
How to use NIST SP 800-53 for the implementation of ISO 27001 controls

Updated 2022-09-07.

In my previous article, How to use the NIST SP800 series of standards for ISO 27001 implementation, I described the NIST SP 800 series (documents on computer security practices published by the National Institute of Standards and Technology, NIST) and some specific documents in it that can support an ISO 27001 implementation.

In this article, I will look in more detail at SP 800-53 Rev. 4, Security and Privacy Controls for Federal Information Systems and Organizations, which presents the security controls recommended by NIST, and at how this material can be used together with ISO 27002 to design and implement the controls listed in ISO 27001 Annex A, including the mapping between SP 800-53 and Annex A that NIST publishes in the document itself. One caveat up front: NIST superseded Rev. 4 with SP 800-53 Rev. 5 in September 2020, which reorganizes the catalog into 20 families, integrates the privacy controls into the main catalog, drops the priority codes, and moves the baselines into the separate SP 800-53B. The structure described below is that of Rev. 4; for Rev. 5, the mapping to ISO/IEC 27001 is published separately on the NIST website rather than as an appendix of the document.

SP 800-53 Rev. 4 structure

SP 800-53 Rev. 4 consists of three chapters and ten appendices (A to J):

Figure 1 – SP 800-53 Rev. 4 structure

Chapter one – Introduction: covers the document's purpose and applicability, its target audience, its relationship to other security control publications, and organizational responsibilities.

Chapter two – Fundamentals: covers the concepts used for selecting and specifying security controls, e.g., risk management (2.1), the structure of security controls (2.2), baselines (2.3), etc., with references to the more detailed NIST SP 800 documents (see the article mentioned above for more information).

Chapter three – Process: describes the process for selecting and specifying security controls.

Appendices: as shown in Figure 1, contain supporting information.

For the purpose of this article, only the most important parts of this document will be described.


Security control structure (section 2.2)

The structure of the security controls in SP 800-53 is similar to that of ISO 27001. Its 256 controls are organized into 18 families (compared with the 114 controls in 14 domains of ISO 27001:2013 Annex A), each family grouping the controls that address one general topic, as the ISO 27001 domains do.

The controls in each family may address policy, oversight, supervision, manual processes, actions by individuals, or automated mechanisms, depending on their nature (management, operational, or technical). Each control is documented in the following sections:

  • Control: states the specific security-related activities or actions to be carried out by the organization or the information system.
  • Supplemental guidance: provides additional, non-prescriptive information about the control, to be used as appropriate.
  • Control enhancements: provide additional measures that strengthen the base control, for situations in which the base control alone may not provide the required level of protection.
  • References: lists documentation relevant to the control (laws, regulations, standards, guidelines, etc.), including links to other SP 800 series documents (see the article mentioned above for some examples).
  • Priority and baseline allocation: gives the control's implementation priority code (P1 to P3, or P0 for controls not selected in any baseline) and its initial allocation, together with its enhancements, to the low, moderate, and high impact baselines.

This structure has some similarities with that of ISO 27002 (control, implementation guidance, and other information), and it provides enough detail to support the implementation of ISO 27001 Annex A (see more about Annex A here: Understanding the ISO 27001 controls from Annex A).

One of the 18 families, Program Management (PM), is listed in Appendix G rather than Appendix F: its 16 controls address the organization-wide information security program rather than individual information systems. SP 800-53 Rev. 4 also provides a separate catalog of privacy controls in Appendix J, organized into eight families of its own (AP, AR, DI, DM, IP, SE, TR, and UL), which are not counted among the 18 security control families. So the three lists of SP 800-53 controls are found in Appendices F (security controls), G (information security program controls), and J (privacy controls).

Mapping NIST SP 800-53 to ISO 27001 Annex A

Appendix H of SP 800-53 Rev. 4 maps its security controls to the controls of ISO/IEC 27001:2013 Annex A in both directions: Table H-1 goes from SP 800-53 to Annex A, and Table H-2 from Annex A to SP 800-53. Some examples from Table H-2 are:

  • A.6.1.2 Segregation of duties maps to AC-5 Separation of Duties
  • A.8.3.2 Disposal of media maps to MP-6 Media Sanitization
  • A.12.3.1 Information backup maps to CP-9 Information System Backup

This mapping can streamline the search for material that can be used to design or improve ISO 27001 security controls. However, the two sets of controls were created under different expectations (SP 800-53 was written for US federal agencies and ISO 27001 for any kind of organization), so a mapped pair is not necessarily equivalent: the NIST control may be narrower, broader, or more prescriptive than its Annex A counterpart, and a single Annex A control often maps to several SP 800-53 controls. Use the mapping as a starting point, and check each pair against the actual control text before relying on it. Note also that the Annex A numbers above are those of ISO/IEC 27001:2013, the edition the mapping was written against.

Make the whole greater than the sum of the parts

Although ISO standards provide practices recognized worldwide, that does not mean they are the definitive answer on every issue they cover. As in any situation we face, there will always be something in other sources of knowledge that we can use to improve our results.

ISO 27002 is a great source to help design ISO 27001 controls, and by combining it with SP 800-53 resources such as the control catalog, the baselines, and the priority codes, an organization can achieve better results in the implementation, management, and operation of its security controls, improving both its security level and its users' confidence.


Author: Rhand Leal

Rhand Leal has more than 15 years of experience in information security, and for six years he continuously maintained a certified Information Security Management System based on ISO 27001.


Rhand holds an MBA in Business Management from Fundação Getúlio Vargas. Among his certifications are ISO 27001 Lead Auditor, ISO 9001 Lead Auditor, Certified Information Security Manager (CISM), Certified Information Systems Security Professional (CISSP), and others. He is a member of the ISACA Brasília Chapter.