13-05 Control mapping (NIST 800-53 vs ISO 17799 / PCI-DSS v2 / COBIT 4.1)

Mapping from the OSA controls catalog (equivalent to NIST 800-53 rev 2) to ISO 17799, PCI-DSS v2 and COBIT 4.1

Please note that the ISO, PCI and COBIT control catalogs are the property of their respective owners and cannot be used unless licensed; we therefore do not provide any details of those controls beyond the mapping on this site.

Warning: there is not an exact correspondence between the catalogs, as the focus of the materials varies, as does the level of granularity on specific topics. We have elected to include partial matches, where wording may vary but the semantic intent is similar. The PCI-DSS mapping is considered DRAFT. Last updated 29-May-2013.

A map against ISO27000 series will be added soon. Drop us a mail if you have feedback or have a need for other mappings.



OSA ID | Name | ISO 17799 | COBIT 4.1 | PCI-DSS v2 | 800-53
------ | ---- | --------- | --------- | ---------- | ------
AC-01 | Access Control Policy And Procedures | 11.1.1, 11.4.1, 15.1.1 | DS11.6, PC5 | 12.3.2, 7.1, 12.5.1 | AC-1
AC-02 | Account Management | 6.2.2, 6.2.3, 8.3.3, 11.2.1, 11.2.2, 11.2.4, 11.7.2 | DS5.4 | 7.1.3 | AC-2
AC-03 | Access Enforcement | 11.2.4, 11.4.5 | PO2.3, AI2.4, DS11.6 | 7.1.4 | AC-3
AC-04 | Information Flow Enforcement | 10.6.2, 11.4.5, 11.4.6, 11.4.7 | DS5.10 | 4.1 | AC-4
AC-05 | Separation Of Duties | 10.1.3, 10.6.1, 10.10.1 | PO4.11 | 7.1.2 | AC-5
AC-06 | Least Privilege | 11.2.2 | PO4.11 | 7.1.1 | AC-6
AC-07 | Unsuccessful Login Attempts | 11.5.1 | None | 8.5.13 | AC-7
AC-08 | System Use Notification | 11.5.1, 15.1.5 | None | 8.5.7 | AC-8
AC-09 | Previous Logon Notification | 11.5.1 | None | None | AC-9
AC-10 | Concurrent Session Control | None | AC6 | None | AC-10
AC-11 | Session Lock | 11.3.2 | None | 8.5.14 | AC-11
AC-12 | Session Termination | 11.3.2, 11.5.5 | None | 8.5.15 | AC-12
AC-13 | Supervision And Review - Access Control | 10.10.2, 11.2.4 | PO4.10 | 8.5.1 | AC-13
AC-14 | Permitted Actions Without Identification Or Authentication | None | None | None | AC-14
AC-15 | Automated Marking | 7.2.2 | PO2.3, DS11.6, AC2 | None | AC-15
AC-16 | Automated Labeling | 7.2.2 | PO2.3, DS11.6 | None | AC-16
AC-17 | Remote Access | 11.4.2, 11.4.3, 11.4.4 | None | 8.3, 8.5.6 | AC-17
AC-18 | Wireless Access Restrictions | 11.4.2, 11.7.1, 11.7.2 | None | 2.1.1 | AC-18
AC-19 | Access Control For Portable And Mobile Devices | 11.7.1 | None | 1.4, 12.3.10 | AC-19
AC-20 | Use Of External Information Systems | 6.1.4, 9.2.5, 11.7.1 | None | None | AC-20
AT-01 | Security Awareness And Training Policy And Procedures | 5.1.1, 8.2.2, 15.1.1 | DS7.1, PC5 | 12.6 | AT-1
AT-02 | Security Awareness | 6.2.3, 8.2.2, 10.4.1, 11.7.1, 13.1.1, 14.1.4, 15.1.4 | PO7.4 | 12.6.1a | AT-2
AT-03 | Security Training | 8.2.2, 10.3.2, 11.7.1, 13.1.1, 14.1.4 | PO7.4, DS7.2 | 12.6.1b, 12.9.4 | AT-3
AT-04 | Security Training Records | None | DS7.2 | 12.6.2 | AT-4
AT-05 | Contacts With Security Groups And Associations | 6.1.7 | None | None | AT-5
AU-01 | Audit And Accountability Policy And Procedures | 10.10, 15.1.1 | PC2, PC5 | 10.1, 12.5.1 | AU-1
AU-02 | Auditable Events | 10.10.1 | AI2.3 | 10.2 | AU-2
AU-03 | Content Of Audit Records | 10.10.1, 10.10.4 | None | 10.3 | AU-3
AU-04 | Audit Storage Capacity | 10.10.3 | None | 10.7 | AU-4
AU-05 | Response To Audit Processing Failures | 10.10.3 | None | 10.6, 12.9 | AU-5
AU-06 | Audit Monitoring, Analysis, And Reporting | 10.10.2, 10.10.4, 13.2.1 | DS5.5 | 10.6, 12.5.2, 12.9.5 | AU-6
AU-07 | Audit Reduction And Report Generation | 10.10.3 | None | None | AU-7
AU-08 | Time Stamps | 10.10.6 | None | 10.4 | AU-8
AU-09 | Protection Of Audit Information | 10.10.3, 15.1.3, 15.3.2 | None | 10.5 | AU-9
AU-10 | Non-Repudiation | 10.8.2, 10.9.1, 12.3.1 | DS5.11 | 10.5, 10.5.5 | AU-10
AU-11 | Audit Record Retention | 10.10.1, 15.1.3 | None | 10.7 | AU-11
CA-01 | Certification, Accreditation, And Security Assessment Policies And Procedures | 6.1.4, 10.3.2, 15.1.1 | PO10.12, PC5 | 12.5.1 | CA-1
CA-02 | Security Assessments | 6.1.8, 15.2.1, 15.2.2 | DS5.5 | 11.1, 11.2 | CA-2
CA-03 | Information System Connections | 10.6.2, 10.9.1, 11.4.5, 11.4.6, 11.4.7 | None | 1.1.5, 1.1.6 | CA-3
CA-04 | Security Certification | 10.3.2 | AI7.7 | 11.3 | CA-4
CA-05 | Plan Of Action And Milestones | 15.2.1 | ME2.7 | None | CA-5
CA-06 | Security Accreditation | 10.3.2 | AI7.7, DS5.5 | None | CA-6
CA-07 | Continuous Monitoring | 15.2.1, 15.2.2 | PO1.3, DS5.5 | 12.5.2, 12.9.5 | CA-7
CM-01 | Configuration Management Policy And Procedures | 12.4.1, 12.5.1, 15.1.1 | PO2.1, AI6.1, DS9.1, PC5 | 2.2a | CM-1
CM-02 | Baseline Configuration | 7.1.1, 15.1.2 | PO1.6, PO2.1, DS9.1 | 2.2, 2.1.1 | CM-2
CM-03 | Configuration Change Control | 10.1.2, 10.2.3, 12.4.1, 12.5.1, 12.5.2, 12.5.3 | AI6.1, AI6.3, DS9.2 | 6.4 | CM-3
CM-04 | Monitoring Configuration Changes | 10.1.2 | DS5.5, DS9.3 | 11.5 | CM-4
CM-05 | Access Restrictions For Change | 11.6.1 | None | 2.2 | CM-5
CM-06 | Configuration Settings | None | None | 2.2, 2.2.3 | CM-6
CM-07 | Least Functionality | None | None | 2.2.2, 2.2.4 | CM-7
CM-08 | Information System Component Inventory | 7.1.1, 15.1.2 | None | 12.3.3, 12.3.4 | CM-8
CP-01 | Contingency Planning Policy And Procedures | 5.1.1, 10.4.1, 14.1.1, 14.1.3, 15.1.1 | DS4.1, PC5 | 12.9, 12.9.1 | CP-1
CP-02 | Contingency Plan | 10.3.2, 10.4.1, 10.8.5, 14.1.3, 14.1.4 | DS4.2 | 12.9.1, 12.9.2 | CP-2
CP-03 | Contingency Training | 14.1.3, 14.1.4 | DS4.6 | 12.9.4 | CP-3
CP-04 | Contingency Plan Testing And Exercises | 10.5.1, 14.1.5 | DS4.2, DS4.5 | 12.9.2 | CP-4
CP-05 | Contingency Plan Update | 14.1.3, 14.1.5 | DS4.4 | 12.9.6 | CP-5
CP-06 | Alternate Storage Site | 10.5.1 | DS4.1, DS4.9 | None | CP-6
CP-07 | Alternate Processing Site | 14.1.4 | DS4.1, DS4.8 | None | CP-7
CP-08 | Telecommunications Services | 14.1.4 | DS4.1 | None | CP-8
CP-09 | Information System Backup | 10.5.1, 11.7.1 | DS4.2, DS4.9, DS11.5 | 12.9.1a | CP-9
CP-10 | Information System Recovery And Reconstitution | 14.1.4 | DS4.8, DS11.5 | None | CP-10
IA-01 | Identification And Authentication Policy And Procedures | 15.1.1 | DS5.3, PC5 | 12.3.2, 8.5.7 | IA-1
IA-02 | User Identification And Authentication | 11.2.3, 11.4.2, 11.5.2 | AI2.4, DS5.3 | 8.1, 8.2 | IA-2
IA-03 | Device Identification And Authentication | 11.4.2, 11.4.3, 11.7.1 | None | None | IA-3
IA-04 | Identifier Management | 11.2.3, 11.5.2 | DS5.3, DS5.4 | 8.5, 8.5.1, 8.5.5 | IA-4
IA-05 | Authenticator Management | 11.5.2, 11.5.3 | None | 8.5 | IA-5
IA-06 | Authenticator Feedback | 11.5.1 | None | None | IA-6
IA-07 | Cryptographic Module Authentication | None | None | 3.5 | IA-7
IR-01 | Incident Response Policy And Procedures | 10.4.1, 13.1, 13.2.1, 15.1.1 | PO9.5, PO9.6, DS5.6, DS8.2, PC5 | 12.9 | IR-1
IR-02 | Incident Response Training | 13.1.1 | None | 12.9.4 | IR-2
IR-03 | Incident Response Testing And Exercises | 14.1.5 | None | 12.9.2 | IR-3
IR-04 | Incident Handling | 6.1.6, 13.2.1, 13.2.2 | PO9.5, PO9.6, DS8.2 | 12.9, 12.9.1, 12.9.6 | IR-4
IR-05 | Incident Monitoring | None | DS8.2, DS8.4 | 12.9.5 | IR-5
IR-06 | Incident Reporting | 6.1.6, 6.2.2, 6.2.3, 13.1.1, 13.1.2 | DS5.6 | 12.9.1 | IR-6
IR-07 | Incident Response Assistance | 14.1.3 | DS8.1 | 12.9.3 | IR-7
MA-01 | System Maintenance Policy And Procedures | 10.1.1, 15.1.1 | PC5 | None | MA-1
MA-02 | Controlled Maintenance | 9.2.4 | AI2.10 | 9.8 | MA-2
MA-03 | Maintenance Tools | None | None | None | MA-3
MA-04 | Remote Maintenance | 11.4.4 | None | 8.5.6 | MA-4
MA-05 | Maintenance Personnel | 6.2.3, 9.2.4 | None | 8.5.6 | MA-5
MA-06 | Timely Maintenance | None | None | None | MA-6
MP-01 | Media Protection Policy And Procedures | 10.1.1, 10.7, 15.1.1, 15.1.3 | DS11.1, DS11.6, PC5 | 12.5.1 | MP-1
MP-02 | Media Access | 10.7.3 | DS11.6 | 9.6, 9.8, 9.9 | MP-2
MP-03 | Media Labeling | 7.2.2, 10.7.3, 10.8.2, 15.1.3 | DS11.6 | 9.7, 12.3.4 | MP-3
MP-04 | Media Storage | 10.7.1, 10.7.2, 10.7.3, 10.7.4, 15.1.3 | DS11.2, DS11.6 | 9.5, 9.6 | MP-4
MP-05 | Media Transport | 10.8.3 | DS11.4, DS11.6 | 9.7.2 | MP-5
MP-06 | Media Sanitization And Disposal | 9.2.6, 10.7.1, 10.7.2 | DS11.4, DS11.6 | 9.10, 9.10.1, 9.10.2 | MP-6
PE-01 | Physical And Environmental Protection Policy And Procedures | 15.1.1 | DS12.1, DS12.5, PC5 | 12.5.1 | PE-1
PE-02 | Physical Access Authorizations | 9.1.2, 9.1.6 | DS12.3 | 9.1 | PE-2
PE-03 | Physical Access Control | 9.1.1, 9.1.2, 9.1.5, 9.1.6, 10.5.1 | DS12.2 | 9.1 | PE-3
PE-04 | Access Control For Transmission Medium | 9.2.3 | DS5.7, DS12.2 | 9.1.2, 9.1.3 | PE-4
PE-05 | Access Control For Display Medium | 9.1.2, 11.3.3 | DS12.2 | None | PE-5
PE-06 | Monitoring Physical Access | 9.1.2 | DS12.3 | 9.1.1 | PE-6
PE-07 | Visitor Control | 9.1.2 | DS12.3 | 9.2, 9.3.x | PE-7
PE-08 | Access Records | 9.1.2 | DS12.3 | 9.4 | PE-8
PE-09 | Power Equipment And Power Cabling | 9.2.2, 9.2.3 | DS12.4 | None | PE-9
PE-10 | Emergency Shutoff | 9.2.2 | DS12.4 | None | PE-10
PE-11 | Emergency Power | 9.2.2 | DS12.4 | None | PE-11
PE-12 | Emergency Lighting | 9.2.2 | DS12.4 | None | PE-12
PE-13 | Fire Protection | 9.1.4, 9.2.1 | DS12.4 | None | PE-13
PE-14 | Temperature And Humidity Controls | 9.2.1, 10.5.1, 10.7.1 | DS12.4 | None | PE-14
PE-15 | Water Damage Protection | 9.1.4, 9.2.1 | DS12.4 | None | PE-15
PE-16 | Delivery And Removal | 9.1.6, 9.2.7, 10.7.1 | DS12.2 | None | PE-16
PE-17 | Alternate Work Site | 11.7.2 | None | None | PE-17
PE-18 | Location Of Information System Components | 9.2.1 | DS12.1 | None | PE-18
PE-19 | Information Leakage | None | DS12.2 | None | PE-19
PL-01 | Security Planning Policy And Procedures | 6.1, 15.1.1 | DS5.2, PC5 | 12.5.1 | PL-1
PL-02 | System Security Plan | 6.1 | PO1.4, DS5.2 | 12.1 | PL-2
PL-03 | System Security Plan Update | 6.1 | PO1.4 | 12.1 | PL-3
PL-04 | Rules Of Behavior | 7.1.3, 8.1.3, 15.1.5 | PO6.5, DS5.2, PC4 | 12.6.2 | PL-4
PL-05 | Privacy Impact Assessment | 15.1.4 | None | 3.1.1 | PL-5
PL-06 | Security-Related Activity Planning | 15.3.1 | None | None | PL-6
PS-01 | Personnel Security Policy And Procedures | 8.1.1, 15.1.1 | PO4.6, PO7.3, PC5 | 12.5.1 | PS-1
PS-02 | Position Categorization | 8.1.2 | PO4.13, PO7.3 | 12.7 | PS-2
PS-03 | Personnel Screening | 8.1.2 | PO7.6 | 12.7 | PS-3
PS-04 | Personnel Termination | 8.1.3, 8.3, 11.2.1 | PO7.8 | 8.5.4 | PS-4
PS-05 | Personnel Transfer | 8.3.1, 8.3.3, 11.2.1 | PO7.8 | 7.1.1 | PS-5
PS-06 | Access Agreements | 6.1.5, 8.1.3 | DS5.4 | 7.1.3 | PS-6
PS-07 | Third-Party Personnel Security | 6.2.1, 6.2.3, 8.1.1, 8.1.2, 8.1.3, 8.2.1, 8.2.2, 11.2.1 | PO4.14, DS2.2 | 8.5.6, 7.2.2 | PS-7
PS-08 | Personnel Sanctions | 8.2.3, 11.2.1 | None | None | PS-8
RA-01 | Risk Assessment Policy And Procedures | 4.1, 15.1.1 | PO9.1, PC5 | 12.5.1, 12.1 | RA-1
RA-02 | Security Categorization | 7.2.1 | PO9.2 | 12.1.2 | RA-2
RA-03 | Risk Assessment | 4.0, 4.1, 4.2, 6.2.1, 10.10.2, 10.10.5, 12.5.1, 12.6.1, 14.1.1, 14.1.2 | PO9.3, PO9.4, AI1.1 | 12.1.2 | RA-3
RA-04 | Risk Assessment Update | 4.1 | PO9.4 | 12.1.3 | RA-4
RA-05 | Vulnerability Scanning | 12.6.1 | PO9.3, DS5.5 | 11.1, 11.2, 11.2.1, 11.2.2, 11.2.3, 11.3 | RA-5
SA-01 | System And Services Acquisition Policy And Procedures | 12.1, 15.1.1 | AI2.5, AI5.1, PC5 | 12.5.1 | SA-1
SA-02 | Allocation Of Resources | 10.3.1 | PO1.1, PO5.2 | None | SA-2
SA-03 | Life Cycle Support | None | PO8.3, AI2.7 | 6.3 | SA-3
SA-04 | Acquisitions | 12.1.1 | AI2.4, AI5.4 | None | SA-4
SA-05 | Information System Documentation | 10.7.4 | DS5.7 | None | SA-5
SA-06 | Software Usage Restrictions | 15.1.2 | DS9.3 | None | SA-6
SA-07 | User Installed Software | 15.1.2 | DS9.3 | 12.3.7 | SA-7
SA-08 | Security Engineering Principles | 12.1 | AI2.4 | 6.3 | SA-8
SA-09 | External Information System Services | 6.2.1, 6.2.3, 10.2.1, 10.2.2, 10.6.2 | DS1.6, DS2.3, ME3.1, ME3.3 | 12.8.2 | SA-9
SA-10 | Developer Configuration Management | 12.5.1, 12.5.2 | None | 6.4.5 | SA-10
SA-11 | Developer Security Testing | 12.5.1, 12.5.2 | AI2.8 | 6.4.5.3 | SA-11
SC-01 | System And Communications Protection Policy And Procedures | 10.8.1, 15.1.1 | DS5.2, PC5 | 12.5.1 | SC-1
SC-02 | Application Partitioning | 11.4.5 | AI2.4 | 2.2.1, 1.3.7 | SC-2
SC-03 | Security Function Isolation | 11.4.5 | DS5.7 | 2.2.1 | SC-3
SC-04 | Information Remnance | 10.8.1 | None | None | SC-4
SC-05 | Denial Of Service Protection | 10.8.4, 13.2.1 | None | None | SC-5
SC-06 | Resource Priority | None | None | None | SC-6
SC-07 | Boundary Protection | 11.4.6 | DS5.10 | 1.2, 1.2.1, 1.3.1, 1.3.2, 1.3.3, 1.3.4 | SC-7
SC-08 | Transmission Integrity | 10.6.1, 10.8.1, 10.9.1 | AC6 | None | SC-8
SC-09 | Transmission Confidentiality | 10.6.1, 10.8.1, 10.9.1 | DS5.11, AC6 | 4.1, 4.1.1 | SC-9
SC-10 | Network Disconnect | 11.5.6 | None | 12.3.8 | SC-10
SC-11 | Trusted Path | 10.9.2 | DS5.11, AC6 | None | SC-11
SC-12 | Cryptographic Key Establishment And Management | 12.3.1, 12.3.2 | DS5.8 | 3.5, 3.6, 3.6.1, 3.6.2, 3.6.3, 3.6.4, 3.6.5, 3.6.6, 3.6.7, 3.6.8 | SC-12
SC-13 | Use Of Cryptography | None | DS5.8 | 3.6, 4.1.c | SC-13
SC-14 | Public Access Protections | 10.7.4, 10.9.3 | None | None | SC-14
SC-15 | Collaborative Computing | None | None | 4.2 | SC-15
SC-16 | Transmission Of Security Parameters | 7.2.2, 10.8.2, 10.9.2 | DS5.11 | None | SC-16
SC-17 | Public Key Infrastructure Certificates | 12.3.2 | None | None | SC-17
SC-18 | Mobile Code | 10.4.1, 10.4.2 | DS5.9 | None | SC-18
SC-19 | Voice Over Internet Protocol | None | None | None | SC-19
SC-20 | Secure Name / Address Resolution Service (Authoritative Source) | None | None | None | SC-20
SC-21 | Secure Name / Address Resolution Service (Recursive Or Caching Resolver) | None | None | None | SC-21
SC-22 | Architecture And Provisioning For Name / Address Resolution Service | None | None | 2.2.1 | SC-22
SC-23 | Session Authenticity | None | AC6, DS5.11 | None | SC-23
SI-01 | System And Information Integrity Policy And Procedures | 15.1.1 | PO2.4, PC5 | 12.5.1 | SI-1
SI-02 | Flaw Remediation | 10.10.5, 12.4.1, 12.5.1, 12.5.2, 12.6.1 | None | 6.1, 6.2, 11.2, 11.3 | SI-2
SI-03 | Malicious Code Protection | 10.4.1 | DS5.9 | 5.1, 5.1.1, 5.2 | SI-3
SI-04 | Information System Monitoring Tools And Techniques | 10.6.2, 10.10.1, 10.10.2, 10.10.4 | PO2.4, DS5.5, DS5.10 | 11.4, 11.5, 10.5.5, 11.1 | SI-4
SI-05 | Security Alerts And Advisories | 6.1.7, 10.4.1 | None | 12.9.6 | SI-5
SI-06 | Security Functionality Verification | None | None | None | SI-6
SI-07 | Software And Information Integrity | 12.2.1, 12.2.2, 12.2.4 | PO2.4, AI2.4, DS5.9 | 11.5 | SI-7
SI-08 | Spam Protection | None | DS5.9 | None | SI-8
SI-09 | Information Input Restrictions | 12.2.1, 12.2.2 | AC1, AC2 | None | SI-9
SI-10 | Information Accuracy, Completeness, Validity, And Authenticity | 10.7.3, 12.2.1, 12.2.2 | PO2.4, AI2.3, AI2.4, DS11.1, DS11.6, AC3, AC4, AC6 | None | SI-10
SI-11 | Error Handling | 12.2.1, 12.2.2, 12.2.3, 12.2.4 | AC5 | None | SI-11
SI-12 | Information Output Handling And Retention | 10.7.3, 12.2.4 | DS11.1, DS11.6, AC5 | 3.1.1 | SI-12