
ENISA Control Mapping

This table maps each ENISA control area and sub-domain to the corresponding controls or clauses of external standards and frameworks. The mapping columns on this page are:

  UCF Control ID
  CobiT [I27]
  ISF Standard 2007 [I34]
  ISO/IEC 24762:2008 Guidelines for ICT disaster recovery services [I12]

Further columns (ISO/IEC 27001 and 27002, ITIL, the German IT Baseline Protection Manual, BS 25999-1, NIST SP 800-34 and 800-61, PCI DSS 1.2, FIPS-200, ITU-T X.800/X.805/X.1051/X.1056, UK NICC ND 1643, ISO/IEC 27005 and 27011, KATAKRI) are listed after the rows.

Control areas and sub-domains
Row conventions: UCF = UCF Control ID; ISF = ISF Standard 2007 section (SM, CB, CI, NW and UE prefixes); CobiT = CobiT process reference (PO, AI, DS and ME prefixes); ISO/IEC 24762 = clause of ISO/IEC 24762:2008. An ellipsis marks a reference that is cut off in the source.

1. Governance and Risk Management
1.1. Analyse and document organizational objectives, functions, and activities.
     UCF: 00598, 00604
1.2. Establish and maintain the organizational compliance framework and controls for your organization.
     UCF: 01241, 00688, 00689, 00691-00694, 01260, 00695, 01636, 008…
1.3. Establish, maintain and adopt a high-level IT plan.
     UCF: 00628, 00608-00609, 01179, 00633-00634, 01609, 00871, 014…
1.4. Define an IT security policy.
     UCF: 00812, 00820, 00823, 01362-01363
1.5. Establish usage and proper behaviour policies.
     UCF: 01350
1.6. Establish and maintain formalized operations procedures.
     UCF: 00831, 00867, 00838, 04536
1.7. Establish and maintain the IT governance risk assessment framework.
     UCF: 00685-00687, 01147, 01157, 00698, 01443, 00701, 01902, 007…
1.8. Establish and maintain a project management framework.
     UCF: 00990, 01026, 01044, 00991, 01033, 01053, 01035, 01037, 01…
1.9. Establish and maintain quality assurance standards.
     UCF: 01004, 01008, 01016

2. Information Systems Acquisition and Development
2.1. Define security requirements and/or specifications for information systems acquisition and development.
     UCF: 01124, 01447
2.2. Establish and maintain procedures and standards for procuring hardware, software, services, and facilities.
     UCF: 01134, 01136, 01144, 01898-01899, 01133
2.3. Establish and maintain a software product acquisition methodology.
     UCF: 01138, 01129, 01135, 01130, 01140, 01143
2.4. Establish and maintain systems design principles, guidelines, and lifecycle documentation.
     UCF: 01057-01058, 01061, 01066, 01074, 01080-01082, 01614, 010…
2.5. Establish, develop and maintain application and systems software in accordance with design specifications and standards.
     UCF: 01094, 01141, 01096-01099
2.6. Perform quality assurance testing on all newly acquired, developed or modified systems and software.
     UCF: 01100-01103, 01106, 01317, 01108

3. Human Resources Security
3.1. Establish and maintain the IT staff structure in line with strategic goals.
     UCF: 00764-00765, 00768, 00774-00776, 00778-00779
3.2. Establish and maintain IT staff security clearances in accordance with duties and responsibilities.
     UCF: 00780
3.3. Ensure that security is part of the new personnel orientation process.
     UCF: 01633
3.4. Ensure personnel are provided with regular security training.
     UCF: 00785 | ISF: SM2.4.5(a) | CobiT: PO7.4, DS7.… | ISO/IEC 24762: § 5.9.5, § 5.…
3.5. Ensure that security knowledge is a part of personal performance appraisal.
3.6. Establish and maintain a process for managing changes in employee responsibilities and employment contracts.
3.7. Establish and maintain a process for handling policy violations and fraud.

4. Third Party Security
4.1. Establish and maintain a policy regarding management of third party services.
     UCF: 00789 | ISF: CB6.1.3(a), CB6.1.4(c), CB6.1.4(e), …

5. Physical and Environmental Security
5.1. Establish and maintain a process to maintain the facilities.
     UCF: 00710 | CobiT: DS12.5 | ISO/IEC 24762: § 6.4.3.3, § 6.14.1, § 6.14.2
5.2. Establish and maintain physical security of IT assets.
     UCF: 00718 | ISF: SM4.5.4(b) | CobiT: AI3.2, DS13.4
5.3. Establish and maintain adequate environmental controls and processes.
     UCF: 00724 | ISF: CI2.6.2(a) | CobiT: DS12.4 | ISO/IEC 24762: § 6.4.7(b), §…

6. Information Systems Operations Management
6.1. Establish and maintain operational policies and processes.
     UCF: 00806 | ISF: SM1.3.1, SM2.3.2, SM2.4… | ISO/IEC 24762: § 6.3.9, § 7.…
6.2. Establish and maintain operational roles and responsibilities.
6.3. Establish and maintain system classification scheme policy and standards.
     UCF: 00509
6.4. Establish and maintain a policy for establishing access policies and procedures.
     UCF: 00512 | ISF: SM4.4.6(b), SM7.1.3(b), … | ISO/IEC 24762: § 7.5.5
6.5. Establish a change-management program with all necessary policies and procedures to prevent unauthorized changes.
     UCF: 00886 | ISF: SM3.2.2(e) | CobiT: AI2.9, AI6.1 | ISO/IEC 24762: § 7.6.9, § 7…

7. Information System Security
7.1. Establish and maintain configuration control and status accounting for each system.
     UCF: 00863 | 6.3.1(a), 6.3… | CobiT: DS9.3
7.2. Establish and maintain a systems hardening standard and procedures.
     UCF: 00876 | ISF: SM6.2.3(b) | CobiT: AI2.5
7.3. Safeguard master copies of digital configuration items using secure physical or electronic means.
     UCF: 02131
7.4. Identify and control all network elements.
     UCF: 00529 | ISF: SM6.5.4(a) | CobiT: AI3.2
7.5. Secure access to the operating systems of all system components.
     UCF: 00551 | CobiT: AI3.2
7.6. Enforce information flow policies within the system and between interconnected systems.
     UCF: 01410 | ISF: SM4.1.7(g)
7.7. Establish and maintain a process for remote access and teleworking.
     UCF: 00559 | ISF: SM6.4.1, SM6.4.3, SM6.4… | ISO/IEC 24762: § 7.5.7
7.8. Establish and maintain a process for preventing attacks against information systems.
     UCF: 00574 | ISF: SM5.1.1 thr… | CobiT: DS5.9

8. Incident Management
8.1. Establish and maintain an incident management capability.
     UCF: 00579 | ISF: SM4.6.1, CB2.1.3(f), CB… | ISO/IEC 24762: § 5.7.5, § 7…
8.2. Establish and maintain an incident detection capability.
     UCF: 00580 | ISF: SM5.3.1 | ISO/IEC 24762: § 5.7.1
8.3. Establish and maintain an incident handling system.
     UCF: 00852
8.4. Establish and maintain a process for incident response and escalation.
     UCF: 01206 | ISF: SM4.6.4(b), SM5.4.3(d), … | ISO/IEC 24762: § 6.3.11
8.5. Establish and maintain a process for communicating events to external parties.
     UCF: 01210, 01212 | ISF: SM4.6.2(a), SM5.4.3(g)

9. Business Continuity Management
9.1. Identify the critical activities and their continuity requirements.
9.2. Establish and maintain a business continuity strategy.
     UCF: 00735 | ISF: CB2.5.6, UE6.5.7
9.3. Establish and maintain systems continuity plans.
     UCF: 00752 | ISF: SM4.7.2, CB2… | CobiT: DS4.2 | ISO/IEC 24762: § 5.12
9.4. Exercise the systems continuity plan.
     UCF: 00755 | ISF: CB2.5.3(d) | CobiT: DS4.5 | ISO/IEC 24762: § 5.10, § 7.…
9.5. Maintain and review the systems continuity plan.
     UCF: 00754 | CobiT: DS4.4
9.6. Establish and maintain a disaster recovery capability.

10. Monitoring and Security Testing
10.1. Define clearly the roles and responsibilities of all personnel involved in the monitoring and security testing process.
      UCF: 00678 | ISF: SM3.2.2(f), CB5.3.2, CI5.4.3, NW4.4.3
10.2. Establish and maintain monitoring and logging policies.
10.3. Establish monitoring and logging operations for all key systems according to the defined policies.
      UCF: 00637-00638 | ISF: SM6.5.3(c) | CobiT: ME1.1 | ISO/IEC 24762: § 6.14.10, §…
10.4. Establish and maintain a security testing and assessment policy.
      UCF: 00654 | ISO/IEC 24762: § 6.3.10, § 7.5.9, § 7.16.2
10.5. Establish and maintain a compliance monitoring and audit policy.
      UCF: 00671 | CobiT: ME2.4, ME3.3, ME3.4
10.6. Establish and maintain a plan of action for correcting deficiencies found in audits.
      UCF: 00675 | CobiT: PO9.6, ME1.6, ME2.7
10.7. Report to management on the periodic reviews of compliance checklists, audit reports, sign-off sheets, and other records.
      UCF: 01159 | ISO/IEC 24762: § 6.14.6.3
Further mapping columns of the same table:

  ISO/IEC 27001 [I23]
  ISO/IEC 27002 [I24]
  ITIL Service Support [I15]
  ITIL Security Management [I15]
  IT Baseline Protection Manual Germany [G10]
  BS 25999-1 Guide to Business Continuity Management [I10]
  NIST 800-34 [G29]
  NIST 800-61 [G30]
  PCI DSS 1.2 [I28]
  FIPS-200 [M50]
  ITU-T X.1056 (01/2009) [I18]
  ITU-T X.800 (1991) [I21]
  ITU-T X.805 (10/2003) [I31]
  UK NICC ND 1643 [M46]
  ISO/IEC 27005 Information security risk management [I25]
  ISO/IEC 27011 Information security management guidelines for telecommunications [I26]
  ITU-T X.1051 (02/2008) [I29]
  KATAKRI (FI) [G5]

The cells of these columns survive only as concatenated fragments: the boundaries between columns inside a fragment are lost, and references cut off in the source are marked with an ellipsis. The fragments are kept in page order, which follows the row order of the control areas above (sections 3 to 10); they are not assigned to individual rows here.

Fragments from the ISO/IEC 27001 to PCI DSS 1.2 columns (Annex A.x references are ISO/IEC 27001 Annex A controls):

  § 5.2.2, Ann… § 8.2.2 § 4.2.2.2 § 3.1.2 ¶ 3
  Annex A.6.2… § 10.2.1 § 12.8
  § 6.4.3.3, § 6.14.1, § 6.14.2, § 6.14.3 § 4.2.3.2
  Annex A.11.… § 11.3.3 § 9.1.3
  Annex A.9.1… § 9.2.1 § 5.1.3
  § 5.1, Annex… § 5.1.1, § 6.1.2, § 8.1.1 § 12.4
  Annex A.7.2… § 7.2.1
  Annex A.11.… § 6.2.2, § 11.6.1 § 6.2.2 § 7…
  Annex A.10.… § 10.1.2, § 12.5.1 § 2.2.3 § 6.2.b
  § 7.3.3, § 7.3.4
  § 7.3.5 § 3.1.2 ¶ 3 § 2.2
  § 7.3.8, § 7.3.9
  Annex A.11.… § 11.4.3 § 4.2.4.2
  Annex A.11.4.7
  Annex A.11.4.2
  Annex A.10.… § 10.4.1 § 4.2.4 § 3.1.2 ¶ 3, § 5…
  § 8.3, Annex… § 13.2.1 § 8.4 § 2.1 ¶ 2, § … § 12.9.1
  § 4.2.3(a) § 5.3 § 11.1, § 11.…
  § 3.3.2.2 § 4.2.1, § 4.5, § 5.2.1, § 5.5, § 6.2.1
  § 4.2.4(c) § 3.2.7, App J
  § 8.5.4, § 8.… App D (Comm…
  § 2.3.4.2, § … § 12.9.1
  Annex A.14.… § 14.1.2 § 5.4.2, § 7.… § 3.4, § 5.1, § 5.5
  § 14.1.3 § 5.5, § 8.3.… § 3.1, § 4.5, App A
  Annex A.14.… § 14.1.5 § 5.4.1, § 9.… § 3.5.1, § 3.5.4
  Annex A.14.… § 14.1.5 § 9.4
  …5.4.3, NW4.4.3
  Annex A.10.… § 10.6.1, § 10.10.1, § 10.10.2
  § 6.3.10, § 7.5.9, § 7.16.2 § 11
  § 6…

Fragments from the FIPS-200 to KATAKRI columns (the "§ 3" entries are FIPS-200 section 3 minimum security requirement families):

  § 3 6.2
  § 3 Awarene… 7.3.3.5
  § 3 5.2
  § 3
  8.1
  § 3
  9.1
  8.2
  § 3
  8.3
  § 3 Access Control (AC), § 3 Certification, Accreditation, and Security Assessments (CA)
  § 3
  § 3 7.3.1.3-4 10.1
  § 3 3-7
  § 3 6-7
  …5, § 5.2.1, § 5.5, § 6.2.1 5-7
  6-7 11.2
  6-7 11.1
  12.1
  § 3
  § 3 5-7 6.1 8.4, 8.5
  § 3 7.3.2.3
  7.3.2.3 13.1
  § 3
