
Control Objectives for Information Technologies

Framework for IT governance and management. Helps organizations develop, implement, and improve IT governance and management practices.

Controls: 196
Total Mappings: 327
Publisher: ISACA
Version: 2019

AC Access Control

Control | Name | COBIT 2019 References
AC-01 | Access Control Policies and Procedures | DSS05
AC-02 | Account Management | DSS05
AC-03 | Access Enforcement | DSS05, DSS06
AC-04 | Information Flow Enforcement | APO14, DSS05, DSS06
AC-05 | Separation Of Duties | DSS05, DSS06
AC-06 | Least Privilege | DSS05, DSS06
AC-07 | Unsuccessful Login Attempts | DSS05
AC-08 | System Use Notification | DSS05
AC-09 | Previous Logon Notification | DSS05
AC-10 | Concurrent Session Control | DSS05
AC-11 | Session Lock | DSS05
AC-12 | Session Termination | DSS05
AC-13 | Supervision And Review -- Access Control | DSS05
AC-14 | Permitted Actions Without Identification Or Authentication | DSS05
AC-15 | Automated Marking | DSS05
AC-16 | Automated Labeling | DSS05
AC-17 | Remote Access | DSS05
AC-18 | Wireless Access Restrictions | DSS05
AC-19 | Access Control For Portable And Mobile Devices | DSS05
AC-20 | Use Of External Information Systems | DSS05
AC-21 | Information Sharing | DSS05
AC-22 | Publicly Accessible Content | DSS05
AC-23 | Data Mining Protection | DSS05
AC-24 | Access Control Decisions | DSS05
AC-25 | Reference Monitor | DSS05

AT Awareness and Training

Control | Name | COBIT 2019 References
AT-01 | Security Awareness And Training Policy And Procedures | APO07
AT-02 | Security Awareness | APO07, APO13, BAI08
AT-03 | Security Training | APO07, BAI08
AT-06 | Training Feedback | APO07, BAI08

AU Audit and Accountability

Control | Name | COBIT 2019 References
AU-02 | Auditable Events | DSS06
AU-03 | Content Of Audit Records | DSS06
AU-04 | Audit Storage Capacity | BAI04
AU-06 | Audit Monitoring, Analysis, And Reporting | DSS06, MEA01, MEA02

CA Security Assessment and Authorization

Control | Name | COBIT 2019 References
CA-01 | Certification, Accreditation, And Security Assessment Policies And Procedures | MEA04
CA-02 | Security Assessments | APO11, APO13, BAI07, MEA02, MEA03, MEA04
CA-03 | Information System Connections | APO09
CA-05 | Plan Of Action And Milestones | APO12, BAI11, DSS03
CA-07 | Continuous Monitoring | APO13, DSS01, MEA01, MEA02, MEA04
CA-08 | Penetration Testing | MEA04
CA-09 | Internal System Connections | MEA04

CM Configuration Management

Control | Name | COBIT 2019 References
CM-01 | Configuration Management Policy And Procedures | BAI10
CM-02 | Baseline Configuration | BAI10
CM-03 | Configuration Change Control | BAI05, BAI06, BAI07, BAI10
CM-04 | Monitoring Configuration Changes | APO11, BAI05, BAI06, BAI07, BAI10
CM-05 | Access Restrictions For Change | BAI06, BAI10
CM-06 | Configuration Settings | BAI10
CM-07 | Least Functionality | BAI10
CM-08 | Information System Component Inventory | BAI09, BAI10
CM-09 | Configuration Management Plan | BAI06, BAI10
CM-10 | Software Usage Restrictions | BAI10
CM-11 | User-Installed Software | BAI10
CM-12 | Information Location | APO14, BAI09, BAI10
CM-13 | Data Action Mapping | APO14, BAI10
CM-14 | Signed Components | BAI06, BAI10, DSS05

CP Contingency Planning

Control | Name | COBIT 2019 References
CP-01 | Contingency Planning Policy And Procedures | DSS04
CP-02 | Contingency Plan | BAI04, DSS04
CP-03 | Contingency Training | DSS04
CP-04 | Contingency Plan Testing And Exercises | DSS04
CP-05 | Contingency Plan Update | DSS04
CP-06 | Alternate Storage Site | DSS04
CP-07 | Alternate Processing Site | BAI04, DSS04
CP-08 | Telecommunications Services | BAI04, DSS04
CP-09 | Information System Backup | DSS04
CP-10 | Information System Recovery And Reconstitution | DSS04
CP-11 | Alternate Communications Protocols | DSS04
CP-12 | Safe Mode | DSS04
CP-13 | Alternative Security Mechanisms | DSS04

IA Identification and Authentication

Control | Name | COBIT 2019 References
IA-01 | Identification And Authentication Policy And Procedures | DSS05
IA-02 | User Identification And Authentication | DSS05
IA-03 | Device Identification And Authentication | DSS05
IA-04 | Identifier Management | DSS05
IA-05 | Authenticator Management | DSS05
IA-06 | Authenticator Feedback | DSS05
IA-07 | Cryptographic Module Authentication | DSS05
IA-08 | Identification and Authentication (Non-Organizational Users) | DSS05
IA-09 | Service Identification and Authentication | DSS05
IA-10 | Adaptive Authentication | DSS05
IA-11 | Re-authentication | DSS05
IA-12 | Identity Proofing | DSS05

IR Incident Response

Control | Name | COBIT 2019 References
IR-01 | Incident Response Policy And Procedures | DSS02
IR-02 | Incident Response Training | DSS02
IR-03 | Incident Response Testing And Exercises | DSS02
IR-04 | Incident Handling | DSS02, DSS03
IR-05 | Incident Monitoring | DSS02, DSS03
IR-06 | Incident Reporting | DSS02
IR-07 | Incident Response Assistance | DSS02
IR-08 | Incident Response Plan | DSS02
IR-09 | Information Spillage Response | DSS02

MA Maintenance

Control | Name | COBIT 2019 References
MA-01 | System Maintenance Policy And Procedures | DSS01
MA-02 | Controlled Maintenance | DSS01
MA-03 | Maintenance Tools | DSS01
MA-04 | Remote Maintenance | DSS01
MA-05 | Maintenance Personnel | DSS01
MA-06 | Timely Maintenance | DSS01
MA-07 | Field Maintenance | DSS01

MP Media Protection

Control | Name | COBIT 2019 References
MP-01 | Media Protection Policy And Procedures | APO14, BAI09
MP-02 | Media Access | APO14, BAI09
MP-03 | Media Labeling | APO14, BAI09
MP-04 | Media Storage | APO14, BAI09
MP-05 | Media Transport | APO14, BAI09
MP-06 | Media Sanitization And Disposal | APO14, BAI09
MP-07 | Media Use | APO14, BAI09

PE Physical and Environmental Protection

Control | Name | COBIT 2019 References
PE-01 | Physical And Environmental Protection Policy And Procedures | DSS01, DSS05
PE-02 | Physical Access Authorizations | DSS01, DSS05
PE-03 | Physical Access Control | DSS01, DSS05
PE-04 | Access Control For Transmission Medium | DSS01, DSS05
PE-05 | Access Control For Display Medium | DSS01, DSS05
PE-06 | Monitoring Physical Access | DSS01, DSS05
PE-07 | Visitor Control | DSS01, DSS05
PE-08 | Access Records | DSS01, DSS05
PE-09 | Power Equipment And Power Cabling | DSS01, DSS05
PE-10 | Emergency Shutoff | DSS01, DSS05
PE-11 | Emergency Power | DSS01, DSS05
PE-12 | Emergency Lighting | DSS01, DSS05
PE-13 | Fire Protection | DSS01, DSS05
PE-14 | Temperature And Humidity Controls | DSS01, DSS05
PE-15 | Water Damage Protection | DSS01, DSS05
PE-16 | Delivery And Removal | DSS01, DSS05
PE-17 | Alternate Work Site | DSS01, DSS05
PE-18 | Location Of Information System Components | DSS01, DSS05
PE-21 | Electromagnetic Pulse Protection | DSS01
PE-22 | Component Marking | DSS01
PE-23 | Facility Location | DSS01

PL Planning

Control | Name | COBIT 2019 References
PL-01 | Security Planning Policy And Procedures | APO01, APO13
PL-02 | System Security Plan | APO13, BAI02
PL-04 | Rules Of Behavior | MEA03
PL-07 | Concept of Operations | BAI02
PL-08 | Security and Privacy Architectures | APO03, BAI02
PL-09 | Central Management | APO01, APO13, EDM01
PL-10 | Baseline Selection | APO13, EDM01
PL-11 | Baseline Tailoring | APO13

PM Program Management

Control | Name | COBIT 2019 References
PM-01 | Information Security Program Plan | APO01, APO02, APO04, APO13, BAI05, EDM01, EDM02, EDM05, MEA03
PM-02 | Information Security Program Leadership Role | APO01, APO13, EDM01, EDM05
PM-03 | Information Security and Privacy Resources | APO01, APO06, APO13, EDM01, EDM02, EDM04
PM-05 | System Inventory | BAI09
PM-06 | Measures of Performance | APO13, EDM02, MEA01, MEA02
PM-07 | Enterprise Architecture | APO02, APO03, APO05, BAI01, BAI11
PM-08 | Critical Infrastructure Plan | APO02
PM-09 | Risk Management Strategy | APO12, APO13, EDM01, EDM03
PM-10 | Authorization Process | BAI11
PM-11 | Mission and Business Process Definition | APO02, APO05, BAI01, BAI11
PM-13 | Security and Privacy Workforce | APO07, BAI08, EDM04
PM-15 | Security and Privacy Groups and Associations | APO08
PM-28 | Risk Framing | APO12, EDM03

PS Personnel Security

Control | Name | COBIT 2019 References
PS-01 | Personnel Security Policy And Procedures | APO07
PS-02 | Position Categorization | APO07
PS-03 | Personnel Screening | APO07
PS-06 | Access Agreements | APO07
PS-09 | Position Descriptions | APO07

PT Personally Identifiable Information Processing and Transparency

Control | Name | COBIT 2019 References
PT-01 | Policy and Procedures | APO14
PT-02 | Authority to Process Personally Identifiable Information | APO14
PT-03 | Personally Identifiable Information Processing Purposes | APO14
PT-04 | Consent | APO14
PT-05 | Privacy Notice | APO14
PT-06 | System of Records Notice | APO14
PT-07 | Specific Categories of Personally Identifiable Information | APO14
PT-08 | Computer Matching Requirements | APO14

RA Risk Assessment

Control | Name | COBIT 2019 References
RA-01 | Risk Assessment Policy And Procedures | APO12, APO13, EDM03
RA-02 | Security Categorization | APO12, APO14
RA-03 | Risk Assessment | APO12, APO13, EDM03
RA-05 | Vulnerability Scanning | APO12
RA-07 | Risk Response | APO12, EDM03
RA-08 | Privacy Impact Assessments | APO12
RA-09 | Criticality Analysis | APO12, EDM03

SA System and Services Acquisition

Control | Name | COBIT 2019 References
SA-03 | Life Cycle Support | BAI01, BAI03, BAI11, EDM04
SA-04 | Acquisitions | APO09, APO10, BAI02, BAI03, MEA03
SA-05 | Information System Documentation | BAI08
SA-08 | Security Engineering Principles | APO03, APO04, BAI02, BAI03
SA-09 | External Information System Services | APO08, APO09, APO10
SA-10 | Developer Configuration Management | BAI03, BAI06
SA-11 | Developer Security Testing | APO11, BAI03, BAI07
SA-15 | Development Process, Standards, and Tools | APO11, BAI03
SA-17 | Developer Security and Privacy Architecture and Design | APO03, BAI03
SA-20 | Customized Development of Critical Components | BAI03
SA-21 | Developer Screening | BAI03
SA-22 | Unsupported System Components | BAI09

SC System and Communications Protection

Control | Name | COBIT 2019 References
SC-05 | Denial Of Service Protection | BAI04
SC-07 | Boundary Protection | DSS05
SC-24 | Fail in Known State | DSS05
SC-28 | Protection of Information at Rest | APO14
SC-41 | Port and I/O Device Access | DSS05
SC-44 | Detonation Chambers | DSS05

SI System and Information Integrity

Control | Name | COBIT 2019 References
SI-02 | Flaw Remediation | DSS03
SI-03 | Malicious Code Protection | DSS05
SI-04 | Information System Monitoring Tools And Techniques | DSS01, DSS05, MEA01
SI-10 | Information Accuracy, Completeness, Validity, And Authenticity | DSS06
SI-12 | Information Output Handling And Retention | APO14
SI-13 | Predictable Failure Prevention | BAI04
SI-15 | Information Output Filtering | DSS06
SI-16 | Memory Protection | DSS05
SI-18 | Personally Identifiable Information Quality Operations | APO14

SR Supply Chain Risk Management

Control | Name | COBIT 2019 References
SR-01 | Policy and Procedures | APO10
SR-02 | Supply Chain Risk Management Plan | APO10
SR-03 | Supply Chain Controls and Processes | APO10
SR-05 | Acquisition Strategies, Tools, and Methods | APO10
SR-06 | Supplier Assessments and Reviews | APO10