CMMC Level 1 vs ISO 27001 Controls
| CMMC ID | CMMC Family/Domain | CMMC Control | ISO 27001:2013 Control ID | ISO 27001:2013 Control Title | ISO 27001:2022 Control ID | ISO 27001:2022 Control Title |
|---|---|---|---|---|---|---|
| AC.L1-3.1.1 | Access Control | Limit system access to authorized users, processes acting on behalf of authorized users, and devices (including other systems). | A.9.2.1 | User registration and de-registration | A.5.16 | Identity management |
| | | | A.9.2.2 | User access provisioning | A.5.18 | Access rights |
| | | | A.9.2.3 | Management of privileged access rights | A.8.2 | Privileged access rights |
| | | | A.9.2.5 | Review of user access rights | A.5.18 | Access rights |
| | | | A.9.2.6 | Removal or adjustment of access rights | A.5.18 | Access rights |
| | | | A.6.2.2 | Teleworking | A.6.7 | Remote working |
| | | | A.9.1.2 | Access to networks and network services | A.5.15 | Access control |
| | | | A.9.4.1 | Information access restriction | A.8.3 | Information access restriction |
| | | | A.9.4.4 | Use of privileged utility programs | A.8.18 | Use of privileged utility programs |
| | | | A.9.4.5 | Access control to program source code | A.8.4 | Access to source code |
| | | | A.13.1.1 | Network controls | A.8.20 | Network controls |
| | | | A.14.1.2 | Securing application services on public networks | A.8.26 | Application security requirements |
| | | | A.14.1.3 | Protecting application services transactions | A.8.32 | Change management |
| | | | A.18.1.3 | Protection of records | A.5.33 | Protection of records |
| | | | A.6.2.1 | Mobile device policy | A.8.1 | User endpoint devices |
| | | | A.13.2.1 | Information transfer policies and procedures | A.5.14 | Information transfer |
| AC.L1-3.1.2 | Access Control | Limit system access to the types of transactions and functions that authorized users are permitted to execute. | A.9.2.1 | User registration and de-registration | A.5.16 | Identity management |
| | | | A.9.2.2 | User access provisioning | A.5.18 | Access rights |
| | | | A.9.2.3 | Management of privileged access rights | A.8.2 | Privileged access rights |
| | | | A.9.2.5 | Review of user access rights | A.5.18 | Access rights |
| | | | A.9.2.6 | Removal or adjustment of access rights | A.5.18 | Access rights |
| | | | A.6.2.2 | Teleworking | A.6.7 | Remote working |
| | | | A.9.1.2 | Access to networks and network services | A.5.15 | Access control |
| | | | A.9.4.1 | Information access restriction | A.8.3 | Information access restriction |
| | | | A.9.4.4 | Use of privileged utility programs | A.8.18 | Use of privileged utility programs |
| | | | A.9.4.5 | Access control to program source code | A.8.4 | Access to source code |
| | | | A.13.1.1 | Network controls | A.8.20 | Network controls |
| | | | A.14.1.2 | Securing application services on public networks | A.8.26 | Application security requirements |
| | | | A.14.1.3 | Protecting application services transactions | A.8.32 | Change management |
| | | | A.18.1.3 | Protection of records | A.5.33 | Protection of records |
| | | | A.6.2.1 | Mobile device policy | A.8.1 | User endpoint devices |
| | | | A.13.2.1 | Information transfer policies and procedures | A.5.14 | Information transfer |
| AC.L1-3.1.10 | Access Control | Use session lock with pattern-hiding displays to prevent access and viewing of data after a period of inactivity. | A.11.2.8 | Unattended user equipment | A.8.1 | User endpoint devices |
| | | | A.11.2.9 | Clear desk and clear screen policy | A.7.7 | Clear desk and clear screen |
| AC.L1-3.1.20 | Access Control | Verify and control/limit connections to and use of external systems. | A.11.2.6 | Security of equipment and assets off-premises | A.7.9 | Security of assets off-premises |
| | | | A.13.1.1 | Network controls | A.8.20 | Network controls |
| | | | A.13.2.1 | Information transfer policies and procedures | A.5.14 | Information transfer |
| AC.L1-3.1.22 | Access Control | Control CUI posted or processed on publicly accessible systems. | No direct mapping to ISO 27001. | | | |
| IA.L1-3.5.1 | Identification and Authentication | Identify system users, processes acting on behalf of users, and devices. | A.9.2.1 | User registration and de-registration | A.5.16 | Identity management |
| | | | A.9.2.4 | Management of secret authentication information of users | A.5.17 | Authentication information |
| | | | A.9.3.1 | Use of secret authentication information | A.5.17 | Authentication information |
| | | | A.9.4.3 | Password management system | A.5.17 | Authentication information |
| IA.L1-3.5.2 | Identification and Authentication | Authenticate (or verify) the identities of users, processes, or devices, as a prerequisite to allowing access to organizational systems. | A.9.2.1 | User registration and de-registration | A.5.16 | Identity management |
| | | | A.9.2.4 | Management of secret authentication information of users | A.5.17 | Authentication information |
| | | | A.9.3.1 | Use of secret authentication information | A.5.17 | Authentication information |
| | | | A.9.4.3 | Password management system | A.5.17 | Authentication information |
| MP.L1-3.8.3 | Media Protection | Sanitize or destroy system media containing CUI before disposal or release for reuse. | A.8.2.3 | Handling of assets | A.5.10 | Acceptable use of information and other associated assets |
| | | | A.8.3.1 | Management of removable media | A.7.10 | Storage media |
| | | | A.8.3.2 | Disposal of media | A.7.10 | Storage media |
| | | | A.11.2.7 | Secure disposal or reuse of equipment | A.7.14 | Secure disposal or re-use of equipment |
| PE.L1-3.10.1 | Physical Protection | Limit physical access to organizational systems, equipment, and the respective operating environments to authorized individuals. | A.11.1.2 | Cabling security | A.7.2 | Physical entry controls |
| | | | A.11.2.3 | Securing offices, rooms, and facilities | A.7.12 | Cabling security |
| PE.L1-3.10.3 | Physical Protection | Escort visitors and monitor visitor activity. | A.11.1.1 | Physical security perimeter | A.7.1 | Physical security perimeter |
| | | | A.11.1.2 | Physical entry controls | A.7.2 | Physical entry controls |
| | | | A.11.1.3 | Securing offices, rooms, and facilities | A.7.3 | Securing offices, rooms and facilities |
| PE.L1-3.10.4 | Physical Protection | Maintain audit logs of physical access. | A.11.1.1 | Physical security perimeter | A.7.1 | Physical security perimeter |
| | | | A.11.1.2 | Physical entry controls | A.7.2 | Physical entry controls |
| | | | A.11.1.3 | Securing offices, rooms, and facilities | A.7.3 | Securing offices, rooms and facilities |
| PE.L1-3.10.5 | Physical Protection | Control and manage physical access devices. | A.11.1.1 | Physical security perimeter | A.7.1 | Physical security perimeter |
| | | | A.11.1.2 | Physical entry controls | A.7.2 | Physical entry controls |
| | | | A.11.1.3 | Securing offices, rooms, and facilities | A.7.3 | Securing offices, rooms and facilities |
| SC.L1-3.13.1 | System and Communications Protection | Monitor, control, and protect communications (i.e., information transmitted or received by organizational systems) at the external boundaries and key internal boundaries of organizational systems. | A.13.1.1 | Network controls | A.7.3 | Securing offices, rooms and facilities |
| | | | A.13.1.3 | Segregation in networks | A.8.23 | Segregation in networks |
| | | | A.13.2.1 | Information transfer policies and procedures | A.5.14 | Information transfer |
| | | | A.14.1.3 | Protecting application services transactions | A.8.32 | Change management |
| SC.L1-3.13.5 | System and Communications Protection | Implement subnetworks for publicly accessible system components that are physically or logically separated from internal networks. | A.13.1.1 | Network controls | A.7.3 | Securing offices, rooms and facilities |
| | | | A.13.1.3 | Segregation in networks | A.8.23 | Segregation in networks |
| | | | A.13.2.1 | Information transfer policies and procedures | A.5.14 | Information transfer |
| | | | A.14.1.3 | Protecting application services transactions | A.8.32 | Change management |
| SI.L1-3.14.2 | System and Information Integrity | Provide protection from malicious code at designated locations within organizational systems. | A.12.6.1 | Management of technical vulnerabilities | A.8.8 | Management of technical vulnerabilities |
| | | | A.14.2.2 | System change control procedures | A.8.32 | Change management |
| | | | A.14.2.3 | Technical review of applications after operating platform changes | A.8.32 | Change management |
| | | | A.16.1.3 | Reporting information security weaknesses | A.6.8 | Information security event reporting |
| | | | A.12.2.1 | Controls against malware | A.8.7 | Protection against malware |
| | | | A.6.1.4 | Contact with special interest groups | A.5.6 | Contact with special interest groups |
| SI.L1-3.14.4 | System and Information Integrity | Update malicious code protection mechanisms when new releases are available. | A.12.2.1 | Controls against malware | A.8.7 | Protection against malware |
| SI.L1-3.14.5 | System and Information Integrity | Perform periodic scans of organizational systems and real-time scans of files from external sources as files are downloaded, opened, or executed. | A.12.2.1 | Controls against malware | A.8.7 | Protection against malware |