ISO 27001 → NIST 800-53 crosswalk
A control-by-control mapping between ISO/IEC 27001:2022 and NIST SP 800-53 Rev. 5. 15 mappings.
| ISO 27001 | NIST 800-53 | Relationship | Notes |
|---|---|---|---|
| A.5.1 Policies for information security | PM-1 Information security program plan | PartialOfficial mapping | Governance & security policy |
| A.5.15 Access control | AC-2 Account management | EquivalentOfficial mapping | Access control & identity |
| A.5.16 Identity management | AC-2 Account management | EquivalentCurated | Access control & identity |
| A.5.24 Information security incident management planning and preparation | IR-4 Incident handling | PartialOfficial mapping | Incident response & breach notification |
| A.5.24 Information security incident management planning and preparation | IR-6 Incident reporting | PartialCurated | Incident response & breach notification |
| A.5.26 Response to information security incidents | IR-4 Incident handling | PartialCurated | Incident response & breach notification |
| A.5.26 Response to information security incidents | IR-6 Incident reporting | EquivalentOfficial mapping | Incident response & breach notification |
| A.5.9 Inventory of information and other associated assets | CM-8 System component inventory | EquivalentOfficial mapping | Asset & data inventory |
| A.8.13 Information backup | CP-9 System backup | EquivalentOfficial mapping | Backup & recovery |
| A.8.15 Logging | AU-2 Event logging | EquivalentOfficial mapping | Logging, monitoring & detection |
| A.8.16 Monitoring activities | AU-2 Event logging | EquivalentCurated | Logging, monitoring & detection |
| A.8.24 Use of cryptography | SC-8 Transmission confidentiality and integrity | EquivalentOfficial mapping | Cryptography & data protection |
| A.8.24 Use of cryptography | SC-28 Protection of information at rest | EquivalentOfficial mapping | Cryptography & data protection |
| A.8.8 Management of technical vulnerabilities | RA-5 Vulnerability monitoring and scanning | EquivalentOfficial mapping | Vulnerability management |
| A.8.9 Configuration management | CM-6 Configuration settings | EquivalentOfficial mapping | Secure configuration & hardening |
Mappings marked “Official” derive from standards-body informative references; “Curated” mappings are authored by Cyber Compliance and provided for guidance only.