27001-2013 to Cybersecurity Framework-1.0

Published on May 2016

Mapping of ISO/IEC 27001:2013 Requirements and Control Objectives to the Cybersecurity Framework v 1.0 Subcategories
Provided by David Ochel / Secuilibrium, LLC.

Cross-Reference Sources:
The mapping is mainly derived from the CSF's Table 2 without (intentional) modification, indicated by "CSF" in the source column. A mapping of CSF Subcategories to non-Annex A requirements from 27001 (and in one case to an omitted (?) control objective from Annex A) has been added, identified by the "DO" in the source column.

Column Legend for the "Mapping" sheet:
27001: Identifies clause number or control objective in Annex A of 27001.
27001 Requirement/Objective: Heading of the clause or statement of the control objective from 27001. (Controls are not reproduced!)
CSF: Identifies Subcategory from Table 2: Framework Core in Appendix A of CSF.
CSF Subcategory: Subcategory statement from CSF.
Source: Source of the provided cross-reference.

Notes:
The Cybersecurity Framework maps its Subcategory ID.GV-3 to ISO/IEC 27001 A.18.1. This has been interpreted as mapping it to all of the five control objectives A.18.1.1 through A.18.1.5.
Relevant numbers in control objective and subcategory identifiers were changed to a two-digit formatting in order to allow for easier sorting using Excel's mechanisms. (E.g., A.6.1.1 was reformatted to A06.1.1.)

References:
[27001] ISO/IEC 27001:2013(E): International Standard ISO/IEC 27001, Information technology - Security techniques - Information security management systems - Requirements, Second edition 2013-10-01
[CSF] Framework for Improving Critical Infrastructure Cybersecurity, Version 1.0, National Institute of Standards and Technology, February 12, 2014

License:
This work is licensed under the Creative Commons Attribution-ShareAlike 4.0 International License. To view a copy of this license, visit http://creativecommons.org/licenses/by-sa/4.0/deed.en_US.

Version History:
Version  Date        Notes
1        2014-02-14  Initial Version
Mapping of ISO/IEC 27001:2013 Requirements and Control Objectives to the Cybersecurity Framework v 1.0 Subcategories
27001 | 27001 Requirement/Objective
04.1 Understanding the organization and its context
04.2 Understanding the needs and expectations of interested parties
04.3 Determining the scope of the information security management system
04.4 Information security management system
05.1 Leadership and commitment
05.2 Policy
05.3 Organizational roles, responsibilities, and authorities
06.1 Actions to address risks and opportunities
06.1.1 General
06.1.1 General
06.1.2 Information security risk assessment
06.1.2 Information security risk assessment
06.1.2 Information security risk assessment
06.1.3 Information security risk treatment
06.1.3 Information security risk treatment
06.2 Information security objectives and planning to achieve them
07.1 Resources
07.2 Competence
07.3 Awareness
07.4 Communication
07.5.1 General
07.5.2 Creating and updating
07.5.3 Control of documented information
07.5.3 Control of documented information
07.5.3 Control of documented information
07.5.3 Control of documented information
08.1 Operational planning and control
08.2 Information security risk assessment
08.3 Information security risk treatment
09.1 Monitoring, measurement, analysis and evaluation
09.1 Monitoring, measurement, analysis and evaluation
09.2 Internal audit
09.3 Management review
10.1 Nonconformity and corrective action
10.1 Nonconformity and corrective action
10.1 Nonconformity and corrective action
10.2 Continual improvement
A.05.1.1 Policies for information security
A.05.1.2 Review of the policies for information security
A.06.1.1 Information security roles and responsibilities
A.06.1.1 Information security roles and responsibilities
A.06.1.1 Information security roles and responsibilities
A.06.1.1 Information security roles and responsibilities
A.06.1.1 Information security roles and responsibilities
A.06.1.1 Information security roles and responsibilities
A.06.1.1 Information security roles and responsibilities
A.06.1.1 Information security roles and responsibilities
A.06.1.2 Segregation of duties
A.06.1.2 Segregation of duties
A.06.1.3 Contact with authorities
A.06.1.4 Contact with special interest groups
A.06.1.5 Information security in project management
A.06.2.1 Mobile device policy
A.06.2.2 Teleworking
A.07.1.1 Screening
A.07.1.1 Screening
A.07.1.2 Terms and conditions of employment
A.07.2.1 Management responsibilities
A.07.2.2 Information security awareness, education and training
A.07.2.2 Information security awareness, education and training
A.07.2.2 Information security awareness, education and training
A.07.2.2 Information security awareness, education and training
A.07.2.2 Information security awareness, education and training
A.07.2.3 Disciplinary process
A.07.3.1 Termination or change of employment responsibilities
A.07.3.1 Termination or change of employment responsibilities
A.08.1.1 Inventory of assets
A.08.1.1 Inventory of assets
A.08.1.2 Ownership of assets
A.08.1.2 Ownership of assets
A.08.1.3 Acceptable use of assets
A.08.1.4 Return of assets
A.08.2.1 Classification of information
A.08.2.2 Labelling of information
A.08.2.2 Labelling of information
A.08.2.3 Handling of assets
A.08.2.3 Handling of assets
A.08.2.3 Handling of assets
A.08.2.3 Handling of assets
A.08.2.3 Handling of assets
A.08.2.3 Handling of assets
A.08.3.1 Management of removable media
A.08.3.1 Management of removable media
A.08.3.1 Management of removable media
A.08.3.2 Disposal of media
A.08.3.2 Disposal of media
A.08.3.3 Physical media transfer
A.08.3.3 Physical media transfer
A.09.1.1 Access control policy
A.09.1.2 Access to networks and network services
A.09.1.2 Access to networks and network services
A.09.1.2 Access to networks and network services
A.09.2.1 User registration and de-registration
A.09.2.2 User access provisioning
A.09.2.3 Management of privileged access rights
A.09.2.3 Management of privileged access rights
A.09.2.4 Management of secret authentication information of users
A.09.2.5 Review of user access rights
A.09.2.6 Removal or adjustment of access rights
A.09.3.1 Use of secret authentication information
A.09.4.1 Information access restriction
A.09.4.1 Information access restriction
A.09.4.2 Secure log-on procedures
A.09.4.3 Password management system
A.09.4.4 Use of privileged utility programs
A.09.4.4 Use of privileged utility programs
A.09.4.5 Access control to program source code
A.10.1.1 Policy on the use of cryptographic controls
A.10.1.2 Key management
A.11.1.1 Physical security perimeter
A.11.1.2 Physical entry controls
A.11.1.2 Physical entry controls
A.11.1.3 Securing offices, rooms and facilities
A.11.1.4 Protecting against external and environmental threats
A.11.1.4 Protecting against external and environmental threats
A.11.1.4 Protecting against external and environmental threats
A.11.1.5 Working in secure areas
A.11.1.6 Delivery and loading areas
A.11.2.1 Equipment siting and protection
A.11.2.2 Supporting utilities
A.11.2.2 Supporting utilities
A.11.2.3 Cabling security
A.11.2.3 Cabling security
A.11.2.3 Cabling security
A.11.2.4 Equipment maintenance
A.11.2.4 Equipment maintenance
A.11.2.5 Removal of assets
A.11.2.6 Security of equipment and assets off-premises
A.11.2.7 Secure disposal or re-use of equipment
A.11.2.7 Secure disposal or re-use of equipment
A.11.2.8 Unattended user equipment
A.11.2.9 Clear desk and clear screen policy
A.12.1.1 Documented operating procedures
A.12.1.2 Change management
A.12.1.2 Change management
A.12.1.3 Capacity management
A.12.1.4 Separation of development, testing and operational environments
A.12.2.1 Controls against malware
A.12.2.1 Controls against malware
A.12.2.1 Controls against malware
A.12.3.1 Information backup
A.12.3.1 Information backup
A.12.4.1 Event logging
A.12.4.1 Event logging
A.12.4.1 Event logging
A.12.4.2 Protection of log information
A.12.4.3 Administrator and operator logs
A.12.4.3 Administrator and operator logs
A.12.4.4 Clock synchronisation
A.12.5.1 Installation of software on operational systems
A.12.5.1 Installation of software on operational systems
A.12.5.1 Installation of software on operational systems
A.12.5.1 Installation of software on operational systems
A.12.6.1 Management of technical vulnerabilities
A.12.6.1 Management of technical vulnerabilities
A.12.6.1 Management of technical vulnerabilities
A.12.6.1 Management of technical vulnerabilities
A.12.6.1 Management of technical vulnerabilities
A.12.6.2 Restrictions on software installation
A.12.6.2 Restrictions on software installation
A.12.7.1 Information systems audit controls
A.13.1.1 Network controls
A.13.1.1 Network controls
A.13.1.1 Network controls
A.13.1.1 Network controls
A.13.1.2 Security of network services
A.13.1.3 Segregation in networks
A.13.1.3 Segregation in networks
A.13.2.1 Information transfer policies and procedures
A.13.2.1 Information transfer policies and procedures
A.13.2.1 Information transfer policies and procedures
A.13.2.1 Information transfer policies and procedures
A.13.2.1 Information transfer policies and procedures
A.13.2.1 Information transfer policies and procedures
A.13.2.2 Agreements on information transfer
A.13.2.3 Electronic messaging
A.13.2.3 Electronic messaging
A.13.2.4 Confidentiality or non-disclosure agreements
A.14.1.1 Information security requirements analysis and specification
A.14.1.2 Securing application services on public networks
A.14.1.2 Securing application services on public networks
A.14.1.2 Securing application services on public networks
A.14.1.3 Protecting application services transactions
A.14.1.3 Protecting application services transactions
A.14.1.3 Protecting application services transactions
A.14.2.1 Secure development policy
A.14.2.2 System change control procedures
A.14.2.2 System change control procedures
A.14.2.3 Technical review of applications after operating platform changes
A.14.2.3 Technical review of applications after operating platform changes
A.14.2.4 Restrictions on changes to software packages
A.14.2.4 Restrictions on changes to software packages
A.14.2.5 Secure system engineering principles
A.14.2.6 Secure development environment
A.14.2.7 Outsourced development
A.14.2.8 System security testing
A.14.2.9 System acceptance testing
A.14.3.1 Protection of test data
A.15.1.1 Information security policy for supplier relationships
A.15.1.2 Addressing security within supplier agreements
A.15.1.3 Information and communication technology supply chain
A.15.2.1 Monitoring and review of supplier services
A.15.2.1 Monitoring and review of supplier services
A.15.2.1 Monitoring and review of supplier services
A.15.2.2 Managing changes to supplier services
A.16.1.1 Responsibilities and procedures
A.16.1.1 Responsibilities and procedures
A.16.1.1 Responsibilities and procedures
A.16.1.2 Reporting information security events
A.16.1.2 Reporting information security events
A.16.1.2 Reporting information security events
A.16.1.3 Reporting information security weaknesses
A.16.1.4 Assessment of and decision on information security events
A.16.1.4 Assessment of and decision on information security events
A.16.1.4 Assessment of and decision on information security events
A.16.1.5 Response to information security incidents
A.16.1.5 Response to information security incidents
A.16.1.5 Response to information security incidents
A.16.1.5 Response to information security incidents
A.16.1.5 Response to information security incidents
A.16.1.6 Learning from information security incidents
A.16.1.6 Learning from information security incidents
A.16.1.6 Learning from information security incidents
A.16.1.6 Learning from information security incidents
A.16.1.7 Collection of evidence
A.17.1.1 Planning information security continuity
A.17.1.1 Planning information security continuity
A.17.1.2 Implementing information security continuity
A.17.1.2 Implementing information security continuity
A.17.1.2 Implementing information security continuity
A.17.1.3 Verify, review and evaluate information security continuity
A.17.1.3 Verify, review and evaluate information security continuity
A.17.2.1 Availability of information processing facilities
A.18.1.1 Identification of applicable legislation and contractual requirements
A.18.1.2 Intellectual property rights
A.18.1.3 Protection of records
A.18.1.4 Privacy and protection of personally identifiable information
A.18.1.5 Regulation of cryptographic controls
A.18.2.1 Independent review of information security
A.18.2.2 Compliance with security policies and standards
A.18.2.3 Technical compliance review
CSF
ID.BE-2
ID.BE-2
ID.BE-2
ID.GV-1
ID.GV-4
ID.GV-1
ID.GV-2
ID.RM-1
ID.RM-3
PR.IP-07
ID.RA-3
ID.RA-4
ID.RM-2
ID.RA-6
ID.RM-2
PR.AT-1
RS.CO-4
PR.DS-1
PR.DS-2
PR.DS-3
PR.DS-4
ID.RA-5
ID.RA-6
DE.DP-1
PR.PT-1
RC.IM-1
RC.IM-2
RS.IM-2
ID.GV-1
DE.DP-1
ID.AM-6
ID.GV-2
PR.AT-2
PR.AT-3
PR.AT-4
PR.AT-5
RS.CO-1
PR.AC-4
PR.DS-5
RS.CO-2
ID.RA-2
PR.IP-02
PR.AC-3
PR.DS-5
PR.IP-11
PR.DS-5
ID.GV-2
PR.AT-1
PR.AT-2
PR.AT-3
PR.AT-4
PR.AT-5
PR.DS-5
PR.IP-11
ID.AM-1
ID.AM-2
ID.AM-1
ID.AM-2
PR.IP-11
ID.AM-5
PR.DS-5
PR.PT-2
PR.DS-1
PR.DS-2
PR.DS-3
PR.DS-5
PR.IP-06
PR.PT-2
PR.DS-3
PR.IP-06
PR.PT-2
PR.DS-3
PR.IP-06
PR.DS-3
PR.PT-2
PR.DS-5
PR.AC-4
PR.DS-5
PR.PT-3
PR.AC-1
PR.AC-1
PR.AC-4
PR.DS-5
PR.AC-1
PR.AC-1
PR.AC-4
PR.DS-5
PR.AC-1
PR.AC-1
PR.AC-4
PR.DS-5
PR.DS-5
PR.AC-2
PR.AC-2
PR.MA-1
ID.BE-5
PR.AC-2
PR.IP-05
PR.AC-2
PR.IP-05
ID.BE-4
PR.IP-05
ID.BE-4
PR.AC-2
PR.IP-05
PR.MA-1
PR.MA-2
PR.MA-1
ID.AM-4
PR.DS-3
PR.IP-06
PR.PT-2
PR.IP-01
PR.IP-03
ID.BE-4
PR.DS-7
DE.CM-4
PR.DS-6
RS.MI-2
PR.DS-4
PR.IP-04
DE.CM-3
PR.PT-1
RS.AN-1
PR.PT-1
PR.PT-1
RS.AN-1
PR.PT-1
DE.CM-5
PR.DS-6
PR.IP-01
PR.IP-03
DE.CM-8
ID.RA-1
ID.RA-5
PR.IP-12
RS.MI-3
PR.IP-01
PR.IP-03
PR.PT-1
PR.AC-3
PR.AC-5
PR.DS-2
PR.PT-4
PR.AC-5
PR.DS-5
ID.AM-3
PR.AC-3
PR.AC-5
PR.DS-2
PR.DS-5
PR.PT-4
PR.DS-2
PR.DS-5
PR.DS-5
PR.IP-02
PR.DS-2
PR.DS-5
PR.DS-6
PR.DS-2
PR.DS-5
PR.DS-6
PR.IP-02
PR.IP-01
PR.IP-03
PR.IP-01
PR.IP-03
PR.IP-01
PR.IP-03
PR.IP-02
DE.CM-6
DE.DP-3
PR.MA-2
ID.BE-1
DE.CM-6
ID.BE-1
PR.MA-2
ID.BE-1
DE.AE-2
PR.IP-09
RS.CO-1
DE.DP-4
RS.CO-2
RS.CO-3
DE.AE-2
DE.AE-4
RS.AN-4
RC.RP-1
RS.AN-1
RS.MI-1
RS.MI-2
RS.RP-1
DE.DP-5
PR.IP-08
RS.AN-2
RS.IM-1
RS.AN-3
ID.BE-5
PR.IP-09
ID.BE-5
PR.IP-04
PR.IP-09
PR.IP-04
PR.IP-10
ID.BE-5
ID.GV-3
ID.GV-3
ID.GV-3
ID.GV-3
ID.GV-3
PR.IP-12
ID.RA-1
DE.AE-1
DE.AE-3
DE.AE-5
DE.CM-1
DE.CM-2
DE.CM-7
DE.DP-2
ID.BE-3
PR.IP-04
RC.CO-1
RC.CO-2
RC.CO-3
RS.CO-5
CSF Subcategory
The organization’s place in critical infrastructure and its industry sector is identified and
The organization’s place in critical infrastructure and its industry sector is identified and
The organization’s place in critical infrastructure and its industry sector is identified and
Governance and risk management processes address cybersecurity risks
Risk management processes are established, managed, and agreed to by organizational
The organization’s determination of risk tolerance is informed by its role in critical
Protection processes are continuously improved
Threats, both internal and external, are identified and documented
Potential business impacts and likelihoods are identified
Organizational risk tolerance is determined and clearly expressed
Risk responses are identified and prioritized
Organizational risk tolerance is determined and clearly expressed
Coordination with stakeholders occurs consistent with response plans
Recovery plans incorporate lessons learned
Recovery strategies are updated
Response strategies are updated
Organizational information security policy is established
Roles and responsibilities for detection are well defined to ensure accountability
Cybersecurity roles and responsibilities for the entire workforce and third-party stakeholders
Information security roles & responsibilities are coordinated and aligned with internal roles
Privileged users understand roles & responsibilities
Third-party stakeholders (e.g., suppliers, customers, partners) understand roles &
Senior executives understand roles & responsibilities
Physical and information security personnel understand roles & responsibilities
Personnel know their roles and order of operations when a response is needed
Access permissions are managed, incorporating the principles of least privilege and
Protections against data leaks are implemented
Events are reported consistent with established criteria
Threat and vulnerability information is received from information sharing forums and sources
A System Development Life Cycle to manage systems is implemented
Remote access is managed
Protections against data leaks are implemented
Cybersecurity is included in human resources practices (e.g., deprovisioning, personnel
Protections against data leaks are implemented
Information security roles & responsibilities are coordinated and aligned with internal roles
All users are informed and trained
Privileged users understand roles & responsibilities
Third-party stakeholders (e.g., suppliers, customers, partners) understand roles &
Senior executives understand roles & responsibilities
Physical and information security personnel understand roles & responsibilities
Protections against data leaks are implemented
Cybersecurity is included in human resources practices (e.g., deprovisioning, personnel
Physical devices and systems within the organization are inventoried
Software platforms and applications within the organization are inventoried
Physical devices and systems within the organization are inventoried
Software platforms and applications within the organization are inventoried
Cybersecurity is included in human resources practices (e.g., deprovisioning, personnel
Resources (e.g., hardware, devices, data, and software) are prioritized based on their
Protections against data leaks are implemented
Removable media is protected and its use restricted according to policy
Data-at-rest is protected
Data-in-transit is protected
Assets are formally managed throughout removal, transfers, and disposition
Protections against data leaks are implemented
Data is destroyed according to policy
Removable media is protected and its use restricted according to policy
Assets are formally managed throughout removal, transfers, and disposition
Data is destroyed according to policy
Removable media is protected and its use restricted according to policy
Assets are formally managed throughout removal, transfers, and disposition
Data is destroyed according to policy
Assets are formally managed throughout removal, transfers, and disposition
Removable media is protected and its use restricted according to policy
Protections against data leaks are implemented
Access permissions are managed, incorporating the principles of least privilege and
Protections against data leaks are implemented
Access to systems and assets is controlled, incorporating the principle of least functionality
Identities and credentials are managed for authorized devices and users
Identities and credentials are managed for authorized devices and users
Access permissions are managed, incorporating the principles of least privilege and
Protections against data leaks are implemented
Identities and credentials are managed for authorized devices and users
Identities and credentials are managed for authorized devices and users
Access permissions are managed, incorporating the principles of least privilege and
Protections against data leaks are implemented
Identities and credentials are managed for authorized devices and users
Identities and credentials are managed for authorized devices and users
Access permissions are managed, incorporating the principles of least privilege and
Protections against data leaks are implemented
Protections against data leaks are implemented
Physical access to assets is managed and protected
Physical access to assets is managed and protected
Maintenance and repair of organizational assets is performed and logged in a timely manner,
Resilience requirements to support delivery of critical services are established
Physical access to assets is managed and protected
Policy and regulations regarding the physical operating environment for organizational assets
Physical access to assets is managed and protected
Policy and regulations regarding the physical operating environment for organizational assets
Dependencies and critical functions for delivery of critical services are established
Policy and regulations regarding the physical operating environment for organizational assets
Dependencies and critical functions for delivery of critical services are established
Physical access to assets is managed and protected
Policy and regulations regarding the physical operating environment for organizational assets
Maintenance and repair of organizational assets is performed and logged in a timely manner,
Remote maintenance of organizational assets is approved, logged, and performed in a
Maintenance and repair of organizational assets is performed and logged in a timely manner,
External information systems are catalogued
Assets are formally managed throughout removal, transfers, and disposition
Data is destroyed according to policy
Removable media is protected and its use restricted according to policy
A baseline configuration of information technology/industrial control systems is created and
Configuration change control processes are in place
Dependencies and critical functions for delivery of critical services are established
The development and testing environment(s) are separate from the production environment
Malicious code is detected
Integrity checking mechanisms are used to verify software, firmware, and information integrity
Incidents are mitigated
Adequate capacity to ensure availability is maintained
Backups of information are conducted, maintained, and tested periodically
Personnel activity is monitored to detect potential cybersecurity events
Audit/log records are determined, documented, implemented, and reviewed in accordance
Notifications from detection systems are investigated
Audit/log records are determined, documented, implemented, and reviewed in accordance
Audit/log records are determined, documented, implemented, and reviewed in accordance
Notifications from detection systems are investigated
Audit/log records are determined, documented, implemented, and reviewed in accordance
Unauthorized mobile code is detected
Integrity checking mechanisms are used to verify software, firmware, and information integrity
A baseline configuration of information technology/industrial control systems is created and
Configuration change control processes are in place
Vulnerability scans are performed
Asset vulnerabilities are identified and documented
Threats, vulnerabilities, likelihoods, and impacts are used to determine risk
A vulnerability management plan is developed and implemented
Newly identified vulnerabilities are mitigated or documented as accepted risks
A baseline configuration of information technology/industrial control systems is created and
Configuration change control processes are in place
Audit/log records are determined, documented, implemented, and reviewed in accordance
Remote access is managed
Network integrity is protected, incorporating network segregation where appropriate
Data-in-transit is protected
Communications and control networks are protected
Network integrity is protected, incorporating network segregation where appropriate
Protections against data leaks are implemented
Organizational communication and data flows are mapped
Remote access is managed
Network integrity is protected, incorporating network segregation where appropriate
Data-in-transit is protected
Protections against data leaks are implemented
Communications and control networks are protected
Data-in-transit is protected
Protections against data leaks are implemented
Protections against data leaks are implemented
A System Development Life Cycle to manage systems is implemented
Data-in-transit is protected
Protections against data leaks are implemented
Integrity checking mechanisms are used to verify software, firmware, and information integrity
Data-in-transit is protected
Protections against data leaks are implemented
Integrity checking mechanisms are used to verify software, firmware, and information integrity
A System Development Life Cycle to manage systems is implemented
A baseline configuration of information technology/industrial control systems is created and
Configuration change control processes are in place
A baseline configuration of information technology/industrial control systems is created and
Configuration change control processes are in place
A baseline configuration of information technology/industrial control systems is created and
Configuration change control processes are in place
A System Development Life Cycle to manage systems is implemented
External service provider activity is monitored to detect potential cybersecurity events
Detection processes are tested
Remote maintenance of organizational assets is approved, logged, and performed in a
The organization’s role in the supply chain is identified and communicated
External service provider activity is monitored to detect potential cybersecurity events
The organization’s role in the supply chain is identified and communicated
Remote maintenance of organizational assets is approved, logged, and performed in a
The organization’s role in the supply chain is identified and communicated
Detected events are analyzed to understand attack targets and methods
Response plans (Incident Response and Business Continuity) and recovery plans (Incident
Personnel know their roles and order of operations when a response is needed
Event detection information is communicated to appropriate parties
Events are reported consistent with established criteria
Information is shared consistent with response plans
Detected events are analyzed to understand attack targets and methods
Impact of events is determined
Incidents are categorized consistent with response plans
Recovery plan is executed during or after an event
Notifications from detection systems are investigated
Incidents are contained
Incidents are mitigated
Response plan is executed during or after an event
Detection processes are continuously improved
Effectiveness of protection technologies is shared with appropriate parties
The impact of the incident is understood
Response plans incorporate lessons learned
Forensics are performed
Resilience requirements to support delivery of critical services are established
Response plans (Incident Response and Business Continuity) and recovery plans (Incident
Resilience requirements to support delivery of critical services are established
Backups of information are conducted, maintained, and tested periodically
Response plans (Incident Response and Business Continuity) and recovery plans (Incident
Backups of information are conducted, maintained, and tested periodically
Response and recovery plans are tested
Resilience requirements to support delivery of critical services are established
Legal and regulatory requirements regarding cybersecurity, including privacy and civil liberties
Legal and regulatory requirements regarding cybersecurity, including privacy and civil liberties
Legal and regulatory requirements regarding cybersecurity, including privacy and civil liberties
Legal and regulatory requirements regarding cybersecurity, including privacy and civil liberties
Legal and regulatory requirements regarding cybersecurity, including privacy and civil liberties
A vulnerability management plan is developed and implemented
Asset vulnerabilities are identified and documented
A baseline of network operations and expected data flows for users and systems is
Event data are aggregated and correlated from multiple sources and sensors
Incident alert thresholds are established
The network is monitored to detect potential cybersecurity events
The physical environment is monitored to detect potential cybersecurity events
Monitoring for unauthorized personnel, connections, devices, and software is performed
Detection activities comply with all applicable requirements
Priorities for organizational mission, objectives, and activities are established and
Backups of information are conducted, maintained, and tested periodically
Public relations are managed
Reputation after an event is repaired
Recovery activities are communicated to internal stakeholders and executive and
Voluntary information sharing occurs with external stakeholders to achieve broader
Source
DO
DO
DO
DO
DO
DO
DO
DO
DO
DO
DO
DO
DO
DO
DO
DO
DO
DO
DO
DO
DO
DO
DO
DO
DO
DO
DO
DO
DO
DO
DO
DO
DO
DO
DO
DO
DO
CSF
CSF
CSF
CSF
CSF
CSF
CSF
CSF
CSF
CSF
CSF
CSF
CSF
CSF
CSF
CSF
CSF
CSF
CSF
CSF
CSF
CSF
CSF
CSF
CSF
CSF
CSF
CSF
CSF
CSF
CSF
CSF
CSF
CSF
CSF
CSF
CSF
CSF
CSF
CSF
CSF
CSF
CSF
CSF
CSF
CSF
CSF
CSF
CSF
CSF
CSF
CSF
CSF
CSF
CSF
CSF
CSF
CSF
CSF
CSF
CSF
CSF
CSF
CSF
CSF
CSF
CSF
CSF
CSF
CSF
CSF
CSF
CSF
CSF
CSF
CSF
CSF
CSF
CSF
CSF
CSF
CSF
CSF
CSF
CSF
CSF
CSF
CSF
CSF
CSF
CSF
CSF
CSF
CSF
CSF
CSF
CSF
CSF
CSF
CSF
CSF
CSF
CSF
CSF
CSF
CSF
CSF
CSF
CSF
CSF
CSF
CSF
CSF
CSF
CSF
CSF
CSF
CSF
CSF
CSF
CSF
CSF
CSF
CSF
CSF
CSF
CSF
CSF
CSF
CSF
CSF
CSF
CSF
CSF
CSF
CSF
CSF
CSF
CSF
CSF
CSF
CSF
CSF
CSF
CSF
CSF
CSF
CSF
CSF
CSF
CSF
CSF
CSF
CSF
CSF
CSF
CSF
CSF
CSF
CSF
CSF
CSF
CSF
CSF
CSF
CSF
CSF
CSF
CSF
CSF
CSF
CSF
CSF
CSF
CSF
CSF
DO
CSF
CSF
CSF
CSF
CSF
CSF
CSF
CSF
CSF
CSF
CSF
CSF
CSF
CSF
CSF
CSF
CSF
CSF
CSF
CSF
CSF
CSF
CSF
CSF
CSF
CSF
CSF
CSF
CSF
CSF
CSF
CSF
CSF
CSF
CSF
CSF
CSF
CSF
CSF
CSF
