TLP:GREEN
CIS Controls and ISO 27001 (simple mapping)
Version 1.1, 06.03.2025

Sources:
  CIS Controls: CIS Critical Security Controls, v8.1
    https://www.cisecurity.org/controls
  ISO 27001:2022: ISO/IEC 27001:2022 Information security, cybersecurity and privacy protection — Information security management systems — Requirements
    https://www.iso.org/standard/27001
  ISO 27002:2022: ISO/IEC 27002:2022 Information security, cybersecurity and privacy protection — Information security controls
    https://www.iso.org/standard/75652.html

How to read the mapping: each entry below gives a CIS Critical Security Control (v8.1) with its control statement, followed by the related ISO/IEC 27001:2022 requirements and controls. Entries of the form "A.x.y" are Annex A controls (the implementation guidance for them is in ISO/IEC 27002:2022 under the same numbers); entries without the "A." prefix (e.g. 7.2, 10.2) are clauses of the ISO/IEC 27001:2022 main body, i.e. mandatory ISMS requirements rather than selectable controls.
Control 1: Inventory and Control of Enterprise Assets
Actively manage (inventory, track, and correct) all enterprise assets (end-user devices, including portable and mobile; network devices; non-computing/Internet of Things (IoT) devices; and servers) connected to the infrastructure physically, virtually, remotely, and those within cloud environments, to accurately know the totality of assets that need to be monitored and protected within the enterprise. This will also support identifying unauthorized and unmanaged assets to remove or remediate.
Related ISO 27001:2022 requirements and controls:
  A.5.9  Inventory of information and other associated assets
  A.5.10 Acceptable use of information and other associated assets
  A.5.11 Return of assets
  A.8.8  Management of technical vulnerabilities

Control 2: Inventory and Control of Software Assets
Actively manage (inventory, track, and correct) all software (operating systems and applications) on the network so that only authorized software is installed and can execute, and that unauthorized and unmanaged software is found and prevented from installation or execution.
Related ISO 27001:2022 requirements and controls:
  A.5.9  Inventory of information and other associated assets
  A.5.10 Acceptable use of information and other associated assets
  A.5.32 Intellectual property rights
  A.8.7  Protection against malware
  A.8.8  Management of technical vulnerabilities
  A.8.19 Installation of software on operational systems

Control 3: Data Protection
Develop processes and technical controls to identify, classify, securely handle, retain, and dispose of data.
Related ISO 27001:2022 requirements and controls:
  A.5.1  Policies for information security
  A.5.9  Inventory of information and other associated assets
  A.5.10 Acceptable use of information and other associated assets
  A.5.12 Classification of information
  A.5.13 Labelling of information
  A.5.14 Information transfer
  A.5.15 Access control
  A.5.18 Access rights
  A.5.33 Protection of records
  A.5.34 Privacy and protection of PII
  A.5.37 Documented operating procedures
  A.8.1  User endpoint devices
  A.8.3  Information access restriction
Andrey Prozorov, CISM, CIPP/E, CDPSE, LA 27001
TLP:GREEN | www.patreon.com/AndreyProzorov | www.linkedin.com/in/AndreyProzorov
Control 3: Data Protection (continued)
  A.8.4  Access to source code
  A.8.6  Capacity management
  A.8.12 Data leakage prevention
  A.8.20 Networks security
  A.8.22 Segregation of networks
  A.8.24 Use of cryptography

Control 4: Secure Configuration of Enterprise Assets and Software
Establish and maintain the secure configuration of enterprise assets (end-user devices, including portable and mobile; network devices; non-computing/IoT devices; and servers) and software (operating systems and applications).
Related ISO 27001:2022 requirements and controls:
  A.6.7  Remote working
  A.8.1  User endpoint devices
  A.8.2  Privileged access rights
  A.8.5  Secure authentication
  A.8.9  Configuration management
  A.8.10 Information deletion
Control 5: Account Management
Use processes and tools to assign and manage authorization to credentials for user accounts, including administrator accounts, as well as service accounts, to enterprise assets and software.
Related ISO 27001:2022 requirements and controls:
  A.5.15 Access control
  A.5.16 Identity management
  A.5.17 Authentication information
  A.8.2  Privileged access rights
  A.8.5  Secure authentication
  A.8.18 Use of privileged utility programs

Control 6: Access Control Management
Use processes and tools to create, assign, manage, and revoke access credentials and privileges for user, administrator, and service accounts for enterprise assets and software.
Related ISO 27001:2022 requirements and controls:
  A.5.3  Segregation of duties
  A.5.15 Access control
  A.5.16 Identity management
  A.5.18 Access rights
  A.6.5  Responsibilities after termination or change of employment
  A.6.7  Remote working
  A.8.2  Privileged access rights
  A.8.3  Information access restriction
  A.8.5  Secure authentication

Control 7: Continuous Vulnerability Management
Develop a plan to continuously assess and track vulnerabilities on all enterprise assets within the enterprise's infrastructure, in order to remediate, and minimize, the window of opportunity for attackers. Monitor public and private industry sources for new threat and vulnerability information.
Related ISO 27001:2022 requirements and controls:
  A.5.1  Policies for information security
  A.5.6  Contact with special interest groups
  A.5.7  Threat intelligence
  A.5.37 Documented operating procedures
  A.6.8  Information security event reporting
  A.8.8  Management of technical vulnerabilities
  A.8.19 Installation of software on operational systems

Control 8: Audit Log Management
Collect, alert, review, and retain audit logs of events that could help detect, understand, or recover from an attack.
Related ISO 27001:2022 requirements and controls:
  A.5.25 Assessment and decision on information security events
  A.5.28 Collection of evidence
  A.8.15 Logging
  A.8.16 Monitoring activities
  A.8.17 Clock synchronization
  A.8.20 Networks security
Control 9: Email and Web Browser Protections
Improve protections and detections of threats from email and web vectors, as these are opportunities for attackers to manipulate human behavior through direct engagement.
Related ISO 27001:2022 requirements and controls:
  A.8.7  Protection against malware
  A.8.12 Data leakage prevention
  A.8.23 Web filtering

Control 10: Malware Defenses
Prevent or control the installation, spread, and execution of malicious applications, code, or scripts on enterprise assets.
Related ISO 27001:2022 requirements and controls:
  A.8.1  User endpoint devices
  A.8.7  Protection against malware

Control 11: Data Recovery
Establish and maintain data recovery practices sufficient to restore in-scope enterprise assets to a pre-incident and trusted state.
Related ISO 27001:2022 requirements and controls:
  A.5.24 Information security incident management planning and preparation
  A.5.26 Response to information security incidents
  A.5.37 Documented operating procedures
  A.8.13 Information backup

Control 12: Network Infrastructure Management
Establish, implement, and actively manage (track, report, correct) network devices, in order to prevent attackers from exploiting vulnerable network services and access points.
Related ISO 27001:2022 requirements and controls:
  A.6.7  Remote working
  A.8.1  User endpoint devices
  A.8.2  Privileged access rights
  A.8.20 Networks security
  A.8.21 Security of network services
  A.8.22 Segregation of networks
  A.8.27 Secure system architecture and engineering principles

Control 13: Network Monitoring and Defense
Operate processes and tooling to establish and maintain comprehensive network monitoring and defense against security threats across the enterprise's network infrastructure and user base.
Related ISO 27001:2022 requirements and controls:
  A.6.7  Remote working
  A.8.1  User endpoint devices
  A.8.3  Information access restriction
  A.8.15 Logging
  A.8.16 Monitoring activities
  A.8.22 Segregation of networks

Control 14: Security Awareness and Skills Training
Establish and maintain a security awareness program to influence behavior among the workforce to be security conscious and properly skilled to reduce cybersecurity risks to the enterprise.
Related ISO 27001:2022 requirements and controls:
  7.2    Competence
  7.3    Awareness
  7.4    Communication
  A.5.10 Acceptable use of information and other associated assets
  A.6.3  Information security awareness, education and training
  A.6.8  Information security event reporting
  A.8.7  Protection against malware

Control 15: Service Provider Management
Develop a process to evaluate service providers who hold sensitive data, or are responsible for an enterprise's critical IT platforms or processes, to ensure these providers are protecting those platforms and data appropriately.
Related ISO 27001:2022 requirements and controls:
  A.5.1  Policies for information security
  A.5.14 Information transfer
  A.5.19 Information security in supplier relationships
  A.5.20 Addressing information security within supplier agreements
  A.5.21 Managing information security in the information and communication technology (ICT) supply chain
Control 15: Service Provider Management (continued)
  A.5.22 Monitoring, review and change management of supplier services
  A.5.23 Information security for use of cloud services

Control 16: Application Software Security
Manage the security life cycle of in-house developed, hosted, or acquired software to prevent, detect, and remediate security weaknesses before they can impact the enterprise.
Related ISO 27001:2022 requirements and controls:
  A.5.8  Information security in project management
  A.8.4  Access to source code
  A.8.8  Management of technical vulnerabilities
  A.8.25 Secure development life cycle
  A.8.26 Application security requirements
  A.8.27 Secure system architecture and engineering principles
  A.8.28 Secure coding
  A.8.29 Security testing in development and acceptance
  A.8.30 Outsourced development
  A.8.31 Separation of development, test and production environments

Control 17: Incident Response Management
Establish a program to develop and maintain an incident response capability (e.g., policies, plans, procedures, defined roles, training, and communications) to prepare, detect, and quickly respond to an attack.
Related ISO 27001:2022 requirements and controls:
  5.3    Organizational roles, responsibilities and authorities
  7.4    Communication
  A.5.2  Information security roles and responsibilities
  A.5.5  Contact with authorities
  A.5.6  Contact with special interest groups
  A.5.20 Addressing information security within supplier agreements
  A.5.24 Information security incident management planning and preparation
  A.5.25 Assessment and decision on information security events
  A.5.26 Response to information security incidents
  A.5.27 Learning from information security incidents
  A.5.28 Collection of evidence
  A.5.29 Information security during disruption
  A.5.30 ICT readiness for business continuity
  A.6.8  Information security event reporting

Control 18: Penetration Testing
Test the effectiveness and resiliency of enterprise assets through identifying and exploiting weaknesses in controls (people, processes, and technology), and simulating the objectives and actions of an attacker.
Related ISO 27001:2022 requirements and controls:
  10.2   Nonconformity and corrective action
  A.5.35 Independent review of information security
  A.8.8  Management of technical vulnerabilities