This worksheet is the culmination of over a decade of measuring the maturity of various security programs. This current iteration is founded on the 2018 NIST Cybersecurity Framework (CSF) with the addition of maturity levels for both policy and practice.
* Policy Maturity: How well do your corporate policies, procedures, standards, and guidelines satisfy the NIST CSF requirements?
* Practice Maturity: How well do your actual operational practices satisfy the NIST CSF requirements regardless of what your policies & standards say?
The goal of the Maturity Level descriptions is to provide some guidance around what good practices look like. If, for example, you believe that a 5% policy exception rate is too high for a Level 3 maturity, feel free to change it to better suit your needs.
Finally, this is in no way intended to infringe upon any work the good folks over at NIST have done. All of the questions and associated information on the ‘NIST CSF Details’ tab is completely owned by NIST. Certain cells are protected so the user doesn't accidentally step on a formula. You can unprotect the worksheet using password '2018NISTCMM'.
NIST CSF Framework v1.1 (April, 2018) - https://www.nist.gov/cyberframework
NIST Privacy Framework 1.0 (January, 2020) - https://www.nist.gov/privacy-framework
I hope you find this useful.
Email inquiries/suggestions to John@JohnMasserini.com
Directions:
1) Review the ‘Maturity Levels’ tab to gain an understanding of how to rank each of the controls in the ‘NIST CSF Details’ tab. There are different meanings for each level of maturity between the policy column and the practices column.
2) On the ‘CSF Summary’ tab, review the Target Scores for applicability within your organization. In most cases, the target of some controls will be different than others. This is meant to be an ‘end goal’ of what you think the right level of control is for your organization.
3) Using the 1-5 values in the Maturity tab, enter a value in each of the Policy/Practice cells. In order to provide as much functionality as possible, you are not locked into a hard 0-5 value; partial values (i.e. 2.5) are permitted. Sample values are provided only to demonstrate the functionality of the chart on the ‘CSF Summary’ page.
Change Log
* Feb/28/2022 - Release 2.1 - Corrected cell reference in Privacy Summary tab (E5-E6) which resulted in incorrect calculations and cleaned up references in NIST Summary for consistency.
* Feb/18/2022 - Release 2.0. Added Privacy Framework. Reworked formulas to support easier future updates.
* Jan/19/2019 - Release 1.0. Original Release.
Maturity Levels
Columns: Maturity Level / Expectation of Policy Maturity Level / Expectation of Process Maturity Level

Level 1 - Initial
  Policy: Policy or standard does not exist or is not formally approved by management.
  Process: Standard process does not exist.

Level 2 - Repeatable
  Policy: Policy or standard exists, but has not been reviewed in more than 2 years.
  Process: Ad-hoc process exists and is done informally.

Level 3 - Defined
  Policy: Policy and standard exists with formal management approval. Policy exceptions are documented, approved and occur less than 5% of the time.
  Process: Formal process exists and is documented. Evidence can be provided for most activities. Less than 10% exceptions.

Level 4 - Managed
  Policy: Policy and standard exists with formal management approval. Policy exceptions are documented, approved and occur less than 3% of the time.
  Process: Formal process exists and is documented. Evidence can be provided for all activities and detailed metrics of the process are captured and reported. Minimal target for metrics has been established. Less than 5% of process exceptions occur with minimal recurring exceptions.

Level 5 - Optimizing
  Policy: Policy and standard exists with formal management approval. Policy exceptions are documented, approved and occur less than 0.5% of the time.
  Process: Formal process exists and is documented. Evidence can be provided for all activities and detailed metrics of the process are captured and reported. Minimal target for metrics has been established and continually improving. Less than 1% of process exceptions occur.
CSF Summary (sample values)

NIST CSF 1.1 Categories                                           Target Score  Policy Score  Practice Score
Overall                                                           3.00          3.02          2.70

IDENTIFY (ID)
  Asset Management (ID.AM)                                        3.00          3.42          2.00
  Business Environment (ID.BE)                                    3.00          3.00          1.00
  Governance (ID.GV)                                              3.00          5.00          3.00
  Risk Assessment (ID.RA)                                         3.00          2.00          4.00
  Risk Management Strategy (ID.RM)                                3.00          4.00          2.00
  Supply Chain Risk Management (ID.SC)                            3.00          1.00          3.00

PROTECT (PR)
  Identity Management, Authentication and Access Control (PR.AC)  3.00          3.00          1.00
  Awareness and Training (PR.AT)                                  3.00          5.00          3.00
  Data Security (PR.DS)                                           3.00          1.00          3.00
  Information Protection Processes and Procedures (PR.IP)         3.00          3.00          1.00
  Maintenance (PR.MA)                                             3.00          5.00          4.00
  Protective Technology (PR.PT)                                   3.00          1.00          2.00

DETECT (DE)
  Anomalies and Events (DE.AE)                                    3.00          3.00          5.00
  Security Continuous Monitoring (DE.CM)                          3.00          5.00          2.00
  Detection Processes (DE.DP)                                     3.00          2.00          3.00

RESPOND (RS)
  Response Planning (RS.RP)                                       3.00          4.00          1.00
  Communications (RS.CO)                                          3.00          1.00          4.00
  Analysis (RS.AN)                                                3.00          2.00          5.00
  Mitigation (RS.MI)                                              3.00          3.00          2.00
  Improvements (RS.IM)                                            3.00          4.00          2.00

RECOVER (RC)
  Recovery Planning (RC.RP)                                       3.00          5.00          3.00
  Improvements (RC.IM)                                            3.00          1.00          3.00
  Communications (RC.CO)                                          3.00          3.00          3.00
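The roll-up behind the CSF Summary scores, as an added example in Python (this is not code from the workbook and the worksheet itself uses spreadsheet formulas). It reproduces the sample values on the page: a category's Policy Score is the mean of its subcategory policy scores (the 3.42 for ID.AM comes from the six ID.AM subcategory scores in the Policy Maturity column), and the Overall row is the mean of the category scores; that second rule is an assumption that the sample values confirm. It also adds one check the spreadsheet does not enforce, that every entered score lies on the 0-5 scale, with partial values such as 2.5 allowed as the directions say. The `below_target` report is an addition, not a tab of the workbook.

```python
"""Score roll-up for a NIST CSF policy/practice maturity worksheet.

Added example, not part of the original workbook. Sample values are the
ones shown on the CSF Summary tab and the ID.AM rows of the details tab.
"""
from statistics import mean

MIN_SCORE, MAX_SCORE = 0.0, 5.0

# Target Score is 3.00 for every category in the sample.
TARGET = 3.0

# Category scores copied from the CSF Summary tab (sample values).
SAMPLE_POLICY = {
    "ID.AM": 3.42, "ID.BE": 3.00, "ID.GV": 5.00, "ID.RA": 2.00, "ID.RM": 4.00, "ID.SC": 1.00,
    "PR.AC": 3.00, "PR.AT": 5.00, "PR.DS": 1.00, "PR.IP": 3.00, "PR.MA": 5.00, "PR.PT": 1.00,
    "DE.AE": 3.00, "DE.CM": 5.00, "DE.DP": 2.00,
    "RS.RP": 4.00, "RS.CO": 1.00, "RS.AN": 2.00, "RS.MI": 3.00, "RS.IM": 4.00,
    "RC.RP": 5.00, "RC.IM": 1.00, "RC.CO": 3.00,
}
SAMPLE_PRACTICE = {
    "ID.AM": 2.00, "ID.BE": 1.00, "ID.GV": 3.00, "ID.RA": 4.00, "ID.RM": 2.00, "ID.SC": 3.00,
    "PR.AC": 1.00, "PR.AT": 3.00, "PR.DS": 3.00, "PR.IP": 1.00, "PR.MA": 4.00, "PR.PT": 2.00,
    "DE.AE": 5.00, "DE.CM": 2.00, "DE.DP": 3.00,
    "RS.RP": 1.00, "RS.CO": 4.00, "RS.AN": 5.00, "RS.MI": 2.00, "RS.IM": 2.00,
    "RC.RP": 3.00, "RC.IM": 3.00, "RC.CO": 3.00,
}
# Subcategory policy scores for ID.AM, from the Policy Maturity column (sample values).
ID_AM_POLICY = {"ID.AM-1": 4.3, "ID.AM-2": 4.0, "ID.AM-3": 1.2,
                "ID.AM-4": 4.0, "ID.AM-5": 4.0, "ID.AM-6": 3.0}


def validate_score(value):
    """Accept any number on the 0-5 scale (2.5 is fine); reject everything else.
    The worksheet leaves these cells unconstrained, so this check is an addition."""
    score = float(value)
    if not MIN_SCORE <= score <= MAX_SCORE:
        raise ValueError(f"score {score} is outside the {MIN_SCORE:g}-{MAX_SCORE:g} scale")
    return score


def category_score(subcategory_scores):
    """Category score: mean of its subcategory scores, shown to two decimals."""
    scores = [validate_score(s) for s in subcategory_scores.values()]
    if not scores:
        raise ValueError("a category needs at least one scored subcategory")
    return round(mean(scores), 2)


def overall_score(category_scores):
    """Overall row: mean of the category scores (assumption confirmed by the
    sample values: 69.42 / 23 = 3.02 for policy, 62 / 23 = 2.70 for practice)."""
    scores = [validate_score(s) for s in category_scores.values()]
    return round(mean(scores), 2)


def below_target(category_scores, target=TARGET):
    """Categories scoring under their target ('end goal'), largest gap first.
    This is the list the radar chart is meant to make visible at a glance."""
    gaps = [(cat, round(target - s, 2)) for cat, s in category_scores.items() if s < target]
    return sorted(gaps, key=lambda g: g[1], reverse=True)


if __name__ == "__main__":
    print("ID.AM policy score:", category_score(ID_AM_POLICY))
    print("Overall policy score:", overall_score(SAMPLE_POLICY))
    print("Overall practice score:", overall_score(SAMPLE_PRACTICE))
    for cat, gap in below_target(SAMPLE_PRACTICE):
        print(f"{cat}: practice maturity {gap} below target")
```

Because the Overall row averages categories rather than subcategories, a category with many subcategories (PR.IP has twelve) weighs the same as one with a single subcategory (RS.RP); keep that in mind when comparing two assessments whose targets differ per category.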
[Chart: "NIST Cyber Security Framework Maturity" radar chart of Target Score, Policy Score and Practice Score per category, axis 0.0 to 5.0; legend: 5 - Optimal, 4 - Managed, 3 - Defined, 2 - Acknowledged, 1 - Initial, 0 - Non-existent]
NIST CSF Details (Function / Category / Subcategory)

IDENTIFY (ID)

Asset Management (ID.AM): The data, personnel, devices, systems, and facilities that enable the organization to achieve business purposes are identified and managed consistent with their relative importance to organizational objectives and the organization’s risk strategy.
* ID.AM-1: Physical devices and systems within the organization are inventoried
* ID.AM-2: Software platforms and applications within the organization are inventoried
* ID.AM-3: Organizational communication and data flows are mapped
* ID.AM-4: External information systems are catalogued
* ID.AM-5: Resources (e.g., hardware, devices, data, time, personnel, and software) are prioritized based on their classification, criticality, and business value
* ID.AM-6: Cybersecurity roles and responsibilities for the entire workforce and third-party stakeholders (e.g., suppliers, customers, partners) are established

Business Environment (ID.BE): The organization’s mission, objectives, stakeholders, and activities are understood and prioritized; this information is used to inform cybersecurity roles, responsibilities, and risk management decisions.
* ID.BE-1: The organization’s role in the supply chain is identified and communicated
* ID.BE-2: The organization’s place in critical infrastructure and its industry sector is identified and communicated
* ID.BE-3: Priorities for organizational mission, objectives, and activities are established and communicated
* ID.BE-4: Dependencies and critical functions for delivery of critical services are established
* ID.BE-5: Resilience requirements to support delivery of critical services are established for all operating states (e.g. under duress/attack, during recovery, normal operations)

Governance (ID.GV): The policies, procedures, and processes to manage and monitor the organization’s regulatory, legal, risk, environmental, and operational requirements are understood and inform the management of cybersecurity risk.
* ID.GV-1: Organizational cybersecurity policy is established and communicated
* ID.GV-2: Cybersecurity roles and responsibilities are coordinated and aligned with internal roles and external partners
* ID.GV-3: Legal and regulatory requirements regarding cybersecurity, including privacy and civil liberties obligations, are understood and managed
* ID.GV-4: Governance and risk management processes address cybersecurity risks

Risk Assessment (ID.RA): The organization understands the cybersecurity risk to organizational operations (including mission, functions, image, or reputation), organizational assets, and individuals.
* ID.RA-1: Asset vulnerabilities are identified and documented
* ID.RA-2: Cyber threat intelligence is received from information sharing forums and sources
* ID.RA-3: Threats, both internal and external, are identified and documented
* ID.RA-4: Potential business impacts and likelihoods are identified
* ID.RA-5: Threats, vulnerabilities, likelihoods, and impacts are used to determine risk
* ID.RA-6: Risk responses are identified and prioritized

Risk Management Strategy (ID.RM): The organization’s priorities, constraints, risk tolerances, and assumptions are established and used to support operational risk decisions.
* ID.RM-1: Risk management processes are established, managed, and agreed to by organizational stakeholders
* ID.RM-2: Organizational risk tolerance is determined and clearly expressed
* ID.RM-3: The organization’s determination of risk tolerance is informed by its role in critical infrastructure and sector specific risk analysis

Supply Chain Risk Management (ID.SC): The organization’s priorities, constraints, risk tolerances, and assumptions are established and used to support risk decisions associated with managing supply chain risk. The organization has established and implemented the processes to identify, assess and manage supply chain risks.
* ID.SC-1: Cyber supply chain risk management processes are identified, established, assessed, managed, and agreed to by organizational stakeholders
* ID.SC-2: Suppliers and third party partners of information systems, components, and services are identified, prioritized, and assessed using a cyber supply chain risk assessment process
* ID.SC-3: Contracts with suppliers and third-party partners are used to implement appropriate measures designed to meet the objectives of an organization’s cybersecurity program and Cyber Supply Chain Risk Management Plan.
* ID.SC-4: Suppliers and third-party partners are routinely assessed using audits, test results, or other forms of evaluations to confirm they are meeting their contractual obligations.
* ID.SC-5: Response and recovery planning and testing are conducted with suppliers and third-party providers

PROTECT (PR)

Identity Management, Authentication and Access Control (PR.AC): Access to physical and logical assets and associated facilities is limited to authorized users, processes, and devices, and is managed consistent with the assessed risk of unauthorized access to authorized activities and transactions.
* PR.AC-1: Identities and credentials are issued, managed, verified, revoked, and audited for authorized devices, users and processes
* PR.AC-2: Physical access to assets is managed and protected
* PR.AC-3: Remote access is managed
* PR.AC-4: Access permissions and authorizations are managed, incorporating the principles of least privilege and separation of duties
* PR.AC-5: Network integrity is protected (e.g., network segregation, network segmentation)
* PR.AC-6: Identities are proofed and bound to credentials and asserted in interactions
* PR.AC-7: Users, devices, and other assets are authenticated (e.g., single-factor, multi-factor) commensurate with the risk of the transaction (e.g., individuals’ security and privacy risks and other organizational risks)

Awareness and Training (PR.AT): The organization’s personnel and partners are provided cybersecurity awareness education and are trained to perform their cybersecurity-related duties and responsibilities consistent with related policies, procedures, and agreements.
* PR.AT-1: All users are informed and trained
* PR.AT-2: Privileged users understand their roles and responsibilities
* PR.AT-3: Third-party stakeholders (e.g., suppliers, customers, partners) understand their roles and responsibilities
* PR.AT-4: Senior executives understand their roles and responsibilities
* PR.AT-5: Physical and cybersecurity personnel understand their roles and responsibilities

Data Security (PR.DS): Information and records (data) are managed consistent with the organization’s risk strategy to protect the confidentiality, integrity, and availability of information.
* PR.DS-1: Data-at-rest is protected
* PR.DS-2: Data-in-transit is protected
* PR.DS-3: Assets are formally managed throughout removal, transfers, and disposition
* PR.DS-4: Adequate capacity to ensure availability is maintained
* PR.DS-5: Protections against data leaks are implemented
* PR.DS-6: Integrity checking mechanisms are used to verify software, firmware, and information integrity
* PR.DS-7: The development and testing environment(s) are separate from the production environment
* PR.DS-8: Integrity checking mechanisms are used to verify hardware integrity

Information Protection Processes and Procedures (PR.IP): Security policies (that address purpose, scope, roles, responsibilities, management commitment, and coordination among organizational entities), processes, and procedures are maintained and used to manage protection of information systems and assets.
* PR.IP-1: A baseline configuration of information technology/industrial control systems is created and maintained incorporating security principles (e.g. concept of least functionality)
* PR.IP-2: A System Development Life Cycle to manage systems is implemented
* PR.IP-3: Configuration change control processes are in place
* PR.IP-4: Backups of information are conducted, maintained, and tested
* PR.IP-5: Policy and regulations regarding the physical operating environment for organizational assets are met
* PR.IP-6: Data is destroyed according to policy
* PR.IP-7: Protection processes are improved
* PR.IP-8: Effectiveness of protection technologies is shared
* PR.IP-9: Response plans (Incident Response and Business Continuity) and recovery plans (Incident Recovery and Disaster Recovery) are in place and managed
* PR.IP-10: Response and recovery plans are tested
* PR.IP-11: Cybersecurity is included in human resources practices (e.g., deprovisioning, personnel screening)
* PR.IP-12: A vulnerability management plan is developed and implemented

Maintenance (PR.MA): Maintenance and repairs of industrial control and information system components are performed consistent with policies and procedures.
* PR.MA-1: Maintenance and repair of organizational assets are performed and logged, with approved and controlled tools
* PR.MA-2: Remote maintenance of organizational assets is approved, logged, and performed in a manner that prevents unauthorized access

Protective Technology (PR.PT): Technical security solutions are managed to ensure the security and resilience of systems and assets, consistent with related policies, procedures, and agreements.
* PR.PT-1: Audit/log records are determined, documented, implemented, and reviewed in accordance with policy
* PR.PT-2: Removable media is protected and its use restricted according to policy
* PR.PT-3: The principle of least functionality is incorporated by configuring systems to provide only essential capabilities
* PR.PT-4: Communications and control networks are protected
* PR.PT-5: Mechanisms (e.g., failsafe, load balancing, hot swap) are implemented to achieve resilience requirements in normal and adverse situations

DETECT (DE)

Anomalies and Events (DE.AE): Anomalous activity is detected and the potential impact of events is understood.
* DE.AE-1: A baseline of network operations and expected data flows for users and systems is established and managed
* DE.AE-2: Detected events are analyzed to understand attack targets and methods
* DE.AE-3: Event data are collected and correlated from multiple sources and sensors
* DE.AE-4: Impact of events is determined
* DE.AE-5: Incident alert thresholds are established

Security Continuous Monitoring (DE.CM): The information system and assets are monitored to identify cybersecurity events and verify the effectiveness of protective measures.
* DE.CM-1: The network is monitored to detect potential cybersecurity events
* DE.CM-2: The physical environment is monitored to detect potential cybersecurity events
* DE.CM-3: Personnel activity is monitored to detect potential cybersecurity events
* DE.CM-4: Malicious code is detected
* DE.CM-5: Unauthorized mobile code is detected
* DE.CM-6: External service provider activity is monitored to detect potential cybersecurity events
* DE.CM-7: Monitoring for unauthorized personnel, connections, devices, and software is performed
* DE.CM-8: Vulnerability scans are performed

Detection Processes (DE.DP): Detection processes and procedures are maintained and tested to ensure awareness of anomalous events.
* DE.DP-1: Roles and responsibilities for detection are well defined to ensure accountability
* DE.DP-2: Detection activities comply with all applicable requirements
* DE.DP-3: Detection processes are tested
* DE.DP-4: Event detection information is communicated
* DE.DP-5: Detection processes are continuously improved

RESPOND (RS)

Response Planning (RS.RP): Response processes and procedures are executed and maintained, to ensure response to detected cybersecurity incidents.
* RS.RP-1: Response plan is executed during or after an incident

Communications (RS.CO): Response activities are coordinated with internal and external stakeholders (e.g. external support from law enforcement agencies).
* RS.CO-1: Personnel know their roles and order of operations when a response is needed
* RS.CO-2: Incidents are reported consistent with established criteria
* RS.CO-3: Information is shared consistent with response plans
* RS.CO-4: Coordination with stakeholders occurs consistent with response plans
* RS.CO-5: Voluntary information sharing occurs with external stakeholders to achieve broader cybersecurity situational awareness

Analysis (RS.AN): Analysis is conducted to ensure effective response and support recovery activities.
* RS.AN-1: Notifications from detection systems are investigated
* RS.AN-2: The impact of the incident is understood
* RS.AN-3: Forensics are performed
* RS.AN-4: Incidents are categorized consistent with response plans
* RS.AN-5: Processes are established to receive, analyze and respond to vulnerabilities disclosed to the organization from internal and external sources (e.g. internal testing, security bulletins, or security researchers)

Mitigation (RS.MI): Activities are performed to prevent expansion of an event, mitigate its effects, and resolve the incident.
* RS.MI-1: Incidents are contained
* RS.MI-2: Incidents are mitigated
* RS.MI-3: Newly identified vulnerabilities are mitigated or documented as accepted risks

Improvements (RS.IM): Organizational response activities are improved by incorporating lessons learned from current and previous detection/response activities.
* RS.IM-1: Response plans incorporate lessons learned
* RS.IM-2: Response strategies are updated

RECOVER (RC)

Recovery Planning (RC.RP): Recovery processes and procedures are executed and maintained to ensure restoration of systems or assets affected by cybersecurity incidents.
* RC.RP-1: Recovery plan is executed during or after a cybersecurity incident

Improvements (RC.IM): Recovery planning and processes are improved by incorporating lessons learned into future activities.
* RC.IM-1: Recovery plans incorporate lessons learned
* RC.IM-2: Recovery strategies are updated

Communications (RC.CO): Restoration activities are coordinated with internal and external parties (e.g. coordinating centers, Internet Service Providers, owners of attacking systems, victims, other CSIRTs, and vendors).
* RC.CO-1: Public relations are managed
* RC.CO-2: Reputation is repaired after an incident
* RC.CO-3: Recovery activities are communicated to internal and external stakeholders as well as executive and management teams
Informative References and Policy Maturity (sample values) per subcategory

ID.AM-1 (Policy Maturity 4.3)
· CIS CSC 1
· COBIT 5 BAI09.01, BAI09.02
· ISA 62443-2-1:2009 4.2.3.4
· ISA 62443-3-3:2013 SR 7.8
· ISO/IEC 27001:2013 A.8.1.1, A.8.1.2
· NIST SP 800-53 Rev. 4 CM-8, PM-5

ID.AM-2 (Policy Maturity 4.0)
· CIS CSC 2
· COBIT 5 BAI09.01, BAI09.02, BAI09.05
· ISA 62443-2-1:2009 4.2.3.4
· ISA 62443-3-3:2013 SR 7.8
· ISO/IEC 27001:2013 A.8.1.1, A.8.1.2, A.12.5.1
· NIST SP 800-53 Rev. 4 CM-8, PM-5

ID.AM-3 (Policy Maturity 1.2)
· CIS CSC 12
· COBIT 5 DSS05.02
· ISA 62443-2-1:2009 4.2.3.4
· ISO/IEC 27001:2013 A.13.2.1, A.13.2.2
· NIST SP 800-53 Rev. 4 AC-4, CA-3, CA-9, PL-8

ID.AM-4 (Policy Maturity 4.0)
· CIS CSC 12
· COBIT 5 APO02.02, APO10.04, DSS01.02
· ISO/IEC 27001:2013 A.11.2.6
· NIST SP 800-53 Rev. 4 AC-20, SA-9

ID.AM-5 (Policy Maturity 4.0)
· CIS CSC 13, 14
· COBIT 5 APO03.03, APO03.04, APO12.01, BAI04.02, BAI09.02
· ISA 62443-2-1:2009 4.2.3.6
· ISO/IEC 27001:2013 A.8.2.1
· NIST SP 800-53 Rev. 4 CP-2, RA-2, SA-14, SC-6

ID.AM-6 (Policy Maturity 3.0)
· CIS CSC 17, 19
· COBIT 5 APO01.02, APO07.06, APO13.01, DSS06.03
· ISA 62443-2-1:2009 4.3.2.3.3
· ISO/IEC 27001:2013 A.6.1.1
· NIST SP 800-53 Rev. 4 CP-2, PS-7, PM-11

ID.BE-1 (Policy Maturity 3.0)
· COBIT 5 APO08.01, APO08.04, APO08.05, APO10.03, APO10.04, APO10.05
· ISO/IEC 27001:2013 A.15.1.1, A.15.1.2, A.15.1.3, A.15.2.1, A.15.2.2
· NIST SP 800-53 Rev. 4 CP-2, SA-12

ID.BE-2 (Policy Maturity 3.0)
· COBIT 5 APO02.06, APO03.01
· ISO/IEC 27001:2013 Clause 4.1
· NIST SP 800-53 Rev. 4 PM-8

ID.BE-3 (Policy Maturity 3.0)
· COBIT 5 APO02.01, APO02.06, APO03.01
· ISA 62443-2-1:2009 4.2.2.1, 4.2.3.6
· NIST SP 800-53 Rev. 4 PM-11, SA-14

ID.BE-4 (Policy Maturity 3.0)
· COBIT 5 APO10.01, BAI04.02, BAI09.02
· ISO/IEC 27001:2013 A.11.2.2, A.11.2.3, A.12.1.3
· NIST SP 800-53 Rev. 4 CP-8, PE-9, PE-11, PM-8, SA-14

ID.BE-5 (Policy Maturity 3.0)
· COBIT 5 BAI03.02, DSS04.02
· ISO/IEC 27001:2013 A.11.1.4, A.17.1.1, A.17.1.2, A.17.2.1
· NIST SP 800-53 Rev. 4 CP-2, CP-11, SA-13, SA-14

ID.GV-1 (Policy Maturity 5.0)
· CIS CSC 19
· COBIT 5 APO01.03, APO13.01, EDM01.01, EDM01.02
· ISA 62443-2-1:2009 4.3.2.6
· ISO/IEC 27001:2013 A.5.1.1
· NIST SP 800-53 Rev. 4 -1 controls from all security control families

ID.GV-2 (Policy Maturity 5.0)
· CIS CSC 19
· COBIT 5 APO01.02, APO10.03, APO13.02, DSS05.04
· ISA 62443-2-1:2009 4.3.2.3.3
· ISO/IEC 27001:2013 A.6.1.1, A.7.2.1, A.15.1.1
· NIST SP 800-53 Rev. 4 PS-7, PM-1, PM-2

ID.GV-3 (Policy Maturity 5.0)
· CIS CSC 19
· COBIT 5 BAI02.01, MEA03.01, MEA03.04
· ISA 62443-2-1:2009 4.4.3.7
· ISO/IEC 27001:2013 A.18.1.1, A.18.1.2, A.18.1.3, A.18.1.4, A.18.1.5
· NIST SP 800-53 Rev. 4 -1 controls from all security control families

ID.GV-4 (Policy Maturity 5.0)
· COBIT 5 EDM03.02, APO12.02, APO12.05, DSS04.02
· ISA 62443-2-1:2009 4.2.3.1, 4.2.3.3, 4.2.3.8, 4.2.3.9, 4.2.3.11, 4.3.2.4.3, 4.3.2.6.3
· ISO/IEC 27001:2013 Clause 6
· NIST SP 800-53 Rev. 4 SA-2, PM-3, PM-7, PM-9, PM-10, PM-11

ID.RA-1 (Policy Maturity 2.0)
· CIS CSC 4
· COBIT 5 APO12.01, APO12.02, APO12.03, APO12.04, DSS05.01, DSS05.02
· ISA 62443-2-1:2009 4.2.3, 4.2.3.7, 4.2.3.9, 4.2.3.12
· ISO/IEC 27001:2013 A.12.6.1, A.18.2.3
· NIST SP 800-53 Rev. 4 CA-2, CA-7, CA-8, RA-3, RA-5, SA-5, SA-11, SI-2, SI-4, SI-5

ID.RA-2 (Policy Maturity 2.0)
· CIS CSC 4
· COBIT 5 BAI08.01
· ISA 62443-2-1:2009 4.2.3, 4.2.3.9, 4.2.3.12
· ISO/IEC 27001:2013 A.6.1.4
· NIST SP 800-53 Rev. 4 SI-5, PM-15, PM-16

ID.RA-3 (Policy Maturity 2.0)
· CIS CSC 4
· COBIT 5 APO12.01, APO12.02, APO12.03, APO12.04
· ISA 62443-2-1:2009 4.2.3, 4.2.3.9, 4.2.3.12
· ISO/IEC 27001:2013 Clause 6.1.2
· NIST SP 800-53 Rev. 4 RA-3, SI-5, PM-12, PM-16

ID.RA-4 (Policy Maturity 2.0)
· CIS CSC 4
· COBIT 5 DSS04.02
· ISA 62443-2-1:2009 4.2.3, 4.2.3.9, 4.2.3.12
· ISO/IEC 27001:2013 A.16.1.6, Clause 6.1.2
· NIST SP 800-53 Rev. 4 RA-2, RA-3, SA-14, PM-9, PM-11

ID.RA-5 (Policy Maturity 2.0)
· CIS CSC 4
· COBIT 5 APO12.02
· ISO/IEC 27001:2013 A.12.6.1
· NIST SP 800-53 Rev. 4 RA-2, RA-3, PM-16

ID.RA-6 (Policy Maturity 2.0)
· CIS CSC 4
· COBIT 5 APO12.05, APO13.02
· ISO/IEC 27001:2013 Clause 6.1.3
· NIST SP 800-53 Rev. 4 PM-4, PM-9

ID.RM-1 (Policy Maturity 4.0)
· CIS CSC 4
· COBIT 5 APO12.04, APO12.05, APO13.02, BAI02.03, BAI04.02
· ISA 62443-2-1:2009 4.3.4.2
· ISO/IEC 27001:2013 Clause 6.1.3, Clause 8.3, Clause 9.3
· NIST SP 800-53 Rev. 4 PM-9

ID.RM-2 (Policy Maturity 4.0)
· COBIT 5 APO12.06
· ISA 62443-2-1:2009 4.3.2.6.5
· ISO/IEC 27001:2013 Clause 6.1.3, Clause 8.3
· NIST SP 800-53 Rev. 4 PM-9

ID.RM-3 (Policy Maturity 4.0)
· COBIT 5 APO12.02
· ISO/IEC 27001:2013 Clause 6.1.3, Clause 8.3
· NIST SP 800-53 Rev. 4 SA-14, PM-8, PM-9, PM-11

ID.SC-1 (Policy Maturity 1.0)
· CIS CSC 4
· COBIT 5 APO10.01, APO10.04, APO12.04, APO12.05, APO13.02, BAI01.03, BAI02.03, BAI04.02
· ISA 62443-2-1:2009 4.3.4.2
· ISO/IEC 27001:2013 A.15.1.1, A.15.1.2, A.15.1.3, A.15.2.1, A.15.2.2
· NIST SP 800-53 Rev. 4 SA-9, SA-12, PM-9

ID.SC-2 (Policy Maturity 1.0)
· COBIT 5 APO10.01, APO10.02, APO10.04, APO10.05, APO12.01, APO12.02, APO12.03, APO12.04, APO12.05, APO12.06, APO13.02, BAI02.03
· ISA 62443-2-1:2009 4.2.3.1, 4.2.3.2, 4.2.3.3, 4.2.3.4, 4.2.3.6, 4.2.3.8, 4.2.3.9, 4.2.3.10, 4.2.3.12, 4.2.3.13, 4.2.3.14
· ISO/IEC 27001:2013 A.15.2.1, A.15.2.2
· NIST SP 800-53 Rev. 4 RA-2, RA-3, SA-12, SA-14, SA-15, PM-9

ID.SC-3 (Policy Maturity 1.0)
· COBIT 5 APO10.01, APO10.02, APO10.03, APO10.04, APO10.05
· ISA 62443-2-1:2009 4.3.2.6.4, 4.3.2.6.7
· ISO/IEC 27001:2013 A.15.1.1, A.15.1.2, A.15.1.3
· NIST SP 800-53 Rev. 4 SA-9, SA-11, SA-12, PM-9

ID.SC-4 (Policy Maturity 1.0)
· COBIT 5 APO10.01, APO10.03, APO10.04, APO10.05, MEA01.01, MEA01.02, MEA01.03, MEA01.04, MEA01.05
· ISA 62443-2-1:2009 4.3.2.6.7
· ISA 62443-3-3:2013 SR 6.1
· ISO/IEC 27001:2013 A.15.2.1, A.15.2.2
· NIST SP 800-53 Rev. 4 AU-2, AU-6, AU-12, AU-16, PS-7, SA-9, SA-12

ID.SC-5 (Policy Maturity 1.0)
· CIS CSC 19, 20
· COBIT 5 DSS04.04
· ISA 62443-2-1:2009 4.3.2.5.7, 4.3.4.5.11
· ISA 62443-3-3:2013 SR 2.8, SR 3.3, SR 6.1, SR 7.3, SR 7.4
· ISO/IEC 27001:2013 A.17.1.3
· NIST SP 800-53 Rev. 4 CP-2, CP-4, IR-3, IR-4, IR-6, IR-8, IR-9

PR.AC-1 (Policy Maturity 3.0)
· CIS CSC 1, 5, 15, 16
· COBIT 5 DSS05.04, DSS06.03
· ISA 62443-2-1:2009 4.3.3.5.1
· ISA 62443-3-3:2013 SR 1.1, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.7, SR 1.8, SR 1.9
· ISO/IEC 27001:2013 A.9.2.1, A.9.2.2, A.9.2.3, A.9.2.4, A.9.2.6, A.9.3.1, A.9.4.2, A.9.4.3
· NIST SP 800-53 Rev. 4 AC-1, AC-2, IA-1, IA-2, IA-3, IA-4, IA-5, IA-6, IA-7, IA-8, IA-9, IA-10, IA-11

PR.AC-2 (Policy Maturity 3.0)
· COBIT 5 DSS01.04, DSS05.05
· ISA 62443-2-1:2009 4.3.3.3.2, 4.3.3.3.8
· ISO/IEC 27001:2013 A.11.1.1, A.11.1.2, A.11.1.3, A.11.1.4, A.11.1.5, A.11.1.6, A.11.2.1, A.11.2.3, A.11.2.5, A.11.2.6, A.11.2.7, A.11.2.8
· NIST SP 800-53 Rev. 4 PE-2, PE-3, PE-4, PE-5, PE-6, PE-8

PR.AC-3 (Policy Maturity 3.0)
· CIS CSC 12
· COBIT 5 APO13.01, DSS01.04, DSS05.03
· ISA 62443-2-1:2009 4.3.3.6.6
· ISA 62443-3-3:2013 SR 1.13, SR 2.6
· ISO/IEC 27001:2013 A.6.2.1, A.6.2.2, A.11.2.6, A.13.1.1, A.13.2.1
· NIST SP 800-53 Rev. 4 AC-1, AC-17, AC-19, AC-20, SC-15

PR.AC-4 (Policy Maturity 3.0)
· CIS CSC 3, 5, 12, 14, 15, 16, 18
· COBIT 5 DSS05.04
· ISA 62443-2-1:2009 4.3.3.7.3
· ISA 62443-3-3:2013 SR 2.1
· ISO/IEC 27001:2013 A.6.1.2, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5
· NIST SP 800-53 Rev. 4 AC-1, AC-2, AC-3, AC-5, AC-6, AC-14, AC-16, AC-24

PR.AC-5 (Policy Maturity 3.0)
· CIS CSC 9, 14, 15, 18
· COBIT 5 DSS01.05, DSS05.02
· ISA 62443-2-1:2009 4.3.3.4
· ISA 62443-3-3:2013 SR 3.1, SR 3.8
· ISO/IEC 27001:2013 A.13.1.1, A.13.1.3, A.13.2.1, A.14.1.2, A.14.1.3
· NIST SP 800-53 Rev. 4 AC-4, AC-10, SC-7

PR.AC-6 (Policy Maturity 3.0)
· CIS CSC 16
· COBIT 5 DSS05.04, DSS05.05, DSS05.07, DSS06.03
· ISA 62443-2-1:2009 4.3.3.2.2, 4.3.3.5.2, 4.3.3.7.2, 4.3.3.7.4
· ISA 62443-3-3:2013 SR 1.1, SR 1.2, SR 1.4, SR 1.5, SR 1.9, SR 2.1
· ISO/IEC 27001:2013 A.7.1.1, A.9.2.1
· NIST SP 800-53 Rev. 4 AC-1, AC-2, AC-3, AC-16, AC-19, AC-24, IA-1, IA-2, IA-4, IA-5, IA-8, PE-2, PS-3

PR.AC-7 (Policy Maturity 3.0)
· CIS CSC 1, 12, 15, 16
· COBIT 5 DSS05.04, DSS05.10, DSS06.10
· ISA 62443-2-1:2009 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9
· ISA 62443-3-3:2013 SR 1.1, SR 1.2, SR 1.5, SR 1.7, SR 1.8, SR 1.9, SR 1.10
· ISO/IEC 27001:2013 A.9.2.1, A.9.2.4, A.9.3.1, A.9.4.2, A.9.4.3, A.18.1.4
· NIST SP 800-53 Rev. 4 AC-7, AC-8, AC-9, AC-11, AC-12, AC-14, IA-1, IA-2, IA-3, IA-4, IA-5, IA-8, IA-9, IA-10, IA-11

PR.AT-1 (Policy Maturity 5.0)
· CIS CSC 17, 18
· COBIT 5 APO07.03, BAI05.07
· ISA 62443-2-1:2009 4.3.2.4.2
· ISO/IEC 27001:2013 A.7.2.2, A.12.2.1
· NIST SP 800-53 Rev. 4 AT-2, PM-13

PR.AT-2 (Policy Maturity 5.0)
· CIS CSC 5, 17, 18
· COBIT 5 APO07.02, DSS05.04, DSS06.03
· ISA 62443-2-1:2009 4.3.2.4.2, 4.3.2.4.3
· ISO/IEC 27001:2013 A.6.1.1, A.7.2.2
· NIST SP 800-53 Rev. 4 AT-3, PM-13

PR.AT-3 (Policy Maturity 5.0)
· CIS CSC 17
· COBIT 5 APO07.03, APO07.06, APO10.04, APO10.05
· ISA 62443-2-1:2009 4.3.2.4.2
· ISO/IEC 27001:2013 A.6.1.1, A.7.2.1, A.7.2.2
· NIST SP 800-53 Rev. 4 PS-7, SA-9, SA-16

PR.AT-4 (Policy Maturity 5.0)
· CIS CSC 17, 19
· COBIT 5 EDM01.01, APO01.02, APO07.03
· ISA 62443-2-1:2009 4.3.2.4.2
· ISO/IEC 27001:2013 A.6.1.1, A.7.2.2
· NIST SP 800-53 Rev. 4 AT-3, PM-13

PR.AT-5 (Policy Maturity 5.0)
· CIS CSC 17
· COBIT 5 APO07.03
· ISA 62443-2-1:2009 4.3.2.4.2
· ISO/IEC 27001:2013 A.6.1.1, A.7.2.2
· NIST SP 800-53 Rev. 4 AT-3, IR-2, PM-13

PR.DS-1 (Policy Maturity 1.0)
· CIS CSC 13, 14
· COBIT 5 APO01.06, BAI02.01, BAI06.01, DSS04.07, DSS05.03, DSS06.06
· ISA 62443-3-3:2013 SR 3.4, SR 4.1
· ISO/IEC 27001:2013 A.8.2.3
· NIST SP 800-53 Rev. 4 MP-8, SC-12, SC-28

PR.DS-2 (Policy Maturity 1.0)
· CIS CSC 13, 14
· COBIT 5 APO01.06, DSS05.02, DSS06.06
· ISA 62443-3-3:2013 SR 3.1, SR 3.8, SR 4.1, SR 4.2
· ISO/IEC 27001:2013 A.8.2.3, A.13.1.1, A.13.2.1, A.13.2.3, A.14.1.2, A.14.1.3
· NIST SP 800-53 Rev. 4 SC-8, SC-11, SC-12

PR.DS-3 (Policy Maturity 1.0)
· CIS CSC 1
· COBIT 5 BAI09.03
· ISA 62443-2-1:2009 4.3.3.3.9, 4.3.4.4.1
· ISA 62443-3-3:2013 SR 4.2
· ISO/IEC 27001:2013 A.8.2.3, A.8.3.1, A.8.3.2, A.8.3.3, A.11.2.5, A.11.2.7
· NIST SP 800-53 Rev. 4 CM-8, MP-6, PE-16

PR.DS-4 (Policy Maturity 1.0)
· CIS CSC 1, 2, 13
· COBIT 5 APO13.01, BAI04.04
· ISA 62443-3-3:2013 SR 7.1, SR 7.2
· ISO/IEC 27001:2013 A.12.1.3, A.17.2.1
· NIST SP 800-53 Rev. 4 AU-4, CP-2, SC-5

PR.DS-5 (Policy Maturity 1.0)
· CIS CSC 13
· COBIT 5 APO01.06, DSS05.04, DSS05.07, DSS06.02
· ISA 62443-3-3:2013 SR 5.2
· ISO/IEC 27001:2013 A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.13.1.1, A.13.1.3, A.13.2.1, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3
· NIST SP 800-53 Rev. 4 AC-4, AC-5, AC-6, PE-19, PS-3, PS-6, SC-7, SC-8, SC-13, SC-31, SI-4

PR.DS-6 (Policy Maturity 1.0)
· CIS CSC 2, 3
· COBIT 5 APO01.06, BAI06.01, DSS06.02
· ISA 62443-3-3:2013 SR 3.1, SR 3.3, SR 3.4, SR 3.8
· ISO/IEC 27001:2013 A.12.2.1, A.12.5.1, A.14.1.2, A.14.1.3, A.14.2.4
· NIST SP 800-53 Rev. 4 SC-16, SI-7

PR.DS-7 (Policy Maturity 1.0)
· CIS CSC 18, 20
· COBIT 5 BAI03.08, BAI07.04
· ISO/IEC 27001:2013 A.12.1.4
· NIST SP 800-53 Rev. 4 CM-2

PR.DS-8 (Policy Maturity 1.0)
· COBIT 5 BAI03.05
· ISA 62443-2-1:2009 4.3.4.4.4
· ISO/IEC 27001:2013 A.11.2.4
· NIST SP 800-53 Rev. 4 SA-10, SI-7

PR.IP-1 (Policy Maturity 3.0)
· CIS CSC 3, 9, 11
· COBIT 5 BAI10.01, BAI10.02, BAI10.03, BAI10.05
· ISA 62443-2-1:2009 4.3.4.3.2, 4.3.4.3.3
· ISA 62443-3-3:2013 SR 7.6
· ISO/IEC 27001:2013 A.12.1.2, A.12.5.1, A.12.6.2, A.14.2.2, A.14.2.3, A.14.2.4
· NIST SP 800-53 Rev. 4 CM-2, CM-3, CM-4, CM-5, CM-6, CM-7, CM-9, SA-10

PR.IP-2 (Policy Maturity 3.0)
· CIS CSC 18
· COBIT 5 APO13.01, BAI03.01, BAI03.02, BAI03.03
· ISA 62443-2-1:2009 4.3.4.3.3
· ISO/IEC 27001:2013 A.6.1.5, A.14.1.1, A.14.2.1, A.14.2.5
· NIST SP 800-53 Rev. 4 PL-8, SA-3, SA-4, SA-8, SA-10, SA-11, SA-12, SA-15, SA-17, SI-12, SI-13, SI-14, SI-16, SI-17

PR.IP-3 (Policy Maturity 3.0)
· CIS CSC 3, 11
· COBIT 5 BAI01.06, BAI06.01
· ISA 62443-2-1:2009 4.3.4.3.2, 4.3.4.3.3
· ISA 62443-3-3:2013 SR 7.6
· ISO/IEC 27001:2013 A.12.1.2, A.12.5.1, A.12.6.2, A.14.2.2, A.14.2.3, A.14.2.4
· NIST SP 800-53 Rev. 4 CM-3, CM-4, SA-10

PR.IP-4 (Policy Maturity 3.0)
· CIS CSC 10
· COBIT 5 APO13.01, DSS01.01, DSS04.07
· ISA 62443-2-1:2009 4.3.4.3.9
· ISA 62443-3-3:2013 SR 7.3, SR 7.4
3.0
· ISO/IEC 27001:2013 A.12.3.1, A.17.1.2, A.17.1.3, A.18.1.3
· NIST SP 800-53 Rev. 4 CP-4, CP-6, CP-9
· COBIT 5 DSS01.04, DSS05.05
· ISA 62443-2-1:2009 4.3.3.3.1, 4.3.3.3.2, 4.3.3.3.3, 4.3.3.3.5, 4.3.3.3.6
3.0
· ISO/IEC 27001:2013 A.11.1.4, A.11.2.1, A.11.2.2, A.11.2.3
· NIST SP 800-53 Rev. 4 PE-10, PE-12, PE-13, PE-14, PE-15, PE-18
· COBIT 5 BAI09.03, DSS05.06
· ISA 62443-2-1:2009 4.3.4.4.4
· ISA 62443-3-3:2013 SR 4.2 3.0
· ISO/IEC 27001:2013 A.8.2.3, A.8.3.1, A.8.3.2, A.11.2.7
· NIST SP 800-53 Rev. 4 MP-6
· COBIT 5 APO11.06, APO12.06, DSS04.05
· ISA 62443-2-1:2009 4.4.3.1, 4.4.3.2, 4.4.3.3, 4.4.3.4, 4.4.3.5, 4.4.3.6, 4.4.3.7, 4.4.3.8
3.0
· ISO/IEC 27001:2013 A.16.1.6, Clause 9, Clause 10
· NIST SP 800-53 Rev. 4 CA-2, CA-7, CP-2, IR-8, PL-2, PM-6
· COBIT 5 BAI08.04, DSS03.04
· ISO/IEC 27001:2013 A.16.1.6 3.0
· NIST SP 800-53 Rev. 4 AC-21, CA-7, SI-4
· CIS CSC 19
· COBIT 5 APO12.06, DSS04.03
· ISA 62443-2-1:2009 4.3.2.5.3, 4.3.4.5.1 3.0
· ISO/IEC 27001:2013 A.16.1.1, A.17.1.1, A.17.1.2, A.17.1.3
· NIST SP 800-53 Rev. 4 CP-2, CP-7, CP-12, CP-13, IR-7, IR-8, IR-9, PE-17
· CIS CSC 19, 20
· COBIT 5 DSS04.04
· ISA 62443-2-1:2009 4.3.2.5.7, 4.3.4.5.11
3.0
· ISA 62443-3-3:2013 SR 3.3
· ISO/IEC 27001:2013 A.17.1.3
· NIST SP 800-53 Rev. 4 CP-4, IR-3, PM-14
· CIS CSC 5, 16
· COBIT 5 APO07.01, APO07.02, APO07.03, APO07.04, APO07.05
· ISA 62443-2-1:2009 4.3.3.2.1, 4.3.3.2.2, 4.3.3.2.3 3.0
· ISO/IEC 27001:2013 A.7.1.1, A.7.1.2, A.7.2.1, A.7.2.2, A.7.2.3, A.7.3.1, A.8.1.4
· NIST SP 800-53 Rev. 4 PS-1, PS-2, PS-3, PS-4, PS-5, PS-6, PS-7, PS-8, SA-21
· CIS CSC 4, 18, 20
· COBIT 5 BAI03.10, DSS05.01, DSS05.02
3.0
· ISO/IEC 27001:2013 A.12.6.1, A.14.2.3, A.16.1.3, A.18.2.2, A.18.2.3
· NIST SP 800-53 Rev. 4 RA-3, RA-5, SI-2
· COBIT 5 BAI03.10, BAI09.02, BAI09.03, DSS01.05
· ISA 62443-2-1:2009 4.3.3.3.7
5.0
· ISO/IEC 27001:2013 A.11.1.2, A.11.2.4, A.11.2.5, A.11.2.6
· NIST SP 800-53 Rev. 4 MA-2, MA-3, MA-5, MA-6
· CIS CSC 3, 5
· COBIT 5 DSS05.04
5.0
· ISA 62443-2-1:2009 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8 5.0
· ISO/IEC 27001:2013 A.11.2.4, A.15.1.1, A.15.2.1
· NIST SP 800-53 Rev. 4 MA-4
· CIS CSC 1, 3, 5, 6, 14, 15, 16
· COBIT 5 APO11.04, BAI03.05, DSS05.04, DSS05.07, MEA02.01
· ISA 62443-2-1:2009 4.3.3.3.9, 4.3.3.5.8, 4.3.4.4.7, 4.4.2.1, 4.4.2.2, 4.4.2.4
1.0
· ISA 62443-3-3:2013 SR 2.8, SR 2.9, SR 2.10, SR 2.11, SR 2.12
· ISO/IEC 27001:2013 A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1
· NIST SP 800-53 Rev. 4 AU Family
· CIS CSC 8, 13
· COBIT 5 APO13.01, DSS05.02, DSS05.06
· ISA 62443-3-3:2013 SR 2.3 1.0
· ISO/IEC 27001:2013 A.8.2.1, A.8.2.2, A.8.2.3, A.8.3.1, A.8.3.3, A.11.2.9
· NIST SP 800-53 Rev. 4 MP-2, MP-3, MP-4, MP-5, MP-7, MP-8
· CIS CSC 3, 11, 14
· COBIT 5 DSS05.02, DSS05.05, DSS06.06
· ISA 62443-2-1:2009 4.3.3.5.1, 4.3.3.5.2, 4.3.3.5.3, 4.3.3.5.4, 4.3.3.5.5, 4.3.3.5.6, 4.3.3.5.7,
4.3.3.5.8, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9,
4.3.3.7.1, 4.3.3.7.2, 4.3.3.7.3, 4.3.3.7.4 1.0
· ISA 62443-3-3:2013 SR 1.1, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.6, SR 1.7, SR 1.8, SR 1.9, SR
1.10, SR 1.11, SR 1.12, SR 1.13, SR 2.1, SR 2.2, SR 2.3, SR 2.4, SR 2.5, SR 2.6, SR 2.7
· ISO/IEC 27001:2013 A.9.1.2
· NIST SP 800-53 Rev. 4 AC-3, CM-7
· CIS CSC 8, 12, 15
· COBIT 5 DSS05.02, APO13.01
· ISA 62443-3-3:2013 SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 7.1, SR
7.6 1.0
· ISO/IEC 27001:2013 A.13.1.1, A.13.2.1, A.14.1.3
· NIST SP 800-53 Rev. 4 AC-4, AC-17, AC-18, CP-8, SC-7, SC-19, SC-20, SC-21, SC-22, SC-23,
SC-24, SC-25, SC-29, SC-32, SC-36, SC-37, SC-38, SC-39, SC-40, SC-41, SC-43
· COBIT 5 BAI04.01, BAI04.02, BAI04.03, BAI04.04, BAI04.05, DSS01.05
· ISA 62443-2-1:2009 4.3.2.5.2
· ISA 62443-3-3:2013 SR 7.1, SR 7.2 1.0
· ISO/IEC 27001:2013 A.17.1.2, A.17.2.1
· NIST SP 800-53 Rev. 4 CP-7, CP-8, CP-11, CP-13, PL-8, SA-14, SC-6
· CIS CSC 1, 4, 6, 12, 13, 15, 16
· COBIT 5 DSS03.01
· ISA 62443-2-1:2009 4.4.3.3 3.0
· ISO/IEC 27001:2013 A.12.1.1, A.12.1.2, A.13.1.1, A.13.1.2
· NIST SP 800-53 Rev. 4 AC-4, CA-3, CM-2, SI-4
· CIS CSC 3, 6, 13, 15
· COBIT 5 DSS05.07
· ISA 62443-2-1:2009 4.3.4.5.6, 4.3.4.5.7, 4.3.4.5.8
3.0
· ISA 62443-3-3:2013 SR 2.8, SR 2.9, SR 2.10, SR 2.11, SR 2.12, SR 3.9, SR 6.1, SR 6.2
· ISO/IEC 27001:2013 A.12.4.1, A.16.1.1, A.16.1.4
3.0
· NIST SP 800-53 Rev. 4 AU-6, CA-7, IR-4, SI-4
· CIS CSC 1, 3, 4, 5, 6, 7, 8, 11, 12, 13, 14, 15, 16
· COBIT 5 BAI08.02
· ISA 62443-3-3:2013 SR 6.1 3.0
· ISO/IEC 27001:2013 A.12.4.1, A.16.1.7
· NIST SP 800-53 Rev. 4 AU-6, CA-7, IR-4, IR-5, IR-8, SI-4
· CIS CSC 4, 6
· COBIT 5 APO12.06, DSS03.01
3.0
· ISO/IEC 27001:2013 A.16.1.4
· NIST SP 800-53 Rev. 4 CP-2, IR-4, RA-3, SI-4
· CIS CSC 6, 19
· COBIT 5 APO12.06, DSS03.01
· ISA 62443-2-1:2009 4.2.3.10 3.0
· ISO/IEC 27001:2013 A.16.1.4
· NIST SP 800-53 Rev. 4 IR-4, IR-5, IR-8
· CIS CSC 1, 7, 8, 12, 13, 15, 16
· COBIT 5 DSS01.03, DSS03.05, DSS05.07
5.0
· ISA 62443-3-3:2013 SR 6.2
· NIST SP 800-53 Rev. 4 AC-2, AU-12, CA-7, CM-3, SC-5, SC-7, SI-4
· COBIT 5 DSS01.04, DSS01.05
· ISA 62443-2-1:2009 4.3.3.3.8
5.0
· ISO/IEC 27001:2013 A.11.1.1, A.11.1.2
· NIST SP 800-53 Rev. 4 CA-7, PE-3, PE-6, PE-20
· CIS CSC 5, 7, 14, 16
· COBIT 5 DSS05.07
· ISA 62443-3-3:2013 SR 6.2 5.0
· ISO/IEC 27001:2013 A.12.4.1, A.12.4.3
· NIST SP 800-53 Rev. 4 AC-2, AU-12, AU-13, CA-7, CM-10, CM-11
· CIS CSC 4, 7, 8, 12
· COBIT 5 DSS05.01
· ISA 62443-2-1:2009 4.3.4.3.8
5.0
· ISA 62443-3-3:2013 SR 3.2
· ISO/IEC 27001:2013 A.12.2.1
· NIST SP 800-53 Rev. 4 SI-3, SI-8
· CIS CSC 7, 8
· COBIT 5 DSS05.01
· ISA 62443-3-3:2013 SR 2.4 5.0
· ISO/IEC 27001:2013 A.12.5.1, A.12.6.2
· NIST SP 800-53 Rev. 4 SC-18, SI-4, SC-44
· COBIT 5 APO07.06, APO10.05
· ISO/IEC 27001:2013 A.14.2.7, A.15.2.1 5.0
· NIST SP 800-53 Rev. 4 CA-7, PS-7, SA-4, SA-9, SI-4
· CIS CSC 1, 2, 3, 5, 9, 12, 13, 15, 16
· COBIT 5 DSS05.02, DSS05.05
5.0
5.0
· ISO/IEC 27001:2013 A.12.4.1, A.14.2.7, A.15.2.1
· NIST SP 800-53 Rev. 4 AU-12, CA-7, CM-3, CM-8, PE-3, PE-6, PE-20, SI-4
· CIS CSC 4, 20
· COBIT 5 BAI03.10, DSS05.01
· ISA 62443-2-1:2009 4.2.3.1, 4.2.3.7 5.0
· ISO/IEC 27001:2013 A.12.6.1
· NIST SP 800-53 Rev. 4 RA-5
· CIS CSC 19
· COBIT 5 APO01.02, DSS05.01, DSS06.03
· ISA 62443-2-1:2009 4.4.3.1 2.0
· ISO/IEC 27001:2013 A.6.1.1, A.7.2.2
· NIST SP 800-53 Rev. 4 CA-2, CA-7, PM-14
· COBIT 5 DSS06.01, MEA03.03, MEA03.04
· ISA 62443-2-1:2009 4.4.3.2
2.0
· ISO/IEC 27001:2013 A.18.1.4, A.18.2.2, A.18.2.3
· NIST SP 800-53 Rev. 4 AC-25, CA-2, CA-7, SA-18, SI-4, PM-14
· COBIT 5 APO13.02, DSS05.02
· ISA 62443-2-1:2009 4.4.3.2
· ISA 62443-3-3:2013 SR 3.3 2.0
· ISO/IEC 27001:2013 A.14.2.8
· NIST SP 800-53 Rev. 4 CA-2, CA-7, PE-3, SI-3, SI-4, PM-14
· CIS CSC 19
· COBIT 5 APO08.04, APO12.06, DSS02.05
· ISA 62443-2-1:2009 4.3.4.5.9
2.0
· ISA 62443-3-3:2013 SR 6.1
· ISO/IEC 27001:2013 A.16.1.2, A.16.1.3
· NIST SP 800-53 Rev. 4 AU-6, CA-2, CA-7, RA-5, SI-4
· COBIT 5 APO11.06, APO12.06, DSS04.05
· ISA 62443-2-1:2009 4.4.3.4
2.0
· ISO/IEC 27001:2013 A.16.1.6
· NIST SP 800-53 Rev. 4 CA-2, CA-7, PL-2, RA-5, SI-4, PM-14
· CIS CSC 19
· COBIT 5 APO12.06, BAI01.10
· ISA 62443-2-1:2009 4.3.4.5.1 4.0
· ISO/IEC 27001:2013 A.16.1.5
· NIST SP 800-53 Rev. 4 CP-2, CP-10, IR-4, IR-8
· CIS CSC 19
· COBIT 5 EDM03.02, APO01.02, APO12.03
· ISA 62443-2-1:2009 4.3.4.5.2, 4.3.4.5.3, 4.3.4.5.4 1.0
· ISO/IEC 27001:2013 A.6.1.1, A.7.2.2, A.16.1.1
· NIST SP 800-53 Rev. 4 CP-2, CP-3, IR-3, IR-8
· CIS CSC 19
· COBIT 5 DSS01.03
· ISA 62443-2-1:2009 4.3.4.5.5 1.0
· ISO/IEC 27001:2013 A.6.1.3, A.16.1.2
1.0
· NIST SP 800-53 Rev. 4 AU-6, IR-6, IR-8
· CIS CSC 19
· COBIT 5 DSS03.04
· ISA 62443-2-1:2009 4.3.4.5.2 1.0
· ISO/IEC 27001:2013 A.16.1.2, Clause 7.4, Clause 16.1.2
· NIST SP 800-53 Rev. 4 CA-2, CA-7, CP-2, IR-4, IR-8, PE-6, RA-5, SI-4
· CIS CSC 19
· COBIT 5 DSS03.04
· ISA 62443-2-1:2009 4.3.4.5.5 1.0
· ISO/IEC 27001:2013 Clause 7.4
· NIST SP 800-53 Rev. 4 CP-2, IR-4, IR-8
· CIS CSC 19
· COBIT 5 BAI08.04
1.0
· ISO/IEC 27001:2013 A.6.1.4
· NIST SP 800-53 Rev. 4 SI-5, PM-15
· CIS CSC 4, 6, 8, 19
· COBIT 5 DSS02.04, DSS02.07
· ISA 62443-2-1:2009 4.3.4.5.6, 4.3.4.5.7, 4.3.4.5.8
2.0
· ISA 62443-3-3:2013 SR 6.1
· ISO/IEC 27001:2013 A.12.4.1, A.12.4.3, A.16.1.5
· NIST SP 800-53 Rev. 4 AU-6, CA-7, IR-4, IR-5, PE-6, SI-4
· COBIT 5 DSS02.02
· ISA 62443-2-1:2009 4.3.4.5.6, 4.3.4.5.7, 4.3.4.5.8
2.0
· ISO/IEC 27001:2013 A.16.1.4, A.16.1.6
· NIST SP 800-53 Rev. 4 CP-2, IR-4
· COBIT 5 APO12.06, DSS03.02, DSS05.07
· ISA 62443-3-3:2013 SR 2.8, SR 2.9, SR 2.10, SR 2.11, SR 2.12, SR 3.9, SR 6.1
2.0
· ISO/IEC 27001:2013 A.16.1.7
· NIST SP 800-53 Rev. 4 AU-7, IR-4
· CIS CSC 19
· COBIT 5 DSS02.02
· ISA 62443-2-1:2009 4.3.4.5.6 2.0
· ISO/IEC 27001:2013 A.16.1.4
· NIST SP 800-53 Rev. 4 CP-2, IR-4, IR-5, IR-8
· CIS CSC 4, 19
· COBIT 5 EDM03.02, DSS05.07 2.0
· NIST SP 800-53 Rev. 4 SI-5, PM-15
· CIS CSC 19
· COBIT 5 APO12.06
· ISA 62443-2-1:2009 4.3.4.5.6
3.0
· ISA 62443-3-3:2013 SR 5.1, SR 5.2, SR 5.4
· ISO/IEC 27001:2013 A.12.2.1, A.16.1.5
· NIST SP 800-53 Rev. 4 IR-4
· CIS CSC 4, 19
3.0
· COBIT 5 APO12.06
· ISA 62443-2-1:2009 4.3.4.5.6, 4.3.4.5.10 3.0
· ISO/IEC 27001:2013 A.12.2.1, A.16.1.5
· NIST SP 800-53 Rev. 4 IR-4
· CIS CSC 4
· COBIT 5 APO12.06
3.0
· ISO/IEC 27001:2013 A.12.6.1
· NIST SP 800-53 Rev. 4 CA-7, RA-3, RA-5
· COBIT 5 BAI01.13
· ISA 62443-2-1:2009 4.3.4.5.10, 4.4.3.4
4.0
· ISO/IEC 27001:2013 A.16.1.6, Clause 10
· NIST SP 800-53 Rev. 4 CP-2, IR-4, IR-8
· COBIT 5 BAI01.13, DSS04.08
· ISO/IEC 27001:2013 A.16.1.6, Clause 10 4.0
· NIST SP 800-53 Rev. 4 CP-2, IR-4, IR-8
· CIS CSC 10
· COBIT 5 APO12.06, DSS02.05, DSS03.04
5.0
· ISO/IEC 27001:2013 A.16.1.5
· NIST SP 800-53 Rev. 4 CP-10, IR-4, IR-8
· COBIT 5 APO12.06, BAI05.07, DSS04.08
· ISA 62443-2-1:2009 4.4.3.4
1.0
· ISO/IEC 27001:2013 A.16.1.6, Clause 10
· NIST SP 800-53 Rev. 4 CP-2, IR-4, IR-8
· COBIT 5 APO12.06, BAI07.08
· ISO/IEC 27001:2013 A.16.1.6, Clause 10 1.0
· NIST SP 800-53 Rev. 4 CP-2, IR-4, IR-8
· COBIT 5 EDM03.02
3.0
· ISO/IEC 27001:2013 A.6.1.4, Clause 7.4
· COBIT 5 MEA03.02
3.0
· ISO/IEC 27001:2013 Clause 7.4
· COBIT 5 APO12.06
· ISO/IEC 27001:2013 Clause 7.4 3.0
· NIST SP 800-53 Rev. 4 CP-2, IR-4
Practice Maturity
2.0
2.0
2.0
2.0
2.0
2.0
1.0
1.0
1.0
1.0
1.0
3.0
3.0
3.0
3.0
4.0
4.0
4.0
4.0
4.0
4.0
4.0
2.0
2.0
2.0
3.0
3.0
3.0
3.0
3.0
3.0
1.0
1.0
1.0
1.0
1.0
1.0
1.0
1.0
3.0
3.0
3.0
3.0
3.0
3.0
3.0
3.0
3.0
3.0
3.0
3.0
3.0
3.0
1.0
1.0
1.0
1.0
1.0
1.0
1.0
1.0
1.0
1.0
1.0
1.0
1.0
4.0
4.0
4.0
2.0
2.0
2.0
2.0
2.0
5.0
5.0
5.0
5.0
5.0
5.0
2.0
2.0
2.0
2.0
2.0
2.0
2.0
2.0
2.0
3.0
3.0
3.0
3.0
3.0
1.0
4.0
4.0
4.0
4.0
4.0
4.0
5.0
5.0
5.0
5.0
5.0
2.0
2.0
2.0
2.0
2.0
2.0
3.0
3.0
3.0
3.0
3.0
3.0
2022
NIST Privacy 1.0 Categories                                            Target   Policy   Practice
                                                                       Score    Score    Score
Overall                                                                3.00     3.17     2.83

IDENTIFY-P
  Inventory and Mapping (ID.IM-P)                                      3.00     5.00     1.00
  Business Environment (ID.BE-P)                                       3.00     4.00     2.00
  Risk Assessment (ID.RA-P)                                            3.00     3.00     3.00
  Data Processing Ecosystem Risk Management (ID.DE-P)                  3.00     2.00     4.00

GOVERN-P
  Governance Policies, Processes, and Procedures (GV.PO-P)             3.00     1.00     5.00
  Risk Management Strategy (GV.RM-P)                                   3.00     5.00     1.00
  Awareness and Training (GV.AT-P)                                     3.00     4.00     2.00
  Monitoring and Review (GV.MT-P)                                      3.00     3.00     3.00

CONTROL-P
  Data Processing Policies, Processes, and Procedures (CT.PO-P)        3.00     2.00     4.00
  Data Processing Management (CT.DM-P)                                 3.00     1.00     5.00
  Disassociated Processing (CT.DP-P)                                   3.00     5.00     1.00

COMMUNICATE-P
  Communication Policies, Processes, and Procedures (CM.PO-P)          3.00     4.00     2.00
  Data Processing Awareness (CM.AW-P)                                  3.00     3.00     3.00

PROTECT-P
  Data Protection Policies, Processes, and Procedures (PR.PO-P)        3.00     2.00     4.00
  Identity Management, Authentication, and Access Control (PR.AC-P)    3.00     1.00     5.00
  Data Security (PR.DS-P)                                              3.00     5.00     1.00
  Maintenance (PR.MA-P)                                                3.00     4.00     2.00
  Protective Technology (PR.PT-P)                                      3.00     3.00     3.00
[Chart: NIST Privacy Framework Maturity Levels, plotting the category scores from the table above. Series: Target Score, Policy Score, Practice Score. Axis: 0.0 to 5.0. Maturity Levels legend: 5 - Optimal, 4 - Managed, 3 - Defined, 2 - Acknowledged, 1 - Initial, 0 - Non-existent.]
NIST Privacy Framework: A Tool for Improving Privacy through Enterprise Risk Management, Version 1.0 Core

NIST Privacy Framework Core

Function: IDENTIFY-P (ID-P): Develop the organizational understanding to manage privacy risk for individuals arising from data processing.

Category: Inventory and Mapping (ID.IM-P): Data processing by systems, products, or services is understood and informs the management of privacy risk.

Category: Business Environment (ID.BE-P): The organization’s mission, objectives, stakeholders, and activities are understood and prioritized; this information is used to inform privacy roles, responsibilities, and risk management decisions.

Category: Risk Assessment (ID.RA-P): The organization understands the privacy risks to individuals and how such privacy risks may create follow-on impacts on organizational operations, including mission, functions, other risk management priorities (e.g., compliance, financial), reputation, workforce, and culture.

Category: Data Processing Ecosystem Risk Management (ID.DE-P): The organization’s priorities, constraints, risk tolerance, and assumptions are established and used to support risk decisions associated with managing privacy risk and third parties within the data processing ecosystem. The organization has established and implemented the processes to identify, assess, and manage privacy risks within the data processing ecosystem.

Function: GOVERN-P (GV-P): Develop and implement the organizational governance structure to enable an ongoing understanding of the organization’s risk management priorities that are informed by privacy risk.

Category: Governance Policies, Processes, and Procedures (GV.PO-P): The policies, processes, and procedures to manage and monitor the organization’s regulatory, legal, risk, environmental, and operational requirements are understood and inform the management of privacy risk.

Category: Risk Management Strategy (GV.RM-P): The organization’s priorities, constraints, risk tolerances, and assumptions are established and used to support operational risk decisions.

Category: Awareness and Training (GV.AT-P): The organization’s workforce and third parties engaged in data processing are provided privacy awareness education and are trained to perform their privacy-related duties and responsibilities consistent with related policies, processes, procedures, and agreements and organizational privacy values.

Category: Monitoring and Review (GV.MT-P): The policies, processes, and procedures for ongoing review of the organization’s privacy posture are understood and inform the management of privacy risk.

Function: CONTROL-P (CT-P): Develop and implement appropriate activities to enable organizations or individuals to manage data with sufficient granularity to manage privacy risks.

Category: Data Processing Policies, Processes, and Procedures (CT.PO-P): Policies, processes, and procedures are maintained and used to manage data processing (e.g., purpose, scope, roles and responsibilities in the data processing ecosystem, and management commitment) consistent with the organization’s risk strategy to protect individuals’ privacy.

Category: Data Processing Management (CT.DM-P): Data are managed consistent with the organization’s risk strategy to protect individuals’ privacy, increase manageability, and enable the implementation of privacy principles (e.g., individual participation, data quality, data minimization).

Category: Disassociated Processing (CT.DP-P): Data processing solutions increase disassociability consistent with the organization’s risk strategy to protect individuals’ privacy and enable implementation of privacy principles (e.g., data minimization).

Function: COMMUNICATE-P (CM-P): Develop and implement appropriate activities to enable organizations and individuals to have a reliable understanding and engage in a dialogue about how data are processed and associated privacy risks.

Category: Communication Policies, Processes, and Procedures (CM.PO-P): Policies, processes, and procedures are maintained and used to increase transparency of the organization’s data processing practices (e.g., purpose, scope, roles and responsibilities in the data processing ecosystem, and management commitment) and associated privacy risks.

Category: Data Processing Awareness (CM.AW-P): Individuals and organizations have reliable knowledge about data processing practices and associated privacy risks, and effective mechanisms are used and maintained to increase predictability consistent with the organization’s risk strategy to protect individuals’ privacy.

Function: PROTECT-P (PR-P): Develop and implement appropriate data processing safeguards.

Category: Data Protection Policies, Processes, and Procedures (PR.PO-P): Security and privacy policies (e.g., purpose, scope, roles and responsibilities in the data processing ecosystem, and management commitment), processes, and procedures are maintained and used to manage the protection of data.

Category: Identity Management, Authentication, and Access Control (PR.AC-P): Access to data and devices is limited to authorized individuals, processes, and devices, and is managed consistent with the assessed risk of unauthorized access.

Category: Data Security (PR.DS-P): Data are managed consistent with the organization’s risk strategy to protect individuals’ privacy and maintain data confidentiality, integrity, and availability.

Category: Maintenance (PR.MA-P): System maintenance and repairs are performed consistent with policies, processes, and procedures.

Category: Protective Technology (PR.PT-P): Technical security solutions are managed to ensure the security and resilience of systems/products/services and associated data, consistent with related policies, processes, procedures, and agreements.
Shading Key:
  The Function, Category, or Subcategory aligns with the Cybersecurity Framework, but the text has been adapted for the Privacy Framework.
  The Category or Subcategory is identical to the Cybersecurity Framework.

Subcategory (each row is followed by its Policy Score and Practice Score)

ID.IM-P1: Systems/products/services that process data are inventoried. 5.0 1.0
ID.IM-P2: Owners or operators (e.g., the organization or third parties such as service providers, partners, customers, and developers) and their roles with respect to the systems/products/services and components (e.g., internal or external) that process data are inventoried. 5.0 1.0
ID.IM-P3: Categories of individuals (e.g., customers, employees or prospective employees, consumers) whose data are being processed are inventoried. 5.0 1.0
ID.IM-P4: Data actions of the systems/products/services are inventoried. 5.0 1.0
ID.IM-P5: The purposes for the data actions are inventoried. 5.0 1.0
ID.IM-P6: Data elements within the data actions are inventoried. 5.0 1.0
ID.IM-P7: The data processing environment is identified (e.g., geographic location, internal, cloud, third parties). 5.0 1.0
ID.IM-P8: Data processing is mapped, illustrating the data actions and associated data elements for systems/products/services, including components; roles of the component owners/operators; and interactions of individuals or third parties with the systems/products/services. 5.0 1.0
ID.BE-P1: The organization’s role(s) in the data processing ecosystem are identified and communicated. 4.0 2.0
ID.BE-P2: Priorities for organizational mission, objectives, and activities are established and communicated. 4.0 2.0
ID.BE-P3: Systems/products/services that support organizational priorities are identified and key requirements communicated. 4.0 2.0
ID.RA-P1: Contextual factors related to the systems/products/services and the data actions are identified (e.g., individuals’ demographics and privacy interests or perceptions, data sensitivity and/or types, visibility of data processing to individuals and third parties). 3.0 3.0
ID.RA-P2: Data analytic inputs and outputs are identified and evaluated for bias. 3.0 3.0
ID.RA-P3: Potential problematic data actions and associated problems are identified. 3.0 3.0
ID.RA-P4: Problematic data actions, likelihoods, and impacts are used to determine and prioritize risk. 3.0 3.0
ID.RA-P5: Risk responses are identified, prioritized, and implemented. 3.0 3.0
ID.DE-P1: Data processing ecosystem risk management policies, processes, and procedures are identified, established, assessed, managed, and agreed to by organizational stakeholders. 2.0 4.0
ID.DE-P2: Data processing ecosystem parties (e.g., service providers, customers, partners, product manufacturers, application developers) are identified, prioritized, and assessed using a privacy risk assessment process. 2.0 4.0
ID.DE-P3: Contracts with data processing ecosystem parties are used to implement appropriate measures designed to meet the objectives of an organization’s privacy program. 2.0 4.0
ID.DE-P4: Interoperability frameworks or similar multi-party approaches are used to manage data processing ecosystem privacy risks. 2.0 4.0
ID.DE-P5: Data processing ecosystem parties are routinely assessed using audits, test results, or other forms of evaluations to confirm they are meeting their contractual, interoperability framework, or other obligations. 2.0 4.0
GV.PO-P1: Organizational privacy values and policies (e.g., conditions on data processing such as data uses or retention periods, individuals’ prerogatives with respect to data processing) are established and communicated. 1.0 5.0
GV.PO-P2: Processes to instill organizational privacy values within system/product/service development and operations are established and in place. 1.0 5.0
GV.PO-P3: Roles and responsibilities for the workforce are established with respect to privacy. 1.0 5.0
GV.PO-P4: Privacy roles and responsibilities are coordinated and aligned with third-party stakeholders (e.g., service providers, customers, partners). 1.0 5.0
GV.PO-P5: Legal, regulatory, and contractual requirements regarding privacy are understood and managed. 1.0 5.0
GV.PO-P6: Governance and risk management policies, processes, and procedures address privacy risks. 1.0 5.0
GV.RM-P1: Risk management processes are established, managed, and agreed to by organizational stakeholders. 5.0 1.0
GV.RM-P2: Organizational risk tolerance is determined and clearly expressed. 5.0 1.0
GV.RM-P3: The organization’s determination of risk tolerance is informed by its role(s) in the data processing ecosystem. 5.0 1.0
GV.AT-P1: The workforce is informed and trained on its roles and responsibilities. 4.0 2.0
GV.AT-P2: Senior executives understand their roles and responsibilities. 4.0 2.0
GV.AT-P3: Privacy personnel understand their roles and responsibilities. 4.0 2.0
GV.AT-P4: Third parties (e.g., service providers, customers, partners) understand their roles and responsibilities. 4.0 2.0
GV.MT-P1: Privacy risk is re-evaluated on an ongoing basis and as key factors, including the organization’s business environment (e.g., introduction of new technologies), governance (e.g., legal obligations, risk tolerance), data processing, and systems/products/services change. 3.0 3.0
GV.MT-P2: Privacy values, policies, and training are reviewed and any updates are communicated. 3.0 3.0
GV.MT-P3: Policies, processes, and procedures for assessing compliance with legal requirements and privacy policies are established and in place. 3.0 3.0
GV.MT-P4: Policies, processes, and procedures for communicating progress on managing privacy risks are established and in place. 3.0 3.0
GV.MT-P5: Policies, processes, and procedures are established and in place to receive, analyze, and respond to problematic data actions disclosed to the organization from internal and external sources (e.g., internal discovery, privacy researchers, professional events). 3.0 3.0
GV.MT-P6: Policies, processes, and procedures incorporate lessons learned from problematic data actions. 3.0 3.0
GV.MT-P7: Policies, processes, and procedures for receiving, tracking, and responding to complaints, concerns, and questions from individuals about organizational privacy practices are established and in place. 3.0 3.0
CT.PO-P1: Policies, processes, and procedures for authorizing data processing (e.g., organizational decisions, individual consent), revoking authorizations, and maintaining authorizations are established and in place. 2.0 4.0
CT.PO-P2: Policies, processes, and procedures for enabling data review, transfer, sharing or disclosure, alteration, and deletion are established and in place (e.g., to maintain data quality, manage data retention). 2.0 4.0
CT.PO-P3: Policies, processes, and procedures for enabling individuals’ data processing preferences and requests are established and in place. 2.0 4.0
CT.PO-P4: A data life cycle to manage data is aligned and implemented with the system development life cycle to manage systems. 2.0 4.0
CT.DM-P1: Data elements can be accessed for review. 1.0 5.0
CT.DM-P2: Data elements can be accessed for transmission or disclosure. 1.0 5.0
CT.DM-P3: Data elements can be accessed for alteration. 1.0 5.0
CT.DM-P4: Data elements can be accessed for deletion. 1.0 5.0
CT.DM-P5: Data are destroyed according to policy. 1.0 5.0
CT.DM-P6: Data are transmitted using standardized formats. 1.0 5.0
CT.DM-P7: Mechanisms for transmitting processing permissions and related data values with data elements are established and in place. 1.0 5.0
CT.DM-P8: Audit/log records are determined, documented, implemented, and reviewed in accordance with policy and incorporating the principle of data minimization. 1.0 5.0
CT.DM-P9: Technical measures implemented to manage data processing are tested and assessed. 1.0 5.0
CT.DM-P10: Stakeholder privacy preferences are included in algorithmic design objectives and outputs are evaluated against these preferences. 1.0 5.0
CT.DP-P1: Data are processed to limit observability and linkability (e.g., data actions take place on local devices, privacy-preserving cryptography). 5.0 1.0
CT.DP-P2: Data are processed to limit the identification of individuals (e.g., de-identification privacy techniques, tokenization). 5.0 1.0
CT.DP-P3: Data are processed to limit the formulation of inferences about individuals’ behavior or activities (e.g., data processing is decentralized, distributed architectures). 5.0 1.0
CT.DP-P4: System or device configurations permit selective collection or disclosure of data elements. 5.0 1.0
CT.DP-P5: Attribute references are substituted for attribute values. 5.0 1.0
CM.PO-P1: Transparency policies, processes, and procedures for communicating data processing purposes, practices, and associated privacy risks are established and in place. 4.0 2.0
CM.PO-P2: Roles and responsibilities (e.g., public relations) for communicating data processing purposes, practices, and associated privacy risks are established. 4.0 2.0
CM.AW-P1: Mechanisms (e.g., notices, internal or public reports) for communicating data processing purposes, practices, associated privacy risks, and options for enabling individuals’ data processing preferences and requests are established and in place. 3.0 3.0
CM.AW-P2: Mechanisms for obtaining feedback from individuals (e.g., surveys or focus groups) about data processing and associated privacy risks are established and in place. 3.0 3.0
CM.AW-P3: System/product/service design enables data processing visibility. 3.0 3.0
CM.AW-P4: Records of data disclosures and sharing are maintained and can be accessed for review or transmission/disclosure. 3.0 3.0
CM.AW-P5: Data corrections or deletions can be communicated to individuals or organizations (e.g., data sources) in the data processing ecosystem. 3.0 3.0
CM.AW-P6: Data provenance and lineage are maintained and can be accessed for review or transmission/disclosure. 3.0 3.0
CM.AW-P7: Impacted individuals and organizations are notified about a privacy breach or event. 3.0 3.0
CM.AW-P8: Individuals are provided with mitigation mechanisms (e.g., credit monitoring, consent withdrawal, data alteration or deletion) to address impacts of problematic data actions. 3.0 3.0
PR.PO-P1: A baseline configuration of information technology is created and maintained incorporating security principles (e.g., concept of least functionality). 2.0 4.0
PR.PO-P2: Configuration change control processes are established and in place. 2.0 4.0
PR.PO-P3: Backups of information are conducted, maintained, and tested. 2.0 4.0
PR.PO-P4: Policy and regulations regarding the physical operating environment for organizational assets are met. 2.0 4.0
PR.PO-P5: Protection processes are improved. 2.0 4.0
PR.PO-P6: Effectiveness of protection technologies is shared. 2.0 4.0
PR.PO-P7: Response plans (Incident Response and Business Continuity) and recovery plans (Incident Recovery and Disaster Recovery) are established, in place, and managed. 2.0 4.0
PR.PO-P8: Response and recovery plans are tested. 2.0 4.0
PR.PO-P9: Privacy procedures are included in human resources practices (e.g., deprovisioning, personnel screening). 2.0 4.0
PR.PO-P10: A vulnerability management plan is developed and implemented. 2.0 4.0
PR.AC-P1: Identities and credentials are issued, managed, verified, revoked, and audited for authorized individuals, processes, and devices. 1.0 5.0
PR.AC-P2: Physical access to data and devices is managed. 1.0 5.0
PR.AC-P3: Remote access is managed. 1.0 5.0
PR.AC-P4: Access permissions and authorizations are managed, incorporating the principles of least privilege and separation of duties. 1.0 5.0
PR.AC-P5: Network integrity is protected (e.g., network segregation, network segmentation). 1.0 5.0
PR.AC-P6: Individuals and devices are proofed and bound to credentials, and authenticated commensurate with the risk of the transaction (e.g., individuals’ security and privacy risks and other organizational risks). 1.0 5.0
PR.DS-P1: Data-at-rest are protected. 5.0 1.0
PR.DS-P2: Data-in-transit are protected. 5.0 1.0
PR.DS-P3: Systems/products/services and associated data are formally managed throughout removal, transfers, and disposition. 5.0 1.0
PR.DS-P4: Adequate capacity to ensure availability is maintained. 5.0 1.0
PR.DS-P5: Protections against data leaks are implemented. 5.0 1.0
PR.DS-P6: Integrity checking mechanisms are used to verify software, firmware, and information integrity. 5.0 1.0
PR.DS-P7: The development and testing environment(s) are separate from the production environment. 5.0 1.0
PR.DS-P8: Integrity checking mechanisms are used to verify hardware integrity. 5.0 1.0
PR.MA-P1: Maintenance and repair of organizational assets are performed and logged, with approved and controlled tools. 4.0 2.0
PR.MA-P2: Remote maintenance of organizational assets is approved, logged, and performed in a manner that prevents unauthorized access. 4.0 2.0
PR.PT-P1: Removable media is protected and its use restricted according to policy. 3.0 3.0
PR.PT-P2: The principle of least functionality is
incorporated by configuring systems to provide only 3.0 3.0
essential capabilities.
PR.PT-P3: Communications and control networks are
protected. 3.0 3.0
PR.PT-P4: Mechanisms (e.g., failsafe, load balancing,
hot swap) are implemented to achieve resilience
requirements in normal and adverse situations. 3.0 3.0
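The sample scores above exist only to exercise the worksheet's formulas, but the roll-up they feed is simple enough to reproduce outside Excel, which is handy when several assessors export their tabs and you want one consolidated view. The script below is an added example, not part of the worksheet or its formulas; it assumes the first value in each row is the Policy score and the second the Practice score, in the order the Directions describe, and the `SAMPLE_SCORES` table and the `summarize` / `flag_gaps` function names are its own. It groups subcategories by category (the prefix before `-P`), averages each column, and flags categories where practice and policy diverge by a full maturity level or more in either direction.

```python
"""Policy-vs-practice maturity roll-up by category.

Added example, not the worksheet's own logic. Assumption: each row is
(subcategory ID, Policy score, Practice score), both scores on the 1-5
scale from the Maturity Levels tab (fractional values allowed).
"""
from collections import defaultdict
from statistics import mean

# Constructed input: the sample values shown in the rows above. In real use
# this would be read from the worksheet export instead of being hard-coded.
SAMPLE_SCORES = [
    ("CM.AW-P1", 3.0, 3.0), ("CM.AW-P2", 3.0, 3.0), ("CM.AW-P3", 3.0, 3.0),
    ("CM.AW-P4", 3.0, 3.0), ("CM.AW-P5", 3.0, 3.0), ("CM.AW-P6", 3.0, 3.0),
    ("CM.AW-P7", 3.0, 3.0), ("CM.AW-P8", 3.0, 3.0),
    ("PR.PO-P1", 2.0, 4.0), ("PR.PO-P2", 2.0, 4.0), ("PR.PO-P3", 2.0, 4.0),
    ("PR.PO-P4", 2.0, 4.0), ("PR.PO-P5", 2.0, 4.0), ("PR.PO-P6", 2.0, 4.0),
    ("PR.PO-P7", 2.0, 4.0), ("PR.PO-P8", 2.0, 4.0), ("PR.PO-P9", 2.0, 4.0),
    ("PR.PO-P10", 2.0, 4.0),
    ("PR.AC-P1", 1.0, 5.0), ("PR.AC-P2", 1.0, 5.0), ("PR.AC-P3", 1.0, 5.0),
    ("PR.AC-P4", 1.0, 5.0), ("PR.AC-P5", 1.0, 5.0), ("PR.AC-P6", 1.0, 5.0),
    ("PR.DS-P1", 5.0, 1.0), ("PR.DS-P2", 5.0, 1.0), ("PR.DS-P3", 5.0, 1.0),
    ("PR.DS-P4", 5.0, 1.0), ("PR.DS-P5", 5.0, 1.0), ("PR.DS-P6", 5.0, 1.0),
    ("PR.DS-P7", 5.0, 1.0), ("PR.DS-P8", 5.0, 1.0),
    ("PR.MA-P1", 4.0, 2.0), ("PR.MA-P2", 4.0, 2.0),
    ("PR.PT-P1", 3.0, 3.0), ("PR.PT-P2", 3.0, 3.0), ("PR.PT-P3", 3.0, 3.0),
    ("PR.PT-P4", 3.0, 3.0),
]


def category_of(subcategory_id: str) -> str:
    """'PR.DS-P6' -> 'PR.DS': the Function.Category prefix before the '-P' index."""
    return subcategory_id.split("-", 1)[0]


def validate(rows):
    """Reject scores outside the 1-5 scale so a typo cannot silently skew the averages."""
    for sid, policy, practice in rows:
        for label, value in (("policy", policy), ("practice", practice)):
            if not 1.0 <= value <= 5.0:
                raise ValueError(f"{sid}: {label} score {value} is outside the 1-5 range")
    return rows


def summarize(rows):
    """Per-category means and the practice-minus-policy gap.

    Returns {category: {"policy": mean, "practice": mean, "gap": practice - policy, "n": count}}.
    A negative gap means the control is stronger on paper than in operation.
    """
    by_category = defaultdict(list)
    for sid, policy, practice in validate(rows):
        by_category[category_of(sid)].append((policy, practice))
    summary = {}
    for category, pairs in by_category.items():
        policy_mean = mean([p for p, _ in pairs])
        practice_mean = mean([q for _, q in pairs])
        summary[category] = {
            "policy": round(policy_mean, 2),
            "practice": round(practice_mean, 2),
            "gap": round(practice_mean - policy_mean, 2),
            "n": len(pairs),
        }
    return summary


def flag_gaps(summary, threshold=1.0):
    """Categories whose practice lags policy, or runs ahead of it, by at least `threshold` levels."""
    return {
        "practice_lags_policy": sorted(c for c, s in summary.items() if s["gap"] <= -threshold),
        "policy_lags_practice": sorted(c for c, s in summary.items() if s["gap"] >= threshold),
    }


if __name__ == "__main__":
    result = summarize(SAMPLE_SCORES)
    for category in sorted(result):
        s = result[category]
        print(f"{category:6} n={s['n']:2}  policy={s['policy']:.1f}  practice={s['practice']:.1f}  gap={s['gap']:+.1f}")
    print(flag_gaps(result))
```

On the sample data the two findings a reviewer cares about fall out immediately: PR.DS and PR.MA score far higher on policy than on practice, the classic "controls exist on paper" pattern, while PR.AC and PR.PO run the other way, meaning operational practice that nobody has written down and that will not survive staff turnover. Both directions are gaps worth closing, which is why the flagging is symmetric rather than only looking for weak practice.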
Document  Link
NIST 800-53  https://csrc.nist.gov/publications/detail/sp/800-53/rev-4/final
CIS CSC  https://www.cisecurity.org/controls/
COBIT 5  http://www.isaca.org/cobit/pages/default.aspx
ISA 62443 (All)  https://www.isa.org/standards-and-publications/isa-standards/find-isa-standards-in-numerical-order/
ISO/IEC 27001  https://www.iso.org/isoiec-27001-information-security.html