CSA AICM v1 Mappings | Open Security Architecture

Clause	Title	SP 800-53 Controls
A&A-01	Audit and Assurance Policy and Procedures	CA-01 CA-02 AU-01
A&A-02	Independent Assessments	CA-02 CA-07 CA-08
A&A-03	Risk Based Planning Assessment	CA-02 RA-03 RA-07
A&A-04	Requirements Compliance	CA-02 CA-05 CA-09
A&A-05	Audit Management Process	CA-02 CA-05 AU-06
A&A-06	Remediation	CA-05 CA-02 RA-07
AIS-01	Application and Interface Security Policy and Procedures	SA-01 SA-08 SI-01
AIS-02	Application Security Baseline Requirements	SA-08 SA-11 SA-15
AIS-03	Application Security Metrics	CA-07 PM-06 SA-11
AIS-04	Secure Application Development Lifecycle	SA-03 SA-08 SA-11 SA-15
AIS-05	Application Security Testing	CA-08 RA-05 SA-11
AIS-06	Secure Application Deployment	CM-02 CM-03 SA-03
AIS-07	Application Vulnerability Remediation	RA-05 SA-11
AIS-08	Input Validation	SA-08 SC-07 AC-04
AIS-09	Output Validation	SA-11 SI-07 CM-03
AIS-10	API Security	SA-08 SA-11 RA-05
AIS-11	Agents Security Boundaries	SA-03 SA-15 CM-03
AIS-12	Source Code Managemement	SI-04 CA-07 AU-06
AIS-13	AI Sandboxing	SA-11 CA-08 SI-07
AIS-14	AI Cache Protection	SA-08 SC-13 SI-07
AIS-15	Prompt Differentation	SA-03 SA-08 SA-11
BCR-01	Business Continuity Management Policy and Procedures	CP-01 CP-02
BCR-02	Risk Assessment and Impact Analysis	CP-02 RA-03 RA-09
BCR-03	Business Continuity Strategy	CP-02 CP-07 CP-08
BCR-04	Business Continuity Planning	CP-02 CP-03 CP-04
BCR-05	Documentation	PL-02 PL-07 CP-02
BCR-06	Business Continuity Exercises	CP-03 CP-04
BCR-07	Communication	CP-02 CP-08 IR-06
BCR-08	Backup	CP-06 CP-09
BCR-09	Disaster Response Plan	CP-02 CP-10 IR-01
BCR-10	Response Plan Exercise	CP-04 IR-03
BCR-11	Equipment Redundancy	CP-07 CP-08 PE-11
CCC-01	Change Management Policy and Procedures	CM-01 CM-03 CM-09
CCC-02	Quality Testing	CM-03 CM-04 SA-11
CCC-03	Change Management Technology	CM-03 CM-05 CM-09
CCC-04	Change Authorization	CM-05 SI-07
CCC-05	Change Agreements	SA-04 CM-03
CCC-06	Change Management Baseline	CM-02 CM-06
CCC-07	Detection of Baseline Deviation	CM-02 CM-03 SI-07
CCC-08	Exception Management	CA-05 PM-09 PL-02
CCC-09	Change Restoration	CP-09 CP-10 CM-03
CEK-01	Encryption and Key Management Policy and Procedures	SC-01 SC-12 SC-13
CEK-02	CEK Roles and Responsibilities	PS-01 PL-02 SC-12
CEK-03	Data Encryption	SC-08 SC-13 SC-28
CEK-04	Encryption Algorithm	SC-13
CEK-05	Encryption Change Management	CM-03 SC-13
CEK-06	Encryption Change Cost Benefit Analysis	RA-03 SC-13
CEK-07	Encryption Risk Management	RA-03 RA-07 SC-13
CEK-08	Customer Key Management Capability	SC-12
CEK-09	Encryption and Key Management Audit	AU-02 CA-02 SC-12
CEK-10	Key Generation	SC-12 SC-13
CEK-11	Key Purpose	SC-12
CEK-12	Key Rotation	SC-12
CEK-13	Key Revocation	SC-12 SC-17
CEK-14	Key Destruction	MP-06 SC-12
CEK-15	Key Activation	SC-12
CEK-16	Key Suspension	SC-12
CEK-17	Key Deactivation	SC-12
CEK-18	Key Archival	CP-09 SC-12
CEK-19	Key Compromise	IR-01 IR-06 SC-12
CEK-20	Key Recovery	CP-09 SC-12
CEK-21	Key Inventory Management	CM-08 SC-12
DCS-01	Off-Site Equipment Disposal Policy and Procedures	MP-06 PE-01
DCS-02	Off-Site Transfer Authorization Policy and Procedures	MP-05 PE-01 PE-16
DCS-03	Secure Area Policy and Procedures	PE-01 PE-02 PE-03
DCS-04	Secure Media Transportation Policy and Procedures	MP-01 MP-05
DCS-05	Assets Classification	CM-08 MP-04 RA-02
DCS-06	Assets Cataloguing and Tracking	CM-08 PE-05
DCS-07	Controlled Physical Access Points	PE-03 PE-06
DCS-08	Equipment Identification	CM-08 IA-03
DCS-09	Secure Area Authorization	PE-02 PE-03
DCS-10	Surveillance System	PE-06 PE-08
DCS-11	Adverse Event Response Training	AT-03 IR-02 PE-06
DCS-12	Cabling Security	PE-04 PE-09
DCS-13	Environmental Systems	PE-13 PE-14 PE-15
DCS-14	Secure Utilities	PE-09 PE-10 PE-11
DCS-15	Equipment Location	PE-05 PE-18
DSP-01	Security and Privacy Policy and Procedures	AC-01 PL-01 PT-01
DSP-02	Secure Disposal	MP-06 SI-12
DSP-03	Data Inventory	CM-08 PM-05 PT-03
DSP-04	Data Classification	AC-16 RA-02
DSP-05	Data Flow Documentation	AC-04 CA-09 PL-02
DSP-06	Data Ownership and Stewardship	AC-16 PM-05 PT-01
DSP-07	Data Protection by Design and Default	SA-08 SC-28 PT-01
DSP-08	Data Privacy by Design and Default	PT-01 PT-02 PT-03
DSP-09	Data Protection Impact Assessment	PT-01 RA-03 RA-08
DSP-10	Sensitive Data Transfer	AC-04 SC-08 SC-13
DSP-11	Personal Data Access, Reversal, Rectification and Deletion	PT-04 PT-05 PT-06
DSP-12	Limitation of Purpose in Personal Data Processing	PT-02 PT-03
DSP-13	Personal Data Sub-processing	PT-01 SA-04 SA-09
DSP-14	Disclosure of Data Sub-processors	PT-01 SA-09
DSP-15	Limitation of Production Data Use	CM-04 PT-03
DSP-16	Data Retention and Deletion	MP-06 PT-01 SI-12
DSP-17	Sensitive Data Protection	AC-03 SC-08 SC-28
DSP-18	Disclosure Notification	IR-06 PT-01
DSP-19	Data Location	PT-01 SA-09
DSP-20	Data Provenance and Transparency	PT-01 PT-03 SA-08
DSP-21	Data Poisoning Prevention & Detection	PT-01 SI-12 RA-03
DSP-22	Privacy Enhancing Technologies	AC-04 PT-01 SC-13
DSP-23	Data Integrity Check	PT-01 PT-04 SA-09
DSP-24	Data Differentiation and Relevance	SI-12 PT-03 AU-02
GRC-01	Governance Program Policy and Procedures	PL-01 PM-01 PM-02
GRC-02	Risk Management Program	PM-09 RA-01 RA-03
GRC-03	Organizational Policy Reviews	PL-01 PM-01
GRC-04	Policy Exception Process	CA-05 PL-02
GRC-05	Information Security Program	PM-01 PM-02 PM-03
GRC-06	Governance Responsibility Model	PL-02 PM-01 PM-02
GRC-07	Information System Regulatory Mapping	CA-02 PM-01 PL-02
GRC-08	Special Interest Groups	PM-15 PM-16
GRC-09	Acceptable Use of the AI Service	PM-01 PM-09 RA-01
GRC-10	AI Impact Assessment	PM-01 PM-02 PM-09
GRC-11	Bias and Fairness Assessment	RA-01 RA-03 PM-09
GRC-12	Ethics Committee	PM-01 CA-02 CA-07
GRC-13	Explainability Requirement	PM-02 PS-01 AT-01
GRC-14	Explainability Evaluation	PM-01 PM-09 RA-03
GRC-15	Human supervision	PM-15 PM-16 CA-07
HRS-01	Background Screening Policy and Procedures	PS-01 PS-03
HRS-02	Acceptable Use of Technology Policy and Procedures	AC-20 PL-04
HRS-03	Clean Desk Policy and Procedures	AC-11 MP-02
HRS-04	Remote and Home Working Policy and Procedures	AC-17 PE-17
HRS-05	Asset returns	PS-04
HRS-06	Employment Termination	PS-04 PS-05
HRS-07	Employment Agreement Process	PS-01 PS-06
HRS-08	Employment Agreement Content	PL-04 PS-06
HRS-09	Personnel Roles and Responsibilities	PL-02 PM-02 PS-01
HRS-10	Non-Disclosure Agreements	PS-06 PS-09
HRS-11	Security Awareness Training	AT-01 AT-02 AT-03
HRS-12	Personal and Sensitive Data Awareness and Training	AT-02 AT-03 PT-01
HRS-13	Compliance User Responsibility	AT-02 PL-04 PS-06
HRS-14	AI Competency Training	AT-02 AT-03 PM-02
HRS-15	AI Acceptable Use	AT-01 PM-02 PS-01
I&S-01	Infrastructure and Virtualization Security Policy and Procedures	SA-01 SC-01 CM-01
I&S-02	Capacity and Resource Planning	CP-02 SC-05 SC-06
I&S-03	Network Security	AC-04 SC-07 SC-08
I&S-04	OS Hardening and Base Controls	CM-02 CM-06 SI-02
I&S-05	Production and Non-Production Environments	CM-02 CM-04 SC-07
I&S-06	Segmentation and Segregation	AC-04 SC-03 SC-07
I&S-07	Migration to Hosted Environments	CM-03 SA-03 SA-04
I&S-08	Network Architecture Documentation	CA-09 PL-02 SC-07
I&S-09	Network Defense	SC-05 SC-07 SI-04
IAM-01	Identity and Access Management Policy and Procedures	AC-01 IA-01
IAM-02	Strong Password Policy and Procedures	IA-01 IA-05
IAM-03	Identity Inventory	AC-02 IA-04
IAM-04	Separation of Duties	AC-05 AC-06
IAM-05	Least Privilege	AC-02 AC-06
IAM-06	User Access Provisioning	AC-02 IA-04 IA-05
IAM-07	User Access Changes and Revocation	AC-02 PS-04 PS-05
IAM-08	User Access Review	AC-02 AC-06
IAM-09	Segregation of Privileged Access Roles	AC-05 AC-06
IAM-10	Management of Privileged Access Roles	AC-02 AC-06 IA-02
IAM-11	Customers' Approval for Agreed Privileged Access Roles	AC-02 AC-06
IAM-12	Safeguard Logs Integrity	AU-09 AU-10
IAM-13	Uniquely Identifiable Users	AC-02 IA-02 IA-04
IAM-14	Strong Authentication	IA-02 IA-05 IA-08
IAM-15	Passwords and Secrets Management	IA-02 IA-05
IAM-16	Authorization Mechanisms	AC-03 AC-06 AC-16
IAM-17	Knowledge Access Control - Need to Know	AC-02 IA-02 SC-07
IAM-18	Output Modification and Special Authorization	AC-02 AC-06 IA-03
IAM-19	Agent Access Restriction	AC-05 AC-06 CM-05
IPY-01	Interoperability and Portability Policy and Procedures	SA-01 SA-04
IPY-02	Application Interface Availability	SA-04 SA-09
IPY-03	Secure Interoperability and Portability Management	SA-04 SA-09 SC-08
IPY-04	Data Portability Contractual Obligations	SA-04
LOG-01	Logging and Monitoring Policy and Procedures	AU-01 AU-02
LOG-02	Audit Logs Protection	AU-09 AU-11
LOG-03	Security Monitoring and Alerting	AU-06 CA-07 SI-04
LOG-04	Audit Logs Access and Accountability	AC-06 AU-06 AU-09
LOG-05	Audit Logs Monitoring and Response	AU-06 IR-04 SI-04
LOG-06	Clock Synchronization	AU-08
LOG-07	Logging Scope	AU-02 AU-03
LOG-08	Log Records	AU-02 AU-03
LOG-09	Log Protection	AU-09 AU-11
LOG-10	Encryption Monitoring and Reporting	AU-02 CA-07 SC-13
LOG-11	Transaction/Activity Logging	AU-02 AU-03 AU-12
LOG-12	Access Control Logs	AC-02 AU-02 AU-03
LOG-13	Failures and Anomalies Reporting	AU-05 AU-06 SI-04
LOG-14	Input Monitoring	AU-02 AU-06 SI-04
LOG-15	Output Monitoring	AU-02 AU-03 CA-07
MDS-01	Training Pipeline Security	SA-08 CM-01 PL-01
MDS-02	Model Artifact Scanning	CM-08 SA-03
MDS-03	Model Documentation	SA-11 CA-08 RA-05
MDS-04	Model Documentation Requirements	CM-03 CM-05 SA-03
MDS-05	Model Documentation Validation	SI-04 CA-07 AU-06
MDS-06	Adversarial Attack Analysis	SI-07 SC-13 CM-03
MDS-07	Robustness against Adversarial Attack / Model Hardening	AC-03 AC-06 CM-05
MDS-08	Model Integrity Checks	SA-11 RA-05 SI-07
MDS-09	Model Signing/Ownership Verification	PT-01 PT-03 SA-08
MDS-10	Model Continuous Monitoring	SA-03 SA-08 SA-15
MDS-11	Model Failure	CM-03 CM-09 SA-03
MDS-12	Open Model Risk Assessment	SA-04 SA-09 RA-03
MDS-13	Secure Model Format	RA-03 PM-09 SI-01
SEF-01	Security Incident Management Policy and Procedures	IR-01 IR-08
SEF-02	Service Management Policy and Procedures	IR-01 IR-04 PM-01
SEF-03	Incident Response Plans	IR-02 IR-04 IR-08
SEF-04	Incident Response Testing	IR-03
SEF-05	Incident Response Metrics	CA-07 IR-04 PM-06
SEF-06	Event Triage Processes	AU-06 IR-04 IR-05
SEF-07	Security Breach Notification	IR-06 IR-07
SEF-08	Points of Contact Maintenance	IR-01 IR-06 PM-15
SEF-09	Incident Response	IR-01 IR-04 IR-06
STA-01	Supply Chain Risk Management Policies and Procedures	PM-01 SA-01 SR-01
STA-02	SSRM Policy and Procedures	SR-01 SR-02 SR-03
STA-03	SSRM Supply Chain	SA-04 SR-01
STA-04	SSRM Guidance	PM-02 SR-01
STA-05	SSRM Control Ownership	CA-02 SR-01
STA-06	SSRM Documentation Review	CA-02 SA-09 SR-01
STA-07	SSRM Control Implementation	CM-08 SR-01 SR-02
STA-08	Supply Chain Inventory	RA-03 SR-01 SR-02 SR-03
STA-09	Supply Chain Risk Management	SA-04 SA-09
STA-10	Primary Service and Contractual Agreement	SA-04 SR-01
STA-11	Supply Chain Agreement Review	CA-02 CA-07
STA-12	Supply Chain Compliance Assessment	CA-02 SA-09 SR-01
STA-13	Supply Chain Service Agreement Compliance	CA-02 PM-01 SR-01
STA-14	Supply Chain Governance Review	RA-03 SR-01 SR-03
STA-15	Supply Chain Data Security Assessment	SR-01 SA-04 CM-08
STA-16	Service Bill of Material (BOM)	SR-01 SR-02 SA-09
TVM-01	Threat and Vulnerability Management Policy and Procedures	RA-01 RA-05 SI-01
TVM-02	Malware and Malicious Instructions Protection Policy and Procedures	SI-01 SI-03
TVM-03	Vulnerability Identification	RA-05 SI-02
TVM-04	Detection Updates	SI-02 SI-03
TVM-05	External Library Vulnerabilities	RA-05 SA-11 SR-04
TVM-06	Penetration Testing	CA-08 RA-05
TVM-07	Vulnerability Remediation Schedule	RA-05 SI-05
TVM-08	Vulnerability Prioritization	RA-03 RA-05
TVM-09	Vulnerability Management Reporting	CA-07 PM-06 RA-05
TVM-10	Vulnerability Management Metrics	CA-07 PM-06 RA-05
TVM-11	Guardrails	RA-03 RA-05 SI-04
TVM-12	Threat Analysis and Modelling	CA-08 RA-05 SA-11
TVM-13	Threat Response	SI-04 CA-07 RA-05
UEM-01	Endpoint Devices Policy and Procedures	AC-19 CM-01 SC-42
UEM-02	Application and Service Approval	CM-07 CM-11
UEM-03	Compatibility	CM-02 SA-04
UEM-04	Endpoint Inventory	CM-08
UEM-05	Endpoint Management	CM-02 CM-03 CM-06
UEM-06	Automatic Lock Screen	AC-11
UEM-07	Operating Systems	CM-02 CM-06 SI-02
UEM-08	Storage Encryption	SC-13 SC-28
UEM-09	Anti-Malware Detection and Prevention	SI-03
UEM-10	Software Firewall	CM-07 SC-07
UEM-11	Data Loss Prevention	AC-04 SC-07 SI-04
UEM-12	Remote Locate	CM-08
UEM-13	Remote Wipe	AC-19 MP-06
UEM-14	Third-Party Endpoint Security Posture	AC-20 SA-09 SR-01

A&A-01

Audit and Assurance Policy and Procedures

CA-01 CA-02 AU-01

A&A-02

Independent Assessments

CA-02 CA-07 CA-08

A&A-03

Risk Based Planning Assessment

CA-02 RA-03 RA-07

A&A-04

Requirements Compliance

CA-02 CA-05 CA-09

A&A-05

Audit Management Process

CA-02 CA-05 AU-06

A&A-06

Remediation

CA-05 CA-02 RA-07

AIS-01

Application and Interface Security Policy and Procedures

SA-01 SA-08 SI-01

AIS-02

Application Security Baseline Requirements

SA-08 SA-11 SA-15

AIS-03

Application Security Metrics

CA-07 PM-06 SA-11

AIS-04

Secure Application Development Lifecycle

SA-03 SA-08 SA-11 SA-15

AIS-05

Application Security Testing

CA-08 RA-05 SA-11

AIS-06

Secure Application Deployment

CM-02 CM-03 SA-03

AIS-07

Application Vulnerability Remediation

RA-05 SA-11

AIS-08

Input Validation

SA-08 SC-07 AC-04

AIS-09

Output Validation

SA-11 SI-07 CM-03

AIS-10

API Security

SA-08 SA-11 RA-05

AIS-11

Agents Security Boundaries

SA-03 SA-15 CM-03

AIS-12

Source Code Managemement

SI-04 CA-07 AU-06

AIS-13

AI Sandboxing

SA-11 CA-08 SI-07

AIS-14

AI Cache Protection

SA-08 SC-13 SI-07

AIS-15

Prompt Differentation

SA-03 SA-08 SA-11

BCR-01

Business Continuity Management Policy and Procedures

CP-01 CP-02

BCR-02

Risk Assessment and Impact Analysis

CP-02 RA-03 RA-09

BCR-03

Business Continuity Strategy

CP-02 CP-07 CP-08

BCR-04

Business Continuity Planning

CP-02 CP-03 CP-04

BCR-05

Documentation

PL-02 PL-07 CP-02

BCR-06

Business Continuity Exercises

CP-03 CP-04

BCR-07

Communication

CP-02 CP-08 IR-06

BCR-08

Backup

CP-06 CP-09

BCR-09

Disaster Response Plan

CP-02 CP-10 IR-01

BCR-10

Response Plan Exercise

CP-04 IR-03

BCR-11

Equipment Redundancy

CP-07 CP-08 PE-11

CCC-01

Change Management Policy and Procedures

CM-01 CM-03 CM-09

CCC-02

Quality Testing

CM-03 CM-04 SA-11

CCC-03

Change Management Technology

CM-03 CM-05 CM-09

CCC-04

Change Authorization

CM-05 SI-07

CCC-05

Change Agreements

SA-04 CM-03

CCC-06

Change Management Baseline

CM-02 CM-06

CCC-07

Detection of Baseline Deviation

CM-02 CM-03 SI-07

CCC-08

Exception Management

CA-05 PM-09 PL-02

CCC-09

Change Restoration

CP-09 CP-10 CM-03

CEK-01

Encryption and Key Management Policy and Procedures

SC-01 SC-12 SC-13

CEK-02

CEK Roles and Responsibilities

PS-01 PL-02 SC-12

CEK-03

Data Encryption

SC-08 SC-13 SC-28

CEK-04

Encryption Algorithm

SC-13

CEK-05

Encryption Change Management

CM-03 SC-13

CEK-06

Encryption Change Cost Benefit Analysis

RA-03 SC-13

CEK-07

Encryption Risk Management

RA-03 RA-07 SC-13

CEK-08

Customer Key Management Capability

SC-12

CEK-09

Encryption and Key Management Audit

AU-02 CA-02 SC-12

CEK-10

Key Generation

SC-12 SC-13

CEK-11

Key Purpose

SC-12

CEK-12

Key Rotation

SC-12

CEK-13

Key Revocation

SC-12 SC-17

CEK-14

Key Destruction

MP-06 SC-12

CEK-15

Key Activation

SC-12

CEK-16

Key Suspension

SC-12

CEK-17

Key Deactivation

SC-12

CEK-18

Key Archival

CP-09 SC-12

CEK-19

Key Compromise

IR-01 IR-06 SC-12

CEK-20

Key Recovery

CP-09 SC-12

CEK-21

Key Inventory Management

CM-08 SC-12

DCS-01

Off-Site Equipment Disposal Policy and Procedures

MP-06 PE-01

DCS-02

Off-Site Transfer Authorization Policy and Procedures

MP-05 PE-01 PE-16

DCS-03

Secure Area Policy and Procedures

PE-01 PE-02 PE-03

DCS-04

Secure Media Transportation Policy and Procedures

MP-01 MP-05

DCS-05

Assets Classification

CM-08 MP-04 RA-02

DCS-06

Assets Cataloguing and Tracking

CM-08 PE-05

DCS-07

Controlled Physical Access Points

PE-03 PE-06

DCS-08

Equipment Identification

CM-08 IA-03

DCS-09

Secure Area Authorization

PE-02 PE-03

DCS-10

Surveillance System

PE-06 PE-08

DCS-11

Adverse Event Response Training

AT-03 IR-02 PE-06

DCS-12

Cabling Security

PE-04 PE-09

DCS-13

Environmental Systems

PE-13 PE-14 PE-15

DCS-14

Secure Utilities

PE-09 PE-10 PE-11

DCS-15

Equipment Location

PE-05 PE-18

DSP-01

Security and Privacy Policy and Procedures

AC-01 PL-01 PT-01

DSP-02

Secure Disposal

MP-06 SI-12

DSP-03

Data Inventory

CM-08 PM-05 PT-03

DSP-04

Data Classification

AC-16 RA-02

DSP-05

Data Flow Documentation

AC-04 CA-09 PL-02

DSP-06

Data Ownership and Stewardship

AC-16 PM-05 PT-01

DSP-07

Data Protection by Design and Default

SA-08 SC-28 PT-01

DSP-08

Data Privacy by Design and Default

PT-01 PT-02 PT-03

DSP-09

Data Protection Impact Assessment

PT-01 RA-03 RA-08

DSP-10

Sensitive Data Transfer

AC-04 SC-08 SC-13

DSP-11

Personal Data Access, Reversal, Rectification and Deletion

PT-04 PT-05 PT-06

DSP-12

Limitation of Purpose in Personal Data Processing

PT-02 PT-03

DSP-13

Personal Data Sub-processing

PT-01 SA-04 SA-09

DSP-14

Disclosure of Data Sub-processors

PT-01 SA-09

DSP-15

Limitation of Production Data Use

CM-04 PT-03

DSP-16

Data Retention and Deletion

MP-06 PT-01 SI-12

DSP-17

Sensitive Data Protection

AC-03 SC-08 SC-28

DSP-18

Disclosure Notification

IR-06 PT-01

DSP-19

Data Location

PT-01 SA-09

DSP-20

Data Provenance and Transparency

PT-01 PT-03 SA-08

DSP-21

Data Poisoning Prevention & Detection

PT-01 SI-12 RA-03

DSP-22

Privacy Enhancing Technologies

AC-04 PT-01 SC-13

DSP-23

Data Integrity Check

PT-01 PT-04 SA-09

DSP-24

Data Differentiation and Relevance

SI-12 PT-03 AU-02

GRC-01

Governance Program Policy and Procedures

PL-01 PM-01 PM-02

GRC-02

Risk Management Program

PM-09 RA-01 RA-03

GRC-03

Organizational Policy Reviews

PL-01 PM-01

GRC-04

Policy Exception Process

CA-05 PL-02

GRC-05

Information Security Program

PM-01 PM-02 PM-03

GRC-06

Governance Responsibility Model

PL-02 PM-01 PM-02

GRC-07

Information System Regulatory Mapping

CA-02 PM-01 PL-02

GRC-08

Special Interest Groups

PM-15 PM-16

GRC-09

Acceptable Use of the AI Service

PM-01 PM-09 RA-01

GRC-10

AI Impact Assessment

PM-01 PM-02 PM-09

GRC-11

Bias and Fairness Assessment

RA-01 RA-03 PM-09

GRC-12

Ethics Committee

PM-01 CA-02 CA-07

GRC-13

Explainability Requirement

PM-02 PS-01 AT-01

GRC-14

Explainability Evaluation

PM-01 PM-09 RA-03

GRC-15

Human supervision

PM-15 PM-16 CA-07

HRS-01

Background Screening Policy and Procedures

PS-01 PS-03

HRS-02

Acceptable Use of Technology Policy and Procedures

AC-20 PL-04

HRS-03

Clean Desk Policy and Procedures

AC-11 MP-02

HRS-04

Remote and Home Working Policy and Procedures

AC-17 PE-17

HRS-05

Asset returns

PS-04

HRS-06

Employment Termination

PS-04 PS-05

HRS-07

Employment Agreement Process

PS-01 PS-06

HRS-08

Employment Agreement Content

PL-04 PS-06

HRS-09

Personnel Roles and Responsibilities

PL-02 PM-02 PS-01

HRS-10

Non-Disclosure Agreements

PS-06 PS-09

HRS-11

Security Awareness Training

AT-01 AT-02 AT-03

HRS-12

Personal and Sensitive Data Awareness and Training

AT-02 AT-03 PT-01

HRS-13

Compliance User Responsibility

AT-02 PL-04 PS-06

HRS-14

AI Competency Training

AT-02 AT-03 PM-02

HRS-15

AI Acceptable Use

AT-01 PM-02 PS-01

I&S-01

Infrastructure and Virtualization Security Policy and Procedures

SA-01 SC-01 CM-01

I&S-02

Capacity and Resource Planning

CP-02 SC-05 SC-06

I&S-03

Network Security

AC-04 SC-07 SC-08

I&S-04

OS Hardening and Base Controls

CM-02 CM-06 SI-02

I&S-05

Production and Non-Production Environments

CM-02 CM-04 SC-07

I&S-06

Segmentation and Segregation

AC-04 SC-03 SC-07

I&S-07

Migration to Hosted Environments

CM-03 SA-03 SA-04

I&S-08

Network Architecture Documentation

CA-09 PL-02 SC-07

I&S-09

Network Defense

SC-05 SC-07 SI-04

IAM-01

Identity and Access Management Policy and Procedures

AC-01 IA-01

IAM-02

Strong Password Policy and Procedures

IA-01 IA-05

IAM-03

Identity Inventory

AC-02 IA-04

IAM-04

Separation of Duties

AC-05 AC-06

IAM-05

Least Privilege

AC-02 AC-06

IAM-06

User Access Provisioning

AC-02 IA-04 IA-05

IAM-07

User Access Changes and Revocation

AC-02 PS-04 PS-05

IAM-08

User Access Review

AC-02 AC-06

IAM-09

Segregation of Privileged Access Roles

AC-05 AC-06

IAM-10

Management of Privileged Access Roles

AC-02 AC-06 IA-02

IAM-11

Customers' Approval for Agreed Privileged Access Roles

AC-02 AC-06

IAM-12

Safeguard Logs Integrity

AU-09 AU-10

IAM-13

Uniquely Identifiable Users

AC-02 IA-02 IA-04

IAM-14

Strong Authentication

IA-02 IA-05 IA-08

IAM-15

Passwords and Secrets Management

IA-02 IA-05

IAM-16

Authorization Mechanisms

AC-03 AC-06 AC-16

IAM-17

Knowledge Access Control - Need to Know

AC-02 IA-02 SC-07

IAM-18

Output Modification and Special Authorization

AC-02 AC-06 IA-03

IAM-19

Agent Access Restriction

AC-05 AC-06 CM-05

IPY-01

Interoperability and Portability Policy and Procedures

SA-01 SA-04

IPY-02

Application Interface Availability

SA-04 SA-09

IPY-03

Secure Interoperability and Portability Management

SA-04 SA-09 SC-08

IPY-04

Data Portability Contractual Obligations

SA-04

LOG-01

Logging and Monitoring Policy and Procedures

AU-01 AU-02

LOG-02

Audit Logs Protection

AU-09 AU-11

LOG-03

Security Monitoring and Alerting

AU-06 CA-07 SI-04

LOG-04

Audit Logs Access and Accountability

AC-06 AU-06 AU-09

LOG-05

Audit Logs Monitoring and Response

AU-06 IR-04 SI-04

LOG-06

Clock Synchronization

AU-08

LOG-07

Logging Scope

AU-02 AU-03

LOG-08

Log Records

AU-02 AU-03

LOG-09

Log Protection

AU-09 AU-11

LOG-10

Encryption Monitoring and Reporting

AU-02 CA-07 SC-13

LOG-11

Transaction/Activity Logging

AU-02 AU-03 AU-12

LOG-12

Access Control Logs

AC-02 AU-02 AU-03

LOG-13

Failures and Anomalies Reporting

AU-05 AU-06 SI-04

LOG-14

Input Monitoring

AU-02 AU-06 SI-04

LOG-15

Output Monitoring

AU-02 AU-03 CA-07

MDS-01

Training Pipeline Security

SA-08 CM-01 PL-01

MDS-02

Model Artifact Scanning

CM-08 SA-03

MDS-03

Model Documentation

SA-11 CA-08 RA-05

MDS-04

Model Documentation Requirements

CM-03 CM-05 SA-03

MDS-05

Model Documentation Validation

SI-04 CA-07 AU-06

MDS-06

Adversarial Attack Analysis

SI-07 SC-13 CM-03

MDS-07

Robustness against Adversarial Attack / Model Hardening

AC-03 AC-06 CM-05

MDS-08

Model Integrity Checks

SA-11 RA-05 SI-07

MDS-09

Model Signing/Ownership Verification

PT-01 PT-03 SA-08

MDS-10

Model Continuous Monitoring

SA-03 SA-08 SA-15

MDS-11

Model Failure

CM-03 CM-09 SA-03

MDS-12

Open Model Risk Assessment

SA-04 SA-09 RA-03

MDS-13

Secure Model Format

RA-03 PM-09 SI-01

SEF-01

Security Incident Management Policy and Procedures

IR-01 IR-08

SEF-02

Service Management Policy and Procedures

IR-01 IR-04 PM-01

SEF-03

Incident Response Plans

IR-02 IR-04 IR-08

SEF-04

Incident Response Testing

IR-03

SEF-05

Incident Response Metrics

CA-07 IR-04 PM-06

SEF-06

Event Triage Processes

AU-06 IR-04 IR-05

SEF-07

Security Breach Notification

IR-06 IR-07

SEF-08

Points of Contact Maintenance

IR-01 IR-06 PM-15

SEF-09

Incident Response

IR-01 IR-04 IR-06

STA-01

Supply Chain Risk Management Policies and Procedures

PM-01 SA-01 SR-01

STA-02

SSRM Policy and Procedures

SR-01 SR-02 SR-03

STA-03

SSRM Supply Chain

SA-04 SR-01

STA-04

SSRM Guidance

PM-02 SR-01

STA-05

SSRM Control Ownership

CA-02 SR-01

STA-06

SSRM Documentation Review

CA-02 SA-09 SR-01

STA-07

SSRM Control Implementation

CM-08 SR-01 SR-02

STA-08

Supply Chain Inventory

RA-03 SR-01 SR-02 SR-03

STA-09

Supply Chain Risk Management

SA-04 SA-09

STA-10

Primary Service and Contractual Agreement

SA-04 SR-01

STA-11

Supply Chain Agreement Review

CA-02 CA-07

STA-12

Supply Chain Compliance Assessment

CA-02 SA-09 SR-01

STA-13

Supply Chain Service Agreement Compliance

CA-02 PM-01 SR-01

STA-14

Supply Chain Governance Review

RA-03 SR-01 SR-03

STA-15

Supply Chain Data Security Assessment

SR-01 SA-04 CM-08

STA-16

Service Bill of Material (BOM)

SR-01 SR-02 SA-09

TVM-01

Threat and Vulnerability Management Policy and Procedures

RA-01 RA-05 SI-01

TVM-02

Malware and Malicious Instructions Protection Policy and Procedures

SI-01 SI-03

TVM-03

Vulnerability Identification

RA-05 SI-02

TVM-04

Detection Updates

SI-02 SI-03

TVM-05

External Library Vulnerabilities

RA-05 SA-11 SR-04

TVM-06

Penetration Testing

CA-08 RA-05

TVM-07

Vulnerability Remediation Schedule

RA-05 SI-05

TVM-08

Vulnerability Prioritization

RA-03 RA-05

TVM-09

Vulnerability Management Reporting

CA-07 PM-06 RA-05

TVM-10

Vulnerability Management Metrics

CA-07 PM-06 RA-05

TVM-11

Guardrails

RA-03 RA-05 SI-04

TVM-12

Threat Analysis and Modelling

CA-08 RA-05 SA-11

TVM-13

Threat Response

SI-04 CA-07 RA-05

UEM-01

Endpoint Devices Policy and Procedures

AC-19 CM-01 SC-42

UEM-02

Application and Service Approval

CM-07 CM-11

UEM-03

Compatibility

CM-02 SA-04

UEM-04

Endpoint Inventory

CM-08

UEM-05

Endpoint Management

CM-02 CM-03 CM-06

UEM-06

Automatic Lock Screen

AC-11

UEM-07

Operating Systems

CM-02 CM-06 SI-02

UEM-08

Storage Encryption

SC-13 SC-28

UEM-09

Anti-Malware Detection and Prevention

SI-03

UEM-10

Software Firewall

CM-07 SC-07

UEM-11

Data Loss Prevention

AC-04 SC-07 SI-04

UEM-12

Remote Locate

CM-08

UEM-13

Remote Wipe

AC-19 MP-06

UEM-14

Third-Party Endpoint Security Posture

AC-20 SA-09 SR-01

CSA AI Controls Matrix v1.0.3