
Basel Committee SCO60 — Prudential Treatment of Cryptoasset Exposures

Basel Committee standard for the prudential treatment of banks' cryptoasset exposures, effective January 2026. Covers classification of cryptoassets (Group 1a tokenised traditional assets, Group 1b stablecoins, Group 2 unbacked crypto), capital requirements, credit and market risk, operational risk including custody and key management requirements for DLT infrastructure, disclosure obligations, and exposure limits. Applies to all internationally active banks.

AC Access Control

Control | Name | Basel SCO60 References
AC-01 | Access Control Policies and Procedures | SCO60.60
AC-02 | Account Management | SCO60.55, SCO60.62
AC-03 | Access Enforcement | SCO60.61, SCO60.62, SCO60.66
AC-04 | Information Flow Enforcement | SCO60.64
AC-05 | Separation Of Duties | SCO60.55, SCO60.60, SCO60.61, SCO60.62, SCO60.63, SCO60.66
AC-06 | Least Privilege | SCO60.55, SCO60.61, SCO60.62, SCO60.64, SCO60.66, SCO60.72
AC-16 | Automated Labeling | SCO60.70
AC-17 | Remote Access | SCO60.62
AC-22 | Publicly Accessible Content | SCO60.70, SCO60.71, SCO60.72

AT Awareness and Training

Control | Name | Basel SCO60 References
AT-01 | Security Awareness And Training Policy And Procedures | SCO60.3, SCO60.60
AT-02 | Security Awareness | SCO60.3, SCO60.60
AT-03 | Security Training | SCO60.60, SCO60.74

AU Audit and Accountability

Control | Name | Basel SCO60 References
AU-01 | Audit And Accountability Policy And Procedures | SCO60.50, SCO60.74
AU-02 | Auditable Events | SCO60.50, SCO60.55, SCO60.62, SCO60.66, SCO60.73
AU-03 | Content Of Audit Records | SCO60.55, SCO60.62, SCO60.66, SCO60.73
AU-06 | Audit Monitoring, Analysis, And Reporting | SCO60.13, SCO60.23, SCO60.55, SCO60.72, SCO60.73, SCO60.74
AU-09 | Protection Of Audit Information | SCO60.23, SCO60.62, SCO60.66
AU-10 | Non-Repudiation | SCO60.11, SCO60.55, SCO60.62, SCO60.63, SCO60.66, SCO60.70, SCO60.71, SCO60.73, SCO60.82
AU-11 | Audit Record Retention | SCO60.11, SCO60.62, SCO60.63, SCO60.66, SCO60.70, SCO60.71, SCO60.73, SCO60.74, SCO60.82

CA Security Assessment and Authorization

Control | Name | Basel SCO60 References
CA-01 | Certification, Accreditation, And Security Assessment Policies And Procedures | SCO60.3, SCO60.50, SCO60.60, SCO60.74
CA-02 | Security Assessments | SCO60.5, SCO60.14, SCO60.21, SCO60.41, SCO60.51, SCO60.52, SCO60.64, SCO60.65, SCO60.74, SCO60.85
CA-03 | Information System Connections | SCO60.54, SCO60.84
CA-05 | Plan Of Action And Milestones | SCO60.74, SCO60.82, SCO60.85
CA-06 | Security Accreditation | SCO60.1, SCO60.3, SCO60.60, SCO60.85
CA-07 | Continuous Monitoring | SCO60.5, SCO60.13, SCO60.23, SCO60.50, SCO60.51, SCO60.65, SCO60.71, SCO60.72, SCO60.73, SCO60.74

CM Configuration Management

Control | Name | Basel SCO60 References
CM-01 | Configuration Management Policy And Procedures | SCO60.51, SCO60.65
CM-02 | Baseline Configuration | SCO60.14, SCO60.51, SCO60.65
CM-03 | Configuration Change Control | SCO60.52
CM-04 | Monitoring Configuration Changes | SCO60.52
CM-05 | Access Restrictions For Change | SCO60.52, SCO60.66
CM-06 | Configuration Settings | SCO60.51, SCO60.64, SCO60.65
CM-07 | Least Functionality | SCO60.51, SCO60.64, SCO60.65
CM-08 | Information System Component Inventory | SCO60.14, SCO60.51, SCO60.65

CP Contingency Planning

Control | Name | Basel SCO60 References
CP-01 | Contingency Planning Policy And Procedures | SCO60.50, SCO60.53
CP-02 | Contingency Plan | SCO60.21, SCO60.23, SCO60.50, SCO60.53, SCO60.63
CP-03 | Contingency Training | SCO60.53
CP-04 | Contingency Plan Testing And Exercises | SCO60.23, SCO60.53
CP-06 | Alternate Storage Site | SCO60.63
CP-07 | Alternate Processing Site | SCO60.53, SCO60.65
CP-08 | Telecommunications Services | SCO60.53
CP-09 | Information System Backup | SCO60.21, SCO60.23, SCO60.53, SCO60.63, SCO60.65
CP-10 | Information System Recovery And Reconstitution | SCO60.21, SCO60.23, SCO60.53, SCO60.63

IA Identification and Authentication

Control | Name | Basel SCO60 References
IA-02 | User Identification And Authentication | SCO60.62, SCO60.66, SCO60.71
IA-03 | Device Identification And Authentication | SCO60.61
IA-04 | Identifier Management | SCO60.62
IA-05 | Authenticator Management | SCO60.61, SCO60.62, SCO60.66
IA-07 | Cryptographic Module Authentication | SCO60.61, SCO60.66

IR Incident Response

Control | Name | Basel SCO60 References
IR-01 | Incident Response Policy And Procedures | SCO60.23, SCO60.50, SCO60.53, SCO60.73
IR-04 | Incident Handling | SCO60.23, SCO60.50, SCO60.53, SCO60.55, SCO60.63, SCO60.73, SCO60.82
IR-05 | Incident Monitoring | SCO60.23, SCO60.55, SCO60.73
IR-06 | Incident Reporting | SCO60.23, SCO60.73, SCO60.82
IR-07 | Incident Response Assistance | SCO60.73
IR-08 | Incident Response Plan | SCO60.50, SCO60.73

MP Media Protection

Control | Name | Basel SCO60 References
MP-02 | Media Access | SCO60.61
MP-04 | Media Storage | SCO60.61, SCO60.63
MP-05 | Media Transport | SCO60.61, SCO60.63
MP-06 | Media Sanitization And Disposal | SCO60.63

PE Physical and Environmental Protection

Control | Name | Basel SCO60 References
PE-02 | Physical Access Authorizations | SCO60.61, SCO60.62, SCO60.63, SCO60.64, SCO60.65
PE-03 | Physical Access Control | SCO60.61, SCO60.62, SCO60.64
PE-04 | Access Control For Transmission Medium | SCO60.63
PE-05 | Access Control For Display Medium | SCO60.61, SCO60.64
PE-06 | Monitoring Physical Access | SCO60.62
PE-08 | Access Records | SCO60.62
PE-11 | Emergency Power | SCO60.53, SCO60.65
PE-12 | Emergency Lighting | SCO60.53
PE-14 | Temperature And Humidity Controls | SCO60.53
PE-18 | Location Of Information System Components | SCO60.64

PL Planning

Control | Name | Basel SCO60 References
PL-01 | Security Planning Policy And Procedures | SCO60.1, SCO60.3, SCO60.60
PL-02 | System Security Plan | SCO60.1, SCO60.3, SCO60.60
PL-04 | Rules Of Behavior | SCO60.60
PL-08 | Security and Privacy Architectures | SCO60.2

PM Program Management

Control | Name | Basel SCO60 References
PM-01 | Information Security Program Plan | SCO60.1, SCO60.3, SCO60.50, SCO60.60
PM-02 | Information Security Program Leadership Role | SCO60.3, SCO60.60
PM-04 | Plan of Action and Milestones Process | SCO60.5, SCO60.82
PM-06 | Measures of Performance | SCO60.70, SCO60.71, SCO60.72, SCO60.82
PM-07 | Enterprise Architecture | SCO60.2
PM-09 | Risk Management Strategy | SCO60.1, SCO60.3, SCO60.4, SCO60.5, SCO60.13, SCO60.50, SCO60.54, SCO60.60, SCO60.72, SCO60.83, SCO60.85
PM-10 | Authorization Process | SCO60.1, SCO60.3, SCO60.60, SCO60.74, SCO60.85
PM-12 | Insider Threat Program | SCO60.55
PM-14 | Testing, Training, and Monitoring | SCO60.72, SCO60.74
PM-15 | Security and Privacy Groups and Associations | SCO60.84
PM-16 | Threat Awareness Program | SCO60.73, SCO60.84
PM-28 | Risk Framing | SCO60.3
PM-31 | Continuous Monitoring Strategy | SCO60.13

PS Personnel Security

Control | Name | Basel SCO60 References
PS-01 | Personnel Security Policy And Procedures | SCO60.60
PS-02 | Position Categorization | SCO60.60
PS-03 | Personnel Screening | SCO60.55, SCO60.62
PS-06 | Access Agreements | SCO60.55, SCO60.60, SCO60.62
PS-07 | Third-Party Personnel Security | SCO60.55, SCO60.62

PT Personally Identifiable Information Processing and Transparency

Control | Name | Basel SCO60 References
PT-05 | Privacy Notice | SCO60.70

RA Risk Assessment

Control | Name | Basel SCO60 References
RA-01 | Risk Assessment Policy And Procedures | SCO60.1, SCO60.3, SCO60.4, SCO60.5, SCO60.50
RA-02 | Security Categorization | SCO60.1, SCO60.2, SCO60.4
RA-03 | Risk Assessment | SCO60.1, SCO60.3, SCO60.4, SCO60.5, SCO60.13, SCO60.14, SCO60.21, SCO60.41, SCO60.50, SCO60.54, SCO60.74, SCO60.83, SCO60.84, SCO60.85
RA-05 | Vulnerability Scanning | SCO60.4, SCO60.13, SCO60.14, SCO60.21, SCO60.23, SCO60.51, SCO60.52, SCO60.64, SCO60.65, SCO60.74
RA-07 | Risk Response | SCO60.4, SCO60.5, SCO60.50, SCO60.85

SA System and Services Acquisition

Control | Name | Basel SCO60 References
SA-03 | Life Cycle Support | SCO60.52
SA-04 | Acquisitions | SCO60.4, SCO60.54
SA-08 | Security Engineering Principles | SCO60.2, SCO60.14, SCO60.21, SCO60.51, SCO60.52, SCO60.64, SCO60.65
SA-09 | External Information System Services | SCO60.4, SCO60.41, SCO60.53, SCO60.54, SCO60.65, SCO60.83, SCO60.84
SA-10 | Developer Configuration Management | SCO60.52
SA-11 | Developer Security Testing | SCO60.14, SCO60.21, SCO60.51, SCO60.52
SA-15 | Development Process, Standards, and Tools | SCO60.51, SCO60.52
SA-17 | Developer Security and Privacy Architecture and Design | SCO60.51

SC System and Communications Protection

Control | Name | Basel SCO60 References
SC-02 | Application Partitioning | SCO60.64
SC-03 | Security Function Isolation | SCO60.64
SC-04 | Information Remnance | SCO60.64
SC-05 | Denial Of Service Protection | SCO60.51, SCO60.53, SCO60.65
SC-06 | Resource Priority | SCO60.53
SC-07 | Boundary Protection | SCO60.21, SCO60.41, SCO60.51, SCO60.64, SCO60.65
SC-08 | Transmission Integrity | SCO60.71
SC-12 | Cryptographic Key Establishment And Management | SCO60.11, SCO60.21, SCO60.23, SCO60.41, SCO60.51, SCO60.61, SCO60.63, SCO60.64, SCO60.65, SCO60.66
SC-13 | Use Of Cryptography | SCO60.11, SCO60.21, SCO60.23, SCO60.51, SCO60.61, SCO60.63, SCO60.64, SCO60.66, SCO60.71
SC-17 | Public Key Infrastructure Certificates | SCO60.11, SCO60.61

SI System and Information Integrity

Control | Name | Basel SCO60 References
SI-02 | Flaw Remediation | SCO60.51, SCO60.65
SI-03 | Malicious Code Protection | SCO60.51, SCO60.64, SCO60.65
SI-04 | Information System Monitoring Tools And Techniques | SCO60.13, SCO60.51, SCO60.55, SCO60.64, SCO60.65, SCO60.72
SI-06 | Security Functionality Verification | SCO60.14, SCO60.21, SCO60.52
SI-07 | Software And Information Integrity | SCO60.11, SCO60.14, SCO60.21, SCO60.23, SCO60.51, SCO60.52, SCO60.65, SCO60.71
SI-10 | Information Accuracy, Completeness, Validity, And Authenticity | SCO60.66
SI-12 | Information Output Handling And Retention | SCO60.70, SCO60.71
SI-15 | Information Output Filtering | SCO60.70, SCO60.72

SR Supply Chain Risk Management

Control | Name | Basel SCO60 References
SR-01 | Policy and Procedures | SCO60.54
SR-02 | Supply Chain Risk Management Plan | SCO60.4, SCO60.41, SCO60.54, SCO60.83, SCO60.84
SR-03 | Supply Chain Controls and Processes | SCO60.4, SCO60.41, SCO60.54
SR-04 | Provenance | SCO60.54
SR-05 | Acquisition Strategies, Tools, and Methods | SCO60.54
SR-06 | Supplier Assessments and Reviews | SCO60.41, SCO60.54, SCO60.83
SR-07 | Supply Chain Operations Security | SCO60.54
SR-08 | Notification Agreements | SCO60.54
SR-09 | Tamper Resistance and Detection | SCO60.54
SR-10 | Inspection of Systems or Components | SCO60.54
SR-11 | Component Authenticity | SCO60.54
SR-12 | Component Disposal | SCO60.54