← Frameworks / DNB Good Practice / Control Mappings

DNB Good Practice Information Security 2023

De Nederlandsche Bank's mandatory information security framework for Dutch financial institutions including banks, insurers, pension funds, and payment institutions. 58 controls across 7 elements (governance, organisation, people, processes, technology, facilities, testing) with COBIT 4.1 maturity model assessment. DORA supersedes for in-scope entities from January 2025, but continues for pension funds. Self-assessment tool available.

Controls: 155
Total Mappings: 306
Publisher: De Nederlandsche Bank (DNB) Version: 2023
DNB Good Practice → SP 800-53 SP 800-53 → DNB Good Practice Coverage Analysis
AC (10) AT (5) AU (5) CA (6) CM (8) CP (9) IA (7) IR (7) MA (6) MP (5) PE (12) PL (4) PM (17) PS (7) RA (6) SA (11) SC (17) SI (8) SR (5)

AC Access Control

Control Name DNB Good Practice References
AC-01 Access Control Policies and Procedures
DNB.1.2
AC-02 Account Management
DNB.17.2DNB.8.5
AC-03 Access Enforcement
DNB.12.3DNB.17.2DNB.20.1
AC-04 Information Flow Enforcement
DNB.12.3DNB.18.4DNB.18.5
AC-05 Separation Of Duties
DNB.17.2DNB.7.1
AC-06 Least Privilege
DNB.17.2DNB.7.1
AC-07 Unsuccessful Login Attempts
DNB.17.2
AC-16 Automated Labeling
DNB.12.3DNB.2.2DNB.6.1
AC-17 Remote Access
DNB.18.4
AC-21 Information Sharing
DNB.18.5

AT Awareness and Training

Control Name DNB Good Practice References
AT-01 Security Awareness And Training Policy And Procedures
DNB.1.2
AT-02 Security Awareness
DNB.8.2DNB.9.1DNB.9.3
AT-03 Security Training
DNB.8.2DNB.9.2
AT-04 Security Training Records
DNB.9.2
AT-06 Training Feedback
DNB.9.1DNB.9.3

AU Audit and Accountability

Control Name DNB Good Practice References
AU-01 Audit And Accountability Policy And Procedures
DNB.1.2
AU-04 Audit Storage Capacity
DNB.18.1
AU-06 Audit Monitoring, Analysis, And Reporting
DNB.16.1
AU-09 Protection Of Audit Information
DNB.20.1
AU-11 Audit Record Retention
DNB.12.1

CA Security Assessment and Authorization

Control Name DNB Good Practice References
CA-01 Certification, Accreditation, And Security Assessment Policies And Procedures
DNB.1.2
CA-02 Security Assessments
DNB.10.4DNB.16.1DNB.16.2DNB.16.3DNB.16.4DNB.16.5DNB.22.1
CA-05 Plan Of Action And Milestones
DNB.16.2DNB.4.3
CA-06 Security Accreditation
DNB.16.4DNB.16.5
CA-07 Continuous Monitoring
DNB.14.1DNB.16.1DNB.16.2
CA-08 Penetration Testing
DNB.16.1DNB.16.5DNB.22.1

CM Configuration Management

Control Name DNB Good Practice References
CM-01 Configuration Management Policy And Procedures
DNB.1.2DNB.10.1DNB.13.1
CM-02 Baseline Configuration
DNB.10.3DNB.10.5DNB.13.1DNB.13.2DNB.3.2
CM-03 Configuration Change Control
DNB.10.1DNB.10.2DNB.10.5DNB.13.2
CM-04 Monitoring Configuration Changes
DNB.10.1DNB.10.2DNB.10.3DNB.10.4
CM-05 Access Restrictions For Change
DNB.10.1DNB.10.5DNB.7.1
CM-06 Configuration Settings
DNB.13.1DNB.19.2DNB.20.1DNB.3.2
CM-07 Least Functionality
DNB.13.2DNB.20.1DNB.3.2
CM-08 Information System Component Inventory
DNB.13.1DNB.13.2DNB.19.3DNB.6.1

CP Contingency Planning

Control Name DNB Good Practice References
CP-01 Contingency Planning Policy And Procedures
DNB.1.2DNB.11.1
CP-02 Contingency Plan
DNB.11.1DNB.11.4DNB.8.3
CP-03 Contingency Training
DNB.11.2
CP-04 Contingency Plan Testing And Exercises
DNB.11.2
CP-06 Alternate Storage Site
DNB.11.3
CP-07 Alternate Processing Site
DNB.11.1DNB.18.1
CP-08 Telecommunications Services
DNB.11.1DNB.18.1
CP-09 Information System Backup
DNB.11.3DNB.11.4
CP-10 Information System Recovery And Reconstitution
DNB.11.1DNB.11.4

IA Identification and Authentication

Control Name DNB Good Practice References
IA-01 Identification And Authentication Policy And Procedures
DNB.1.2DNB.17.1
IA-02 User Identification And Authentication
DNB.17.1
IA-04 Identifier Management
DNB.17.1DNB.17.2
IA-05 Authenticator Management
DNB.17.1DNB.17.2
IA-07 Cryptographic Module Authentication
DNB.18.3
IA-08 Identification and Authentication (Non-Organizational Users)
DNB.17.1
IA-12 Identity Proofing
DNB.17.1

IR Incident Response

Control Name DNB Good Practice References
IR-01 Incident Response Policy And Procedures
DNB.1.2DNB.15.1DNB.15.2
IR-02 Incident Response Training
DNB.15.1
IR-03 Incident Response Testing And Exercises
DNB.11.2
IR-04 Incident Handling
DNB.15.2
IR-05 Incident Monitoring
DNB.15.2
IR-06 Incident Reporting
DNB.15.2
IR-08 Incident Response Plan
DNB.15.1

MA Maintenance

Control Name DNB Good Practice References
MA-01 System Maintenance Policy And Procedures
DNB.1.2DNB.18.2
MA-02 Controlled Maintenance
DNB.18.2
MA-03 Maintenance Tools
DNB.18.2
MA-04 Remote Maintenance
DNB.18.2
MA-05 Maintenance Personnel
DNB.18.2
MA-06 Timely Maintenance
DNB.18.2

MP Media Protection

Control Name DNB Good Practice References
MP-01 Media Protection Policy And Procedures
DNB.1.2DNB.12.2
MP-02 Media Access
DNB.12.1
MP-04 Media Storage
DNB.11.3DNB.12.1DNB.12.3DNB.2.2
MP-06 Media Sanitization And Disposal
DNB.12.2
MP-08 Media Downgrading
DNB.12.2

PE Physical and Environmental Protection

Control Name DNB Good Practice References
PE-01 Physical And Environmental Protection Policy And Procedures
DNB.1.2DNB.21.1
PE-02 Physical Access Authorizations
DNB.21.1DNB.21.2DNB.8.5
PE-03 Physical Access Control
DNB.21.1DNB.21.2
PE-04 Access Control For Transmission Medium
DNB.21.1
PE-05 Access Control For Display Medium
DNB.21.1
PE-06 Monitoring Physical Access
DNB.21.1DNB.21.2
PE-07 Visitor Control
DNB.21.2
PE-08 Access Records
DNB.21.1DNB.21.2
PE-09 Power Equipment And Power Cabling
DNB.18.1DNB.21.1
PE-10 Emergency Shutoff
DNB.18.1
PE-11 Emergency Power
DNB.18.1
PE-17 Alternate Work Site
DNB.11.3

PL Planning

Control Name DNB Good Practice References
PL-01 Security Planning Policy And Procedures
DNB.1.1DNB.1.2DNB.5.1DNB.5.2
PL-02 System Security Plan
DNB.1.1DNB.19.3DNB.6.1
PL-04 Rules Of Behavior
DNB.9.1
PL-08 Security and Privacy Architectures
DNB.2.1DNB.3.2

PM Program Management

Control Name DNB Good Practice References
PM-01 Information Security Program Plan
DNB.1.1DNB.16.4DNB.5.1DNB.5.2
PM-02 Information Security Program Leadership Role
DNB.5.1DNB.5.2
PM-03 Information Security and Privacy Resources
DNB.4.3DNB.5.2
PM-04 Plan of Action and Milestones Process
DNB.4.3
PM-05 System Inventory
DNB.19.3DNB.5.2DNB.6.1
PM-06 Measures of Performance
DNB.14.1DNB.16.2DNB.16.4DNB.5.2
PM-07 Enterprise Architecture
DNB.2.1
PM-08 Critical Infrastructure Plan
DNB.11.1DNB.4.1
PM-09 Risk Management Strategy
DNB.1.1DNB.4.1DNB.4.2DNB.4.3
PM-11 Mission and Business Process Definition
DNB.1.1DNB.11.1DNB.4.1
PM-12 Insider Threat Program
DNB.15.2DNB.8.1DNB.8.2DNB.8.3DNB.9.3
PM-13 Security and Privacy Workforce
DNB.8.2DNB.8.3DNB.9.2
PM-14 Testing, Training, and Monitoring
DNB.11.2DNB.16.2DNB.16.5DNB.5.2DNB.8.2DNB.9.2DNB.9.3
PM-15 Security and Privacy Groups and Associations
DNB.16.4DNB.3.1
PM-16 Threat Awareness Program
DNB.3.1
PM-28 Risk Framing
DNB.4.1DNB.4.2
PM-29 Risk Management Program Leadership Roles
DNB.5.1

PS Personnel Security

Control Name DNB Good Practice References
PS-01 Personnel Security Policy And Procedures
DNB.1.2DNB.5.1DNB.8.1DNB.8.4
PS-02 Position Categorization
DNB.7.1DNB.8.1DNB.8.3
PS-03 Personnel Screening
DNB.8.1DNB.8.4
PS-04 Personnel Termination
DNB.8.5
PS-05 Personnel Transfer
DNB.8.5
PS-06 Access Agreements
DNB.8.4
PS-07 Third-Party Personnel Security
DNB.16.3DNB.5.1DNB.8.4

RA Risk Assessment

Control Name DNB Good Practice References
RA-01 Risk Assessment Policy And Procedures
DNB.1.1DNB.1.2DNB.4.1
RA-02 Security Categorization
DNB.2.2DNB.4.1DNB.6.1
RA-03 Risk Assessment
DNB.10.2DNB.3.1DNB.4.1DNB.4.2
RA-05 Vulnerability Scanning
DNB.16.1DNB.19.2DNB.22.1DNB.4.2
RA-07 Risk Response
DNB.10.2DNB.19.2DNB.4.2DNB.4.3
RA-09 Criticality Analysis
DNB.4.2

SA System and Services Acquisition

Control Name DNB Good Practice References
SA-01 System And Services Acquisition Policy And Procedures
DNB.1.2
SA-02 Allocation Of Resources
DNB.1.1
SA-03 Life Cycle Support
DNB.19.3
SA-04 Acquisitions
DNB.14.1DNB.14.2DNB.3.2
SA-08 Security Engineering Principles
DNB.2.1DNB.3.2
SA-09 External Information System Services
DNB.14.1DNB.14.2DNB.16.3
SA-10 Developer Configuration Management
DNB.10.1DNB.10.5
SA-11 Developer Security Testing
DNB.10.3DNB.10.4DNB.22.1
SA-15 Development Process, Standards, and Tools
DNB.10.4
SA-17 Developer Security and Privacy Architecture and Design
DNB.2.1
SA-22 Unsupported System Components
DNB.19.3

SC System and Communications Protection

Control Name DNB Good Practice References
SC-01 System And Communications Protection Policy And Procedures
DNB.1.2
SC-05 Denial Of Service Protection
DNB.18.1
SC-07 Boundary Protection
DNB.18.1DNB.18.4DNB.20.1
SC-08 Transmission Integrity
DNB.12.3DNB.18.4DNB.18.5
SC-12 Cryptographic Key Establishment And Management
DNB.18.3DNB.18.5
SC-13 Use Of Cryptography
DNB.18.3DNB.18.5
SC-16 Transmission Of Security Parameters
DNB.18.5DNB.2.2
SC-17 Public Key Infrastructure Certificates
DNB.18.3
SC-18 Mobile Code
DNB.19.1
SC-20 Secure Name / Address Resolution Service (Authoritative Source)
DNB.18.4
SC-21 Secure Name / Address Resolution Service (Recursive Or Caching Resolver)
DNB.18.4
SC-22 Architecture And Provisioning For Name / Address Resolution Service
DNB.18.4
SC-23 Session Authenticity
DNB.18.4
SC-28 Protection of Information at Rest
DNB.12.3
SC-32 System Partitioning
DNB.10.3
SC-42 Sensor Capability and Data
DNB.20.1
SC-44 Detonation Chambers
DNB.19.1

SI System and Information Integrity

Control Name DNB Good Practice References
SI-01 System And Information Integrity Policy And Procedures
DNB.1.2
SI-02 Flaw Remediation
DNB.19.2
SI-03 Malicious Code Protection
DNB.19.1
SI-04 Information System Monitoring Tools And Techniques
DNB.16.1DNB.19.1
SI-05 Security Alerts And Advisories
DNB.15.1DNB.19.2DNB.3.1
SI-08 Spam Protection
DNB.19.1
SI-12 Information Output Handling And Retention
DNB.12.1DNB.12.2DNB.12.3
SI-13 Predictable Failure Prevention
DNB.11.4

SR Supply Chain Risk Management

Control Name DNB Good Practice References
SR-01 Policy and Procedures
DNB.1.2DNB.14.2
SR-02 Supply Chain Risk Management Plan
DNB.14.2
SR-03 Supply Chain Controls and Processes
DNB.14.2DNB.16.3
SR-05 Acquisition Strategies, Tools, and Methods
DNB.14.2
SR-06 Supplier Assessments and Reviews
DNB.14.2DNB.16.3