The ISO 27001 & ISO 22301 Blog

Rhand Leal

How to use NIST SP 800-53 for the implementation of ISO 27001 controls

In my previous article, How to use the NIST SP800 series of standards for ISO 27001 implementation, I described the NIST SP 800 series (documents describing computer security practices, published by the National Institute of Standards and Technology – NIST) and some specific documents that can be used to support an ISO 27001 implementation.

In this article, I will detail the SP 800-53 Rev.4 – Security and Privacy Controls for Federal Information Systems and Organizations, which presents security controls recommended by NIST, and how this information can be used together with ISO 27002 to design and implement the security controls specified in ISO 27001 Annex A.

SP 800-53 Rev. 4 structure

SP 800-53 Rev.4 consists of three chapters and 10 appendices:

Figure – SP 800-53 Rev.4 structure

Chapter one – Introduction: covers the document’s purpose and applicability, the target audience, its relationship to other security control publications, and organizational responsibilities.

Chapter two – Fundamentals: covers concepts used for selecting and specifying security controls, e.g., risk management (2.1), security controls structure (2.2), baselines (2.3), etc., providing references to more detailed NIST SP 800 documentation (see the above-mentioned article for more information).

Chapter three – Process: describes the process for selecting and specifying security controls.

Appendices: as described in figure 1, cover support information.

For the purpose of this article, only the most important parts of this document will be described.

Security control structure (chapter 2.2)

The security control structure in SP 800-53 is very similar to that of ISO 27001. Its 256 controls are organized into 18 families (compared with the 114 controls organized into 14 categories in ISO 27001), each family containing the controls related to its general topic, as in ISO 27001.

Controls in each family may cover aspects related to policy, oversight, supervision, manual processes, actions by individuals, or automated mechanisms, depending upon their application (e.g., management, operational, or technical), and are structured as follows:

  • Control: prescribes the basic security-related activities to be carried out.
  • Supplemental guidance: provides additional guidance to be used as appropriate.
  • Control enhancements: provide additional measures beyond the activities described in the control section, for situations in which those activities alone may not be sufficient to ensure the required protection level.
  • References: lists the documentation considered relevant to the control (laws, regulations, standards, etc.), including links to other SP 800 series documents (see the article mentioned above for some examples).
  • Priority and baseline allocation: provides information on the prioritization of security controls during implementation, and on the initial allocation of controls and control enhancements to the low, moderate, and high impact baselines.

This structure has some similarities with that of ISO 27002 (control, implementation guidance, and other information), and also provides enough detail to support ISO 27001 Annex A implementation (see more about Annex A here: Overview of ISO 27001:2013 Annex A).

In addition to the 256 security controls, SP 800-53 also provides one family of 16 controls for the management of information security programs, and 14 controls, grouped into three families, for privacy protection. These three lists of SP 800-53 controls are available in Appendices F (security controls), G (information security program management controls), and J (privacy controls).

Mapping of SP 800-53 controls to ISO 27001 Annex A

SP 800-53 Appendix H-2 provides a mapping from its security controls to those in ISO/IEC 27001 Annex A. Some examples are:

  • 6.1.2 Segregation of duties maps to AC-5 Separation of Duties
  • 8.3.2 Disposal of media maps to MP-6 Media Sanitization
  • 12.3.1 Information backup maps to CP-9 Information System Backup

Although this mapping can streamline the identification of information that can be used to design or improve ISO 27001 security controls, the two sets of controls were created with different expectations (SP 800-53 was designed for US government agencies, ISO 27001 for any kind of organization). In some cases, therefore, they may not be completely equivalent, and the mapping should be used with caution.

Make the whole greater than the sum of the parts

Although ISO standards provide world-wide recognized practices, this does not mean they are the definitive answer to every issue they cover. As in any situation we face every day, there will always be something in other knowledge sources that we can use to improve our results.

ISO 27002 is a great source to help design ISO 27001 controls, and by combining its use with SP 800-53 resources, like security controls, baselines, and allocation priorities, an organization can achieve better results in the implementation, management, and operation of its security controls, improving security levels and users’ confidence.

To learn more about the development of security controls in your ISO 27001 implementation, try this free ISO 27001 Lead Implementer Online Course.
