
EU General Data Protection Regulation (2016/679)

The EU's comprehensive data protection and privacy regulation. It establishes principles for lawful processing, data subject rights, controller and processor obligations, breach notification (within 72 hours), data protection by design and by default, and cross-border transfer safeguards. It applies to any organisation processing personal data of EU residents.

Controls: 194
Total Mappings: 439
Publisher: European Union
Version: 2016/679

AC Access Control

Control Name EU GDPR References
AC-01 Access Control Policies and Procedures
  Art.24(1), Art.24(2), Art.25(1), Art.32(1)(b), Art.32(2), Art.5(1)(f)
AC-02 Account Management
  Art.25(2), Art.32(1)(b), Art.32(4), Art.5(1)(f)
AC-03 Access Enforcement
  Art.25(2), Art.32(1)(b), Art.5(1)(f)
AC-04 Information Flow Enforcement
  Art.32(1)(a), Art.44, Art.46(1), Art.5(1)(f)
AC-05 Separation Of Duties
  Art.24(1), Art.32(1)(b), Art.5(1)(f)
AC-06 Least Privilege
  Art.25(2), Art.32(1)(b), Art.5(1)(c), Art.5(1)(f)
AC-07 Unsuccessful Login Attempts
  Art.32(1)(b), Art.32(1)(d)
AC-08 System Use Notification
  Art.12(1), Art.13(1)
AC-09 Previous Logon Notification
  Art.32(1)(d), Art.5(1)(f)
AC-10 Concurrent Session Control
  Art.32(1)(b)
AC-11 Session Lock
  Art.32(1)(b)
AC-12 Session Termination
  Art.32(1)(b)
AC-13 Supervision And Review -- Access Control
  Art.32(1)(d), Art.5(1)(f), Art.5(2)
AC-14 Permitted Actions Without Identification Or Authentication
  Art.25(2)
AC-15 Automated Marking
  Art.5(1)(f)
AC-16 Automated Labeling
  Art.5(1)(e), Art.9(1)
AC-17 Remote Access
  Art.32(1)(a), Art.32(1)(b), Art.44
AC-18 Wireless Access Restrictions
  Art.32(1)(a), Art.32(1)(b)
AC-19 Access Control For Portable And Mobile Devices
  Art.32(1)(a), Art.32(1)(b)
AC-20 Use Of External Information Systems
  Art.28(1), Art.28(3)(a), Art.32(1)(b)

AT Awareness and Training

Control Name EU GDPR References
AT-01 Security Awareness And Training Policy And Procedures
  Art.39(1)(b), Art.47(2)(n), Rec.78
AT-02 Security Awareness
  Art.39(1)(b), Art.47(2)(n)
AT-03 Security Training
  Art.29, Art.32(4), Art.47(2)(n)
AT-04 Security Training Records
  Art.24(1), Art.5(2)
AT-05 Contacts With Security Groups And Associations
  Art.39(1)(b)
AT-06 Training Feedback
  Art.39(1)(b), Art.47(2)(n)

AU Audit and Accountability

Control Name EU GDPR References
AU-01 Audit And Accountability Policy And Procedures
  Art.24(1), Art.30(1), Art.30(2), Art.5(2)
AU-02 Auditable Events
  Art.30(1)(g), Art.33(3), Art.5(2), Art.7(1)
AU-03 Content Of Audit Records
  Art.30(1)(g), Art.33(3)(a), Art.33(3)(b), Art.7(1)
AU-04 Audit Storage Capacity
  Art.30(1), Art.5(1)(e)
AU-05 Response To Audit Processing Failures
  Art.32(1)(b), Art.32(1)(d)
AU-06 Audit Monitoring, Analysis, And Reporting
  Art.32(1)(d), Art.33(3)(d)
AU-07 Audit Reduction And Report Generation
  Art.30(1), Art.5(2)
AU-08 Time Stamps
  Art.33(1)
AU-09 Protection Of Audit Information
  Art.32(1)(b), Art.5(1)(f)
AU-10 Non-Repudiation
  Art.5(2)
AU-11 Audit Record Retention
  Art.17(1), Art.5(1)(e)

CA Security Assessment and Authorization

Control Name EU GDPR References
CA-01 Certification, Accreditation, And Security Assessment Policies And Procedures
  Art.24(1), Art.32(1)(d), Art.32(2)
CA-02 Security Assessments
  Art.32(1)(d), Art.35(1), Art.35(7)
CA-03 Information System Connections
  Art.28(3)(a), Art.32(1)(a)
CA-04 Security Certification
  Art.32(1)(d)
CA-05 Plan Of Action And Milestones
  Art.24(1), Art.32(1)(d)
CA-06 Security Accreditation
  Art.24(1), Art.36(1)
CA-07 Continuous Monitoring
  Art.32(1)(d), Art.35(11)
CA-09 Internal System Connections
  Art.32(1)(d)

CM Configuration Management

Control Name EU GDPR References
CM-01 Configuration Management Policy And Procedures
  Art.25(1), Art.32(1)(b), Rec.78
CM-02 Baseline Configuration
  Art.25(1), Art.32(1)(b)
CM-03 Configuration Change Control
  Art.32(1)(b), Art.32(1)(d)
CM-04 Monitoring Configuration Changes
  Art.32(1)(d), Art.35(1)
CM-05 Access Restrictions For Change
  Art.32(1)(b)
CM-06 Configuration Settings
  Art.25(1), Art.25(2), Art.32(1)(b)
CM-07 Least Functionality
  Art.25(1), Art.25(2), Art.32(1)(b)
CM-08 Information System Component Inventory
  Art.30(1), Art.35(7)(a)
CM-12 Information Location
  Art.25(1), Art.30(1), Art.35(7)(a), Art.5(1)(c), Art.5(1)(e), Rec.78
CM-13 Data Action Mapping
  Art.25(1), Art.30(1), Art.30(2), Art.35(7)(a), Art.5(1)(b), Art.5(2), Art.6(4), Rec.78

CP Contingency Planning

Control Name EU GDPR References
CP-01 Contingency Planning Policy And Procedures
  Art.32(1)(b), Art.32(1)(c)
CP-02 Contingency Plan
  Art.32(1)(b), Art.32(1)(c), Art.32(1)(d)
CP-03 Contingency Training
  Art.32(1)(d)
CP-04 Contingency Plan Testing And Exercises
  Art.32(1)(d)
CP-05 Contingency Plan Update
  Art.32(1)(c), Art.32(1)(d)
CP-06 Alternate Storage Site
  Art.32(1)(c)
CP-07 Alternate Processing Site
  Art.32(1)(c)
CP-08 Telecommunications Services
  Art.32(1)(b), Art.32(1)(c)
CP-09 Information System Backup
  Art.32(1)(c)
CP-10 Information System Recovery And Reconstitution
  Art.32(1)(c), Art.32(1)(d)

IA Identification and Authentication

Control Name EU GDPR References
IA-01 Identification And Authentication Policy And Procedures
  Art.32(1)(b), Art.32(1)(d), Art.5(1)(f)
IA-02 User Identification And Authentication
  Art.32(1)(b), Art.32(1)(d)
IA-03 Device Identification And Authentication
  Art.32(1)(b)
IA-04 Identifier Management
  Art.32(1)(b), Art.5(1)(f)
IA-05 Authenticator Management
  Art.32(1)(a), Art.32(1)(b)
IA-06 Authenticator Feedback
  Art.32(1)(b)
IA-07 Cryptographic Module Authentication
  Art.32(1)(a), Rec.83

IR Incident Response

Control Name EU GDPR References
IR-01 Incident Response Policy And Procedures
  Art.33(1), Art.33(2), Art.34(1), Art.34(2)
IR-02 Incident Response Training
  Art.33(2), Art.39(1)(b)
IR-03 Incident Response Testing And Exercises
  Art.32(1)(d), Art.33(5)
IR-04 Incident Handling
  Art.33(1), Art.33(3), Art.33(4), Art.34(1)
IR-05 Incident Monitoring
  Art.33(3)(d), Art.33(5)
IR-06 Incident Reporting
  Art.33(1), Art.33(2), Art.34(1), Art.34(3)
IR-07 Incident Response Assistance
  Art.33(1), Art.34(1), Art.34(2)
IR-09 Information Spillage Response
  Art.33(2), Art.33(5)

MA Maintenance

Control Name EU GDPR References
MA-01 System Maintenance Policy And Procedures
  Art.32(1)(b), Rec.78
MA-02 Controlled Maintenance
  Art.32(1)(b), Art.32(1)(d)
MA-03 Maintenance Tools
  Art.32(1)(b)
MA-04 Remote Maintenance
  Art.32(1)(a), Art.32(1)(b)
MA-05 Maintenance Personnel
  Art.28(3)(b), Art.32(4)
MA-06 Timely Maintenance
  Art.32(1)(d)

MP Media Protection

Control Name EU GDPR References
MP-01 Media Protection Policy And Procedures
  Art.32(1)(a), Art.5(1)(f), Rec.78
MP-02 Media Access
  Art.32(1)(b), Art.5(1)(f)
MP-03 Media Labeling
  Art.5(1)(f), Art.9(1)
MP-04 Media Storage
  Art.32(1)(a), Art.5(1)(f)
MP-05 Media Transport
  Art.32(1)(a), Art.44, Art.5(1)(f)
MP-06 Media Sanitization And Disposal
  Art.17(1), Art.32(1)(a), Art.5(1)(f)

PE Physical and Environmental Protection

Control Name EU GDPR References
PE-01 Physical And Environmental Protection Policy And Procedures
  Art.32(1)(b), Rec.78
PE-02 Physical Access Authorizations
  Art.32(1)(b)
PE-03 Physical Access Control
  Art.32(1)(b)
PE-04 Access Control For Transmission Medium
  Art.32(1)(b)
PE-05 Access Control For Display Medium
  Art.32(1)(b)
PE-06 Monitoring Physical Access
  Art.32(1)(b), Art.32(1)(d)
PE-08 Access Records
  Art.32(1)(b)
PE-16 Delivery And Removal
  Art.32(1)(b)
PE-17 Alternate Work Site
  Art.32(1)(b)

PL Planning

Control Name EU GDPR References
PL-01 Security Planning Policy And Procedures
  Art.24(1), Art.25(1)
PL-02 System Security Plan
  Art.25(1), Art.35(1), Art.35(7)
PL-03 System Security Plan Update
  Art.25(1)
PL-04 Rules Of Behavior
  Art.29, Art.39(1)(b)
PL-05 Privacy Impact Assessment
  Art.35(1), Art.35(7), Art.36(1)
PL-06 Security-Related Activity Planning
  Art.25(1), Art.35(1)
PL-09 Central Management
  Art.24(1), Art.24(2)
PL-10 Baseline Selection
  Art.24(1)

PS Personnel Security

Control Name EU GDPR References
PS-01 Personnel Security Policy And Procedures
  Art.32(4), Art.39(1)(b), Rec.78
PS-02 Position Categorization
  Art.32(4)
PS-03 Personnel Screening
  Art.28(3)(b), Art.32(4)
PS-04 Personnel Termination
  Art.29, Art.32(1)(b)
PS-05 Personnel Transfer
  Art.29, Art.32(1)(b)
PS-06 Access Agreements
  Art.29, Art.32(4)
PS-07 Third-Party Personnel Security
  Art.28(1), Art.28(3)(b), Art.32(4)
PS-08 Personnel Sanctions
  Art.32(4)
PS-09 Position Descriptions
  Art.29, Art.32(4), Art.37(1), Art.39(1)

PT Personally Identifiable Information Processing and Transparency

Control Name EU GDPR References
PT-01 Policy and Procedures
  Art.12(1), Art.13(1), Art.14(1), Art.5(1)(a), Art.5(1)(b), Art.5(2), Art.6(1), Art.9(1)
PT-02 Authority to Process Personally Identifiable Information
  Art.12(1), Art.12(7), Art.13(1), Art.13(2), Art.14(1), Art.14(2), Art.5(1)(a), Art.6(1)
PT-03 Personally Identifiable Information Processing Purposes
  Art.5(1)(b), Art.6(4), Art.9(1), Art.9(2)
PT-04 Consent
  Art.5(1)(a), Art.6(1)(a), Art.7(1), Art.7(2), Art.7(3), Art.8(1)
PT-05 Privacy Notice
  Art.12(1), Art.13(1), Art.14(1), Art.5(1)(a), Art.5(1)(b)
PT-06 System of Records Notice
  Art.25(1), Art.25(2), Art.35(1), Art.35(7)
PT-07 Specific Categories of Personally Identifiable Information
  Art.5(1)(b), Art.5(1)(c), Art.5(1)(e), Art.6(4), Art.9(1)
PT-08 Computer Matching Requirements
  Art.22(1), Art.22(2), Art.22(3), Art.22(4)

RA Risk Assessment

Control Name EU GDPR References
RA-01 Risk Assessment Policy And Procedures
  Art.24(1), Art.32(1), Art.35(1)
RA-02 Security Categorization
  Art.30(1), Art.35(7)(a)
RA-03 Risk Assessment
  Art.32(1), Art.35(1), Art.35(7)(c)
RA-04 Risk Assessment Update
  Art.32(1)(d), Art.35(11)
RA-05 Vulnerability Scanning
  Art.32(1)(d)
RA-07 Risk Response
  Art.32(1), Art.32(2)
RA-08 Privacy Impact Assessments
  Art.35(1), Art.35(3), Art.35(7), Art.35(7)(c)

SA System and Services Acquisition

Control Name EU GDPR References
SA-01 System And Services Acquisition Policy And Procedures
  Art.25(1), Rec.78
SA-02 Allocation Of Resources
  Art.25(1), Art.32(1)
SA-03 Life Cycle Support
  Art.25(1), Art.28(1)
SA-04 Acquisitions
  Art.28(1), Art.28(3), Art.28(3)(a)
SA-05 Information System Documentation
  Art.30(1)
SA-06 Software Usage Restrictions
  Art.25(1)
SA-07 User Installed Software
  Art.25(1)
SA-08 Security Engineering Principles
  Art.25(1), Art.25(2), Rec.78
SA-09 External Information System Services
  Art.28(1), Art.28(3), Art.44, Art.46(1), Art.46(2)
SA-10 Developer Configuration Management
  Art.25(1), Art.32(1)(d)
SA-11 Developer Security Testing
  Art.25(1), Art.32(1)(d)

SC System and Communications Protection

Control Name EU GDPR References
SC-01 System And Communications Protection Policy And Procedures
  Art.32(1)(a), Art.32(1)(b), Art.5(1)(f)
SC-02 Application Partitioning
  Art.32(1)(b), Art.5(1)(f)
SC-03 Security Function Isolation
  Art.32(1)(a), Art.32(1)(b)
SC-04 Information Remnance
  Art.32(1)(a), Art.5(1)(f)
SC-05 Denial Of Service Protection
  Art.32(1)(b)
SC-06 Resource Priority
  Art.32(1)(b)
SC-07 Boundary Protection
  Art.32(1)(a), Art.32(1)(b), Art.5(1)(f)
SC-08 Transmission Integrity
  Art.32(1)(a), Art.5(1)(f), Rec.83
SC-09 Transmission Confidentiality
  Art.32(1)(a), Rec.83
SC-10 Network Disconnect
  Art.32(1)(b)
SC-11 Trusted Path
  Art.32(1)(a)
SC-12 Cryptographic Key Establishment And Management
  Art.32(1)(a), Rec.83
SC-13 Use Of Cryptography
  Art.32(1)(a), Art.5(1)(f), Rec.83
SC-14 Public Access Protections
  Art.32(1)(a)
SC-15 Collaborative Computing
  Art.32(1)(b)
SC-16 Transmission Of Security Parameters
  Art.32(1)(a)
SC-17 Public Key Infrastructure Certificates
  Art.32(1)(a), Rec.83
SC-18 Mobile Code
  Art.32(1)(b)
SC-19 Voice Over Internet Protocol
  Art.32(1)(a)
SC-20 Secure Name / Address Resolution Service (Authoritative Source)
  Art.32(1)(a)
SC-21 Secure Name / Address Resolution Service (Recursive Or Caching Resolver)
  Art.32(1)(a)
SC-22 Architecture And Provisioning For Name / Address Resolution Service
  Art.32(1)(a)
SC-23 Session Authenticity
  Art.32(1)(a), Art.32(1)(b)
SC-24 Fail in Known State
  Art.32(1)(b)
SC-28 Protection of Information at Rest
  Art.32(1)(a), Art.5(1)(f), Rec.83

SI System and Information Integrity

Control Name EU GDPR References
SI-01 System And Information Integrity Policy And Procedures
  Art.32(1)(b), Art.5(1)(d), Art.5(1)(f)
SI-02 Flaw Remediation
  Art.32(1)(b), Art.32(1)(d)
SI-03 Malicious Code Protection
  Art.32(1)(b)
SI-04 Information System Monitoring Tools And Techniques
  Art.32(1)(b), Art.32(1)(d)
SI-05 Security Alerts And Advisories
  Art.32(1)(d)
SI-06 Security Functionality Verification
  Art.32(1)(d), Art.5(1)(d)
SI-07 Software And Information Integrity
  Art.32(1)(b), Art.5(1)(d), Art.5(1)(f)
SI-08 Spam Protection
  Art.32(1)(b)
SI-09 Information Input Restrictions
  Art.25(2), Art.5(1)(f)
SI-10 Information Accuracy, Completeness, Validity, And Authenticity
  Art.5(1)(d)
SI-11 Error Handling
  Art.32(1)(b)
SI-12 Information Output Handling And Retention
  Art.17(1), Art.32(1)(a), Art.5(1)(e), Art.5(1)(f)
SI-18 Personally Identifiable Information Quality Operations
  Art.16, Art.5(1)(d)

SR Supply Chain Risk Management

Control Name EU GDPR References
SR-01 Policy and Procedures
  Art.28(1), Art.28(3), Art.28(4)
SR-02 Supply Chain Risk Management Plan
  Art.28(1), Art.28(3)(c), Art.28(3)(h)
SR-03 Supply Chain Controls and Processes
  Art.28(1), Art.28(2), Art.28(4)
SR-04 Provenance
  Art.28(3)(a), Art.28(3)(h)
SR-05 Acquisition Strategies, Tools, and Methods
  Art.28(3)(a), Art.28(3)(h)
SR-06 Supplier Assessments and Reviews
  Art.28(3)(h)
SR-07 Supply Chain Operations Security
  Art.28(3)(a), Art.28(3)(h)
SR-08 Notification Agreements
  Art.28(3)(f), Art.33(2)
SR-09 Tamper Resistance and Detection
  Art.28(1), Art.28(4)
SR-10 Inspection of Systems or Components
  Art.28(3)(h)
SR-11 Component Authenticity
  Art.28(3)(h), Art.30(2)(d)
SR-12 Component Disposal
  Art.17(1), Art.28(1), Art.28(3)(g)