Rhand Leal
May 10, 2016
Update 2022-09-07.
In my previous article, How to use the NIST SP800 series of standards for ISO 27001 implementation, I described the NIST SP 800 series (documents describing computer security practices, published by the National Institute of Standards and Technology – NIST) and some specific documents that can be used to support an ISO 27001 implementation.
In this article, I will detail SP 800-53 Rev.4 – Security and Privacy Controls for Federal Information Systems and Organizations, which presents the security controls recommended by NIST, and show how this information can be used together with ISO 27002 to design and implement the security controls specified in ISO 27001 Annex A. We will go deeper into mapping NIST 800-53 to ISO 27001.
SP 800-53 Rev.4 consists of three chapters and 10 appendices:
Figure – SP 800-53 Rev.4 structure
Chapter one – Introduction: covers the document’s purpose and applicability, target audience, relationship to other security control publications, and organizational responsibilities.
Chapter two – Fundamentals: covers concepts used for selecting and specifying security controls, e.g., risk management (2.1), security controls structure (2.2), baselines (2.3), etc., providing references to more detailed NIST SP 800 documentation (see the above-mentioned article for more information).
Chapter three – Process: describes the process for selecting and specifying security controls.
Appendices: as shown in the figure above, cover supporting information, most importantly the security control baselines (Appendix D), the security control catalog (Appendix F), the information security program management controls (Appendix G), the mapping to international standards such as ISO/IEC 27001 (Appendix H), and the privacy control catalog (Appendix J).
For the purpose of this article, only the most important parts of this document will be described.
The way SP 800-53 organizes its security controls is very similar to that of ISO 27001. Its 256 controls are grouped into 18 families (compared with the 114 controls organized into 14 categories in ISO 27001:2013 Annex A), each family containing the controls related to its general topic, just as the Annex A categories do.
Controls in each family may cover aspects related to policy, oversight, supervision, manual processes, actions by individuals, or automated mechanisms, depending upon their application (e.g., management, operational, or technical). Each control has the same structure: a control section (the requirement itself), a supplemental guidance section (explanatory notes on how and why), control enhancements (optional additions that strengthen the base control), references to related publications, and a priority and baseline allocation section (which baselines – low, moderate, high – include the control, and how urgently it should be implemented).
This structure has some similarities with that of ISO 27002 (control, implementation guidance, and other information), and also provides enough detail to support ISO 27001 Annex A implementation (see more about Annex A here: Understanding the ISO 27001 controls from Annex A).
In addition to the 256 security controls, SP 800-53 also provides one family of 16 controls (PM-1 to PM-16) for the management of information security programs, and a separate catalog of privacy controls. These lists of SP 800-53 controls are available in Appendix F (security controls), Appendix G (information security program management), and Appendix J (privacy controls).
And now, more about mapping NIST 800-53 to ISO 27001. SP 800-53 Appendix H-2 provides a table mapping each of its security controls to the corresponding controls in ISO/IEC 27001:2013 Annex A (Appendix H-1 gives the reverse direction, from Annex A to SP 800-53). For example, AT-2 (Security Awareness Training) maps to A.7.2.2 (Information security awareness, education and training), CP-9 (Information System Backup) maps to A.12.3.1 (Information backup), and AC-2 (Account Management) maps to several controls in A.9.2 (User access management), such as A.9.2.1 (User registration and de-registration).
Although this mapping can streamline the identification of information that can be used to design or improve ISO 27001 security controls, the two sets of controls were created with different expectations: SP 800-53 was designed for US federal agencies, while ISO 27001 is meant for any kind of organization. In many cases, therefore, the mapped controls are not completely equivalent (one SP 800-53 control often covers only part of an Annex A control, or spans several of them), and the mapping should be used with caution. Also keep in mind which editions are being mapped: Appendix H of Rev.4 is aligned with ISO/IEC 27001:2013, so if you are working with a different edition of either document, check the control references before relying on the table.
Although ISO standards provide practices that are recognized worldwide, that does not make them the definitive answer to every issue they cover. As in any situation we face every day, there will always be something in other knowledge sources that we can use to improve our results.
ISO 27002 is a great source for designing ISO 27001 controls, and by combining it with SP 800-53 resources, such as the security control catalog, the baselines, and the priority allocations, an organization can achieve better results in the implementation, management, and operation of its security controls, improving both its security level and its users’ confidence.
To learn more about the development of security controls in your ISO 27001 implementation, sign up for a free trial of Conformio, the leading ISO 27001 compliance software.