oversight | DE.DP-5 PR.IP-7 | CPL-02 CA-7 CA-7(1) PM-14 CA-7 CA-7(1) PM-14 CPL-02 Art 5.2 AAC-02 AAC-03 SO25 8.2.7 9.3; also: APO01.03 DSS01.04 DSS06.04 MEA02.01 MEA02.02
Configuration Management | CFG-01 | P-CFG-01 | System Hardening Through Baseline Configurations | PR.IP-1 PR.IP-3 | CFG-02 14.1.1 CFG-02 3.1 BAI10.02 GRM-01 IVS-07; also: CM-2 CM-6 CM-2 CM-6; SA-8 PL-10; 5.1 5.2 5.3 5.5 6.2 8.3
Configuration Management | CFG-02 | P-CFG-02 | Least Functionality | PR.PT-3 | CFG-03 CM-7 CM-7 CFG-03 9.1 IAC-03; also: 9.1 9.5 15.7 15.8
Monitoring | MON-01 | P-MON-01 | Continuous Monitoring | DE.CM-1 DE.DP-1 DE.DP-2 PR.PT-1 | MON-01 AU-1 SI-4 AU-1 SI-4 12.4.1 MON-01 Art 32.1 Art 32.2 4.6 DSS01.03 DSS05.07 IVS-06 SO21; also: 6.2 14.7
Monitoring | MON-02 | P-MON-02 | Monitoring Reporting | DE.DP-4 | MON-06 AU-7 AU-7(1) AU-12 AU-7 AU-7(1) AU-12 MON-06 6.4
Monitoring | MON-03 | P-MON-03 | Anomalous Behavior | DE.AE-1 | MON-16 SI-4(11) SI-4(11) MON-16 16.10 16.8
Monitoring | MON-04 | P-MON-04 | Insider Threats | DE.CM-3 | MON-16.1 MON-16.1
Monitoring | MON-05 | P-MON-05 | Third-Party Threats | DE.CM-6 | MON-16.2 MON-16.2
Monitoring | MON-06 | P-MON-06 | Unauthorized Activities | DE.CM-7 | MON-16.3 MON-16.3
Cryptographic Protections | CRY-01 | P-CRY-01 | Transmission Confidentiality | PR.DS-2 | CRY-03 SC-8 SC-9 SC-8 13.2.3 CRY-03 Art 5.1 C1.3 13.2 8.2.5; also: 11.4 14.2
Cryptographic Protections | CRY-02 | P-CRY-02 | Transmission Integrity | PR.DS-8 | CRY-04 14.1.3 CRY-04 Art 5.1 14.2; also: SC-8 SC-16(1) SC-8 SC-16(1); SC-28(1) SC-28(1)
Cryptographic Protections | CRY-03 | P-CRY-03 | Encrypting Data At Rest | PR.DS-1 | CRY-05 SC-13 SC-28(2) SC-13 SC-28(2) 10.1.1 CRY-05 Art 5.1 14.5 13.10; also: 13.2 14.5
Data Classification & Handling | DCH-01 | P-DCH-01 | Data & Asset Classification | ID.AM-5 | DCH-02 8.2.1 DCH-02 13.1 13.1 BAI08.03 DSI-01 DCS-01
Data Classification & Handling | DCH-02 | P-DCH-02 | Physical Media Disposal | PR.IP-6 | DCH-08 MP-6 MP-6 8.3.2 DCH-08 C1.8 C1.8 DSI-07
Data Classification & Handling | DCH-03 | P-DCH-03 | Removable Media Security | PR.PT-2 | DCH-12 8.3.1 DCH-12 13.4
Endpoint Security | END-01 | P-END-01 | Malicious Code Protection (Anti-Malware) | DE.CM-4 | END-04 SI-3 SI-3 12.2.1 END-04 CC5.8 CC5.8 8.1 8.6 DSS05.01 TVM-01 SO12; also: 8.1 8.8
Endpoint Security | END-02 | P-END-02 | File Integrity Monitoring (FIM) | PR.DS-6 | END-06 SI-7 SI-7 END-06 3.5 SO12
Endpoint Security | END-03 | P-END-03 | Mobile Code | DE.CM-5 | END-10 END-10 TVM-03; also: SC-18 SC-18(1) SC-18(2) SC-18(3) SC-18(4) SC-27 (rev4 and rev5)
Human Resources Security | HRS-01 | P-HRS-01 | Human Resources Security Management | PR.IP-11 | HRS-01 PS-1 PS-1 HRS-01 APO04.01 SO7 SO8; also: Art 32.1 Art 32.2 Art 32.4
Identification & Authentication | IAC-01 | P-IAC-01 | User Provisioning & De-Provisioning | PR.AC-6 | IAC-07 IA-5(3) IA-12(4) 9.2.1-9.2.2 IAC-07 CC5.2 CC5.2 16.3 IAC-09 IAC-11 SO7
Identification & Authentication | IAC-02 | P-IAC-02 | Account Management | PR.AC-1 | IAC-15 AC-2 AC-2 IAC-15 16.4 IAC-10 8.2.2; also: 16.1 16.13
Identification & Authentication | IAC-03 | P-IAC-03 | Least Privilege | PR.AC-4 | IAC-21 AC-6 AC-6 9.1.2 IAC-21 CC5.6 CC5.6 14.4 SO11
Incident Response | IRO-01 | P-IRO-01 | Management of Security Incidents | PR.IP-9 | IRO-01 IR-1 IR-1 16.1.1 IRO-01 Art 32.1 Art 32.2 SO16 SO18 1.2.7
Incident Response | IRO-02 | P-IRO-02 | Incident Handling | DE.AE-2 DE.AE-4 DE.AE-5 RS.AN-1 RS.AN-4 RS.MI-1 | IRO-02 IR-4 IR-4 16.1.4 IRO-02 1.2.7; also: DSS02.03 DSS02.04 DSS02.05 DSS02.06 DSS03.01 DSS03.02
Incident Response | IRO-03 | P-IRO-03 | Indicators of Compromise (IOC) | RS.AN-2 | IRO-03 IRO-03
Incident Response | IRO-04 | P-IRO-04 | Personally Identifiable Information (PII) Processes | RS.IM-2 | IRO-04.1 SE-2 IR-8(1) IRO-04.1 A.9.1; also: Art 33.1 Art 33.2 Art 33.3 Art 33.4 Art 33.5; 1.2.7; 7.2.4
Incident Response | IRO-05 | P-IRO-05 | IRP Update | RS.IM-2 | IRO-04.2 IR-1 IR-1 IRO-04.2
Incident Response | IRO-06 | P-IRO-06 | Coordination with Related Plans | PR.IP-10 | IRO-06.1 IR-3(2) IR-3(2) IRO-06.1 1.2.7
Incident Response | IRO-07 | P-IRO-07 | Integrated Security Incident Response Team (ISIRT) | RC.CO-1 RC.CO-2 RC.CO-3 RS.CO-1 RS.CO-4 | IRO-07 IR-10 IR-10 16.1.4 IRO-07 DSS02.05 SO16; also: Art 34.1 Art 34.2 Art 34.3 Art 34.4
Incident Response | IRO-08 | P-IRO-08 | Chain of Custody & Forensics | RS.AN-3 | IRO-08 16.1.7 IRO-08
Incident Response | IRO-09 | P-IRO-09 | Incident Monitoring & Tracking | DE.AE-3 | IRO-09 IR-5 IR-5 IRO-09 SEF-05 SO17 1.2.7; also: Art 33.1 Art 33.2 Art 33.3 Art 33.4 Art 33.5 Art 34.1
Incident Response | IRO-10 | P-IRO-10 | Incident Reporting | RS.CO-2 RS.CO-3 RS.CO-5 | IRO-10 IR-6 IR-6 IRO-10 CC2.5 CC2.5 DSS02.07 DSS03.03 SO18 1.2.7; also: 16.1.2 19.4; 16.1.3 19.6
Incident Response | IRO-11 | P-IRO-11 | Root Cause Analysis (RCA) & Lessons Learned | RS.IM-1 | IRO-13 IR-1 IR-1 16.1.6 IRO-13 DSS03.04 SO18
Maintenance | MNT-01 | P-MNT-01 | Controlled Maintenance | PR.MA-1 | MNT-02 MA-2 MA-2 MNT-02
Maintenance | MNT-01 | P-MNT-01 | Non-Local Maintenance | PR.MA-2 | MNT-05 MA-4 MA-4 MNT-05
Network Security | MNT-01 | P-MNT-01 | Network Security Management | PR.PT-4 | NET-01 SC-1 SC-1 NET-01 Art 32.1 Art 32.2 DSS05.02; also: 13.1.1 11.1; 13.1.2 11.2
Network Security | MNT-01 | P-MNT-01 | Layered Network Defenses | PR.AC-5 | NET-02 NET-02 9.5
Network Security | MNT-03 | P-MNT-03 | Remote Access | PR.AC-3 | NET-14 AC-17 AC-17(6) AC-17 6.2.2 NET-14 12.7; also: 12.6 12.7
Physical & Environmental Security | PES-01 | P-PES-01 | Physical Access Control | PR.AC-2 | PES-03 9.1.1 PES-03 DSS05.05 DSS05.06 DCS-02 SO9; also: PE-3 PE-3(2) PE-3(3) (rev4 and rev5)
Physical & Environmental Security | PES-02 | P-PES-02 | Monitoring Physical Access | DE.CM-2 | PES-05 PE-6 PE-6 PES-05 DSS05.07 SO9
Physical & Environmental Security | PES-03 | P-PES-03 | Information Leakage Due To Electromagnetic Signals Emanations | PR.DS-5 | PES-13 PE-19 PES-13
Project & Resource Management | PRM-01 | P-PRM-01 | Allocation of Resources | ID.BE-3 | PRM-03 SA-2 SA-2 PRM-03 BAI05.04 APO07.01 7.1; also: 4.3.1 4.3.2
Project & Resource Management | PRM-02 | P-PRM-02 | Security Requirements Definition | ID.BE-4 ID.BE-5 | PRM-05 SA-14 RA-9 SA-14 14.1 PRM-05 CC2.2 CC2.2 DSS06.01; also: Principle 10 Principle 11; 4.3.1 4.3.2
Project & Resource Management | PRM-03 | P-PRM-03 | System Development Life Cycle (SDLC) Management | PR.IP-2 | PRM-07 SA-3 SA-3 14.2.2 PRM-07 CC7.1 CC7.1 Principle 2; also: APO04.06 BAI01.02 BAI01.03 BAI01.04 BAI01.05 BAI01.06; 7.1 7.2 7.3 7.4 7.5; 4.3.1 4.3.2 6.1 6.2 6.3 6.4
Risk Management | RSK-01 | P-RSK-01 | Risk Management Program | ID.GV-4 ID.RM-1 ID.RM-2 ID.RM-3 | RSK-01 PM-9 RA-1 PM-9 RA-1 11.1.4 RSK-01 Art 32.1 Art 32.2 Principle 6 SO2; also: 4.1 4.2 4.3 4.4 4.5 4.6; 4.1 4.2 4.3.1 4.3.2 5.1
Risk Management | RSK-02 | P-RSK-02 | Risk Identification | ID.RA-3 | RSK-03 RSK-03 3.5 Principle 7 5.2 5.2; also: 5.1 5.3
Risk Management | RSK-03 | P-RSK-03 | Risk Assessment | ID.RA-5 | RSK-04 RA-3 RA-3 11.1.4 RSK-04 3.5 DSS06.04 SO2 1.2.4 8.2 5.4; also: Art 35.1 Art 35.2 Art 35.3 Art 35.6 Art 35.8 Art 35.9; 4.3.4 5.3.1 5.3.4 5.3.5 5.3.6 5.4; Principle 7 Principle 8; BCR-05 GRM-02 GRM-10
Risk Management | RSK-03 | P-RSK-03 | Risk Remediation | ID.RA-6 | RSK-06 RSK-06 Principle 9 GRM-11 5.5 4.3.5; also: 8.3 10.1
Risk Management | RSK-04 | P-RSK-04 | Business Impact Analysis (BIAs) | ID.RA-4 | RSK-08 RSK-08 BAI01.10 BAI02.03 BCR-08 BCR-09 8.2 5.4 5.3.3; also: Art 35.1 Art 35.2 Art 35.3 Art 35.6 Art 35.8 Art 35.9; 4.3.4; Principle 7 Principle 8; 5.5
Secure Engineering & Architecture | SEA-01 | P-SEA-01 | Secure Engineering Principles | PR.IP-1 | SEA-01 14.2.5 SEA-01 CC3.2 CC3.2 DSS06.06 SO12; also: AR-7 SA-8 SA-13 SC-7(18) SI-1; SA-8 SC-7(18) SI-1; Art 5.2 Art 24.1 Art 24.2 Art 24.3 Art 25.1 Art 25.2; 4.2.3 6.2.2 7.2.2 7.2.3; A.10.1 A.10.4 A.10.5 A.10.6; Principle 10 Principle 11
Secure Engineering & Architecture | SEA-02 | P-SEA-02 | Fail Secure | PR.PT-5 | SEA-07.2 CP-12 SC-24 CP-12 SC-24 SEA-07.2
Security Awareness & Training | SAT-01 | P-SAT-01 | Security & Privacy-Minded Workforce | PR.AT-1 PR.AT-3 PR.AT-4 | SAT-01 AT-1 PM-13 AT-1 PM-13 7.2.2 SAT-01 BAI08.04 BAI08.05 HRS-09 SO6; also: Art 32.1 Art 32.2 Art 32.4
Security Awareness & Training | SAT-02 | P-SAT-02 | Security & Privacy Training | PR.AT-2 PR.AT-5 | SAT-03 AT-3 AT-3 SAT-03 17.2 SO6
Security Awareness & Training | SAT-03 | P-SAT-03 | Privileged Users | PR.AT-2 PR.AT-5 | SAT-03.5 SAT-03.5
Technology Development & Acquisition | TDA-01 | P-TDA-01 | Separation of Development, Testing and Operational Environments | PR.DS-7 | TDA-08 CM-4(1) CM-4(1) 12.1.4 TDA-08 18.6 IVS-08
Third-Party Management | TPM-01 | P-TPM-01 | Third-Party Management | ID.SC-1 | TPM-01 SA-4 SA-4 15.1.1 TPM-01 C1.5 C1.5 DSS01.02 SO4; also: Art 28.1 Art 28.2 Art 28.3 Art 28.4 Art 28.5 Art 28.6; IAC-07 STA-05 STA-09
Third-Party Management | TPM-02 | P-TPM-02 | Third-Party Criticality Assessments | ID.BE-1 ID.SC-2 | TPM-02 SA-14 RA-9 SA-14 TPM-02
Third-Party Management | TPM-03 | P-TPM-03 | Supply Chain Protection | ID.SC-4 | TPM-03 SA-12 SA-12 15.1.3 TPM-03 STA-01 STA-06 SO10; also: Art 28.1 Art 28.2 Art 28.3 Art 28.4 Art 28.5 Art 28.6
Third-Party Management | TPM-04 | P-TPM-04 | Third-Party Contract Requirements | ID.SC-3 | TPM-05 SA-9(3) SA-9(3) TPM-05 C1.4 C1.4; also: Art 28.1 Art 28.2 Art 28.3 Art 28.4 Art 28.5 Art 28.6; 13.2.4 15.1.2
Third-Party Management | TPM-05 | P-TPM-05 | Third-Party Personnel Security | ID.GV-2 | TPM-06 TPM-06
Third-Party Management | TPM-06 | P-TPM-06 | Third-Party Incident Response & Recovery Capabilities | ID.SC-5 | TPM-11 TPM-11
Threat Management | THR-01 | P-THR-01 | Threat Awareness Program | ID.BE-2 | THR-01 PM-16 AT-5 PM-15 THR-01 Art 32.1 Art 32.2 CC3.1 CC3.1 BAI08.01
Threat Management | THR-02 | P-THR-02 | Threat Intelligence Feeds | ID.RA-2 | THR-03 SI-5 SI-5(1) SI-5 SI-5(1) THR-03 4.4
Vulnerability & Patch Management | VPM-01 | P-VPM-01 | Vulnerability & Patch Management Program (VPMP) | ID.RA-1 PR.IP-12 | VPM-01 SI-2 SI-3(2) SI-2 12.6.1 VPM-01 Art 32.1 Art 32.2 CC6.1 CC6.1 11.5 TVM-02
Vulnerability & Patch Management | VPM-02 | P-VPM-02 | Continuous Vulnerability Remediation Activities | RS.MI-3 | VPM-04 SC-18(1) SC-18(1) VPM-04 9.4 10.2
Vulnerability & Patch Management | VPM-03 | P-VPM-03 | Vulnerability Scanning | DE.CM-8 | VPM-06 RA-5 RA-5 VPM-06 4.1 IVS-05; also: 3.1 3.2 9.3 9.5 11.3
Vulnerability & Patch Management | VPM-04 | P-VPM-04 | Red Team Exercises | DE.DP-3 | VPM-10 CA-8(2) CA-8(2) VPM-10 20.5; also: 20.3 20.7
Additional mapping columns in the source spreadsheet, continuing to the right of the columns above: NIST 800-171 rev 1 | OWASP Top 10 v2017 | US DFARS 252.204-70xx | US FDA 21 CFR Part 11 | US FedRAMP [moderate] | US NERC CIP | US CJIS Security Policy | US - NY DFS 23 NYCRR500 | US - MA 201 CMR 17.00 | NIST 800-37 | NIST 800-39 | NIST 800-160 | PCI DSS v3.2 | UL 2900-1 | US FACTA | US FERPA | US FFIEC | US FINRA | US GLBA | US HIPAA | US NISPOM | US - CA SB1386 | US - OR 646A | Privacy Shield | US - TX Cybersecurity Act | US - TX BC521.

[Per-procedure cell values for these columns are not recoverable from this extraction: the citations survive only as an unlabelled run of values that cannot be attributed to rows.]
