| Function | Category | Subcategory | Informative References |
|---|---|---|---|
| IDENTIFY (ID) | Asset Management (ID.AM): The data, personnel, devices, systems, and facilities that enable the organization to achieve business purposes are identified and managed consistent with their relative importance to business objectives and the organization’s risk strategy. | ID.AM-1: Physical devices and systems within the organization are inventoried | CCS CSC 1; COBIT 5 BAI09.01, BAI09.02; ISA 62443-2-1:2009 4.2.3.4; ISA 62443-3-3:2013 SR 7.8; ISO/IEC 27001:2013 A.8.1.1, A.8.1.2; NIST SP 800-53 Rev. 4 CM-8 |
| | | ID.AM-2: Software platforms and applications within the organization are inventoried | CCS CSC 2; COBIT 5 BAI09.01, BAI09.02, BAI09.05; ISA 62443-2-1:2009 4.2.3.4; ISA 62443-3-3:2013 SR 7.8; ISO/IEC 27001:2013 A.8.1.1, A.8.1.2; NIST SP 800-53 Rev. 4 CM-8 |
| | | ID.AM-3: Organizational communication and data flows are mapped | CCS CSC 1; COBIT 5 DSS05.02; ISA 62443-2-1:2009 4.2.3.4; ISO/IEC 27001:2013 A.13.2.1; NIST SP 800-53 Rev. 4 AC-4, CA-3, CA-9, PL-8 |
| | | ID.AM-4: External information systems are catalogued | COBIT 5 APO02.02; ISO/IEC 27001:2013 A.11.2.6; NIST SP 800-53 Rev. 4 AC-20, SA-9 |
| | | ID.AM-5: Resources (e.g., hardware, devices, data, and software) are prioritized based on their classification, criticality, and business value | COBIT 5 APO03.03, APO03.04, BAI09.02; ISA 62443-2-1:2009 4.2.3.6; ISO/IEC 27001:2013 A.8.2.1; NIST SP 800-53 Rev. 4 CP-2, RA-2, SA-14 |
| | | ID.AM-6: Cybersecurity roles and responsibilities for the entire workforce and third-party stakeholders (e.g., suppliers, customers, partners) are established | COBIT 5 APO01.02, DSS06.03; ISA 62443-2-1:2009 4.3.2.3.3; ISO/IEC 27001:2013 A.6.1.1; NIST SP 800-53 Rev. 4 CP-2, PS-7, PM-11 |
| | Business Environment (ID.BE): The organization’s mission, objectives, stakeholders, and activities are understood and prioritized; this information is used to inform cybersecurity roles, responsibilities, and risk management decisions. | ID.BE-1: The organization’s role in the supply chain is identified and communicated | COBIT 5 APO08.04, APO08.05, APO10.03, APO10.04, APO10.05; ISO/IEC 27001:2013 A.15.1.3, A.15.2.1, A.15.2.2; NIST SP 800-53 Rev. 4 CP-2, SA-12 |
| | | ID.BE-2: The organization’s place in critical infrastructure and its industry sector is identified and communicated | COBIT 5 APO02.06, APO03.01; NIST SP 800-53 Rev. 4 PM-8 |
| | | ID.BE-3: Priorities for organizational mission, objectives, and activities are established and communicated | COBIT 5 APO02.01, APO02.06, APO03.01; ISA 62443-2-1:2009 4.2.2.1, 4.2.3.6; NIST SP 800-53 Rev. 4 PM-11, SA-14 |
| | | ID.BE-4: Dependencies and critical functions for delivery of critical services are established | ISO/IEC 27001:2013 A.11.2.2, A.11.2.3, A.12.1.3; NIST SP 800-53 Rev. 4 CP-8, PE-9, PE-11, PM-8, SA-14 |
| | | ID.BE-5: Resilience requirements to support delivery of critical services are established | COBIT 5 DSS04.02; ISO/IEC 27001:2013 A.11.1.4, A.17.1.1, A.17.1.2, A.17.2.1; NIST SP 800-53 Rev. 4 CP-2, CP-11, SA-14 |
| | Governance (ID.GV): The policies, procedures, and processes to manage and monitor the organization’s regulatory, legal, risk, environmental, and operational requirements are understood and inform the management of cybersecurity risk. | ID.GV-1: Organizational information security policy is established | COBIT 5 APO01.03, EDM01.01, EDM01.02; ISA 62443-2-1:2009 4.3.2.6; ISO/IEC 27001:2013 A.5.1.1; NIST SP 800-53 Rev. 4 -1 controls from all families |
| | | ID.GV-2: Information security roles & responsibilities are coordinated and aligned with internal roles and external partners | COBIT 5 APO13.12; ISA 62443-2-1:2009 4.3.2.3.3; ISO/IEC 27001:2013 A.6.1.1, A.7.2.1; NIST SP 800-53 Rev. 4 PM-1, PS-7 |
| | | ID.GV-3: Legal and regulatory requirements regarding cybersecurity, including privacy and civil liberties obligations, are understood and managed | COBIT 5 MEA03.01, MEA03.04; ISA 62443-2-1:2009 4.4.3.7; ISO/IEC 27001:2013 A.18.1; NIST SP 800-53 Rev. 4 -1 controls from all families (except PM-1) |
| | | ID.GV-4: Governance and risk management processes address cybersecurity risks | COBIT 5 DSS04.02; ISA 62443-2-1:2009 4.2.3.1, 4.2.3.3, 4.2.3.8, 4.2.3.9, 4.2.3.11, 4.3.2.4.3, 4.3.2.6.3; NIST SP 800-53 Rev. 4 PM-9, PM-11 |
| | Risk Assessment (ID.RA): The organization understands the cybersecurity risk to organizational operations (including mission, functions, image, or reputation), organizational assets, and individuals. | ID.RA-1: Asset vulnerabilities are identified and documented | CCS CSC 4; COBIT 5 APO12.01, APO12.02, APO12.03, APO12.04; ISA 62443-2-1:2009 4.2.3, 4.2.3.7, 4.2.3.9, 4.2.3.12; ISO/IEC 27001:2013 A.12.6.1, A.18.2.3; NIST SP 800-53 Rev. 4 CA-2, CA-7, CA-8, RA-3, RA-5, SA-5, SA-11, SI-2, SI-4, SI-5 |
| | | ID.RA-2: Threat and vulnerability information is received from information sharing forums and sources | ISA 62443-2-1:2009 4.2.3, 4.2.3.9, 4.2.3.12; ISO/IEC 27001:2013 A.6.1.4; NIST SP 800-53 Rev. 4 PM-15, PM-16, SI-5 |
| | | ID.RA-3: Threats, both internal and external, are identified and documented | COBIT 5 APO12.01, APO12.02, APO12.03, APO12.04; ISA 62443-2-1:2009 4.2.3, 4.2.3.9, 4.2.3.12; NIST SP 800-53 Rev. 4 RA-3, SI-5, PM-12, PM-16 |
| | | ID.RA-4: Potential business impacts and likelihoods are identified | COBIT 5 DSS04.02; ISA 62443-2-1:2009 4.2.3, 4.2.3.9, 4.2.3.12; NIST SP 800-53 Rev. 4 RA-2, RA-3, PM-9, PM-11, SA-14 |
| | | ID.RA-5: Threats, vulnerabilities, likelihoods, and impacts are used to determine risk | COBIT 5 APO12.02; ISO/IEC 27001:2013 A.12.6.1; NIST SP 800-53 Rev. 4 RA-2, RA-3, PM-16 |
| | | ID.RA-6: Risk responses are identified and prioritized | COBIT 5 APO12.05, APO13.02; NIST SP 800-53 Rev. 4 PM-4, PM-9 |
| | Risk Management Strategy (ID.RM): The organization’s priorities, constraints, risk tolerances, and assumptions are established and used to support operational risk decisions. | ID.RM-1: Risk management processes are established, managed, and agreed to by organizational stakeholders | COBIT 5 APO12.04, APO12.05, APO13.02, BAI02.03, BAI04.02; ISA 62443-2-1:2009 4.3.4.2; NIST SP 800-53 Rev. 4 PM-9 |
| | | ID.RM-2: Organizational risk tolerance is determined and clearly expressed | COBIT 5 APO12.06; ISA 62443-2-1:2009 4.3.2.6.5; NIST SP 800-53 Rev. 4 PM-9 |
| | | ID.RM-3: The organization’s determination of risk tolerance is informed by its role in critical infrastructure and sector-specific risk analysis | NIST SP 800-53 Rev. 4 PM-8, PM-9, PM-11, SA-14 |
| PROTECT (PR) | Access Control (PR.AC): Access to assets and associated facilities is limited to authorized users, processes, or devices, and to authorized activities and transactions. | PR.AC-1: Identities and credentials are managed for authorized devices and users | CCS CSC 16; COBIT 5 DSS05.04, DSS06.03; ISA 62443-2-1:2009 4.3.3.5.1; ISA 62443-3-3:2013 SR 1.1, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.7, SR 1.8, SR 1.9; ISO/IEC 27001:2013 A.9.2.1, A.9.2.2, A.9.2.4, A.9.3.1, A.9.4.2, A.9.4.3; NIST SP 800-53 Rev. 4 AC-2, IA Family |
| | | PR.AC-2: Physical access to assets is managed and protected | COBIT 5 DSS01.04, DSS05.05; ISA 62443-2-1:2009 4.3.3.3.2, 4.3.3.3.8; ISO/IEC 27001:2013 A.11.1.1, A.11.1.2, A.11.1.4, A.11.1.6, A.11.2.3; NIST SP 800-53 Rev. 4 PE-2, PE-3, PE-4, PE-5, PE-6, PE-9 |
| | | PR.AC-3: Remote access is managed | COBIT 5 APO13.01, DSS01.04, DSS05.03; ISA 62443-2-1:2009 4.3.3.6.6; ISA 62443-3-3:2013 SR 1.13, SR 2.6; ISO/IEC 27001:2013 A.6.2.2, A.13.1.1, A.13.2.1; NIST SP 800-53 Rev. 4 AC-17, AC-19, AC-20 |
| | | PR.AC-4: Access permissions are managed, incorporating the principles of least privilege and separation of duties | CCS CSC 12, 15; ISA 62443-2-1:2009 4.3.3.7.3 |