CIS Controls and ISO 27001 (Simple Mapping)

The document provides a mapping between the CIS Critical Security Controls (v.8.1) and the ISO 27001:2022 requirements, detailing how each control corresponds to specific ISO standards. It outlines various controls related to asset management, data protection, access control, incident response, and more, emphasizing the importance of security practices in managing information systems. This mapping serves as a guide for organizations to align their security measures with recognized standards for effective information security management.


TLP:GREEN CIS Controls and ISO 27001 (simple mapping)

1.1, 06.03.2025

Sources:
CIS Controls: CIS Critical Security Controls, v.8.1
https://www.cisecurity.org/controls
ISO 27001:2022: ISO/IEC 27001:2022 Information security, cybersecurity and privacy protection — Information security management systems — Requirements
https://www.iso.org/standard/27001
ISO 27002:2022: ISO/IEC 27002:2022 Information security, cybersecurity and privacy protection — Information security controls
https://www.iso.org/standard/75652.html

Mapping of CIS Critical Security Controls, v.8.1 to related ISO 27001:2022 requirements and controls

Control 1: Inventory and Control of Enterprise Assets
Actively manage (inventory, track, and correct) all enterprise assets (end-user devices, including portable and mobile; network devices; non-computing/Internet of Things (IoT) devices; and servers) connected to the infrastructure physically, virtually, remotely, and those within cloud environments, to accurately know the totality of assets that need to be monitored and protected within the enterprise. This will also support identifying unauthorized and unmanaged assets to remove or remediate.
Related ISO 27001:2022 requirements and controls:
  A.5.9 Inventory of information and other associated assets
  A.5.10 Acceptable use of information and other associated assets
  A.5.11 Return of assets
  A.8.8 Management of technical vulnerabilities

Control 2: Inventory and Control of Software Assets
Actively manage (inventory, track, and correct) all software (operating systems and applications) on the network so that only authorized software is installed and can execute, and that unauthorized and unmanaged software is found and prevented from installation or execution.
Related ISO 27001:2022 requirements and controls:
  A.5.9 Inventory of information and other associated assets
  A.5.10 Acceptable use of information and other associated assets
  A.5.32 Intellectual property rights
  A.8.7 Protection against malware
  A.8.8 Management of technical vulnerabilities
  A.8.19 Installation of software on operational systems

Control 3: Data Protection
Develop processes and technical controls to identify, classify, securely handle, retain, and dispose of data.
Related ISO 27001:2022 requirements and controls:
  A.5.1 Policies for information security
  A.5.9 Inventory of information and other associated assets
  A.5.10 Acceptable use of information and other associated assets
  A.5.12 Classification of information
  A.5.13 Labelling of information
  A.5.14 Information transfer
  A.5.15 Access control
  A.5.18 Access rights
  A.5.33 Protection of records
  A.5.34 Privacy and protection of PII
  A.5.37 Documented operating procedures
  A.8.1 User endpoint devices
  A.8.3 Information access restriction
  A.8.4 Access to source code
  A.8.6 Capacity management
  A.8.12 Data leakage prevention
  A.8.20 Networks security
  A.8.22 Segregation of networks
  A.8.24 Use of cryptography

Andrey Prozorov, CISM, CIPP/E, CDPSE, LA 27001
TLP:GREEN www.patreon.com/AndreyProzorov || www.linkedin.com/in/AndreyProzorov
Control 4: Secure Configuration of Enterprise Assets and Software
Establish and maintain the secure configuration of enterprise assets (end-user devices, including portable and mobile; network devices; non-computing/IoT devices; and servers) and software (operating systems and applications).
Related ISO 27001:2022 requirements and controls:
  A.6.7 Remote working
  A.8.1 User endpoint devices
  A.8.2 Privileged access rights
  A.8.5 Secure authentication
  A.8.9 Configuration management
  A.8.10 Information deletion

Control 5: Account Management
Use processes and tools to assign and manage authorization to credentials for user accounts, including administrator accounts, as well as service accounts, to enterprise assets and software.
Related ISO 27001:2022 requirements and controls:
  A.5.15 Access control
  A.5.16 Identity management
  A.5.17 Authentication information
  A.8.2 Privileged access rights
  A.8.5 Secure authentication
  A.8.18 Use of privileged utility programs

Control 6: Access Control Management
Use processes and tools to create, assign, manage, and revoke access credentials and privileges for user, administrator, and service accounts for enterprise assets and software.
Related ISO 27001:2022 requirements and controls:
  A.5.3 Segregation of duties
  A.5.15 Access control
  A.5.16 Identity management
  A.5.18 Access rights
  A.6.5 Responsibilities after termination or change of employment
  A.6.7 Remote working
  A.8.2 Privileged access rights
  A.8.3 Information access restriction
  A.8.5 Secure authentication

Control 7: Continuous Vulnerability Management
Develop a plan to continuously assess and track vulnerabilities on all enterprise assets within the enterprise's infrastructure, in order to remediate, and minimize, the window of opportunity for attackers. Monitor public and private industry sources for new threat and vulnerability information.
Related ISO 27001:2022 requirements and controls:
  A.5.1 Policies for information security
  A.5.6 Contact with special interest groups
  A.5.7 Threat intelligence
  A.5.37 Documented operating procedures
  A.6.8 Information security event reporting
  A.8.8 Management of technical vulnerabilities
  A.8.19 Installation of software on operational systems

Control 8: Audit Log Management
Collect, alert, review, and retain audit logs of events that could help detect, understand, or recover from an attack.
Related ISO 27001:2022 requirements and controls:
  A.5.25 Assessment and decision on information security events
  A.5.28 Collection of evidence
  A.8.15 Logging
  A.8.16 Monitoring activities
  A.8.17 Clock synchronization
  A.8.20 Networks security

Control 9: Email and Web Browser Protections
Improve protections and detections of threats from email and web vectors, as these are opportunities for attackers to manipulate human behavior through direct engagement.
Related ISO 27001:2022 requirements and controls:
  A.8.7 Protection against malware
  A.8.12 Data leakage prevention
  A.8.23 Web filtering

Control 10: Malware Defenses
Prevent or control the installation, spread, and execution of malicious applications, code, or scripts on enterprise assets.
Related ISO 27001:2022 requirements and controls:
  A.8.1 User endpoint devices
  A.8.7 Protection against malware

Control 11: Data Recovery
Establish and maintain data recovery practices sufficient to restore in-scope enterprise assets to a pre-incident and trusted state.
Related ISO 27001:2022 requirements and controls:
  A.5.24 Information security incident management planning and preparation
  A.5.26 Response to information security incidents
  A.5.37 Documented operating procedures
  A.8.13 Information backup

Control 12: Network Infrastructure Management
Establish, implement, and actively manage (track, report, correct) network devices, in order to prevent attackers from exploiting vulnerable network services and access points.
Related ISO 27001:2022 requirements and controls:
  A.6.7 Remote working
  A.8.1 User endpoint devices
  A.8.2 Privileged access rights
  A.8.20 Networks security
  A.8.21 Security of network services
  A.8.22 Segregation of networks
  A.8.27 Secure system architecture and engineering principles

Control 13: Network Monitoring and Defense
Operate processes and tooling to establish and maintain comprehensive network monitoring and defense against security threats across the enterprise's network infrastructure and user base.
Related ISO 27001:2022 requirements and controls:
  A.6.7 Remote working
  A.8.1 User endpoint devices
  A.8.3 Information access restriction
  A.8.15 Logging
  A.8.16 Monitoring activities
  A.8.22 Segregation of networks

Control 14: Security Awareness and Skills Training
Establish and maintain a security awareness program to influence behavior among the workforce to be security conscious and properly skilled to reduce cybersecurity risks to the enterprise.
Related ISO 27001:2022 requirements and controls:
  7.2 Competence
  7.3 Awareness
  7.4 Communication
  A.5.10 Acceptable use of information and other associated assets
  A.6.3 Information security awareness, education and training
  A.6.8 Information security event reporting
  A.8.7 Protection against malware

Control 15: Service Provider Management
Develop a process to evaluate service providers who hold sensitive data, or are responsible for an enterprise's critical IT platforms or processes, to ensure these providers are protecting those platforms and data appropriately.
Related ISO 27001:2022 requirements and controls:
  A.5.1 Policies for information security
  A.5.14 Information transfer
  A.5.19 Information security in supplier relationships
  A.5.20 Addressing information security within supplier agreements
  A.5.21 Managing information security in the information and communication technology (ICT) supply chain
  A.5.22 Monitoring, review and change management of supplier services
  A.5.23 Information security for use of cloud services
Control 16: Application Software Security
Manage the security life cycle of in-house developed, hosted, or acquired software to prevent, detect, and remediate security weaknesses before they can impact the enterprise.
Related ISO 27001:2022 requirements and controls:
  A.5.8 Information security in project management
  A.8.4 Access to source code
  A.8.8 Management of technical vulnerabilities
  A.8.25 Secure development life cycle
  A.8.26 Application security requirements
  A.8.27 Secure system architecture and engineering principles
  A.8.28 Secure coding
  A.8.29 Security testing in development and acceptance
  A.8.30 Outsourced development
  A.8.31 Separation of development, test and production environments

Control 17: Incident Response Management
Establish a program to develop and maintain an incident response capability (e.g., policies, plans, procedures, defined roles, training, and communications) to prepare, detect, and quickly respond to an attack.
Related ISO 27001:2022 requirements and controls:
  5.3 Organizational roles, responsibilities and authorities
  7.4 Communication
  A.5.2 Information security roles and responsibilities
  A.5.5 Contact with authorities
  A.5.6 Contact with special interest groups
  A.5.20 Addressing information security within supplier agreements
  A.5.24 Information security incident management planning and preparation
  A.5.25 Assessment and decision on information security events
  A.5.26 Response to information security incidents
  A.5.27 Learning from information security incidents
  A.5.28 Collection of evidence
  A.5.29 Information security during disruption
  A.5.30 ICT readiness for business continuity
  A.6.8 Information security event reporting

Control 18: Penetration Testing
Test the effectiveness and resiliency of enterprise assets through identifying and exploiting weaknesses in controls (people, processes, and technology), and simulating the objectives and actions of an attacker.
Related ISO 27001:2022 requirements and controls:
  10.2 Nonconformity and corrective action
  A.5.35 Independent review of information security
  A.8.8 Management of technical vulnerabilities
