South Africa Joint Standard 2 of 2024 — Cybersecurity and Cyber Resilience

Mandatory cybersecurity and cyber resilience requirements for all South African financial institutions including banks, insurers, market infrastructure, pension funds, and fund managers. Issued jointly by FSCA and Prudential Authority. 21 requirements covering governance, strategy, asset classification, risk assessment, access control, network security, monitoring, incident response, resilience, threat intelligence, testing, MFA, data protection, cryptography, patching, personnel security, third-party management, and regulatory reporting. Effective June 2025.

AC Access Control

Control Name SA JS2 References
AC-01 Access Control Policies and Procedures
JS2-7.1
AC-02 Account Management
JS2-7.1
AC-03 Access Enforcement
JS2-7.1
AC-04 Information Flow Enforcement
JS2-7.1, JS2-8.2
AC-05 Separation Of Duties
JS2-7.1
AC-06 Least Privilege
JS2-7.1
AC-07 Unsuccessful Login Attempts
JS2-7.1, JS2-8.1
AC-10 Concurrent Session Control
JS2-7.1
AC-11 Session Lock
JS2-7.1, JS2-8.1
AC-12 Session Termination
JS2-7.1
AC-16 Automated Labeling
JS2-6.1
AC-17 Remote Access
JS2-7.1, JS2-8.1
AC-19 Access Control For Portable And Mobile Devices
JS2-7.1
AC-20 Use Of External Information Systems
JS2-7.1
AC-23 Data Mining Protection
JS2-8.2
AC-24 Access Control Decisions
JS2-7.1

AT Awareness and Training

Control Name SA JS2 References
AT-01 Security Awareness And Training Policy And Procedures
JS2-8.6
AT-02 Security Awareness
JS2-8.6
AT-03 Security Training
JS2-8.6
AT-04 Security Training Records
JS2-8.6
AT-06 Training Feedback
JS2-8.6

AU Audit and Accountability

Control Name SA JS2 References
AU-02 Auditable Events
JS2-7.3
AU-03 Content Of Audit Records
JS2-7.3
AU-04 Audit Storage Capacity
JS2-7.3
AU-05 Response To Audit Processing Failures
JS2-7.3
AU-06 Audit Monitoring, Analysis, And Reporting
JS2-7.3, JS2-9
AU-07 Audit Reduction And Report Generation
JS2-7.3
AU-08 Time Stamps
JS2-7.3
AU-09 Protection Of Audit Information
JS2-7.3
AU-12 Audit Record Generation
JS2-7.3

CA Security Assessment and Authorization

Control Name SA JS2 References
CA-01 Certification, Accreditation, And Security Assessment Policies And Procedures
JS2-9
CA-02 Security Assessments
JS2-6.2, JS2-7.7, JS2-9
CA-05 Plan Of Action And Milestones
JS2-6.2, JS2-9
CA-07 Continuous Monitoring
JS2-7.3, JS2-7.6, JS2-7.7, JS2-9
CA-08 Penetration Testing
JS2-7.7
CA-09 Internal System Connections
JS2-7.7

CM Configuration Management

Control Name SA JS2 References
CM-01 Configuration Management Policy And Procedures
JS2-7.2
CM-02 Baseline Configuration
JS2-7.2
CM-03 Configuration Change Control
JS2-7.2, JS2-8.5
CM-04 Monitoring Configuration Changes
JS2-8.5
CM-05 Access Restrictions For Change
JS2-7.2
CM-06 Configuration Settings
JS2-7.2, JS2-8.4
CM-07 Least Functionality
JS2-7.2, JS2-8.4
CM-08 Information System Component Inventory
JS2-6.1, JS2-7.2
CM-11 User-Installed Software
JS2-8.4
CM-12 Information Location
JS2-6.1, JS2-8.2
CM-13 Data Action Mapping
JS2-6.1
CM-14 Signed Components
JS2-SA

CP Contingency Planning

Control Name SA JS2 References
CP-01 Contingency Planning Policy And Procedures
JS2-7.5
CP-02 Contingency Plan
JS2-7.5
CP-03 Contingency Training
JS2-7.5
CP-04 Contingency Plan Testing And Exercises
JS2-7.5
CP-06 Alternate Storage Site
JS2-7.5
CP-07 Alternate Processing Site
JS2-7.5
CP-08 Telecommunications Services
JS2-7.5
CP-09 Information System Backup
JS2-7.5
CP-10 Information System Recovery And Reconstitution
JS2-7.5
CP-12 Safe Mode
JS2-7.5
CP-13 Alternative Security Mechanisms
JS2-7.5

IA Identification and Authentication

Control Name SA JS2 References
IA-01 Identification And Authentication Policy And Procedures
JS2-7.1
IA-02 User Identification And Authentication
JS2-7.1, JS2-8.1
IA-03 Device Identification And Authentication
JS2-7.1
IA-04 Identifier Management
JS2-7.1
IA-05 Authenticator Management
JS2-7.1, JS2-8.1
IA-06 Authenticator Feedback
JS2-7.1, JS2-8.1
IA-08 Identification and Authentication (Non-Organizational Users)
JS2-7.1, JS2-8.1
IA-11 Re-authentication
JS2-7.1, JS2-8.1
IA-12 Identity Proofing
JS2-7.1

IR Incident Response

Control Name SA JS2 References
IR-01 Incident Response Policy And Procedures
JS2-7.4
IR-02 Incident Response Training
JS2-7.4
IR-03 Incident Response Testing And Exercises
JS2-7.4
IR-04 Incident Handling
JS2-7.3, JS2-7.4
IR-05 Incident Monitoring
JS2-7.4
IR-06 Incident Reporting
JS2-7.4, JS2-9
IR-07 Incident Response Assistance
JS2-7.4
IR-08 Incident Response Plan
JS2-7.4
IR-09 Information Spillage Response
JS2-7.4

MP Media Protection

Control Name SA JS2 References
MP-01 Media Protection Policy And Procedures
JS2-6.1, JS2-8.2
MP-02 Media Access
JS2-6.1, JS2-8.2
MP-03 Media Labeling
JS2-8.2
MP-04 Media Storage
JS2-8.2
MP-05 Media Transport
JS2-8.2
MP-06 Media Sanitization And Disposal
JS2-8.2

PE Physical and Environmental Protection

Control Name SA JS2 References
PE-01 Physical And Environmental Protection Policy And Procedures
JS2-PE
PE-02 Physical Access Authorizations
JS2-PE
PE-03 Physical Access Control
JS2-PE
PE-04 Access Control For Transmission Medium
JS2-PE
PE-05 Access Control For Display Medium
JS2-PE
PE-06 Monitoring Physical Access
JS2-PE
PE-08 Access Records
JS2-PE
PE-09 Power Equipment And Power Cabling
JS2-PE
PE-10 Emergency Shutoff
JS2-PE
PE-11 Emergency Power
JS2-PE
PE-12 Emergency Lighting
JS2-PE
PE-13 Fire Protection
JS2-PE
PE-14 Temperature And Humidity Controls
JS2-PE
PE-15 Water Damage Protection
JS2-PE
PE-17 Alternate Work Site
JS2-PE
PE-18 Location Of Information System Components
JS2-PE

PL Planning

Control Name SA JS2 References
PL-01 Security Planning Policy And Procedures
JS2-4, JS2-5
PL-02 System Security Plan
JS2-5, JS2-9
PL-04 Rules Of Behavior
JS2-4
PL-08 Security and Privacy Architectures
JS2-4, JS2-5
PL-09 Central Management
JS2-4, JS2-5
PL-10 Baseline Selection
JS2-5
PL-11 Baseline Tailoring
JS2-5

PM Program Management

Control Name SA JS2 References
PM-01 Information Security Program Plan
JS2-4, JS2-5
PM-02 Information Security Program Leadership Role
JS2-4
PM-03 Information Security and Privacy Resources
JS2-4
PM-04 Plan of Action and Milestones Process
JS2-5, JS2-9
PM-05 System Inventory
JS2-6.1
PM-06 Measures of Performance
JS2-5, JS2-9
PM-08 Critical Infrastructure Plan
JS2-7.5
PM-09 Risk Management Strategy
JS2-4, JS2-5, JS2-6.2
PM-10 Authorization Process
JS2-5, JS2-9
PM-11 Mission and Business Process Definition
JS2-5, JS2-7.5
PM-13 Security and Privacy Workforce
JS2-4, JS2-8.6
PM-14 Testing, Training, and Monitoring
JS2-7.4, JS2-7.7
PM-15 Security and Privacy Groups and Associations
JS2-7.6
PM-16 Threat Awareness Program
JS2-7.3, JS2-7.6
PM-28 Risk Framing
JS2-4, JS2-5, JS2-6.2
PM-29 Risk Management Program Leadership Roles
JS2-4
PM-30 Supply Chain Risk Management Strategy
JS2-8.7
PM-31 Continuous Monitoring Strategy
JS2-8.7
PM-32 Purposing
JS2-8.7

PS Personnel Security

Control Name SA JS2 References
PS-01 Personnel Security Policy And Procedures
JS2-8.6
PS-02 Position Categorization
JS2-8.6
PS-03 Personnel Screening
JS2-8.6
PS-04 Personnel Termination
JS2-8.6
PS-05 Personnel Transfer
JS2-8.6
PS-06 Access Agreements
JS2-8.6
PS-07 Third-Party Personnel Security
JS2-8.6, JS2-8.7
PS-08 Personnel Sanctions
JS2-8.6
PS-09 Position Descriptions
JS2-4

PT Personally Identifiable Information Processing and Transparency

Control Name SA JS2 References
PT-01 Policy and Procedures
JS2-8.2
PT-02 Authority to Process Personally Identifiable Information
JS2-8.2
PT-03 Personally Identifiable Information Processing Purposes
JS2-8.2
PT-04 Consent
JS2-8.2
PT-05 Privacy Notice
JS2-8.2
PT-06 System of Records Notice
JS2-8.2

RA Risk Assessment

Control Name SA JS2 References
RA-01 Risk Assessment Policy And Procedures
JS2-5, JS2-6.2
RA-02 Security Categorization
JS2-6.1, JS2-6.2
RA-03 Risk Assessment
JS2-5, JS2-6.2, JS2-7.6
RA-04 Risk Assessment Update
JS2-6.2
RA-05 Vulnerability Scanning
JS2-6.2, JS2-7.2, JS2-7.7, JS2-8.5
RA-06 Technical Surveillance Countermeasures Survey
JS2-6.2, JS2-7.7
RA-07 Risk Response
JS2-6.2
RA-09 Criticality Analysis
JS2-6.1, JS2-6.2, JS2-7.7
RA-10 Threat Hunting
JS2-7.3, JS2-7.6

SA System and Services Acquisition

Control Name SA JS2 References
SA-03 Life Cycle Support
JS2-SA
SA-04 Acquisitions
JS2-8.7, JS2-SA
SA-08 Security Engineering Principles
JS2-SA
SA-09 External Information System Services
JS2-8.7
SA-10 Developer Configuration Management
JS2-SA
SA-11 Developer Security Testing
JS2-7.7, JS2-SA
SA-15 Development Process, Standards, and Tools
JS2-SA
SA-17 Developer Security and Privacy Architecture and Design
JS2-SA
SA-20 Customized Development of Critical Components
JS2-SA
SA-21 Developer Screening
JS2-8.7
SA-22 Unsupported System Components
JS2-8.5, JS2-8.7

SC System and Communications Protection

Control Name SA JS2 References
SC-05 Denial Of Service Protection
JS2-7.2
SC-07 Boundary Protection
JS2-7.2, JS2-7.6
SC-08 Transmission Integrity
JS2-7.2, JS2-8.2, JS2-8.3
SC-12 Cryptographic Key Establishment And Management
JS2-8.3
SC-13 Use Of Cryptography
JS2-8.3
SC-16 Transmission Of Security Parameters
JS2-6.1
SC-17 Public Key Infrastructure Certificates
JS2-8.3
SC-20 Secure Name / Address Resolution Service (Authoritative Source)
JS2-7.2
SC-21 Secure Name / Address Resolution Service (Recursive Or Caching Resolver)
JS2-7.2
SC-22 Architecture And Provisioning For Name / Address Resolution Service
JS2-7.2
SC-24 Fail in Known State
JS2-7.5
SC-26 Decoys
JS2-7.3
SC-28 Protection of Information at Rest
JS2-8.2, JS2-8.3
SC-39 Process Isolation
JS2-7.2
SC-40 Wireless Link Protection
JS2-8.3
SC-41 Port and I/O Device Access
JS2-7.2, JS2-8.4
SC-44 Detonation Chambers
JS2-7.3, JS2-8.4

SI System and Information Integrity

Control Name SA JS2 References
SI-02 Flaw Remediation
JS2-7.2, JS2-8.5
SI-03 Malicious Code Protection
JS2-7.2, JS2-8.4
SI-04 Information System Monitoring Tools And Techniques
JS2-7.2, JS2-7.3, JS2-7.6, JS2-8.4
SI-05 Security Alerts And Advisories
JS2-7.6
SI-07 Software And Information Integrity
JS2-7.2, JS2-8.4, JS2-8.5
SI-08 Spam Protection
JS2-8.4
SI-10 Information Accuracy, Completeness, Validity, And Authenticity
JS2-SA
SI-11 Error Handling
JS2-SA
SI-12 Information Output Handling And Retention
JS2-8.2
SI-13 Predictable Failure Prevention
JS2-7.5
SI-15 Information Output Filtering
JS2-SA
SI-16 Memory Protection
JS2-7.2, JS2-8.4
SI-17 Fail-safe Procedures
JS2-7.5

SR Supply Chain Risk Management

Control Name SA JS2 References
SR-01 Policy and Procedures
JS2-8.7
SR-02 Supply Chain Risk Management Plan
JS2-8.7
SR-03 Supply Chain Controls and Processes
JS2-8.7
SR-05 Acquisition Strategies, Tools, and Methods
JS2-8.7
SR-06 Supplier Assessments and Reviews
JS2-8.7