
Bank of Ghana Cyber and Information Security Directive

Comprehensive 131-page directive mandating cybersecurity requirements for all banks, specialised deposit-taking institutions, payment systems, and fintech companies in Ghana. 20 sections covering governance, risk management, audit, asset management, cyber defence, incident response, access control, electronic banking, cyber exercises, external connections, cloud services, physical security, HR management, contractual requirements, ISMS/ISO 27001 certification, business continuity, compliance, and secure development. Requires mandatory ISO 27001 certification.

Controls: 203
Total Mappings: 312
Publisher: Bank of Ghana (BoG)
Version: 2018

AC Access Control

Control Name BoG CISD References
AC-01 Access Control Policies and Procedures
CISD-VIII
AC-02 Account Management
CISD-IX, CISD-VIII
AC-03 Access Enforcement
CISD-IX, CISD-VIII
AC-04 Information Flow Enforcement
CISD-VIII, CISD-XI, CISD-XIII
AC-05 Separation Of Duties
CISD-VIII
AC-06 Least Privilege
CISD-VIII
AC-07 Unsuccessful Login Attempts
CISD-VIII
AC-08 System Use Notification
CISD-VIII
AC-10 Concurrent Session Control
CISD-VIII
AC-11 Session Lock
CISD-VIII
AC-12 Session Termination
CISD-VIII
AC-14 Permitted Actions Without Identification Or Authentication
CISD-VIII
AC-16 Automated Labeling
CISD-V
AC-17 Remote Access
CISD-IX, CISD-VIII, CISD-XI
AC-19 Access Control For Portable And Mobile Devices
CISD-VIII
AC-20 Use Of External Information Systems
CISD-VIII, CISD-XI, CISD-XII, CISD-XIII
AC-21 Information Sharing
CISD-VIII
AC-22 Publicly Accessible Content
CISD-VIII

AT Awareness and Training

Control Name BoG CISD References
AT-01 Security Awareness And Training Policy And Procedures
CISD-XV
AT-02 Security Awareness
CISD-X, CISD-XV
AT-03 Security Training
CISD-X, CISD-XV
AT-04 Security Training Records
CISD-XV
AT-06 Training Feedback
CISD-XV

AU Audit and Accountability

Control Name BoG CISD References
AU-01 Audit And Accountability Policy And Procedures
CISD-COMP, CISD-IV
AU-02 Auditable Events
CISD-VII
AU-03 Content Of Audit Records
CISD-VII
AU-04 Audit Storage Capacity
CISD-VII
AU-05 Response To Audit Processing Failures
CISD-VII
AU-06 Audit Monitoring, Analysis, And Reporting
CISD-IV, CISD-VII
AU-07 Audit Reduction And Report Generation
CISD-VII
AU-08 Time Stamps
CISD-VII
AU-09 Protection Of Audit Information
CISD-VII
AU-11 Audit Record Retention
CISD-COMP
AU-12 Audit Record Generation
CISD-VII
AU-16 Cross-Organizational Audit Logging
CISD-COMP

CA Security Assessment and Authorization

Control Name BoG CISD References
CA-01 Certification, Accreditation, And Security Assessment Policies And Procedures
CISD-COMP, CISD-II, CISD-ISMS, CISD-IV
CA-02 Security Assessments
CISD-COMP, CISD-ISMS, CISD-IV
CA-03 Information System Connections
CISD-COMP, CISD-XI, CISD-XIII
CA-05 Plan Of Action And Milestones
CISD-COMP, CISD-III, CISD-ISMS, CISD-IV
CA-06 Security Accreditation
CISD-COMP, CISD-II, CISD-ISMS, CISD-IV
CA-07 Continuous Monitoring
CISD-COMP, CISD-II, CISD-III, CISD-ISMS, CISD-IV, CISD-VII
CA-08 Penetration Testing
CISD-X
CA-09 Internal System Connections
CISD-XI

CM Configuration Management

Control Name BoG CISD References
CM-01 Configuration Management Policy And Procedures
CISD-VI
CM-02 Baseline Configuration
CISD-VI
CM-03 Configuration Change Control
CISD-VI
CM-05 Access Restrictions For Change
CISD-VI
CM-06 Configuration Settings
CISD-VI
CM-07 Least Functionality
CISD-VI
CM-08 Information System Component Inventory
CISD-V
CM-09 Configuration Management Plan
CISD-V
CM-12 Information Location
CISD-V, CISD-XII
CM-13 Data Action Mapping
CISD-V, CISD-XII
CM-14 Signed Components
CISD-SDLC

CP Contingency Planning

Control Name BoG CISD References
CP-01 Contingency Planning Policy And Procedures
CISD-BCM
CP-02 Contingency Plan
CISD-BCM
CP-03 Contingency Training
CISD-BCM
CP-04 Contingency Plan Testing And Exercises
CISD-BCM, CISD-X
CP-06 Alternate Storage Site
CISD-BCM, CISD-XII
CP-07 Alternate Processing Site
CISD-BCM, CISD-XII
CP-08 Telecommunications Services
CISD-BCM
CP-09 Information System Backup
CISD-BCM
CP-10 Information System Recovery And Reconstitution
CISD-BCM
CP-11 Alternate Communications Protocols
CISD-BCM
CP-12 Safe Mode
CISD-BCM
CP-13 Alternative Security Mechanisms
CISD-BCM

IA Identification and Authentication

Control Name BoG CISD References
IA-01 Identification And Authentication Policy And Procedures
CISD-IX, CISD-VIII
IA-02 User Identification And Authentication
CISD-IX, CISD-VIII
IA-03 Device Identification And Authentication
CISD-IX
IA-04 Identifier Management
CISD-VIII
IA-05 Authenticator Management
CISD-IX, CISD-VIII
IA-06 Authenticator Feedback
CISD-VIII
IA-08 Identification and Authentication (Non-Organizational Users)
CISD-IX, CISD-VIII
IA-11 Re-authentication
CISD-VIII
IA-12 Identity Proofing
CISD-IX

IR Incident Response

Control Name BoG CISD References
IR-01 Incident Response Policy And Procedures
CISD-VII
IR-02 Incident Response Training
CISD-VII
IR-03 Incident Response Testing And Exercises
CISD-VII, CISD-X
IR-04 Incident Handling
CISD-VII
IR-05 Incident Monitoring
CISD-VII
IR-06 Incident Reporting
CISD-COMP, CISD-VII
IR-07 Incident Response Assistance
CISD-VII
IR-08 Incident Response Plan
CISD-VII
IR-09 Information Spillage Response
CISD-VII

MP Media Protection

Control Name BoG CISD References
MP-01 Media Protection Policy And Procedures
CISD-V
MP-02 Media Access
CISD-V
MP-03 Media Labeling
CISD-V
MP-04 Media Storage
CISD-V
MP-05 Media Transport
CISD-V
MP-06 Media Sanitization And Disposal
CISD-V
MP-07 Media Use
CISD-V

PE Physical and Environmental Protection

Control Name BoG CISD References
PE-01 Physical And Environmental Protection Policy And Procedures
CISD-XIV
PE-02 Physical Access Authorizations
CISD-XIV
PE-03 Physical Access Control
CISD-XIV
PE-04 Access Control For Transmission Medium
CISD-XIV
PE-05 Access Control For Display Medium
CISD-XIV
PE-06 Monitoring Physical Access
CISD-XIV
PE-07 Visitor Control
CISD-XIV
PE-08 Access Records
CISD-XIV
PE-09 Power Equipment And Power Cabling
CISD-XIV
PE-10 Emergency Shutoff
CISD-XIV
PE-11 Emergency Power
CISD-XIV
PE-12 Emergency Lighting
CISD-XIV
PE-13 Fire Protection
CISD-XIV
PE-14 Temperature And Humidity Controls
CISD-XIV
PE-15 Water Damage Protection
CISD-XIV
PE-16 Delivery And Removal
CISD-XIV
PE-17 Alternate Work Site
CISD-XIV
PE-18 Location Of Information System Components
CISD-XIV

PL Planning

Control Name BoG CISD References
PL-01 Security Planning Policy And Procedures
CISD-COMP, CISD-I, CISD-ISMS
PL-02 System Security Plan
CISD-COMP, CISD-I, CISD-ISMS
PL-04 Rules Of Behavior
CISD-COMP, CISD-I
PL-07 Concept of Operations
CISD-I
PL-08 Security and Privacy Architectures
CISD-ISMS, CISD-XIII
PL-09 Central Management
CISD-II
PL-10 Baseline Selection
CISD-III
PL-11 Baseline Tailoring
CISD-III

PM Program Management

Control Name BoG CISD References
PM-01 Information Security Program Plan
CISD-I, CISD-II, CISD-ISMS
PM-02 Information Security Program Leadership Role
CISD-I, CISD-II, CISD-ISMS
PM-03 Information Security and Privacy Resources
CISD-I, CISD-II, CISD-ISMS
PM-04 Plan of Action and Milestones Process
CISD-COMP, CISD-III, CISD-IV
PM-05 System Inventory
CISD-V
PM-06 Measures of Performance
CISD-COMP, CISD-IV
PM-08 Critical Infrastructure Plan
CISD-BCM
PM-09 Risk Management Strategy
CISD-I, CISD-II, CISD-III, CISD-ISMS, CISD-XIII
PM-10 Authorization Process
CISD-COMP, CISD-I, CISD-ISMS
PM-11 Mission and Business Process Definition
CISD-BCM, CISD-I, CISD-XIII
PM-12 Insider Threat Program
CISD-XIII, CISD-XV
PM-13 Security and Privacy Workforce
CISD-II, CISD-XV
PM-14 Testing, Training, and Monitoring
CISD-II, CISD-IV, CISD-X
PM-16 Threat Awareness Program
CISD-VII
PM-28 Risk Framing
CISD-II, CISD-III
PM-29 Risk Management Program Leadership Roles
CISD-II
PM-30 Supply Chain Risk Management Strategy
CISD-XVI
PM-31 Continuous Monitoring Strategy
CISD-XVI
PM-32 Purposing
CISD-XVI

PS Personnel Security

Control Name BoG CISD References
PS-01 Personnel Security Policy And Procedures
CISD-XV
PS-02 Position Categorization
CISD-XV
PS-03 Personnel Screening
CISD-XV
PS-04 Personnel Termination
CISD-XV
PS-05 Personnel Transfer
CISD-XV
PS-06 Access Agreements
CISD-XV
PS-07 Third-Party Personnel Security
CISD-XV, CISD-XVI
PS-08 Personnel Sanctions
CISD-XV
PS-09 Position Descriptions
CISD-II, CISD-XV

RA Risk Assessment

Control Name BoG CISD References
RA-01 Risk Assessment Policy And Procedures
CISD-III, CISD-ISMS
RA-02 Security Categorization
CISD-III
RA-03 Risk Assessment
CISD-III, CISD-ISMS
RA-04 Risk Assessment Update
CISD-III
RA-05 Vulnerability Scanning
CISD-VI, CISD-X
RA-06 Technical Surveillance Countermeasures Survey
CISD-X
RA-07 Risk Response
CISD-III
RA-08 Privacy Impact Assessments
CISD-III
RA-09 Criticality Analysis
CISD-III

SA System and Services Acquisition

Control Name BoG CISD References
SA-01 System And Services Acquisition Policy And Procedures
CISD-SDLC
SA-02 Allocation Of Resources
CISD-SDLC
SA-03 Life Cycle Support
CISD-IX, CISD-SDLC
SA-04 Acquisitions
CISD-IX, CISD-SDLC, CISD-XII, CISD-XVI
SA-05 Information System Documentation
CISD-SDLC
SA-08 Security Engineering Principles
CISD-IX, CISD-SDLC
SA-09 External Information System Services
CISD-SDLC, CISD-XI, CISD-XII, CISD-XIII, CISD-XVI
SA-10 Developer Configuration Management
CISD-SDLC
SA-11 Developer Security Testing
CISD-IX, CISD-SDLC
SA-15 Development Process, Standards, and Tools
CISD-SDLC
SA-16 Developer-Provided Training
CISD-SDLC
SA-17 Developer Security and Privacy Architecture and Design
CISD-SDLC
SA-20 Customized Development of Critical Components
CISD-SDLC
SA-21 Developer Screening
CISD-SDLC
SA-22 Unsupported System Components
CISD-XVI

SC System and Communications Protection

Control Name BoG CISD References
SC-01 System And Communications Protection Policy And Procedures
CISD-VI
SC-02 Application Partitioning
CISD-VI
SC-03 Security Function Isolation
CISD-VI
SC-04 Information Remnance
CISD-VI
SC-05 Denial Of Service Protection
CISD-VI
SC-07 Boundary Protection
CISD-IX, CISD-VI, CISD-VIII, CISD-XI, CISD-XII, CISD-XIII
SC-08 Transmission Integrity
CISD-IX, CISD-VI, CISD-VIII, CISD-XI, CISD-XII, CISD-XIII
SC-12 Cryptographic Key Establishment And Management
CISD-VI
SC-13 Use Of Cryptography
CISD-IX, CISD-VI, CISD-XI
SC-17 Public Key Infrastructure Certificates
CISD-VI
SC-20 Secure Name / Address Resolution Service (Authoritative Source)
CISD-VI
SC-21 Secure Name / Address Resolution Service (Recursive Or Caching Resolver)
CISD-VI
SC-22 Architecture And Provisioning For Name / Address Resolution Service
CISD-VI
SC-23 Session Authenticity
CISD-IX
SC-24 Fail in Known State
CISD-BCM
SC-28 Protection of Information at Rest
CISD-V, CISD-VI, CISD-XII
SC-39 Process Isolation
CISD-VI
SC-40 Wireless Link Protection
CISD-VI
SC-41 Port and I/O Device Access
CISD-VI

SI System and Information Integrity

Control Name BoG CISD References
SI-02 Flaw Remediation
CISD-VI
SI-03 Malicious Code Protection
CISD-VI
SI-04 Information System Monitoring Tools And Techniques
CISD-VI, CISD-VII
SI-07 Software And Information Integrity
CISD-VI
SI-10 Information Accuracy, Completeness, Validity, And Authenticity
CISD-IX, CISD-SDLC
SI-11 Error Handling
CISD-IX, CISD-SDLC
SI-13 Predictable Failure Prevention
CISD-BCM
SI-15 Information Output Filtering
CISD-SDLC
SI-16 Memory Protection
CISD-VI
SI-17 Fail-safe Procedures
CISD-BCM

SR Supply Chain Risk Management

Control Name BoG CISD References
SR-01 Policy and Procedures
CISD-XI, CISD-XII, CISD-XVI
SR-02 Supply Chain Risk Management Plan
CISD-XI, CISD-XII, CISD-XVI
SR-03 Supply Chain Controls and Processes
CISD-XI, CISD-XII, CISD-XVI
SR-05 Acquisition Strategies, Tools, and Methods
CISD-XII, CISD-XVI
SR-06 Supplier Assessments and Reviews
CISD-XVI