← Frameworks / Management System

ISO/IEC 27001:2022

Information security management systems standard. Specifies requirements for establishing, implementing, maintaining and continually improving an ISMS.

Clauses: 117
Avg Coverage: 84.5%
Publisher: ISO/IEC Version: 2022
ISO 27001:2022 → SP 800-53 SP 800-53 → ISO 27001:2022 Coverage Analysis
Clause Title SP 800-53 Controls
4.1 Understanding the organization and its context
RA-03 PM-08 PM-11 PM-32
4.2 Understanding the needs and expectations of interested parties
PM-08 PM-11 SR-01 SR-02 SR-03
4.3 Determining the scope of the ISMS
PM-01 PM-07 PM-10 PL-10
4.4 Information security management system
PM-01 PM-02 PM-03 PM-06 PL-09
5.1 Leadership and commitment
PM-01 PM-02 PM-13 PM-29
5.2 Policy
PL-01 PM-01
5.3 Organizational roles, responsibilities, and authorities
PM-02 PL-01 PS-01 PS-09
6.1 Actions to address risks and opportunities
RA-01 RA-02 RA-03 RA-07 PM-09 PM-28 PL-10 PL-11
6.1.3 Information security risk treatment
RA-03 RA-07 PM-09 CA-05 PM-04 PL-10 PL-11
6.2 Information security objectives and planning to achieve them
PM-01 PM-03 PM-06
6.3 Planning of changes
CM-03 CM-04 SA-10
7.1 Resources
PM-03 SA-03 SA-02
7.2 Competence
PM-13 PM-16 AT-01 AT-02 AT-03 AT-06
7.3 Awareness
AT-01 AT-02 PM-13
7.4 Communication
PM-01 PL-04 IR-07
7.5 Documented information
PL-02 PM-01 AU-01 AU-02 AU-03 AU-04 AU-05 AU-06 AU-07 AU-08 AU-09 AU-10 AU-11 AU-12 AU-13 AU-14 AU-15 AU-16
8.1 Operational planning and control
PL-02 PM-01 CA-02 PL-09 PL-10 PL-11
8.2 Information security risk assessment
RA-03 RA-05 RA-09
8.3 Information security risk treatment
CA-05 PM-04 RA-03 RA-07
9.1 Monitoring, measurement, analysis and evaluation
CA-07 PM-06 SI-04 PM-14
9.2 Internal audit
CA-02 CA-07 AU-06
9.3 Management review
PM-01 PM-06 CA-07
10.1 Continual improvement
PM-01 CA-07 PM-06
10.2 Nonconformity and corrective action
CA-05 PM-04 RA-07
A.5.1 Policies for information security
PL-01 PM-01 AC-01 AT-01 AU-01 CA-01 CM-01 CP-01 IA-01 IR-01 MA-01 MP-01 PE-01 PS-01 RA-01 SA-01 SC-01 SI-01 PT-01 SR-01
A.5.2 Information security roles and responsibilities
PM-02 PS-01 PL-01 PM-10 PS-09
A.5.3 Segregation of duties
AC-05
A.5.4 Management responsibilities
PM-02 PM-13 PS-01 AT-01 PM-29
A.5.5 Contact with authorities
IR-06 PM-15
A.5.6 Contact with special interest groups
PM-15 PM-16
A.5.7 Threat intelligence
PM-16 RA-03 RA-05 RA-10 SI-05
A.5.8 Information security in project management
SA-03 SA-04 PM-07
A.5.9 Inventory of information and other associated assets
CM-08 PM-05 CM-12
A.5.10 Acceptable use of information and other associated assets
PL-04 AC-20
A.5.11 Return of assets
PS-04
A.5.12 Classification of information
RA-02
A.5.13 Labelling of information
MP-03 RA-02 AC-16
A.5.14 Information transfer
SC-07 SC-08 SC-12 AC-04 AC-20 CA-03
A.5.15 Access control
AC-01 AC-02 AC-03 AC-06 AC-17 AC-24
A.5.16 Identity management
IA-01 IA-02 IA-04 IA-05 IA-08 IA-12
A.5.17 Authentication information
IA-05 IA-06
A.5.18 Access rights
AC-02 AC-06 AC-25
A.5.19 Information security in supplier relationships
SA-04 SA-09 SR-01 SR-02 SR-03
A.5.20 Addressing information security within supplier agreements
SA-04 SA-09 SR-03
A.5.21 Managing information security in the ICT supply chain
SR-01 SR-02 SR-03 SR-05 SR-06 SR-11
A.5.22 Monitoring, review and change management of supplier services
SA-09 SR-06 CA-07
A.5.23 Information security for use of cloud services
SA-09 AC-20 SC-07
A.5.24 Information security incident management planning and preparation
IR-01 IR-02 IR-03 IR-08
A.5.25 Assessment and decision on information security events
IR-04 IR-05 IR-06
A.5.26 Response to information security incidents
IR-04 IR-06 IR-07
A.5.27 Learning from information security incidents
IR-03 IR-04 IR-06
A.5.28 Collection of evidence
IR-04 AU-03 AU-06 AU-11
A.5.29 Information security during disruption
CP-01 CP-02 CP-03 CP-04 CP-06 CP-07 CP-09 CP-10
A.5.30 ICT readiness for business continuity
CP-02 CP-07 CP-08 CP-09 CP-10 CP-13
A.5.31 Legal, statutory, regulatory and contractual requirements
PL-04 PM-01 SA-04
A.5.32 Intellectual property rights
A.5.33 Protection of records
AU-11 SI-12
A.5.34 Privacy and protection of PII
PT-01 PT-02 PT-03 PT-04 PT-05 PT-06 PT-07 PT-08 PM-25 PM-26 PM-27
A.5.35 Independent review of information security
CA-02 CA-07 PM-06
A.5.36 Compliance with policies, rules and standards
CA-02 AU-06 PM-06 CM-04
A.5.37 Documented operating procedures
PL-02 SA-05 CM-01
A.6.1 Screening
PS-03
A.6.2 Terms and conditions of employment
PS-06 PL-04 PS-09
A.6.3 Information security awareness, education and training
AT-02 AT-03 AT-04 PM-13 AT-06
A.6.4 Disciplinary process
PS-08
A.6.5 Responsibilities after termination or change of employment
PS-04 PS-05
A.6.6 Confidentiality or non-disclosure agreements
PS-06
A.6.7 Remote working
AC-17 PE-17
A.6.8 Information security event reporting
IR-06 IR-07
A.7.1 Physical security perimeters
PE-03 PE-04
A.7.2 Physical entry
PE-02 PE-03 PE-06 PE-08
A.7.3 Securing offices, rooms and facilities
PE-03 PE-05
A.7.4 Physical security monitoring
PE-06 PE-08
A.7.5 Protecting against physical and environmental threats
PE-09 PE-10 PE-11 PE-12 PE-13 PE-14 PE-15 PE-23
A.7.6 Working in secure areas
PE-02 PE-03 PE-07
A.7.7 Clear desk and clear screen
AC-11 MP-04
A.7.8 Equipment siting and protection
PE-01 PE-14 PE-18 PE-23
A.7.9 Security of assets off-premises
AC-17 MP-05 SC-28
A.7.10 Storage media
MP-01 MP-02 MP-03 MP-04 MP-05 MP-06 MP-07 MP-08
A.7.11 Supporting utilities
PE-09 PE-10 PE-11 PE-12
A.7.12 Cabling security
PE-04 PE-09
A.7.13 Equipment maintenance
MA-01 MA-02 MA-03 MA-04 MA-05 MA-06 MA-07
A.7.14 Secure disposal or re-use of equipment
MP-06 MP-07 PM-32
A.8.1 User endpoint devices
AC-19 CM-07 SC-28
A.8.2 Privileged access rights
AC-06
A.8.3 Information access restriction
AC-03 AC-04 AC-06
A.8.4 Access to source code
CM-05 AC-03 SA-10
A.8.5 Secure authentication
IA-02 IA-05 IA-08 IA-11
A.8.6 Capacity management
AU-04 CP-02 SC-05 SC-06
A.8.7 Protection against malware
SI-03 SI-08
A.8.8 Management of technical vulnerabilities
RA-05 SI-02 SI-05
A.8.9 Configuration management
CM-01 CM-02 CM-03 CM-04 CM-05 CM-06 CM-07 CM-08 CM-09 CM-10 CM-11 CM-14
A.8.10 Information deletion
MP-06 SI-12 SR-12
A.8.11 Data masking
SI-19 PT-06 PT-07
A.8.12 Data leakage prevention
AC-04 PE-19 SC-07 SI-04
A.8.13 Information backup
CP-09 CP-06
A.8.14 Redundancy of information processing facilities
CP-06 CP-07 CP-08
A.8.15 Logging
AU-01 AU-02 AU-03 AU-04 AU-05 AU-06 AU-07 AU-08 AU-09 AU-10 AU-11 AU-12
A.8.16 Monitoring activities
SI-04 AU-06 CA-07 IR-04
A.8.17 Clock synchronization
AU-08
A.8.18 Use of privileged utility programs
CM-07 CM-11 AC-06
A.8.19 Installation of software on operational systems
CM-05 CM-07 CM-11 CM-14 SA-22
A.8.20 Networks security
SC-07 SC-08 AC-04 CA-09
A.8.21 Security of network services
SC-07 SC-08 SA-09
A.8.22 Segregation of networks
SC-07 SC-32
A.8.23 Web filtering
SC-07 SI-03 AC-04
A.8.24 Use of cryptography
SC-12 SC-13 SC-28
A.8.25 Secure development life cycle
SA-03 SA-08 SA-10 SA-11 SA-15 SA-17
A.8.26 Application security requirements
SA-04 SA-08
A.8.27 Secure system architecture and engineering principles
SA-08 SA-17 SC-07 SC-32
A.8.28 Secure coding
SA-11 SA-15 SA-16 SA-17
A.8.29 Security testing in development and acceptance
SA-11 CA-02 SA-04
A.8.30 Outsourced development
SA-04 SA-09 SA-10 SA-11
A.8.31 Separation of development, test and production environments
CM-04 SA-11 SC-32
A.8.32 Change management
CM-03 CM-04 CM-05 SA-10
A.8.33 Test information
SA-11 SA-15
A.8.34 Protection of information systems during audit testing
CA-02 AU-06 CA-08