
ISO 27001 to NIST CSF 2.0 crosswalk

A control-by-control mapping between ISO/IEC 27001:2022 and NIST Cybersecurity Framework 2.0. 15 mappings.

| ISO 27001 | NIST CSF 2.0 | Relationship | Notes |
|---|---|---|---|
| A.5.1: Policies for information security | GV.OC-01: Organizational mission and security role understood | Related (Curated) | Governance & security policy |
| A.5.15: Access control | PR.AA-01: Identities and credentials managed | Equivalent (Curated) | Access control & identity |
| A.5.15: Access control | PR.AA-05: Access permissions and authorizations enforced | Equivalent (Curated) | Access control & identity |
| A.5.16: Identity management | PR.AA-01: Identities and credentials managed | Equivalent (Curated) | Access control & identity |
| A.5.16: Identity management | PR.AA-05: Access permissions and authorizations enforced | Equivalent (Curated) | Access control & identity |
| A.5.9: Inventory of information and other associated assets | ID.AM-01: Inventories of hardware managed | Equivalent (Curated) | Asset & data inventory |
| A.8.13: Information backup | PR.DS-11: Backups of data created and tested | Equivalent (Curated) | Backup & recovery |
| A.8.15: Logging | DE.CM-01: Networks and services monitored | Equivalent (Curated) | Logging, monitoring & detection |
| A.8.15: Logging | PR.PS-04: Log records generated for monitoring | Equivalent (Curated) | Logging, monitoring & detection |
| A.8.16: Monitoring activities | DE.CM-01: Networks and services monitored | Equivalent (Curated) | Logging, monitoring & detection |
| A.8.16: Monitoring activities | PR.PS-04: Log records generated for monitoring | Equivalent (Curated) | Logging, monitoring & detection |
| A.8.24: Use of cryptography | PR.DS-01: Confidentiality of data-at-rest protected | Equivalent (Curated) | Cryptography & data protection |
| A.8.24: Use of cryptography | PR.DS-02: Confidentiality of data-in-transit protected | Equivalent (Curated) | Cryptography & data protection |
| A.8.8: Management of technical vulnerabilities | ID.RA-01: Vulnerabilities identified and recorded | Equivalent (Curated) | Vulnerability management |
| A.8.9: Configuration management | PR.PS-01: Configuration management practices established | Equivalent (Curated) | Secure configuration & hardening |

Mappings marked “Official” derive from standards-body informative references; “Curated” mappings are authored by Cyber Compliance and provided for guidance only.