ISO 27001 v2022
ISO 27001:2022 Annex A control references with NIST CSF 2.0 mappings
ISO 27001 is a copyrighted standard. This tool provides control identifiers and cross-framework mappings via NIST OLIR (public domain). For complete control requirements, obtain the official standard from ISO.
5 — Organizational Controls (37 controls)
5.1  Policies for information security
5.2  Information security roles and responsibilities
5.3  Segregation of duties
5.4  Management responsibilities
5.5  Contact with authorities
5.6  Contact with special interest groups
5.7  Threat intelligence
5.8  Information security in project management
5.9  Inventory of information and other associated assets
5.10  Acceptable use of information and other associated assets
5.11  Return of assets
5.12  Classification of information
5.13  Labelling of information
5.14  Information transfer
5.15  Access control
5.16  Identity management
5.17  Authentication information
5.18  Access rights
5.19  Information security in supplier relationships
5.20  Addressing information security within supplier agreements
5.21  Managing information security in the ICT supply chain
5.22  Monitoring, review and change management of supplier services
5.23  Information security for use of cloud services
5.24  Information security incident management planning and preparation
5.25  Assessment and decision on information security events
5.26  Response to information security incidents
5.27  Learning from information security incidents
5.28  Collection of evidence
5.29  Information security during disruption
5.30  ICT readiness for business continuity
5.31  Legal, statutory, regulatory and contractual requirements
5.32  Intellectual property rights
5.33  Protection of records
5.34  Privacy and protection of PII
5.35  Independent review of information security
5.36  Compliance with policies, rules and standards for information security
5.37  Documented operating procedures
6 — People Controls (8 controls)
7 — Physical Controls (14 controls)
7.1  Physical security perimeters
7.2  Physical entry
7.3  Securing offices, rooms and facilities
7.4  Physical security monitoring
7.5  Protecting against physical and environmental threats
7.6  Working in secure areas
7.7  Clear desk and clear screen
7.8  Equipment siting and protection
7.9  Security of assets off-premises
7.10  Storage media
7.11  Supporting utilities
7.12  Cabling security
7.13  Equipment maintenance
7.14  Secure disposal or re-use of equipment
8 — Technological Controls (34 controls)
8.1  User endpoint devices
8.2  Privileged access rights
8.3  Information access restriction
8.4  Access to source code
8.5  Secure authentication
8.6  Capacity management
8.7  Protection against malware
8.8  Management of technical vulnerabilities
8.9  Configuration management
8.10  Information deletion
8.11  Data masking
8.12  Data leakage prevention
8.13  Information backup
8.14  Redundancy of information processing facilities
8.15  Logging
8.16  Monitoring activities
8.17  Clock synchronization
8.18  Use of privileged utility programs
8.19  Installation of software on operational systems
8.20  Networks security
8.21  Security of network services
8.22  Segregation of networks
8.23  Web filtering
8.24  Use of cryptography
8.25  Secure development life cycle
8.26  Application security requirements
8.27  Secure system architecture and engineering principles
8.28  Secure coding
8.29  Security testing in development and acceptance
8.30  Outsourced development
8.31  Separation of development, test and production environments
8.32  Change management
8.33  Test information
8.34  Protection of information systems during audit testing