Cyber Security and Physical Security

The document presents the Cyber/Physical Security Framework, which is intended to guide implementation of Japan's Connected Industries program to reduce cybersecurity risks. As industries increasingly connect digitally through Society5.0 initiatives that integrate cyberspace and physical infrastructure, cyberattacks will have greater impact. The Framework establishes common security measures required across industries involving highly integrated cyber-physical systems and supply chains. It is designed as a reference for enterprises to consider based on their unique risk tolerance and needs, and will evolve to address new threats that emerge with advancing technologies like AI.


The Cyber/Physical Security Framework

To ensure trustworthiness of a new type of supply chain in “Society5.0”,
so-called “value creation process”

Version 1.0

Cyber Security Division

Commerce and Information Policy Bureau

Ministry of Economy, Trade and Industry

Apr. 18, 2019


Table of contents

Executive Summary

Introduction
1. Society realized by “Society5.0” and “Connected Industries”
2. Increase of threats by cyberattacks
3. Intention of developing the Framework and its scope of application
4. Intended readers of the Framework
5. Overall structure of the Framework
6. Expected effects and features of the Framework
7. How to use the Framework

Part I (Concept): Industrial cybersecurity for connected cyber and physical systems
1. Efforts for “value creation process,” a “Society5.0” supply chain in an
   industrial society where cyberspace and physical space are highly integrated
2. Model for establishing the basis for trustworthiness to ensure security in
   the value creation process: The three-layer and the six elements
2.1. Significance of the three-layer approach
2.2. The six elements
3. Identifying the risk sources in the value creation process and its policy
4. Concepts of securing trustworthiness based on the Framework
5. Conclusion

Part II (Policy): Identification of risk sources and measure requirements
1. How to proceed with risk management that considers the three-layer model and
   six elements
1.1. Specifying the target of analysis (applying to the three-layer model)
1.2. Anticipating security incidents and their impact
1.3. Analyzing risks
1.4. Managing risks
2. Relationship between risk sources and measure requirements

Part III (Method): Security measures – requirements and examples
1. Risk management using security measure requirements and examples of
   security measures
2. How to use examples of security measures
3. Security measure requirements
3.1. CPS.AM – Asset Management
3.2. CPS.BE – Business Environment
3.3. CPS.GV – Governance
3.4. CPS.RA – Risk Assessment
3.5. CPS.RM – Risk Management Strategy
3.6. CPS.SC – Supply Chain Risk Management
3.7. CPS.AC – Identity Management, Authentication and Access Control
3.8. CPS.AT – Awareness and Training
3.9. CPS.DS – Data Security
3.10. CPS.IP – Information Protection Processes and Procedures
3.11. CPS.MA – Maintenance
3.12. CPS.PT – Protective Technology
3.13. CPS.AE – Anomalies and Events
3.14. CPS.CM – Security Continuous Monitoring
3.15. CPS.DP – Detection Process
3.16. CPS.RP – Response Planning
3.17. CPS.CO – Communications
3.18. CPS.AN – Analysis
3.19. CPS.MI – Mitigation
3.20. CPS.IM – Improvements

Appendix A Use case
Appendix B Relationship between risk source and measure requirements
Appendix C Examples of security measures according to measure requirements
Appendix D Relationship with major overseas standards
Appendix E Glossary
Executive Summary

- The Government of Japan is proposing creation of a next-generation smart
  social infrastructure program named Society5.0. The proposed program will
  provide a variety of products and services for the emerging needs of citizens.
  It also will provide both economic development and solutions for social
  challenges by integrating cyberspace and physical space. To support
  “Society5.0”, the Ministry of Economy, Trade and Industry (METI) proposed a
  program called Connected Industries, which will create value by building
  connections between a wide variety of disparate industrial data.

- In the industrial society of “Society5.0”, networking between companies and
  industries has produced “Connected Industries”, in which the connections
  themselves create new commercial opportunities from data. It is now possible
  to construct a more flexible and dynamic supply chain that includes new
  entities, and as cyberspace and physical space interact with each other, the
  supply chain becomes a new process that encompasses both spaces. The supply
  chain itself will create new added value.

- Cybersecurity is critical to the Connected Industries program. An attacker has
  many more possible targets in the new, interconnected supply chain, so cyber
  defenses must be drastically increased.

- In addition, the interconnection of cyberspace and physical space means that
  cyberattacks have an increasing impact on physical infrastructure. The
  physical consequences of a cyberattack could be enormous.

- The initiatives proposed for Society5.0 integrating cyberspace and physical
  space create great value for citizens and companies, but the risks and
  consequences of cyberattacks greatly increase as well. The Cyber/Physical
  Security Framework will guide the implementation of the Connected
  Industries program to reduce the risk of cyberattack.

- Because many varied entities participate in highly networked supply chains,
  measures adopted at a single enterprise cannot assure security across the
  supply chain, or even within that enterprise itself. Therefore, each supply
  chain participant must adopt “security by design” techniques, in which
  security is one of the primary requirements of a new system. In addition, all
  participants must ensure the security of any shared data. Finally, the entire
  supply chain must build resilience into supply chain systems to minimize the
  impact both of potential security breaches and of system failures for other
  reasons.

- The Framework shows security measures that are commonly required for all
  industries in the next-generation supply chain of “Society5.0”, an industrial
  society in which cyberspace and physical space are highly integrated. In order
  to ensure supply chain trustworthiness, security measures are shown from three
  viewpoints (“Connections between organizations”, “Mutual connections between
  cyberspace and physical space” and “Connections in cyberspace”).

- Companies and industries have widely varying tolerance for cybersecurity
  risks. The Framework is designed with this in mind and should be used as a
  reference document as enterprises consider their special cybersecurity
  approaches and needs.

- Finally, new threats will emerge with advances in AI technology in the unified
  cyberspace and physical space. The Framework will evolve to manage new
  threats, and will be reviewed as appropriate.
Introduction
1. Society realized by “Society5.0” and “Connected Industries”
Practical uses of networking and IoT (Internet of Things) are now advancing
worldwide, and public and private sectors are beginning to cooperate on highly
advanced IT in the field of manufacturing to lead the revolutionary changes of
“The Fourth Industrial Revolution”, such as the “Industry 4.0” program in
Germany. In Japan, in “The 5th Science and Technology Basic Plan”, approved at
a Cabinet meeting on January 22, 2016, the Government of Japan proposed a
next-generation smart society named “Society5.0” to produce products and
services that satisfy a variety of needs, and which also provides both economic
development and solutions for social challenges, by closely integrating
cyberspace and physical space. Furthermore, we, the Ministry of Economy, Trade
and Industry (METI), need to develop a new industrial structure to realize
“Connected Industries”, which creates new added value for “Society5.0”,
focusing on increased and varied connections.

Figure i-1 Illustration of the society realized in “Society5.0”[1]

“Society5.0” is the latest in a series of social structures. It is the next in
the series of the hunting society (Society1.0), agricultural society
(Society2.0), industrial society (Society3.0), and information society
(Society4.0).

[1] The illustration is quoted from the introduction of “Society5.0” by the Cabinet Office.
In the information society (Society4.0), sharing necessary knowledge and
information was not enough. It was difficult to create new value, and it was
also difficult and burdensome to find and analyze information in the huge
amounts of data created.
In “Society5.0”, all people and things are connected by IoT, a wide variety of
knowledge and information are shared, and new value is created. Moreover,
“Society5.0” relieves humans from the burdensome work of analyzing huge
amounts of data through the use of Artificial Intelligence (AI).
Furthermore, “Society5.0” is not a society where economic and organizational
systems are prioritized, but is instead a human-centered society in which AI,
robots, etc. will support work formerly done by humans, and provide people
with the goods and services they need, when needed, and as much as needed.

Figure i-2 Illustration of connections between components and data, etc. in Society5.0

Change in the supply chain structure

In “Society5.0”, the supply chain, which is a series of activities by companies
to create added value, will also change its form. The existing supply chain
was a rigid, linear structure of strict planning, including design, procuring
necessary parts and services based on the design, assembling and processing,
and delivering final products and services. It was deployed in a fixed and
unchanging manner. In “Society5.0,” however, where cyberspace and physical
space are highly integrated, needed goods and services are provided to the
people who need them when they need them. The starting point of a series of
activities to create added value is not fixed. In the past, suppliers planned
and designed the added value; from now on, there will be an increasing
number of cases where consumers will become the starting point of creating
added value. These activities may change during the process due to changes in
the requirements specified when the creation of added value was started. If
more effective data are obtained, those elements will be incorporated into the
new activities.
Supply chains straddle both cyber and physical spaces, and will change into
the creation of added value through various dynamically connected items and
data. In contrast with the conventional standard and linear supply chain,
these changed supply chains need to be viewed as the “Society5.0” supply
chain, and the Framework refers to them as the “value creation process” so
that they are distinguished from the conventional type.

2. Increase of threats by cyberattacks

In an industrial society of “Society5.0” where cyberspace and physical space
are highly integrated, cyberspace expands drastically and the points of
cyberattack expand with it; the two spaces interacting with each other increase
the impact of damage on physical space. For this reason, threats to the value
creation process (a new supply chain connecting across cyberspace and
physical space) are different and more complex compared to what the
standard and linear supply chain faced, and will cause a wider range of
damage.
It is necessary to understand that this major change in the environment will
expand the points of cyberattack. This means that the entire value creation
process may become exposed to threats of cyberattacks. For this reason,
measures to ensure security in all the elements relevant to the value creation
process need to be examined, and trustworthiness of the process needs to be
ensured through comprehensive measures, not partial ones.
In addition, new processes that occur with the advanced integration of
cyberspace and physical space, such as digitization of information obtained
from IoT and the exchange of large amounts of created data, are emerging as
new targets for cyberattacks. This needs to be recognized, and ensuring the
security of the digitization of information, together with security measures
to support the accuracy, distribution, and coordination of large amounts of
data, will become important issues.

Table I-1 Features of Society5.0 and corresponding security concerns

Feature of Society5.0: A large quantity of data exchange
  Security concern:
  - Appropriate management suited to the characteristics of the data is
    becoming increasingly important

Feature of Society5.0: Integration of physical space and cyberspace
  Security concerns:
  - Cyberattacks reach physical space
  - Assume intrusion from physical space and attack on cyberspace
  - Intervention in information conversion between physical space and
    cyberspace

Feature of Society5.0: Supply chains connected in complicated ways
  Security concern:
  - Range affected by cyberattacks expands

Threats to the supply chain are already arising as a real-life problem. In fact,
a case was reported in which equipment of a European company was infected
with ransomware; the infection spread to domestic enterprises in Japan via the
supply chain, expanded, and stopped some operations as a result.
Given the situation, the necessity of protecting IoT and Industrial Control
Systems (ICS) through supply chain management is becoming widely recognized in
other countries. In the United States, the Cybersecurity Framework, which
provides the perspective of cybersecurity measures especially for critical
infrastructure and was developed by NIST[2] in February 2014, was revised in
April 2018. In the revision, a description of supply chain risk management was
added, requesting that preventive measures be implemented across the entire
supply chain and that audits be conducted as needed.

3. Intention of developing the Framework and its scope of application

In the process of achieving “Society5.0” and “Connected Industries,” the
industrial and social environments are changing considerably. Along with
these changes, there are more threats of cyberattacks, and new threats are
emerging. Now is the time to begin preparing ourselves for these new and
increasing threats.

[2] National Institute of Standards and Technology

Under such problem awareness, METI has decided to formulate the
“Cyber/Physical Security Framework,” build a model that appropriately
identifies the risks faced in creating added value in the new industrial society,
identify the risk sources, organize an overview of the required security
measures, and summarize examples of measures which the industrial
community can utilize as their security measures.
The Framework covers the entire model of the new industrial society and
targets all entities that are working to create added value in it.
The identification of risk sources and security measures includes the
following:
(1) those applicable to conventional supply chains,
(2) those that need new measures in the new industrial society model.
Security measures can be customized to each enterprise.
In addition, even if a system is not connected to the Internet or other outside
networks, increased integration, convenience, and seamless interoperation
between the components of the system increase the possibility that a small
incident can spread system-wide. The reason is that most systems are
designed for general-purpose operation and are not customized for the
increased security required. Therefore, you should recognize that the
electronic equipment and the systems you own can be within the scope of the
Framework, and you should take the necessary security measures for each of
them.
The reader should make use of the Framework and implement necessary
security measures according to the actual requirements of the enterprise etc.
to which the reader belongs.

4. Intended readers of the Framework

The Framework should be referenced when working on a value creation
process in the new industrial society, Society 5.0. The stakeholders should all
be aware of and involved with the security measures necessary for that
activity. Stakeholders include the following.

・ CISO (Chief Information Security Officer)
・ Strategists and planners for supply chain creation and management
  teams (mostly Part I)
・ Person in charge of security of the enterprises and groups involved in
  the value creation process
・ Person in charge of development/quality assurance/design/construction
  of information systems and control systems
・ Person in charge of data management
・ Person in charge of standardization of security guidelines for industrial
  associations

5. Overall structure of the Framework

In order to accurately identify the risk sources in terms of cybersecurity in
the value creation process and show the measures for the risks, we, METI,
have structured the Framework in the following three parts.

(1) Part I explains the Concept of the Framework; the following are
specified:
- the model (the three layers and the six elements) to identify the risk
  sources in terms of cybersecurity in the value creation process
- an outline of the risks and risk sources
- the approach to the risks to ensure trustworthiness.

(2) Part II uses the model shown in Part I to identify the risk sources and
presents measure requirements for these risk sources. This part clarifies the
measure requirements (Policy) that each company or organization should
adopt.

(3) Part III organizes the measure requirements shown in Part II according to
the kind of measure. In addition, examples of the security measures,
classified based on the relative strength of security, are presented in
Appendix C. This part shows the specific Methods that each company or
organization should actually take.

The above three-part structure is also suitable for timely and appropriate
review of necessary revisions. In other words, Part II will be updated to take
up new risk sources as the integration between cyberspace and physical space
progresses, and Part III will be updated to take up more valid measure
instances as security measure technology progresses.
In this way, by using the three-part structure, the Framework can be updated
with any changes continuously and flexibly.

6. Expected effects and features of the Framework

The Framework was designed with the following expected effects and
characteristics.

(1) Expected effects in each enterprise utilizing the Framework

・ Ensuring trustworthiness in the value creation process by
  implementing security measures
・ Strengthening of competitiveness by turning the security quality of
  products and services into differentiation factors (value)

(2) Features of the Framework

i. It can be used to create and operate security measures for each
enterprise
 - The Framework shall allow enterprises to confirm the policy and
   have an actual implementation of the security measures (Part II
   and Part III), in addition to defining goals for security measures in
   the industrial society (Part I).

ii. It presents the necessity of security measures, and examples of
measures that are appropriate for costs and risks
 - It identifies the relation between the expected risk sources and
   countermeasures, and allows understanding of the costs so that the
   enterprises (including small- and medium-sized enterprises) which
   are building a value creation process can actually implement the
   measures.
 - It allows us to devise ways to reduce cost while maintaining an
   appropriate level of security by deriving security measures from the
   risk source (risk-based thinking), and allowing enterprises to select
   the right measures for their circumstances.

iii. Contribute to international harmonization
 - In order to ensure that the security measures in Japan for products
   and services are accepted by other countries in the global supply
   chains, Japanese policymakers and companies should understand
   trends in foreign nations and include contents that will ensure
   consistency with major standards in the United States and Europe,
   including international standards (e.g., ISO/IEC 27001) and the
   NIST Cybersecurity Framework, and promote mutual recognition
   with the certification systems of each country based on these
   standards.
 - In the Framework, there are correspondence tables between the
   Framework and other standards. An enterprise which uses the
   correspondence tables can make sure that it satisfies the security
   requirements of the other standards. A foreign enterprise can show
   its sufficient security treatment based on the other standards
   through the tables.

7. How to use the Framework

The Framework is intended to be referred to when an entity who is working
on creating added value in the new industrial society, “Society5.0,” takes the
security measures necessary for that activity.
On the other hand, in each respective industry the allowable risks are
different, depending on industrial structure or business practice. The material
assets which should be protected are influenced by industry, enterprise,
human/financial resources, and allowable risks. Security requirements
should be based on the characteristics of each industrial sector.

(1) Identifying the risk sources [Part II, Appendix A, Appendix B]

By referring to the three-layer approach shown in the Framework, a model
can be developed for the creation of added value for each enterprise based
on trustworthiness. Necessary characteristics and functions are noted in
each layer of the three-layer approach. Specific examples of equipment are
presented in Part II. Appendix A shows a typical case of use in each industry.
In addition, the risk sources of each enterprise can be identified by
referencing the security incidents, threats, and vulnerabilities translated
into the six elements, which are organized in Part II and Appendix B.
Through these materials, it is expected that new risk sources will be
identified regarding the following points by comparing with the
conventional perspective of risk assessment.

i. Relation of the multiple stakeholders who surround each organization
   involved in the value creation process
ii. Integration of cyberspace and physical space through IoT devices
iii. Cross-organizational data exchange
iv. Securing the basis of trustworthiness of each layer

(2) Formulating security policy and implementing measures in each
enterprise [Part III, Appendix C]

Security policy for the organization can be formulated, and security
measures can be implemented, with reference to the security requirements
and examples of measures shown in Part III and Appendix C. Part III presents
security measures organized in consideration of the concept of the NIST
Cybersecurity Framework. Appendix C gives examples of security measures
that would satisfy each of the security requirements.
It is expected that these materials will help each enterprise’s efforts,
especially on the following points.

i. Implementation of measures that take into account the level of
   measures to be implemented and the costs in each organization
ii. Comparisons with relevant international standards

(3) Building a trustworthy chain among each enterprise and industry

Trustworthiness of each value creation process can be ensured by identifying
the risks and implementing security measures based on the Framework.
Building up such efforts will build a trustworthy chain. To be specific, these
efforts are expected to result in the following.

i. Creating a list for trustworthiness (the detailed definition is described
   in Part I: 4.(2))
ii. Authenticating organizations and equipment

Part I (Concept): Industrial cybersecurity for connected cyber
and physical systems
1. Efforts for “value creation process,” a “Society5.0” supply chain in
an industrial society where cyberspace and physical space are highly
integrated
In the “Society5.0” and “Connected Industries” programs, the increased
connectivity, data creation by IoT devices, and data analysis using AI will
result in supply chain and value creation models very different from today’s
practices.
In the Framework, a Society5.0 supply chain is defined as a “value creation
process” to distinguish it from the conventional supply chain. The Framework
provides a guide for the security measures required by the extended supply
chain models of Society5.0 and Connected Industries.

In conventional supply chain models, security measures are based on the idea
that security of the entire process is ensured by doing business only with
entities that use proper security; in other words, the conventional idea that
trustworthiness of the supply chain is ensured if the organizational
governance and management of the participating entities are secure and
reliable. When a company entrusts its information processing work to another
company, security measures such as obtaining ISMS certification were
important. The basis for ensuring security was the trustworthiness of the
organization’s management.
However, in the value creation process, where cyberspace and physical space
are highly integrated, trustworthiness of the process cannot be assured
simply by the trustworthiness of the participating organizations’
management.
For example, in an integrated cyberspace and physical space, various
information such as environmental information (e.g., temperature, humidity)
and biological information (e.g., body temperature, heart rate) that once
would have been kept in physical space can be digitized and stored in large
quantities in cyberspace. Also, unlike the conventional supply chain, trusted
entities are not the only ones involved in this process. There is therefore a
limit to ensuring trustworthiness of the entire process by ensuring the
trustworthiness of the participants alone.
In order to promote security and ensure trustworthiness in the value creation
process, a different approach is required, one which adopts alternate points
of view to ensure security across all the supply chain participants.

Part I shows a model with the points of the value creation process that need
security assurance, and describes policies to deal with risk sources in each of
its elements.

2. Model for establishing the basis for trustworthiness to ensure


security in the value creation process: The three-layer and the six
elements
The security of physical data produced by IoT devices – and its digitization,
transport, storage, and analysis – is very different from interactions between
two trusted entities in a conventional supply chain. Often this IoT data is
used to generate new data through automated analysis. Data is also used to
create physical products and services in physical space by controlling physical
IoT devices. All these interactions and more must be secured and controlled
by value creation process participants.
In order to accurately identify the sources of security risks in activities that
extend the conventional supply chain, the value creation process is organized
into three layers, as follows:

The first layer – Connections between organizations


The second layer – Mutual connections between cyberspace and
physical space
The third layer – Connections in cyberspace

Also, in order to implement measures against such risk sources at the


operational level, it is necessary to identify elements with risk sources, and it
is necessary to extract vulnerabilities and risk sources from this three-layer
model.
On the other hand, because the value creation process would be built
dynamically and flexibly, essential protection measures could be missed by
simply addressing risks on business assets. Elements of the value creation
should be abstracted to a certain extent, so security measures can respond to
changing threats dynamically.
In the Framework, these elements are organized into the following categories;
the detailed definition of each is given in 2.2.

- “Organization”3
- People
- Components
- Data
- Procedure
- System

The basic structure of the Framework is to identify the risk source of the value
creation process based on the three layers, present security measures for each
risk source based on the six elements, and present specific examples of the
measures.

3 To distinguish it from “organization” in its general usage, quotation marks (“ ”) are attached when the term “organization” is used with its specific meaning in this paper.

Three-layer conceptual diagram: The First Layer (Connections between organizations); The Second Layer (Mutual connections between cyberspace and physical space); The Third Layer (Connections in cyberspace).

Figure 1.2-1 Three layers of the industrial society where value creation processes unwind

2.1. Significance of the three-layer approach
As already mentioned, it is no longer sufficient to ensure trust in the value
creation process by ensuring the trustworthiness of an organization’s
management alone. In order to deal with new risks in the value creation process, it
is necessary to introduce additional requirements for trustworthiness. The
three-layer approach described in this section is the Framework’s approach to
ensuring trustworthiness. The trustworthiness to be verified in each layer is
explained below.

The First Layer — Connections between organizations

The first layer aims for a level that ensures trustworthiness in the
organization’s management.
This idea has been adopted to achieve security in the supply chain. It is based
on the idea that by confirming the trustworthiness of the enterprise’s
management and allowing only participants whose trustworthiness is
established, security can be ensured.
Certification programs such as ISMS (based on ISO/IEC 27001) center on
ensuring trustworthiness in the company’s management, division
management, and headquarters’ management, and provide a mechanism that
leads to connections between companies with confirmed trustworthiness to
ensure security in the supply chain. Using this approach, security policies are
shared, and the trustworthiness of management is confirmed and certified.
In summary, the first layer aims at a level at which organizational management
with a shared security policy is certified as a basis for ensuring trust.
However, in an industrial society where cyberspace and physical space are
integrated, it is impossible to ensure trust in the entire value creation process
only by confirming the trustworthiness of the organization’s management. In
the second layer and the third layer of the model, further types of
trustworthiness are introduced to ensure the trustworthiness of the whole value
creation process.

The Second Layer — Mutual connections between cyberspace and physical space

In an industrial society where cyberspace and physical space are highly
integrated, physical data can be digitized, delivered to cyberspace, processed
and edited, analyzed, and returned to physical space. IoT seeks to connect
everything to the network, and create borders between cyberspace and
physical space. Connections between cyber and physical space are found in
many industrial and social activities.
On the other hand, unreliable interactions between cyberspace and physical
space could cause uncertainty in the entire industrial society. The value
creation process expands over the border of cyberspace and physical space.
Its trustworthiness cannot be ensured if the accuracy of information transcribed
over the border cannot also be ensured.
The value creation process goes beyond the border between cyberspace
and physical space. The interaction between cyberspace and physical space,
that is, the data exchange between both spaces, is required to have high
accuracy. In other words, the trustworthiness of the value creation process is
not ensured unless the accuracy of transcription and translation is confirmed.
The second layer is based on the accuracy and trustworthiness of data
transcription and transfer (including accurate translation) between
cyberspace and physical space.
The actual border of cyberspace and physical space is established by the
so-called IoT system, which is made up of elements such as sensors that
convert physical events (e.g., temperature, humidity and distance) into data,
actuators and controllers. The security of the systems that transfer data on
the border of cyberspace and physical space cannot be ensured by confirming
the trustworthiness of the organization’s management.
To ensure trustworthiness in transcription, in accordance with ISO/IEC
27036, all the elements of the system lifecycle, including construction and
maintenance, must also be trustworthy.
Another point to be understood is that existing systems will be incorporated
into the new frontier between cyberspace and physical space. It is important
to reevaluate the systems’ security and take measures to ensure security of
transcription functions.

The Third Layer — Connections in cyberspace

As the quantity of data drastically increases in industrial society, the creation
of new value in cyberspace through exchange, analysis, and editing has
become commonplace.

Trustworthiness of the data transcribed from physical space to cyberspace is
guaranteed by ensuring trustworthiness of the transcription function in the
second layer. However, it should be noted that data is created, edited,
processed, and freely exchanged in cyberspace outside the second layer
process as well, and not only by organizations with confirmed trustworthiness.
Many entities may use and modify a data set, but the original data is the
foundation for creation of value in cyberspace.

In cyberspace, to ensure trustworthiness in the value creation process and to
create value as intended, the data itself must be trusted. Therefore, in the
third layer, data integrity is the basis of trustworthiness. Data falsification
and data breach during the distribution and storage of data will cause loss of
trust for the entire value creation process. For that reason, security measures
need to be implemented in the third layer for data distribution and storage,
as well as for appropriate editing and processing.

In the value creation process in an industrial society where cyberspace and
physical space are highly integrated, security measures from all three layers
are required. Risk sources will be identified from the three-layer model and
measures can be presented for each layer of the value creation process that
create the foundations of trust.

Figure 1.2-2 Significance of the three-layer model

2.2. The six elements
Through the three-layer model, it is necessary to identify the impact of the
threat on the elements that make up the value creation process, and to
identify the risk sources. The elements which make up the value creation
process must be organized to establish a policy for security measures and to
build specific measures.
At this point, it is necessary to understand that the elements of the value creation
process should be abstracted, because the value creation process is organized
dynamically and flexibly and its business assets are difficult to pin down in a fixed form.

Table 1.2-1 Six elements involved in the value creation process

Element: Definition
“Organization”: Companies, groups and organizations that compose value creation processes
People: People belonging to organizations. People directly participating in value creation processes
Components: Hardware, software and parts, including operating devices
Data: Information collected in physical space. Information edited through sharing, analyzing and simulating the above information
Procedure: Sequences of activities to achieve a defined purpose
System: Mechanisms or infrastructures configured with components for a defined purpose

The six elements are established to extract factors from the value creation
process and components of organizations based on the idea of quality control
“4M (Man, Machine, Material and Method)”. As Figure 1.2-3 shows,
organizations provide added values and outputs, as well as waste, through
inputs (material, information, and so on) from other entities. Also, there are
people, physical machines, IT/OT systems, and procedures like standards
included in the value creation process. Each element is produced from outputs
of other organizations as well. The six elements are related to each other in
complex ways. For example, an IT system is an output from a value creation
process composed of computer suppliers, system integrators, etc.
In an example of a value creation process of the manufacturing industry, the
relationship of six elements and three layers is shown in Figure 1.2-4. The
company "organization" on the left inputs "components", processes them, and
outputs "components". The company "organization" on the right inputs
"components" output by the company "organization" on the left, adds
processing, and outputs "components" of its own. Within each company
"organization", there are "components" such as processing machines, sensors
and actuators, “systems” such as systems to exchange data with other
organizations, “people” such as people who monitor and control the systems,
"procedures" such as procedures to establish each system activity, and “data”
such as various types of data flowing between the systems.
These are the elements which each organization manages, and they make up
the first layer for each company. Within the elements of the first layer,
sensors and actuators transcribing between cyber space and physical space,
systems controlling them, and related procedures and data are organized as
the elements of the second layer. Between two organizations, the data
exchanged via the Internet and the related systems, procedures, and data are
organized as the elements of the third layer that connects in cyberspace.
These six elements do not have an exclusive relationship to each other. For
example, “organization” is formed of other elements such as "people",
"system", "procedure", but "organization" also has the meaning of the original
element in the value creation process. “People” is not only an element
contained in "organization", but also the element participating in a value
creation process directly. The trustworthiness of the value creation process is
secured by taking a security measure for the risk sources of six elements in
the value creation process, and in that way the trustworthiness of created
hardware, software, and services is ultimately secured.

Figure 1.2-3 Relationship of six elements

Figure 1.2-4 Relationship of six elements in the three-layer model

3. Identifying the risk sources in the value creation process and its policy
The risk sources in the value creation process will be identified and associated
policies will be developed in Part II based on the three-layer model and the
six elements. Part I especially shows that new risk sources appeared in the
value creation process, which are different from conventional supply chains.
In the first layer, management by the enterprise is the basis of
trustworthiness, and security measures are implemented based on the
management of each enterprise. However, as already mentioned, security
measures need to be taken in the second layer and the third layer for the
value creation process that spans both cyber and physical spaces.
The important point in security measures for the second layer is to ensure
correct transcription on the border of cyberspace and physical space. To
ensure trustworthiness of the transcription, any organization which is
directly or indirectly involved in the value creation process must cooperate.
This means that even organizations not directly involved in the value creation
process are required to participate in implementing security measures. A
multi-stakeholder approach is required.
For example, when an enterprise indirectly involved in a value creation
process provides secured products and services to a directly involved
enterprise, the trustworthiness of the transcription, which is the basis of
trustworthiness in the second layer, is ensured.
In addition, in the third layer, organizations participating in the value
creation process will use various data in cyberspace. Security of the process
is built on the premises that the data is handled appropriately and
trustworthiness is ensured.
Here also, although not directly involved in the value creation process, an
entity indirectly involved in distributing or handling the data is required to
play a vital role in ensuring security. Efforts on security measures using a
multi-stakeholder approach are necessary.
As an example, for a given data set, the same security measures must be
taken by all participants who handle the data. Security measures for the data
set from the first layer and the second layer will be based on the specific
measure in the third layer which ensures data trustworthiness.
The risk sources are viewed differently in each layer, and the policy for
managing risks also differs.
Taking these into account, the Framework will define and organize areas to
be protected and risk sources in each layer, as well as measures that will be
taken based on individual policies as shown in Figure 1.3-1.

Figure 1.3-1 Overview of the measures in each layer

4. Concepts of securing trustworthiness based on the Framework
The security of the entire value creation process is ensured by each entity
securing each element that forms the basis of trustworthiness in the three
layers. In order to do so, it is necessary to confirm that each element’s security
requirements are satisfied (creation of trust), to make that confirmation
available for inquiry by parties other than the one that confirmed it (proof of
trust), and to structure and maintain a chain of trustworthiness relationships
(trustworthy chain) built up by repeating creation and proof of trust (see
Figure 1.4-2).
Examples of matters that are required to achieve creation of trust, proof of
trust, and the structuring and maintaining of a trustworthy chain are shown below.

(1) Creation of Trust

Examples)
・ To create components/data that satisfy the security requirements.
・ To preserve records of the above.
・ Self-confirmation that those components/data have been created with the
security requirements satisfied.
・ Third-party certification that those components/data have been created
with the requirements satisfied.

(2) Proof of Trust

Examples)
・ To create and manage a list (the list for trustworthiness) that third parties
other than the producer can inquire to confirm that the target
components/data were properly created in a form that satisfies the security
requirements. The structure of the list does not matter; it may be an
integrated ledger or a distributed ledger (such as a blockchain).
・ To confirm the trustworthiness of the target components/data by
inquiring of the list for trustworthiness.

(3) Structuring and Maintaining of Trustworthy chain

Examples)
・ Structuring of a trustworthy chain through repeated creation and
certification of trustworthiness (each chain element’s trustworthiness being
confirmed against the other elements, thereby securing traceability).
・ Detection of/protection against external attacks on the trustworthy
chain.
・ Improvement of resilience against attacks.
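As an added example that is not part of the Framework, the following Python sketch shows how the three concepts above fit together: a producer records a component with the security requirements it satisfied and signs the record (creation of trust), a certifier may countersign it, any other party inquires of the list to check the record (proof of trust), and because each record references the records of its inputs the check walks back along the whole supply chain and detects altered records (trustworthy chain). The organization names, HMAC signing secrets and requirement labels are constructed for the example, and the in-memory list is the integrated-ledger form.

```python
import hashlib
import hmac
import json


def _canonical(body):
    # Deterministic serialisation, so hashes and signatures are reproducible.
    return json.dumps(body, sort_keys=True, separators=(",", ":")).encode()


class TrustList:
    """A queryable 'list for trustworthiness' kept as one in-memory ledger.
    Signing secrets are constructed per-organization HMAC keys standing in
    for the certificates a real deployment would use."""

    SIGNED_FIELDS = ("org", "component", "requirements", "inputs")

    def __init__(self):
        self.records = {}   # record id (hash of the signed body) -> record
        self._keys = {}     # organization name -> signing secret

    def register_org(self, org, secret):
        self._keys[org] = secret

    def _sign(self, org, data):
        return hmac.new(self._keys[org], data, "sha256").hexdigest()

    # (1) Creation of trust
    def create(self, org, component, requirements, inputs=(), certifier=None):
        """Record that `org` produced `component` satisfying `requirements`
        from the already-recorded `inputs`. The producer signs the record
        (self-confirmation); `certifier`, if given, countersigns it
        (third-party certification). Returns the record id."""
        missing = [i for i in inputs if i not in self.records]
        if missing:
            raise KeyError(f"inputs not on the trust list: {missing}")
        body = {"org": org, "component": component,
                "requirements": sorted(requirements), "inputs": list(inputs)}
        canon = _canonical(body)
        rid = hashlib.sha256(canon).hexdigest()
        record = dict(body, producer_sig=self._sign(org, canon))
        if certifier is not None:
            record["certifier"] = certifier
            record["certifier_sig"] = self._sign(certifier, canon)
        self.records[rid] = record
        return rid

    # (2) Proof of trust, repeated along (3) the trustworthy chain
    def verify(self, rid, required, need_certifier=False):
        """Inquire of the list as a party other than the producer: is the
        record intact and signed, does it meet every requirement in
        `required`, and does every input in its chain? Returns (ok, reason)."""
        return self._verify(rid, frozenset(required), need_certifier, set())

    def _verify(self, rid, required, need_cert, seen):
        rec = self.records.get(rid)
        if rec is None:
            return False, f"{rid[:8]}: not on the list"
        name = rec["component"]
        canon = _canonical({k: rec[k] for k in self.SIGNED_FIELDS})
        # Any change to the signed fields changes the hash, so the id no
        # longer matches: tampering with the list is detected here.
        if hashlib.sha256(canon).hexdigest() != rid:
            return False, f"{name}: record body altered"
        if not hmac.compare_digest(rec["producer_sig"], self._sign(rec["org"], canon)):
            return False, f"{name}: producer signature invalid"
        if need_cert:
            cert = rec.get("certifier")
            if cert is None or not hmac.compare_digest(
                    rec.get("certifier_sig", ""), self._sign(cert, canon)):
                return False, f"{name}: no valid third-party certification"
        lacking = required - set(rec["requirements"])
        if lacking:
            return False, f"{name}: requirements {sorted(lacking)} not met"
        seen.add(rid)
        for inp in rec["inputs"]:          # traceability: walk back the chain
            if inp not in seen:
                ok, reason = self._verify(inp, required, need_cert, seen)
                if not ok:
                    return False, reason
        return True, f"{name}: verified"


def build_demo_chain():
    """Constructed supply chain: a sensor vendor's firmware goes into an
    integrator's controller, which a plant operator deploys on a line."""
    tl = TrustList()
    for org in ("SensorCo", "IntegratorCo", "PlantCo", "AuditorCo"):
        tl.register_org(org, f"constructed-secret-{org}".encode())
    fw = tl.create("SensorCo", "temp-sensor-fw",
                   ["secure-boot", "signed-update"], certifier="AuditorCo")
    ctl = tl.create("IntegratorCo", "line-controller",
                    ["secure-boot", "signed-update", "access-control"],
                    inputs=[fw], certifier="AuditorCo")
    line = tl.create("PlantCo", "production-line-1",
                     ["secure-boot", "signed-update", "access-control"],
                     inputs=[ctl])
    return tl, {"fw": fw, "ctl": ctl, "line": line}
```

Querying the line record for "access-control" fails at the sensor firmware two hops back, which is the traceability the chain provides; editing the firmware record afterwards is reported as an altered body from any record whose chain reaches it.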

Figure 1.4-1 Concept of basis of trustworthiness

The value creation process is dynamic and flexible. An approach that ensures
security in a multilayered manner is required: one that ensures
trustworthiness through the entire value creation process by structuring a
trustworthy chain whose relationships can be traced and confirmed, rather than
just verifying the trustworthiness of each element.
However, building a value creation chain requires many technical and
system-related tasks, and requires the ongoing cooperation of public and
private sectors. The technical and system-related preparations must include
cybersecurity requirements, and they are described in Part II. Part II should
be improved in the case that new technologies and/or rules would be
introduced.

Figure 1.4-2 Illustration of the relationship among Creation of Trust, Proof of Trust and Structuring and Maintaining of Trustworthy chain

5. Conclusion
The Framework presents security measures common among all industries of
the value creation process in a proposed industrial society, “Society5.0,” where
cyberspace and physical space are highly integrated. However, there are wide
differences in practices and in allowable risk between industries,
and even between companies within an industry. Security measures must
take these variations into account.
Therefore, in each industry and each enterprise, please use the Framework
in order to adopt appropriate security measures internally.
Moreover, please use the Framework to identify gaps between existing
security measures and best practices.

Part II (Policy): Identification of risk sources and measure requirements
In Part II, the risk sources for the Society 5.0 value creation process will be
presented. Risks are organized based on the three-layer model that forms the
basis of trustworthiness. Security measure requirements are also presented.

1. How to proceed with risk management that considers the three-layer model and six elements
Entities involved in the value creation process can utilize the Framework by
using the standard risk management process adopted in ISO 31000:2018 and
ISO/IEC 27001:2013. The contents of Part II can be utilized in the risk
management process, especially when defining the scope, context and criteria,
assessing risks, and treating risks.

Figure 2.1-1 Typical risk management process4

The following steps are followed when defining the scope, context and criteria,
establishing the contexts, assessing risks, and treating risks.

4 Created based on ISO 31000:2018 Risk management—Principles and guidelines

■ Scope, context and criteria
i. Specifying the target of analysis (1.1)
The value creation process targeted for analysis is specified based on the
three-layer model, and elements in each layer are identified by
implementing this step.
ii. Defining assumed security incident and business damage level (1.2)
Security incidents which have a high impact on the organization’s
business are identified, and the business damage level is defined.
■ Risk assessment [Risk identification/Risk analysis/Risk evaluation]
iii. Analyzing risks (1.3)
Potential attack scenarios for the security incidents defined in ii. will be
studied, and risks are analyzed in terms of threats and vulnerabilities.
■ Risk treatment
iv. Managing risks (1.4)
Risks are addressed based on the risk analysis results.

Figure 2.1-2 Flow of risk management5

5 Created with reference to “Security Risk Assessment Guide for Industrial Control Systems 2nd Edition” published by IPA

When implementing security risk management, it is necessary to understand
the concept of security risks shown in Figure 2.1-3. Here, risk is defined as
“the effect of uncertainty on objectives”, and security risk means the effect of
uncertainty regarding security on objectives. A security incident occurs due
to risk sources such as threats and vulnerabilities, and then security risks
become apparent. Therefore, in order to reduce security risks appropriately
and efficiently, it is necessary to appropriately analyze and treat security
incidents to be avoided and risk sources (for example, threats and
vulnerabilities) that may lead to security incidents.

Figure 2.1-3 Concept of security risk

In particular, in order to properly assess the security risks in “Society5.0” and
implement effective treatment, the following four points should be taken into
consideration through the process shown in this part. These points will be
described in detail in 1.1.(2).

i. Relation of multi-stakeholders who surround each organization involved in the value creation process
ii. Integration of cyberspace and physical space through IoT devices
iii. Cross-organizational data exchange
iv. Securing the basis of trustworthiness of each layer

In the following, the implementation of the security risk management will be
explained in order, in consideration of the above points.

1.1. Specifying the target of analysis (applying to the three-layer model)

The identification of the target of analysis for risk assessment will be
described in the following, in the order of (1) implementation process and (2)
points to note on the implementation.

(1) Process for identifying the target of analysis based on the three-layer model
The target of analysis must first be identified when assessing risks.
“Security Risk Assessment Guide for Industrial Control Systems 2nd
Edition” (published by IPA6) prescribes the following for the identification
of the target of analysis.

 Deciding the scope of analysis and identifying the assets
 Identifying the system configuration
 Identifying the data flow

In an industrial society where cyberspace and physical space are integrated
outside the organization, identifying the assets and the scope of analysis is
expected to become more difficult. In order to implement the three items
above, it is important to identify the stakeholders of the value creation
process in which the enterprise is involved, and to grasp the flows of
items and data in both cyberspace and physical space. The Framework
provides guidance to identify the target of analysis based on the three-layer
model presented in Part I. The enterprise can determine the scope of
analysis by utilizing the method in this section and then identifying the
system configuration and the data flow within the scope previously defined,
so that understanding of the object of the risk management can be
detailed7.

6 Information-Technology Promotion Agency, Japan
In order to identify the target of analysis for assessing risks, the characteristics
and functions/roles of each layer should be understood (see Tables 2.1-1,
2.1-2, 2.1-3). The scope of analysis and assets will be organized based on the
approach of accounting for these functions/roles, and focusing on the
functions performed by each system.
All components to be managed in the enterprise etc. are included in the first
layer. Among them, those having functions of the second layer or/and the
third layer are analyzed as components related to the second layer or/and
the third layer. Note that some components have functions of both the
second layer and the third layer depending on the characteristics of the
system. At the same time, in implementing the risk assessment, it is
appropriate to pay attention to the “zone” where components and systems
are set, and instances where people are required to follow certain
procedures.
When using a cloud service, the resources provided by the service provider
via the network are located in the third layer, but in risk analysis you also
need to consider them as assets in the first layer if necessary, keeping in
mind the service usage form (e.g., SaaS / PaaS / IaaS).

7 When carrying out “identifying the system configuration” and “identifying the data flow”, it is
desirable to refer to Sections 3.2 and 3.3 in “Security Risk Assessment Guide for Industrial Control Systems
2nd Edition” published by IPA.

Table 2.1-1 Characteristics, functions/roles, targets of analysis and concrete image of analysis targets in the first layer

The First Layer (Connections between organizations)

Characteristics
• Maintain trustworthiness through appropriate governance and management of individual organizations
• Individual organizations maintain trustworthiness through appropriate business collaboration

Functions/roles
• Establishing the organizational risk management system effective in normal times and appropriately operating it
• Continuing the business of the organization appropriately even when a security incident occurs
• Products or services in physical space are received or shipped with desired quality
[Security requirement] Defining and maintaining the security policy of the organization
[Basis of trustworthiness] Organizational risk management

Targets of analysis
• “Organization”, people, components, data, procedure, system managed by the organization etc.
• Zone where the above elements are managed

Concrete image of analysis targets
• Employees
• Corporate IT assets
• Corporate security policy
• Contract between companies
• Data exchange within the organization

Table 2.1-2 Characteristics, functions/roles, targets of analysis and concrete image of analysis targets in the second layer

The Second Layer (Mutual connections between cyberspace and physical space)

Characteristics
• Connection between physical space and cyberspace is strengthened through IoT devices
• Longer lifecycle devices connected to the network will increase (located in a remote place etc.)
• Devices connected to the network and difficult to manage will increase
• Devices connected to the network are separated into various places (critical infrastructure to home)
• The number of devices that perform work in physical space based on the input from cyberspace increases

Functions/roles
• Reading events in physical space and translating them into digital data and sending the data to cyberspace in accordance with certain rules
• Controlling components and displaying visualized data based on data received from cyberspace in accordance with certain rules
[Security requirement] Ensuring security in transcription between cyberspace and physical space
[Basis of trustworthiness] Trustworthiness in the function to transcribe cyberspace and physical space correctly according to rules

Targets of analysis
• “Organization”, people related to transcription function
• Components, system with the function of correctly transcribing cyberspace and physical space according to rules
• Data related to transcription
• Procedure related to transcription

Concrete image of analysis targets
• Actuator, sensor, controller, medical equipment, ECU, 3D printer, surveillance camera, personal computer (as input device), smart meter (as meter reading device)
• Components related to the transcription that configure these devices etc.

Table 2.1-3 Characteristics, functions/roles, targets of analysis and concrete image of analysis targets in the third layer

The Third Layer (Connections in cyber space)

Characteristics
• Collecting, storing, processing, and analyzing various and large amounts of data across organizations in addition to the organization's data
• Data is collected from various end points across organizations and industries
• Various data including streaming data and confidential data etc. are collected
• Data collected from multiple data sources are processed for integrated analysis
• The organization's stored data including open data and confidential data etc. may be accessed from various end points across organizations and industries
• High-speed and technically advanced data processing is performed by using AI etc. in data processing / analysis
• The composition of the supply chain of data in cyberspace changes dynamically

Functions/roles
• Securely processing and analyzing data
• Securely storing data
• Securely sending and receiving data
[Security requirement] Ensuring security in data sending and receiving etc. in cyber space
[Basis of trustworthiness] Data

Targets of analysis
• “Organization”, people dealing with data exchanged across organizations
• Components, system sending and receiving, processing, analyzing, and storing data
• Data to be exchanged across organizations
• Common procedures for protecting data across organizations

Concrete image of analysis targets
• Server, router, smart meter (as a communication device for meter reading data)
• Hardware and software (OS, middleware, applications, etc.) that configure systems, etc.
• Open data
• Data for Limited Provision
• Data management policy etc.

For example, although a personal computer or a smart meter can be thought
of as a component having both the function of the second layer and the third
layer, it is desirable to assign the components to the second layer, the third
layer or both layers considering the role of the device in the system to be
analyzed.
It is desirable to create a document for the scope of analysis and assets
identified based on the three-layer model and to be able to respond quickly
when changes are made in the structure.
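As an added example that is not from the Framework, the following Python code derives the targets of analysis for each layer from a list of the enterprise's elements and the flows of items and data between them, rather than assigning layers by hand: enterprise elements are first-layer targets, elements on a flow that crosses between physical space and cyberspace are second-layer targets, elements on a flow that crosses an organizational boundary are third-layer targets, and the other organizations on such flows are the stakeholders to identify. The manufacturing-line inventory, organization names and classification rules are assumptions of the example; a smart meter is included to show an element that lands in both the second and the third layer, and the rendered scope document is the record the paragraph above recommends keeping.

```python
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Node:
    name: str
    org: str        # organization that manages the node
    space: str      # "physical" or "cyber"
    element: str    # which of the six elements it is (component, system, ...)


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    what: str       # what is transferred (items or data)


def classify(enterprise, nodes, flows):
    """Return ({layer: set of node names}, {organization: set of reasons}).
    Rules are an assumption of this example, following Tables 2.1-1 to 2.1-3:
    every enterprise node is a first-layer target; both ends of a flow that
    crosses between physical space and cyberspace take part in transcription
    (second layer); both ends of a flow between different organizations carry
    data exchange across organizations (third layer); other organizations on
    flows that touch the enterprise are its stakeholders."""
    by_name = {n.name: n for n in nodes}
    layers = {"first": {n.name for n in nodes if n.org == enterprise},
              "second": set(), "third": set()}
    stakeholders = defaultdict(set)
    for f in flows:
        a, b = by_name[f.src], by_name[f.dst]
        crosses_border = a.space != b.space
        crosses_org = a.org != b.org
        touches_enterprise = enterprise in (a.org, b.org)
        for n in (a, b):
            if n.org == enterprise:
                if crosses_border:
                    layers["second"].add(n.name)
                if crosses_org:
                    layers["third"].add(n.name)
            elif touches_enterprise:
                stakeholders[n.org].add(f"{f.what} ({f.src} -> {f.dst})")
    return layers, dict(stakeholders)


def scope_document(enterprise, nodes, flows):
    """Render the scope-of-analysis record so it can be regenerated whenever
    the structure changes."""
    layers, stakeholders = classify(enterprise, nodes, flows)
    by_name = {n.name: n for n in nodes}
    lines = [f"Scope of analysis for {enterprise}"]
    for layer, names in layers.items():
        lines.append(f"{layer} layer:")
        for name in sorted(names):
            lines.append(f"  {name} [{by_name[name].element}]")
    lines.append("stakeholders outside the enterprise:")
    for org, reasons in sorted(stakeholders.items()):
        lines.append(f"  {org}: " + "; ".join(sorted(reasons)))
    return "\n".join(lines)


# Constructed sample: a manufacturing line with a cloud analytics provider
# and a utility that reads the plant's smart meter.
ENTERPRISE = "PlantCo"
NODES = [
    Node("temp-sensor", "PlantCo", "physical", "component"),
    Node("valve-actuator", "PlantCo", "physical", "component"),
    Node("line-plc", "PlantCo", "cyber", "component"),
    Node("mes", "PlantCo", "cyber", "system"),
    Node("smart-meter", "PlantCo", "physical", "component"),
    Node("analytics-cloud", "AnalyticsCo", "cyber", "system"),
    Node("utility-headend", "UtilityCo", "cyber", "system"),
]
FLOWS = [
    Flow("temp-sensor", "line-plc", "temperature readings"),
    Flow("line-plc", "mes", "process data"),
    Flow("mes", "analytics-cloud", "production data"),
    Flow("analytics-cloud", "mes", "optimised setpoints"),
    Flow("mes", "line-plc", "setpoints"),
    Flow("line-plc", "valve-actuator", "valve commands"),
    Flow("smart-meter", "utility-headend", "meter reading"),
]

if __name__ == "__main__":
    print(scope_document(ENTERPRISE, NODES, FLOWS))
```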
As a model simplifying the above arrangement, Figure 2.1-4 shows
relationship of the target of analysis and assets in the first layer. In the first
layer, these are organized regardless of the value creation process, and
consider only the management of the organization that shares/implements
its security policies.

Figure 2.1-4 Targets of analysis and concrete image of analysis targets in the first layer

Next, Figure 2.1-5 shows the functions/roles and concrete image of analysis
targets in the second layer and the third layer, and Figure 2.1-6 shows a
concrete image of the analysis targets of the value creation process in which
the analysis targets of the first layer are associated with the functions of
the second layer and the third layer.

The organization’s assets are positioned in the first layer. However, when
the value creation process develops, not only the security policy of a single
organization but the security of the functions of the second layer
(transcription) and the third layer (data exchange etc.) as shown in Figure
2.1-5 should be ensured so that the trustworthiness is ensured.
It becomes possible to identify the elements related to the second layer and
the third layer in one organization by associating the components arranged
in the first layer with the functions of the second layer and the third layer.
By using this method it is possible to set the basis of trustworthiness of each
layer, and define what security measures should be taken with respect to
each component.
Appendix A gives examples of use case of applying the model shown in
Figure 2.1-6 in typical industrial fields. It is advisable for each organization
to refer to them if necessary when identifying the target of analysis.
Regarding the specification of the detailed system configuration and data
flow, the target of analysis is assumed to differ depending on industries and
enterprises, and it is necessary that each implementing entity should
identify the target of analysis.

Figure 2.1-5 Functions/roles and concrete image of analysis targets in the second layer and the third layer

Figure 2.1-6 Concrete image of analysis targets based on the three-layer model and the six elements

(2) Points to note when identifying the target of analysis

When identifying the target of analysis based on the three-layer model, the
entity implementing risk management needs to proceed with the operation
while noting the following points for the purpose of ensuring the security of
the entire value creation process.

i. Relation of multi-stakeholders who surround each organization involved in the value creation process
 As mentioned in Part I, in the second layer and the third layer,
organizations not directly involved in the value creation process are
required to participate in the security measures as essential entities
in implementing appropriate security measures. Efforts in a
multi-stakeholder approach are necessary.
 Therefore, using the three-layer approach, the stakeholders involved in
the value creation process need to be identified, and their role and
importance in the organization’s business need to be identified.
 “Organizations” related to the actions of the organization are
identified in each of the three layers. When doing so, service
providers who store, edit, and analyze the data in the third layer,
IoT device vendors, and suppliers of parts of products and services
need to be identified. In addition, important business partners,
including contractors and subcontractors, should also be identified.

ii. Integration of cyberspace and physical space through IoT devices
 On the border where cyberspace and physical space integrate, data in the physical space needs to be transcribed correctly into data in cyberspace. If physical-space data is not transcribed properly and wrong data is provided to cyberspace, trust in the data collected for analysis, and in the operations that use such data, will be lost.
 Therefore, it is necessary to properly identify the equipment (e.g., sensors) that measures the dynamics of the physical space and transmits data to cyberspace, and to classify that equipment by its level of importance in the organization's operation.
 In the opposite direction, on the same border, components in the physical space may be controlled based on the result of data analysis in cyberspace. As a result, as shown in Figures 2.1-7 and 2.1-8, security threats may cause components to malfunction and lead to safety problems such as physical harm to employees and damage to equipment.
 Therefore, when specifying the target of risk analysis, it is important to identify, using the results of the safety risk analysis, the equipment and items whose incidents could lead to the safety issues mentioned above, and to make them available for reference when the risk analysis is implemented.

Figure 2.1-7 Model of security problems affecting safety8

Figure 2.1-8 Example of security problems affecting safety

8 Cited from IoT Acceleration Consortium, Ministry of Internal Affairs and Communications, Ministry of Economy, Trade and Industry, "IoT Security Guidelines Ver.1.0"

iii. Cross-organizational data exchange
 When the exchange of data across organizations becomes active, there is a greater possibility that inappropriate data is provided to the organization from an unexpected element ("organization", person, component, etc.).
 In addition, there is a higher chance that data is provided to or by a third party outside the organization, even if only within a limited scope.
 Therefore, it is necessary to list the elements ("organizations", people, or components not belonging to the "organization") that are the sources of data the organization expects to use, and to classify the list by a level, such as importance, that the organization itself determines.

iv. Securing the basis of trustworthiness of each layer

 As mentioned in Part I, in "Society5.0", in order to produce the targeted value, it is important to take measures that consider not only the trustworthiness of organizational management, which has conventionally been taken into consideration, but also further viewpoints, such as the accuracy of the transcription function through IoT devices in the second layer and the trustworthiness of the data itself in the value creation process in the third layer.
 Therefore, in identifying the target of analysis, it is important to identify the factors that underpin the basis of trustworthiness. For this, the measures described in i. to iii. in this section are effective.

1.2. Anticipating security incidents and their impact

Possible security incidents that may significantly impact business activities must be anticipated and organized. First consider high-level incidents that could affect the functions of each layer, and then identify the potential cybersecurity breaches that could cause those incidents. Corresponding to the functions of each layer described in Tables 2.1-1 to 2.1-3, Table 2.1-4 lists high-level incidents that could threaten them (i.e., assumed adverse effects on the functions). Enterprises should define specific possible incidents in consideration of each item described in the column "Adverse effect on functions" in Table 2.1-4.

Table 2.1-4 Image of adverse effect on functions in each layer

The First Layer
 Functions in each layer (object to be protected):
 • Establishing the organizational risk management system and operating it properly
 • Continuing business operations appropriately even when a security incident occurs
 • Products or services in physical space are received or shipped with desired quality
 Adverse effect on functions:
 • Noncompliance with regulations etc.
 • Occurrence of a security incident: compromise of assets to be protected (leakage/tampering/destruction/unintended stop)
 • Expansion of the impact of security incidents: adverse impacts to business due to the expansion of damage (deactivation, mistaken output, employee's health and safety, negative impact on the environment etc.)

The Second Layer
 Functions in each layer (object to be protected):
 • Reading events in physical space, translating them into digital data, and sending the data to the third layer in accordance with established rules
 • Controlling components and displaying visualized data based on data received from cyberspace in accordance with established rules
 Adverse effect on functions:
 • Device function stop: operation of IoT device stops
 • Low trustworthiness operation: IoT device does not operate as intended
   Operation with safety, environmental and hygiene issues
   False measurement

The Third Layer
 Functions in each layer (object to be protected):
 • Securely processing and analyzing data
 • Securely storing data
 • Securely sending and receiving data
 Adverse effect on functions:
 • Noncompliance with data protection regulations etc.
 • Non-secure operation: compromise of assets due to security incidents in cyberspace (leakage/tampering/destruction/unintended stop)
 • Operation with low trustworthiness: data-related services do not operate as intended (malfunction, unintended stop, etc.)

It is also important to consider each of the four points (i. to iv.) listed in 1.1 of this part. If any of them is not considered sufficiently when identifying risks and, as a result, protection measures are inadequate, there is a greater possibility of disruption to the value creation process. The examples in Table 2.1-5 illustrate the impact on the organization and other relevant organizations.

Table 2.1-5 Risk when viewpoints that should be considered are unnoticed when identifying the risk sources

Aspects not adequately considered | Security incidents that may occur | Relevant security incidents9 in [Appendix B]
Understanding the relationships of stakeholders inside and outside the organization | Business is not continued appropriately when security incidents occur at a certain point in the value creation process | L1_3_b, L1_3_c
Understanding new security incidents that may arise from the integration of cyberspace and physical space | Incidents that may affect safety occur at the point of contact (IoT device) between cyberspace and physical space | L2_1_a, L2_1_b, L2_1_c, L2_2_a
(same aspect as above) | Attack on cyberspace from the IoT device | L2_3_b, L2_3_c
Understanding the state of data exchange across organizations | Sensitive data is not properly managed by outsourcing parties that process that data | L3_1_a, L3_1_b, L3_1_c, L3_2_a, L3_2_b, L3_4_b

Table 2.1-6 gives examples of general security incidents that should be prevented in each layer of the three-layer structure.
To consider possible incidents exhaustively, enterprises should identify security incidents using the approach shown in Appendix B, and consider them concretely, taking into account the circumstances of each enterprise.

9 For example, the security incident L1_3_b indicates the security incident (3) (b) assumed in the first
layer.

Table 2.1-6 Security incidents to be assumed in each layer

Assumed security incidents in the first layer


(1) Security incidents (e.g. data leakage/tampering/destruction/unintended stop) due to
inadequate risk management processes during normal operations
(a) Data that must be protected is leaked from an area managed by the organization.
(b) Data that must be protected is tampered with in an area managed by the organization.
(c) The system dealing with the data of its own organization stops due to a denial-of-service attack, ransomware infection, etc.
(d) A security event occurs in the channel for product / service provisioning, causing
unintended quality deterioration such as malfunction of a device.
(2) Noncompliance with regulations
(a) Security measures that satisfy the legal requirements for a system cannot be
implemented
(3) Damage caused by security incidents expands, and the organization as well as other
relevant organizations cannot continue their business properly.
(a) The organization’s security incidents prevent their business from continuing properly
(b) Other relevant organizations cannot continue their business properly due to the
organization’s security incidents
(c) The organization’s security incidents prevent the business of other relevant
organizations from continuing properly

Assumed security incidents in the second layer


(1) Unintended operation of attacked IoT devices (e.g., incorrect measurement, improper
control of things, stop of control function, measurement function)
(a) Unexpected behavior of the IoT device due to unauthorized access to its controls by
exploiting a vulnerability results in unpredicted operation
(b) Unexpected behavior of the IoT device due to unauthorized access to its controls by
impersonation of an authorized user results in unpredicted operation
(c) Unauthorized input to the IoT device due to unauthorized access to the system that
remotely manages the IoT devices results in unpredicted operation
(d) Functions of IoT devices and communication devices stop due to attacks such as
denial-of-service attack
(2) Damage to equipment, physical harm to employees, and negative impact on business
operations due to operation of IoT devices (normal and abnormal operation)
(a) Behavior that threatens safety, regardless of the behavior being normal or abnormal

(3) Inaccurate transcription of physical data to cyberspace by IoT device (false measurement)
(a) Data is tampered with in the communication path between the IoT device and
cyberspace
(b) An unauthorized or tampered-with IoT device connects to the network and transmits
incorrect data
(c) An IoT device with low quality is connected to a network, causing failures and/or
transmission of inaccurate data or transmission to unauthorized entity.
(d) Inappropriate measurement occurs due to physical interference with measurement.

Assumed security incidents in the third layer


(1) Data that must be protected in cyberspace are leaked.
(a) A related organization’s protected data is leaked from a data storage area managed by
the organization.
(b) The organization’s protected data is leaked from a data processing area managed by
a related organization.
(c) The organization’s protected data is leaked from a data storage area managed by a
related organization.
(2) Data that must be protected in cyberspace are falsified.
(a) Data in storage is tampered with.
(b) Data in use is tampered with.
(3) The system that collects/processes/stores/analyzes data that must be protected in
cyberspace takes an unintended action (e.g., shutdown).
(a) The system receives inappropriate data from an “Organization”/People/Components
(due to a spoofing attack etc.).
(b) The system that handles the organization’s data in a related organization stops due to
a denial-of-service attack.
(c) The system that handles data stops whether it has been attacked or not.
(d) Improper processed/analyzed results become output due to a malfunction in the data
processing/analyzing system.
(4) An organization is unable to meet the security levels required by laws and regulations
concerning data handling and sharing in cyberspace
(a) Laws and rules that prescribe data protection in cyberspace are violated.
(b) The security requirements for highly confidential data to be shared only among authorized parties have not been set or met.

After the enterprise defines potential security incidents, it should estimate
the business damage resulting from those incidents. One example of an
approach is defined in Section 4.3, “Business damage and the business
damage level” of “Security Risk Assessment Guide for Industrial Control
System 2nd Edition” (IPA, 2018).
By assigning severity scores to the degree of damage for each possible security
incident, appropriately prioritized risk mitigations and security measures can
be realized.

1.3. Analyzing risks


Using the results of the processes in sections 1.1 and 1.2, the organization should explore and define attack scenarios that could lead to the identified security incidents, define the sources of threats, and assess the possible damage to business. Appendix B identifies threats that may cause particular security incidents and/or magnify the damage they cause, along with typical vulnerabilities. Hence, it can be used to identify the risk sources to be considered and to show gaps in risk coverage.
Typical vulnerabilities are identified exhaustively for the six elements shown in Figure 2.1-9. Note that, since system configurations, data flows, and details of relevant assets differ from one enterprise to another, the Framework recommends that each enterprise consider its respective circumstances when exploring specific attack scenarios, assessing the levels of damage to business, and identifying the risk sources.
When evaluating risk sources and selecting security measures, keep in mind that the same specific entity may correspond to more than one of the six elements in different value creation processes. For example, it may be appropriate to evaluate a PC or server not only as a "System" but also as a "Component". Likewise, in some cases it is appropriate to evaluate software as each of "Procedure", "Data" and "Components".

Figure 2.1-9 Identification of vulnerabilities in terms of six elements

1.4. Managing risks


Determine which action to take — aversion, reduction, transfer, or retention10
— in order to manage the risks identified by the risk analysis conducted in
1.3 according to the level of damage each risk can cause.11

(1) Risk aversion: to eliminate risk by deleting risky functions or adopting entirely different means.
(2) Risk reduction: to reduce risk and/or reduce severity of impact by taking
measures against the risk.
(3) Risk transfer: to transfer the risk to other entities by purchasing an
insurance policy or by replacing internal products/systems/processes with
those provided by other companies.
(4) Risk retention: to accept the risk without taking measures for risk reduction.

10 Cited from “Primer of safety & security design in the connected world” (IPA).
11 The types of risk treatment described correspond to the risk treatment options presented in ISO
31000: 2018 as follows.
 Risk aversion: Include “avoid the risk”, “remove the source of the risk”.
 Risk reduction: Include “change the probabilities”, “modify the consequences”.
 Risk transfer: Include “share the risk with others”.
 Risk retention: Include “increase the risk in order to pursue an opportunity”, “retain the risk”.

Appendix B provides a reference for the risk sources corresponding to the security incidents introduced in Table 2.1-6 and for the action to be taken, especially when risk reduction (mitigation) is selected from the above actions. The section "Measure requirements" is a guideline for implementing security based on the details of the risk (threats and vulnerabilities). Appendix B also provides for adaptation of its guidance to the particular circumstances of the organization. Since Appendix B matches specific vulnerabilities to each measure requirement, it can be used as a completeness and quality check for the risk analysis conducted by the organization.
It is particularly important to define measures for the four points of view already mentioned in the Framework.

i. Relation of multi-stakeholders who surround each organization involved in the value creation process
 It is vital to always have a whole picture of the relationships between the stakeholders inside and outside the organization. It is also important to clarify the roles and responsibilities regarding cybersecurity among organizations. The definitions of stakeholders and roles that were considered in 1.1 must be promptly updated if a business partner changes or any modifications are made to the details of what must be done.
 ISO/IEC 27036-2:2014 mentions the 5 phases shown in Figure 2.1-10 as a life cycle in relation to an individual supplier12.

12 With reference to this point, ISO/IEC 27036:2014 and NIST SP 800-161 are formulated as standards regarding the security measures relevant to the supply chain. In drafting this framework, NIST SP 800-161 is referred to for the identification of risk sources, and ISO/IEC 27036:2014 is referred to for the description of measure requirements and examples of security measures. Regarding this point, if it is deemed necessary to implement more enhanced measures, it is possible to refer to NIST SP 800-161 for security controls.

Figure 2.1-10 Life cycle in contracting with an individual supplier in ISO/IEC 27036-2:2014

 Requirements for security measures in light of the above life cycle are
set out in the measure category “CPS.SC” (supply chain risk
management) described in Part III. Each organization must consider
stakeholder relationship management throughout the process life cycle
for all categories of security measure.
 Related measure requirements include CPS.AM-5, CPS.AM-7,
CPS.BE-2, CPS.BE-3, CPS.SC-1, and CPS.SC-2. (Refer to Part III for
details on each measure requirement)

ii. Integration of cyberspace and physical space through IoT devices
 If a sensor sends measured data to cyberspace that differs from the actual value, or if measured data stops arriving in cyberspace, trust in the operations that use these data may be damaged.
 To avoid such damage, security measures must be taken to prevent attacks on the functions of sensors. Specifically, consider using devices that do not easily shut down under attack (e.g., a denial-of-service attack), that offer a mechanism for checking data integrity, and/or that offer a function designed to guarantee the authenticity of measured data.
 Related measure requirements include CPS.DS-6, CPS.DS-11, CPS.DS-15, and CPS.CM-4.

 As stated in 1.1, when data inputs are received from cyberspace for controlling components in physical space, security problems may lead to safety problems including physical harm. To ensure security and safety at the interface between physical space and cyberspace, it is vital to establish, at the design and procurement stages, a series of procedures to analyze safety hazards and the sources of these risks. It is also critical to identify, based on that analysis, the business and technical processes on which security has an impact. This enables an organization to take appropriate courses of action, through the entire supplier life cycle from planning and design/procurement through operation/maintenance/disposal, according to the analysis results.
 Ensuring safety has the utmost priority. Hence, it is necessary to
combine measures taken for functional safety with cybersecurity
measures in order to achieve safety. Since consideration of both safety
and security aspects is required, close communication among the
persons in charge of both safety and cybersecurity is essential to take
appropriate actions.
 Related measure requirements include CPS.RA-4, CPS.RA-6,
CPS.PT-3, and CPS.CM-3.
 Integrated security for safety control has been discussed in recent
years in terms of international standardization. Documents
available for reference regarding this subject include IEC TR 63074
and IEC TR 63069 (cf. Figure 2.1-11).13

13 In addition to the IEC standards mentioned above, reference may also be made to ISO TR 22100-4:2018 (Guidance to machinery manufacturers for consideration of related IT-security (cyber security) aspects), which, like IEC TR 63074, deals with security for machine safety.

Figure 2.1-11 Status of discussion about integrated safety and security in the movement toward international standardization14

 In addition to logical threats, physical threats in physical space may affect cyberspace through an IoT device situated on the border between cyber and physical spaces.
 Hence, an organization must take physical security measures according to the importance of the IoT devices it uses. Examples of multilayered measures for physical security would be: separating the areas where critical IoT devices are installed from other areas in order to control access at the border, and monitoring the critical area with surveillance cameras or other appropriate tools to detect any unauthorized actions. However, portable IoT devices carried by individuals, or devices installed in households and public spaces, are difficult for an organization to control. Therefore, it is important for an organization to consider the risks of theft and loss when taking security measures15.
 Related measure requirements include CPS.AC-2, CPS.DS-8, CPS.IP-5, CPS.IP-6, CPS.PT-2, and CPS.CM-2.

14 Created based on "Guide for considering safety/security requirements for control systems" (IPA) and "Standard Activities of Functional Safety and Security" (Hiroo Kanamaru, "IPSJ Magazine", Vol.58, No.11, Nov.2017).

iii. Cross-organizational data exchange
 In the case where the organization’s protected data is processed,
analyzed or stored by business partners, or where the organization
handles the protected data of other organizations, the organization
should agree with the business partners in advance on data
classification, on the required security measures based on the
classification, and on regular confirmation procedures including
compliance auditing.
 The organization should analyze the risk in view of the characteristics
of the exchanged data, the services that the business partners or the
organization provide, and so on, and implement specific security
requirements as appropriate.
 Even if it has implemented adequate measures, it is also important for
the organization to formulate a procedure for security incident response
in advance. The procedure should include notifications of all concerned
parties when security incidents involving protected data are detected.
 If the organization receives data processed by other organizations, it should enable immediate response upon the detection of an anomaly, including continuously monitoring whether data is sent from authentic senders, whether the data is free of exploit code, and so on.
 Related measure requirements include CPS.SC-3, CPS.SC-4,
CPS.SC-9, CPS.CM-1, CPS.CM-3, CPS.CM-4, CPS.DP-1, CPS.RP-2
and CPS.CO-1.

iv. Securing the basis of trustworthiness of each layer
 In the first layer, it is vital to specify the cybersecurity requirements needed to maintain relationships and trust with the stakeholder organizations in the value creation process, and to regularly check compliance status.
 An entity subject to regular checks and audits should collect the information that proves its compliance and make it available in advance or promptly upon request. This applies particularly to business partners critical to the organization's business continuity. The organization should ensure that not only direct contractors, but also subcontractors and any organizations working for them, comply with the established requirements, thereby developing a chain of trust.
 Related measure requirements include CPS.SC-3, CPS.SC-4, CPS.SC-6 and CPS.SC-8.

15 It is advisable to refer to Main Point 6 in IoT Security Guidelines ver. 1.0 by the IoT Acceleration Consortium, Ministry of Internal Affairs and Communications, and the Ministry of Economy, Trade and Industry.
 The second layer requires that an IoT device’s transcription function be
accurate. To ensure accuracy, it is vital to maintain and enhance the
soundness of security for the IoT device by taking measures throughout
the device life cycle, from the design and procurement stages through
the operation and disposal stages.
 The organization should take measures such as adopting security-by-
design at the planning, design and procurement stages, testing security
functions for verification, managing vulnerability when the device is in
operation, and verifying the integrity of the device and software.
 In the case of an IoT device that is extremely important to the
organization’s business continuity, security requirements for the
transcription functions should be in the agreement so that the
organization can check if these requirements are accurately met
throughout the series of processes performed by the contractor, or
subcontractors, or any organizations working for them (e.g., production,
transportation).
 Security practice for IoT devices has some important differences from security for traditional IT systems.16 Though it is essential to require adequate security functions during procurement based on the principle of Security by Design, alternative measures on the part of the system should be considered if such functions are not available. In Appendix C, several security measure requirements such as CPS.IP-10, CPS.CM-3 and CPS.CM-6 describe the process of securing IoT devices. The organization should refer to these items when considering security measures for IoT devices.
 Related security measure requirements include CPS.RA-4, CPS.RA-6, CPS.DS-10, CPS.DS-12, CPS.DS-15, CPS.CM-6 and CPS.CM-7.

16 For example, Draft NISTIR 8228 suggests that, in order to implement security protection of IoT devices in terms of device security, data security and privacy, the characteristics specific to IoT devices, unlike traditional IT devices, should be considered with regard to measures such as asset management, vulnerability management, access management, incident detection and data flow management.
 The third layer requires that data in cyberspace and its processing,
analysis, and storage be reliable.
 To ensure trustworthiness, it is essential that the data is reliable, in
addition to the important points in the first layer and the second layer
stated above. Specifically, the data should be checked to determine
whether it has been falsified, is in the acceptable range (e.g., the data
is free from attack code), and it has been generated by and sent from
authorized elements (e.g., “organization”, people, components).
 Data that is particularly important to the organization’s business
continuity should be checked for trustworthiness by the entity that has
created and processed the data. Data sent to the organization should
be quality and security checked when received (e.g., checking the data
for falsification or attack code). The organization must also monitor
security compliance of data processing and analysis components and
systems.
 Related measure requirements include CPS.DS-9, CPS.DS-14,
CPS.AE-1, CPS.CM-3, CPS.CM-4 and CPS.CM-5.
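The receive-side checks described for sensor data in ii. above (a mechanism for checking data integrity and a function guaranteeing the authenticity of measured data) and for the third layer here (checking that data has not been falsified, is in the acceptable range, and was generated and sent by an authorized element) can be implemented as a single gate at the point where a reading enters cyberspace. The Python below is an added illustration, not code from the Framework or from any product it references; the device keys, device identifiers, measurement range, timestamps and readings are constructed for the example, and the HMAC-SHA256-over-canonical-JSON message format is an assumption rather than anything the Framework prescribes.

```python
"""Receive-side trust checks on a reading that crosses from an IoT device
(second layer) into cyberspace (third layer). Added example; not part of the
Framework. Keys, device IDs, ranges and readings below are constructed."""
import hashlib
import hmac
import json

# Constructed per-device symmetric keys; a real deployment provisions
# these per device (e.g., in a secure element), never in source code.
DEVICE_KEYS = {
    "sensor-A1": b"\x01" * 32,
    "sensor-B2": b"\x02" * 32,
}
# Assumed physically plausible range per measurement kind.
RANGES = {"temperature_c": (-40.0, 125.0)}
# Accept readings whose timestamp is within this many seconds of receiver time.
MAX_AGE_S = 30


def canonical(payload: dict) -> bytes:
    """Deterministic encoding so sender and receiver MAC identical bytes."""
    return json.dumps(payload, sort_keys=True, separators=(",", ":")).encode()


def sign_reading(device_id: str, kind: str, value: float, ts: int) -> dict:
    """What the device (or its gateway) sends: payload plus HMAC-SHA256 tag."""
    payload = {"device": device_id, "kind": kind, "value": value, "ts": ts}
    tag = hmac.new(DEVICE_KEYS[device_id], canonical(payload), hashlib.sha256)
    return {**payload, "mac": tag.hexdigest()}


def verify_reading(msg: dict, now: int, seen: set) -> tuple:
    """Return (accepted, reason). Checks, in order: known sender, authentic
    (MAC over everything but the tag), fresh (timestamp window), not a
    replay (device, ts, mac seen before), and value inside plausible range."""
    key = DEVICE_KEYS.get(msg.get("device"))
    if key is None:
        return False, "unknown sender"
    payload = {k: v for k, v in msg.items() if k != "mac"}
    expected = hmac.new(key, canonical(payload), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, str(msg.get("mac", ""))):
        return False, "mac mismatch"
    ts = msg.get("ts")
    if not isinstance(ts, int) or abs(now - ts) > MAX_AGE_S:
        return False, "stale or future timestamp"
    replay_key = (msg["device"], ts, msg["mac"])
    if replay_key in seen:
        return False, "replayed"
    lo, hi = RANGES.get(msg.get("kind"), (None, None))
    value = msg.get("value")
    if lo is None or not isinstance(value, (int, float)) or not lo <= value <= hi:
        return False, "value out of range"
    seen.add(replay_key)
    return True, "ok"


def demo() -> dict:
    """Run the gate over constructed readings; returns the reason per case."""
    now = 1_700_000_000
    seen = set()
    good = sign_reading("sensor-A1", "temperature_c", 21.5, now - 5)
    tampered = {**good, "value": 99.0}          # value altered after signing
    unknown = {**good, "device": "sensor-Z9"}   # sender not in the allow-list
    old = sign_reading("sensor-B2", "temperature_c", 20.0, now - 600)
    wild = sign_reading("sensor-B2", "temperature_c", 500.0, now)  # authentic but implausible
    return {
        "good": verify_reading(good, now, seen)[1],
        "tampered": verify_reading(tampered, now, seen)[1],
        "unknown": verify_reading(unknown, now, seen)[1],
        "old": verify_reading(old, now, seen)[1],
        "wild": verify_reading(wild, now, seen)[1],
        "replay": verify_reading(good, now, seen)[1],  # same message a second time
    }


if __name__ == "__main__":
    for case, reason in demo().items():
        print(f"{case:9s} -> {reason}")
```

The order of the checks matters: sender and MAC are verified before the freshness, replay and range logic, so a party that cannot forge the tag cannot probe the range rule or fill the replay set. A device that is authentic but reports an implausible value is still rejected, which is the second-layer "false measurement" case in Table 2.1-6 (second layer (3)); the timestamp window and replay set cover the case where a captured, validly signed message is re-sent later.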

Table 2.1-7 An example of measure requirements corresponding to the points of view considered in the risk management process

Point of view to identify the risk sources | An example of corresponding measure requirements
Relationships with stakeholders involved in the value creation process | CPS.AM-5, CPS.AM-7, CPS.BE-2, CPS.BE-3, CPS.SC-1, CPS.SC-2, CPS.DS-13, CPS.CM-4
Integration of cyberspace and physical space through IoT devices | CPS.RA-4, CPS.RA-6, CPS.PT-3, CPS.CM-3
Cross-organizational data flows | CPS.SC-3, CPS.SC-4, CPS.SC-6, CPS.CM-1, CPS.CM-3, CPS.CM-4, CPS.DP-1, CPS.RP-2, CPS.CO-1
Securing a base level of trustworthiness in each layer | CPS.RA-4, CPS.RA-6, CPS.SC-3, CPS.SC-4, CPS.SC-6, CPS.DS-10, CPS.DS-12, CPS.CM-4, CPS.CM-5

2. Relationship between risk sources and measure requirements
Appendix B, as Table 2.2-1 below shows, lists the functions, assumed security
incidents, the risk sources (threats and vulnerability) and measure
requirements in each layer.

Table 2.2-1 Example of a table in Appendix B (The Third Layer)

Columns: Function | Assumed security incident | Risk sources (Threat; Vulnerability ID; Vulnerability) | Measure requirement | Measure requirement ID

Function (both rows): all of the following functions:
 - Functions to securely send and receive data
 - Functions to securely process and analyze data
 - Function to securely store data

Row 1
 Assumed security incident: DoS attacks on computer equipment and communication devices (e.g., servers) that comprise a system
 Threat: DoS attack on computing devices such as servers, communication devices, etc.; transmission of jamming waves
 Vulnerability ID: L3_3_b_ORG
 Vulnerability: [Organization] The organization does not confirm the trustworthiness of contractor organizations such as data providers or data manipulators/analyzers before and after signing contracts.
 Measure requirements:
  CPS.SC-2: Identify, prioritize, and evaluate the organizations and people that play an important role in each layer of the three-layer structure in sustaining the operation of the organization.
  CPS.SC-3: When signing contracts with external organizations, check whether the security management of the other relevant organizations properly complies with the security requirements defined by the organization, while considering the objectives of such contracts and the results of risk management.

Row 2
 Assumed security incident: The system that handles data stops whether it has been attacked or not.
 Threat: Services provided by a system with low quality/trustworthiness
 Vulnerability ID: L3_3_c_SYS
 Vulnerability: [System] A system that contains IoT devices does not have adequate resources (i.e., processing capacity, communication bandwidth, and storage capacity)
 Measure requirement:
  CPS.DS-6: Secure sufficient resources (e.g., People, Components, System) for components and systems, and protect assets properly to minimize the adverse effects of cyberattacks (e.g., DoS attacks).

The column “Function” shows the functions of each layer summarized in Table
2.1-1, 2.1-2, 2.1-3 of 1.1 in Part II.

The column "Assumed Security Incident" shows incidents attributable mainly to security issues. These incidents may damage the layer's functions stated in the left column, and are summarized in Table 2.1-6 of 1.2. The stated security incident may be caused by the "threat" and/or "vulnerability" shown in the "Risk Source" columns. An enterprise needs to manage any "risk source" that may have a severe impact. The requirements for security measures for the risk management action are included as "Measure Requirements".
Instances of vulnerability and measure requirements are given unique identifiers (Vulnerability ID and Measure Requirement ID). They are available for reference in Part III and Appendix C, which provides examples of detailed measures.
Simple as they may be, the above descriptions follow the form of a risk assessment so that enterprises can refer to them while they manage risks.

Part III (Method): Security measures – requirements and
examples
1. Risk management using security measure requirements and
examples of security measures
Using the analysis process for the identification of risks and security needs built in Part II, Part III and Appendix C show security measure requirements, examples of security measures corresponding to the measure requirements, and their relationship with other international standards.
Part III and Appendix C are guides to the risk response phase of the risk management process. An enterprise can use the contents of this part for the following purposes:

(1) Strengthening the organization’s security management


An enterprise can improve its risk management by implementing security
measure requirements described in Part III and examples described in
Appendix C according to the result of risk management. The process is
expected to contribute to the security measures of each organization in two
ways:

i. Implementation of measures that take into account the level of measures to be implemented and costs in each organization
ii. Comparisons with relevant international standards

For (i), Appendix C classifies security measures into three levels: High-
Advanced/Advanced/Basic. Several factors dictate the classification,
including scope of the measure (e.g., implementation only within the
organization, or involving other relevant organizations), costs, and
domestic/international standards. The enterprise can use these factors and
classifications when deciding on the level of security measures to be
implemented.
The security measures described in Appendix C are just examples. They do
not exclude other security methods, nor are they absolute requirements for
all organizations. It is always necessary for any organization to make its
own determination of appropriate security measures based on risk
assessment and analysis.
For (ii), Part III and Appendix C include points of alignment between the
measure requirements and major international standards. In particular,
Appendix C organizes the comparison with the measure items of NIST
SP800-171, NIST SP800-53 Rev.4, ISO/IEC 27001:2013 and IEC 62443
according to the level of the examples of security measures. In addition,
Appendix D organizes, in table format, the correspondence between the measure
requirements that the Framework presents and major international
standards etc. Implementation of the Framework is intended to help the
organization simultaneously comply with these standards without requiring
additional actions.

(2) Strengthening security governance over partners in the supply chain


In addition to the enterprise’s own security management, it can also
enhance security governance over partners in a relevant supply chain by
requiring compliance with security measure requirements defined in the
Framework.
Security measure requirements that state a set of processes the
organization shall require from partners include CPS.SC-2, CPS.SC-3,
CPS.SC-4, and CPS.SC-6. By implementing those processes effectively,
organizations can ensure governance for contractors through their contract
life cycle.
Since requirements for contractors will vary depending on the operations
they provide, the importance of the contractor to the organization’s
operation, or other factors, the organization should understand all potential
risks and risk sources as described in Part II.
Also, the organization may wish to maintain the security risk management
of the whole supply chain by extending its control to all participants,
especially when the direct contractors are important to the organization’s
operation. In such a case, the organization can provide the participants with
specific security programs and requirements.

2. How to use examples of security measures


Appendix C lists measure requirements, examples of measures to implement
those measure requirements by level, and the relationship between examples
of measures and major international standards in a table format. Table 3.2-1
shows items described in Appendix C.

Table 3.2-1 Example of description in Appendix C

Measure Requirement ID | Measure Requirement | Examples of Security Measures | Subject that implements measures | NIST SP800-171 | NIST SP800-53 | ISO/IEC 27001 Annex A | IEC 62443
(one row of examples per level; ○ marks the standards columns that correspond to the example at that level)
<H-Advanced> | ○ ○
<Advanced> | ○ ○ ○
<Basic> | ○ ○

The levels of security measures are classified as High-Advanced, Advanced,
or Basic (see 1.(1) above). When the organization implements security
measures classified as High-Advanced, it should also implement the security
measures classified as Advanced and Basic.
The organization needs to refer to the importance assigned to the business,
system, etc. that is required to be dealt with in CPS.AM-5 and CPS.BE-2, and
take the appropriate measures from High-Advanced, Advanced, or Basic. For
example, it is possible to assign importance as shown in Table 3.2-2 from the
viewpoint of confidentiality, integrity, and availability for business operations,
systems, etc. Organizations need to define concrete values and evaluation criteria,
etc., taking into account their own specific conditions.

Table 3.2-2 Example of importance and evaluation criteria for classifying information assets based on confidentiality, integrity, availability¹⁷

Viewpoint | Importance | Evaluation criteria
Confidentiality | 2 | The law requires appropriate management (leakage, loss or damage prevention). Identified as a subject of confidentiality or "Data for Limited Provision". There is a significant impact on business partners and customers if leaked. There is a serious impact on the organization if leaked because the information should be managed as a trade secret.
Confidentiality | 1 | There is a significant impact on the organization’s business if leaked.
Confidentiality | 0 | There is almost no impact on the organization’s business even if leaked.
Integrity | 2 | The law requires appropriate management (leakage, loss or damage prevention). There is a serious impact on the organization or a significant impact on business partners and customers if it is tampered with.
Integrity | 1 | There is a significant impact on the organization’s business if it is tampered with.
Integrity | 0 | There is almost no impact on the organization’s business even if it is tampered with.
Availability | 2 | There is a serious impact on the organization or a significant impact on business partners and customers if it becomes unavailable.
Availability | 1 | There is a significant impact on the organization’s business if it becomes unavailable.
Availability | 0 | There is almost no impact on the organization’s business even if it becomes unavailable.

¹⁷ In particular, with regard to industrial control systems, in addition to the effects generally assumed for information systems in “Value” or “Evaluation criteria”, it is desirable to also consider the effects on safety, environment, and health.

Similar security measure requirements may be needed at different levels. For
example, <Advanced> and <Basic> may both require the same protection in
some areas. This calls for the implementation of the same measures in
<Advanced> and <Basic>. Also, a measure requirement described as “N/A”
in <Basic> indicates that the implementation priority of that measure
requirement is not necessarily high in cases where resources for
implementation are severely limited, or where the importance of the systems and
components to which the measures would apply is not high.
The column “Subject that implements measures” classifies security
measures¹⁸ in three ways. The subject is classified as “S” if the measures are
generally implemented by a system through technical means, as “O” if the
measures are implemented by an organization (e.g., by people through non-
technical means), and as “O/S” if the measures are implemented by both a
system and an organization.
The measures described in the “Examples of Security Measures” are just
references for meeting the measure requirements. It is possible to satisfy a security
requirement through measures that are not described. Therefore, the
“Examples of Security Measures” should be used for the implementation of
proper measures that take into account costs in each enterprise, as well as for
comparisons with relevant international standards.

¹⁸ The notation is in accordance with “NIST SP 800-53 Rev.5 (DRAFT) APPENDIX D”.

3. Security measure requirements

In the Framework, the measure requirements are listed by category in Tables 3.3-2 to 3.3-21.

(1) List of measure requirement categories

In the Framework, from the viewpoint of international harmonization, we
defined the following 20 categories in association with the categories of the NIST
Cybersecurity Framework Ver. 1.1.

Table 3.3-1 List of measure requirement categories and related category of NIST Cybersecurity Framework Ver. 1.1

Category name | Acronym | Related category of NIST Cybersecurity Framework Ver. 1.1
Asset Management | CPS.AM | ID.AM (Asset Management)
Business Environment | CPS.BE | ID.BE (Business Environment)
Governance | CPS.GV | ID.GV (Governance)
Risk Assessment | CPS.RA | ID.RA (Risk Assessment)
Risk Management Strategy | CPS.RM | ID.RM (Risk Management Strategy)
Supply Chain Risk Management | CPS.SC | ID.SC (Supply Chain Risk Management)
Identity Management, Authentication, and Access Control | CPS.AC | PR.AC (Identity Management and Access Control)
Awareness and Training | CPS.AT | PR.AT (Awareness and Training)
Data Security | CPS.DS | PR.DS (Data Security)
Information Protection Processes and Procedures | CPS.IP | PR.IP (Information Protection Processes and Procedures)
Maintenance | CPS.MA | PR.MA (Maintenance)
Protective Technology | CPS.PT | PR.PT (Protective Technology)
Anomalies and Events | CPS.AE | DE.AE (Anomalies and Events)
Security Continuous Monitoring | CPS.CM | DE.CM (Security Continuous Monitoring)
Detection Processes | CPS.DP | DE.DP (Detection Processes)
Response Planning | CPS.RP | RS.RP (Response Planning), RC.RP (Recovery Planning)
Communications | CPS.CO | RS.CO (Communications), RC.CO (Communications)
Analysis | CPS.AN | RS.AN (Analysis)
Mitigation | CPS.MI | RS.MI (Mitigation)
Improvements | CPS.IM | RS.IM (Improvements), RC.IM (Improvements)

(2) Alignment with major standards

The following are international standards noted in the NIST Cybersecurity
Framework as compatible with each other. Part III, Appendix C and
Appendix D list the compatibilities of these standards with the Framework:

• NIST “Framework for Improving Critical Infrastructure Cybersecurity Version 1.1” (NIST Cybersecurity Framework Ver. 1.1)
• Council on CyberSecurity (the Council) “The Critical Security Controls” (CIS CSC)
• ISACA “Control Objectives for Information-related Technology 5” (COBIT 5)
• ISA 62443-2-1:2010 “Industrial communication networks - Network and system security - Part 2-1: Establishing an industrial automation and control system security program”
• ISA 62443-3-3:2013 “Industrial communication networks - Network and system security - Part 3-3: System security requirements and security levels”
• ISO/IEC 27001:2013 “Information technology -- Security techniques -- Information security management systems – Requirements”¹⁹
• NIST “Special Publication 800-53 Revision 4” (SP 800-53 Rev.4)
• “Common Criteria for Information Technology Security Evaluation Version 3.1 Revision 5” (CC v3.1 Release 5)
• Ministry of Economy, Trade and Industry (METI) and IPA “Cybersecurity Management Guidelines Ver. 2.0”
• IoT Acceleration Consortium, Ministry of Internal Affairs and Communications, METI “IoT Security Guidelines Ver. 1.0”

¹⁹ When using cloud services, it is desirable to also refer to the ISO/IEC 27001:2013 Annex A controls mentioned in “Informative references” and the corresponding items of ISO/IEC 27017:2015.

3.1. CPS.AM – Asset Management


Identify assets (e.g. data, people, goods, systems, zone where assets are
managed, etc.) that are important to the organization’s business and manage
risk in accordance with its risk analysis and tolerance.

Table 3.3-2 Measure requirements in CPS.AM

ID | Measure requirement | Relating vulnerability ID | Informative references
CPS.AM-1 | Document and manage appropriately the list of hardware and software, and management information (e.g. name of asset, version, network address, name of asset manager, license information) of components in the system. | L1_1_a_COM, L1_1_b_COM, L1_1_c_COM, L2_1_a_ORG, L2_3_b_ORG, L2_3_b_SYS | NIST Cybersecurity Framework Ver.1.1 ID.AM-1, ID.AM-2; CIS CSC 1, 2; COBIT 5 BAI09.01, BAI09.02, BAI09.05; ISA 62443-2-1:2009 4.2.3.4; ISA 62443-3-3:2013 SR 7.8; ISO/IEC 27001:2013 A.6.2.1, A.8.1.1, A.8.1.2, A.8.1.3, A.11.2.5; NIST SP 800-53 Rev. 4 CM-8, PM-5; CC v3.1 Release5 Part 2 FMT; Cybersecurity Management Guidelines Item 4; IoT Security Guidelines Key Concept 3, 15
CPS.AM-2 | Specify a method to ensure traceability based on the importance of the components produced by the organization’s supply chain. | L1_3_a_COM, L1_3_b_COM | CC v3.1 Release5 Part 2 FIA
CPS.AM-3 | Create records such as the date of production and condition of components depending on importance, and prepare and adopt internal rules regarding records of production activities in order to store components for a certain period of time. | L1_3_a_COM, L1_3_b_COM | (none)
CPS.AM-4 | Create and manage appropriately network configuration diagrams and data flows within the organization. | L1_3_b_ORG, L1_3_c_ORG | NIST Cybersecurity Framework Ver.1.1 ID.AM-3; COBIT 5 DSS05.02; ISA 62443-2-1:2009 4.2.3.4, 4.2.3.5; ISO/IEC 27001:2013 A.13.2.1, A.13.2.2; NIST SP 800-53 Rev. 4 AC-4, CA-3, CA-9, PL-8; Cybersecurity Management Guidelines Item 4
CPS.AM-5 | Create and manage appropriately a list of external information systems where the organization’s assets are shared. | L1_1_a_COM, L1_1_b_COM, L1_1_c_COM, L1_3_b_ORG, L1_3_c_ORG | NIST Cybersecurity Framework Ver.1.1 ID.AM-4; CIS CSC 12; COBIT 5 APO02.02, APO10.04, DSS01.02; ISO/IEC 27001:2013 A.6.2.1, A.11.2.6; NIST SP 800-53 Rev. 4 AC-20, SA-9; Cybersecurity Management Guidelines Item 4; IoT Security Guidelines Key Concept 3
CPS.AM-6 | Classify and prioritize resources (e.g., People, Components, Data, and System) by function, importance, and business value, and communicate to the organizations and people relevant to those resources in business. | L1_1_a_ORG, L1_1_b_ORG, L1_1_c_ORG, L3_1_a_ORG, L3_4_a_ORG | NIST Cybersecurity Framework Ver.1.1 ID.AM-5; CIS CSC 13, 14; COBIT 5 APO03.03, APO03.04, APO12.01, BAI04.02, BAI09.02; ISA 62443-2-1:2009 4.2.3.6, 4.3.4.4.3; ISO/IEC 27001:2013 A.8.2.1, A.8.2.2; NIST SP 800-53 Rev. 4 CP-2, RA-2, SA-14, SC-; Cybersecurity Management Guidelines Item 4; IoT Security Guidelines Key Concept 3
CPS.AM-7 | Define roles and responsibilities for cyber security across the organization and other relevant parties. | L1_3_b_ORG, L1_3_c_ORG | NIST Cybersecurity Framework Ver.1.1 ID.AM-6; CIS CSC 17, 19; COBIT 5 APO01.02, APO07.06, APO13.01, DSS06.03; ISA 62443-2-1:2009 4.3.2.3.3; ISO/IEC 27001:2013 A.6.1.1; NIST SP 800-53 Rev. 4 CP-2, PS-7, PM-11; Cybersecurity Management Guidelines Item 4, 9; IoT Security Guidelines Key Concept 18, 19, 20

3.2. CPS.BE – Business Environment
Understand and prioritize the mission, goals, stakeholders, and activities of
the organization. This information is used to convey cyber security roles,
responsibilities and risk management decisions.

Table 3.3-3 Measure requirements in CPS.BE

ID | Measure requirement | Relating vulnerability ID | Informative references
CPS.BE-1 | Identify and share the role of the organizations in the supply chain. | L1_3_b_ORG, L1_3_c_ORG | NIST Cybersecurity Framework Ver.1.1 ID.BE-1, ID.BE-2; COBIT 5 APO08.01, APO08.04, APO08.05, APO10.03, APO10.04, APO10.05; ISO/IEC 27001:2013 A.15.1.1, A.15.1.2, A.15.1.3, A.15.2.1, A.15.2.2; NIST SP 800-53 Rev. 4 CP-2, SA-12; Cybersecurity Management Guidelines Item 9; IoT Security Guidelines Key Concept 20
CPS.BE-2 | Define policies and standard measures regarding security that are consistent with the high-priority business and operations of the organization, and share them with parties relevant to the organization’s business (including suppliers and third-party providers). | L1_1_a_ORG, L1_1_b_ORG, L1_1_c_ORG | NIST Cybersecurity Framework Ver.1.1 ID.BE-3; COBIT 5 APO02.01, APO02.06, APO03.01; ISA 62443-2-1:2009 4.2.2.1, 4.2.3.6; ISO/IEC 27001:2013 A.5.1.1; NIST SP 800-53 Rev. 4 PM-11, SA-14; Cybersecurity Management Guidelines Item 6, 9
CPS.BE-3 | Identify the dependency between the organization and other relevant parties and the important functions of each in the course of running the operation. | L1_3_b_ORG, L1_3_c_ORG | NIST Cybersecurity Framework Ver.1.1 ID.BE-4; COBIT 5 APO10.01, BAI04.02, BAI09.02; ISO/IEC 27001:2013 A.11.2.2, A.11.2.3, A.12.1.3; NIST SP 800-53 Rev. 4 CP-8, PE-9, PE-11, PM-8, SA-14; Cybersecurity Management Guidelines Item 9

3.3. CPS.GV – Governance
Understand policies, procedures and processes for managing and monitoring
compliance with regulations, laws, risks, internal policies, and operational
requirements for the organization, and communicate them to cybersecurity
risk managers.
Table 3.3-4 Measure requirements in CPS.GV

ID | Measure requirement | Relating vulnerability ID | Informative references
CPS.GV-1 | Develop security policies, define roles and responsibilities for security across the organization and other relevant parties, and clarify the information-sharing method among stakeholders. | L1_1_a_PRO, L1_1_b_PRO, L1_1_c_PRO | NIST Cybersecurity Framework Ver.1.1 ID.GV-1, ID.GV-2; CIS CSC 19; COBIT 5 APO01.02, APO01.03, APO10.03, APO13.01, APO13.1202, DSS05.04, EDM01.01, EDM01.02; ISA 62443-2-1:2009 4.3.2.6, 4.3.2.2.1, 4.3.2.3.3; ISO/IEC 27001:2013 A.5.1.1, A.6.1.1, A.7.2.1, A.15.1.1; NIST SP 800-53 Rev. 4 -1 controls from all security control families; Cybersecurity Management Guidelines Item 1, 2,; IoT Security Guidelines Key Concept 1, 18, 19
CPS.GV-2 | Formulate internal rules considering domestic and foreign laws, including the Act on the Protection of Personal Information and the Unfair Competition Prevention Act, as well as industry guidelines, and review and revise the rules on a continuing and timely basis in accordance with any changes in relevant laws, regulations, and industry guidelines. | L1_2_a_ORG, L1_2_a_COM, L1_2_a_SYS, L1_2_a_PRO, L1_2_a_DAT | NIST Cybersecurity Framework Ver.1.1 ID.GV-3; CIS CSC 19; COBIT 5 BAI02.01, MEA03.01, MEA03.04; ISA 62443-2-1:2009 4.4.3.7; ISO/IEC 27001:2013 A.18.1.1, A.18.1.2, A.18.1.3, A.18.1.4, A.18.1.5; NIST SP 800-53 Rev. 4 -1 controls from all security control families; CC v3.1 Release5 Part 2 FPR, FDP; Cybersecurity Management Guidelines Item 1
CPS.GV-3 | Understand the level of data protection required by laws and arrangements regarding handling of data shared only by relevant organizations, develop data classification methods based on each requirement, and properly classify and protect data throughout the whole life cycle. | L1_1_a_SYS, L1_1_a_DAT, L1_1_b_SYS, L3_1_a_SYS, L3_1_a_DAT, L3_4_a_ORG, L3_4_a_PRO, L3_4_b_ORG, L3_4_b_PRO | NIST Cybersecurity Framework Ver.1.1 ID.GV-3; CIS CSC 13; ISA 62443-2-1:2009 4.3.4.4.6, 4.4.3.7; ISO/IEC 27001:2013 A.18.1.1, A.18.1.2, A.18.1.3, A.18.1.4
CPS.GV-4 | Develop a strategy and secure resources to implement risk management regarding security. | L1_1_a_PRO, L1_1_b_PRO, L1_1_c_PRO | NIST Cybersecurity Framework Ver.1.1 ID.GV-4; COBIT 5 EDM03.02, APO12.02, APO12.05, DSS04.02; ISA 62443-2-1:2009 4.2.3.1, 4.2.3.3, 4.2.3.8, 4.2.3.9, 4.2.3.11, 4.3.2.6.3; ISO/IEC 27001:2013 Clause 6; NIST SP 800-53 Rev. 4 SA-2, PM-3, PM-7, PM-9, PM-10, PM-11; CC v3.1 Release5 Part 2 FMT; Cybersecurity Management Guidelines Item 2, 3; IoT Security Guidelines Key Concept 2

3.4. CPS.RA – Risk Assessment
The enterprise understands the cyber security risks to its own operations
(including mission, function, image, and reputation), assets, and individuals.

Table 3.3-5 Measure requirements in CPS.RA

ID | Measure requirement | Relating vulnerability ID | Informative references
CPS.RA-1 | Identify the vulnerabilities of the organization’s assets and document the list of identified vulnerabilities with the corresponding asset. | L1_1_a_SYS, L1_1_b_SYS, L1_1_c_SYS | NIST Cybersecurity Framework Ver.1.1 ID.RA-1; CIS CSC 4; COBIT 5 APO12.01, APO12.02, APO12.03, APO12.04, DSS05.01, DSS05.02; ISA 62443-2-1:2009 4.2.3, 4.2.3.7, 4.2.3.9, 4.2.3.12; ISO/IEC 27001:2013 A.12.6.1, A.18.2.3; NIST SP 800-53 Rev. 4 CA-2, CA-7, CA-8, RA-3, RA-5, SA-5, SA-11, SI-2, SI-4, SI-5; CC v3.1 Release5 Part 1; Cybersecurity Management Guidelines Item 4; IoT Security Guidelines Key Concept 21
CPS.RA-2 | The security management team (SOC/CSIRT) collects information, including vulnerabilities and threats, from internal and external sources (through internal tests, security information, security researchers, etc.), analyzes the information, and establishes a process to implement and use measures. | L1_1_a_SYS, L1_3_a_ORG, L2_1_a_ORG, L2_1_c_SYS, L3_1_a_SYS, L3_3_a_SYS, L3_3_d_SYS | NIST Cybersecurity Framework Ver.1.1 ID.RA-2, RS.AN-5; CIS CSC 4; COBIT 5 BAI08.01; ISA 62443-2-1:2009 4.2.3, 4.2.3.9, 4.2.3.12; ISO/IEC 27001:2013 A.6.1.4, A.12.6.1; NIST SP 800-53 Rev. 4 SI-5, PM-15, PM-16; Cybersecurity Management Guidelines Item 10; IoT Security Guidelines Key Concept 18, 21
CPS.RA-3 | Identify and document the assumed security incidents, their impacts on the organization’s assets, and their causes. | L1_1_a_SYS, L1_1_b_SYS, L1_1_c_SYS | NIST Cybersecurity Framework Ver.1.1 ID.RA-3; CIS CSC 4; COBIT 5 APO12.01, APO12.02, APO12.03, APO12.04; ISA 62443-2-1:2009 4.2.3, 4.2.3.9, 4.2.3.12; ISO/IEC 27001:2013 Clause 6.1.2; NIST SP 800-53 Rev. 4 RA-3, SI-5, PM-12, PM-16; CC v3.1 Release5 Part 1; Cybersecurity Management Guidelines Item 4
CPS.RA-4 | - Conduct risk assessments regularly to check if the security rules for managing the components are effective and applicable to the components for implementation. - Check the presence of unacceptable known security risks, including safety hazards, from the planning and design phase of an IoT device and systems incorporating IoT devices. | L1_1_a_SYS, L1_1_b_SYS, L1_1_c_SYS, L2_1_a_COM, L2_1_a_PRO, L2_2_a_ORG, L2_2_a_SYS | NIST Cybersecurity Framework Ver.1.1 ID.RA-4, RS.MI-3; CIS CSC 4; COBIT 5 DSS04.02; ISA 62443-2-1:2009 4.2.3, 4.2.3.9, 4.2.3.11, 4.2.3.12; ISO/IEC 27001:2013 A.16.1.6, Clause 6.1.2; NIST SP 800-53 Rev. 4 RA-2, RA-3, SA-14, PM-9, PM-11; CC v3.1 Release5 Part 1; Cybersecurity Management Guidelines Item 4; IoT Security Guidelines Key Concept 4, 10, 12
CPS.RA-5 | Consider threats, vulnerabilities, likelihood, and impacts when assessing risks. | L1_1_a_SYS, L1_1_b_SYS, L1_1_c_SYS | NIST Cybersecurity Framework Ver.1.1 ID.RA-5; CIS CSC 4; COBIT 5 APO12.02; ISO/IEC 27001:2013 A.12.6.1, Clause 6.1.2; NIST SP 800-53 Rev. 4 RA-2, RA-3, PM-16; CC v3.1 Release5 Part 1; Cybersecurity Management Guidelines Item 4; IoT Security Guidelines Key Concept 4, 7
CPS.RA-6 | - On the basis of the results of the risk assessment, clearly define the details of measures to prevent possible security risks, and document the organized outcome from the scope and priorities of the measures. - React accordingly to the security risks and the associated safety risks identified as a result of the assessment conducted at the planning and design phase of an IoT device and systems incorporating IoT devices. | L1_1_a_SYS, L1_1_b_SYS, L1_1_c_SYS, L2_1_a_COM, L2_1_a_PRO, L2_2_a_SYS | NIST Cybersecurity Framework Ver.1.1 ID.RA-6, RS.MI-3; CIS CSC 4; COBIT 5 APO12.05, APO13.02; ISO/IEC 27001:2013 Clause 6.1.3; NIST SP 800-53 Rev. 4 PM-4, PM-9; CC v3.1 Release5 Part 1; Cybersecurity Management Guidelines Item 4; IoT Security Guidelines Key Concept 10, 12

3.5. CPS.RM – Risk Management Strategy
Set priorities, constraints, and risk tolerance assumptions for the organization
and use them to judge investment risk.

Table 3.3-6 Measure requirements in CPS.RM

ID | Measure requirement | Relating vulnerability ID | Informative references
CPS.RM-1 | Confirm the implementation status of the organization’s cyber security risk management and communicate the results to appropriate parties within the organization (e.g. senior management). Define the scope of responsibilities of the organization and the relevant parties (e.g. subcontractor), and establish and implement the process to confirm the implementation status of security risk management of relevant parties. | L1_1_a_PRO, L1_1_b_PRO, L1_1_c_PRO, L1_3_a_ORG, L1_3_b_ORG | NIST Cybersecurity Framework Ver.1.1 ID.RM-1; CIS CSC 4; COBIT 5 APO12.04, APO12.05, APO13.02, BAI02.03, BAI04.02; ISA 62443-2-1:2009 4.3.4.2; ISO/IEC 27001:2013 Clause 6.1.3, Clause 8.3, Clause 9.3; NIST SP 800-53 Rev. 4 PM-9; CC v3.1 Release5 Part 2 FMT; Cybersecurity Management Guidelines Item 4; IoT Security Guidelines Key Concept 12
CPS.RM-2 | Determine the organization’s risk tolerance level based on the result of the risk assessment and its role in the supply chain. | L1_1_a_ORG, L1_1_a_SYS, L1_1_b_ORG, L1_1_b_SYS, L1_1_c_SYS | NIST Cybersecurity Framework Ver.1.1 ID.RM-2, ID.RM-3; COBIT 5 APO12.02, APO12.06; ISA 62443-2-1:2009 4.3.2.6.5; ISO/IEC 27001:2013 Clause 6.1.3, Clause 8.3; NIST SP 800-53 Rev. 4 SA-14, PM-8, PM-9, PM-11; Cybersecurity Management Guidelines Item 4

3.6. CPS.SC – Supply Chain Risk Management
Establish enterprise priorities, constraints, risk tolerances, and assumptions
and use them to assist in analysis of supply chain risk management.
Establish and implement the process of identifying, evaluating and managing
supply chain risks.

Table 3.3-7 Measure requirements in CPS.SC

ID | Measure requirement | Relating vulnerability ID | Informative references
CPS.SC-1 | Formulate the standard of security measures relevant to the supply chain in consideration of the business life cycle, and agree on contents with the business partners after clarifying the scope of the responsibilities. | L1_1_a_ORG, L1_1_b_ORG, L1_1_c_ORG | NIST Cybersecurity Framework Ver.1.1 ID.SC-1; CIS CSC 4; COBIT 5 APO10.01, APO10.04, APO12.04, APO12.05, APO13.02, BAI01.03, BAI02.03, BAI04.02; ISA 62443-2-1:2009 4.3.4.2; ISO/IEC 27001:2013 A.15.1.1, A.15.1.2, A.15.1.3; NIST SP 800-53 Rev. 4 SA-9, SA-12, PM-9; CC v3.1 Release5 Part 2 FMT; Cybersecurity Management Guidelines Item 9
CPS.SC-2 | Identify, prioritize, and evaluate the organizations and people that play an important role in each layer of the three-layer structure in sustaining the operation of the organization. | L1_1_a_ORG, L1_1_b_ORG, L1_1_c_ORG, L2_3_c_ORG, L3_1_b_ORG, L3_1_c_ORG, L3_3_a_ORG, L3_3_b_ORG, L3_3_d_ORG | NIST Cybersecurity Framework Ver.1.1 ID.SC-2; COBIT 5 APO10.01, APO10.02, APO10.04, APO10.05, APO12.01, APO12.02, APO12.03, APO12.04, APO12.05, APO12.06, APO13.02, BAI02.03; ISA 62443-2-1:2009 4.2.3.1, 4.2.3.2, 4.2.3.3, 4.2.3.4, 4.2.3.6, 4.2.3.8, 4.2.3.9, 4.2.3.10, 4.2.3.12, 4.2.3.13, 4.2.3.14; NIST SP 800-53 Rev. 4 RA-2, RA-3, SA-12, SA-14, SA-15, PM-9; CC v3.1 Release5 Part 1; IoT Security Guidelines Key Concept 14
CPS.SC-3 | When signing contracts with external organizations, check if the security management of the other relevant organizations properly complies with the security requirements defined by the organization, while considering the objectives of such contracts and the results of risk management. | L1_1_a_PRO, L1_1_b_PRO, L1_1_c_PRO, L1_1_d_ORG, L2_3_c_ORG, L3_1_b_ORG, L3_1_b_DAT, L3_1_c_ORG, L3_1_c_DAT, L3_3_d_ORG, L3_3_a_ORG, L3_3_b_ORG, L3_3_c_ORG, L3_4_a_DAT, L3_4_b_DAT | NIST Cybersecurity Framework Ver.1.1 ID.SC-3; COBIT 5 APO10.01, APO10.02, APO10.03, APO10.04, APO10.05; ISA 62443-2-1:2009 4.3.2.6.4, 4.3.2.6.7; ISO/IEC 27001:2013 A.15.1.1, A.15.1.2; NIST SP 800-53 Rev. 4 SA-9, SA-11, SA-12, PM-9; CC v3.1 Release5 Part 2 FCS, FDP, FIA, FMT; IoT Security Guidelines Key Concept 5, 11
CPS.SC-4 | When signing contracts with external parties, check if the products and services provided by the other relevant organizations properly comply with the security requirements defined by the organization, while considering the objectives of such contracts and the results of risk management. | L1_1_a_PRO, L1_1_b_PRO, L1_1_c_PRO, L1_1_d_ORG, L1_1_d_COM, L2_1_a_COM, L2_1_a_PRO, L2_2_a_ORG, L2_3_a_ORG, L2_3_c_ORG, L2_3_c_PRO, L2_3_d_ORG, L3_1_b_ORG, L3_3_a_ORG, L3_3_b_ORG, L3_3_c_ORG, L3_3_d_ORG | ISA 62443-2-1:2009 4.3.2.6.4, 4.3.2.6.7; ISO/IEC 27001:2013 A.15.1.3; CC v3.1 Release5 Part 2 FIA, FDP; Cybersecurity Management Guidelines Item 9; IoT Security Guidelines Key Concept 14
CPS.SC-5 | Formulate and manage security requirements applicable to members of other relevant organizations, such as business partners, who are engaged in operations outsourced from the organization. | L1_1_a_PEO, L1_1_b_PEO, L1_1_c_PEO, L2_3_b_PEO, L3_1_b_PEO, L3_1_c_PEO | ISA 62443-2-1:2009 4.3.3.2.1; NIST SP 800-53 Rev.4 PS-7, SA-21
CPS.SC-6 | Conduct regular assessments through auditing, test results, or other checks of relevant parties such as business partners to ensure they are fulfilling their contractual obligations. | L1_1_a_DAT, L1_1_a_PRO, L1_1_b_PRO, L1_1_c_PRO, L2_3_c_ORG, L2_3_c_PRO, L2_3_d_ORG, L3_1_a_DAT, L3_1_b_ORG, L3_1_b_DAT, L3_1_c_ORG, L3_1_c_DAT, L3_3_a_ORG, L3_3_b_ORG, L3_3_c_ORG, L3_3_d_ORG, L3_4_a_DAT, L3_4_b_DAT | NIST Cybersecurity Framework Ver.1.1 ID.SC-4; COBIT 5 APO10.01, APO10.03, APO10.04, APO10.05, MEA01.01, MEA01.02, MEA01.03, MEA01.04, MEA01.05; ISA 62443-2-1:2009 4.3.2.6.7; ISA 62443-3-3:2013 SR 6.1; ISO/IEC 27001:2013 A.15.2.1, A.15.2.2; NIST SP 800-53 Rev. 4 AU-2, AU-6, AU-12, AU-16, PS-7, SA-9, SA-12
CPS.SC-7 | Formulate and implement procedures to address noncompliance with contractual requirements found as a result of an audit, test, or other check on relevant parties. | L1_1_a_PRO, L1_1_b_PRO, L1_1_c_PRO, L1_1_d_ORG, L2_2_a_ORG, L2_3_c_ORG, L2_3_c_PRO, L3_1_b_ORG, L3_1_c_ORG, L3_3_a_ORG, L3_3_b_ORG, L3_3_c_ORG, L3_3_d_ORG | (none)
CPS.SC-8 | Collect and securely store data proving that the organization is fulfilling its contractual obligations with other relevant parties or individuals, and prepare them for disclosure as needed within appropriate limits. | L1_1_d_ORG, L2_2_a_ORG, L2_3_c_ORG, L2_3_c_PRO, L3_1_b_ORG, L3_1_c_ORG, L3_3_a_ORG, L3_3_b_ORG, L3_3_c_ORG, L3_3_d_ORG | COBIT 5 APO10.01, APO10.03, APO10.04, APO10.05, MEA01.01, MEA01.02, MEA01.03, MEA01.04, MEA01.05; ISA 62443-2-1:2009 4.3.2.6.7; ISA 62443-3-3:2013 SR 6.1; ISO/IEC 27001:2013 A.15.2.1, A.15.2.2; NIST SP 800-53 Rev. 4 AU-2, AU-6, AU-12, AU-16, PS-7, SA-9, SA-12
CPS.SC-9 | Prepare and test a procedure for incident response with relevant parties involved in the incident response activity to ensure action for incident response in the supply chain. | L1_3_b_PEO | NIST Cybersecurity Framework Ver.1.1 ID.SC-5; CIS CSC 19, 20; COBIT 5 DSS04.04; ISA 62443-2-1:2009 4.3.2.4.3, 4.3.2.5.7, 4.3.4.5.11; ISA 62443-3-3:2013 SR 2.8, SR 3.3, SR 6.1, SR 7.3, SR 7.4; ISO/IEC 27001:2013 A.16.1.5, A.17.1.2, A.17.1.3; NIST SP 800-53 Rev. 4 CP-2, CP-4, IR-3, IR-4, IR-6, IR-8, IR-9
CPS.SC-10 | Develop and manage a procedure to be executed when a contract with other relevant organizations such as business partners is finished (e.g., expiration of contract period, end of support). | L1_1_a_PRO, L1_1_b_PRO, L1_1_c_PRO | NIST SP 800-53 Rev. 4 SA-22
CPS.SC-11 | Continuously improve the standard of security measures relevant to the supply chain, related procedures, and so on. | L1_1_a_PRO, L1_1_b_PRO, L1_1_c_PRO | (none)

3.7. CPS.AC – Identity Management, Authentication and Access Control
Limit logical and physical access to assets and related zones to approved
organizations, people, goods and procedures, and manage them to limit the
risk of unauthorized access and to ensure that only approved activities and
transactions are accessible.

Table 3.3-8 Measure requirements in CPS.AC

ID | Measure requirement | Relating vulnerability ID | Informative references
CPS.AC-1 | Establish and implement procedures to issue, manage, check, cancel, and monitor identification and authentication information of authorized goods, people, and procedures. | L1_1_a_COM, L1_1_a_SYS, L1_1_b_COM, L1_1_b_SYS, L1_1_c_COM, L2_3_c_SYS, L3_1_a_SYS, L3_3_a_SYS | NIST Cybersecurity Framework Ver.1.1 PR.AC-1; CIS CSC 1, 5, 15, 16; COBIT 5 DSS05.04, DSS06.03; ISA 62443-2-1:2009 4.3.3.5.1; ISA 62443-3-3:2013 SR 1.1, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.7, SR 1.8, SR 1.9; ISO/IEC 27001:2013 A.6.2.1, A.9.2.1, A.9.2.2, A.9.2.3, A.9.2.4, A.9.2.6, A.9.3.1, A.9.4.2, A.9.4.3; NIST SP 800-53 Rev. 4 AC-1, AC-2, IA Family-1, IA-2, IA-3, IA-4, IA-5, IA-6, IA-7, IA-8, IA-9, IA-10, IA-11; CC v3.1 Release5 Part 2 FAU, FIA, FMT; Cybersecurity Management Guidelines Item 5
CPS.AC-2 | Implement appropriate physical security measures such as locking and limiting access to the areas where the IoT devices and servers are installed, using entrance and exit controls, biometric authentication, deploying surveillance cameras, and inspecting belongings and body weight. | L1_1_a_SYS, L1_1_c_SYS, L2_3_b_PEO, L2_3_b_SYS, L2_3_c_SYS, L2_3_d_SYS, L3_1_a_SYS | NIST Cybersecurity Framework Ver.1.1 PR.AC-2; COBIT 5 DSS01.04, DSS05.05; ISA 62443-2-1:2009 4.3.3.3.2, 4.3.3.3.8; ISO/IEC 27001:2013 A.11.1.1, A.11.1.2, A.11.1.3, A.11.1.4, A.11.1.5, A.11.1.6, A.11.2.1, A.11.2.3, A.11.2.5, A.11.2.6, A.11.2.7, A.11.2.8; NIST SP 800-53 Rev. 4 PE-2, PE-3, PE-4, PE-5, PE-6, PE-8; CC v3.1 Release5 Part 2 FIA, FMT, FDP; Cybersecurity Management Guidelines Item 5
CPS.AC-3 | Properly authorize wireless connection destinations (including users, IoT devices, and servers). | L2_3_c_SYS, L3_3_a_SYS | NIST Cybersecurity Framework Ver.1.1 PR.AC-3; CIS CSC 12, 15; COBIT 5 APO13.01, DSS01.04, DSS05.03; ISA 62443-2-1:2009 4.3.3.6.6; ISA 62443-3-3:2013 SR 1.1, SR 1.2, SR 1.6, SR 1.13, SR 2.6; ISO/IEC 27001:2013 A.6.2.1, A.6.2.2, A.11.2.6, A.13.1.1, A.13.2.1; NIST SP 800-53 Rev. 4 AC-1, AC-17, AC-19, AC-20, SC-15; CC v3.1 Release5 Part 2 FCS, FIA, FMT; Cybersecurity Management Guidelines Item 5; IoT Security Guidelines Key Concept 8, 11, 14, 16
CPS.AC-4 | Prevent unauthorized log-in to IoT devices and servers by measures such as implementing functions for lockout after a specified number of incorrect log-in attempts and providing a time interval until safety is ensured. | L2_1_b_SYS, L3_3_a_SYS | NIST Cybersecurity Framework Ver.1.1 PR.AC-3; CIS CSC 12; COBIT 5 APO13.01, DSS01.04, DSS05.03; ISA 62443-2-1:2009 4.3.3.6.6; ISA 62443-3-3:2013 SR 1.11, SR 1.13, SR 2.6; ISO/IEC 27001:2013 A.6.2.1, A.6.2.2, A.9.4.2, A.11.2.6, A.13.1.1, A.13.2.1; NIST SP 800-53 Rev. 4 AC-1, AC-17, AC-19, AC-20, SC-15; CC v3.1 Release5 Part 2 FIA; Cybersecurity Management Guidelines Item 5; IoT Security Guidelines Key Concept 4
CPS.AC-5 | Segregate duties and areas of responsibility properly (e.g. segregate user functions from system administrator functions). | L1_1_a_SYS, L1_1_b_SYS, L2_1_c_SYS, L3_1_a_SYS | NIST Cybersecurity Framework Ver.1.1 PR.AC-4; CIS CSC 3, 5, 12, 14, 15, 16, 18; COBIT 5 DSS05.04; ISA 62443-2-1:2009 4.3.3.7.3; ISA 62443-3-3:2013 SR 2.1; ISO/IEC 27001:2013 A.6.1.2, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5; NIST SP 800-53 Rev. 4 AC-1, AC-2, AC-3, AC-5, AC-6, AC-14, AC-16, AC-24; CC v3.1 Release5 Part 2 FMT; Cybersecurity Management Guidelines Item 5; IoT Security Guidelines Key Concept 4
CPS.AC-6 Adopt high confidence methods L1_1_a_SYS, NIST Cybersecurity Framework Ver.1.1 PR.AC-

of authentication where 4, PR.AC-7

75
appropriate based on risk (e.g. L1_1_b_SYS, CIS CSC 3, 5, 14, 15, 16

multi-factor authentication, L2_1_c_SYS, COBIT 5 DSS05.04

combining more than two types L3_1_a_SYS ISA 62443-2-1:2009 4.3.3.7.3, 4.3.3.7.4

of authentication) when logging ISA 62443-3-3:2013 SR 2.1

in to the system over the network ISO/IEC 27001:2013 A.6.1.2, A.9.1.2, A.9.2.3,

for the privileged user. A.9.4.1, A.9.4.4, A.9.4.5

NIST SP 800-53 Rev. 4 AC-1, AC-2, AC-3, AC-5,

AC-6, AC-14, AC-16, AC-24

CC v3.1 Release5 Part 2 FMT, FIA

Cybersecurity Management Guidelines Item 5

IoT Security Guidelines Key Concept 8

CPS.AC-7 Develop a policy about L2_1_b_SYS, NIST Cybersecurity Framework Ver.1.1 PR.AC-

controlling data flow, and L3_1_a_DAT, 5, PR.DS-7, PR.PT-4

according that protect the L3_4_b_SYS CIS CSC 9, 14, 15, 18

integrity of the network by means COBIT 5 DSS01.05, DSS05.02

such as appropriate network ISA 62443-2-1:2009 4.3.3.4

isolation (e.g., development and ISA 62443-3-3:2013 SR 3.1, SR 3.8

test environment vs. production ISO/IEC 27001:2013 A.13.1.1, A.13.1.3,

environment, and environment A.13.2.1, A.14.1.2, A.14.1.3

incorporates IoT devices vs. NIST SP 800-53 Rev. 4 AC-4, AC-10, SC-7

other environments within the Cybersecurity Management Guidelines Item 5

organization).

CPS.AC-8 Restrict communications by IoT L2_1_b_SYS, NIST Cybersecurity Framework Ver.1.1 PR.AC-6

devices and servers to those with L3_3_a_SYS CIS CSC 16

entities (e.g. people, COBIT 5 DSS05.04, DSS05.05, DSS05.07,

components, system, etc.) DSS06.03

identified through proper ISA 62443-2-1:2009 4.3.3.5.2, 4.3.3.7.2,

procedures. 4.3.3.7.4

ISA 62443-3-3:2013 SR 1.1, SR 1.2, SR 1.4, SR

1.5, SR 1.9, SR 2.1

ISO/IEC 27001:2013, A.7.1.1, A.9.2.1

NIST SP 800-53 Rev. 4 AC-1, AC-2, AC-3, AC-

16, AC-19, AC-24, IA-1, IA-2, IA-4, IA-5, IA-8,

PE-2, PS-3

CC v3.1 Release5 Part 2 FCO, FCS, FDP, FIA

76
Cybersecurity Management Guidelines Item 5

IoT Security Guidelines Key Concept 11, 14, 16

CPS.AC-9 Authenticate and authorize L1_1_a_SYS, NIST Cybersecurity Framework Ver.1.1 PR.AC-7

logical accesses to system L1_1_b_SYS, CIS CSC 1, 12, 15, 16

components by IoT devices and L2_1_b_SYS, COBIT 5 DSS05.04, DSS05.10, DSS06.10

users according to the L3_1_a_SYS, ISA 62443-2-1:2009 4.3.3.6.1, 4.3.3.6.2,

transaction risks (personal L3_4_b_SYS 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6,

security, privacy risks, and other 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9

organizational risks). ISA 62443-3-3:2013 SR 1.1, SR 1.2, SR 1.5, SR

1.7, SR 1.8, SR 1.9, SR 1.10

ISO/IEC 27001:2013 A.9.2.1, A.9.2.4, A.9.3.1,

A.9.4.2, A.9.4.3, A.18.1.4

NIST SP 800-53 Rev. 4 AC-7, AC-8, AC-9, AC-

11, AC-12, AC-14, IA-1, IA-2, IA-3, IA-4, IA-5, IA-

8, IA-9, IA-10, IA-11

CC v3.1 Release5 Part 2 FCS, FDP, FIA, FPR

Cybersecurity Management Guidelines Item 5

IoT Security Guidelines Key Concept 8, 14, 16

77
3.8. CPS.AT – Awareness and Training
Provide cybersecurity awareness education and training to internal staff and
partners, based on relevant policies, procedures and contracts, so that they
can fulfill their contractual obligations.

Table 3.3-9 Measure requirements in CPS.AT

CPS.AT-1
Measure requirement: Provide appropriate training and education to all individuals in the organization and manage the record so that they can fulfill their assigned roles and responsibilities, to prevent and contain the occurrence and severity of security incidents.
Relating vulnerability ID: L1_1_a_PEO, L1_1_b_PEO, L1_1_c_PEO, L1_1_d_PEO, L1_2_a_PEO, L1_3_a_PEO, L1_3_a_DAT, L1_3_c_PEO, L3_4_a_PEO
Informative references:
- NIST Cybersecurity Framework Ver.1.1 PR.AT-1, PR.AT-2, PR.AT-4, PR.AT-5
- CIS CSC 17
- ISA 62443-2-1:2009 4.3.2.4.1, 4.3.2.4.2, 4.3.2.4.6, 4.3.3.2.5, 4.3.4.5.2, 4.3.4.5.11
- ISO/IEC 27001:2013 A.6.1.1, A.7.1.2, A.7.2.1, A.7.2.2, A.7.3.1
- NIST SP 800-53 Rev. 4 AT-1, AT-2, AT-3, AT-4
- Cybersecurity Management Guidelines Item 3, 5

CPS.AT-2
Measure requirement: Provide appropriate training and security education to members of the organization and other relevant parties of high importance in security management who may be involved in security incident prevention and response. Then, manage the record of such training and security education.
Relating vulnerability ID: L1_3_a_DAT, L1_3_b_PEO, L3_3_a_PEO
Informative references:
- NIST Cybersecurity Framework Ver.1.1 PR.AT-3, PR.IP-10, RS.CO-1
- CIS CSC 17
- COBIT 5 APO07.03, APO07.06, APO10.04, APO10.05
- ISA 62443-2-1:2009 4.3.2.4.1, 4.3.2.4.2, 4.3.2.4.3, 4.3.2.4.6, 4.3.4.5.11
- ISO/IEC 27001:2013 A.6.1.1, A.7.2.1, A.7.2.2
- NIST SP 800-53 Rev. 4 AT-4, PS-7, SA-9, SA-16
- Cybersecurity Management Guidelines Item 3, 7

CPS.AT-3
Measure requirement: Improve the contents of security training and education given to members of the organization and other relevant parties of high importance in the security management of the organization.
Relating vulnerability ID: L1_1_a_PEO, L1_1_b_PEO, L1_1_c_PEO, L1_3_a_PEO, L1_3_b_PEO, L1_3_c_PEO, L3_3_a_PEO, L3_4_a_PEO, L3_4_b_PEO
Informative references:
- CIS CSC 17
- ISA 62443-2-1:2009 4.3.2.4.4, 4.3.2.4.5
- ISO/IEC 27001:2013 A.7.2.2
- NIST SP 800-53 Rev. 4 AT-1

3.9. CPS.DS – Data Security
Manage information according to the organization's risk strategy, using the
core security principles of confidentiality, integrity and availability of data.

Table 3.3-10 Measure requirements in CPS.DS

CPS.DS-1
Measure requirement: If the organization exchanges protected information with other organizations, agree in advance on security requirements for the protection of such information.
Relating vulnerability ID: L3_1_a_PRO, L3_4_a_DAT, L3_4_b_DAT
Informative references:
- ISO/IEC 27001:2013 A.13.1.2, A.13.2.1, A.13.2.2, A.13.2.3
- NIST SP 800-53 Rev. 4 SC-1
- Cybersecurity Management Guidelines Item 5

CPS.DS-2
Measure requirement: Encrypt information with an appropriate level of security strength, and store it.
Relating vulnerability ID: L1_1_a_DAT, L3_1_a_DAT, L3_3_d_SYS, L3_4_b_SYS
Informative references:
- NIST Cybersecurity Framework Ver.1.1 PR.DS-1
- CIS CSC 13, 14
- COBIT 5 APO01.06, BAI02.01, BAI06.01, DSS04.07, DSS05.03, DSS06.06
- ISA 62443-3-3:2013 SR 3.4, SR 4.1, SR 4.3
- ISO/IEC 27001:2013 A.8.2.3, A.10.1.1
- NIST SP 800-53 Rev. 4 MP-8, SC-12, SC-28
- CC v3.1 Release5 Part 2 FCA
- Cybersecurity Management Guidelines Item 5

CPS.DS-3
Measure requirement: Encrypt the communication channel when communicating between IoT devices and servers or in cyberspace.
Relating vulnerability ID: L1_1_a_SYS, L1_1_b_DAT, L3_1_a_DAT, L3_2_b_DAT, L3_3_a_SYS, L3_3_d_SYS
Informative references:
- NIST Cybersecurity Framework Ver.1.1 PR.DS-2
- CIS CSC 13, 14
- COBIT 5 APO01.06, DSS05.02, DSS06.06
- ISA 62443-3-3:2013 SR 3.1, SR 3.8, SR 4.1, SR 4.2, SR 4.3
- ISO/IEC 27001:2013 A.6.2.2, A.8.2.3, A.13.1.1, A.13.2.1, A.13.2.3, A.14.1.2, A.14.1.3
- NIST SP 800-53 Rev. 4 SC-8, SC-11, SC-12
- CC v3.1 Release5 Part 2 FCO, FCS
- Cybersecurity Management Guidelines Item 5
- IoT Security Guidelines Key Concept 14

CPS.DS-4
Measure requirement: Encrypt the information itself when sending/receiving information.
Relating vulnerability ID: L1_1_a_DAT, L1_1_b_DAT, L3_1_a_DAT, L3_2_b_DAT, L3_3_d_SYS
Informative references:
- NIST Cybersecurity Framework Ver.1.1 PR.DS-2
- CIS CSC 13, 14
- COBIT 5 APO01.06, DSS05.02, DSS06.06
- ISA 62443-3-3:2013 SR 3.1, SR 3.8, SR 4.1, SR 4.2, SR 4.3
- ISO/IEC 27001:2013 A.8.2.3, A.13.1.1, A.13.2.1, A.13.2.3, A.14.1.2, A.14.1.3
- NIST SP 800-53 Rev. 4 SC-8, SC-11, SC-12
- CC v3.1 Release5 Part 2 FCS
- Cybersecurity Management Guidelines Item 5
- IoT Security Guidelines Key Concept 14

CPS.DS-5
Measure requirement: Securely control encryption keys throughout their life cycle to ensure proper operation and the secure transmission, receipt and storage of data.
Relating vulnerability ID: L1_1_a_DAT, L3_1_a_DAT
Informative references:
- CIS CSC 13
- ISO/IEC 27001:2013 A.10.1.2
- NIST SP 800-53 Rev. 4 SC-12
- Cybersecurity Management Guidelines Item 5

CPS.DS-6
Measure requirement: Secure sufficient resources (e.g., People, Components, System) for components and systems, and protect assets properly to minimize the adverse effects of cyberattacks (e.g., DoS attacks).
Relating vulnerability ID: L1_1_c_SYS, L2_1_d_SYS, L3_3_c_SYS
Informative references:
- NIST Cybersecurity Framework Ver.1.1 PR.DS-4
- COBIT 5 APO01.06, DSS05.04, DSS05.07, DSS06.02
- ISA 62443-3-3:2013 SR 5.2, SR 7.1
- ISO/IEC 27001:2013 A.12.1.3, A.17.2.1
- NIST SP 800-53 Rev. 4 AC-4, AC-5, AC-6, PE-19, PS-3, PS-6, SC-7, SC-8, SC-13, SC-31, SI-4
- CC v3.1 Release5 Part 2 FCO, FRU
- Cybersecurity Management Guidelines Item 5

CPS.DS-7
Measure requirement: Carry out periodic quality checks, prepare standby devices and uninterruptible power supplies, provide redundancy, detect failures, conduct replacement work, and update software for IoT devices, communication devices, circuits, etc.
Relating vulnerability ID: L1_1_c_SYS, L2_1_d_SYS, L3_3_c_SYS
Informative references:
- NIST Cybersecurity Framework Ver.1.1 PR.DS-4
- COBIT 5 APO01.06, DSS05.04, DSS05.07, DSS06.02
- ISA 62443-3-3:2013 SR 5.2, SR 7.5
- ISO/IEC 27001:2013 A.12.1.3, A.17.2.1
- NIST SP 800-53 Rev. 4 AC-4, AC-5, AC-6, PE-19, PS-3, PS-6, SC-7, SC-8, SC-13, SC-31, SI-4
- CC v3.1 Release5 Part 2 FRU
- Cybersecurity Management Guidelines Item 5

CPS.DS-8
Measure requirement: When handling information to be protected or procuring devices that have an important function for the organization, select IoT devices and servers equipped with anti-tampering devices.
Relating vulnerability ID: L1_1_d_COM, L2_3_b_COM
Informative references:
- NIST Cybersecurity Framework Ver.1.1 PR.DS-5
- COBIT 5 APO01.06, DSS05.04, DSS05.07, DSS06.02
- ISO/IEC 27001:2013 A.8.2.3, A.10.1.2, A.11.1.4, A.11.1.5, A.11.2.1
- NIST SP 800-53 Rev. 4 PE-19
- CC v3.1 Release5 Part 2 FCS, FPT
- Cybersecurity Management Guidelines Item 5
- IoT Security Guidelines Key Concept 8

CPS.DS-9
Measure requirement: Properly control outbound communications that send information to be protected, to prevent improper data breaches.
Relating vulnerability ID: L1_1_a_DAT, L2_3_c_SYS, L3_1_a_DAT
Informative references:
- NIST Cybersecurity Framework Ver.1.1 PR.DS-5
- COBIT 5 APO01.06, DSS05.04, DSS05.07, DSS06.02
- ISA 62443-3-3:2013 SR 5.2
- ISO/IEC 27001:2013 A.8.2.2, A.8.2.3, A.13.1.1, A.13.2.1
- NIST SP 800-53 Rev. 4 AC-4, SC-7, SC-8, SC-13, SC-31, SI-4
- CC v3.1 Release5 Part 2 FCS, FPT
- Cybersecurity Management Guidelines Item 5
- IoT Security Guidelines Key Concept 8

CPS.DS-10
Measure requirement: Conduct integrity checks of software running on the IoT devices and servers at a time determined by the organization, and prevent unauthorized software from launching.
Relating vulnerability ID: L2_3_b_SYS
Informative references:
- NIST Cybersecurity Framework Ver.1.1 PR.DS-6
- CIS CSC 2, 3
- COBIT 5 APO01.06, BAI06.01, DSS06.02
- ISA 62443-3-3:2013 SR 3.1, SR 3.3, SR 3.4, SR 3.8
- ISO/IEC 27001:2013 A.12.2.1, A.12.5.1, A.14.2.4
- NIST SP 800-53 Rev. 4 SC-16, SI-7
- CC v3.1 Release5 Part 2 FCS, FPT
- Cybersecurity Management Guidelines Item 5
- IoT Security Guidelines Key Concept 8

CPS.DS-11
Measure requirement: Perform integrity checking on information to be sent, received, and stored.
Relating vulnerability ID: L1_1_b_DAT, L1_1_d_PRO, L3_2_a_DAT, L3_2_b_DAT
Informative references:
- NIST Cybersecurity Framework Ver.1.1 PR.DS-6
- CIS CSC 2, 3
- COBIT 5 APO01.06, BAI06.01, DSS06.02
- ISA 62443-3-3:2013 SR 3.1, SR 3.3, SR 3.4, SR 3.8
- ISO/IEC 27001:2013 A.14.1.2, A.14.1.3
- NIST SP 800-53 Rev. 4 SC-16, SI-7
- CC v3.1 Release5 Part 2 FCS, FPT
- Cybersecurity Management Guidelines Item 5
- IoT Security Guidelines Key Concept 8

CPS.DS-12
Measure requirement: Introduce an integrity check mechanism to verify the integrity of hardware.
Relating vulnerability ID: L1_1_d_PRO, L2_3_b_SYS
Informative references:
- NIST Cybersecurity Framework Ver.1.1 PR.DS-8
- COBIT 5 BAI03.05
- ISA 62443-2-1:2009 4.3.4.4.4
- ISO/IEC 27001:2013 A.11.2.4
- NIST SP 800-53 Rev. 4 SA-10, SI-7
- CC v3.1 Release5 Part 2 FCS, FPT
- Cybersecurity Management Guidelines Item 5
- IoT Security Guidelines Key Concept 8

CPS.DS-13
Measure requirement: Confirm that IoT devices and software are genuine products during the boot-up process.
Relating vulnerability ID: L1_1_d_PRO, L2_3_c_ORG, L2_3_c_SYS
Informative references:
- CC v3.1 Release5 Part 2 FIA, FDP, FCS
- Cybersecurity Management Guidelines Item 5

CPS.DS-14
Measure requirement: Maintain, update, and manage information such as the origination of data and the data processing history throughout the entire data life cycle.
Relating vulnerability ID: L3_4_a_PRO, L3_4_b_PRO
Informative references:
- ISO/IEC 27001:2013 A.18.1.3, A.18.1.4
- CC v3.1 Release5 Part 2 FAU
- Cybersecurity Management Guidelines Item 5
- IoT Security Guidelines Key Concept 13

CPS.DS-15
Measure requirement: Use products that provide measurable security in order to ensure the availability of security reporting and the trustworthiness of sensing data through integrity protection.
Relating vulnerability ID: L2_1_a_COM, L2_1_a_PRO, L2_3_a_ORG, L2_3_d_ORG
Informative references:
- ISO/IEC 27001:2013 A.15.1.3
- NIST SP 800-53 Rev. 4 SA-12
- Cybersecurity Management Guidelines Item 5

3.10. CPS.IP – Information Protection Processes and Procedures
Maintain security policies, processes and procedures, and use them to manage
the protection of systems and assets (addressing objectives, scope, roles,
responsibilities, management commitments, and coordination among
organizations).

Table 3.3-11 Measure requirements in CPS.IP

CPS.IP-1
Measure requirement: Introduce and implement the process to manage the initial setting procedure (e.g., password) and the setting change procedure for IoT devices and servers.
Relating vulnerability ID: L1_1_a_SYS, L1_1_b_SYS, L2_1_a_ORG, L2_1_b_COM, L2_1_b_PRO, L2_3_b_ORG, L3_1_a_SYS, L3_3_d_SYS
Informative references:
- NIST Cybersecurity Framework Ver.1.1 PR.IP-1, PR.IP-3
- CIS CSC 3, 9, 11
- COBIT 5 BAI10.01, BAI10.02, BAI10.03, BAI10.05, BAI01.06, BAI06.01
- ISA 62443-2-1:2009 4.3.4.3.2, 4.3.4.3.3, 4.3.4.3.5, 4.3.4.3.6
- ISA 62443-3-3:2013 SR 7.6
- ISO/IEC 27001:2013 A.12.1.2, A.12.5.1, A.14.2.2, A.14.2.3, A.14.2.4
- NIST SP 800-53 Rev. 4 CM-2, CM-3, CM-4, CM-5, CM-6, CM-7, CM-9, SA-10
- CC v3.1 Release5 Part 2 FMT, FDP, FIA
- IoT Security Guidelines Key Concept 4, 15

CPS.IP-2
Measure requirement: Restrict the software that may be added to IoT devices and servers after installation.
Relating vulnerability ID: L1_1_a_SYS, L2_1_a_ORG, L2_1_c_SYS, L3_1_a_SYS, L3_3_a_SYS, L3_3_d_SYS
Informative references:
- NIST Cybersecurity Framework Ver.1.1 PR.IP-1
- CIS CSC 9
- COBIT 5 BAI10.01, BAI10.02, BAI10.03, BAI10.05, BAI01.06, BAI06.01
- ISA 62443-2-1:2009 4.3.4.3.2, 4.3.4.3.3
- ISA 62443-3-3:2013 SR 7.6
- ISO/IEC 27001:2013 A.12.1.2, A.12.5.1, A.12.6.2, A.14.2.2, A.14.2.3, A.14.2.4
- NIST SP 800-53 Rev. 4 CM-2, CM-3, CM-4, CM-5, CM-6, CM-7, CM-9, SA-10

CPS.IP-3
Measure requirement: Introduce a system development life cycle to manage the systems.
Relating vulnerability ID: L1_1_a_ORG, L1_1_b_ORG, L1_1_c_ORG, L2_1_d_SYS, L3_3_c_SYS
Informative references:
- NIST Cybersecurity Framework Ver.1.1 PR.IP-2
- CIS CSC 18
- COBIT 5 APO13.01, BAI03.01, BAI03.02, BAI03.03
- ISA 62443-2-1:2009 4.3.4.3.3
- ISO/IEC 27001:2013 A.6.1.5, A.14.1.1, A.14.2.1, A.14.2.5
- NIST SP 800-53 Rev. 4 PL-8, SA-3, SA-4, SA-8, SA-10, SA-11, SA-12, SA-15, SA-17, PL-8, SI-12, SI-13, SI-14, SI-16, SI-17
- CC v3.1 Release5 Part 1/3

CPS.IP-4
Measure requirement: Perform periodic system backups and testing of components (e.g., IoT devices, communication devices, and circuits).
Relating vulnerability ID: L1_3_a_DAT, L2_1_d_SYS, L3_3_c_SYS
Informative references:
- NIST Cybersecurity Framework Ver.1.1 ID.BE-5, PR.IP-4
- CIS CSC 10
- COBIT 5 APO13.01, DSS01.01, DSS04.07
- ISA 62443-2-1:2009 4.3.4.3.9
- ISA 62443-3-3:2013 SR 7.3, SR 7.4
- ISO/IEC 27001:2013 A.12.3.1, A.17.1.2, A.17.1.3, A.18.1.3
- NIST SP 800-53 Rev. 4 CP-4, CP-6, CP-9
- CC v3.1 Release5 Part 2 FRU, FPT_TEE, FPT_TST

CPS.IP-5
Measure requirement: Implement physical measures such as preparing an uninterruptible power supply, a fire protection facility, and protection from water infiltration, following the policies and rules related to the physical operating environment, including the IoT devices and servers installed in the organization.
Relating vulnerability ID: L1_1_a_SYS, L1_1_c_SYS, L2_3_b_SYS, L2_3_d_SYS, L3_1_a_SYS
Informative references:
- NIST Cybersecurity Framework Ver.1.1 ID.BE-5, PR.IP-5
- COBIT 5 DSS01.04, DSS05.05
- ISA 62443-2-1:2009 4.3.3.3.1, 4.3.3.3.2, 4.3.3.3.3, 4.3.3.3.5, 4.3.3.3.6
- ISO/IEC 27001:2013 A.11.1.4, A.11.2.1, A.11.2.2, A.11.2.3
- NIST SP 800-53 Rev. 4 PE-10, PE-12, PE-13, PE-14, PE-15, PE-18
- CC v3.1 Release5 Part 2 FPT, FRU
- Cybersecurity Management Guidelines Item 8
- IoT Security Guidelines Key Concept 6

CPS.IP-6
Measure requirement: When disposing of an IoT device or server, delete the stored data, the ID (identifier) uniquely identifying the genuine IoT devices and servers, and other important information (e.g., private key and digital certificate), or make them unreadable.
Relating vulnerability ID: L2_3_b_DAT
Informative references:
- NIST Cybersecurity Framework Ver.1.1 PR.DS-3, PR.IP-6
- COBIT 5 BAI09.03, DSS05.06
- ISA 62443-2-1:2009 4.3.4.4.4
- ISA 62443-3-3:2013 SR 4.2
- ISO/IEC 27001:2013 A.8.2.3, A.8.3.1, A.8.3.2, A.11.2.7
- NIST SP 800-53 Rev. 4 MP-6
- CC v3.1 Release5 Part 2 FCS, FIA, FDP, FMT, FPT
- Cybersecurity Management Guidelines Item 5
- IoT Security Guidelines Key Concept 6

CPS.IP-7
Measure requirement: Assess the lessons learned from security incident response and the results of monitoring, measuring, and evaluating internal and external attacks, and improve the processes for protecting the assets.
Relating vulnerability ID: L1_1_a_PRO, L1_1_b_PRO, L1_1_c_PRO, L2_1_a_ORG
Informative references:
- NIST Cybersecurity Framework Ver.1.1 PR.IP-7
- COBIT 5 APO11.06, APO12.06, DSS04.05
- ISA 62443-2-1:2009 4.4.3.1, 4.4.3.2, 4.4.3.3, 4.4.3.4, 4.4.3.5, 4.4.3.6, 4.4.3.7, 4.4.3.8
- ISO/IEC 27001:2013 A.16.1.6, Clause 9, Clause 10
- NIST SP 800-53 Rev. 4 CA-2, CA-7, CP-2, IR-8, PL-2, PM-6
- Cybersecurity Management Guidelines Item 5

CPS.IP-8
Measure requirement: Share information regarding the effectiveness of data protection technologies with appropriate partners.
Relating vulnerability ID: L2_1_a_ORG
Informative references:
- NIST Cybersecurity Framework Ver.1.1 PR.IP-8
- COBIT 5 BAI08.04, DSS03.04
- ISO/IEC 27001:2013 A.16.1.6
- NIST SP 800-53 Rev. 4 AC-21, CA-7, SI-4
- CC v3.1 Release5 Part 1
- Cybersecurity Management Guidelines Item 9
- IoT Security Guidelines Key Concept 18

CPS.IP-9
Measure requirement: Include items concerning security (e.g., deactivation of access authorization and personnel screening) when roles change due to personnel transfer.
Relating vulnerability ID: L1_1_a_PEO, L1_1_b_PEO, L1_1_c_PEO
Informative references:
- NIST Cybersecurity Framework Ver.1.1 PR.IP-11
- CIS CSC 5, 16
- COBIT 5 APO07.01, APO07.02, APO07.03, APO07.04, APO07.05
- ISA 62443-2-1:2009 4.3.3.2.1, 4.3.3.2.2, 4.3.3.2.4, 4.3.3.2.3, 4.3.3.2.6
- ISO/IEC 27001:2013 A.7.1.1, A.7.1.2, A.7.2.1, A.7.2.2, A.7.2.3, A.7.3.1, A.8.1.4
- NIST SP 800-53 Rev. 4 PS-1, PS-2, PS-3, PS-4, PS-5, PS-6, PS-7, PS-8, SA-21
- CC v3.1 Release5 Part 2 FMT, FIA
- IoT Security Guidelines Key Concept 4

CPS.IP-10
Measure requirement: Develop a vulnerability remediation plan, and remediate the vulnerabilities of the components according to the plan.
Relating vulnerability ID: L1_1_a_SYS, L2_1_a_ORG, L3_1_a_SYS, L3_3_a_SYS, L3_3_d_SYS
Informative references:
- NIST Cybersecurity Framework Ver.1.1 PR.IP-12
- CIS CSC 4, 18, 20
- COBIT 5 BAI03.10, DSS05.01, DSS05.02
- ISA 62443-2-1:2009 4.3.4.3.7
- ISO/IEC 27001:2013 A.12.6.1, A.14.2.3, A.16.1.3, A.18.2.2, A.18.2.3
- NIST SP 800-53 Rev. 4 RA-3, RA-5, SI-2
- Cybersecurity Management Guidelines Item 5
- IoT Security Guidelines Key Concept 17, 21

3.11. CPS.MA – Maintenance
Maintain and repair components of industrial control systems and
information systems according to policies and procedures.

Table 3.3-12 Measure requirements in CPS.MA

CPS.MA-1
Measure requirement:
- Discuss the method of conducting important security updates and the like on IoT devices and servers. Then, apply those security updates with managed tools, properly and in a timely manner, while recording the history.
- Introduce IoT devices having a remote update mechanism to perform a mass update of different software programs (OS, driver, and application) through remote commands, where applicable.
Relating vulnerability ID: L1_1_a_SYS, L2_1_a_ORG, L2_1_c_SYS, L3_1_a_SYS, L3_3_a_SYS, L3_3_d_SYS
Informative references:
- NIST Cybersecurity Framework Ver.1.1 PR.MA-1
- COBIT 5 BAI03.10, BAI09.02, BAI09.03, DSS01.05
- ISA 62443-2-1:2009 4.3.3.3.7
- ISO/IEC 27001:2013 A.11.1.2, A.11.2.4, A.11.2.5, A.11.2.6, A.14.2.4
- NIST SP 800-53 Rev. 4 MA-2, MA-3, MA-5, MA-6
- IoT Security Guidelines Key Concept 17

CPS.MA-2
Measure requirement: Conduct remote maintenance of the IoT devices and servers while granting approvals and recording logs so that unauthorized access can be prevented.
Relating vulnerability ID: L1_1_a_SYS, L2_1_a_ORG, L3_1_a_SYS, L3_3_a_SYS, L3_3_d_SYS
Informative references:
- NIST Cybersecurity Framework Ver.1.1 PR.MA-2
- CIS CSC 3, 5
- COBIT 5 DSS05.04
- ISA 62443-2-1:2009 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8
- ISO/IEC 27001:2013 A.11.2.4, A.15.1.1, A.15.2.1
- NIST SP 800-53 Rev. 4 MA-4
- CC v3.1 Release5 Part 2 FAU
- IoT Security Guidelines Key Concept 17

3.12. CPS.PT – Protective Technology
Based on relevant policies, procedures and contracts, manage technical
solutions to ensure the security, resilience and safety of systems and assets.

Table 3.3-13 Measure requirements in CPS.PT

CPS.PT-1
Measure requirement: Determine and document the subject or scope of audit recording/log recording, and implement and review those records in order to properly detect high-risk security incidents.
Relating vulnerability ID: L1_1_a_SYS, L2_1_b_ORG, L3_1_a_SYS, L3_3_a_SYS, L3_3_d_SYS
Informative references:
- NIST Cybersecurity Framework Ver.1.1 PR.PT-1
- CIS CSC 1, 3, 5, 6, 14, 15, 16
- COBIT 5 APO11.04, BAI03.05, DSS05.04, DSS05.07, MEA02.01
- ISA 62443-2-1:2009 4.3.3.3.9, 4.3.3.5.8, 4.3.4.4.7, 4.4.2.1, 4.4.2.2, 4.4.2.4
- ISA 62443-3-3:2013 SR 2.8, SR 2.9, SR 2.10, SR 2.11, SR 2.12
- ISO/IEC 27001:2013 A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1
- NIST SP 800-53 Rev. 4 AU Family
- CC v3.1 Release5 Part 2 FAU
- IoT Security Guidelines Key Concept 9, 13

CPS.PT-2
Measure requirement: Minimize the functions of IoT devices and servers by physically and logically blocking unnecessary network ports, USB ports, serial ports, etc. that directly access the main bodies of the IoT devices and servers.
Relating vulnerability ID: L1_1_a_SYS, L1_1_b_SYS, L1_1_c_SYS, L2_1_b_COM, L2_3_b_SYS, L3_1_a_SYS, L3_3_d_SYS
Informative references:
- NIST Cybersecurity Framework Ver.1.1 PR.PT-2, PR.PT-3
- CIS CSC 3, 8, 11, 13, 14
- COBIT 5 DSS05.02, DSS05.05, DSS05.06, DSS06.06
- ISA 62443-3-3:2013 SR 2.3
- ISA 62443-2-1:2009 4.3.3.5.1, 4.3.3.5.2, 4.3.3.5.3, 4.3.3.5.4, 4.3.3.5.5, 4.3.3.5.6, 4.3.3.5.7, 4.3.3.5.8, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.1, 4.3.3.7.2, 4.3.3.7.3, 4.3.3.7.4
- ISA 62443-3-3:2013 SR 1.6, SR 1.13, SR 2.1, SR 2.2, SR 2.3, SR 2.4
- ISO/IEC 27001:2013 A.8.2.1, A.8.2.2, A.8.2.3, A.8.3.1, A.8.3.3, A.9.1.2, A.11.2.9
- NIST SP 800-53 Rev. 4 AC-3, CM-7, MP-2, MP-3, MP-4, MP-5, MP-7, MP-8

CPS.PT-3
Measure requirement: Introduce IoT devices that implement safety functions, assuming that these devices are connected to the network.
Relating vulnerability ID: L2_2_a_ORG
Informative references:
- NIST Cybersecurity Framework Ver.1.1 PR.PT-5
- COBIT 5 BAI04.01, BAI04.02, BAI04.03, BAI04.04, BAI04.05, DSS01.05
- ISA 62443-2-1:2009 4.3.2.5.2
- ISA 62443-3-3:2013 SR 3.6, SR 7.1, SR 7.2
- ISO/IEC 27001:2013 A.16.1.6
- NIST SP 800-53 Rev. 4 CP-7, CP-8, CP-11, CP-13, PL-8, SA-14, SC-6
- IoT Security Guidelines Key Concept 10

3.13. CPS.AE – Anomalies and Events
Detect anomalies and understand the possible impact of events.

Table 3.3-14 Measure requirements in CPS.AE

CPS.AE-1
Measure requirement: Establish and implement the procedure to identify and manage the baseline of network operations and expected information flows between people, goods, and systems.
Relating vulnerability ID: L1_1_a_COM, L1_1_a_SYS, L1_1_b_COM, L1_1_c_COM, L1_3_b_ORG, L1_3_c_ORG, L2_1_b_ORG, L3_1_a_SYS, L3_3_a_SYS, L3_3_d_SYS
Informative references:
- NIST Cybersecurity Framework Ver.1.1 DE.AE-1
- CIS CSC 1, 4, 6, 12, 13, 15, 16
- COBIT 5 DSS03.01
- ISA 62443-2-1:2009 4.4.3.3
- ISO/IEC 27001:2013 A.12.1.1, A.12.1.2, A.13.1.1, A.13.1.2
- NIST SP 800-53 Rev. 4 AC-4, CA-3, CM-2, SI-4
- CC v3.1 Release5 Part 2 FAU, FDP
- Cybersecurity Management Guidelines Item 5

CPS.AE-2
Measure requirement: Appoint a chief security officer, establish a security management team (SOC/CSIRT), and prepare a system within the organization to detect, analyze, and respond to security events.
Relating vulnerability ID: L1_3_a_ORG
Informative references:
- NIST Cybersecurity Framework Ver.1.1 DE.AE-2
- CIS CSC 3, 6, 13, 15
- COBIT 5 DSS05.07
- ISA 62443-2-1:2009 4.3.4.5.6, 4.3.4.5.7, 4.3.4.5.8
- ISA 62443-3-3:2013 SR 2.8, SR 2.9, SR 2.10, SR 2.11, SR 2.12, SR 3.9, SR 6.1, SR 6.2
- ISO/IEC 27001:2013 A.6.1.1, A.12.4.1, A.16.1.5
- NIST SP 800-53 Rev. 4 AU-6, CA-7, IR-4, SI-4

CPS.AE-3
Measure requirement: Identify security events accurately by implementing a procedure for correlation analysis of security incidents and comparative analysis against threat information obtained from outside the organization.
Relating vulnerability ID: L1_1_b_SYS, L1_3_a_SYS
Informative references:
- NIST Cybersecurity Framework Ver.1.1 DE.AE-3, RS.AN-1
- CIS CSC 1, 3, 4, 5, 6, 7, 8, 11, 12, 13, 14, 15, 16
- COBIT 5 BAI08.02
- ISA 62443-3-3:2013 SR 6.1
- ISO/IEC 27001:2013 A.12.4.1
- NIST SP 800-53 Rev. 4 AU-6, CA-7, IR-4, IR-5, IR-8, SI-4

CPS.AE-4
Measure requirement: Identify the impact of security events, including the impact on other relevant organizations.
Relating vulnerability ID: L1_3_b_PRO
Informative references:
- NIST Cybersecurity Framework Ver.1.1 DE.AE-4
- CIS CSC 4, 6
- COBIT 5 APO12.06, DSS03.01
- ISO/IEC 27001:2013 A.6.1.4, A.16.1.4
- NIST SP 800-53 Rev. 4 CP-2, IR-4, RA-3, SI-4
- Cybersecurity Management Guidelines Item 5
- IoT Security Guidelines Key Concept 5

CPS.AE-5
Measure requirement: Specify the criteria for determining the risk degree of security events.
Relating vulnerability ID: L1_3_a_PRO
Informative references:
- NIST Cybersecurity Framework Ver.1.1 DE.AE-5
- CIS CSC 6, 19
- COBIT 5 APO12.06, DSS03.01
- ISA 62443-2-1:2009 4.2.3.10
- ISO/IEC 27001:2013 A.16.1.4
- NIST SP 800-53 Rev. 4 IR-4, IR-5, IR-8
- Cybersecurity Management Guidelines Item 5

3.14. CPS.CM – Security Continuous Monitoring
Detect security events and monitor systems and assets to verify the
effectiveness of protection measures.

Table 3.3-15 Measure requirements in CPS.CM

CPS.CM-1
Measure requirement: Conduct network and access monitoring and control at the contact points between corporate networks and wide area networks.
Relating vulnerability ID: L1_1_a_SYS, L1_1_c_SYS, L1_3_a_SYS, L2_1_b_ORG, L2_3_c_SYS, L3_1_a_SYS, L3_3_a_SYS, L3_3_d_SYS
Informative references:
- NIST Cybersecurity Framework Ver.1.1 DE.CM-1
- CIS CSC 1, 7, 8, 12, 13, 15, 16
- COBIT 5 DSS01.03, DSS03.05, DSS05.07
- ISA 62443-3-3:2013 SR 6.2
- NIST SP 800-53 Rev. 4 AC-2, AU-12, CA-7, CM-3, SC-5, SC-7, SI-4
- CC v3.1 Release5 Part 2 FAU, FDP
- IoT Security Guidelines Key Concept 8, 13

CPS.CM-2
Measure requirement: Perform setting, recording, and monitoring of proper physical access, considering the importance of the IoT devices and servers.
Relating vulnerability ID: L1_1_a_SYS, L1_1_c_SYS, L2_3_b_PEO, L2_3_b_SYS, L2_3_d_SYS, L3_1_a_SYS
Informative references:
- NIST Cybersecurity Framework Ver.1.1 DE.CM-2
- COBIT 5 DSS01.04, DSS01.05
- ISA 62443-2-1:2009 4.3.3.3.8
- ISO/IEC 27001:2013 A.11.1.1, A.11.1.2, A.11.1.3, A.11.2.5, A.11.2.6
- NIST SP 800-53 Rev. 4 CA-7, PE-3, PE-6, PE-20
- CC v3.1 Release5 Part 2 FAU, FDP
- IoT Security Guidelines Key Concept 8

CPS.CM-3
Measure requirement:
- Use IoT devices that can detect abnormal behaviors and suspend operations by comparing the instructed behaviors with the actual ones.
- Validate whether information provided from cyberspace contains malicious code, and whether it is within the permissible range, before taking any action based on the data.
Relating vulnerability ID: L1_1_b_SYS, L2_2_a_COM, L3_3_a_DAT, L3_3_d_SYS
Informative references:
- NIST Cybersecurity Framework Ver.1.1 DE.CM-4, DE.CM-5
- CIS CSC 4, 7, 8, 12
- COBIT 5 DSS05.01
- ISA 62443-2-1:2009 4.3.4.3.8
- ISA 62443-3-3:2013 SR 3.2, SR 3.5
- ISO/IEC 27001:2013 A.12.2.1
- NIST SP 800-53 Rev. 4 SI-3, SI-8
- CC v3.1 Release5 Part 2 FAU_SAA.2
- IoT Security Guidelines Key Concept 9

CPS.CM-4
Measure requirement: Validate the integrity and authenticity of the information provided from cyberspace before operations.
Relating vulnerability ID: L3_3_a_DAT, L3_3_d_SYS
Informative references:
- NIST Cybersecurity Framework Ver.1.1 DE.CM-4, DE.CM-5
- CIS CSC 4, 7, 8, 12
- COBIT 5 DSS05.01
- ISA 62443-2-1:2009 4.3.4.3.8
- ISA 62443-3-3:2013 SR 3.2
- ISO/IEC 27001:2013 A.12.2.1, A.12.5.1, A.12.6.2
- NIST SP 800-53 Rev. 4 SI-3, SI-8
- CC v3.1 Release5 Part 2 FCS

CPS.CM-5
Measure requirement: Monitor communication with external service providers so that security events can be detected properly.
Relating vulnerability ID: L1_1_a_COM, L1_1_a_SYS, L1_1_b_COM, L1_1_c_COM, L1_3_b_ORG, L1_3_c_ORG, L3_1_a_SYS, L3_3_a_SYS, L3_3_d_SYS
Informative references:
- NIST Cybersecurity Framework Ver.1.1 DE.CM-6
- COBIT 5 APO07.06, APO10.05
- ISO/IEC 27001:2013 A.13.1.2, A.14.2.7, A.15.2.1
- NIST SP 800-53 Rev. 4 CA-7, PS-7, SA-4, SA-9, SI-4
- IoT Security Guidelines Key Concept 8, 9, 13

CPS.CM-6
Measure requirement: As part of the configuration management of devices, constantly manage software configuration information, the status of network connections (e.g., presence/absence of connections and access destinations), and the information transmission/reception status with other “organizations”, people, components, and systems.
Relating vulnerability ID: L1_1_a_COM, L1_1_a_SYS, L1_1_b_COM, L1_1_c_COM, L1_3_a_SYS, L1_3_b_ORG, L1_3_c_ORG, L2_1_a_ORG, L2_1_c_ORG, L2_1_c_SYS, L2_3_b_ORG, L2_3_b_SYS, L2_3_c_SYS, L3_1_a_SYS, L3_3_a_SYS, L3_3_d_SYS
Informative references:
- NIST Cybersecurity Framework Ver.1.1 PR.AC-3, DE.CM-3, DE.CM-7
- CIS CSC 1, 2, 3, 5, 7, 9, 12, 13, 14, 15, 16
- COBIT 5 DSS05.02, DSS05.05, DSS05.07
- ISO/IEC 27001:2013 A.12.4.1, A.14.2.7, A.15.2.1
- NIST SP 800-53 Rev. 4 AC-2, AU-12, AU-13, CA-7, CM-3, CM-8, CM-10, CM-11, PE-3, PE-6, PE-20, SI-4
- IoT Security Guidelines Key Concept 13

CPS.CM-7
Measure requirement: Confirm the existence of vulnerabilities that require a regular check-up in IoT devices and servers managed within the organization.
Relating vulnerability ID: L1_1_a_SYS, L2_1_c_SYS, L3_1_a_SYS, L3_3_a_SYS, L3_3_d_SYS
Informative references:
- NIST Cybersecurity Framework Ver.1.1 DE.CM-8
- CIS CSC 4, 20
- COBIT 5 BAI03.10, DSS05.01
- ISA 62443-2-1:2009 4.2.3.1, 4.2.3.7
- ISO/IEC 27001:2013 A.12.6.1
- NIST SP 800-53 Rev. 4 RA-5
- IoT Security Guidelines Key Concept 8, 21

3.15. CPS.DP – Detection Process
Maintain and test detection processes and procedures to accurately detect
abnormal security events.
Table 3.3-16 Measure requirements in CPS.DP

(Columns: ID, Measure requirement, Relating vulnerability ID, Informative references)

CPS.DP-1
Measure requirement: Clarify the role and responsibility of the organization as well as service providers in detecting security events so that they can fulfill their accountabilities.
Relating vulnerability ID: L1_3_a_ORG
Informative references:
  NIST Cybersecurity Framework Ver.1.1 DE.DP-1
  CIS CSC 19
  COBIT 5 APO01.02, DSS05.01, DSS06.03
  ISA 62443-2-1:2009 4.4.3.1
  ISO/IEC 27001:2013 A.6.1.1, A.7.2.2
  NIST SP 800-53 Rev. 4 CA-2, CA-7, PM-14
  Cybersecurity Management Guidelines Item 5

CPS.DP-2
Measure requirement: Detect security events in the monitoring process, in compliance with applicable local regulations, directives, industry standards, and other rules.
Relating vulnerability ID: L1_2_a_ORG, L1_3_a_ORG
Informative references:
  NIST Cybersecurity Framework Ver.1.1 DE.DP-2
  COBIT 5 DSS06.01, MEA03.03, MEA03.04
  ISA 62443-2-1:2009 4.4.3.2
  ISO/IEC 27001:2013 A.18.1.4, A.18.2.2, A.18.2.3
  NIST SP 800-53 Rev. 4 AC-25, CA-2, CA-7, PM-14, SA-18, SI-4, PM-14
  Cybersecurity Management Guidelines Item 1

CPS.DP-3
Measure requirement: As part of the monitoring process, test regularly if the functions for detecting security events work as intended, and validate these functions.
Relating vulnerability ID: L1_3_a_ORG
Informative references:
  NIST Cybersecurity Framework Ver.1.1 DE.DP-3
  COBIT 5 APO13.02, DSS05.02
  ISA 62443-2-1:2009 4.4.3.2
  ISA 62443-3-3:2013 SR 3.3
  ISO/IEC 27001:2013 A.14.2.8, A.14.3.1
  CC v3.1 Release5 Part 2 FPT_TEE
  Cybersecurity Management Guidelines Item 5
  IoT Security Guidelines Key Concept 9

CPS.DP-4
Measure requirement: Continuously improve the process of detecting security events.
Relating vulnerability ID: L1_1_b_SYS, L1_3_a_ORG
Informative references:
  NIST Cybersecurity Framework Ver.1.1 DE.DP-5
  COBIT 5 APO11.06, APO12.06, DSS04.05
  ISA 62443-2-1:2009 4.4.3.4
  ISO/IEC 27001:2013 A.16.1.6
  NIST SP 800-53 Rev. 4 CA-2, CA-7, PL-2, RA-5, SI-4, PM-14
  Cybersecurity Management Guidelines Item 5

3.16. CPS.RP – Response Planning
Respond to detected security incidents and implement and maintain response
and recovery processes and procedures so affected assets and systems can be
properly restored and business continues uninterrupted.

Table 3.3-17 Measure requirements in CPS.RP

(Columns: ID, Measure requirement, Relating vulnerability ID, Informative references)

CPS.RP-1
Measure requirement: Develop and implement in advance the procedure for response after detecting incidents (security operation process) that includes the response of Organization, People, Components, and System, to identify the content, priority, and scope of the response taken after an incident occurs.
Relating vulnerability ID: L1_1_a_SYS, L1_3_a_PEO, L1_3_a_PRO, L2_1_a_PRO, L2_1_b_PRO, L2_1_c_PRO, L2_2_a_PRO, L3_1_a_SYS, L3_3_a_SYS, L3_3_d_SYS
Informative references:
  NIST Cybersecurity Framework Ver.1.1 ID.BE-5, PR.IP-9, DE.DP-4, RS.RP-1, RS.CO-2, RS.CO-3
  CIS CSC 19
  COBIT 5 APO12.06, BAI01.10
  ISA 62443-2-1:2009 4.3.3.3.10, 4.3.4.5.1
  ISO/IEC 27001:2013 A.16.1.5
  NIST SP 800-53 Rev. 4 CP-2, CP-10, IR-4, IR-8
  CC v3.1 Release5 Part 2 FTA
  Cybersecurity Management Guidelines Item 5, 7, 8
  IoT Security Guidelines Key Concept 5

CPS.RP-2
Measure requirement: As part of the security operation process, define the procedure and the division of roles with regard to cooperative relations with relevant parties such as partners, and implement the process.
Relating vulnerability ID: L1_3_a_PEO, L1_3_a_PRO, L1_3_b_PEO, L1_3_b_PRO
Informative references:
  NIST Cybersecurity Framework Ver.1.1 ID.BE-5, PR.IP-9, RS.CO-4, RS.CO-5
  CIS CSC 19
  COBIT 5 APO12.06, DSS03.04, DSS04.03
  ISA 62443-2-1:2009 4.3.2.5.3, 4.3.4.5.1, 4.3.4.5.2, 4.3.4.5.5
  ISO/IEC 27001:2013 Clause 7.4, A.16.1.1, A.17.1.1, A.17.1.2, A.17.1.3
  NIST SP 800-53 Rev. 4 CP-2, CP-7, CP-12, CP-13, IR-4, IR-7, IR-8, IR-9, PE-17
  Cybersecurity Management Guidelines Item 7, 8

CPS.RP-3
Measure requirement: Include security incidents in the business continuity plan or emergency response plan that outlines the action plans and response procedures to take in case of natural disasters.
Relating vulnerability ID: L1_3_a_PRO, L1_3_a_DAT
Informative references:
  NIST Cybersecurity Framework Ver.1.1 ID.BE-5, RC.RP-1
  CIS CSC 10
  COBIT 5 APO12.06, BAI03.02, DSS02.05, DSS03.04, DSS04.02
  ISA 62443-2-1:2009 4.3.2.5.4, 4.3.3.3.10
  ISO/IEC 27001:2013 A.11.1.4, A.16.1.5, A.17.1.1, A.17.1.2, A.17.2.1
  NIST SP 800-53 Rev. 4 CP-2, CP-11, CP-10, IR-4, IR-8, SA-13, SA-14
  Cybersecurity Management Guidelines Item 8

CPS.RP-4
Measure requirement: Take appropriate measures on goods (products) whose quality may be affected by security incidents, especially regarding production facilities damaged by the security incident.
Relating vulnerability ID: L1_3_b_COM
Informative references: (none listed)

3.17. CPS.CO – Communications
Mitigate the impact of security incidents on the organization and the whole
society, and coordinate communication and recovery activities with
stakeholders in and outside Japan (for example, business partners,
JPCERT/CC, CSIRT of other organizations, vendors) so that they can obtain
support from organizations such as law enforcement agencies.

Table 3.3-18 Measure requirements in CPS.CO

(Columns: ID, Measure requirement, Relating vulnerability ID, Informative references)

CPS.CO-1
Measure requirement: Develop and manage rules regarding publishing information after the occurrence of the security incident.
Relating vulnerability ID: L1_3_a_PRO
Informative references:
  NIST Cybersecurity Framework Ver.1.1 RC.CO-1
  CIS CSC 19
  COBIT 5 EDM03.02
  ISA 62443-2-1:2009 4.3.4.5.9
  ISO/IEC 27001:2013 A.6.1.4, A.17.1.1, Clause 7.4
  Cybersecurity Management Guidelines Item 8
  IoT Security Guidelines Key Concept 18

CPS.CO-2
Measure requirement: Include the item in the business continuity plan or contingency plan to the effect that the organization shall work to restore its social reputation after the occurrence of a high-risk security incident.
Relating vulnerability ID: L1_3_a_PRO
Informative references:
  NIST Cybersecurity Framework Ver.1.1 RC.CO-2
  COBIT 5 MEA03.02
  ISO/IEC 27001:2013 A.17.1.1, Clause 7.4
  Cybersecurity Management Guidelines Item 8

CPS.CO-3
Measure requirement: Include the item in the business continuity plan or contingency plan to the effect that the details of the recovery activities shall be communicated to the internal and external stakeholders, executives, and management.
Relating vulnerability ID: L1_3_a_PRO
Informative references:
  NIST Cybersecurity Framework Ver.1.1 RC.CO-3
  CIS CSC 19
  COBIT 5 APO12.06
  ISA 62443-2-1:2009 4.3.2.5.5, 4.3.4.5.9
  ISO/IEC 27001:2013 A.17.1.1, Clause 7.4
  NIST SP 800-53 Rev. 4 CP-2, IR-4
  Cybersecurity Management Guidelines Item 8

3.18. CPS.AN – Analysis
Analyze the incident and its effects to ensure efficient response and support
restoration activities.

Table 3.3-19 Measure requirements in CPS.AN

(Columns: ID, Measure requirement, Relating vulnerability ID, Informative references)

CPS.AN-1
Measure requirement: Understand the impact of the security incident on the whole society, including the organization and relevant parties such as partners, based on the full account of the incident and the probable intent of the attacker.
Relating vulnerability ID: L1_3_a_COM, L1_3_a_PRO
Informative references:
  NIST Cybersecurity Framework Ver.1.1 RS.AN-2
  CIS CSC 19
  COBIT 5 DSS02.02
  ISA 62443-2-1:2009 4.3.4.5.6, 4.3.4.5.7, 4.3.4.5.8
  ISO/IEC 27001:2013 A.16.1.4, A.16.1.6
  NIST SP 800-53 Rev. 4 CP-2, IR-4
  Cybersecurity Management Guidelines Item 10

CPS.AN-2
Measure requirement: Implement digital forensics upon the occurrence of the security incident.
Relating vulnerability ID: L1_3_a_PRO
Informative references:
  NIST Cybersecurity Framework Ver.1.1 RS.AN-3
  COBIT 5 APO12.06, DSS03.02, DSS05.07
  ISA 62443-3-3:2013 SR 2.8, SR 2.9, SR 2.10, SR 2.11, SR 2.12, SR 3.9, SR 6.1
  ISO/IEC 27001:2013 A.16.1.7
  NIST SP 800-53 Rev. 4 AU-7, IR-4

CPS.AN-3
Measure requirement: Categorize and store information regarding the detected security incidents by the size of security-related impact, penetration vector, and other factors.
Relating vulnerability ID: L1_3_a_PRO
Informative references:
  NIST Cybersecurity Framework Ver.1.1 RS.AN-4
  CIS CSC 19
  COBIT 5 DSS02.02
  ISA 62443-2-1:2009 4.3.4.5.6
  ISO/IEC 27001:2013 A.16.1.4
  NIST SP 800-53 Rev. 4 CP-2, IR-4, IR-5, IR-8

3.19. CPS.MI – Mitigation
Implement activities to prevent the expansion of security events, mitigate the
effects, and resolve security incidents.

Table 3.3-20 Measure requirements in CPS.MI

(Columns: ID, Measure requirement, Relating vulnerability ID, Informative references)

CPS.MI-1
Measure requirement: Take measures to minimize security-related damages and mitigate the impacts caused by such incident.
Relating vulnerability ID: L1_3_a_PRO
Informative references:
  NIST Cybersecurity Framework Ver.1.1 RS.MI-1, RS.MI-2
  CIS CSC 19
  COBIT 5 APO12.06
  ISA 62443-2-1:2009 4.3.4.5.6, 4.3.4.5.10
  ISA 62443-3-3:2013 SR 5.1, SR 5.2, SR 5.4
  ISO/IEC 27001:2013 A.12.2.1, A.16.1.5
  NIST SP 800-53 Rev. 4 IR-4
  IoT Security Guidelines Key Concept 9

3.20. CPS.IM – Improvements
Improve response and recovery activities by incorporating lessons learned
from present and past decisions / response activities.

Table 3.3-21 Measure requirements in CPS.IM

(Columns: ID, Measure requirement, Relating vulnerability ID, Informative references)

CPS.IM-1
Measure requirement: Review the lessons learned from the responses to security incidents, and continuously improve the security operation process.
Relating vulnerability ID: L1_3_a_ORG
Informative references:
  NIST Cybersecurity Framework Ver.1.1 RS.IM-1, RS.IM-2
  CIS CSC 19
  COBIT 5 BAI01.13, DSS04.08
  ISA 62443-2-1:2009 4.3.4.5.10, 4.4.3.4
  ISO/IEC 27001:2013 A.16.1.6, Clause 10
  NIST SP 800-53 Rev. 4 CP-2, IR-4, IR-8
  Cybersecurity Management Guidelines Item 7
  IoT Security Guidelines Key Concept 7

CPS.IM-2
Measure requirement: Review the lessons learned from the responses to security incidents, and continuously improve the business continuity plan or emergency response plan.
Relating vulnerability ID: L1_3_a_ORG
Informative references:
  NIST Cybersecurity Framework Ver.1.1 RC.IM-1, RC.IM-2
  CIS CSC 19
  COBIT 5 APO12.06, BAI05.07, DSS04.08
  ISA 62443-2-1:2009 4.4.3.4
  ISO/IEC 27001:2013 A.16.1.6, Clause 10
  NIST SP 800-53 Rev. 4 CP-2, IR-4, IR-8
  Cybersecurity Management Guidelines Item 8

Appendix A. Use case
~References for specifying the targets of analysis~

Use case #1: Connections of components, data etc. in “Society5.0”
■ In “Society5.0”, cyberspace and physical space are highly integrated, and various components, data etc. are distributed across companies and even among industries.

[Figure (use case #1): three-layer diagram of connections in “Society5.0”.
 The Third Layer - Connections in cyberspace: communication network (Internet etc.) and a collaboration platform for data distribution across industries etc.; the automotive industry, smart home industry, building management industry and others each exchange flows of data through servers etc. and communication devices etc.
 The Second Layer - Connections between physical space and cyberspace: sensors, actuators, devices etc. perform the transcription between physical space and data.
 The First Layer - Connections between companies: distribution of components between companies.]
Use case #2: Manufacturing process

[Figure (use case #2): three-layer diagram of a manufacturing process.
 The Third Layer: communication network (Internet etc.); servers for production management, business management, procurement information and market trend analysis, exchanging data on purchase orders, data on accepted orders, operation data, production data, procurement information, business management data and analytical data.
 The Second Layer: sensors and actuators attached to the machines in the production facilities.
 The First Layer: parts manufacturer (e.g. battery), processing company, finished product manufacturer, analytics service company, ...; trade of components which have a third-layer function (e.g. communication device), of components which have a second-layer function (e.g. sensor, actuator), and of components which have neither a second- nor a third-layer function.]
Point of view in the use case #2 - Manufacturing process

1. Assumed “value creation process”
• A series of transactions in the manufacturing process: an acquirer places an order for a product, and the supplier produces the products based on the design drawing.

2. Features
• Along with progress toward Society5.0, the number of IoT devices will significantly increase.
• There will also be an increase in the use of external data such as market trend analysis data.

3. Image of classification of elements to each layer

Layer: Example of classification of elements to each layer in use case #2

The First Layer
• Parts manufacturer: An organization providing manufactured parts to the processing company.
• Processing company: An organization processing parts supplied by the parts manufacturer.
• Finished product manufacturer: An organization completing the product by assembling parts.
• Analytics company: An organization providing the finished product manufacturer with analytical data about market trends etc.

The Second Layer
• Sensor: A component monitoring the operation status of the production facilities and transducing that to electronic data.
• Actuator: A component actuating the production facilities based on data about production management.

The Third Layer
• Communication device: A system component enabling connection of data among organizations.
• Server for data processing: A system component performing functions such as storage, processing and analysis of data etc.
• Data to be processed
 - Data on procurement information: Data about order plans, transactions between organizations, etc.
 - Analytical data: Analytical data about market trends etc., used for improvement of the production plan.
Use case #3: Example of connected car in the future

[Figure (use case #3): three-layer diagram of a connected car.
 The Third Layer: communication network (mobile communication network etc.); server for traffic data management, server for dynamic data management, server for map data management, server for software data management; data exchanged with the vehicle communication device: probe data (e.g. position information), accident data, traffic control data, congestion data, map for automated driving/ADAS, update program/update data.
 The Second Layer: GPS, sensor for external world recognition, accelerometer, yaw rate sensor, ...; ECU for integrated vehicle control and ECU to be updated; motor, brake, steering, ...
 The First Layer: traffic information provider, dynamic map provider, OTA program provider, ...]
Point of view in the use case #3 – Example of connected car

1. Assumed “value creation process” in the future
• A process that utilizes data obtained from sensors etc. to support human driving, or ultimately to drive autonomously.

2. Features
• Along with the progress of connected cars (automotive IoT), data is exchanged inside and outside the car, and both connections between physical space and cyberspace and connections in cyberspace have increased.
• In order to realize future automatic driving, it may be necessary to exchange various data such as map data and congestion/traffic regulation data in addition to the surrounding data obtained by the external world recognition sensor etc.

3. Image of classification of elements to each layer

Layer: Example of classification of elements to each layer in use case #3

The First Layer
• Traffic information provider: An organization providing traffic control data, congestion data etc. to the dynamic map provider.
• Dynamic map provider: An organization analyzing probe data (e.g. position information) and providing the result of the analysis to automobiles.
• OTA center: An organization providing difference data to vehicles.

The Second Layer
• ECU for driving control: A component controlling the motor, brake, steering, etc. based on information such as the dynamic map.
• Car proximity sensor: A component measuring the distance to the surrounding obstacles using a camera, radar, etc.
• GPS: A component for acquiring the location information of the vehicle.

The Third Layer
• Transmitter/receiver: A system component enabling connection of data among vehicles.
• Server for data processing: A system component performing functions such as storage, processing and analysis of data etc.
• Data to be processed
 - Congestion data: Data about road congestion based on location information etc. of individual vehicles. Used to create the dynamic map.
 - Dynamic map: Data combining map data, traffic congestion data, traffic control data, etc., used by vehicles for automatic driving.
Use case #4: Smart home

[Figure (use case #4): three-layer diagram of a smart home.
 The Third Layer: communication network (Internet etc.) provided by the telecommunications carrier; server for analysis and server for remote monitoring receiving environmental data, vital data and camera data and returning feedback; provision of information to the business collaborator; HGW/Broadband router (trade of communication devices).
 The Second Layer: environmental sensor (environmental data), wearable device (vital data), web camera (camera data), smart phone and other devices; trade of sensors, loan of devices.
 The First Layer: manufacturer (manufacturing of sensors), mass retailer (sale and configuration of sensors), residents, service provider, business collaborator, telecommunications carrier.]
Point of view in the use case #4 - Smart home

1. Assumed “value creation process”
• A process in which services that meet the needs of residents are provided by utilizing data of daily life acquired from IoT devices etc. bought by residents or leased from service providers.

2. Features
• As consumer appliances, security cameras, health equipment, etc. are connected to the Internet and become IoT devices, data relating to daily life is exchanged through the network, and it is possible to operate IoT devices via the network. So, it is important to ensure trustworthiness in the transcription operation of IoT devices connecting cyberspace and physical space.
• In many cases, an administrator is not clearly determined for the maintenance of the IoT device and the management of its state.

3. Image of classification of elements to each layer

Layer: Example of classification of elements to each layer in use case #4

The First Layer
• Residents: People that purchase or rent an IoT device and set it up at home to provide data on their daily life and enjoy services based on it.
• Service provider: An organization acquiring data from the household and implementing services based on it.
• Telecommunications carrier: An organization providing the internet and LTE network by lending communication devices to residents etc.
• Business collaborator: An organization receiving information from the service provider and providing services based on it.
• Manufacturer: An organization manufacturing sensors connecting to the internet etc.
• Mass retailer: An organization selling sensors, etc. manufactured by the manufacturer and setting them up.

The Second Layer
• Sensor, Wearable device, Web camera, Network connected appliance: A component transcribing activities in daily life into digital data.
• Device: A component used for data browsing or input.

The Third Layer
• HGW: A system component enabling connection of data between a household and others.
• Server for data processing: A system component performing functions such as storage, processing and analysis of data etc.
• Data to be processed
 - Environmental data: Data such as temperature and humidity.
 - Vital data: Data such as heart rate, body temperature and so on.
Use case #5: Building management

[Figure (use case #5): three-layer diagram of building management.
 The Third Layer: communication network (leased line, Internet etc.); gateway (GW) and servers for remote monitoring receiving electricity data, data about lighting, air conditioning, etc., data on crime prevention, data on disaster prevention, data from surveillance cameras and data from elevators.
 The Second Layer: integrated network for building facilities (BACnet etc.); server for power receiving/transforming, server for lighting, server for crime prevention systems, server for disaster prevention systems, server for surveillance camera systems, server for elevator systems; controllers; sensors, fire alarms, surveillance cameras; power reception/transformation, lighting, heat source, air conditioning, water supply and drainage, entrance and exit, automated security, elevator.
 The First Layer: building owner; facility vendors, elevator management company, facility management company, security service company.]
Point of view in the use case #5 - Building management

1. Assumed “value creation process”
• The process in which the owner of a building signs a contract with a facility management firm and utilizes data obtained from the building for energy management and optimization of the building, and the process in which the owner of the building monitors or manages it from remote site(s).

2. Features
• Evolution in IP-based communication for many control system(s) in the building
• Necessity of exchanging various data such as power supply data and elevator data to realize monitoring/management of the building(s) from remote site(s)
• Many stakeholders such as elevator monitoring firm(s) and facility management firm(s)

3. Image of classification of elements to each layer

Layer: Example of classification of elements to each layer in use case #5

The First Layer
• Building: Objective(s) monitored/managed by building system(s)
• Elevator management company: Organization that monitors/manages the operation status of elevators built in the building from remote site(s)
• Facility management company: Organization that monitors/manages the power usage of the building(s) and others from remote site(s)
• Security company: Organization that monitors/manages the building(s) through surveillance camera(s) or other(s)

The Second Layer
• Controller: Control device (Lighting, Heat source, Air-conditioning)
• Surveillance camera: A component that monitors occurrence of emergency event(s)

The Third Layer
• Integrated network (BACnet etc.): System component for achieving data exchange between the inside and the outside of building(s)
• Server for data processing: A system component performing functions such as storage, processing and analysis of data etc.
• Data to be processed
 - Electricity data: Various power consumption of device(s) inside building(s). Data utilized by facility management firms.
 - Data on crime prevention: Combined data such as that from an access-controlled secure room and that from automated security. Data utilized by security firm(s).
Use case #6: Electric power system (Demand response)

[Figure (use case #6): three-layer diagram of a demand-response electric power system.
 The Third Layer: communication network (leased line, Internet etc.); system for supply and demand balance, system for smart meter’s data management, system for DR, server for DR control, server for incentive processing, server for weather information; data exchanged: data about power generation, data about supply and demand, request for electricity consumption control, data from meter reading, electricity consumption data, data about incentives, weather information.
 The Second Layer: power generation facility (control unit etc., generator), power transmission facility, smart meter, FEMS/BEMS, production facilities, batteries, lighting, air conditioning, etc.
 The First Layer: electric power supplier company, consumer of electricity, aggregator, weather information provider.]

EMS : Energy Management System  BEMS : Building EMS  FEMS : Factory EMS
Point of view in the use case #6 – Electric power system (Demand response)

1. Assumed “value creation process”
• The process of demand response aimed at reducing power supply through incentives

2. Features
• Increase in the exchange of various data about power supply due to the increasing number of smart meter(s)
• Increase in the number of stakeholders in power supply due to the progress of deregulation of the power market

3. Image of classification of elements to each layer

Layer: Example of classification of elements to each layer in use case #6

The First Layer
• Electric power supplier company: An organization that requests the aggregator to reduce power usage
• Consumer of electricity: An organization that reduces its power consumption in response to a request to reduce power consumption
• Aggregator: An organization that requires manufacturers (plants, buildings) to reduce the electric power consumption as requested by the electric power company/companies.
• Weather information provider: An organization that provides weather information to aggregators

The Second Layer
• Smart meter: A component that convert(s) electric consumption into read data
• FEMS/BEMS: A system that manages energy consumption in plants or in buildings

The Third Layer
• Smart meter: System component that sends read data
• Server for data processing: A system component performing functions such as storage, processing and analysis of data etc.
• Data to be processed
 - Weather information: Weather data such as temperature and humidity. Utilized for electric demand forecast.
 - Request for electricity consumption control: Data such as the amount of electric power consumption. Utilized to request the reduction of power consumption from power firm(s) to aggregator(s), or from aggregator(s) to consumer(s)
Appendix B: Relationship between risk sources and measure requirements

■ Functions/Assumed Security Incidents/Risk Sources/Measure Requirements in the First Layer


(Columns: #, Function, Assumed security incident, Risk sources (Threat; Vulnerability ID; Vulnerability), Measure Requirement, Measure Requirement ID)

# 1_1
Function: Establishing the organizational risk management system effective in normal times and appropriately operating it.
Assumed security incident: Data that must be protected is leaked from an area managed by the organization.
Threats:
 - Malware infection that takes advantage of a data storage system’s vulnerability
 - Injection attack exploiting incomplete input validation (e.g. SQL injection, XSS)
 - Communication interception on the network
 - Physical intrusion by an unauthorized person into areas that need to be protected
 - Identity spoofing using a stolen ID/password of a proper user
 - Internal fraud by an authorized user

Vulnerability ID L1_1_a_ORG [Organization]: Security risks are not managed in accordance with appropriate procedures, and other organizations and people needed are not involved in risk management.
Measure requirements:
 - CPS.AM-6: Classify and prioritize resources (e.g., People, Components, Data, and System) by function, importance, and business value, and communicate to the organizations and people relevant to those resources in business.
 - CPS.BE-2: Define policies and standard measures regarding security that are consistent with the high-priority business and operations of the organization, and share them with parties relevant to the organization’s business (including suppliers and third-party providers).
 - CPS.SC-1: Formulate the standard of security measures relevant to the supply chain in consideration of the business life cycle, and agree on contents with the business partners after clarifying the scope of the responsibilities.
 - CPS.SC-2: Identify, prioritize, and evaluate the organizations and people that play an important role in each layer of the three-layer structure in sustaining the operation of the organization.
 - CPS.IP-3: Introduce the system development life cycle to manage the systems.

Vulnerability ID L1_1_a_PEO [People]: People are not fully aware of the security or safety risks that may concern them.
Measure requirements:
 - CPS.AT-1: Provide appropriate training and education to all individuals in the organization and manage the record so that they can fulfill assigned roles and responsibilities to prevent and contain the occurrence and severity of security incidents.
 - CPS.AT-3: Improve the contents of training and education regarding security to members of the organization and other relevant parties of high importance in security management of the organization.

Vulnerability ID L1_1_a_PEO [People]: The security or safety risks that involve people are not managed adequately.
Measure requirements:
 - CPS.SC-5: Formulate and manage security requirements applicable to members of other relevant organizations, such as business partners, who are engaged in operations outsourced from the organization.
 - CPS.IP-9: Include items concerning security (e.g., deactivate access authorization and personnel screening) when roles change due to personnel transfer.

Vulnerability ID L1_1_a_COM [Components]: The security status of components and the status of network connections are not managed appropriately (e.g. inventory of assets, monitoring).
Measure requirements:
 - CPS.AM-1: Document and manage appropriately the list of hardware and software, and management information (e.g. name of asset, version, network address, name of asset manager, license information) of components in the system.
 - CPS.AM-5: Create and manage appropriately a list of external information systems where the organization’s assets are shared.
 - CPS.AC-1: Establish and implement the procedure to issue, manage, check, cancel, and monitor identification and authentication information of authorized goods, people, and procedures.
 - CPS.AE-1: Establish and implement the procedure to identify and manage the baseline of network operations and expected information flows between people, goods, and systems.
 - CPS.CM-5: Monitor communication with external service providers so that potential security events can be detected properly.
 - CPS.CM-6: As part of the configuration management of devices, constantly manage software configuration information, status of network connections (e.g., presence/absence of connections and access destination), and information transmission/reception status between other “organization”, people, components, and systems.

Vulnerability ID L1_1_a_SYS [System]: The organization has not implemented technical measures considering risks, or cannot confirm such implementation.
Measure requirements:
 - CPS.RA-1: Identify the vulnerability of the organization’s assets and document the list of identified vulnerability with the corresponding asset.
 - CPS.RA-3: Identify and document the assumed security incidents, their impacts on the organization’s assets, and the causes of those.
 - CPS.RA-4:
   - Conduct risk assessments regularly to check if the security rules for managing the components are effective and applicable to the components for implementation.
   - Check the presence of unacceptable known security risks, including safety hazards, from the planning and design phase of an IoT device and systems incorporating IoT devices.
 - CPS.RA-5: Consider threats, vulnerability, likelihood, and impacts when assessing risks.
 - CPS.RA-6: On the basis of the results of the risk assessment, clearly define the details of measures to prevent possible security risks, and document the organized outcome from the scope and priorities of the measures.
 - CPS.RM-2: Determine the organization’s risk tolerance level based on the result of the risk assessment and its role in the supply chain.

Vulnerability ID L1_1_a_SYS [System]: Vulnerabilities that should be handled are left unaddressed in the system.
Measure requirements:
 - CPS.RA-2: The security management team (SOC/CSIRT) collects information, including vulnerability and threats, from internal and external sources (through internal tests, security information, security researchers, etc.), analyzes the information, and establishes a process to implement and use measures.
 - CPS.IP-2: Restrict the software to be added after installing in the IoT devices and servers.
 - CPS.IP-10: Develop a vulnerability remediation plan, and modify the vulnerability of the components according to the plan.
 - CPS.MA-1: Discuss the method of conducting important security updates and the like on IoT devices and servers. Then, apply those security updates with managed tools properly and in a timely manner while recording the history.
 - CPS.MA-2: Conduct remote maintenance of the IoT devices and servers while granting approvals and recording logs so that unauthorized access can be prevented.
 - CPS.CM-6: As part of the configuration management of devices, constantly manage software configuration information, status of network connections (e.g., presence/absence of connections and access destination), and information transmission/reception status between other “organization”, people, components, and systems.
 - CPS.CM-7: Confirm the existence of vulnerability that requires a regular check-up in IoT devices and servers managed within the organization.

Vulnerability ID L1_1_a_SYS [System]: Settings in the system where the data to be protected is stored are not secure.
Measure requirements:
 - CPS.IP-1: Introduce and implement the process to manage the initial setting procedure (e.g., password) and setting change procedure for IoT devices and servers.
 - CPS.PT-2: Minimize functions of IoT devices and servers by physically and logically blocking unnecessary network ports, USBs, and serial ports accessing directly the main bodies of IoT devices and servers etc.

Vulnerability ID L1_1_a_SYS [System]: Regarding access to stored information, a request sender is not identified / authenticated in a manner suited to the level of confidentiality of such information.
Measure requirements:
 - CPS.GV-3: Understand the level of data protection required by laws and arrangements regarding handling of data shared only by relevant organizations, develop data classification methods based on each requirement, and properly classify and protect data throughout the whole life cycle.
 - CPS.AC-1: Establish and implement the procedure to issue, manage, check, cancel, and monitor identification and authentication information of authorized goods, people, and procedures.
 - CPS.AC-5: Segregate duties and areas of responsibility properly (e.g. segregate user functions from system administrator functions).
 - CPS.AC-6: Adopt high confidence methods of authentication where appropriate based on risk (e.g. multi-factor authentication, combining more than two types of authentication) when logging in to the system over the network for the privileged user.
 - CPS.AC-9: Authenticate and authorize logical accesses to system components by IoT devices and users according to the transaction risks (personal security, privacy risks, and other organizational risks).

Vulnerability ID L1_1_a_SYS [System]: The organization does not take physical security measures such as access control and monitoring of areas where its IoT devices and servers are installed.
Measure requirements:
 - CPS.AC-2: Implement appropriate physical security measures such as locking and limiting access to the areas where the IoT devices and servers are installed, using entrance and exit controls, biometric authentication, deploying surveillance cameras, and inspecting belongings and body weight.
 - CPS.IP-5: Implement physical measures such as preparing an uninterruptible power supply, a fire protection facility, and protection from water infiltration to follow the policies and rules related to the physical operating environment, including the IoT devices and servers installed in the organization.
 - CPS.PT-2: Minimize functions of IoT devices and servers by physically and logically blocking unnecessary network ports, USBs, and serial ports accessing directly the main bodies of IoT devices and servers etc.
 - CPS.CM-2: Perform setting, recording, and monitoring of proper physical access, considering the importance of IoT devices and servers.

Vulnerability ID L1_1_a_SYS [System]: The system has no mechanism for detecting and handling any abnormality related to security as soon as it arises.
Measure requirements:
 - CPS.PT-1: Determine and document the subject or scope of the audit recording/log recording, and implement and review those records in order to properly detect high-risk security incidents.
 - CPS.AE-1: Establish and implement the procedure to identify and manage the baseline of network operations and expected information flows between people, goods, and
systems.
Conduct network and access monitoring and control at the contact points between CPS.CM-1
corporate networks and wide area networks.
- Use IoT devices that can detect abnormal behaviors and suspend operations by CPS.CM-3
comparing the instructed behaviors and actual ones.
- Validate whether information provided from cyberspace contains malicious code,
and is within the permissible range before any action based on the data.
Monitor communication with external service providers so that potential security CPS.CM-5
events can be detected properly.
Develop and implement previously the procedure of response after detecting CPS.RP-1
incidents (securith operation process) that includes the response of Organization,
People, Componens, System to identify the content of response, priority, and scope
of response taken after an incident occurs.

B-1-1
Appendix B - The First Layer

Table columns: Risk sources (#, Function, Assumed security incident, Threat, Vulnerability ID, Vulnerability) and Measure (Measure Requirement, Requirement ID)
Vulnerability ID: L1_1_a_DAT
Vulnerability: [Data]
  - Classification concerning protection of data managed in own organization is not clear.
Measure requirements:
  CPS.GV-3  Understand the level of data protection required by laws and arrangements regarding handling of data shared only by relevant organizations, develop data classification methods based on each requirement, and properly classify and protect data throughout the whole life cycle.

Vulnerability: [Data]
  - Data protection at a predefined level of confidentiality is not implemented.
Measure requirements:
  CPS.SC-6  Conduct regular assessments through auditing, test results, or other checks of relevant parties such as business partners to ensure they are fulfilling their contractual obligations.
  CPS.DS-2  Encrypt information with an appropriate level of security strength, and store them.
  CPS.DS-3  Encrypt the communication channel when communicating between IoT devices and servers or in cyberspace.
  CPS.DS-4  Encrypt information itself when sending/receiving information.
  CPS.DS-5  Securely control encryption keys throughout their life cycle to ensure proper operation and securely transmitted, received and stored data.
  CPS.DS-9  Properly control outbound communications that send information to be protected to prevent improper data breach.

Vulnerability ID: L1_1_a_PRO
Vulnerability: [Procedure]
  - Appropriate procedures for security risk management have not been established.
Measure requirements:
  CPS.GV-1  Develop security policies, define roles and responsibilities for security across the organization and other relevant parties, and clarify the information-sharing method among stakeholders.
  CPS.GV-4  Develop a strategy and secure resources to implement risk management regarding security.
  CPS.RM-1  Confirm the implementation status of the organization’s cyber security risk management and communicate the results to appropriate parties within the organization (e.g. senior management). Define the scope of responsibilities of the organization and the relevant parties (e.g. subcontractor), and establish and implement the process to confirm the implementation status of security risk management of relevant parties.
  CPS.SC-3  When signing contracts with external organizations, check if the security management of the other relevant organizations properly complies with the security requirements defined by the organization while considering the objectives of such contracts and results of risk management.
  CPS.SC-4  When signing contracts with external parties, check if the products and services provided by the other relevant organizations properly comply with the security requirements defined by the organization while considering the objectives of such contracts and results of risk management.
  CPS.SC-6  Conduct regular assessments through auditing, test results, or other checks of relevant parties such as business partners to ensure they are fulfilling their contractual obligations.
  CPS.SC-7  Formulate and implement procedures to address noncompliance to contractual requirements found as a result of an audit, test, or other check on relevant parties.
  CPS.SC-10 Develop and manage a procedure to be executed when a contract with other relevant organizations such as business partners is finished (e.g., expiration of contract period, end of support).
  CPS.SC-11 Continuously improve the standard of security measures relevant to the supply chain, related procedures, and so on.
  CPS.IP-7  Assess the lessons learned from security incident response and the results of monitoring, measuring, and evaluating internal and external attacks, and improve the processes of protecting the assets.
Assumed security incident: Data that must be protected is tampered with in an area managed by the organization
Threats:
  - Identity spoofing using a stolen ID/password of a proper user
  - Man-in-the-middle attacks to falsify data on communication paths
  - Malware infection exploiting security vulnerabilities in the system
  - Internal fraud by an authorized user
  - Physical intrusion into the area where protection is required
  - Physical destruction of media handling data that needs protection

Vulnerability ID: L1_1_b_ORG
Vulnerability: [Organization]
  - Security risks are not managed in accordance with appropriate procedures, and other organizations and people needed are not involved in risk management.
Measure requirements:
  CPS.AM-6  Classify and prioritize resources (e.g., People, Components, Data, and System) by function, importance, and business value, and communicate to the organizations and people relevant to those resources in business.
  CPS.BE-2  Define policies and standard measures regarding security that are consistent with the high-priority business and operations of the organization, and share them with parties relevant to the organization’s business (including suppliers and third-party providers).
  CPS.SC-1  Formulate the standard of security measures relevant to the supply chain in consideration of the business life cycle, and agree on contents with the business partners after clarifying the scope of the responsibilities.
  CPS.SC-2  Identify, prioritize, and evaluate the organizations and people that play an important role in each layer of the three-layer structure in sustaining the operation of the organization.
  CPS.IP-3  Introduce the system development life cycle to manage the systems.

Vulnerability ID: L1_1_b_PEO
Vulnerability: [People]
  - People are not fully aware of the security or safety risks that may concern them.
Measure requirements:
  CPS.AT-1  Provide appropriate training and education to all individuals in the organization and manage the record so that they can fulfill assigned roles and responsibilities to prevent and contain the occurrence and severity of security incidents.
  CPS.AT-3  Improve the contents of training and education regarding security to members of the organization and other relevant parties of high importance in security management of the organization.

Vulnerability: [People]
  - The security or safety risks that involve people are not managed adequately.
Measure requirements:
  CPS.SC-5  Formulate and manage security requirements applicable to members of other relevant organizations, such as business partners, who are engaged in operations outsourced from the organization.
  CPS.IP-9  Include items concerning security (e.g., deactivate access authorization and personnel screening) when roles change due to personnel transfer.

Vulnerability ID: L1_1_b_COM
Vulnerability: [Components]
  - The security status of components that compose information systems and industrial control systems and the status of network connections are not managed appropriately (e.g. inventory of assets, monitoring).
Measure requirements:
  CPS.AM-1  Document and manage appropriately the list of hardware and software, and management information (e.g. name of asset, version, network address, name of asset manager, license information) of components in the system.
  CPS.AM-5  Create and manage appropriately a list of external information systems where the organization’s assets are shared.
  CPS.AC-1  Establish and implement the procedure to issue, manage, check, cancel, and monitor identification and authentication information of authorized goods, people, and procedures.
  CPS.AE-1  Establish and implement the procedure to identify and manage the baseline of network operations and expected information flows between people, goods, and systems.
  CPS.CM-5  Monitor communication with external service providers so that potential security events can be detected properly.
  CPS.CM-6  As part of the configuration management of devices, constantly manage software configuration information, status of network connections (e.g., presence/absence of connections and access destination), and information transmission/reception status between other “organization”, people, components, and systems.

Vulnerability ID: L1_1_b_SYS
Vulnerability: [System]
  - The organization has not implemented technical measures considering risks, or cannot confirm such implementation.
Measure requirements:
  CPS.RA-1  Identify the vulnerability of the organization’s assets and document the list of identified vulnerability with the corresponding asset.
  CPS.RA-3  Identify and document the assumed security incidents, their impacts on the organization’s assets, and the causes of those.
  CPS.RA-4  - Conduct risk assessments regularly to check if the security rules for managing the components are effective and applicable to the components for implementation.
            - Check the presence of unacceptable known security risks, including safety hazards, from the planning and design phase of an IoT device and systems incorporating IoT devices.
  CPS.RA-5  Consider threats, vulnerability, likelihood, and impacts when assessing risks.
  CPS.RA-6  - On the basis of the results of the risk assessment, clearly define the details of measures to prevent possible security risks, and document the organized outcome from the scope and priorities of the measures.
  CPS.RM-2  Determine the organization’s risk tolerance level based on the result of the risk assessment and its role in the supply chain.

Vulnerability: [System]
  - Settings in the system where the data to be protected is stored are not secure.
Measure requirements:
  CPS.IP-1  Introduce and implement the process to manage the initial setting procedure (e.g., password) and setting change procedure for IoT devices and servers.
  CPS.PT-2  Minimize functions of IoT devices and servers by physically and logically blocking unnecessary network ports, USBs, and serial ports accessing directly the main bodies of IoT devices and servers etc.

Vulnerability: [System]
  - Regarding access to stored information, a request sender is not identified / authenticated in a manner suited to the level of confidentiality of such information.
Measure requirements:
  CPS.GV-3  Understand the level of data protection required by laws and arrangements regarding handling of data shared only by relevant organizations, develop data classification methods based on each requirement, and properly classify and protect data throughout the whole life cycle.
  CPS.AC-1  Establish and implement the procedure to issue, manage, check, cancel, and monitor identification and authentication information of authorized goods, people, and procedures.
  CPS.AC-5  Segregate duties and areas of responsibility properly (e.g. segregate user functions from system administrator functions).
  CPS.AC-6  Adopt high confidence methods of authentication where appropriate based on risk (e.g. multi-factor authentication, combining more than two types of authentication) when logging in to the system over the network for the privileged user.
  CPS.AC-9  Authenticate and authorize logical accesses to system components by IoT devices and users according to the transaction risks (personal security, privacy risks, and other organizational risks).

Vulnerability: [System]
  - The system does not have a mechanism to quickly detect and respond to anomalies on the network (e.g., spoofing, message tampering).
Measure requirements:
  CPS.AE-3  Identify the security events accurately by implementing the procedure to conduct a correlation analysis of the security events and comparative analysis with the threat information obtained from outside the organization.
  CPS.CM-3  - Validate whether information provided from cyberspace contains malicious code, and is within the permissible range before any action based on the data.
  CPS.DP-4  Continuously improve the process of detecting security events.

B-1-2
Vulnerability ID: L1_1_b_PRO
Vulnerability: [Procedure]
  - Appropriate procedures for security risk management have not been established.
Measure requirements:
  CPS.GV-1  Develop security policies, define roles and responsibilities for security across the organization and other relevant parties, and clarify the information-sharing method among stakeholders.
  CPS.GV-4  Develop a strategy and secure resources to implement risk management regarding security.
  CPS.RM-1  Confirm the implementation status of the organization’s cyber security risk management and communicate the results to appropriate parties within the organization (e.g. senior management). Define the scope of responsibilities of the organization and the relevant parties (e.g. subcontractor), and establish and implement the process to confirm the implementation status of security risk management of relevant parties.
  CPS.SC-3  When signing contracts with external organizations, check if the security management of the other relevant organizations properly complies with the security requirements defined by the organization while considering the objectives of such contracts and results of risk management.
  CPS.SC-4  When signing contracts with external parties, check if the products and services provided by the other relevant organizations properly comply with the security requirements defined by the organization while considering the objectives of such contracts and results of risk management.
  CPS.SC-6  Conduct regular assessments through auditing, test results, or other checks of relevant parties such as business partners to ensure they are fulfilling their contractual obligations.
  CPS.SC-7  Formulate and implement procedures to address noncompliance to contractual requirements found as a result of an audit, test, or other check on relevant parties.
  CPS.SC-10 Develop and manage a procedure to be executed when a contract with other relevant organizations such as business partners is finished (e.g., expiration of contract period, end of support).
  CPS.SC-11 Continuously improve the standard of security measures relevant to the supply chain, related procedures, and so on.
  CPS.IP-7  Assess the lessons learned from security incident response and the results of monitoring, measuring, and evaluating internal and external attacks, and improve the processes of protecting the assets.

Vulnerability ID: L1_1_b_DAT
Vulnerability: [Data]
  - Data are not protected enough in communication paths.
Measure requirements:
  CPS.DS-3  Encrypt the communication channel when communicating between IoT devices and servers or in cyberspace.
  CPS.DS-4  Encrypt information itself when sending/receiving information.

Vulnerability: [Data]
  - Data being handled have no mechanism to detect falsification.
Measure requirements:
  CPS.DS-11 Perform integrity checking on information to be sent, received, and stored.
Assumed security incident: The system dealing with the data of its own organization stops due to a denial of service attack, ransomware infection, etc.
Threats:
  - DoS attacks on computer equipment and communication devices (e.g., servers) that comprise a system
  - Malware infection exploiting security vulnerabilities in the system
  - Transmission of jamming waves

Vulnerability ID: L1_1_c_ORG
Vulnerability: [Organization]
  - Security risks are not managed in accordance with appropriate procedures, and other organizations and people needed are not involved in risk management.
Measure requirements:
  CPS.AM-6  Classify and prioritize resources (e.g., People, Components, Data, and System) by function, importance, and business value, and communicate to the organizations and people relevant to those resources in business.
  CPS.BE-2  Define policies and standard measures regarding security that are consistent with the high-priority business and operations of the organization, and share them with parties relevant to the organization’s business (including suppliers and third-party providers).
  CPS.SC-1  Formulate the standard of security measures relevant to the supply chain in consideration of the business life cycle, and agree on contents with the business partners after clarifying the scope of the responsibilities.
  CPS.SC-2  Identify, prioritize, and evaluate the organizations and people that play an important role in each layer of the three-layer structure in sustaining the operation of the organization.
  CPS.IP-3  Introduce the system development life cycle to manage the systems.

Vulnerability ID: L1_1_c_PEO
Vulnerability: [People]
  - People are not fully aware of the security or safety risks that may concern them.
Measure requirements:
  CPS.AT-1  Provide appropriate training and education to all individuals in the organization and manage the record so that they can fulfill assigned roles and responsibilities to prevent and contain the occurrence and severity of security incidents.
  CPS.AT-3  Improve the contents of training and education regarding security to members of the organization and other relevant parties of high importance in security management of the organization.

Vulnerability: [People]
  - The security or safety risks that involve people are not managed adequately.
Measure requirements:
  CPS.SC-8  Collect and securely store data proving that the organization is fulfilling its contractual obligations with other relevant parties or individuals, and prepare them for disclosure as needed within appropriate limits.
  CPS.IP-9  Include items concerning security (e.g., deactivate access authorization and personnel screening) when roles change due to personnel transfer.

Vulnerability ID: L1_1_c_COM
Vulnerability: [Components]
  - The security status of components that compose information systems and industrial control systems and the status of network connections are not managed appropriately (e.g. inventory of assets, monitoring).
Measure requirements:
  CPS.AM-1  Document and manage appropriately the list of hardware and software, and management information (e.g. name of asset, version, network address, name of asset manager, license information) of components in the system.
  CPS.AM-5  Create and manage appropriately a list of external information systems where the organization’s assets are shared.
  CPS.AC-1  Establish and implement the procedure to issue, manage, check, cancel, and monitor identification and authentication information of authorized goods, people, and procedures.
  CPS.AE-1  Establish and implement the procedure to identify and manage the baseline of network operations and expected information flows between people, goods, and systems.
  CPS.CM-5  Monitor communication with external service providers so that potential security events can be detected properly.
  CPS.CM-6  As part of the configuration management of devices, constantly manage software configuration information, status of network connections (e.g., presence/absence of connections and access destination), and information transmission/reception status between other “organization”, people, components, and systems.

Vulnerability ID: L1_1_c_SYS
Vulnerability: [System]
  - The organization has not implemented technical measures considering risks, or cannot confirm such implementation.
Measure requirements:
  CPS.RA-1  Identify the vulnerability of the organization’s assets and document the list of identified vulnerability with the corresponding asset.
  CPS.RA-3  Identify and document the assumed security incidents, their impacts on the organization’s assets, and the causes of those.
  CPS.RA-4  - Conduct risk assessments regularly to check if the security rules for managing the components are effective and applicable to the components for implementation.
  CPS.RA-5  Consider threats, vulnerability, likelihood, and impacts when assessing risks.
  CPS.RA-6  - On the basis of the results of the risk assessment, clearly define the details of measures to prevent possible security risks, and document the organized outcome from the scope and priorities of the measures.
  CPS.RM-2  Determine the organization’s risk tolerance level based on the result of the risk assessment and its role in the supply chain.

Vulnerability: [System]
  - Communications to IoT devices, servers, etc. are not properly controlled.
Measure requirements:
  CPS.PT-2  Minimize functions of IoT devices and servers by physically and logically blocking unnecessary network ports, USBs, and serial ports accessing directly the main bodies of IoT devices and servers etc.
  CPS.CM-1  Conduct network and access monitoring and control at the contact points between corporate networks and wide area networks.

Vulnerability: [System]
  - The system does not cope with physical interference (e.g. jamming waves) to IoT devices and servers.
Measure requirements:
  CPS.AC-2  Implement appropriate physical security measures such as locking and limiting access to the areas where the IoT devices and servers are installed, using entrance and exit controls, biometric authentication, deploying surveillance cameras, and inspecting belongings and body weight.
  CPS.IP-5  Implement physical measures such as preparing an uninterruptible power supply, a fire protection facility, and protection from water infiltration to follow the policies and rules related to the physical operating environment, including the IoT devices and servers installed in the organization.
  CPS.CM-2  Perform setting, recording, and monitoring of proper physical access, considering the importance of IoT devices and servers.

Vulnerability: [System]
  - A system that contains IoT devices does not have adequate resources (i.e., processing capacity, communication bandwidths, and storage capacity).
Measure requirements:
  CPS.DS-6  Secure sufficient resources (e.g., People, Components, system) for components and systems, and protect assets properly to minimize bad effects under cyber attack (e.g., DoS attack).
  CPS.DS-7  Carry out periodic quality checks, prepare standby devices and uninterruptible power supplies, provide redundancy, detect failures, conduct replacement work, and update software for IoT devices, communication devices, circuits, etc.

B-1-3
Vulnerability ID: L1_1_c_PRO
Vulnerability: [Procedure]
  - Appropriate procedures for security risk management have not been established.
Measure requirements:
  CPS.GV-1  Develop security policies, define roles and responsibilities for security across the organization and other relevant parties, and clarify the information-sharing method among stakeholders.
  CPS.GV-4  Develop a strategy and secure resources to implement risk management regarding security.
  CPS.RM-1  Confirm the implementation status of the organization’s cyber security risk management and communicate the results to appropriate parties within the organization (e.g. senior management). Define the scope of responsibilities of the organization and the relevant parties (e.g. subcontractor), and establish and implement the process to confirm the implementation status of security risk management of relevant parties.
  CPS.SC-3  When signing contracts with external organizations, check if the security management of the other relevant organizations properly complies with the security requirements defined by the organization while considering the objectives of such contracts and results of risk management.
  CPS.SC-4  When signing contracts with external parties, check if the products and services provided by the other relevant organizations properly comply with the security requirements defined by the organization while considering the objectives of such contracts and results of risk management.
  CPS.SC-6  Conduct regular assessments through auditing, test results, or other checks of relevant parties such as business partners to ensure they are fulfilling their contractual obligations.
  CPS.SC-7  Formulate and implement procedures to address noncompliance to contractual requirements found as a result of an audit, test, or other check on relevant parties.
  CPS.SC-10 Develop and manage a procedure to be executed when a contract with other relevant organizations such as business partners is finished (e.g., expiration of contract period, end of support).
  CPS.SC-11 Continuously improve the standard of security measures relevant to the supply chain, related procedures, and so on.
  CPS.IP-7  Assess the lessons learned from security incident response and the results of monitoring, measuring, and evaluating internal and external attacks, and improve the processes of protecting the assets.
Assumed security incident: Security measures that satisfy the legal requirements for a system cannot be implemented
Threat: All threats

Vulnerability ID: L1_2_a_ORG
Vulnerability: [Organization]
  - The organization is unaware of legal systems with which it should comply, or it has not developed, or is not operating, internal rules that conform to the legal systems.
Measure requirements:
  CPS.GV-2  Formulate internal rules considering domestic and foreign laws, including the Act on the Protection of Personal Information and Unfair Competition Prevention Act, as well as industry guidelines, and review and revise the rules on a continuing and timely basis in accordance with any changes in relevant laws, regulations, and industry guidelines.
  CPS.DP-2  Detect security events in the monitoring process, in compliance with applicable local regulations, directives, industry standards, and other rules.

Vulnerability ID: L1_2_a_PEO
Vulnerability: [People]
  - People are unaware of legal systems with which they should comply, or they do not follow internal rules that conform to the legal systems.
Measure requirements:
  CPS.AT-1  Provide appropriate training and education to all individuals in the organization and manage the record so that they can fulfill assigned roles and responsibilities to prevent and contain the occurrence and severity of security incidents.

Vulnerability ID: L1_2_a_COM
Vulnerability: [Components]
  - The type of components that must receive certain protection under a legal system is not provided with the required level of protection.
Measure requirements:
  CPS.GV-2  Formulate internal rules considering domestic and foreign laws, including the Act on the Protection of Personal Information and Unfair Competition Prevention Act, as well as industry guidelines, and review and revise the rules on a continuing and timely basis in accordance with any changes in relevant laws, regulations, and industry guidelines.

Vulnerability ID: L1_2_a_SYS
Vulnerability: [System]
  - The type of system that must receive certain protection under a legal system is not provided with the required level of protection.
Measure requirements:
  CPS.GV-2  Formulate internal rules considering domestic and foreign laws, including the Act on the Protection of Personal Information and Unfair Competition Prevention Act, as well as industry guidelines, and review and revise the rules on a continuing and timely basis in accordance with any changes in relevant laws, regulations, and industry guidelines.

Vulnerability ID: L1_2_a_PRO
Vulnerability: [Procedure]
  - Established internal procedures are not designed to ensure compliance with laws and regulations.
Measure requirements:
  CPS.GV-2  Formulate internal rules considering domestic and foreign laws, including the Act on the Protection of Personal Information and Unfair Competition Prevention Act, as well as industry guidelines, and review and revise the rules on a continuing and timely basis in accordance with any changes in relevant laws, regulations, and industry guidelines.

Vulnerability ID: L1_2_a_DAT
Vulnerability: [Data]
  - The type of data that must receive certain protection under a legal system is not provided with the required level of protection.
Measure requirements:
  CPS.GV-2  Formulate internal rules considering domestic and foreign laws, including the Act on the Protection of Personal Information and Unfair Competition Prevention Act, as well as industry guidelines, and review and revise the rules on a continuing and timely basis in accordance with any changes in relevant laws, regulations, and industry guidelines.
1_2 Continuing the business of The organization’s security All threats L1_3_a_ORG [Organization] Appoint a chief security officer, establish a security management team CPS.AE-2
the organization appropriately incidents prevent their business - The organization has not established a framework (SOC/CSIRT), and prepare a system within the organization to detect, analyze, and
even when a security incident from continuing properly for accurately detecting security incidents. respond to security events.
occurs. The security management team (SOC/CSIRT) collects information, including CPS.RA-2
vulnerability and threats from internal and external sources (through internal tests,
security information, security researchers, etc.), analyzes the information, and
establishes a process to implement and use measures.
Clarify the role and responsibility of the organization as well as service providers in CPS.DP-1
detecting security events so that they can fulfill their accountabilities.
Detect security events in the monitoring process, in compliance with applicable local CPS.DP-2
regulations, directives, industry standards, and other rules.
As part of the monitoring process, test regularly if the functions for detecting security CPS.DP-3
events work as intended, and validate these functions.
Continuously improve the process of detecting security events. CPS.DP-4
[Organization] The security management team (SOC/CSIRT) collects information, including CPS.RA-2
- The organization has not established a framework vulnerability and threats from internal and external sources (through internal tests,
for accurately handling security incidents. security information, security researchers, etc.), analyzes the information, and
establishes a process to implement and use measures.
Appoint a chief security officer, establish a security management team CPS.AE-2
(SOC/CSIRT), and prepare a system within the organization to detect, analyze, and
respond to security events.
Review the lessons learned from the responses to security incidents, and CPS.IM-1
continuously improve the security operation process.
Review the lessons learned from the responses to security incidents, and CPS.IM-2
continuously improve the business continuity plan or emergency response plan.
L1_3_a_PEO [People] - People are unable to take appropriate action when a security incident arises.
    CPS.AT-1: Provide appropriate training and education to all individuals in the organization and manage the record so that they can fulfill assigned roles and responsibilities to prevent and contain the occurrence and severity of security incidents.
    CPS.AT-3: Improve the contents of training and education regarding security to members of the organization and other relevant parties of high importance in security management of the organization.
    CPS.RP-1: Develop in advance and implement the procedure for response after detecting incidents (security operation process) that includes the response of Organization, People, Components, and System to identify the content of response, priority, and scope of response taken after an incident occurs.
L1_3_a_COM [Components] - The scope of the organization's business (e.g., products) damaged by a security incident cannot be identified.
    CPS.AM-2: Specify a method to ensure traceability based on the importance of the components produced by the organization’s supply chain.
    CPS.AM-3: Create records such as the date of production and condition of components depending on importance, and prepare and adopt internal rules regarding records of production activities in order to store components for a certain period of time.
    CPS.AN-1: Understand the impact of the security incident on the whole society including the organization and relevant parties such as partners based on the full account of the incident and the probable intent of the attacker.
L1_3_a_SYS [System] - Devices or other tools for accurately detecting security incidents are not installed or not correctly operated.
    CPS.AE-3: Identify the security events accurately by implementing the procedure to conduct a correlation analysis of the security events and comparative analysis with the threat information obtained from outside the organization.
    CPS.CM-1: Conduct network and access monitoring and control at the contact points between corporate networks and wide area networks.
    CPS.CM-6: As part of the configuration management of devices, constantly manage software configuration information, status of network connections (e.g., presence/absence of connections and access destination), and information transmission/reception status between other “organization”, people, components, and systems.

B-1-4
Appendix B - The First Layer

Table columns: # | Function | Assumed security incident | Risk sources (Threat; Vulnerability ID; Vulnerability) | Measure (Measure Requirement; Measure Requirement ID)
L1_3_a_PRO [Procedure] - The organization has not developed internal procedures for security incident handling.
    CPS.AE-5: Specify the criteria to determine the risk degree of security events.
    CPS.RP-1: Develop in advance and implement the procedure for response after detecting incidents (security operation process) that includes the response of Organization, People, Components, and System to identify the content of response, priority, and scope of response taken after an incident occurs.
    CPS.AN-1: Understand the impact of the security incident on the whole society including the organization and relevant parties such as partners based on the full account of the incident and the probable intent of the attacker.
    CPS.AN-2: Implement digital forensics upon the occurrence of the security incident.
    CPS.AN-3: Categorize and store information regarding the detected security incidents by the size of security-related impact, penetration vector, and other factors.
    CPS.MI-1: Take measures to minimize security-related damages and mitigate the impacts caused by such an incident.
[Procedure] - Security incidents are not treated in the business continuity plan. This means a highly hazardous security incident hinders the organization’s business continuity when it occurs.
    CPS.RP-3: Include security incidents in the business continuity plan or emergency response plan that outlines the action plans and response procedures to take in case of natural disasters.
    CPS.CO-1: Develop and manage rules regarding publishing information after the occurrence of the security incident.
    CPS.CO-2: Include the item in the business continuity plan or emergency response plan to the effect that the organization shall work to restore its social reputation after the occurrence of a high-risk security incident.
    CPS.CO-3: Include the item in the business continuity plan or emergency response plan to the effect that the details of the recovery activities shall be communicated to the internal and external stakeholders, executives, and management.
L1_3_a_DAT [Data] - Data necessary to continue the business at the time of the security incident has not been properly backed up, or has been backed up but does not function properly.
    CPS.AT-1: Provide appropriate training and education to all individuals in the organization and manage the record so that they can fulfill assigned roles and responsibilities to prevent and contain the occurrence and severity of security incidents.
    CPS.AT-2: Provide appropriate training and security education to members of the organization and other relevant parties of high importance in security management that may be involved in the security incident prevention and response. Then, manage the record of such training and security education.
    CPS.IP-4: Perform a periodical system backup and testing of components (e.g., IoT devices, communication devices, and circuits).
    CPS.RP-3: Include security incidents in the business continuity plan or emergency response plan that outlines the action plans and response procedures to take in case of natural disasters.
Assumed security incident: Other relevant organizations cannot continue their business properly due to the organization’s security incidents
Threat: All threats
L1_3_b_ORG [Organization] - The organization is unclear about how its components, systems, and/or data have been working with other organizations in cyberspace.
    CPS.AM-4: Create and manage appropriately network configuration diagrams and data flows within the organization.
    CPS.AM-5: Create and manage appropriately a list of external information systems where the organization’s assets are shared.
    CPS.AE-1: Establish and implement the procedure to identify and manage the baseline of network operations and expected information flows between people, goods, and systems.
    CPS.CM-6: As part of the configuration management of devices, constantly manage software configuration information, status of network connections (e.g., presence/absence of connections and access destination), and information transmission/reception status between other “organization”, people, components, and systems.
    CPS.CM-5: Monitor communication with external service providers so that potential security events can be detected properly.
[Organization] - The organization is unclear about how it has been working with other organizations (e.g., suppliers) in physical space.
    CPS.AM-7: Define roles and responsibilities for cyber security across the organization and other relevant parties.
    CPS.BE-1: Identify and share the role of the organizations in the supply chain.
    CPS.BE-3: Identify the dependency between the organization and other relevant parties and the important functions of each in the course of running the operation.
    CPS.RM-1: Confirm the implementation status of the organization’s cyber security risk management and communicate the results to appropriate parties within the organization (e.g. senior management). Define the scope of responsibilities of the organization and the relevant parties (e.g. subcontractor), and establish and implement the process to confirm the implementation status of security risk management of relevant parties.
L1_3_b_PEO [People] - People in other organizations are unable to take appropriate action when the organization has a security incident.
    CPS.SC-9: Prepare and test a procedure for incident response with relevant parties involved in the incident response activity to ensure action for incident response in the supply chain.
    CPS.AT-2: Provide appropriate training and security education to members of the organization and other relevant parties of high importance in security management that may be involved in the security incident prevention and response. Then, manage the record of such training and security education.
    CPS.AT-3: Improve the contents of training and education regarding security to members of the organization and other relevant parties of high importance in security management of the organization.
    CPS.RP-2: As part of the security operation process, define the procedure and the division of roles with regard to cooperative relations with relevant parties such as partners, and implement the process.
L1_3_b_COM [Components] - A security incident causes damage to components (products) and/or services.
    CPS.RP-4: Take appropriate measures on goods (products) whose quality is expected to be affected by some reasons, including its production facility damaged by the occurrence of the security incident.
[Components] - The organization does not retain the records of components (products) (e.g., dates of manufacture, identification numbers, and delivery destinations) delivered to/from the organization.
    CPS.AM-2: Specify a method to ensure traceability based on the importance of the components produced by the organization’s supply chain.
    CPS.AM-3: Create records such as the date of production and condition of components depending on importance, and prepare and adopt internal rules regarding records of production activities in order to store components for a certain period of time.
L1_3_b_PRO [Procedure] - Procedures for security incident handling in cooperation with other relevant organizations have not been developed.
    CPS.AE-4: Identify the impact of security events, including the impact on other relevant organizations.
    CPS.RP-2: As part of the security operation process, define the procedure and the division of roles with regard to cooperative relations with relevant parties such as partners, and implement the process.
Assumed security incident: The organization’s security incidents prevent the business of other relevant organizations from continuing properly
Threat: All threats
L1_3_c_ORG [Organization] - The organization is unclear about how its components, systems, and/or data have been working with other organizations in cyberspace.
    CPS.AM-4: Create and manage appropriately network configuration diagrams and data flows within the organization.
    CPS.AM-5: Create and manage appropriately a list of external information systems where the organization’s assets are shared.
    CPS.AE-1: Establish and implement the procedure to identify and manage the baseline of network operations and expected information flows between people, goods, and systems.
    CPS.CM-5: Monitor communication with external service providers so that potential security events can be detected properly.
    CPS.CM-6: As part of the configuration management of devices, constantly manage software configuration information, status of network connections (e.g., presence/absence of connections and access destination), and information transmission/reception status between other “organization”, people, components, and systems.
[Organization] - The organization is unclear about how it has been working with other organizations (e.g., suppliers) in physical space.
    CPS.AM-7: Define roles and responsibilities for cyber security across the organization and other relevant parties.
    CPS.BE-1: Identify and share the role of the organizations in the supply chain.
    CPS.BE-3: Identify the dependency between the organization and other relevant parties and the important functions of each in the course of running the operation.
    CPS.RM-1: Confirm the implementation status of the organization’s cyber security risk management and communicate the results to appropriate parties within the organization (e.g. senior management). Define the scope of responsibilities of the organization and the relevant parties (e.g. subcontractor), and establish and implement the process to confirm the implementation status of security risk management of relevant parties.
L1_3_c_PEO [People] - People in the organizations are unable to take appropriate action when other organizations have a security incident.
    CPS.AT-1: Provide appropriate training and education to all individuals in the organization and manage the record so that they can fulfill assigned roles and responsibilities to prevent and contain the occurrence and severity of security incidents.
    CPS.AT-3: Improve the contents of training and education regarding security to members of the organization and other relevant parties of high importance in security management of the organization.
    CPS.RP-2: As part of the security operation process, define the procedure and the division of roles with regard to cooperative relations with relevant parties such as partners, and implement the process.
L1_3_c_PRO [Procedure] - Procedures for security incident handling in cooperation with other relevant organizations have not been developed.
    CPS.RP-2: As part of the security operation process, define the procedure and the division of roles with regard to cooperative relations with relevant parties such as partners, and implement the process.
#1_3
Function: Products or services in physical space are received or shipped with desired quality
Assumed security incident: A security event occurs in the channel for product / service provisioning, causing unintended quality deterioration such as malfunction of a device.
Threat: - Fraudulent falsification by internal or external people with malicious intent
        - Insertion of a counterfeit that imitates a genuine equipment
L1_1_d_ORG [Organization] - The organization does not confirm the trustworthiness of products and services at the time of procurement.
    CPS.SC-3: When signing contracts with external organizations, check if the security management of the other relevant organizations properly complies with the security requirements defined by the organization while considering the objectives of such contracts and results of risk management.
    CPS.SC-4: When signing contracts with external parties, check if the products and services provided by the other relevant organizations properly comply with the security requirements defined by the organization while considering the objectives of such contracts and results of risk management.
    CPS.SC-7: Formulate and implement procedures to address noncompliance to contractual requirements found as a result of an audit, test, or other check on relevant parties.
    CPS.SC-8: Collect and securely store data proving that the organization is fulfilling its contractual obligations with other relevant parties or individuals, and prepare them for disclosure as needed within appropriate limits.
L1_1_d_PEO [People] - The organization's staff in charge of procurement are not fully aware of security risks related to procurement.
    CPS.AT-1: Provide appropriate training and education to all individuals in the organization and manage the record so that they can fulfill assigned roles and responsibilities to prevent and contain the occurrence and severity of security incidents.
L1_1_d_COM [Components] - Physical protection measures are not sufficiently applied to procured products and services.
    CPS.SC-4: When signing contracts with external parties, check if the products and services provided by the other relevant organizations properly comply with the security requirements defined by the organization while considering the objectives of such contracts and results of risk management.
    CPS.DS-8: When handling information to be protected or procuring devices that have an important function to the organization, use IoT devices and servers equipped with anti-tampering devices.
L1_1_d_PRO [Procedure] - There is no procedure for confirming the qualification of procured goods at the time of procurement of products and services.
    CPS.DS-11: Perform integrity checking on information to be sent, received, and stored.
    CPS.DS-12: Introduce an integrity check mechanism to verify the integrity of hardware.
    CPS.DS-13: Confirm that IoT devices and software are genuine products during the booting-up process.

B-1-6
Appendix B - The Second Layer

■ Functions/Assumed Security Incidents/Risk Sources/Measure Requirements in the Second Layer

Table columns: # | Function | Assumed security incident | Risk sources (Threat; Vulnerability ID; Vulnerability) | Measure (Measure Requirement; Measure Requirement ID)
#2_Common
Function: Both of the following functions:
    - Function to read events in physical space and translating them into digital data and sending the data to cyberspace in accordance with certain rules
    - Function to control components and displaying visualized data based on data received from cyberspace in accordance with certain rules
Assumed security incident: Unexpected behavior of the IoT device due to unauthorized access to its controls by exploiting a vulnerability results in unpredicted operation
Threat: - Malware infection using an attack tool that takes advantage of an IoT device’s vulnerability
L2_1_a_ORG [Organization] - The organization is unclear about the status of the security measures (e.g., software configurations; status of patches applied) for its IoT devices connecting to information systems and industrial control systems.
    CPS.AM-1: Document and manage appropriately the list of hardware and software, and management information (e.g. name of asset, version, network address, name of the asset manager, license information) of components in the system.
    CPS.IP-1: Introduce and implement the process to manage the initial setting procedure (e.g., password) and setting change procedure for IoT devices and servers.
    CPS.IP-2: Restrict the software to be added after installing in the IoT devices and servers.
    CPS.CM-6: As part of the configuration management of devices, constantly manage software configuration information, status of network connections (e.g., presence/absence of connections and access destination), and information transmission/reception status between other “organization”, people, components, and systems.
[Organization] - The organization does not collect or analyze information about threats and vulnerability related to the IoT devices it uses.
    CPS.RA-2: The security management team (SOC/CSIRT) collects information, including vulnerability and threats from internal and external sources (through internal tests, security information, security researchers, etc.), analyzes the information, and establishes a process to implement and use measures.
    CPS.IP-7: Assess the lessons learned from security incident response and the results of monitoring, measuring, and evaluating internal and external attacks, and improve the processes of protecting the assets.
    CPS.IP-8: Share information regarding the effectiveness of data protection technologies with appropriate partners.
    CPS.IP-10: Develop a vulnerability remediation plan, and modify the vulnerability of the components according to the plan.
    CPS.MA-1:
        - Discuss the method of conducting important security updates and the like on IoT devices and servers. Then, apply those security updates with managed tools properly and in a timely manner while recording the history.
        - Introduce IoT devices having a remote update mechanism to perform a mass update of different software programs (OS, driver, and application) through remote commands, where applicable.
    CPS.MA-2: Conduct remote maintenance of the IoT devices and servers while granting approvals and recording logs so that unauthorized access can be prevented.
L2_1_a_COM [Components] - IoT devices in use do not have adequate security functions.
    CPS.RA-4: Check the presence of unacceptable known security risks, including safety hazards, from the planning and design phase of an IoT device and systems incorporating IoT devices.
    CPS.RA-6: React accordingly to the security risks and the associated safety risks identified as a result of the assessment conducted at the planning and design phase of an IoT device and systems incorporating IoT devices.
    CPS.SC-4: When signing contracts with external parties, check if the products and services provided by the other relevant organizations properly comply with the security requirements defined by the organization while considering the objectives of such contracts and results of risk management.
    CPS.DS-15: Use products that provide measurable security in order to ensure the availability of security reporting and the trustworthiness of sensing data through integrity protection.

L2_1_a_PRO [Procedure] - There is no procedure, at the time of procurement, for checking whether the goods have appropriate levels of security functions.
    CPS.SC-4: When signing contracts with external parties, check if the products and services provided by the other relevant organizations properly comply with the security requirements defined by the organization while considering the objectives of such contracts and results of risk management.
    CPS.DS-15: Use products that provide measurable security in order to ensure the availability of security reporting and the trustworthiness of sensing data through integrity protection.
    CPS.RA-4: Check the presence of unacceptable known security risks, including safety hazards, from the planning and design phase of an IoT device and systems incorporating IoT devices.
    CPS.RA-6: React accordingly to the security risks and the associated safety risks identified as a result of the assessment conducted at the planning and design phase of an IoT device and systems incorporating IoT devices.
[Procedure] - The response procedure after detecting malfunction of the IoT device is not defined.
    CPS.RP-1: Develop in advance and implement the procedure for response after detecting incidents (security operation process) that includes the response of Organization, People, Components, and System to identify the content of response, priority, and scope of response taken after an incident occurs.
Assumed security incident: Unexpected behavior of the IoT device due to unauthorized access to its controls by impersonation of an authorized user results in unpredicted operation
Threat: - Identity spoofing using a stolen ID of a proper host
        - Unauthorized access that exploits vulnerable protocols with no security means
L2_1_b_ORG [Organization] - The organization has no mechanism for regularly checking proper use of its network.
    CPS.PT-1: Determine and document the subject or scope of the audit recording/log recording, and implement and review those records in order to properly detect high-risk security incidents.
    CPS.AE-1: Establish and implement the procedure to identify and manage the baseline of network operations and expected information flows between people, goods, and systems.
    CPS.CM-1: Conduct network and access monitoring and control at the contact points between corporate networks and wide area networks.
L2_1_b_COM [Components] - Some settings are not robust enough in terms of security (e.g., passwords, ports).
    CPS.IP-1: Introduce and implement the process to manage the initial setting procedure (e.g., password) and setting change procedure for IoT devices and servers.
    CPS.PT-2: Minimize functions of IoT devices and servers by physically and logically blocking unnecessary network ports, USBs, and serial ports that directly access the main bodies of IoT devices and servers, etc.
L2_1_b_SYS [System] - Access control of communication partners is not robust enough.
    CPS.AC-4: Prevent unauthorized log-in to IoT devices and servers by measures such as implementing functions for lockout after a specified number of incorrect log-in attempts and providing a time interval until safety is ensured.
    CPS.AC-7: Develop a policy about controlling data flow, and according to it protect the integrity of the network by means such as appropriate network isolation (e.g., development and test environment vs. production environment, and the environment incorporating IoT devices vs. other environments within the organization).
    CPS.AC-8: Restrict communications by IoT devices and servers to those with entities (e.g. people, components, system, etc.) identified through proper procedures.
    CPS.AC-9: Authenticate and authorize logical accesses to system components by IoT devices and users according to the transaction risks (personal security, privacy risks, and other organizational risks).
L2_1_b_PRO [Procedure] - No procedure for security settings of an IoT device is established.
    CPS.IP-1: Introduce and implement the process to manage the initial setting procedure (e.g., password) and setting change procedure for IoT devices and servers.
[Procedure] - The response procedure after detecting malfunction of the IoT device is not defined.
    CPS.RP-1: Develop in advance and implement the procedure for response after detecting incidents (security operation process) that includes the response of Organization, People, Components, and System to identify the content of response, priority, and scope of response taken after an incident occurs.
Assumed security incident: Unauthorized input to the IoT device due to unauthorized access to the system that remotely manages the IoT devices results in unpredicted operation
Threat: - Malware infection that takes advantage of a system’s vulnerability
        - Identity spoofing using a stolen ID/password of a proper user
        - Unauthorized command from system managing IoT device to IoT device
L2_1_c_ORG [Organization] - The organization is unclear about the status of the security measures (e.g., software configurations; the status of patches applied) for its system that manages IoT devices.
    CPS.CM-6: As part of the configuration management of devices, constantly manage software configuration information, status of network connections (e.g., presence/absence of connections and access destination), and information transmission/reception status between other “organization”, people, components, and systems.
L2_1_c_SYS [System] - Access control regarding system administration authority is not robust enough.
    CPS.AC-5: Segregate duties and areas of responsibility properly (e.g. segregate user functions from system administrator functions).
    CPS.AC-6: Adopt high confidence methods of authentication where appropriate based on risk (e.g. multi-factor authentication, combining more than two types of authentication) when logging in to the system over the network for the privileged user.
[System] - Access control regarding system administration authority is not robust enough.
    CPS.RA-2: The security management team (SOC/CSIRT) collects information, including vulnerability and threats from internal and external sources (through internal tests, security information, security researchers, etc.), analyzes the information, and establishes a process to implement and use measures.
    CPS.IP-2: Restrict the software to be added after installing in the IoT devices and servers.
    CPS.MA-1:
        - Discuss the method of conducting important security updates and the like on IoT devices and servers. Then, apply those security updates with managed tools properly and in a timely manner while recording the history.
        - Introduce IoT devices having a remote update mechanism to perform a mass update of different software programs (OS, driver, and application) through remote commands, where applicable.
    CPS.MA-2: Conduct remote maintenance of the IoT devices and servers while granting approvals and recording logs so that unauthorized access can be prevented.
    CPS.CM-6: As part of the configuration management of devices, constantly manage software configuration information, status of network connections (e.g., presence/absence of connections and access destination), and information transmission/reception status between other “organization”, people, components, and systems.
    CPS.CM-7: Confirm the existence of vulnerability that requires a regular check-up in IoT devices and servers managed within the organization.
[Procedure] - The response procedure after detecting malfunction of the IoT device is not defined.
    CPS.RP-1: Develop in advance and implement the procedure for response after detecting incidents (security operation process) that includes the response of Organization, People, Components, and System to identify the content of response, priority, and scope of response taken after an incident occurs.
Assumed security incident: Functions of IoT devices and communication devices stop due to attacks such as denial-of-service (DoS) attack
Threat: - DoS attacks on IoT and communication devices that comprise an IoT system
L2_1_d_SYS [System] - A system that contains IoT devices does not have adequate resources (i.e., processing capacity, communication bandwidths, and storage capacity).
    CPS.DS-6: Secure sufficient resources (e.g., People, Components, system) for components and systems, and protect assets properly to minimize bad effects under cyber attack (e.g., DoS attack).
    CPS.DS-7: Carry out periodic quality checks, prepare standby devices and uninterruptible power supplies, provide redundancy, detect failures, conduct replacement work, and update software for IoT devices, communication devices, circuits, etc.
    CPS.IP-4: Perform a periodical system backup and testing of components (e.g., IoT devices, communication devices, and circuits).
[Procedure] - The response procedure after detecting the stopping of the IoT device is not defined.
    CPS.RP-1: Develop in advance and implement the procedure for response after detecting incidents (security operation process) that includes the response of Organization, People, Components, and System to identify the content of response, priority, and scope of response taken after an incident occurs.
#2_1
Function: Function to control components and displaying visualized data based on data received from cyberspace in accordance with certain rules
Assumed security incident: Behavior that threatens safety, regardless of the behavior being normal or abnormal
Threat: - Command injection by an unauthorized entity
        - Unacceptable input data from cyberspace
        - Tampering with control signals by malware
L2_2_a_ORG [Organization] - The organization does not check whether the devices have proper levels of safety functions at the time of procurement.
    CPS.RA-4: Check the presence of unacceptable known security risks, including safety hazards, from the planning and design phase of an IoT device and systems incorporating IoT devices.
    CPS.SC-4: When signing contracts with external parties, check if the products and services provided by the other relevant organizations properly comply with the security requirements defined by the organization while considering the objectives of such contracts and results of risk management.
    CPS.SC-7: Formulate and implement procedures to address noncompliance to contractual requirements found as a result of an audit, test, or other check on relevant parties.
    CPS.SC-8: Collect and securely store data proving that the organization is fulfilling its contractual obligations with other relevant parties or individuals, and prepare them for disclosure as needed within appropriate limits.
    CPS.PT-3: Introduce IoT devices that implement safety functions, assuming that these devices are connected to the network.
L2_2_a_COM [Components] - There is no mechanism for verifying data that has been input.
    CPS.CM-3:
        - Use IoT devices that can detect abnormal behaviors and suspend operations by comparing the instructed behaviors and actual ones.
        - Validate whether information provided from cyberspace contains malicious code, and is within the permissible range before any action based on the data.
L2_2_a_SYS [System] - Safety instrumentation is not considered in the system being operated.
    CPS.RA-4: Check the presence of unacceptable known security risks, including safety hazards, from the planning and design phase of an IoT device and systems incorporating IoT devices.
    CPS.RA-6:
        - On the basis of the results of the risk assessment, clearly define the details of measures to prevent possible security risks, and document the organized outcome from the scope and priorities of the measures.
        - React accordingly to the security risks and the associated safety risks identified as a result of the assessment conducted at the planning and design phase of an IoT device and systems incorporating IoT devices.
L2_2_a_PRO [Procedure] - The organization has no established courses of action to take when any of its devices shows a sign of compromising safety.
    CPS.RP-1: Develop in advance and implement the procedure for response after detecting incidents (security operation process) that includes the response of Organization, People, Components, and System to identify the content of response, priority, and scope of response taken after an incident occurs.
2_2
Function: Function to read events in physical space, translate them into digital data, and send the data to cyberspace in accordance with certain rules
Assumed security incident: Data is tampered with in the communication path between the IoT device and cyberspace
Threats:
- Man-in-the-middle attack that tampers with data on the communication channel.

L2_3_a_ORG [Organization]
Vulnerability: The organization does not check whether the devices have functions to detect and prevent tampering at the time of procurement.
Measure requirements:
- CPS.SC-4: When signing contracts with external parties, check if the products and services provided by the other relevant organizations properly comply with the security requirements defined by the organization while considering the objectives of such contracts and results of risk management.
- CPS.DS-15: Use products that provide measurable security in order to ensure the availability of security reporting and the trustworthiness of sensing data through integrity protection.

Assumed security incident: An unauthorized or tampered-with IoT device connects to the network and transmits incorrect data with malicious intent
Threats:
- A stolen and illegally modified IoT device connected to a network
- Tampering by internal or external people
- Tampering with sensor readings, thresholds, and settings

L2_3_b_ORG [Organization]
Vulnerability: The organization is unclear about the status of devices connected to its information system or industrial control system.
Measure requirements:
- CPS.AM-1: Document and manage appropriately the list of hardware and software, and management information (e.g., name of asset, version, network address, name of asset manager, license information) of components in the system.
- CPS.IP-1: Introduce and implement the process to manage the initial setting procedure (e.g., password) and setting change procedure for IoT devices and servers.
- CPS.CM-6: As part of the configuration management of devices, constantly manage software configuration information, status of network connections (e.g., presence/absence of connections and access destination), and information transmission/reception status between other “organization”, people, components, and systems.

L2_3_b_PEO [People]
Vulnerability: Physical unauthorized acts against IoT devices by internal or external people cannot be prevented.
Measure requirements:
- CPS.SC-5: Formulate and manage security requirements applicable to members of other relevant organizations, such as business partners, who are engaged in operations outsourced from the organization.
- CPS.AC-2: Implement appropriate physical security measures such as locking and limiting access to the areas where the IoT devices and servers are installed, using entrance and exit controls, biometric authentication, deploying surveillance cameras, and inspecting belongings and body weight.
- CPS.CM-2: Perform setting, recording, and monitoring of proper physical access, considering the importance of IoT devices and servers.

L2_3_b_COM [Components]
Vulnerability: The devices used are not tamper-resistant, which makes it impossible to prevent physical falsification.
Measure requirements:
- CPS.DS-8: When handling information to be protected or procuring devices that have an important function for the organization, use IoT devices and servers equipped with anti-tampering devices.

L2_3_b_SYS [System]
Vulnerability: The organization does not regularly verify the integrity of connected devices.
Measure requirements:
- CPS.DS-10: Conduct integrity checks of software running on the IoT devices and servers at a time determined by the organization, and prevent unauthorized software from launching.
- CPS.DS-12: Introduce an integrity check mechanism to verify the integrity of hardware.

[System]
Vulnerability: It is not properly detected that an unauthorized device is connected to the network of the organization.
Measure requirements:
- CPS.AM-1: Document and manage appropriately the list of hardware and software, and management information (e.g., name of asset, version, network address, name of asset manager, license information) of components in the system.
- CPS.CM-6: As part of the configuration management of devices, constantly manage software configuration information, status of network connections (e.g., presence/absence of connections and access destination), and information transmission/reception status between other “organization”, people, components, and systems.

[System]
Vulnerability: The organization does not take physical security measures such as access control and monitoring of areas where its IoT devices are installed.
Measure requirements:
- CPS.AC-2: Implement appropriate physical security measures such as locking and limiting access to the areas where the IoT devices and servers are installed, using entrance and exit controls, biometric authentication, deploying surveillance cameras, and inspecting belongings and body weight.
- CPS.IP-5: Implement physical measures such as preparing an uninterruptible power supply, a fire protection facility, and protection from water infiltration to follow the policies and rules related to the physical operating environment, including the IoT devices and servers installed in the organization.
- CPS.PT-2: Minimize functions of IoT devices and servers by physically and logically blocking unnecessary network ports, USBs, and serial ports that directly access the main bodies of IoT devices and servers, etc.
- CPS.CM-2: Perform setting, recording, and monitoring of proper physical access, considering the importance of IoT devices and servers.

L2_3_b_DAT [Data]
Vulnerability: The organization has no procedures for deleting data (or making data unreadable) in an IoT device before disposal.
Measure requirements:
- CPS.IP-6: When disposing of an IoT device and server, delete the stored data and the ID (identifier) uniquely identifying the genuine IoT devices and servers as well as important information (e.g., private key and digital certificate), or make them unreadable.

B-2-2
Appendix B - The Second Layer

Table columns: # | Function | Assumed security incident | Risk sources (Threat / Vulnerability ID / Vulnerability) | Measure Requirement | Measure Requirement ID
Assumed security incident: An IoT device of low quality is connected to a network, causing failures, transmission of inaccurate data, or transmission to an unauthorized entity.
Threats:
- An IoT device of low quality connected to a network
- Insertion of a counterfeit that imitates genuine IoT equipment

L2_3_c_ORG [Organization]
Vulnerability: The organization does not check whether the products are trustworthy at the time of procurement.
Measure requirements:
- CPS.SC-2: Identify, prioritize, and evaluate the organizations and people that play an important role in each layer of the three-layer structure in sustaining the operation of the organization.
- CPS.SC-3: When signing contracts with external organizations, check if the security management of the other relevant organizations properly complies with the security requirements defined by the organization while considering the objectives of such contracts and results of risk management.
- CPS.SC-4: When signing contracts with external parties, check if the products and services provided by the other relevant organizations properly comply with the security requirements defined by the organization while considering the objectives of such contracts and results of risk management.
- CPS.SC-6: Conduct regular assessments through auditing, test results, or other checks of relevant parties such as business partners to ensure they are fulfilling their contractual obligations.
- CPS.SC-7: Formulate and implement procedures to address noncompliance with contractual requirements found as a result of an audit, test, or other check on relevant parties.
- CPS.SC-8: Collect and securely store data proving that the organization is fulfilling its contractual obligations with other relevant parties or individuals, and prepare them for disclosure as needed within appropriate limits.

[Organization]
Vulnerability: The organization does not make certain that the IoT devices and their software are official products (i.e., not falsified).
Measure requirements:
- CPS.DS-13: Confirm that IoT devices and software are genuine products during the booting-up process.

L2_3_c_SYS [System]
Vulnerability: Network communications (wired or wireless) from unauthorized devices cannot be prevented.
Measure requirements:
- CPS.AC-2: Implement appropriate physical security measures such as locking and limiting access to the areas where the IoT devices and servers are installed, using entrance and exit controls, biometric authentication, deploying surveillance cameras, and inspecting belongings and body weight.
- CPS.AC-3: Properly authorize wireless connection destinations (including users, IoT devices, and servers).
- CPS.CM-6: As part of the configuration management of devices, constantly manage software configuration information, status of network connections (e.g., presence/absence of connections and access destination), and information transmission/reception status between other “organization”, people, components, and systems.

[System]
Vulnerability: The system cannot properly detect and block unauthorized outbound communication from the organization.
Measure requirements:
- CPS.DS-9: Properly control outbound communications that send information to be protected, to prevent improper data breach.
- CPS.CM-1: Conduct network and access monitoring and control at the contact points between corporate networks and wide area networks.
- CPS.CM-6: As part of the configuration management of devices, constantly manage software configuration information, status of network connections (e.g., presence/absence of connections and access destination), and information transmission/reception status between other “organization”, people, components, and systems.

[System]
Vulnerability: The organization has implemented no mechanism for checking whether the devices to be connected to cyberspace and other official devices are official products.
Measure requirements:
- CPS.AC-1: Establish and implement the procedure to issue, manage, check, cancel, and monitor identification and authentication information of authorized goods, people, and procedures.
- CPS.DS-13: Confirm that IoT devices and software are genuine products during the booting-up process.

L2_3_c_PRO [Procedure]
Vulnerability: There is no procedure for checking whether the procured products are reliable at the time of procurement of IoT devices.
Measure requirements:
- CPS.SC-4: When signing contracts with external parties, check if the products and services provided by the other relevant organizations properly comply with the security requirements defined by the organization while considering the objectives of such contracts and results of risk management.
- CPS.SC-6: Conduct regular assessments through auditing, test results, or other checks of relevant parties such as business partners to ensure they are fulfilling their contractual obligations.
- CPS.SC-7: Formulate and implement procedures to address noncompliance with contractual requirements found as a result of an audit, test, or other check on relevant parties.
- CPS.SC-8: Collect and securely store data proving that the organization is fulfilling its contractual obligations with other relevant parties or individuals, and prepare them for disclosure as needed within appropriate limits.
Assumed security incident: Inappropriate measurement occurs due to physical interference with measurement.
Threats:
- Inappropriate acts against the transcription function by people with malicious intent

L2_3_d_ORG [Organization]
Vulnerability: The organization does not check whether the products are trustworthy in terms of measurement security at the time of procurement of IoT devices.
Measure requirements:
- CPS.SC-4: When signing contracts with external parties, check if the products and services provided by the other relevant organizations properly comply with the security requirements defined by the organization while considering the objectives of such contracts and results of risk management.
- CPS.SC-6: Conduct regular assessments through auditing, test results, or other checks of relevant parties such as business partners to ensure they are fulfilling their contractual obligations.
- CPS.DS-15: Use products that provide measurable security in order to ensure the availability of security reporting and the trustworthiness of sensing data through integrity protection.

L2_3_d_SYS [System]
Vulnerability: The organization does not take physical security measures such as access control and monitoring of areas where its IoT devices are installed.
Measure requirements:
- CPS.AC-2: Implement appropriate physical security measures such as locking and limiting access to the areas where the IoT devices and servers are installed, using entrance and exit controls, biometric authentication, deploying surveillance cameras, and inspecting belongings and body weight.
- CPS.IP-5: Implement physical measures such as preparing an uninterruptible power supply, a fire protection facility, and protection from water infiltration to follow the policies and rules related to the physical operating environment, including the IoT devices and servers installed in the organization.
- CPS.CM-2: Perform setting, recording, and monitoring of proper physical access, considering the importance of IoT devices and servers.


B-2-3
Appendix B - The Third Layer

■ Functions/Assumed Security Incidents/Risk Sources/Measure Requirements in the Third Layer

Table columns: # | Function | Assumed security incident | Risk sources (Threat / Vulnerability ID / Vulnerability) | Measure Requirement | Measure Requirement ID
3_Common
Function: All of the following functions:
- Functions to securely send and receive data
- Functions to securely process and analyze data
- Function to securely store data
Assumed security incident: Denial-of-Service (DoS) attacks on computer equipment and communication devices (e.g., servers) that comprise a system
Threats:
- DoS attack on computing devices such as servers, communication devices, etc.
- Transmission of jamming waves

L3_3_b_ORG [Organization]
Vulnerability: The organization does not confirm the trustworthiness of contractor organizations, such as data providers or data manipulators/analyzers, before and after signing contracts.
Measure requirements:
- CPS.SC-2: Identify, prioritize, and evaluate the organizations and people that play an important role in each layer of the three-layer structure in sustaining the operation of the organization.
- CPS.SC-3: When signing contracts with external organizations, check if the security management of the other relevant organizations properly complies with the security requirements defined by the organization while considering the objectives of such contracts and results of risk management.
- CPS.SC-4: When signing contracts with external parties, check if the products and services provided by the other relevant organizations properly comply with the security requirements defined by the organization while considering the objectives of such contracts and results of risk management.
- CPS.SC-6: Conduct regular assessments through auditing, test results, or other checks of relevant parties such as business partners to ensure they are fulfilling their contractual obligations.
- CPS.SC-7: Formulate and implement procedures to address noncompliance with contractual requirements found as a result of an audit, test, or other check on relevant parties.
- CPS.SC-8: Collect and securely store data proving that the organization is fulfilling its contractual obligations with other relevant parties or individuals, and prepare them for disclosure as needed within appropriate limits.
Assumed security incident: The system that handles data stops, whether or not it has been attacked.
Threats:
- Services provided by a system with low quality/trustworthiness

L3_3_c_ORG [Organization]
Vulnerability: The organization does not confirm the trustworthiness of service suppliers' organizations, systems, etc. before and after signing contracts.
Measure requirements:
- CPS.SC-2: Identify, prioritize, and evaluate the organizations and people that play an important role in each layer of the three-layer structure in sustaining the operation of the organization.
- CPS.SC-3: When signing contracts with external organizations, check if the security management of the other relevant organizations properly complies with the security requirements defined by the organization while considering the objectives of such contracts and results of risk management.
- CPS.SC-4: When signing contracts with external parties, check if the products and services provided by the other relevant organizations properly comply with the security requirements defined by the organization while considering the objectives of such contracts and results of risk management.
- CPS.SC-6: Conduct regular assessments through auditing, test results, or other checks of relevant parties such as business partners to ensure they are fulfilling their contractual obligations.
- CPS.SC-7: Formulate and implement procedures to address noncompliance with contractual requirements found as a result of an audit, test, or other check on relevant parties.
- CPS.SC-8: Collect and securely store data proving that the organization is fulfilling its contractual obligations with other relevant parties or individuals, and prepare them for disclosure as needed within appropriate limits.

L3_3_c_SYS [System]
Vulnerability: A system that contains IoT devices does not have adequate resources (i.e., processing capacity, communication bandwidth, and storage capacity).
Measure requirements:
- CPS.DS-6: Secure sufficient resources (e.g., People, Components, System) for components and systems, and protect assets properly to minimize adverse effects under cyber attack (e.g., DoS attack).
- CPS.DS-7: Carry out periodic quality checks, prepare standby devices and uninterruptible power supplies, provide redundancy, detect failures, conduct replacement work, and update software for IoT devices, communication devices, circuits, etc.
- CPS.IP-4: Perform a periodical system backup and testing of components (e.g., IoT devices, communication devices, and circuits).
Assumed security incident: Laws and rules that prescribe data protection in cyberspace are violated
Threats:
- Malware infection that takes advantage of a data storage system's vulnerability
- Physical intrusion by an unauthorized entity into the data storage area
- Identity spoofing using a stolen ID/password of a proper user

L3_4_a_ORG [Organization]
Vulnerability: Responsibility in the organization for managing data to be protected is not identified.
Measure requirements:
- CPS.AM-6: Classify and prioritize resources (e.g., People, Components, Data, and System) by function, importance, and business value, and communicate to the organizations and people relevant to those resources in business.

[Organization]
Vulnerability: The organization is not fully aware of data protection laws and regulations with which it should comply.
Measure requirements:
- CPS.GV-3: Understand the level of data protection required by laws and arrangements regarding handling of data shared only by relevant organizations, develop data classification methods based on each requirement, and properly classify and protect data throughout the whole life cycle.

L3_4_a_PEO [People]
Vulnerability: People involved are not fully aware of how the organization's protected data should be handled for security reasons.
Measure requirements:
- CPS.AT-1: Provide appropriate training and education to all individuals in the organization and manage the record so that they can fulfill assigned roles and responsibilities to prevent and contain the occurrence and severity of security incidents.
- CPS.AT-3: Improve the contents of training and education regarding security for members of the organization and other relevant parties of high importance in the security management of the organization.

L3_4_a_PRO [Procedure]
Vulnerability: Necessary procedures for handling data are not established.
Measure requirements:
- CPS.GV-3: Understand the level of data protection required by laws and arrangements regarding handling of data shared only by relevant organizations, develop data classification methods based on each requirement, and properly classify and protect data throughout the whole life cycle.

[Procedure]
Vulnerability: The organization does not confirm whether the necessary procedures are followed regarding data handling.
Measure requirements:
- CPS.DS-14: Maintain, update, and manage information such as the origination of data and data processing history throughout the entire life cycle.

L3_4_a_DAT [Data]
Vulnerability: Personal data or other important information is distributed among multiple organizations or systems.
Measure requirements:
- CPS.SC-3: When signing contracts with external organizations, check if the security management of the other relevant organizations properly complies with the security requirements defined by the organization while considering the objectives of such contracts and results of risk management.
- CPS.SC-6: Conduct regular assessments through auditing, test results, or other checks of relevant parties such as business partners to ensure they are fulfilling their contractual obligations.

[Data]
Vulnerability: The organization is unaware that the data it handles is the specific type of data that must be protected.
Measure requirements:
- CPS.DS-1: If the organization exchanges protected information with other organizations, agree in advance on security requirements for protection of such information.
Assumed security incident: The security requirements for highly confidential data to be shared only among authorized parties have not been set or met.
Threats:
- Malware infection that takes advantage of a data storage system's vulnerability
- Physical intrusion by an unauthorized entity into the data storage area
- Internal fraud by an authorized user
- Identity spoofing using a stolen ID/password of a proper user

L3_4_b_ORG [Organization]
Vulnerability: The organization is not fully aware of data protection laws and regulations with which it should comply.
Measure requirements:
- CPS.GV-3: Understand the level of data protection required by laws and arrangements regarding handling of data shared only by relevant organizations, develop data classification methods based on each requirement, and properly classify and protect data throughout the whole life cycle.

L3_4_b_PEO [People]
Vulnerability: People involved are not fully aware of how the organization's protected data should be handled for security reasons.
Measure requirements:
- CPS.AT-1: Provide appropriate training and education to all individuals in the organization and manage the record so that they can fulfill assigned roles and responsibilities to prevent and contain the occurrence and severity of security incidents.
- CPS.AT-3: Improve the contents of training and education regarding security for members of the organization and other relevant parties of high importance in the security management of the organization.

L3_4_b_PRO [Procedure]
Vulnerability: Necessary procedures for handling data are not established.
Measure requirements:
- CPS.GV-3: Understand the level of data protection required by laws and arrangements regarding handling of data shared only by relevant organizations, develop data classification methods based on each requirement, and properly classify and protect data throughout the whole life cycle.

[Procedure]
Vulnerability: The organization does not confirm whether the necessary procedures are followed regarding data handling.
Measure requirements:
- CPS.DS-14: Maintain, update, and manage information such as the origination of data and data processing history throughout the entire life cycle.

L3_4_b_SYS [System]
Vulnerability: The system is not designed according to the confidentiality of the data.
Measure requirements:
- CPS.AC-7: Develop a policy about controlling data flow, and accordingly protect the integrity of the network by means such as appropriate network isolation (e.g., development and test environment vs. production environment, and environments incorporating IoT devices vs. other environments within the organization).
- CPS.AC-9: Authenticate and authorize logical accesses to system components by IoT devices and users according to the transaction risks (personal security, privacy risks, and other organizational risks).
- CPS.DS-2: Encrypt information with an appropriate level of security strength, and store it.

L3_4_b_DAT [Data]
Vulnerability: Personal data or other important information is distributed among multiple organizations or systems.
Measure requirements:
- CPS.SC-3: When signing contracts with external organizations, check if the security management of the other relevant organizations properly complies with the security requirements defined by the organization while considering the objectives of such contracts and results of risk management.
- CPS.SC-6: Conduct regular assessments through auditing, test results, or other checks of relevant parties such as business partners to ensure they are fulfilling their contractual obligations.

[Data]
Vulnerability: The organization is unaware that the data it handles is the specific type of data that must be protected.
Measure requirements:
- CPS.DS-1: If the organization exchanges protected information with other organizations, agree in advance on security requirements for protection of such information.
3_1
Function: Functions to securely process and analyze data
Assumed security incident: The organization's protected data is leaked from a data processing area managed by a related organization.
Threats:
- Malware infection that takes advantage of the vulnerability of a data manipulation/analysis system managed by another organization
- Physical intrusion by an unauthorized entity into the data manipulation/analysis area managed by another organization
- Identity spoofing using a stolen ID/password of a proper user
- Protected data has been taken out improperly by another organization's entity

L3_1_b_ORG [Organization]
Vulnerability: The organization does not confirm the safety and trustworthiness of data manipulation/analysis organizations and/or systems before and after signing contracts.
Measure requirements:
- CPS.SC-2: Identify, prioritize, and evaluate the organizations and people that play an important role in each layer of the three-layer structure in sustaining the operation of the organization.
- CPS.SC-3: When signing contracts with external organizations, check if the security management of the other relevant organizations properly complies with the security requirements defined by the organization while considering the objectives of such contracts and results of risk management.
- CPS.SC-4: When signing contracts with external parties, check if the products and services provided by the other relevant organizations properly comply with the security requirements defined by the organization while considering the objectives of such contracts and results of risk management.
- CPS.SC-6: Conduct regular assessments through auditing, test results, or other checks of relevant parties such as business partners to ensure they are fulfilling their contractual obligations.
- CPS.SC-7: Formulate and implement procedures to address noncompliance with contractual requirements found as a result of an audit, test, or other check on relevant parties.
- CPS.SC-8: Collect and securely store data proving that the organization is fulfilling its contractual obligations with other relevant parties or individuals, and prepare them for disclosure as needed within appropriate limits.

L3_1_b_PEO [People]
Vulnerability: The organization does not confirm, before and after signing contracts, the trustworthiness of people in organizations that undertake data manipulation/analysis.
Measure requirements:
- CPS.SC-5: Formulate and manage security requirements applicable to members of other relevant organizations, such as business partners, who are engaged in operations outsourced from the organization.

L3_1_b_DAT [Data]
Vulnerability: The organization's data that must be protected is distributed among multiple organizations at different levels of security.
Measure requirements:
- CPS.SC-3: When signing contracts with external organizations, check if the security management of the other relevant organizations properly complies with the security requirements defined by the organization while considering the objectives of such contracts and results of risk management.
- CPS.SC-6: Conduct regular assessments through auditing, test results, or other checks of relevant parties such as business partners to ensure they are fulfilling their contractual obligations.


B-3-1
Appendix B - The Third Layer

Assumed security incident: Improper processed/analyzed results are output due to a malfunction in the data processing/analyzing system
Threats:
- Malware infection that takes advantage of a vulnerability of a data manipulation/analysis system
- Unacceptable input data containing code to attack a data manipulation/analysis system

L3_3_d_ORG [Organization]
Vulnerability: The organization does not confirm the safety of data manipulation/analysis organizations and/or systems before and after signing contracts.
Measure requirements:
- CPS.SC-2: Identify, prioritize, and evaluate the organizations and people that play an important role in each layer of the three-layer structure in sustaining the operation of the organization.
- CPS.SC-3: When signing contracts with external organizations, check if the security management of the other relevant organizations properly complies with the security requirements defined by the organization while considering the objectives of such contracts and results of risk management.
- CPS.SC-4: When signing contracts with external parties, check if the products and services provided by the other relevant organizations properly comply with the security requirements defined by the organization while considering the objectives of such contracts and results of risk management.
- CPS.SC-6: Conduct regular assessments through auditing, test results, or other checks of relevant parties such as business partners to ensure they are fulfilling their contractual obligations.
- CPS.SC-7: Formulate and implement procedures to address noncompliance with contractual requirements found as a result of an audit, test, or other check on relevant parties.
- CPS.SC-8: Collect and securely store data proving that the organization is fulfilling its contractual obligations with other relevant parties or individuals, and prepare them for disclosure as needed within appropriate limits.

L3_3_d_SYS [System]
Vulnerability: Settings in the system that processes and analyzes data are not secure.
Measure requirements:
- CPS.IP-1: Introduce and implement the process to manage the initial setting procedure (e.g., password) and setting change procedure for IoT devices and servers.
- CPS.PT-2: Minimize functions of IoT devices and servers by physically and logically blocking unnecessary network ports, USBs, and serial ports that directly access the main bodies of IoT devices and servers, etc.

[System]
Vulnerability: Vulnerabilities that should be handled are left unaddressed in a data manipulation/analysis system.
Measure requirements:
- CPS.RA-2: The security management team (SOC/CSIRT) collects information, including vulnerabilities and threats, from internal and external sources (through internal tests, security information, security researchers, etc.), analyzes the information, and establishes a process to implement and use measures.
- CPS.IP-2: Restrict the software to be added after installation on the IoT devices and servers.
- CPS.IP-10: Develop a vulnerability remediation plan, and remediate the vulnerabilities of the components according to the plan.
- CPS.MA-1: Discuss the method of conducting important security updates and the like on IoT devices and servers. Then, apply those security updates with managed tools properly and in a timely manner while recording the history.
- CPS.MA-2: Conduct remote maintenance of the IoT devices and servers while granting approvals and recording logs so that unauthorized access can be prevented.
- CPS.CM-6: As part of the configuration management of devices, constantly manage software configuration information, status of network connections (e.g., presence/absence of connections and access destination), and information transmission/reception status between other “organization”, people, components, and systems.
- CPS.CM-7: Confirm the existence of vulnerabilities that require a regular check-up in IoT devices and servers managed within the organization.

[System]
Vulnerability: Data are not protected enough in a system.
Measure requirements:
- CPS.DS-2: Encrypt information with an appropriate level of security strength, and store it.
- CPS.DS-3: Encrypt the communication channel when communicating between IoT devices and servers or in cyberspace.
- CPS.DS-4: Encrypt the information itself when sending/receiving information.

[System]
Vulnerability: The system does not fully check data that serves as input.
Measure requirements:
- CPS.CM-3:
  - Use IoT devices that can detect abnormal behaviors and suspend operations by comparing the instructed behaviors and actual ones.
  - Validate whether information provided from cyberspace contains malicious code, and is within the permissible range, before any action based on the data.
- CPS.CM-4: Validate the integrity and authenticity of the information provided from cyberspace before operations.

[System]
Vulnerability: The system has no mechanism for detecting and handling any abnormality related to security as soon as it arises.
Measure requirements:
- CPS.PT-1: Determine and document the subject or scope of the audit recording/log recording, and implement and review those records in order to properly detect high-risk security incidents.
- CPS.AE-1: Establish and implement the procedure to identify and manage the baseline of network operations and expected information flows between people, goods, and systems.
- CPS.CM-1: Conduct network and access monitoring and control at the contact points between corporate networks and wide area networks.
- CPS.CM-5: Monitor communication with external service providers so that potential security events can be detected properly.
- CPS.RP-1: Develop and implement in advance the procedure for responding after detecting incidents (security operation process), covering the response of Organization, People, Components, and System, to identify the content, priority, and scope of the response taken after an incident occurs.
3_2 Function to securely store data
Assumed security incident: A related organization's protected data is leaked from a data storage area managed by the organization.
Threats:
- Malware infection that takes advantage of a vulnerability in a data storage system managed by another organization
- Physical intrusion by an unauthorized entity into the data storage area of relevant parties managed by another organization
- Identity spoofing using the stolen ID/password of a legitimate user
- Protected data taken out improperly by a malicious insider of the organization
Vulnerability L3_1_a_ORG [Organization]: Responsibility within the organization for managing the data to be protected is not identified.
  Measure requirements:
  - CPS.AM-6: Classify and prioritize resources (e.g., People, Components, Data, and System) by function, importance, and business value, and communicate the classification to the organizations and people relevant to those resources in business.
Vulnerability L3_1_a_SYS [System]: Settings in the system storing data to be protected are not secure.
  Measure requirements:
  - CPS.IP-1: Introduce and implement a process to manage the initial setting procedure (e.g., passwords) and the setting change procedure for IoT devices and servers.
  - CPS.PT-2: Minimize the functions of IoT devices and servers by physically and logically blocking unnecessary network ports, USB ports, and serial ports that give direct access to the main bodies of the IoT devices and servers.
Vulnerability [System]: Vulnerabilities that should be handled are left unaddressed in the organization's system.
  Measure requirements:
  - CPS.RA-2: The security management team (SOC/CSIRT) collects vulnerability and threat information from internal and external sources (internal tests, security information services, security researchers, etc.), analyzes it, and establishes a process to implement and use countermeasures.
  - CPS.IP-2: Restrict the software that may be added to IoT devices and servers after installation.
  - CPS.IP-10: Develop a vulnerability remediation plan, and remediate the vulnerabilities of the components according to the plan.
  - CPS.MA-1: Decide how important security updates and the like are to be applied to IoT devices and servers, then apply those updates properly and in a timely manner with managed tools, recording the update history.
  - CPS.MA-2: Conduct remote maintenance of IoT devices and servers with approvals granted and logs recorded, so that unauthorized access can be prevented.
  - CPS.CM-6: As part of device configuration management, continuously manage software configuration information, the status of network connections (e.g., presence/absence of connections and access destinations), and the status of information transmission/reception with other organizations, people, components, and systems.
  - CPS.CM-7: Confirm whether vulnerabilities requiring regular checks exist in the IoT devices and servers managed within the organization.
Vulnerability [System]: Regarding access to stored information, the request sender is not identified/authenticated in a manner suited to the confidentiality level of the information.
  Measure requirements:
  - CPS.GV-3: Understand the level of data protection required by laws and by arrangements regarding the handling of data shared only among relevant organizations, develop data classification methods based on each requirement, and properly classify and protect data throughout its whole life cycle.
  - CPS.AC-1: Establish and implement the procedure to issue, manage, check, cancel, and monitor the identification and authentication information of authorized goods, people, and procedures.
  - CPS.AC-5: Segregate duties and areas of responsibility properly (e.g., segregate user functions from system administrator functions).
  - CPS.AC-6: Adopt high-confidence methods of authentication where appropriate based on risk (e.g., multi-factor authentication combining two or more types of authentication) when privileged users log in to the system over the network.
  - CPS.AC-9: Authenticate and authorize logical access to system components by IoT devices and users according to the transaction risks (personal security, privacy risks, and other organizational risks).
Vulnerability [System]: The organization does not take physical security measures, such as access control and monitoring, for the areas where its IoT devices and servers are installed.
  Measure requirements:
  - CPS.AC-2: Implement appropriate physical security measures, such as locking and limiting access to the areas where IoT devices and servers are installed, using entrance and exit controls, biometric authentication, surveillance cameras, and inspection of belongings and body weight.
  - CPS.IP-5: Implement physical measures such as an uninterruptible power supply, fire protection facilities, and protection from water infiltration, following the policies and rules for the physical operating environment of the IoT devices and servers installed in the organization.
  - CPS.PT-2: Minimize the functions of IoT devices and servers by physically and logically blocking unnecessary network ports, USB ports, and serial ports that give direct access to the main bodies of the IoT devices and servers.
  - CPS.CM-2: Configure, record, and monitor physical access appropriately, considering the importance of the IoT devices and servers.
Vulnerability [System]: The system has no mechanism for detecting and handling security-related abnormalities as soon as they arise.
  Measure requirements:
  - CPS.PT-1: Determine and document the subject or scope of audit/log recording, and implement and review those records in order to properly detect high-risk security incidents.
  - CPS.AE-1: Establish and implement the procedure to identify and manage the baseline of network operations and the expected information flows between people, goods, and systems.
  - CPS.CM-1: Conduct network and access monitoring and control at the contact points between corporate networks and wide area networks.
  - CPS.CM-5: Monitor communication with external service providers so that potential security events can be detected properly.
  - CPS.RP-1: Develop and implement in advance the procedure for responding after an incident is detected (the security operation process), covering the response of Organization, People, Components, and System, so as to identify the content, priority, and scope of the response taken after an incident occurs.
Vulnerability L3_1_a_PRO [Procedure]: There is no procedure for confirming the confidentiality level of, and the security measures necessary for, data whose management is outsourced from other organizations.
  Measure requirements:
  - CPS.DS-1: If the organization exchanges protected information with other organizations, agree in advance on the security requirements for protecting that information.

Vulnerability L3_1_a_DAT [Data]: The classification concerning protection of the data entrusted by relevant parties is not identified.
  Measure requirements:
  - CPS.GV-3: Understand the level of data protection required by laws and by arrangements regarding the handling of data shared only among relevant organizations, develop data classification methods based on each requirement, and properly classify and protect data throughout its whole life cycle.
Vulnerability [Data]: Data protection at the predefined level of confidentiality is not implemented.
  Measure requirements:
  - CPS.SC-6: Conduct regular assessments, through audits, test results, or other checks, of relevant parties such as business partners to ensure they are fulfilling their contractual obligations.
  - CPS.AC-7: Develop a policy for controlling data flow and, in accordance with it, protect the integrity of the network by means such as appropriate network isolation (e.g., development and test environments vs. the production environment, and environments incorporating IoT devices vs. other environments within the organization).
  - CPS.DS-2: Encrypt information with an appropriate level of security strength, and store it in encrypted form.
  - CPS.DS-3: Encrypt the communication channel when communicating between IoT devices and servers or in cyberspace.
  - CPS.DS-4: Encrypt the information itself when sending/receiving it.
  - CPS.DS-5: Securely control encryption keys throughout their life cycle so that data are properly transmitted, received, and stored.
  - CPS.DS-9: Properly control outbound communications that carry information to be protected, in order to prevent improper data breaches.
Assumed security incident: The organization's protected data is leaked from a data storage area managed by a related organization.
Threats:
- Malware infection that takes advantage of a vulnerability in a data storage system managed by another organization
- Physical intrusion by an unauthorized entity into the data storage area managed by another organization
- Identity spoofing using the stolen ID/password of a legitimate user
- Protected data taken out improperly by a malicious insider of the organization
Vulnerability L3_1_c_ORG [Organization]: The organization does not confirm the safety of the data storage organizations and/or systems before and after signing contracts.
  Measure requirements:
  - CPS.SC-2: Identify, prioritize, and evaluate the organizations and people that play an important role in each layer of the three-layer structure in sustaining the operation of the organization.
  - CPS.SC-3: When signing contracts with external organizations, check whether the security management of the other relevant organizations properly complies with the security requirements defined by the organization, considering the objectives of the contracts and the results of risk management.
  - CPS.SC-6: Conduct regular assessments, through audits, test results, or other checks, of relevant parties such as business partners to ensure they are fulfilling their contractual obligations.
  - CPS.SC-7: Formulate and implement procedures to address non-compliance with contractual requirements found as a result of an audit, test, or other check on relevant parties.
  - CPS.SC-8: Collect and securely store data proving that the organization is fulfilling its contractual obligations to other relevant parties or individuals, and prepare them for disclosure as needed within appropriate limits.
Vulnerability L3_1_c_PEO [People]: The organization does not confirm, before and after signing contracts, the trustworthiness of the people in the organizations that undertake data manipulation.
  Measure requirements:
  - CPS.SC-5: Formulate and manage security requirements applicable to members of other relevant organizations, such as business partners, who are engaged in operations outsourced from the organization.
Vulnerability L3_1_c_DAT [Data]: The organization's data that must be protected are distributed among multiple organizations with different levels of security.
  Measure requirements:
  - CPS.SC-3: When signing contracts with external organizations, check whether the security management of the other relevant organizations properly complies with the security requirements defined by the organization, considering the objectives of the contracts and the results of risk management.
  - CPS.SC-6: Conduct regular assessments, through audits, test results, or other checks, of relevant parties such as business partners to ensure they are fulfilling their contractual obligations.
Assumed security incident: Data in storage are tampered with.
Threats:
- Identity spoofing using the stolen ID/password of a legitimate user
Vulnerability L3_2_a_DAT [Data]: The data being stored have no mechanism for detecting falsification.
  Measure requirements:
  - CPS.DS-11: Perform integrity checking on information to be sent, received, and stored.
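One way to give stored records the falsification-detection mechanism that CPS.DS-11 asks for is to keep a keyed integrity tag beside each record and refuse to use any record whose tag no longer verifies. The following is an added example, not text or code from the Framework: it uses HMAC-SHA256 from the Python standard library, binds each tag to its storage slot so that an intact record cannot be copied over another one, and shows that field tampering, slot swapping and a wrong key are all detected. The key, record identifiers and record contents are constructed for the illustration; the same verification step covers received data (CPS.CM-4) when the sender computes the tag under a shared or derived key.

```python
"""Tamper-evident storage of protected records: an added illustration of CPS.DS-11.

Each record is stored next to an HMAC-SHA256 tag computed over a canonical
serialisation of (storage slot id, record body). Reading recomputes the tag; any
mismatch means the bytes were altered, moved to another slot, or produced under a
different key, and the record must not be acted upon.
"""
import hashlib
import hmac
import json
from typing import Any

# Constructed demo key. In a real deployment the MAC key lives in a KMS/HSM and is
# rotated under the key life-cycle controls of CPS.DS-5, never beside the data.
DEMO_KEY = b"constructed-demo-key-do-not-reuse"


def _authenticated_bytes(record_id: str, body: dict[str, Any]) -> bytes:
    """Canonical JSON of slot id + body. sort_keys and fixed separators make the
    encoding deterministic; including the id binds the tag to the storage slot."""
    return json.dumps({"id": record_id, "body": body},
                      sort_keys=True, separators=(",", ":")).encode()


def seal(record_id: str, body: dict[str, Any], key: bytes) -> dict[str, Any]:
    """Return the stored form: the body plus its integrity tag."""
    tag = hmac.new(key, _authenticated_bytes(record_id, body), hashlib.sha256).hexdigest()
    return {"body": body, "tag": tag}


def verify(record_id: str, sealed: dict[str, Any], key: bytes) -> bool:
    """Recompute the tag and compare in constant time."""
    expected = hmac.new(key, _authenticated_bytes(record_id, sealed["body"]),
                        hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, sealed["tag"])


def load_checked(store: dict[str, dict[str, Any]], record_id: str, key: bytes) -> dict[str, Any]:
    """Fetch a record, refusing to return it if the integrity check fails."""
    sealed = store[record_id]
    if not verify(record_id, sealed, key):
        raise ValueError(f"integrity check failed for record {record_id}")
    return sealed["body"]


def demo() -> dict[str, bool]:
    """Constructed scenario: two production batch records, three tampering attempts."""
    store: dict[str, dict[str, Any]] = {}
    store["batch-0017"] = seal("batch-0017", {"lot": "0017", "qc_passed": True, "weight_kg": 120.5}, DEMO_KEY)
    store["batch-0018"] = seal("batch-0018", {"lot": "0018", "qc_passed": False, "weight_kg": 118.0}, DEMO_KEY)
    results = {"intact_verifies": verify("batch-0017", store["batch-0017"], DEMO_KEY)}

    # 1. Field tampering: an insider flips the QC flag of a failed batch in place.
    store["batch-0018"]["body"]["qc_passed"] = True
    results["field_tamper_detected"] = not verify("batch-0018", store["batch-0018"], DEMO_KEY)

    # 2. Slot swap: copy an intact, correctly tagged record into the failed batch's slot.
    store["batch-0018"] = store["batch-0017"]
    results["slot_swap_detected"] = not verify("batch-0018", store["batch-0018"], DEMO_KEY)

    # 3. Wrong key: a tag produced under another key never verifies.
    results["wrong_key_detected"] = not verify("batch-0017", store["batch-0017"], b"another-constructed-key")

    # The guarded loader refuses the swapped record outright.
    try:
        load_checked(store, "batch-0018", DEMO_KEY)
        results["load_refused"] = False
    except ValueError:
        results["load_refused"] = True
    return results


if __name__ == "__main__":
    for check, outcome in demo().items():
        print(f"{check}: {outcome}")
```

An HMAC gives integrity and origin authentication but no confidentiality; where CPS.DS-2 also applies, an AEAD mode (e.g., AES-GCM) provides both in one step and the slot id goes in as associated data. Whichever is used, the check must run before the data is acted upon, and a failure should be logged as a security event rather than silently repaired.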
3_3 Functions to securely send and receive data
Assumed security incident: Data in use are tampered with.
Threats:
- Identity spoofing using the stolen ID/password of a legitimate user
- Man-in-the-middle attacks that falsify data on communication paths
Vulnerability L3_2_b_DAT [Data]: Data are not protected enough on communication paths.
  Measure requirements:
  - CPS.DS-3: Encrypt the communication channel when communicating between IoT devices and servers or in cyberspace.
  - CPS.DS-4: Encrypt the information itself when sending/receiving it.
Vulnerability [Data]: The data being used have no mechanism for detecting falsification.
  Measure requirements:
  - CPS.DS-11: Perform integrity checking on information to be sent, received, and stored.
Assumed security incident: The system receives inappropriate data from an Organization/People/Components (e.g., due to a spoofing attack).
Threats:
- Identity spoofing by an unauthorized organization/person/component/system using the ID of a legitimate entity
- Inappropriate data from authorized components and systems that have been tampered with
Vulnerability L3_3_a_ORG [Organization]: The organization does not confirm, before and after signing contracts, the trustworthiness of data sender organizations such as data providers or data manipulators/analyzers.
  Measure requirements:
  - CPS.SC-2: Identify, prioritize, and evaluate the organizations and people that play an important role in each layer of the three-layer structure in sustaining the operation of the organization.
  - CPS.SC-3: When signing contracts with external organizations, check whether the security management of the other relevant organizations properly complies with the security requirements defined by the organization, considering the objectives of the contracts and the results of risk management.
  - CPS.SC-4: When signing contracts with external parties, check whether the products and services provided by the other relevant organizations properly comply with the security requirements defined by the organization, considering the objectives of the contracts and the results of risk management.
  - CPS.SC-6: Conduct regular assessments, through audits, test results, or other checks, of relevant parties such as business partners to ensure they are fulfilling their contractual obligations.
  - CPS.SC-7: Formulate and implement procedures to address non-compliance with contractual requirements found as a result of an audit, test, or other check on relevant parties.
  - CPS.SC-8: Collect and securely store data proving that the organization is fulfilling its contractual obligations to other relevant parties or individuals, and prepare them for disclosure as needed within appropriate limits.
Vulnerability L3_3_a_PEO [People]: A contractor's employees responsible for the outsourced work are not fully aware of how the organization's protected data should be handled for security reasons.
  Measure requirements:
  - CPS.AT-2: Provide appropriate training and security education to members of the organization and other relevant parties of high importance in security management who may be involved in security incident prevention and response, and manage the records of that training and education.
  - CPS.AT-3: Improve the content of security training and education for members of the organization and other relevant parties of high importance in the organization's security management.
Vulnerability L3_3_a_SYS [System]: Vulnerabilities that should be handled are left unaddressed in a data collection/analysis system.
  Measure requirements:
  - CPS.RA-2: The security management team (SOC/CSIRT) collects vulnerability and threat information from internal and external sources (internal tests, security information services, security researchers, etc.), analyzes it, and establishes a process to implement and use countermeasures.
  - CPS.IP-2: Restrict the software that may be added to IoT devices and servers after installation.
  - CPS.IP-10: Develop a vulnerability remediation plan, and remediate the vulnerabilities of the components according to the plan.
  - CPS.MA-1:
    - Decide how important security updates and the like are to be applied to IoT devices and servers, then apply those updates properly and in a timely manner with managed tools, recording the update history.
    - Introduce IoT devices that have a remote update mechanism, so that different software programs (OS, drivers, and applications) can be mass-updated through remote commands where applicable.
  - CPS.MA-2: Conduct remote maintenance of IoT devices and servers with approvals granted and logs recorded, so that unauthorized access can be prevented.
  - CPS.CM-6: As part of device configuration management, continuously manage software configuration information, the status of network connections (e.g., presence/absence of connections and access destinations), and the status of information transmission/reception with other organizations, people, components, and systems.
  - CPS.CM-7: Confirm whether vulnerabilities requiring regular checks exist in the IoT devices and servers managed within the organization.
Vulnerability [System]: The communication channel is not appropriately protected.
  Measure requirements:
  - CPS.DS-3: Encrypt the communication channel when communicating between IoT devices and servers or in cyberspace.
Vulnerability [System]: The organization's system has no mechanism for detecting and handling security-related abnormalities as soon as they arise.
  Measure requirements:
  - CPS.PT-1: Determine and document the subject or scope of audit/log recording, and implement and review those records in order to properly detect high-risk security incidents.
  - CPS.AE-1: Establish and implement the procedure to identify and manage the baseline of network operations and the expected information flows between people, goods, and systems.
  - CPS.CM-1: Conduct network and access monitoring and control at the contact points between corporate networks and wide area networks.
  - CPS.CM-5: Monitor communication with external service providers so that potential security events can be detected properly.
  - CPS.RP-1: Develop and implement in advance the procedure for responding after an incident is detected (the security operation process), covering the response of Organization, People, Components, and System, so as to identify the content, priority, and scope of the response taken after an incident occurs.
Vulnerability [System]: The system does not identify or authenticate the party at the other end of the communication in cyberspace when the communication starts.
  Measure requirements:
  - CPS.AC-1: Establish and implement the procedure to issue, manage, check, cancel, and monitor the identification and authentication information of authorized goods, people, and procedures.
  - CPS.AC-3: Properly authorize wireless connection destinations (including users, IoT devices, and servers).
  - CPS.AC-4: Prevent unauthorized log-in to IoT devices and servers by measures such as locking out an account after a specified number of incorrect log-in attempts and imposing a time interval until safety is ensured.
  - CPS.AC-8: Restrict communications by IoT devices and servers to entities (e.g., people, components, systems) identified through proper procedures.
  - CPS.AC-9: Authenticate and authorize logical access to system components by IoT devices and users according to the transaction risks (personal security, privacy risks, and other organizational risks).
Vulnerability L3_3_a_DAT [Data]: No mechanism for filtering the data sent from the other endpoint of the communication is installed or operated.
  Measure requirements:
  - CPS.CM-3:
    - Use IoT devices that can detect abnormal behavior and suspend operation by comparing the instructed behavior with the actual behavior.
    - Validate whether information provided from cyberspace contains malicious code, and whether it is within the permissible range, before taking any action based on the data.
  - CPS.CM-4: Validate the integrity and authenticity of information provided from cyberspace before operating on it.
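The lockout part of CPS.AC-4 (lock an account after a specified number of incorrect log-in attempts, then refuse access for a time interval) is easy to get wrong: if the credential is evaluated before the lock state, an attacker can still confirm a guessed password while the account is locked. The following is an added example, not code from the Framework. It counts failures per account inside a sliding window, refuses every attempt while locked before the credential check runs, and takes an injected clock so the timing behaviour can be exercised without waiting. The account names and policy values are constructed.

```python
"""Login lockout with a cooling-off interval: an added illustration of CPS.AC-4.

Failures are counted per account within a sliding window; reaching max_attempts
locks the account for lockout_seconds. While locked, the attempt is refused
before the credential is looked at, so the lock cannot be used as a password
oracle. The clock is injectable so the behaviour can be verified deterministically.
"""
import time
from dataclasses import dataclass, field
from typing import Callable


@dataclass(frozen=True)
class LockoutPolicy:
    max_attempts: int = 5            # failures tolerated inside the window
    window_seconds: float = 300.0    # failures older than this no longer count
    lockout_seconds: float = 900.0   # the "time interval until safety is ensured"


@dataclass
class _AccountState:
    failures: list = field(default_factory=list)   # timestamps of recent failures
    locked_until: float = 0.0


class LoginGuard:
    def __init__(self, policy: LockoutPolicy, clock: Callable[[], float] = time.monotonic):
        self.policy = policy
        self.clock = clock
        self._accounts: dict[str, _AccountState] = {}

    def is_locked(self, account: str) -> bool:
        return self.clock() < self._accounts.setdefault(account, _AccountState()).locked_until

    def attempt(self, account: str, check_credential: Callable[[], bool]) -> str:
        """Return 'locked', 'ok' or 'failed'. All three should be logged; the
        message shown to the user for 'locked' and 'failed' should be identical
        so the lock state does not leak to a remote caller."""
        now = self.clock()
        st = self._accounts.setdefault(account, _AccountState())
        if now < st.locked_until:
            return "locked"                       # refused before any credential check
        st.failures = [t for t in st.failures if now - t < self.policy.window_seconds]
        if check_credential():
            st.failures.clear()
            return "ok"
        st.failures.append(now)
        if len(st.failures) >= self.policy.max_attempts:
            st.locked_until = now + self.policy.lockout_seconds
            st.failures.clear()
            return "locked"
        return "failed"


class FakeClock:
    """Deterministic stand-in for time.monotonic(), used only by the demo."""
    def __init__(self, start: float) -> None:
        self.now = start

    def __call__(self) -> float:
        return self.now

    def advance(self, seconds: float) -> None:
        self.now += seconds


def demo() -> list[str]:
    """Constructed scenario returning the outcome of each attempt in order."""
    clock = FakeClock(1000.0)
    guard = LoginGuard(LockoutPolicy(max_attempts=5, window_seconds=300, lockout_seconds=900), clock)
    wrong, right = (lambda: False), (lambda: True)
    out: list[str] = []
    for _ in range(5):                                  # five wrong passwords, one second apart
        out.append(guard.attempt("operator1", wrong))
        clock.advance(1)
    clock.advance(60)
    out.append(guard.attempt("operator1", right))       # correct password during lockout: still refused
    clock.advance(900)
    out.append(guard.attempt("operator1", right))       # lockout expired: accepted, counter reset
    for _ in range(6):                                  # slow guessing at one failure per 301 s
        out.append(guard.attempt("operator2", wrong))   # never reaches the limit within the window
        clock.advance(301)
    return out


if __name__ == "__main__":
    print(demo())
```

The last loop shows the limit of a pure per-account counter: an attacker who paces guesses just outside the window is never locked out, only rate-limited to max_attempts per window. In practice the same state should be kept per source address as well, persisted so a device reboot does not clear it, and every "locked" outcome should reach the monitoring required by CPS.PT-1.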

Appendix C: Examples of security measures according to measure requirements

- Examples of security measures are stated at each of the High Advanced, Advanced, and Basic levels for implementing the measure requirements described in Part III. Implementing the High Advanced level means implementing not only the High Advanced-level measures but also the Advanced- and Basic-level measures.
- The level of a measure is determined according to the cost of implementing/operating the measure, the scope of the measure (e.g., whether it applies only to the organization or also to related organizations), etc., based on management measures stratified into levels.
- The subject that implements a measure is classified as “S” (implemented by a system through technical means), “O” (implemented by an organization, e.g., by people through non-technical means), or “O/S” (implemented by both a system and an organization).
- The examples of measures refer to the documents listed under “related standards, etc.” for each requirement in Part III, and to some of the corresponding items in those documents (shown as “Reference Guidelines” in the table).
- The measures described in this section are only examples and do not exclude other implementation methods. Use this document as a reference for risk management according to the characteristics of each organization's business, the results of its risk analyses, etc.

Table columns: Measure Requirement ID | Measure Requirement | Corresponding Vulnerability ID | Examples of security measures (by level) | Subject that implements the measures (S, O, or O/S) | Reference Guidelines: NIST SP 800-53 Rev.4, NIST SP 800-171, ISO/IEC 27001:2013 Annex A, IEC 62443-2-1:2010, IEC 62443-3-3:2013
CPS.AM-1
Measure requirement: Document and manage appropriately the list of hardware and software, and the management information (e.g., asset name, version, network address, name of asset manager, license information) of the components in the system.
Corresponding vulnerability IDs: L1_1_a_COM, L1_1_b_COM, L1_1_c_COM, L2_1_a_ORG, L2_3_b_ORG, L2_3_b_SYS
<High-Advanced> (Subject: O/S)
- The organization uniquely identifies the assets constituting its information systems and industrial control systems (hardware, including IoT devices; software; and information), assigns a responsible person to each asset, and maintains/manages lists including configuration information of the assets (e.g., names, version information, license information, and location) periodically or at the request of the operator, while recognizing the situation in real time.
- The information system regularly audits whether the actual configuration it has identified conforms to the baseline configuration defined by the organization, and responds appropriately (example: blocking unplanned connections except those permitted by the organization as an exception).
- The information system and industrial control system implement and operate a mechanism that automatically detects and responds to unauthorized assets.
Reference guidelines: NIST SP 800-53 Rev.4: CM-8(1), CM-8(2), CM-8(3), CM-8(5), in addition to the references at the lower levels; NIST SP 800-171: 3.4.2
<Advanced> (Subject: O)
- Maintain/manage lists including configuration information of the assets (e.g., names, version information, license information, and location) by reviewing and updating them periodically.
- The organization makes a list of the removable media (e.g., USB memory sticks) that may be used on system components (information system or industrial control system), and manages their use.
- The organization uses only removable media (e.g., USB memory) permitted in the organization. If a portable storage device has no identifiable owner, the organization prohibits its use.
- The organization controls access to media that contain highly confidential data, and properly tracks and manages the use of media taken outside the controlled areas.
Reference guidelines: NIST SP 800-53 Rev.4: CM-8, PM-5; NIST SP 800-171: 3.4.1, 3.8.5, 3.8.7, 3.8.8; ISO/IEC 27001:2013 Annex A: A.8.1.3, in addition to the Basic-level references; IEC 62443-2-1:2010: 4.2.3.4; IEC 62443-3-3:2013: SR 7.8
<Basic> (Subject: O)
- The organization identifies the assets constituting its information system and industrial control system (hardware, software, and information), assigns a responsible person to each asset, and documents a list of them.
- It is desirable to list all the assets held, but if the target is huge, consider narrowing down the target assets by grouping analysis targets and excluding some from the analysis.
- The organization sets priorities on the identified assets based on their importance in its business operation.
Reference guidelines: ISO/IEC 27001:2013 Annex A: A.8.1.1, A.8.1.2
CPS.AM-2
Measure requirement: Specify a method to ensure traceability based on the importance of the components produced by the organization in its supply chain.
Corresponding vulnerability IDs: L1_3_a_COM, L1_3_b_COM
<High-Advanced> (Subject: O)
- When traceability is a requirement, the organization assigns a unique identification to its outputs (products) and maintains the documented information necessary to enable traceability.
  - It is desirable for the organization to consider a method of unique identification that follows the rules applicable to different industries, such as cross-industry common numbering rules.
[Reference] “ISO 9001:2015” 8.5.2 Identification and Traceability
Reference guidelines: none
Common among <Advanced> and <Basic> (Subject: O)
- The organization prioritizes its products into multiple stages from viewpoints such as the following:
  - the extent of the impact on the supply chain when problems (e.g., regarding product quality) are found;
  - the magnitude of the impact on the organization's business when problems (e.g., regarding product quality) are found.
- The organization specifies an appropriate method of identifying outputs (e.g., adding serial numbers) depending on the importance of the components it produces in its supply chain.
- The organization identifies the status of outputs with respect to the monitoring and measurement requirements throughout the processes of manufacturing and providing services.
Reference guidelines: none
CPS.AM-3
Measure requirement: Create records such as the date of production and condition of components depending on their importance, and prepare and adopt internal rules regarding records of production activities in order to store components for a certain period of time.
Corresponding vulnerability IDs: L1_3_a_COM, L1_3_b_COM
<High-Advanced> (Subject: O)
- The organization prepares internal rules for production activities and, given that records of produced components may later be audited in accordance with their importance, shares an understanding of that importance with partners in advance and ensures an appropriate level of record management.
- It is desirable that the records of production activities that are created and managed can be quickly searched by production date, component classification (e.g., product name), and the like.
Reference guidelines: none
Common among <Advanced> and <Basic> (Subject: O)
- The organization creates records such as the date of production and condition of components depending on the importance of the produced component in the supply chain, and prepares and manages internal rules for production activities in order to store components for a certain period of time.
- The organization considers the following when creating or updating the above records:
  - making an appropriate identification and description (e.g., title, date, documenter, reference number);
  - recording in an appropriate format (e.g., language, software version, charts) and medium (e.g., paper, electronic media);
  - obtaining appropriate reviews and approvals for relevance.
Reference guidelines: none
CPS.AM-4
Measure requirement: Create and manage appropriately the network configuration diagrams and data flows within the organization.
Corresponding vulnerability IDs: L1_3_b_ORG, L1_3_c_ORG
<High-Advanced> (Subject: O)
- The organization implements/manages an automated mechanism for monitoring and managing the system configurations, communication network configurations, and data flows of its information systems and industrial control systems in real time.
Reference guidelines: NIST SP 800-53 Rev.4: CM-2(2), CM-2(3), in addition to the references at the lower levels
<Advanced> (Subject: O)
- The organization states the characteristics of the interfaces, the security requirements, and the characteristics of the transmitted data for each network connection in a diagram in the associated documents.
Reference guidelines: NIST SP 800-53 Rev.4: CA-9, in addition to the Basic-level references; ISO/IEC 27001:2013 Annex A: A.13.2.1, A.13.2.2
<Basic> (Subject: O)
- The organization documents and stores the system configurations, communication network configurations, and data flows of its information systems and industrial control systems within a range it manages (for example, per business establishment).
- The organization reviews the related documents periodically, or when there is a change in system configurations, network configurations, or data flows, and updates them as necessary.
Reference guidelines: NIST SP 800-53 Rev.4: CM-2, CM-2(1); IEC 62443-2-1:2010: 4.2.3.4, 4.2.3.5

CPS.AM-5
Measure requirement: Create and manage appropriately a list of the external information systems with which the organization's assets are shared.
Corresponding vulnerability IDs: L1_1_a_COM, L1_1_b_COM, L1_1_c_COM, L1_3_b_ORG, L1_3_c_ORG
<High-Advanced> (Subject: O/S)
- The system keeps a list of the external information services in use and manages the users, devices, and services in use in real time.
- The system uses a mechanism to notify the system administrator when an unpermitted external information system service is detected.
- The organization identifies the functions, ports, protocols, and other services that are necessary for using the services offered by external providers.
Reference guidelines: NIST SP 800-53 Rev.4: SA-9(2), in addition to the references at the lower levels; NIST SP 800-171: 3.12.4
<Advanced> (Subject: O)
- The organization sets the conditions under which other organizations that own or operate external information systems are allowed to:
  a. access an information system in the organization from an external information system;
  b. process, store, or transmit information under the control of the organization using an external information system.
- The organization restricts the use of organization-owned storage on external systems to authorized use.
Reference guidelines: NIST SP 800-53 Rev.4: AC-20, in addition to the Basic-level references; NIST SP 800-171: 3.1.20, 3.1.21, 3.12.4; ISO/IEC 27001:2013 Annex A: A.13.1.2, in addition to the Basic-level references
<Basic> (Subject: O)
- The organization makes a list of the external information system services in use and defines the roles and responsibilities of users in each service.
Reference guidelines: NIST SP 800-53 Rev.4: SA-9; ISO/IEC 27001:2013 Annex A: A.6.1.1
[Reference] Appendix A “Concrete examples of contract provisions and commentaries” of the “Guidebook for using Cloud Security Guideline” (METI, 2013) can be consulted for the points to consider when stipulating in a contract the roles and responsibilities of users, especially for the use of cloud services.
CPS.AM-6
Measure requirement: Classify and prioritize resources (e.g., People, Components, Data, and System) by function, importance, and business value, and communicate the classification to the organizations and people relevant to those resources in business.
Corresponding vulnerability IDs: L1_1_a_ORG, L1_1_b_ORG, L1_1_c_ORG, L3_1_a_ORG, L3_4_a_ORG
Common among <High-Advanced> and <Advanced> (Subject: O)
- The organization considers the business requirements and legal requirements that govern sharing or restricting data when classifying the resources of its information system and industrial control system (data, components processing data, systems, etc.).
- The person responsible for an asset is responsible for the classification of its data.
- The organization includes classification rules, and standards for reviewing a classification after time has passed, in its resource classification scheme.
Reference guidelines: NIST SP 800-53 Rev.4: RA-2, SA-14; ISO/IEC 27001:2013 Annex A: A.6.1.1
<Basic> (Subject: O)
- The organization sets priorities on the identified information assets according to their importance to the organization.
- When related laws or regulations require a certain classification for the organization's resources (e.g., systems and data), the organization applies the appropriate classification to the asset.
Reference guidelines: NIST SP 800-53 Rev.4: RA-2, SA-14; IEC 62443-2-1:2010: 4.2.3.6, 4.3.4.4.3
CPS.AM-7
Measure Requirement: Define roles and responsibilities for cyber security across the organization and other relevant parties.
Corresponding Vulnerability ID: L1_3_b_ORG, L1_3_c_ORG
Examples of security measures:
Common among <High‐Advanced> and <Advanced>
‐ In preparation for damages caused by security incidents, the organization considers risk transfer by using cyber insurance, etc., in addition to implementing the security measures designated by business partners.
 Subject that implements measures: O
 Reference guidelines: ISO/IEC 27001:2013 Annex A (A.6.1.1, A.15.1.1)
<Basic>
‐ In a contract with a contractor or an outsourcer, the organization specifies the scope of the responsibilities of the organization and that of the business partner (stating the disclaimer and an upper limit on the agreed compensation for damages) in case of damage caused by a security incident in the business.
‐ To increase the effectiveness of the security‐related requirements which a business partner requires or is required to satisfy in a contract, it is desirable that the organization reaches agreement on how the requirements are met, how deficiencies and the details of corrective actions are identified, who pays the expenses, and what alternative is used when the requirements cannot be satisfied at the time of the contract or in its early stage.
 Subject that implements measures: O
 Reference guidelines: NIST SP 800-53 Rev.4 (SA-4); IEC 62443-2-1:2010 (4.3.2.3.3)
CPS.BE-1
Measure Requirement: Identify and share the role of the organizations in the supply chain.
Corresponding Vulnerability ID: L1_3_b_ORG, L1_3_c_ORG
Examples of security measures:
<High‐Advanced>
‐ The organization estimates the details and scale of the impacts on direct partners and the entire supply chain in case of a security incident which has a harmful effect on the business of the organization.
 Subject that implements measures: O
 Reference guidelines: NIST SP 800-53 Rev.4 (CP-2, SA-14)
<Advanced>
‐ The organization graphically represents the overview of the supply chain related to the organization, clarifying the roles across the entire organization by considering the component flow, data flow, etc., between organizations.
‐ The organization shares the above results with related organizations (suppliers to the organization, related departments within the organization, and customers of the organization).
 Subject that implements measures: O
 Reference guidelines: -
<Basic>
‐ The organization graphically represents the overview of the business connections among suppliers to the organization, related departments within the organization, and customers of the organization, clarifying the roles in the organization by considering the component flow, data flow, etc., between organizations.
‐ The organization shares the above results with related organizations (suppliers to the organization, related departments within the organization, and customers of the organization).
 Subject that implements measures: O
 Reference guidelines: -

CPS.BE-2
Measure Requirement: Define policies and standard measures regarding security that are consistent with the high-priority business and operations of the organization, and share them with the parties relevant to the organization's business (including suppliers and third-party providers).
Corresponding Vulnerability ID: L1_1_a_ORG, L1_1_b_ORG, L1_1_c_ORG
Examples of security measures:
Common among <High‐Advanced> and <Advanced>
‐ The organization defines its missions and business processes and prioritizes its actions, in consideration of the risks to its business, its assets, persons, other organizations, etc.
‐ The organization informs other organizations of the roles and responsibilities specified for them in its security policies.
 Subject that implements measures: O
 Reference guidelines: NIST SP 800-53 Rev.4 (PM-11, SA-14); ISO/IEC 27001:2013 Annex A (A.5.1.1); IEC 62443-2-1:2010 (4.2.2.1, 4.2.3.6)
<Basic>
‐ The organization should identify in advance the core businesses that should be continued and restored with priority, and the operations considered to be important. In addition, it identifies and prioritizes important resources (relevant parties, People, Components, Data, System, etc.) and functions from the viewpoint of business continuity.
‐ The organization classifies and prioritizes resources, particularly in industrial control systems, taking into consideration whether adverse effects on health, safety and environment (HSE) may occur due to malfunction or stoppage.
 Subject that implements measures: O
 Reference guidelines: -

CPS.BE-3
Measure Requirement: Identify the dependency between the organization and other relevant parties, and the important functions of each in the course of running the operation.
Corresponding Vulnerability ID: L1_3_b_ORG, L1_3_c_ORG
Examples of security measures:
<High‐Advanced>
‐ The organization identifies the functions of the following support utilities for the continuation of its business and the dependence relationships between them:
 ‐ Communication service
 ‐ Electrical power equipment (including power cables)
‐ Among the utilities identified above, for those which have important roles in the continuation of its business, the organization examines the possibility of taking measures such as the following:
 ‐ Establishment of alternative communication services
 ‐ Physical protection of electrical power equipment and power cables
 ‐ Preparation of short‐term permanent power supply equipment
‐ When examining the possibility of using an alternative communication service, the organization considers the following:
 ‐ Identify the availability requirements of the organization (including the target recovery time) when examining a contract with a communication service provider.
 ‐ Reduce the possibility of sharing a single point of failure with the primary communication service.
 Subject that implements measures: O
 Reference guidelines: NIST SP 800-53 Rev.4 (In addition to the following, CP-8, CP-8(1), CP-8(2), PE-9, PE-11); ISO/IEC 27001:2013 Annex A (In addition to the following, A.11.2.2)
<Advanced>
‐ The organization identifies the capacity/capability requirements of an applicable system according to the availability requirements stipulated in CPS.AM-6.
‐ In order to fulfill the required system performance, the organization monitors/adjusts the use of resources in the information systems and industrial control systems in operation, and estimates in advance the storage capacity/performance required in the future.
 Subject that implements measures: O
 Reference guidelines: NIST SP 800-53 Rev.4 (SC-5(2)); ISO/IEC 27001:2013 Annex A (A.12.3.1)
<Basic>
‐ The organization identifies the suppliers on which it has an important dependency in continuing its business.
 Subject that implements measures: O
 Reference guidelines: -

C-2
Appendix C

Table columns: Measure Requirement ID; Measure Requirement; Corresponding Vulnerability ID; Examples of security measures; Subject that implements measures; Reference Guidelines (NIST SP 800-53 Rev.4, NIST SP 800-171, ISO/IEC 27001:2013 Annex A, IEC 62443-2-1:2010, IEC 62443-3-3:2013)
CPS.GV-1
Measure Requirement: Develop security policies, define roles and responsibilities for security across the organization and other relevant parties, and clarify the information-sharing method among stakeholders.
Corresponding Vulnerability ID: L1_1_a_PRO, L1_1_b_PRO, L1_1_c_PRO
Examples of security measures:
<High‐Advanced>
‐ While sharing the basic policy with the operations used in a conventional IT environment, the organization formulates security policies and operational procedures by fully considering the characteristics of the site on which an IoT device is installed.
[Reference] For example, IEC 62443-2-1, a security management standard for industrial automation and control systems (IACS), requires the formulation of cyber security policies at an upper level for an IACS environment.
 Subject that implements measures: O
 Reference guidelines: ISO/IEC 27001:2013 Annex A (A.12.1.1)
<Advanced>
‐ The organization formulates a series of lower‐level security policies, such as the policies and implementation procedures for the following individual topics, to support the policies at a higher level.
 a) Access control and authentication
 b) Physical security measures
 c) System development and maintenance
 d) Management of external contractors
 e) Classification and handling of information
‐ The organization formulates its series of security policies by fully considering the organization's a) business strategies, b) related rules, laws, regulations, and contracts, and c) security threat environment, so that they sufficiently reflect the actual situation of the organization.
‐ The organization reviews and updates the security plan according to changes in its a) business strategies, b) related rules, laws, regulations, and contracts, and c) security threat environment.
[Reference] To formulate a policy at a more detailed level, refer to related standards such as ISO/IEC 27002 for the identification of fields which require a policy, and refer to more detailed guidelines.
 Subject that implements measures: O
 Reference guidelines: NIST SP 800-53 Rev.4 (controls from all security control families); ISO/IEC 27001:2013 Annex A (A.5.1.1, A.12.1.1); IEC 62443-2-1:2010 (4.3.2.3.3, 4.3.2.2.1, 4.3.2.6)
<Basic>
‐ The organization formulates a basic security policy at the highest level of its series of security policies, obtains the approval of management, and operates it appropriately.
‐ The organization reviews and updates the security policy periodically (e.g., once a year).
 Subject that implements measures: O
 Reference guidelines: ISO/IEC 27001:2013 Annex A (A.5.1.1)
CPS.GV-2
Measure Requirement: Formulate internal rules considering domestic and foreign laws, including the Act on the Protection of Personal Information and the Unfair Competition Prevention Act, as well as industry guidelines, and review and revise the rules on a continuing and timely basis in accordance with any changes in relevant laws, regulations, and industry guidelines.
Corresponding Vulnerability ID: L1_2_a_ORG, L1_2_a_COM, L1_2_a_SYS, L1_2_a_PRO, L1_2_a_DAT
Examples of security measures:
Common among <High‐Advanced>, <Advanced> and <Basic>
‐ Within the organization's business activities, clearly identify all related laws, regulations, and contractual requirements in the context of security, as well as the organization's efforts to fulfill these requirements; document them and keep those documents up to date.
‐ The organization defines and documents detailed management measures and the details of responsibilities to satisfy the requirements.
‐ The controller identifies all laws and regulations which apply to each organization in order to satisfy the requirements related to its type of business.
‐ When the organization operates businesses in other countries, the controller considers compliance with the laws and regulations in all related countries.
 Subject that implements measures: O
 Reference guidelines: NIST SP 800-53 Rev.4 (controls from all security control families); ISO/IEC 27001:2013 Annex A (A.6.1.3, A.18.1.1, A.18.1.2, A.18.1.3, A.18.1.4, A.18.1.5); IEC 62443-2-1:2010 (4.4.3.7)
CPS.GV-3
Measure Requirement: Understand the level of data protection required by laws and by arrangements regarding the handling of data shared only among relevant organizations, develop data classification methods based on each requirement, and properly classify and protect data throughout the whole life cycle.
Corresponding Vulnerability ID: L1_1_a_SYS, L1_1_a_DAT, L1_1_b_SYS, L3_1_a_SYS, L3_1_a_DAT, L3_4_a_ORG, L3_4_a_PRO, L3_4_b_ORG, L3_4_b_PRO
Examples of security measures:
Common among <High‐Advanced>, <Advanced> and <Basic>
‐ The organization identifies and documents all legal requirements and contract requirements related to data protection for each system and each organization, together with the organization's activities to satisfy these requirements, and keeps them up to date.
‐ The organization classifies its data appropriately according to the classification in the identified rules.
‐ The organization takes measures for the systems, components, etc., handling the applicable data in accordance with the requirements of the identified rules. When the implementation of a measure is considered difficult, measures such as tokenization of the applicable data within the organization may be considered (e.g., tokenization of card information under the Installment Sales Law).
 Subject that implements measures: O
 Reference guidelines: NIST SP 800-53 Rev.4 (controls from all security control families); NIST SP 800-171 (3.1.22); ISO/IEC 27001:2013 Annex A (A.8.2.1, A.18.1.1, A.18.1.2, A.18.1.3, A.18.1.4, A.18.1.5); IEC 62443-2-1:2010 (4.3.4.4.6)
CPS.GV-4
Measure Requirement: Develop a strategy and secure resources to implement risk management regarding security.
Corresponding Vulnerability ID: L1_1_a_PRO, L1_1_b_PRO, L1_1_c_PRO
Examples of security measures:
Common among <High‐Advanced> and <Advanced>
‐ The organization formulates a comprehensive risk management strategy for the short to medium term (e.g., 1 to 5 years) to manage the risks to the organization's business, capital, persons, and other organizations caused by operating and using a system.
‐ The organization reviews and updates the short- to medium-term risk management strategy periodically or as necessary.
 Subject that implements measures: O
 Reference guidelines: NIST SP 800-53 Rev.4 (In addition to the following, PM-3, PM-9); ISO/IEC 27001:2013 (Clause 6); IEC 62443-2-1:2010 (4.2.3.1, 4.2.3.3, 4.2.3.8, 4.2.3.9, 4.2.3.11, 4.3.2.4.3, 4.3.2.6.3)
<Basic>
‐ The organization determines the security requirements of an information system, industrial control system or system service, and decides, documents, and assigns the resources necessary for protecting the system or the system service.
‐ The organization states each security budget item in the organization's plans and budget‐related materials.
 Subject that implements measures: O
 Reference guidelines: NIST SP 800-53 Rev.4 (SA-2)
CPS.RA-1
Measure Requirement: Identify the vulnerabilities of the organization's assets and document the list of identified vulnerabilities with the corresponding asset.
Corresponding Vulnerability ID: L1_1_a_SYS, L1_1_b_SYS, L1_1_c_SYS
Examples of security measures:
<High‐Advanced>
‐ The organization conducts vulnerability diagnosis at planned timings, such as planned stops, so as not to adversely affect the operation of the systems it manages, and then identifies and lists the vulnerabilities that exist in the systems it owns.
‐ It is desirable to conduct a penetration test periodically to recognize existing vulnerabilities in the systems it manages.
‐ When conducting vulnerability diagnosis, it is desirable to use a vulnerability diagnosis tool whose vulnerability information for the system to be diagnosed can be updated immediately.
‐ The organization develops mechanisms to temporarily permit privileged access to an inspector during vulnerability diagnosis, so that vulnerabilities are identified more thoroughly.
 Subject that implements measures: O
 Reference guidelines: NIST SP 800-53 Rev.4 (In addition to the following, CA-8, RA-5(1), RA-5(5)); ISO/IEC 27001:2013 Annex A (A.12.6.1); IEC 62443-2-1:2010 (In addition to the following, 4.2.3.7, 4.2.3.9)
<Advanced>
‐ The organization carries out a vulnerability diagnosis to recognize the vulnerabilities existing in information systems of high importance and makes a list of them.
‐ In the operation phase of an information system owned by the organization, the organization uses a vulnerability diagnosis tool to periodically identify, among the vulnerabilities collected from various sources, those which are likely to be related to the organization's systems. The organization shall add each identified vulnerability and its impact degree to a list.
[Reference] Japan Vulnerability Notes (https://jvn.jp/) and other sources of information are available for obtaining information regarding vulnerabilities. Also, CVSS (https://www.ipa.go.jp/security/vuln/CVSS.html, illustrated by IPA) can be used as a reference indicator to evaluate the impact level of a vulnerability.
 Subject that implements measures: O
 Reference guidelines: NIST SP 800-53 Rev.4 (RA-5, RA-5(2)); IEC 62443-2-1:2010 (4.2.3.12, 4.3.4.4.5)
<Basic>
‐ The organization recognizes vulnerabilities in the information systems that it manages using documents which serve as baselines of security measures.
 Subject that implements measures: O
 Reference guidelines: -

CPS.RA-2
Measure Requirement: The security management team (SOC/CSIRT) collects information, including vulnerabilities and threats, from internal and external sources (through internal tests, security information, security researchers, etc.), analyzes the information, and establishes a process to implement and use measures.
Corresponding Vulnerability ID: L1_1_a_SYS, L1_3_a_ORG, L2_1_a_ORG, L2_1_c_SYS, L3_1_a_SYS, L3_3_a_SYS, L3_3_d_SYS
Examples of security measures:
<High‐Advanced>
‐ The organization establishes a security measure organization that comprehensively manages its systems, including industrial control systems, IoT systems, etc., and takes security measures in an integrated manner within the organization.
‐ The person in charge of security keeps their knowledge of security in both information systems and industrial control systems up to date by attending workshops and meetings related to security and by maintaining an appropriate communication structure with security professional associations/institutions.
‐ Mainly analyze the products/services that the company offers to check whether any new vulnerability is contained, and if one is detected, submit the related information to IPA.
 Subject that implements measures: O
 Reference guidelines: NIST SP 800-53 Rev.4 (In addition to the following, PM-15); ISO/IEC 27001:2013 Annex A (In addition to the following, A.6.1.4); IEC 62443-2-1:2010 (4.3.2.3.2)
<Advanced>
‐ The organization, with a chief security officer at the center, establishes a security management team mainly for information systems and IoT systems of high business importance, and prepares a structure for handling security measures within the organization.
‐ The organization collects information on vulnerabilities, threats, etc., from organizations including the Information‐technology Promotion Agency (IPA), JPCERT/CC, industry ISACs, and business partners (device vendors and software vendors), and determines the necessity of actions by comparing the information with the organization's asset list.
 Subject that implements measures: O
 Reference guidelines: NIST SP 800-53 Rev.4 (In addition to the following, PM-16); IEC 62443-2-1:2010 (4.2.3.9, 4.2.3.12)
<Basic>
‐ For both information systems and industrial control systems, the organization appoints a chief security officer and a person responsible for security measures, to clarify the security roles and responsibilities within the organization.
‐ The organization checks the security‐related cautions offered by device vendors and software vendors, and notifies stakeholders within the organization about them.
 Subject that implements measures: O
 Reference guidelines: NIST SP 800-53 Rev.4 (SI-5); ISO/IEC 27001:2013 Annex A (A.6.1.1); IEC 62443-2-1:2010 (4.3.2.3.2)
CPS.RA-3
Measure Requirement: Identify and document the assumed security incidents, their impacts on the organization's assets, and their causes.
Corresponding Vulnerability ID: L1_1_a_SYS, L1_1_b_SYS, L1_1_c_SYS
Examples of security measures:
<High‐Advanced>
‐ The organization keeps its security knowledge up to date by attending workshops and meetings related to security and by maintaining an appropriate communication structure with security professional associations/institutions.
‐ As necessary, the organization utilizes services provided by experts, obtains information that only certain experts can know, and uses it to identify threats.
 Subject that implements measures: O
 Reference guidelines: NIST SP 800-53 Rev.4 (In addition to the following, PM-15); ISO/IEC 27001:2013 Annex A (In addition to the following, A.6.1.4)
<Advanced>
‐ The organization collects information including newly released attack trends, malware behaviors, and malicious IP addresses/domains (external intelligence).
‐ The organization evaluates the reliability of the obtained threat information, its impacts on the organization, etc., selects the vulnerabilities to be handled, and documents the threats to be handled.
 Subject that implements measures: O
 Reference guidelines: NIST SP 800-53 Rev.4 (PM-16); IEC 62443-2-1:2010 (4.2.3.9, 4.2.3.12)
<Basic>
‐ The organization recognizes threats to its security and their possibility of occurrence using baseline documents for identifying security threats.
 Subject that implements measures: O
 Reference guidelines: ISO/IEC 27001:2013 (Clause 6.1.2)
CPS.RA-4
Measure Requirement:
- Conduct risk assessments regularly to check whether the security rules for managing the components are effective and applicable to the components for implementation.
- Check for the presence of unacceptable known security risks, including safety hazards, from the planning and design phase of an IoT device and of systems incorporating IoT devices.
Corresponding Vulnerability ID: L1_1_a_SYS, L1_1_b_SYS, L1_1_c_SYS, L2_1_a_COM, L2_1_a_PRO, L2_2_a_ORG, L2_2_a_SYS
Examples of security measures:
<High‐Advanced>
‐ When developing a new device or component which may have an impact on physical space, such as components of an industrial control system, the organization collects/analyzes accident case studies of conventional products and other sources to identify safety‐related hazards.
‐ The organization analyzes the situations in which a hazard leads to harm and identifies the possibility of occurrence and the severity of the harm to estimate the possible risk, especially regarding an industrial control system. At that time, it is desirable to check whether any hazard can be caused by a security issue.
‐ The organization updates the risk assessment if there is a significant change in the industrial control system or the environment in which it operates, or any other change that affects the security state of the industrial control system.
 Subject that implements measures: O
 Reference guidelines: ISO/IEC 27001:2013 Annex A (A.12.6.1, A.18.2.2, A.18.2.3)
<Advanced>
‐ The organization updates a risk assessment when there is a big change in a system or the environment where the system is running (including identification of a new threat or vulnerability), or when any situation which impacts the security status of a system occurs.
‐ When planning/designing a new system using an IoT device, the organization identifies the existing assets and the assets to be protected in the system to be implemented, and organizes security measures according to the use and configuration of the system. For a component or system with a long life cycle, or one requiring availability, consideration of security measures at the phase before design is especially important.
‐ When considering the security measures applied to purchased products and services, the organization makes sure that the levels of the measures correspond to the importance of those products and services.
 Subject that implements measures: O
 Reference guidelines: NIST SP 800-53 Rev.4 (In addition to the following, SA-12(2)); NIST SP 800-171 (3.11.1)
<Basic>
‐ The organization defines a security risk assessment process and applies it periodically (e.g., once a year).
 ‐ Establish and maintain security risk criteria.
 ‐ Identify security risks in the following way:
  1) Clarify the target of analysis.
  2) Identify incidents (including changes in circumstances) and their causes.
 ‐ Analyze security risks in the following way:
  1) Evaluate the possible results when the risks identified above occur.
  2) Evaluate the possibility of the actual occurrence of the risks identified above.
 ‐ Refer to the risk criteria, determine a risk level, and prioritize the risk.
‐ The organization documents and stores the information security risk assessment process.
[Reference] An "asset‐based" method and a "business damage‐based" method are known security risk assessment methods.
 Subject that implements measures: O
 Reference guidelines: NIST SP 800-53 Rev.4 (RA-3); ISO/IEC 27001:2013 (Clause 6.1.2, A.18.2.2, A.18.2.3); IEC 62443-2-1:2010 (4.2.3.9, 4.2.3.12)
CPS.RA-5
Measure Requirement: Consider threats, vulnerabilities, likelihood, and impacts when assessing risks.
Corresponding Vulnerability ID: L1_1_a_SYS, L1_1_b_SYS, L1_1_c_SYS
Examples of security measures:
<High‐Advanced>
‐ The organization uses automated mechanisms for risk assessment (e.g., assessment of the scope of impact) as it receives information about newly identified threats and vulnerabilities.
‐ The organization securely shares with its stakeholders in the supply chain the information about threats and vulnerabilities that may have significant impacts on relevant parties as well as on the organization.
 Subject that implements measures: O
 Reference guidelines: -
<Advanced>
‐ The organization updates a risk assessment when there is a big change in an information system or the environment where the information system is running (including identification of a new threat or vulnerability), or when any situation which impacts the security status of a system occurs. In that case, priority is given to information systems or industrial control systems of high importance.
* Implementation details common to CPS.RA-4
 Subject that implements measures: O
 Reference guidelines: ISO/IEC 27001:2013 Annex A (A.12.6.1)
<Basic>
‐ The organization defines a security risk assessment process and applies it periodically (e.g., once a year).
 ‐ Establish and maintain security risk criteria.
 ‐ Identify security risks in the following way:
  1) Clarify the target of analysis.
  2) Identify incidents (including changes in circumstances) and their causes.
 ‐ Analyze information security risks in the following way:
  1) Evaluate the possible results when the risks identified above occur.
  2) Evaluate the possibility of the actual occurrence of the risks identified above.
 ‐ Refer to the risk criteria, determine a risk level, and prioritize the risk.
‐ The organization documents and stores the information security risk assessment process.
* Implementation details common to CPS.RA-4
 Subject that implements measures: O
 Reference guidelines: NIST SP 800-53 Rev.4 (RA-3); ISO/IEC 27001:2013 (Clause 6.1.2)

CPS.RA-6
Measure Requirement:
- On the basis of the results of the risk assessment, clearly define the details of the measures to prevent possible security risks, and document the organized outcome, including the scope and priorities of the measures.
- React accordingly to the security risks and the associated safety risks identified as a result of the assessment conducted at the planning and design phase of an IoT device and of systems incorporating IoT devices.
Corresponding Vulnerability ID: L1_1_a_SYS, L1_1_b_SYS, L1_1_c_SYS, L2_1_a_COM, L2_1_a_PRO, L2_2_a_SYS
Examples of security measures:
<High‐Advanced>
‐ On the basis of the results of the hazard analysis performed in CPS.RA-4, mainly for the industrial control system, the organization appropriately treats, as necessary, the sources of risk which may lead to a critical hazard.
[Reference] Security integration in safety control has been particularly discussed in recent years in terms of international standardization, and IEC TR 63074, IEC TR 63069, etc., are available for reference.
 Subject that implements measures: O
 Reference guidelines: ISO/IEC 27001:2013 Annex A (A.5.1.2)
<Advanced>
‐ The organization securely stores the documented information on its security risk management processes.
‐ When the organization selects a measure according to the risk assessment results, it is desirable that the organization documents the measure to be taken and the reason why it is adopted.
‐ When applying the measure, the organization formulates a security risk management plan and obtains approval from the risk owner.
‐ The organization reviews the security risk handling plan and checks that the plan conforms to the priority order of the entire organization's risk management strategy.
‐ The organization informs the applicable external business operators of the security measures necessary for a new system including an IoT device, as extracted in CPS.RA-4, in the form of required specifications.
‐ The organization verifies whether the security measures defined in the required specifications and contracts are implemented at the time of deployment of the systems including an IoT device, via User Acceptance Test (UAT). If there is anything unclear, it confirms with the external business operator.
 Subject that implements measures: O
 Reference guidelines: NIST SP 800-53 Rev.4 (PM-4); NIST SP 800-171 (3.12.4); ISO/IEC 27001:2013 (Clause 6.1.3, Clause 8.3, A.5.1.2)
<Basic>
‐ The organization considers the risk assessment results and selects handling measures for the identified risks.
‐ The organization formulates a security risk treatment implementation plan.
‐ The organization obtains approval from the risk owner for acceptance of the security risk.
 Subject that implements measures: O
 Reference guidelines: -
CPS.RM-1
Measure Requirement: Confirm the implementation status of the organization's cyber security risk management and communicate the results to the appropriate parties within the organization (e.g., senior management). Define the scope of responsibilities of the organization and the relevant parties (e.g., subcontractors), and establish and implement the process to confirm the implementation status of security risk management of the relevant parties.
Corresponding Vulnerability ID: L1_1_a_PRO, L1_1_b_PRO, L1_1_c_PRO, L1_3_b_ORG, L1_3_c_ORG
Examples of security measures:
<High‐Advanced>
‐ When formulating and revising a risk management strategy, the organization interviews highly important business partners regarding risk management strategies, to align awareness of security risks and the necessary measures. In that case, it is desirable to cover the following:
 ‐ Major security risks related to the business of the organization and the continuance of the business
 ‐ Details and scale of the impact on the business partner when the above risks materialize
 ‐ Handling policy for the above security risks
 ‐ (When the risk management strategy is revised) Changes in the internal and external conditions and the important points to be changed from the previous version
 Subject that implements measures: O
 Reference guidelines: -
<Advanced>
‐ The organization formulates a comprehensive risk management strategy to manage the risks to the organization's business, capital, persons, and other organizations caused by operating and using information systems and industrial control systems.
‐ The organization implements the risk management strategy while keeping consistency across the entire organization.
‐ The organization reviews and updates the risk management strategy periodically or when it is necessary to cope with an organizational change.
‐ The organization's management periodically reviews the following aspects of the organization's risk management strategy that are concerned with security:
 ‐ How many attacks are you facing (detected)? (Detection numbers from anti‐virus products/IDS, latest threat trends, etc.)
 ‐ Is the implementation status of security measures as planned? (Application rate of the security measures to be implemented, such as anti‐malware and security patch application, etc.)
 ‐ Did you allow an attacker (including an insider) to intrude? (Description of events suspected to be external intrusion or internal fraud, found through security monitoring activities)
 ‐ What is the state of security not directly related to information systems or industrial control systems? (Retirement, loss of PCs and devices, occurrence of physical theft, etc.)
‐ The organization documents and stores the results of the reviews by management.
 Subject that implements measures: O
 Reference guidelines: NIST SP 800-53 Rev.4 (PM-9); ISO/IEC 27001:2013 (Clause 9.3); IEC 62443-2-1:2010 (4.3.4.2)
<Basic>
‐ The organization identifies the person responsible for security risk management both in information systems and in industrial control systems.
‐ The organization identifies the scope of the security risks for which it is responsible in its business.
 Subject that implements measures: O
 Reference guidelines: -
CPS.RM-2
Measure Requirement: Determine the organization's risk tolerance level based on the results of the risk assessment and its role in the supply chain.
Corresponding Vulnerability ID: L1_1_a_ORG, L1_1_a_SYS, L1_1_b_ORG, L1_1_b_SYS, L1_1_c_SYS
Examples of security measures:
<High‐Advanced>
‐ The organization determines its risk tolerance level by capturing the risk situations related to supply chains identified in CPS.BE-1 and based on the results of the risk assessments performed in CPS.RA-4.
‐ The organization interviews important business partners who may suffer an undesirable impact from a security incident in the organization, to discuss the organization's risk tolerance level.
 Subject that implements measures: O
 Reference guidelines: NIST SP 800-53 Rev.4 (In addition to the following, SA-14)
<Advanced>
‐ The organization determines its risk tolerance level by capturing the actual risk situations of supply chains identified in CPS.BE-1 <Advanced> and based on the results of the risk assessments performed in CPS.RA-4.
 Subject that implements measures: O
 Reference guidelines: ISO/IEC 27001:2013 (Clause 6.1.3, Clause 8.3); IEC 62443-2-1:2010 (4.3.2.6.5)
<Basic>
‐ The organization determines its risk tolerance level based on the results of the risk assessments performed in CPS.RA-4.
‐ The organization obtains approval for the remaining risks from the owners of those risks.
‐ The organization documents the risk management results and safely maintains lists of the risk tolerance criteria and the accepted risks.
 Subject that implements measures: O
 Reference guidelines: NIST SP 800-53 Rev.4 (PM-8)
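As an added example (not the CPSF's own), the <Basic> risk assessment steps of CPS.RA-4 and CPS.RA-5 carried through in code, followed by the CPS.RM-2 <Basic> handling of remaining risks against a tolerance level with risk-owner approval and an accepted-risk list; the scales, thresholds, tolerance level and sample incidents are all assumptions, not values from the Framework.

```python
"""Security risk assessment and risk tolerance record (added example, not from the CPSF).

Walks the CPS.RA-4 / CPS.RA-5 <Basic> steps using the four factors CPS.RA-5 names
(threats, vulnerabilities, likelihood, impacts), then applies the CPS.RM-2 <Basic>
rule that remaining risks are accepted only with the risk owner's approval and are
kept in an accepted-risk list. Scales, thresholds and incidents are assumptions.
"""
from dataclasses import dataclass, field

LEVEL_ORDER = {"Low": 0, "Medium": 1, "High": 2}
RISK_TOLERANCE = "Low"   # assumed tolerance level: risks above it must be treated


@dataclass
class Incident:
    target: str          # 1) target of analysis (an asset or a business process)
    scenario: str        # 2) assumed incident (including changes in circumstances)
    cause: str           # 2) its cause
    threat: int          # 1..3: how active and capable the threat source is
    vulnerability: int   # 1..3: how exposed the target is to that threat
    impact: int          # 1..3: possible results (business damage) if it occurs
    owner: str           # risk owner who may approve accepting a remaining risk


def likelihood(threat: int, vulnerability: int) -> int:
    """Possibility of occurrence (1..3). Assumption: a risk materialises only when
    an active threat meets an exposed target, so the lower factor bounds it."""
    for v in (threat, vulnerability):
        if v not in (1, 2, 3):
            raise ValueError("scale values must be 1, 2 or 3")
    return min(threat, vulnerability)


def risk_level(score: int) -> str:
    """Risk criteria (assumed): score = likelihood x impact (1..9) mapped to a level."""
    if score <= 2:
        return "Low"
    if score <= 4:
        return "Medium"
    return "High"


def assess(incidents):
    """Identify, analyse, determine the level against the criteria, and prioritise."""
    register = []
    for inc in incidents:
        lk = likelihood(inc.threat, inc.vulnerability)
        score = lk * inc.impact
        register.append({"target": inc.target, "scenario": inc.scenario,
                         "cause": inc.cause, "likelihood": lk, "impact": inc.impact,
                         "score": score, "level": risk_level(score), "owner": inc.owner})
    # Prioritise: higher level and score first; on ties, the larger impact first.
    register.sort(key=lambda r: (-LEVEL_ORDER[r["level"]], -r["score"], -r["impact"]))
    for rank, row in enumerate(register, start=1):
        row["priority"] = rank
    return register


@dataclass
class RiskRecord:
    """Documented results: tolerance criterion, accepted risks, risks awaiting the
    owner's decision, and risks that must be treated (CPS.RM-2 <Basic>)."""
    tolerance: str = RISK_TOLERANCE
    accepted: list = field(default_factory=list)
    pending_approval: list = field(default_factory=list)
    to_treat: list = field(default_factory=list)


def decide(register, approvals):
    """Apply the tolerance level. `approvals` maps a scenario to the name of the
    person approving its acceptance; only the risk owner's approval counts."""
    record = RiskRecord()
    for row in register:
        approver = approvals.get(row["scenario"])
        if approver is not None and approver != row["owner"]:
            raise PermissionError(f"{approver!r} is not the risk owner for {row['scenario']!r}")
        if LEVEL_ORDER[row["level"]] > LEVEL_ORDER[record.tolerance]:
            record.to_treat.append(row)          # above tolerance: cannot be accepted
        elif approver is None:
            record.pending_approval.append(row)  # within tolerance, owner not yet asked
        else:
            record.accepted.append({**row, "approved_by": approver})
    return record


# Constructed sample input (not real assessment data).
SAMPLE_INCIDENTS = [
    Incident("remote maintenance gateway", "unauthorised access to the control network",
             "internet-reachable remote access service", 3, 3, 3, "OT manager"),
    Incident("office file server", "ransomware encrypts shared drives",
             "phishing mail delivering malware", 3, 2, 2, "IT manager"),
    Incident("visitor Wi-Fi", "bandwidth exhaustion by guests",
             "no per-client rate limit", 1, 2, 1, "network lead"),
    Incident("customer data export batch", "export file left readable on shared storage",
             "manual procedure without a retention rule", 2, 2, 2, "data protection officer"),
]

if __name__ == "__main__":
    reg = assess(SAMPLE_INCIDENTS)
    rec = decide(reg, {"bandwidth exhaustion by guests": "network lead"})
    for row in reg:
        print(f"{row['priority']}. [{row['level']:<6}] {row['target']}: {row['scenario']}")
    print("accepted:", [r["scenario"] for r in rec.accepted])
    print("to treat:", [r["scenario"] for r in rec.to_treat])
```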
CPS.SC-1
Measure Requirement: Formulate the standard of security measures relevant to the supply chain in consideration of the business life cycle, and agree on the contents with the business partners after clarifying the scope of responsibilities.
Corresponding Vulnerability ID: L1_1_a_ORG, L1_1_b_ORG, L1_1_c_ORG
Examples of security measures:
Common among <High‐Advanced> and <Advanced>
‐ The organization, with reference to its security measure criteria regarding the supply chain, prepares and provides to potential partners tender documents such as an ITT (Invitation To Tender) and an RFP (Request For Proposal). In particular, it is advisable that the following items be included in the tender documents:
 1) Specifications of the products or services to be procured
 2) Security requirements that the supplier should comply with during the supply period of the products or services
 3) Service levels and the indices to comply with during the supply period of the products or services
 4) Penalties that the purchaser may impose if the supplier breaches the security requirements
 5) Confidentiality clauses to protect the data transmitted during the supplier selection process, the systems, etc.
‐ The organization prepares procedures for continuously monitoring the business partners' compliance with the security management measures.
‐ To take precautions against cases where a security incident at a business partner impacts the organization, the organization clarifies in a written contract where responsibility lies between the external business operator and the organization, and describes the compensation for damage to the organization for which the external business operator is responsible.
 Subject that implements measures: O
 Reference guidelines: NIST SP 800-53 Rev.4 (In addition to the following, SA-9(2)); ISO/IEC 27001:2013 Annex A (In addition to the following, A.15.2.1)
<Basic>
‐ The organization formulates security measure criteria applicable to business partners (especially those handling the organization's data or providing a foundation for handling the data) according to the applicable laws and regulations, and reaches agreement on the details.
 Subject that implements measures: O
 Reference guidelines: NIST SP 800-53 Rev.4 (SA-9); ISO/IEC 27001:2013 Annex A (A.15.1.1, A.15.1.2); IEC 62443-2-1:2010 (4.3.4.4.1)

C-5
Appendix C

Table columns (each entry below follows this order): Measure Requirement ID | Measure Requirement | Corresponding Vulnerability ID | Examples of security measures (per level) | Subject that implements measures | Reference Guidelines: NIST SP 800-171, NIST SP 800-53 Rev.4, ISO/IEC 27001:2013 Annex A, IEC 62443-2-1:2010, IEC 62443-3-3:2013
CPS.SC-2
Measure Requirement: Identify, prioritize, and evaluate the organizations and people that play an important role in each layer of the three-layer structure in sustaining the operation of the organization.
Corresponding Vulnerability ID: L1_1_a_ORG, L1_1_b_ORG, L1_1_c_ORG, L2_3_c_ORG, L3_1_b_ORG, L3_1_c_ORG, L3_3_a_ORG, L3_3_b_ORG, L3_3_d_ORG

<High-Advanced>
- The organization determines in advance its core business that must continue or recover before any other operations, and identifies and prioritizes important resources (other relevant organizations, employees, items, data, systems, etc.) and functions vital for continuing the applicable businesses.
- In case a security incident in a business partner has harmful business impacts, the organization estimates the details of the impacts on the organization and their likelihood and scale.
* Related requirements of countermeasures include CPS.AM-6 and CPS.BE-2.
[Subject: O | SP 800-171: - | SP 800-53: ○ (In addition to the following, SA-14) | ISO 27001: ○ (A.15.1.1, A.15.1.2), shown once for <High-Advanced> and <Advanced> | IEC 62443-2-1: ○ (In addition to the following, 4.2.3.3, 4.2.3.8, 4.2.3.9, 4.2.3.10) | IEC 62443-3-3: -]

<Advanced>
- The organization identifies the business partners in the supply chains which can impact the organization's missions/business processes, and confirms whether the applicable partners can fulfill the security roles and responsibilities specified in the organization's security policies.
[Subject: O | SP 800-171: - | SP 800-53: ○ | ISO 27001: ○ (A.15.1.1, A.15.1.2) | IEC 62443-2-1: ○ (4.2.3.1, 4.2.3.2, 4.2.3.4, 4.2.3.6, 4.2.3.12, 4.2.3.13, 4.2.3.14, 4.3.4.2) | IEC 62443-3-3: -]

<Basic>
- The organization should identify in advance the core businesses that should be continued and restored in priority, and the operations considered to be important. In addition, it identifies and prioritizes important resources (relevant parties, People, Components, Data, System, etc.) and functions from the viewpoint of business continuity.
- When the organization expects to use an IoT device for a long period of time, the organization selects a business partner (device vendor) that has adequate management organizations (e.g., service desk(s), maintenance system) from which long-term support can be expected.
- The organization confirms with the partner (the device vendor) whether to replace a device at the end of support before implementing a system.
- When the organization selects a business partner (service provider), it is desirable to select a service provider who operates and manages IT services efficiently and effectively, for example one that:
  - has acquired ITSMS certification based on JIS Q 20000; or
  - has implemented measures equivalent to ITSMS certification based on a self-declaration of conformity.
[Subject: O | SP 800-171: - | SP 800-53: ○ (SA-4) | ISO 27001: - | IEC 62443-2-1: - | IEC 62443-3-3: -]
CPS.SC-3
Measure Requirement: When signing contracts with external organizations, check if the security management of the other relevant organizations properly complies with the security requirements defined by the organization, while considering the objectives of such contracts and the results of risk management.
Corresponding Vulnerability ID: L1_1_a_PRO, L1_1_b_PRO, L1_1_c_PRO, L1_1_d_ORG, L2_3_c_ORG, L3_1_b_ORG, L3_1_b_DAT, L3_1_c_ORG, L3_1_c_DAT, L3_3_d_ORG, L3_3_a_ORG, L3_3_b_ORG, L3_3_c_ORG, L3_4_a_DAT, L3_4_b_DAT

<High-Advanced>
- In a contract with a business partner who provides systems/components/services, the organization requires the partner to:
  - Create evidence of the implementation of the security assessment plan, and submit the results of security tests/evaluations.
  - Develop a plan for remedying defects identified during security testing/evaluation.
  - Disclose the plan for defect remediation and its implementation status.
- It is desirable that the organization applies the necessary security measure requirements to directly consigned parties, and accompanying requirements to reconsigned parties, considering the scale of the risks originating from the supply chains.
[Subject: O | SP 800-171: - | SP 800-53: ○ (In addition to the following, SA-11) | ISO 27001: - | IEC 62443-2-1: - | IEC 62443-3-3: -]

<Advanced>
- In accordance with the missions/business needs of the organization, state the following requirements, descriptions, and criteria in a procurement contract for a system, component, or service:
  - Requirements for security measures
  - Requirements for security-related documents
  - Requirements for protection of security-related documents
  - Confidentiality clauses
  - Implementation body and method of each handling: reporting destination at the time of incident occurrence, reporting details, initial reaction, investigation, recovery, etc.
  - Conditions under which observance of the security requirements can be confirmed by inspection, as defined by the organization or an authorized third party
  - How to handle information assets at the end of the contract
- The organization requires business partners, in the procurement contract, to implement security requirements that comply with applicable laws and regulations, and to implement additional measures when these are recognized as necessary because of the characteristics of the contracted duty, etc.
- It is desirable to consider the following items in advance when determining security requirements based on laws and regulations and requiring business partners to comply with them:
  - Identification of potential risks in terms of legal regulations that may arise from differences in the applicable laws between the organization and the business partner
  - Negative impacts on the contract in terms of security due to legal and regulatory obligations applicable to the business partner
[Subject: O | SP 800-171: - | SP 800-53: ○ (In addition to the following, SA-4) | ISO 27001: ○ (A.13.2.4, A.15.1.2) | IEC 62443-2-1: ○ (4.3.2.6.4, 4.3.2.6.7) | IEC 62443-3-3: -]

<Basic>
- The organization requires business partners to implement security requirements that comply with applicable laws and regulations.
- The organization confirms that the business partner has declared "SECURITY ACTION" in the process of selecting and evaluating a contractor.
* "SECURITY ACTION" is an initiative in Japan under which small and medium-sized enterprises declare that they work on information security measures.
[Subject: O | SP 800-171: - | SP 800-53: ○ (SA-9) | ISO 27001: - | IEC 62443-2-1: - | IEC 62443-3-3: -]
CPS.SC-4
Measure Requirement: When signing contracts with external parties, check if the products and services provided by the other relevant organizations properly comply with the security requirements defined by the organization, while considering the objectives of such contracts and the results of risk management.
Corresponding Vulnerability ID: L1_1_a_PRO, L1_1_b_PRO, L1_1_c_PRO, L1_1_d_ORG, L1_1_d_COM, L2_1_a_COM, L2_1_a_PRO, L2_2_a_ORG, L2_3_a_ORG, L2_3_c_ORG, L2_3_c_PRO, L2_3_d_ORG, L3_1_b_ORG, L3_3_a_ORG, L3_3_b_ORG, L3_3_c_ORG, L3_3_d_ORG

<High-Advanced>
- The organization or a third party tests the procured devices to see whether the security requirements stipulated in the contract are fulfilled.
- The organization checks throughout the entire relevant supply chain (including reconsigned organizations) whether the devices especially important for its operation are manufactured under appropriate procedures by organizations whose quality and security management ability is above a certain level.
[Subject: O | SP 800-171: - | SP 800-53: - | ISO 27001: ○ (In addition to the following, A.14.3.1) | IEC 62443-2-1: - | IEC 62443-3-3: -]

<Advanced>
- The organization specifies in the contract the security requirements that the products and services procured from the partner should comply with, such as the following:
  - Specific certifications related to security (e.g., ISMS certification, ISASecure EDSA certification, Japan Information Technology Security Evaluation and Certification Scheme (JISEC)) have been obtained.
  - The vendor itself confirms that it has implemented the security measures in accordance with the standards of specific certifications related to security.
  - It has implemented the necessary security requirements from the design phase (security by design) based on the results of risk analysis, etc., and tested them.
- It is desirable that the organization, at the planning phase of procurement, secures a budget for security requirements regarding the products or services themselves, or for protection of the assets used for procurement and supply of such products or services.
- The organization formulates, manages and improves security measurement rules to evaluate the procurement or supply of products or services, including the following:
  - Target for measurement
  - Method and frequency of reporting on measures taken
  - Measures to be taken when measures are not implemented
- The organization checks the means of detecting (or preventing) falsification and leakage during shipment, and whether the IoT devices and software being delivered have been operated without authorization:
  - Goods: security courier, protection seal, etc.
  - Digital transfer: encryption, hash of the entire transmitted data, etc.
[Subject: O | SP 800-171: - | SP 800-53: - | ISO 27001: ○ (A.8.3.3, A.14.1.1, A.14.2.9, A.15.1.3) | IEC 62443-2-1: - | IEC 62443-3-3: -]

<Basic>
- During procurement, the organization confirms whether the IoT devices it possesses are genuine products by checking the label.
- By utilizing the IDs, secret keys, and electronic certificates included in the IoT devices and software, the organization confirms that procured devices are genuine products.
- The organization confirms the following when selecting relevant parties for the provision of products and services:
  - The product/service support period is sufficient, including the distribution of security patches.
  - The response after the support period has been identified.
[Subject: O | SP 800-171: - | SP 800-53: - | ISO 27001: - | IEC 62443-2-1: - | IEC 62443-3-3: -]

C-6
CPS.SC-5
Measure Requirement: Formulate and manage security requirements applicable to members of other relevant organizations, such as business partners, who are engaged in operations outsourced from the organization.
Corresponding Vulnerability ID: L1_1_a_PEO, L1_1_b_PEO, L1_1_c_PEO, L2_3_b_PEO, L3_1_b_PEO, L3_1_c_PEO

<High-Advanced>
- The organization prepares a procedure to continuously monitor whether the security requirements from the contractee are complied with by the staff of the contractor, and to enable notification of the organization's personnel in charge when irregular behavior is found.
[Subject: O | SP 800-171: - | IEC 62443-2-1: - | IEC 62443-3-3: -]

<Advanced>
- The organization trains the staff on the information security aspects of supplier relationships, in particular to ensure that the handling of confidential information is correctly understood.
- The organization regularly confirms that it complies with the security requirements from the contractee in conducting the contracted work.
[Subject: O | SP 800-171: - | IEC 62443-2-1: - | IEC 62443-3-3: -]

<Basic>
- The organization identifies and evaluates the staff who access, disclose or change data related to the contracted work that should not be disclosed or changed, such as confidential data or intellectual property.
- After the contract with the contractor is finished, the organization immediately terminates the rights that were temporarily granted to the personnel of the contractor, such as access rights to its facilities.
[Subject: O | SP 800-171: - | IEC 62443-2-1: - | IEC 62443-3-3: -]
SP 800-53: ○ (PS-7) and ISO 27001: ○ (A.16.1.2, A.16.1.5) are shown once for all three levels.
CPS.SC-6
Measure Requirement: Conduct regular assessments through auditing, test results, or other checks of relevant parties such as business partners to ensure they are fulfilling their contractual obligations.
Corresponding Vulnerability ID: L1_1_a_DAT, L1_1_a_PRO, L1_1_b_PRO, L1_1_c_PRO, L2_3_c_ORG, L2_3_c_PRO, L2_3_d_ORG, L3_1_a_DAT, L3_1_b_ORG, L3_1_b_DAT, L3_1_c_ORG, L3_1_c_DAT, L3_3_a_ORG, L3_3_b_ORG, L3_3_c_ORG, L3_3_d_ORG, L3_4_a_DAT, L3_4_b_DAT

<High-Advanced>
- The organization adopts an automatic mechanism integrating review, analysis, and reporting that supports investigation and addresses procedures for deviation, or signs of deviation, from contract matters.
- The organization uses a mechanism that allows it to list and check whether the obligatory matters stipulated in the contract are fulfilled, namely matters concerning the security management of the organization and the security functions implemented in the products and services to be delivered, especially for important clients and reconsigned organizations.
- The state of compliance with the security management measures of the external service provider is regularly checked by external audits and field surveys conducted by the outsourcer.
- The important business partners and, if possible, their re-contractors etc. investigate whether there is any sign of attack or any fact of information leakage, and regularly report the result to the organization.
[Subject: O | SP 800-171: ○ (In addition to the following, 3.3.5) | SP 800-53: ○ (In addition to the following, AU-6(1), AU-6(3)) | ISO 27001: ○ (A.12.7.1, A.14.3.1, A.15.2.1), shown once for <High-Advanced> and <Advanced> | IEC 62443-2-1: - | IEC 62443-3-3: -]

<Advanced>
- The organization checks whether the requirements prescribed in the contract with the client can be audited on the system.
- The information system provides a function that allows audit records to be created for the events defined above that can be audited on the system.
- The organization shall be able to maintain consistency in security audits with other organizations that require information on the audit.
- The organization regularly reviews and analyzes audit records that are made manually or automatically by the system, and checks whether there is any deviation, or sign of deviation, from contract matters.
- The state of compliance with the security management measures of the external service provider is regularly checked by internal audits conducted by the client using a checklist.
[Subject: O | SP 800-171: ○ (3.3.1) | SP 800-53: ○ (AU-2, AU-6, AU-12, SA-9) | ISO 27001: ○ (A.12.7.1, A.14.3.1, A.15.2.1) | IEC 62443-2-1: ○ (4.3.2.6.7, 4.3.4.3.1) | IEC 62443-3-3: ○ (SR 6.1)]

<Basic>
- Certificates of acquisition of various certifications and schemes (e.g., ISMS, CSMS, privacy mark) are checked as an alternative method to confirm the implementation of the required security measures.
[Subject: O | SP 800-171: - | SP 800-53: - | ISO 27001: - | IEC 62443-2-1: - | IEC 62443-3-3: -]
CPS.SC-7
Measure Requirement: Formulate and implement procedures to address noncompliance with contractual requirements found as a result of an audit, test, or other check on relevant parties.
Corresponding Vulnerability ID: L1_1_a_PRO, L1_1_b_PRO, L1_1_c_PRO, L1_1_d_ORG, L2_2_a_ORG, L2_3_c_ORG, L2_3_c_PRO, L3_1_b_ORG, L3_1_c_ORG, L3_3_a_ORG, L3_3_b_ORG, L3_3_c_ORG, L3_3_d_ORG

<High-Advanced>
- The organization formulates and manages a procedure to execute the following when nonconformity by the partner is found at an audit or test:
  1) Identify and assess the security impact arising from such nonconformity.
  2) Decide whether to review the security requirements defined in the contract.
  3) Decide the corrective action to be taken to achieve the acceptable security level within the procured products and services.
  4) Agree with the partner on the above.
[Subject: O | SP 800-171: - | SP 800-53: - | ISO 27001: - | IEC 62443-2-1: - | IEC 62443-3-3: -]

<Advanced>
- The organization formulates and manages a procedure to, when nonconformity by the partner is found at an audit or test, require the partner to make a remediation plan and to confirm the implementation status of the plan as needed.
[Subject: O | SP 800-171: - | SP 800-53: - | ISO 27001: - | IEC 62443-2-1: - | IEC 62443-3-3: -]

<Basic>
- The organization is aware of the risk to its own organization from the failure of products and services when non-conformances are found in its audits or tests on those products and services.
[Subject: O | SP 800-171: - | SP 800-53: - | ISO 27001: - | IEC 62443-2-1: - | IEC 62443-3-3: -]

CPS.SC-8
Measure Requirement: Collect and securely store data proving that the organization is fulfilling its contractual obligations with other relevant parties or individuals, and prepare it for disclosure as needed within appropriate limits.
Corresponding Vulnerability ID: L1_1_d_ORG, L2_2_a_ORG, L2_3_c_ORG, L2_3_c_PRO, L3_1_b_ORG, L3_1_c_ORG, L3_3_a_ORG, L3_3_b_ORG, L3_3_c_ORG

<High-Advanced>
- The organization uses a trail storage system with the following features to flexibly fulfill, on a real-time basis, the needs of clients and other related organizations such as a third-party auditing institution:
  - The relevance of the audit trail in question to the contract matter can be verified quickly.
  - Only authorized entities, such as clients and outsourced auditing agencies, can access the system.
  - Stored data has reliable trails such as time stamps and electronic signatures.
[Subject: O | SP 800-171: - | SP 800-53: - | ISO 27001: - | IEC 62443-2-1: - | IEC 62443-3-3: -]

<Advanced>
- The organization takes measures so that those audit records generated by the system which are acquired over a long period of time can be obtained with certainty.
- In order to protect audit records from the following threats, it is desirable for the system to apply fine-grained access control to the items and systems in which audit records are stored:
  - Changing the format of a recorded message
  - Changing or deleting a log file
  - Exceeding the storage space of the log file medium
[Subject: O/S | SP 800-171: - | SP 800-53: ○ (In addition to the following, AU-9, AU-11(1)) | ISO 27001: ○ (A.12.4.1, A.18.1.3) | IEC 62443-2-1: ○ (4.3.2.6.7) | IEC 62443-3-3: ○ (SR 6.1)]

<Basic>
- The organization preserves audit records for an appropriate period of time so as to satisfy the requirements of laws and regulations.
[Subject: O | SP 800-171: - | SP 800-53: ○ (AU-11) | ISO 27001: - | IEC 62443-2-1: - | IEC 62443-3-3: -]
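The trail-storage features listed for CPS.SC-8 (time stamps, electronic signatures, quick selection of the records relevant to one contract, and detection of changed or deleted records) can be checked mechanically. The following is an added example, not code from the Framework; it assumes records are JSON objects, uses SHA-256 chaining to link each record to its predecessor, and uses an HMAC under a key held only by the trail system as a stand-in for the electronic signature.

```python
"""Tamper-evident audit trail for contract evidence (CPS.SC-8).

Added example, not part of the Framework. Assumptions: records are JSON
objects kept in an append-only list; an HMAC computed with a key held only
by the trail storage system stands in for the electronic signature the
Framework mentions; SHA-256 chaining links each record to the one before it.
"""
import hashlib
import hmac
import json
from datetime import datetime, timezone

SIGNING_KEY = b"constructed-example-key"  # a real deployment keeps this in an HSM/KMS
GENESIS = "0" * 64                        # stand-in "previous hash" for the first record


def _canonical(obj: dict) -> bytes:
    """Fixed key order and separators so equal content always hashes equally."""
    return json.dumps(obj, sort_keys=True, separators=(",", ":")).encode()


def _sign(value: str) -> str:
    return hmac.new(SIGNING_KEY, value.encode(), "sha256").hexdigest()


def append_record(trail: list, contract_id: str, event: dict, now: datetime) -> dict:
    """Append one timestamped, chained and signed record; returns the record."""
    body = {
        "seq": len(trail),
        "timestamp": now.astimezone(timezone.utc).isoformat(),
        "contract_id": contract_id,   # lets an auditor pull the records for one contract quickly
        "event": event,
        "prev_hash": trail[-1]["hash"] if trail else GENESIS,
    }
    body["hash"] = hashlib.sha256(_canonical(body)).hexdigest()
    body["sig"] = _sign(body["hash"])
    trail.append(body)
    return body


def checkpoint(trail: list) -> dict:
    """Signed statement of the trail's length and head hash; chaining alone cannot detect truncation."""
    head = {"count": len(trail), "head_hash": trail[-1]["hash"] if trail else GENESIS}
    head["sig"] = _sign(_canonical(head).decode())
    return head


def verify_trail(trail: list, head: dict) -> tuple:
    """Return (ok, failing_seq, reason).

    Covers the threats listed under CPS.SC-8 <Advanced>: a record changed
    after signing, a record changed or deleted from the middle (chain break),
    and records removed from the end (checkpoint mismatch).
    """
    prev_hash = GENESIS
    for expected_seq, rec in enumerate(trail):
        if rec.get("seq") != expected_seq or rec.get("prev_hash") != prev_hash:
            return False, expected_seq, "chain break: record deleted, reordered or replaced"
        body = {k: v for k, v in rec.items() if k not in ("hash", "sig")}
        recomputed = hashlib.sha256(_canonical(body)).hexdigest()
        if not hmac.compare_digest(recomputed, rec.get("hash", "")):
            return False, expected_seq, "content changed after signing"
        if not hmac.compare_digest(_sign(recomputed), rec.get("sig", "")):
            return False, expected_seq, "signature invalid: not produced by the trail system"
        prev_hash = recomputed
    unsigned = {k: v for k, v in head.items() if k != "sig"}
    if not hmac.compare_digest(_sign(_canonical(unsigned).decode()), head.get("sig", "")):
        return False, None, "checkpoint signature invalid"
    if len(trail) != head["count"] or prev_hash != head["head_hash"]:
        return False, len(trail), "truncated or extended after checkpoint"
    return True, None, "ok"


def records_for_contract(trail: list, contract_id: str) -> list:
    """The subset an auditor for one contract is entitled to see (disclosure within limits)."""
    return [r for r in trail if r["contract_id"] == contract_id]


def sample_trail() -> list:
    """Constructed sample data: three records for two contracts."""
    t0 = datetime(2024, 4, 1, 9, 0, tzinfo=timezone.utc)
    trail: list = []
    append_record(trail, "CTR-0001", {"action": "delivery_accepted", "item": "gw-001"}, t0)
    append_record(trail, "CTR-0001", {"action": "patch_applied", "item": "gw-001"}, t0)
    append_record(trail, "CTR-0002", {"action": "audit_report_sent"}, t0)
    return trail


if __name__ == "__main__":
    trail = sample_trail()
    head = checkpoint(trail)
    print(verify_trail(trail, head))  # (True, None, 'ok')
```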
CPS.SC-9
Measure Requirement: Prepare and test a procedure for incident response with the relevant parties involved in the incident response activity, to ensure action for incident response in the supply chain.
Corresponding Vulnerability ID: L1_3_b_PEO

<High-Advanced>
- The organization assumes the course of action for security incidents in the supply chain and prepares a procedure that coordinates incident responses between the organization and the other organizations concerned with the supply chain.
- The organization assumes the course of action for security incidents in the supply chain and implements tests that coordinate incident responses with the other organizations concerned with the supply chain.
[Reference] Violations in security incidents of the supply chain include violations of system components, IT products, development processes, developers, distribution processes, and warehouse facilities.
[Subject: O | SP 800-171: ○ (3.6.1, 3.6.3) | SP 800-53: ○ (In addition to the following, IR-4, IR-4(10)) | ISO 27001: - | IEC 62443-2-1: - | IEC 62443-3-3: ○ (In addition to the following, SR 3.3)]

<Advanced>
- The organization coordinates the incident response process of an external service provider that supplies features important to continuing its business, and adjusts its own incident response process to meet the incident response requirements.
- The organization tests the incident response process that requires cooperation between the organization and external service providers.
[Subject: O | SP 800-171: ○ (3.6.1, 3.6.3) | SP 800-53: ○ (CP-2, CP-2(7)) | ISO 27001: - | IEC 62443-2-1: ○ (4.3.2.5.7) | IEC 62443-3-3: ○ (SR 2.8, SR 6.1, SR 7.3, SR 7.4)]

<Basic>
- The organization is aware of the security incidents that may occur in the organization and their potential consequences.
[Subject: O | SP 800-171: - | SP 800-53: - | ISO 27001: - | IEC 62443-2-1: - | IEC 62443-3-3: -]

C-7
CPS.SC-10
Measure Requirement: Develop and manage a procedure to be executed when a contract with other relevant organizations such as business partners is finished (e.g., expiration of the contract period, end of support).
Corresponding Vulnerability ID: L1_1_a_PRO, L1_1_b_PRO, L1_1_c_PRO

<High-Advanced>
- The organization ensures that, after a contract is finished, it deletes in a timely manner the logical and physical access rights granted to the contractor to access and handle the organization's resources necessary for the supply of products or services.
[Subject: O | SP 800-171: - | SP 800-53: - | ISO 27001: - | IEC 62443-2-1: - | IEC 62443-3-3: -]

<Advanced>
- The organization agrees with the present business partner whether the supply of the products or services should be cancelled, or whether they should be returned to the organization or transferred to another business partner.
- The organization communicates with the stakeholders affected by the supply of the products or services to provide information on the discontinuation.
- The organization executes the discontinuation of the supply of the products or services in accordance with the discontinuation plan.
- The organization agrees with business partners on the completion of the discontinuation of the supplied products or services.
[Subject: O | SP 800-171: - | SP 800-53: - | ISO 27001: - | IEC 62443-2-1: - | IEC 62443-3-3: -]

<Basic>
- The organization always keeps track of when contracts with relevant parties, such as business partners, are terminated.
[Subject: O | SP 800-171: - | SP 800-53: - | ISO 27001: - | IEC 62443-2-1: - | IEC 62443-3-3: -]
CPS.SC-11
Measure Requirement: Continuously improve the standard of security measures relevant to the supply chain, related procedures, and so on.
Corresponding Vulnerability ID: L1_1_a_PRO, L1_1_b_PRO, L1_1_c_PRO

Common among <High-Advanced>, <Advanced> and <Basic>
- The organization continuously monitors the security-related performance of business partners, and reviews and amends as needed the security measure criteria regarding the supply chain and the related procedures, based on the latest trends in security threats and regulations.
[Subject: O | SP 800-171: - | SP 800-53: - | ISO 27001: - | IEC 62443-2-1: - | IEC 62443-3-3: -]
CPS.AC-1
Measure Requirement: Establish and implement the procedure to issue, manage, check, cancel, and monitor identification and authentication information of authorized goods, people, and procedures.
Corresponding Vulnerability ID: L1_1_a_COM, L1_1_a_SYS, L1_1_b_COM, L1_1_b_SYS, L1_1_c_COM, L2_3_c_SYS, L3_1_a_SYS, L3_3_a_SYS

<High-Advanced>
- The organization introduces and operates, for example, the following automated mechanisms for managing accounts in its own information systems and industrial control systems:
  - Automatically collect account information periodically from the system to be managed
  - Automatically change the password of privileged accounts
- The industrial control system supports integrated account management.
- After a certain period of time, the system automatically invalidates temporary accounts, emergency accounts, and accounts not in use on the system.
- The information system automatically audits and reports the account validation and invalidation associated with the creation, change, and deletion of accounts in the system used by the organization.
[Subject: O/S | SP 800-171: - | SP 800-53: ○ (In addition to the following, AC-2(1), AC-2(2), AC-2(3), AC-2(4)) | IEC 62443-2-1: - | IEC 62443-3-3: -]

<Advanced>
- The organization must obtain approval from the management supervisor when creating a system account.
- With regard to shared user accounts, the users who may know the authentication information are managed in a list or the like, and the range of use of the account can be identified.
- The organization monitors the usage of the system accounts used in an information system.
- If an account needs to be changed or becomes unnecessary, the organization notifies the management supervisor.
- The organization sets the expiration date of credentials and manages whether a password past its expiration date is being used.
- The organization notifies the user (or the person in charge of management) when a password is changed in an information system or an industrial control system.
- If the information system resets credentials for reasons such as the user forgetting them, the information system securely confirms that the account belongs to the requester, to prevent unauthorized tampering with the credentials by a malicious party.
[Subject: O/S | SP 800-171: - | ISO 27001: ○ (In addition to the following, A.9.2.4, A.9.2.5) | IEC 62443-2-1: - | IEC 62443-3-3: -]

<Basic>
- The organization appoints a management supervisor for the accounts in its information system and industrial control system.
- The organization decides and selects the types of system accounts necessary (e.g., general user/system administrator/shared user/temporary user), with consideration of its mission and business functions.
- The organization creates and enables system accounts as per the procedure, and changes, disables and deletes them as needed.
- The organization develops a credential policy (e.g. password, security key) for its own information systems and industrial control systems, and implements a function that prevents a credential from being set up unless it satisfies the policy. The following is an example of the content of the policy:
  - Develop and operate the requirements for passwords in order to ensure the minimum required complexity.
  - When new credentials are created, require at least the number of characters defined by the organization.
  - Store and transmit only cryptographically protected credentials.
  - Prohibit reuse of the same credentials for the period that the organization defines.
- The organization exceptionally allows its members to use temporary credentials when logging on to the system after they have forgotten their credentials, provided they change them immediately to a strong password.
- The organization does not share user identification information among multiple system users in an information system or an industrial control system, except when multiple users function as a single group.
[Subject: O | SP 800-171: - | SP 800-53: ○ (AC-2) | ISO 27001: ○ (A.9.1.1, A.9.2.1, A.9.2.2, A.9.2.6) | IEC 62443-2-1: ○ (4.3.3.5.1) | IEC 62443-3-3: ○ (SR 1.1, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.7, SR 1.8, SR 1.9)]
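The <Basic> credential policy items (minimum complexity, minimum length, cryptographically protected storage, no reuse within a defined period) together with the <Advanced> expiration date and the temporary-credential rule can be enforced at the point where a credential is set. The following is an added example, not code from the Framework; the thresholds are constructed stand-ins for the values the organization defines, and PBKDF2-HMAC-SHA256 with a per-credential salt is the assumed cryptographic protection.

```python
"""Credential policy enforcement for CPS.AC-1 (<Basic> policy items, <Advanced> expiry).

Added example, not part of the Framework. Assumptions: the thresholds below
(12 characters, 3 character classes, 365-day reuse window, 90-day expiry) are
constructed stand-ins for the values "the organization defines"; PBKDF2-HMAC-SHA256
with a per-credential salt is the cryptographic protection for stored credentials.
"""
import hashlib
import hmac
import os
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import Optional

MIN_LENGTH = 12
MIN_CLASSES = 3                     # out of: lower, upper, digit, symbol
REUSE_WINDOW = timedelta(days=365)  # "period that the organization defines" for reuse
EXPIRY = timedelta(days=90)         # credential expiration date (<Advanced>)
PBKDF2_ITERATIONS = 100_000         # kept low for the example; raise for production


def _derive(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)


def complexity_violations(password: str) -> list:
    """Policy rules a candidate password breaks; an empty list means compliant."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    classes = sum([
        any(c.islower() for c in password),
        any(c.isupper() for c in password),
        any(c.isdigit() for c in password),
        any(not c.isalnum() for c in password),
    ])
    if classes < MIN_CLASSES:
        problems.append(f"fewer than {MIN_CLASSES} character classes")
    return problems


@dataclass
class Credential:
    """Stored form: salt and derived key only; the password itself is never kept."""
    salt: bytes
    digest: bytes
    set_at: datetime
    temporary: bool = False   # issued after a reset; must be replaced at first use


@dataclass
class Account:
    user_id: str
    current: Optional[Credential] = None
    history: list = field(default_factory=list)   # earlier Credential records

    def _matches_recent(self, password: str, now: datetime) -> bool:
        """True if the password equals one set inside the reuse window."""
        for old in [self.current, *self.history]:
            if old is None or now - old.set_at > REUSE_WINDOW:
                continue
            if hmac.compare_digest(_derive(password, old.salt), old.digest):
                return True
        return False

    def set_password(self, password: str, now: datetime, temporary: bool = False) -> list:
        """Enforce the policy at set time; rotate the credential only when it passes."""
        problems = complexity_violations(password)
        if self._matches_recent(password, now):
            problems.append(f"reused within {REUSE_WINDOW.days} days")
        if problems:
            return problems          # the credential "cannot be set up" unless compliant
        salt = os.urandom(16)
        if self.current is not None:
            self.history.append(self.current)
        self.current = Credential(salt, _derive(password, salt), now, temporary)
        return []

    def verify(self, password: str, now: datetime) -> str:
        """'ok', 'must_change' (temporary credential), 'expired' or 'denied'."""
        cur = self.current
        if cur is None or not hmac.compare_digest(_derive(password, cur.salt), cur.digest):
            return "denied"
        if cur.temporary:
            return "must_change"     # usable only to choose a strong replacement immediately
        if now - cur.set_at > EXPIRY:
            return "expired"
        return "ok"
```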
CPS.AC-2
Measure Requirement: Implement appropriate physical security measures such as locking and limiting access to the areas where the IoT devices and servers are installed, using entrance and exit controls, biometric authentication, deploying surveillance cameras, and inspecting belongings and body weight.
Corresponding Vulnerability ID: L1_1_a_SYS, L1_1_c_SYS, L2_3_b_PEO, L2_3_b_SYS, L2_3_c_SYS, L2_3_d_SYS, L3_1_a_SYS

<High-Advanced>
- The organization controls physical access to the service wires and transmission paths related to its IoT devices and servers.
- The organization controls physical access to the output devices of its system.
- The organization monitors alarms and monitoring devices (e.g., surveillance cameras) for physical intrusions into the areas within the physical security boundaries.
[Subject: O | SP 800-171: - | SP 800-53: ○ (In addition to the following, PE-4, PE-5, PE-6(1)) | ISO 27001: ○ (In addition to the following, A11.1.1.4, A11.2.3) | IEC 62443-2-1: - | IEC 62443-3-3: -]

<Advanced>
- The organization monitors physical access to the areas within the physical security boundaries and regularly reviews the audit log.
- The organization keeps records of visitors' access to the areas within the physical security boundaries and regularly reviews them.
[Subject: O | SP 800-171: ○ (3.10.2, 3.10.4, 3.10.5) | SP 800-53: ○ (In addition to the following, PE-6, PE-8) | ISO 27001: ○ (In addition to the following, A.11.1.1, A.11.1.5) | IEC 62443-2-1: ○ (4.3.3.3.2, 4.3.3.3.8) | IEC 62443-3-3: -]

<Basic>
- The organization maintains the access list for the areas where its IoT devices and servers are located, and issues the permission certificates necessary for access.
- The organization defines physical security boundaries at its facilities, and implements access control according to the security requirements of the assets placed within the boundaries and the results of risk assessment.
- The organization monitors the work of temporarily authorized parties within the physical security boundaries, such as by authorized attendants or monitoring cameras.
[Subject: O | SP 800-171: ○ (3.10.1, 3.10.3) | SP 800-53: ○ (PE-2, PE-3, PE-8) | ISO 27001: ○ (A.9.2.6, A.11.1.2, A.11.1.3, A.11.1.6, A.11.2.8, A.11.2.9) | IEC 62443-2-1: - | IEC 62443-3-3: -]

C-8
CPS.AC-3
Measure Requirement: Properly authorize wireless connection destinations (including users, IoT devices, and servers).
Corresponding Vulnerability ID: L2_3_c_SYS, L3_3_a_SYS

<High-Advanced>
- The information system and the industrial control system automatically monitor or control remote access to the system.
- The information system and the industrial control system allow only remote access routed through the controlled access points.
- The information system allows privileged commands via remote access only for purposes based on specified requirements.
- The information system records the reasons why users accessing a system that handles highly confidential data execute privileged commands and access security information via remote access.
- The information system protects wireless access to a system that handles highly confidential data by using user and device authentication in addition to encryption.
- The information system blocks remote activation of devices such as whiteboards, cameras, and microphones connected via networks that may handle highly confidential data. An indication that such a device is in use is provided to its users.
[Subject: S | SP 800-171: ○ (In addition to the following, 3.1.12, 3.1.13, 3.1.14, 3.1.15, 3.1.17, 3.1.19, 3.10.6, 3.13.12, 3.13.15) | SP 800-53: ○ (In addition to the following, AC-17(1), AC-17(2), AC-17(3), AC-17(4), AC-18(1), AC-19(5)) | ISO 27001: - | IEC 62443-2-1: - | IEC 62443-3-3: ○ (In addition to the following, SR 1.13)]

<Advanced>
- The organization controls the mobile devices used in the organization and establishes setting requirements, connection requirements, and implementation guidelines for mobile devices.
- The organization establishes rules of approval for connecting mobile devices used in the organization to its system.
[Subject: O | SP 800-171: ○ (In addition to the following, 3.1.18) | SP 800-53: ○ (In addition to the following, AC-19) | ISO 27001: ○ (In addition to the following, A.6.2.1) | IEC 62443-2-1: - | IEC 62443-3-3: ○ (SR 1.1, SR 1.2, SR 2.6), shown once for <Advanced> and <Basic>]

<Basic>
- The organization establishes usage regulations, configuration requirements, and implementation guidelines for each type of approved remote access.
- The organization in principle prohibits unauthorized wireless connections.
- The organization establishes rules of approval for remote access to an information system and an industrial control system.
- The organization authorizes wireless access to its system in advance of the connection being approved.
[Subject: O | SP 800-171: ○ (3.1.16) | SP 800-53: ○ (AC-17, AC-18) | ISO 27001: ○ (A.6.2.2) | IEC 62443-2-1: - | IEC 62443-3-3: ○ (SR 1.1, SR 1.2, SR 2.6)]
CPS.AC-4
Measure Requirement: Prevent unauthorized log-in to IoT devices and servers by measures such as implementing functions for lockout after a specified number of incorrect log-in attempts and providing a time interval until safety is ensured.
Corresponding Vulnerability ID: L2_1_b_SYS, L3_3_a_SYS

<High-Advanced>
- The information system and the industrial control system (excluding some cases where immediacy of response is required) set a limit on the number of consecutive login attempts on the system. If the user fails to log in, he or she will only be able to log in again after the administrator removes the restriction.
[Subject: S | IEC 62443-2-1: - | IEC 62443-3-3: ○ (SR 1.11)]

<Advanced>
- The information system and the industrial control system set a limit on the number of consecutive login attempts on the system. If the user fails to log in, he or she will not be able to log in again for a certain period of time.
- The information system and the industrial control system lock the session manually or automatically if non-operation continues beyond the time set by the organization.
* In the industrial control system, it may be desirable not to lock the session when it is assumed that a session in which an operator is required to respond immediately in an emergency may be conducted.
[Subject: S | SP 800-171: ○ (3.1.8) | SP 800-53: ○ (AC-7) | ISO 27001: ○ (A.9.4.2) | IEC 62443-2-1: - | IEC 62443-3-3: ○ (SR 1.11, SR 1.13, SR 2.6)]
SP 800-171 (3.1.8), SP 800-53 (AC-7) and ISO 27001 (A.9.4.2) are shown once for <High-Advanced> and <Advanced>.

<Basic>
- N/A
[Subject: - | SP 800-171: - | SP 800-53: - | ISO 27001: - | IEC 62443-2-1: - | IEC 62443-3-3: -]
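The two lockout behaviours described for CPS.AC-4 (locked until an administrator clears it at <High-Advanced>, reopened after a time interval at <Advanced>) and the exemption for sessions that need an immediate response differ only in how a locked account is released. The following is an added example, not code from the Framework; the limit of 5 consecutive failures and the 15-minute interval are constructed values, and the password check is supplied by the caller.

```python
"""Login-attempt limiting with the two unlock policies of CPS.AC-4.

Added example, not part of the Framework. Assumptions: a limit of 5
consecutive failures and a 15-minute interval are constructed values;
ADMIN_UNLOCK corresponds to the <High-Advanced> measure and TIMED_UNLOCK to
the <Advanced> one; accounts flagged immediate_response are the operator
sessions the Framework exempts, which are never locked but whose failed
attempts are still recorded for review.
"""
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from enum import Enum
from typing import Optional

MAX_CONSECUTIVE_FAILURES = 5
LOCK_INTERVAL = timedelta(minutes=15)


class UnlockPolicy(Enum):
    ADMIN_UNLOCK = "admin"   # <High-Advanced>: stays locked until an administrator clears it
    TIMED_UNLOCK = "timed"   # <Advanced>: reopens once LOCK_INTERVAL has elapsed


@dataclass
class AccountState:
    user_id: str
    policy: UnlockPolicy
    immediate_response: bool = False   # ICS account that must always be able to log in
    failures: int = 0
    locked_since: Optional[datetime] = None
    events: list = field(default_factory=list)  # (time, what) entries for later review


class LoginGuard:
    def __init__(self, verify_password):
        self._verify = verify_password   # callable(user_id, password) -> bool, supplied by the caller
        self._accounts: dict = {}

    def register(self, state: AccountState) -> None:
        self._accounts[state.user_id] = state

    def is_locked(self, st: AccountState, now: datetime) -> bool:
        if st.locked_since is None:
            return False
        if st.policy is UnlockPolicy.TIMED_UNLOCK and now - st.locked_since >= LOCK_INTERVAL:
            st.locked_since, st.failures = None, 0   # interval elapsed: the lock expires
            st.events.append((now, "auto_unlock"))
            return False
        return True

    def attempt(self, user_id: str, password: str, now: datetime) -> str:
        """Return 'ok', 'denied' or 'locked'."""
        st = self._accounts.get(user_id)
        if st is None:
            return "denied"   # same answer as a wrong password, so account names cannot be enumerated
        if self.is_locked(st, now):
            st.events.append((now, "attempt_while_locked"))
            return "locked"
        if self._verify(user_id, password):
            st.failures = 0
            st.events.append((now, "login_ok"))
            return "ok"
        st.failures += 1
        st.events.append((now, "login_failed"))
        if st.failures >= MAX_CONSECUTIVE_FAILURES and not st.immediate_response:
            st.locked_since = now
            st.events.append((now, "locked"))
        return "denied"

    def admin_unlock(self, user_id: str, admin_id: str, now: datetime) -> bool:
        """Administrator removes the restriction (the only release path under ADMIN_UNLOCK)."""
        st = self._accounts[user_id]
        if st.locked_since is None:
            return False
        st.locked_since, st.failures = None, 0
        st.events.append((now, f"unlocked_by:{admin_id}"))
        return True
```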
CPS.AC-5
Measure Requirement: Segregate duties and areas of responsibility properly (e.g. segregate user functions from system administrator functions).
Corresponding Vulnerability ID: L1_1_a_SYS, L1_1_b_SYS, L2_1_c_SYS, L3_1_a_SYS

<High-Advanced>
- The organization specifies the administrators who use the security functions (e.g., access authority settings) and controls the privileged accounts in its system.
- The information system adopts a monitoring mechanism to check the use of privileged functions.
- The information system prohibits non-privileged users from executing privileged functions on the system, such as disabling, circumventing, or altering implemented security measures.
- The organization can minimize the number of users who can use the system administrator's authority in an emergency, to minimize the damage caused by a security incident.
- The organization can prevent even system administrators from stopping critical services and protected processes through the server, to minimize the damage caused by security incidents.
[Subject: O/S | SP 800-171: ○ (In addition to the following, 3.1.6, 3.1.7) | SP 800-53: ○ (In addition to the following, AC-6(1), AC-6(2), AC-6(5), AC-6(9), AC-6(10)) | ISO 27001: ○ (A.6.1.2, A.9.2.3, A.9.4.1, A.9.4.4), shown once for <High-Advanced> and <Advanced> | IEC 62443-2-1: - | IEC 62443-3-3: -]

<Advanced>
- The organization implements access control in the information system and the industrial control system based on separation of duties (e.g., user / system administrator).
- The organization adopts a general rule of minimum authority for specific duties:
  - Segregate the authority of general users from that of administrators. (Require users to use the system with a non-privileged account when using a non-security function.)
  - Minimize authority for duties the person is not in charge of.
- The organization separates and stipulates the duties assigned by the person in charge.
[Subject: O | SP 800-171: ○ (3.1.4, 3.1.5, 3.13.3) | SP 800-53: ○ (AC-3, AC-5, AC-6, SC-2) | ISO 27001: ○ (A.6.1.2, A.9.2.3, A.9.4.1, A.9.4.4) | IEC 62443-2-1: ○ (4.3.3.2.7) | IEC 62443-3-3: -]

<Basic>
- The organization implements access control based on separation of duties (e.g. user/system administrator) in its highly confidential information systems.
- If separation of duties is difficult to implement due to a shortage of human resources, etc., it is desirable to take alternative measures such as, when a person other than the pre-designated official performs the specific duties, requiring another person to monitor the performance of those duties.
[Subject: O | SP 800-171: - | SP 800-53: - | ISO 27001: - | IEC 62443-2-1: - | IEC 62443-3-3: ○ (SR 2.1)]
CPS.AC-6
Measure Requirement: Adopt high confidence methods of authentication where appropriate based on risk (e.g. multi-factor authentication, combining more than two types of authentication) when logging in to the system over the network for the privileged user.
Corresponding Vulnerability ID: L1_1_a_SYS, L1_1_b_SYS, L2_1_c_SYS, L3_1_a_SYS
Examples of security measures:
<High-Advanced>
- The system uses multifactor authentication for access to the system or network with non-privileged accounts.
- Regarding an information system that handles highly confidential data, access to the system and network with privileged or non-privileged accounts uses an authentication mechanism that can tolerate replay attacks.
[Reference] It is desirable to refer to NIST SP 800-63-3 regarding the strength of authentication methods and appropriate use cases.
[Subject: S | SP 800-171: ○ (In addition to the following, 3.5.4) | SP 800-53 Rev.4: ○ (In addition to the following, IA-2(2), IA-2(8), IA-2(9)) | ISO/IEC 27001 Annex A: ○ (In addition to the following, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4) | IEC 62443-2-1: - | IEC 62443-3-3: ○ (SR 2.1)]
<Advanced>
- In consideration of the risk of unauthorized login to the privileged account in the system, the organization in principle prohibits login to the privileged account via the network when it is not possible to implement a sufficiently high-confidence method of authentication.
- The information system requires multifactor authentication for access to the system or network with privileged accounts when it cannot implement actions such as invalidating the administrator account for the system.
- In principle, the organization invalidates the default administrator account in the information system.
- The information system grants the user account only the minimum privileged authority necessary when performing privileged operations.
[Subject: S | SP 800-171: ○ (In addition to the following, 3.5.3) | SP 800-53 Rev.4: ○ (In addition to the following, IA-2(1), IA-2(3)) | ISO/IEC 27001 Annex A: as above | IEC 62443-2-1: - | IEC 62443-3-3: as above]
<Basic>
- Regarding access to the system and network with privileged or non-privileged accounts in the system, the organization uses an authentication method that uniquely identifies the access.
[Subject: O/S | SP 800-171: ○ (3.5.1) | SP 800-53 Rev.4: ○ (IA-2) | ISO/IEC 27001 Annex A: ○ (A.9.2.1) | IEC 62443-2-1: - | IEC 62443-3-3: as above]
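The High-Advanced measure above asks for a second factor whose one-time codes cannot be replayed. The following is an added example (not from the Framework or any vendor) showing why an HMAC-based one-time password with a monotonic counter meets that property: the server accepts a code only for a counter strictly beyond the last one it accepted, so a captured code is useless afterwards. The account record, the look-ahead window of 5 and the RFC 4226 test secret are assumptions made for the demonstration.

```python
import hashlib
import hmac
import struct
from dataclasses import dataclass


@dataclass
class PrivilegedAccount:
    """Server-side state for one account's second factor (constructed example)."""
    secret: bytes
    last_counter: int = -1  # highest HOTP counter already accepted for this account


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{code % (10 ** digits):0{digits}d}"


def verify_second_factor(account: PrivilegedAccount, presented: str, look_ahead: int = 5) -> bool:
    """Accept a code only for a counter strictly beyond the last accepted one.

    The look-ahead window tolerates tokens the user generated but never sent.
    A code captured on the wire and presented again fails, because its counter
    is no longer ahead of account.last_counter: every code is single-use.
    """
    start = account.last_counter + 1
    for counter in range(start, start + look_ahead):
        if hmac.compare_digest(hotp(account.secret, counter), presented):
            account.last_counter = counter
            return True
    return False


def replay_demo() -> list:
    """Walk a constructed login sequence and report each decision."""
    # RFC 4226 test secret; a real deployment provisions a random per-account secret.
    account = PrivilegedAccount(secret=b"12345678901234567890")
    first = hotp(account.secret, 0)
    return [
        verify_second_factor(account, first),                    # fresh code: accepted
        verify_second_factor(account, first),                    # same code replayed: rejected
        verify_second_factor(account, hotp(account.secret, 2)),  # one token skipped: accepted
        verify_second_factor(account, hotp(account.secret, 1)),  # older token: rejected
    ]
```

The counter state must live on the server side of the authentication; if it were reset or shared across replicas without coordination, the replay protection would be lost.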

C-9

Appendix C: Reference Guidelines
(Table columns: Measure Requirement ID | Measure Requirement | Corresponding Vulnerability ID | Examples of security measures | Subject that implements measures | NIST SP 800-171 | NIST SP 800-53 Rev.4 | ISO/IEC 27001:2013 Annex A | IEC 62443-2-1:2010 | IEC 62443-3-3:2013)

CPS.AC-7
Measure Requirement: Develop a policy about controlling data flow, and, according to that policy, protect the integrity of the network by means such as appropriate network isolation (e.g., development and test environment vs. production environment, and environments that incorporate IoT devices vs. other environments within the organization).
Corresponding Vulnerability ID: L2_1_b_SYS, L3_1_a_DAT, L3_4_b_SYS
Examples of security measures:
<High-Advanced>
- The information system and the industrial control system monitor and control communications on the networks composing the internal business systems of the organization.
- Regarding the network to which the system that handles highly confidential data is connected, the organization shall deny network communications by default and shall only allow connection of approved communication traffic.
- The organization physically or logically separates the network of high-importance industrial control systems from the network of control systems with lower importance.
- If the information system that handles highly confidential data is connected to a remote device, the organization is to prevent multiple and simultaneous local connections between the device and the system, as well as prevent access to external network resources by other connections.
[Subject: S | SP 800-171: ○ (In addition to the following, 3.1.3, 3.13.6, 3.13.7) | SP 800-53 Rev.4: ○ (In addition to the following, SC-7(5), SC-7(7)) | ISO/IEC 27001 Annex A: ○ (In addition to the following, A.13.1.1, A.13.1.3, A.14.1.2, A.14.1.3) | IEC 62443-2-1: - | IEC 62443-3-3: -]
<Advanced>
- The information system and industrial control system monitor and regulate connection at the external and internal boundaries of the network to which the system is connected (in the case of industrial control systems, boundaries with information systems).
- The organization installs boundary protection devices to promote effective security in the system and connects to external networks via the device.
[Subject: O/S | SP 800-171: - | SP 800-53 Rev.4: ○ (In addition to the following, SC-7) | ISO/IEC 27001 Annex A: as above | IEC 62443-2-1: ○ (4.3.3.4.2, 4.3.3.4.3) | IEC 62443-3-3: ○ (SR 3.1, SR 3.8)]
<Basic>
- The organization establishes a data flow regulation policy that defines the range in which data flow within information systems and industrial control systems is permitted and the range in which data flow between systems is permitted, and regulates the flow by segregating the network appropriately.
- The organization logically or physically segments the control system's network from the network composing the information system.
[Reference] Implement physical segmentation in environments physically separated from other networks. Alternatively, in environments physically close to other networks, it is possible to implement logical segmentation in consideration of the cost of the measure.
[Subject: O/S | SP 800-171: ○ (3.1.3) | SP 800-53 Rev.4: ○ (AC-4) | ISO/IEC 27001 Annex A: ○ (A.12.1.4, A.13.2.1) | IEC 62443-2-1: ○ (4.3.3.4.1) | IEC 62443-3-3: as above]
CPS.AC-8
Measure Requirement: Restrict communications by IoT devices and servers to those with entities (e.g. people, components, systems, etc.) identified through proper procedures.
Corresponding Vulnerability ID: L2_1_b_SYS, L3_3_a_SYS
Examples of security measures:
Common among <High-Advanced>, <Advanced> and <Basic>
- The organization assigns identifiers to its IoT devices and servers, and manages the identification by preventing re-use of identifiers and invalidating identifiers after a certain period of time.
- Before connecting their IoT devices and servers to the network, the information system and the industrial control system prepare a mechanism that uniquely identifies and authenticates these devices.
- Communication using IoT devices is denied by default. The protocol to be used is authorized as an exception.
[Subject: O/S | SP 800-171: ○ (3.5.5, 3.5.6, 3.8.2) | SP 800-53 Rev.4: ○ (IA-4) | ISO/IEC 27001 Annex A: ○ (A.7.1.1, A.9.2.1) | IEC 62443-2-1: ○ (4.3.3.2.2, 4.3.3.5.2, 4.3.3.7.2, 4.3.3.7.3) | IEC 62443-3-3: ○ (SR 1.1, SR 1.2, SR 1.4, SR 1.5, SR 1.9, SR 2.1)]
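CPS.AC-7 (data flow regulation policy with default deny between segregated networks) and CPS.AC-8 (IoT devices may communicate only once identified through the organization's procedure, with default deny and protocols authorized as exceptions) describe one decision that a boundary device or policy engine has to make per connection. The block below is an added example, not code from the Framework; the zone names, address ranges, permitted flows and registered device identifiers are constructed assumptions.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional, Tuple

# Network zones of a constructed example organisation (names and ranges are assumptions).
ZONES = {
    "ics_high": ipaddress.ip_network("10.10.0.0/24"),  # high-importance control network
    "ics_low": ipaddress.ip_network("10.20.0.0/24"),   # lower-importance control network
    "it": ipaddress.ip_network("10.30.0.0/16"),        # information systems
    "iot": ipaddress.ip_network("10.40.0.0/24"),       # environment incorporating IoT devices
}


@dataclass(frozen=True)
class Rule:
    src_zone: str
    dst_zone: str
    proto: str
    dst_port: int


# Data flow regulation policy: the only inter-zone flows that are permitted.
# Anything not listed here is denied by default (CPS.AC-7 High-Advanced).
PERMITTED_FLOWS = {
    Rule("it", "ics_low", "tcp", 443),         # operator console into the low-importance ICS
    Rule("ics_low", "ics_high", "tcp", 4840),  # OPC UA, only from the low to the high network
    Rule("iot", "it", "tcp", 8883),            # MQTT over TLS from IoT devices to an IT broker
}

# Identifiers assigned to IoT devices through the registration procedure (CPS.AC-8).
REGISTERED_DEVICES = {"sensor-0001", "sensor-0002", "gateway-01"}


def zone_of(ip: str) -> str:
    """Map an address to its zone; addresses outside every zone are 'external'."""
    addr = ipaddress.ip_address(ip)
    for name, net in ZONES.items():
        if addr in net:
            return name
    return "external"


def decide(src_ip: str, dst_ip: str, proto: str, dst_port: int,
           device_id: Optional[str] = None) -> Tuple[str, str]:
    """Return ('allow' | 'deny', reason) for one connection attempt."""
    src, dst = zone_of(src_ip), zone_of(dst_ip)
    if src == "external" or dst == "external":
        return "deny", "external endpoints are handled only via the boundary protection device"
    if src == "iot" and device_id not in REGISTERED_DEVICES:
        return "deny", f"unidentified IoT device {device_id!r}"
    if src == dst:
        return "allow", f"intra-zone traffic within {src}"
    rule = Rule(src, dst, proto.lower(), dst_port)
    if rule in PERMITTED_FLOWS:
        return "allow", f"matches policy entry {src}->{dst} {proto}/{dst_port}"
    return "deny", f"no policy entry for {src}->{dst} {proto}/{dst_port} (default deny)"
```

The policy is deliberately expressed as a set of permitted flows rather than a list of blocked ones: a new system added to the IT zone gains no path into the high-importance control network until an explicit entry is approved.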
CPS.AC-9
Measure Requirement: Authenticate and authorize logical accesses to system components by IoT devices and users according to the transaction risks (personal security, privacy risks, and other organizational risks).
Corresponding Vulnerability ID: L1_1_a_SYS, L1_1_b_SYS, L2_1_b_SYS, L3_1_a_SYS, L3_4_b_SYS
Examples of security measures:
<High-Advanced>
- The information system and industrial control system require authentication using a public key infrastructure (PKI), especially regarding login to a system that handles highly confidential data.
  * When performing authentication using PKI in an industrial control system, ensure that the processing wait time that occurs does not degrade system performance.
- The information system and industrial control system lay down conditions that require disconnection of a session and implement a function that automatically terminates a user's session when it falls under these conditions.
[Reference] For the strength of authentication schemes and appropriate use cases, it is advisable to refer to NIST SP 800-63-3.
[Subject: S | SP 800-171: ○ (In addition to the following, 3.1.11) | SP 800-53 Rev.4: ○ (In addition to the following, IA-2, IA-5(2), AC-12) | ISO/IEC 27001 Annex A: ○ (A.9.3.1, A.9.4.3, A.9.4.5) | IEC 62443-2-1: ○ (In addition to the following, 4.3.3.6.3, 4.3.3.6.5, 4.3.3.6.7) | IEC 62443-3-3: ○ (In addition to the following, SR 1.9)]
<Advanced>
- The organization checks the user's identity and authenticates using a mechanism that has sufficient strength for the risk of the transaction (security-related risks for the user, privacy risks, etc.).
- The information system displays a notification message on the risk of the transaction (security-related risks for the user, privacy risks, etc.) when a user logs into the system.
- The information system and the industrial control system make the feedback on the authentication information invisible during the authentication process.
- The organization sets the expiration date of the credential and manages whether a password past the expiration date is used.
[Subject: O/S | SP 800-171: ○ (3.1.1, 3.1.2, 3.1.9, 3.1.10, 3.5.2, 3.5.7, 3.5.8, 3.5.9, 3.5.10, 3.5.11) | SP 800-53 Rev.4: ○ (IA-5, IA-5(1), IA-6, AC-8, AC-11, AC-11(1)) | ISO/IEC 27001 Annex A: as above | IEC 62443-2-1: ○ (4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.4, 4.3.3.6.6, 4.3.3.6.8, 4.3.3.6.9) | IEC 62443-3-3: ○ (SR 1.1, SR 1.2, SR 1.5, SR 1.7, SR 1.8, SR 1.10)]
<Basic>
- The organization develops a policy for credentials (e.g. password, security key) for its own information systems and industrial control systems, and implements a function that does not allow a credential to be set unless it satisfies the policy. The following is an example of the content of the policy.
  - Develop and operate the requirements for passwords in order to ensure the minimum required complexity.
  - When new credentials are created, require at least the number of characters defined by the organization.
  - Store and transmit only cryptographically protected credentials.
  - Prohibit reuse of the same credentials for the period that the organization defines.
- The organization allows its members to use temporary credentials exceptionally when logging on to the system when they have forgotten their credentials, provided they change them immediately to a strong password.
- The information system and industrial control system limit the transactions and functions that can be performed to authenticated users.
[Subject: O/S | SP 800-171: - | SP 800-53 Rev.4: - | ISO/IEC 27001 Annex A: - | IEC 62443-2-1: - | IEC 62443-3-3: -]
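The Basic tier of CPS.AC-9 lists what a credential policy should enforce: minimum length and complexity, no reuse for a defined period, credentials stored only in cryptographically protected form, and an expiration date (the Advanced tier). The following is an added example of a policy check written for this page, not the Framework's or any product's code; the policy values, the PBKDF2 parameters and the sample credentials are assumptions.

```python
import hashlib
import hmac
import os
import re
from datetime import date, timedelta
from typing import List, Tuple

# Credential policy of a constructed example organisation (values are assumptions).
POLICY = {
    "min_length": 12,        # minimum number of characters for a new credential
    "classes_required": 3,   # out of: lower-case, upper-case, digit, symbol
    "history_depth": 5,      # how many previous credentials may not be reused
    "max_age_days": 90,      # expiration period set by the organisation
}
PBKDF2_ITERATIONS = 600_000  # only this protected form is ever stored or transmitted


def protect_credential(password: str, salt: bytes = b"") -> Tuple[bytes, bytes]:
    """Return (salt, PBKDF2-HMAC-SHA256 digest) for storage; a fresh salt unless one is given."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return salt, digest


def character_classes(password: str) -> int:
    """Count how many of the four character classes the credential draws on."""
    patterns = (r"[a-z]", r"[A-Z]", r"[0-9]", r"[^A-Za-z0-9]")
    return sum(1 for p in patterns if re.search(p, password))


def check_new_credential(candidate: str, history: List[Tuple[bytes, bytes]]) -> List[str]:
    """Return the policy violations; an empty list means the credential may be set."""
    violations = []
    if len(candidate) < POLICY["min_length"]:
        violations.append("too short")
    if character_classes(candidate) < POLICY["classes_required"]:
        violations.append("insufficient complexity")
    # Reuse is detected against the protected history only; old plaintexts are never kept.
    for salt, digest in history[-POLICY["history_depth"]:]:
        if hmac.compare_digest(protect_credential(candidate, salt)[1], digest):
            violations.append("reused credential")
            break
    return violations


def credential_expired(set_on: date, today: date) -> bool:
    """True when the credential is older than the organisation's expiration period."""
    return today - set_on > timedelta(days=POLICY["max_age_days"])
```

Because the reuse check re-derives the candidate with each stored salt, its cost grows with the history depth; that is acceptable at credential-change time but is why the history is capped rather than kept indefinitely.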
CPS.AT-1
Measure Requirement: Provide appropriate training and education to all individuals in the organization and manage the record so that they can fulfill assigned roles and responsibilities to prevent and contain the occurrence and severity of security incidents.
Corresponding Vulnerability ID: L1_1_a_PEO, L1_1_b_PEO, L1_1_c_PEO, L1_1_d_PEO, L1_2_a_PEO, L1_3_a_PEO, L1_3_a_DAT, L1_3_c_PEO, L3_4_a_PEO
Examples of security measures:
<High-Advanced>
- The organization provides security awareness training to all necessary personnel so that they will recognize and report signs of internal fraud.
[Subject: O | SP 800-171: ○ (In addition to the following, 3.2.3) | SP 800-53 Rev.4: ○ (In addition to the following, AT-2(2)) | IEC 62443-3-3: -]
<Advanced>
- The organization regularly provides basic security awareness training to all members of staff. The organization can, for example, cover the following matters in addition to the contents explaining general matters.
  - Procedure to respond when you receive a suspicious email
  - Notes on using mobile devices (e.g. notes on connecting to a public wireless LAN)
  - Notes on using SNS
- The organization creates a program for each role (e.g., system/software developer, purchasing personnel, system administrator, personnel in charge of security measures) to train information security personnel and to improve their skills. The program is conducted regularly for applicable personnel.
- The organization regularly reviews records of security education and training.
[Subject: O | SP 800-171: ○ (3.2.1) | SP 800-53 Rev.4: ○ (In addition to the following, AT-3) | ISO/IEC 27001 Annex A: ○ (A.7.2.1, A.7.2.2) | IEC 62443-2-1: ○ (4.3.2.3.4, 4.3.2.4.1, 4.3.2.4.2, 4.3.2.4.6, 4.3.3.2.5, 4.3.4.5.4, 4.3.4.5.11) | IEC 62443-3-3: -]
<Basic>
- The organization provides basic security awareness training to new staff, or when necessary due to changes made to the information systems and the industrial control systems which the organization uses.
- The organization records and manages the contents and results of security education and training for members of the organization.
[Subject: O | SP 800-171: - | SP 800-53 Rev.4: ○ (AT-2) | IEC 62443-3-3: -]
CPS.AT-2
Measure Requirement: Provide appropriate training and security education to members of the organization and other relevant parties of high importance in security management that may be involved in security incident prevention and response. Then, manage the record of such training and security education.
Corresponding Vulnerability ID: L1_3_b_PEO, L1_3_a_DAT, L3_3_a_PEO
Examples of security measures:
<High-Advanced>
- The organization monitors its personnel and related organizations that may be involved in the security incident for the accomplishment status of the roles assigned to the personnel in charge.
[Subject: O | SP 800-171: - | SP 800-53 Rev.4: - | ISO/IEC 27001 Annex A: - | IEC 62443-3-3: -]
<Advanced>
- The organization requests the giving of training (e.g. simulation assuming an actual incident) and security education appropriate to execution of the roles assigned to the personnel in charge to related organizations that may be involved in the security incident, and confirms the training/education implementation status.
- The organization regularly reviews the records of education and training for persons in charge at relevant parties that are highly important in its own security management.
[Subject: O | SP 800-171: ○ (In addition to the following, 3.2.2) | SP 800-53 Rev.4: - | ISO/IEC 27001 Annex A: - | IEC 62443-2-1: ○ (In addition to the following, 4.3.2.4.3, 4.3.4.5.11) | IEC 62443-3-3: -]
<Basic>
- The organization requests the giving of training (e.g. simulation assuming an actual incident) and security education appropriate to execution of the roles assigned to the personnel in charge to their personnel, and confirms the training/education implementation status.
- The organization records and manages the contents and results of security education and training for members of the organization.
[Subject: O | SP 800-171: ○ (3.2.1) | SP 800-53 Rev.4: - | ISO/IEC 27001 Annex A: - | IEC 62443-2-1: ○ (4.3.2.4.1, 4.3.2.4.2, 4.3.2.4.6) | IEC 62443-3-3: -]
CPS.AT-3
Measure Requirement: Improve the contents of training and education regarding security for members of the organization and other relevant parties of high importance in the security management of the organization.
Corresponding Vulnerability ID: L1_1_a_PEO, L1_1_b_PEO, L1_1_c_PEO, L1_3_a_PEO, L1_3_b_PEO, L1_3_c_PEO, L3_3_a_PEO, L3_4_a_PEO, L3_4_b_PEO
Examples of security measures:
Common among <High-Advanced> and <Advanced>
- The organization continuously verifies the effects of education and training in order to ensure that the members of the organization and persons in charge at relevant parties have a better understanding of security.
- The organization refers to the results of the review of security education and training records and improves the contents of education and training in light of new or changing threats and vulnerabilities.
[Subject: O | SP 800-171: - | SP 800-53 Rev.4: ○ (AT-1) | ISO/IEC 27001 Annex A: ○ (A.7.2.2) | IEC 62443-2-1: (4.3.2.4.4, 4.3.2.4.5) | IEC 62443-3-3: -]
<Basic>
- The organization conducts questionnaires and simple tests to confirm the subject's understanding of the content and confirms the results after conducting security education and training.
[Subject: O | SP 800-171: - | SP 800-53 Rev.4: - | IEC 62443-3-3: -]

CPS.DS-1
Measure Requirement: If the organization exchanges protected information with other organizations, agree in advance on security requirements for protection of such information.
Corresponding Vulnerability ID: L3_1_a_PRO, L3_4_a_DAT, L3_4_b_DAT
Examples of security measures:
Common among <High-Advanced> and <Advanced>
- The organization specifies concrete security measure requirements considering the importance of exchanged data and assumed risks, and requires business partners to implement them.
- The organization permits outsourcing of data handling operations to subcontractors only if it confirms that such subcontractors have implemented security measures whose level is equivalent to those required of direct business partners.
[Subject: O | SP 800-171: - | SP 800-53 Rev.4: - | ISO/IEC 27001 Annex A: - | IEC 62443-2-1: - | IEC 62443-3-3: -]
<Basic>
- The organization regulates how to handle the data that business partners may handle by concluding a non-disclosure agreement.
- The organization prohibits direct business partners from subcontracting operations related to data management.
[Subject: O | SP 800-171: - | SP 800-53 Rev.4: - | ISO/IEC 27001 Annex A: - | IEC 62443-2-1: - | IEC 62443-3-3: -]
CPS.DS-2
Measure Requirement: Encrypt information with an appropriate level of security strength, and store it.
Corresponding Vulnerability ID: L1_1_a_DAT, L3_1_a_DAT, L3_3_d_SYS, L3_4_b_SYS
Examples of security measures:
<High-Advanced>
- The organization selects products that have been validated under the Cryptographic Module Validation Program (CMVP) in order to suitably implement the selected algorithms in software and hardware, and to protect keys, identification codes, and entity authentication information that is used to decrypt encrypted information or to apply electronic signatures.
- The organization protects or encrypts data to the appropriate strength when that data is taken outside of the organization.
- The organization uses IoT devices that can encrypt and store data in internal memory.
[Subject: O/S | SP 800-171: ○ (In addition to the following, 3.8.6, 3.13.11, 3.13.8) | SP 800-53 Rev.4: ○ (In addition to the following, SC-12(1)) | ISO/IEC 27001 Annex A: ○ (A.8.2.3) | IEC 62443-2-1: - | IEC 62443-3-3: -]
<Advanced>
- The organization examines the safety and trustworthiness that are necessary, selects an algorithm, encrypts information (data) to the appropriate strength, and stores the information. If an algorithm on the CRYPTREC Ciphers List can be selected, the organization uses it to encrypt information (data) to the appropriate strength and stores the information.
- The organization considers the level of security and trustworthiness required for the information, chooses an algorithm, and encrypts and stores high-importance information handled by industrial control systems with appropriate strength without causing unacceptable impact on performance.
[Reference] Regarding encryption technologies whose security and implementation performance are confirmed, the Cryptography Research and Evaluation Committees (CRYPTREC) release to the public a list of such technologies recommended for use that are sufficiently used in the market or are considered likely to spread in the future. It is desirable that the organization refer to the list as needed when procuring systems that should implement encryption functions.
[Subject: O/S | SP 800-171: ○ (In addition to the following, 3.13.16) | SP 800-53 Rev.4: ○ (In addition to the following, SC-28) | ISO/IEC 27001 Annex A: as above | IEC 62443-2-1: - | IEC 62443-3-3: ○ (SR 3.4, SR 4.1)]
<Basic>
- The organization examines the safety and trustworthiness that are necessary, selects an algorithm, encrypts important information (data) handled by information systems to the appropriate strength, and stores the information.
[Subject: O/S | SP 800-171: ○ (3.13.10) | SP 800-53 Rev.4: ○ (SC-12) | IEC 62443-3-3: -]
CPS.DS-3
Measure Requirement: Encrypt the communication channel when communicating between IoT devices and servers or in cyberspace.
Corresponding Vulnerability ID: L1_1_a_SYS, L1_1_b_DAT, L3_1_a_DAT, L3_2_b_DAT, L3_3_a_SYS, L3_3_d_SYS
Examples of security measures:
<High-Advanced>
- The organization protects the networks composing the information system and industrial control system that handle important data by implementing encryption of communication channels or by alternative physical measures.
[Subject: O/S | SP 800-171: ○ (3.13.15) | SP 800-53 Rev.4: ○ (In addition to the following, SC-12(1)) | ISO/IEC 27001 Annex A: ○ (A.10.1.1, A.13.2.1, A.13.2.3, A.14.1.2) | IEC 62443-2-1: - | IEC 62443-3-3: ○ (SR 3.1, SR 3.8, SR 4.1, SR 4.2, SR 4.3)]
<Advanced>
- The information system employs a cryptographic mechanism and encrypts communication paths.
[Reference] For encryption of communication paths, there are several methods such as IP-VPN, IPsec-VPN and SSL VPN. It is desirable that the organization select the method considering the importance of the data transmitted in the communication paths, the budget, and so on.
[Subject: S | SP 800-171: ○ (3.13.15) | SP 800-53 Rev.4: ○ (SC-8(1), SC-12) | ISO/IEC 27001 Annex A: as above | IEC 62443-2-1: - | IEC 62443-3-3: as above]
<Basic>
- N/A
[Subject: - | SP 800-171: - | SP 800-53 Rev.4: - | ISO/IEC 27001 Annex A: - | IEC 62443-2-1: - | IEC 62443-3-3: -]
CPS.DS-4
Measure Requirement: Encrypt information itself when sending/receiving information.
Corresponding Vulnerability ID: L1_1_a_DAT, L1_1_b_DAT, L3_1_a_DAT, L3_2_b_DAT, L3_3_d_SYS
Examples of security measures:
<High-Advanced>
- The system/IoT device introduces a cryptographic module that can be implemented with scarce resources without losing availability, and it is desirable to encrypt the communication data from devices of high importance at appropriate strength.
- The information system encrypts all data transmitted outside the organization with appropriate strength, not limited to high or low importance.
[Subject: S | SP 800-171: - | SP 800-53 Rev.4: - | ISO/IEC 27001 Annex A: ○ (A.10.1.1, A.13.2.1, A.13.2.3, A.14.1.2) | IEC 62443-2-1: - | IEC 62443-3-3: ○ (SR 3.1, SR 3.8, SR 4.1, SR 4.2, SR 4.3)]
<Advanced>
- The organization encrypts information with appropriate strength when transmitting highly confidential information to an external organization or the like.
[Subject: O | SP 800-171: - | SP 800-53 Rev.4: ○ (SC-8(1)) | ISO/IEC 27001 Annex A: as above | IEC 62443-2-1: - | IEC 62443-3-3: as above]
<Basic>
- N/A
[Subject: - | SP 800-171: - | SP 800-53 Rev.4: - | ISO/IEC 27001 Annex A: - | IEC 62443-2-1: - | IEC 62443-3-3: -]
CPS.DS-5
Measure Requirement: Securely control encryption keys throughout their life cycle to ensure proper operation and the secure transmission, receipt and storage of data.
Corresponding Vulnerability ID: L1_1_a_DAT, L3_1_a_DAT
Examples of security measures:
<High-Advanced>
- If the user loses the key, the organization maintains the availability of the information by reissuing the key or the like.
- It is desirable to consider the authenticity of the public key as well as to securely control the secret key and private key. This authentication process is carried out using a public key certificate, normally issued by a certificate authority. It is desirable that the certificate authority be a recognized organization that implements appropriate measures and procedures to provide the required reliability.
[Subject: O/S | SP 800-171: - | SP 800-53 Rev.4: ○ (In addition to the following, SC-12(1)) | ISO/IEC 27001 Annex A: ○ (A.10.1.2) | IEC 62443-2-1: - | IEC 62443-3-3: -]
<Advanced>
- It is desirable that the organization set out a policy and procedure regarding the following items so that immediate and appropriate measures can be taken when the private key is compromised.
  - A structure to take measures against compromise of the private key (including the stakeholders, roles, and cooperation with contractors)
  - Criteria to judge whether the private key is compromised or is in danger of compromise
  - Investigation of the cause of the compromise of the private key, and an attempt to remove the cause
  - Suspension of the services using the key
  - Creation of a new pair of keys and issuance of a certificate for the new key
  - Disclosure of information regarding the compromise of the private key (notified parties, method of notification, disclosure policy, etc.)
[Reference] It is desirable to refer to the ISO/IEC 11770 series of standards, NIST SP 800-57 Part 1 Rev.4, and so on for details about key management.
[Subject: O | SP 800-171: ○ (3.13.10) | SP 800-53 Rev.4: ○ (SC-12) | ISO/IEC 27001 Annex A: as above | IEC 62443-2-1: - | IEC 62443-3-3: ○ (SR 1.9, SR 4.3)]
<Basic>
- It is desirable that the organization protect all encryption keys from modification and loss.
[Subject: O | SP 800-171: -]
CPS.DS-6
Measure Requirement: Secure sufficient resources (e.g., people, components, systems) for components and systems, and protect assets properly to minimize bad effects under cyber attack (e.g., DoS attack).
Corresponding Vulnerability ID: L1_1_c_SYS, L2_1_d_SYS, L3_3_c_SYS
Examples of security measures:
Common among <High-Advanced> and <Advanced>
- The information system and industrial control system manage spare storage space, bandwidth, and other spares (people, components, systems) and minimize the impact of denial-of-service attacks that send a large amount of information. For example, if services provided by an attacked system cannot be stopped because the level of availability must be maintained, etc., it is necessary to take the following measures in order to continue important functions.
  - Automatic or manual migration to a standby system
  - Automatic or manual segregation of system components attacked by an adversarial actor
- In order to ensure that required system performance is satisfied, use of resources must be monitored and adjusted. In addition, the storage capacity and performance required in the future must be pre-estimated.
- The organization shall:
  (a) Use a monitoring tool which the organization specifies in order to find signs of denial-of-service attacks on the information system.
  (b) Monitor resources of the information system and industrial control system identified by the organization and judge whether sufficient resources are secured to prevent effective denial-of-service attacks.
[Subject: S | SP 800-171: - | SP 800-53 Rev.4: ○ (In addition to the following, SC-5(2), SC-5(3)) | ISO/IEC 27001 Annex A: ○ (In addition to the following, A.12.1.3) | IEC 62443-2-1: - | IEC 62443-3-3: ○ (SR 5.2)]
<Basic>
- By implementing the security measures which the organization decides on, the information system and the industrial control system minimize the impact of, or protect from the impact of, the denial-of-service attacks which the organization specifies, or attacks on references to the sources of this information, while performing a fallback operation.
[Subject: S | SP 800-171: - | SP 800-53 Rev.4: ○ (SC-5) | ISO/IEC 27001 Annex A: ○ (A.17.2.1) | IEC 62443-2-1: - | IEC 62443-3-3: as above]
CPS.DS-7
Measure Requirement: Carry out periodic quality checks, prepare standby devices and uninterruptible power supplies, provide redundancy, detect failures, conduct replacement work, and update software for IoT devices, communication devices, circuits, etc.
Corresponding Vulnerability ID: L1_1_c_SYS, L2_1_d_SYS, L3_3_c_SYS
Examples of security measures:
Common among <High-Advanced> and <Advanced>
- The organization prepares a short-term uninterruptible power supply which supports the switching of the information system to an alternative power source that can be used for a long period of time when the primary power source is lost.
[Subject: O | SP 800-171: - | SP 800-53 Rev.4: ○ (PE-11) | ISO/IEC 27001 Annex A: ○ (A.11.2.2, A.11.2.3, A.11.2.4, A.12.1.3, A.17.2.1) | IEC 62443-2-1: - | IEC 62443-3-3: ○ (SR 5.2, SR 7.5)]
<Basic>
- In order to ensure that the required performance of an information system and an industrial control system is satisfied, use of resources must be monitored and adjusted. In addition, the storage capacity and performance that are required in the future are pre-estimated.
- The organization protects devices from power outages and other failures that are attributable to malfunctions in the supporting utility.
- The organization protects communication cables and power cables that transmit data or that support information services from interception, interference, and harm.
- The organization properly maintains devices to ensure continuous availability and integrity.
[Subject: O | SP 800-171: - | SP 800-53 Rev.4: - | ISO/IEC 27001 Annex A: as above | IEC 62443-2-1: - | IEC 62443-3-3: -]
CPS.DS-8
Measure Requirement: When handling information to be protected or procuring devices that have an important function for the organization, select IoT devices and servers equipped with anti-tampering devices.
Corresponding Vulnerability ID: L1_1_d_COM, L2_3_b_COM
Examples of security measures:
<High-Advanced>
- When handling information that shall be protected or when procuring devices that have a function important to the organization, the organization procures devices that use anti-tampering devices.
- When storing encryption keys for the cryptographic mechanism used in the information system and the industrial control system, the organization uses anti-tampering devices.
[Subject: O | SP 800-171: - | SP 800-53 Rev.4: ○ (SC-12) | ISO/IEC 27001 Annex A: ○ (A.10.1.2) | IEC 62443-2-1: - | IEC 62443-3-3: ○ (SR 5.2)]
<Advanced>
- N/A
[Subject: - | SP 800-171: - | SP 800-53 Rev.4: - | ISO/IEC 27001 Annex A: - | IEC 62443-2-1: - | IEC 62443-3-3: -]
<Basic>
- N/A
[Subject: - | SP 800-171: - | SP 800-53 Rev.4: - | ISO/IEC 27001 Annex A: - | IEC 62443-2-1: - | IEC 62443-3-3: -]
CPS.DS-9
Measure Requirement: Properly control outbound communications that send information to be protected, to prevent improper data breach.
Corresponding Vulnerability ID: L1_1_a_DAT, L2_3_c_SYS, L3_1_a_DAT
Examples of security measures:
<High-Advanced>
- The industrial control system shuts down or isolates malicious code, or notifies the administrator, when detecting such code through IDS/IPS.
- The organization/system analyzes the regular patterns of its systems' communication status and security alerts to create and use a profile that summarizes typical patterns of communication and security alerts, thereby enabling the detection of unknown threats and suspicious behavior (communication).
- The information system prevents fraudulent and unexpected transfer of information via shared system resources.
[Subject: S | SP 800-171: ○ (3.13.4) | SP 800-53 Rev.4: ○ (In addition to the following, SC-4) | ISO/IEC 27001 Annex A: ○ (A.13.2.1) | IEC 62443-2-1: - | IEC 62443-3-3: -]
<Advanced>
- The information system blocks or isolates any malicious code it detects through an IDS/IPS, or notifies the administrator of the code.
- The organization collects information including newly released attack trends, malware behaviors, and malicious IP addresses/domains (external intelligence). When necessary, the organization executes responses such as restricting communications to highly dangerous IP addresses or domains.
[Subject: O/S | SP 800-171: ○ (3.13.1) | SP 800-53 Rev.4: ○ (SC-7) | ISO/IEC 27001 Annex A: as above | IEC 62443-2-1: - | IEC 62443-3-3: ○ (SR 5.2)]
<Basic>
- The organization detects unusual data communications (e.g., too large a data size, unexpected communication destination) outbound from the organization, and limits such communications when necessary.
[Subject: O/S | SP 800-171: - | SP 800-53 Rev.4: - | ISO/IEC 27001 Annex A: - | IEC 62443-2-1: - | IEC 62443-3-3: -]
CPS.DS-10
Measure Requirement: Conduct integrity checks of software running on the IoT devices and servers at a time determined by the organization, and prevent unauthorized software from launching.
Corresponding Vulnerability ID: L2_3_b_SYS
Examples of security measures:
<High-Advanced>
- The organization uses an automated tool that notifies the information system administrator when an inconsistency is found during integrity verification.
- The organization uses tools to prevent the launch of the software if malicious software is detected.
- The organization incorporates detection capability into its incident response capability to detect unauthorized changes that are made to the settings and security, such as an unauthorized elevation of system authority.
[Subject: O/S | SP 800-171: - | SP 800-53 Rev.4: ○ (In addition to the following, SI-7(2), SI-7(7)) | ISO/IEC 27001 Annex A: ○ (A.12.2.1) | IEC 62443-2-1: - | IEC 62443-3-3: -]
<Advanced>
- The information system regularly inspects the integrity of the software and firmware.
- The information system and the industrial control system prevent activation of unregistered software by registering in advance the software that is permitted to activate.
[Subject: S | SP 800-171: - | SP 800-53 Rev.4: ○ (SI-7, SI-7(1)) | ISO/IEC 27001 Annex A: as above | IEC 62443-2-1: - | IEC 62443-3-3: ○ (SR 3.1, SR 3.3, SR 3.4, SR 3.8)]
<Basic>
- N/A
[Subject: - | SP 800-171: - | SP 800-53 Rev.4: - | ISO/IEC 27001 Annex A: - | IEC 62443-2-1: - | IEC 62443-3-3: -]
CPS.DS-11
Measure Requirement: Perform integrity checking on information to be sent, received, and stored.
Corresponding Vulnerability ID: L1_1_b_DAT, L1_1_d_PRO, L3_2_a_DAT, L3_2_b_DAT
Examples of security measures:
<High-Advanced>
- The organization detects tampering with data transmitted from IoT devices, servers, etc. in industrial control systems, if possible, using integrity checking tools.
- The organization incorporates detection capability into its incident response capability to detect unauthorized changes that are made to the settings and security, such as an unauthorized elevation of system authority.
[Subject: O | SP 800-171: - | SP 800-53 Rev.4: ○ (In addition to the following, SI-7(7)) | ISO/IEC 27001 Annex A: ○ (A.14.1.2, A.14.1.3) | IEC 62443-2-1: - | IEC 62443-3-3: -]
<Advanced>
- The organization uses an integrity verification tool in an information system to detect any unauthorized changes that are made to communications data transmitted from IoT devices and servers.
- The information system regularly inspects the integrity of the stored data.
- The information system supports the technology of authenticating the sending domain in e-mail, and detects spoofing and tampering of e-mail.
[Subject: O/S | SP 800-171: - | SP 800-53 Rev.4: ○ (SI-7, SI-7(1)) | ISO/IEC 27001 Annex A: as above | IEC 62443-2-1: - | IEC 62443-3-3: ○ (SR 3.1, SR 3.3, SR 3.4, SR 3.8)]
<Basic>
- N/A
[Subject: - | SP 800-171: - | SP 800-53 Rev.4: - | ISO/IEC 27001 Annex A: - | IEC 62443-2-1: - | IEC 62443-3-3: -]
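CPS.DS-10 (verify the integrity of installed software and allow only registered software to launch) and CPS.DS-11 (detect tampering with data transmitted from IoT devices and servers) both reduce to comparing what is present against a trusted reference. The block below is an added example written for this page, not a tool from the Framework: a hash manifest plus launch allow-list for the software case, and an HMAC tag for messages in the data case. The file paths, file contents, message and key are constructed sample values.

```python
import hashlib
import hmac
from typing import Dict, List, Set


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def build_manifest(files: Dict[str, bytes]) -> Dict[str, str]:
    """Record the hash of every file at a known-good point in time (path -> hex digest)."""
    return {path: sha256_hex(content) for path, content in files.items()}


def verify_software(files: Dict[str, bytes], manifest: Dict[str, str],
                    allowlist: Set[str]) -> Dict[str, List[str]]:
    """Compare the current files against the manifest and the launch allow-list."""
    report: Dict[str, List[str]] = {"modified": [], "missing": [], "unregistered": []}
    for path, expected in manifest.items():
        if path not in files:
            report["missing"].append(path)
        elif sha256_hex(files[path]) != expected:
            report["modified"].append(path)  # inconsistency found: notify the administrator
    for path in files:
        if path not in allowlist:
            report["unregistered"].append(path)  # software never registered as permitted
    return report


def may_launch(path: str, files: Dict[str, bytes], manifest: Dict[str, str],
               allowlist: Set[str]) -> bool:
    """Permit activation only for registered software whose hash still matches the manifest."""
    return path in allowlist and path in files and sha256_hex(files[path]) == manifest.get(path)


def tag_message(key: bytes, payload: bytes) -> bytes:
    """Integrity tag a device attaches to each transmitted record (HMAC-SHA256)."""
    return hmac.new(key, payload, hashlib.sha256).digest()


def message_intact(key: bytes, payload: bytes, tag: bytes) -> bool:
    """Receiver-side check; constant-time comparison avoids leaking how many bytes matched."""
    return hmac.compare_digest(tag_message(key, payload), tag)


def software_demo() -> Dict[str, List[str]]:
    """Constructed gateway snapshot: one config file altered, one unregistered binary added."""
    baseline = {
        "/opt/ctl/pump_controller": b"\x7fELF...pump_controller v1 (sample bytes)",
        "/opt/ctl/config.yaml": b"setpoint: 42\n",
    }
    manifest = build_manifest(baseline)
    allowlist = set(baseline)
    current = dict(baseline)
    current["/opt/ctl/config.yaml"] = b"setpoint: 99\n"       # tampered configuration
    current["/tmp/unknown_tool"] = b"not registered anywhere"  # unregistered software
    return verify_software(current, manifest, allowlist)
```

The manifest itself and the HMAC key are the trust anchors: they have to be stored where the software being checked cannot rewrite them (a separate host, or a tamper-resistant element as CPS.DS-8 describes), otherwise a change to the software can be accompanied by a matching change to the reference.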
CPS.DS-12
Measure Requirement: Introduce an integrity check mechanism to verify the integrity of hardware.
Corresponding Vulnerability ID: L1_1_d_PRO, L2_3_b_SYS
Examples of security measures:
<High-Advanced>
- The organization detects hardware tampering (insertion of a hardware trojan) based on the difference between the side-channel information of the genuine IC chip and that of a counterfeit.
- The organization detects hardware tampering (insertion of a hardware trojan) by testing the physically readable ID of the chip generated with PUF (Physically Unclonable Function) technology.
[Subject: O | SP 800-171: - | SP 800-53 Rev.4: - | ISO/IEC 27001 Annex A: - | IEC 62443-2-1: - | IEC 62443-3-3: -]
<Advanced>
- The organization uses tools that detect unauthorized changes made to hardware components, labels that cannot be replicated easily, and verifiable serial numbers so that integrity can be verified.
- By monitoring the site with surveillance cameras, the organization shall be able to detect physical tampering with the hardware that is significant to its operation.
[Subject: O | SP 800-171: - | SP 800-53 Rev.4: ○ (PE-6, SA-10(3)) | ISO/IEC 27001 Annex A: - | IEC 62443-2-1: ○ (4.3.4.4.4) | IEC 62443-3-3: -]
<Basic>
- N/A
[Subject: - | SP 800-171: - | SP 800-53 Rev.4: - | ISO/IEC 27001 Annex A: - | IEC 62443-2-1: - | IEC 62443-3-3: -]
CPS.DS-13
Measure Requirement: Confirm that IoT devices and software are genuine products during the booting-up process.
Corresponding Vulnerability ID: L1_1_d_PRO, L2_3_c_ORG, L2_3_c_SYS
Examples of security measures:
<High-Advanced>
- The organization utilizes a tool having an automated mechanism to periodically check that the IoT device and installed software are genuine, using the device serial number, hash value, and the like.
[Subject: O | SP 800-171: - | SP 800-53 Rev.4: - | ISO/IEC 27001 Annex A: - | IEC 62443-2-1: - | IEC 62443-3-3: -]
<Advanced>
- The organization regularly checks that the IoT devices and the installed software are genuine products by using the serial numbers and hash values of the devices.
[Subject: O | SP 800-171: - | SP 800-53 Rev.4: - | ISO/IEC 27001 Annex A: - | IEC 62443-2-1: - | IEC 62443-3-3: -]
<Basic>
- During procurement and inventory count, the organization confirms that the IoT devices which the organization possesses are genuine products by checking the label.
[Subject: O | SP 800-171: - | SP 800-53 Rev.4: - | ISO/IEC 27001 Annex A: - | IEC 62443-2-1: - | IEC 62443-3-3: -]

CPS.DS-14
Measure Requirement: Maintain, update, and manage information such as the origination of data and the data processing history throughout the entire life cycle.
Corresponding Vulnerability ID: L3_4_a_PRO, L3_4_b_PRO
Examples of security measures:
<High-Advanced>
- The organization checks whether or not there is an entity that does not implement the countermeasures that meet the level requested by the organization of the outsourced organization among the supply chain in the cyberspace where data managed by the organization is processed.
[Subject: O | SP 800-171: - | SP 800-53 Rev.4: - | ISO/IEC 27001 Annex A: - | IEC 62443-2-1: - | IEC 62443-3-3: -]
<Advanced>
- The organization links the source of the data obtained from other organizations or individuals/IoT devices outside of the organization to the data concerned and manages the entire lifecycle of the data from acquisition to deletion.
- The organization identifies the source of data that is utilized by the organization and the organization/personnel that processed the data concerned.
[Subject: O | SP 800-171: - | SP 800-53 Rev.4: - | ISO/IEC 27001 Annex A: - | IEC 62443-2-1: - | IEC 62443-3-3: -]
<Basic>
- The organization links the source of the data obtained from other organizations or individuals outside of the organization to the data concerned, and manages the entire lifecycle of the data from acquisition to deletion.
[Subject: O | SP 800-171: - | SP 800-53 Rev.4: - | ISO/IEC 27001 Annex A: - | IEC 62443-2-1: - | IEC 62443-3-3: -]
CPS.DS-15
Measure requirement: Use products that provide measurable security in order to ensure the availability of security reporting and the trustworthiness of sensing data through integrity protection.
Corresponding vulnerability IDs: L2_1_a_COM, L2_1_a_PRO, L2_3_a_ORG, L2_3_d_ORG
Examples of security measures:
Common among <High‐Advanced> and <Advanced>
‐ When adopting a device (sensor) that has network connectivity, digitalizes dynamics in physical space, and transmits them to cyberspace, it is desirable to procure the device with consideration of the following points:
  ‐ Whether a function that uses integrity verification tools to detect unauthorized changes made to communications data is implemented;
  ‐ Whether the device has a unique ID identifiable by other IoT devices and servers, or has a certificate that can prove its genuineness through mutual authentication with the destination;
  ‐ Whether the device's resources are at a level that can maintain availability when subjected to a denial‐of‐service attack of a certain scale;
  ‐ Whether it has tolerance against physical attacks.
<Basic>
‐ The organization procures IoT devices (e.g. sensors) that are resistant to physical attacks.
Subject that implements measures: O (all levels)
Reference guidelines:
  NIST SP 800-171: -
  NIST SP 800-53 Rev.4: SC-5, SC-6, SI-7 (High‐Advanced/Advanced)
  ISO/IEC 27001:2013 Annex A: -
  IEC 62443-2-1:2010: -
  IEC 62443-3-3:2013: -
CPS.IP-1
Measure requirement: Introduce and implement the process to manage the initial setting procedure (e.g., password) and the setting change procedure for IoT devices and servers.
Corresponding vulnerability IDs: L1_1_a_SYS, L1_1_b_SYS, L2_1_a_ORG, L2_1_b_COM, L2_1_b_PRO, L2_3_b_ORG, L3_1_a_SYS, L3_3_d_SYS
Examples of security measures:
<High‐Advanced>
‐ Before making changes to IoT devices and servers that are subject to configuration management, the organization tests and approves these changes and documents them.
‐ The organization uses an automated mechanism to manage, apply, and confirm the settings of IoT devices and servers from a single location.
‐ The organization integrates security change management procedures, particularly for industrial control systems, into existing process safety management procedures.
<Advanced>
‐ When changes are made to IoT devices and servers that are subject to configuration management, the organization analyzes the impact the change has on security, decides whether the change can be made, and documents the procedure.
‐ The organization limits the personnel who can make changes to approved IoT devices and servers (restricted access).
‐ The organization makes changes to approved IoT devices and servers, and implements, records, and monitors those changes.
‐ The organization uses a secure recovery method (e.g. entering a security code known only to the user before the change is implemented) if users forget the password of their accounts, IoT devices, or servers.
‐ The organization regularly reviews policies and procedures for operation and change management to ensure that changes do not adversely affect the availability or safety of the information system and industrial control system.
<Basic>
‐ Upon determining the most restrictive setting criteria that conform to its operation, the organization documents the initial setting procedures and setting details for the IoT devices and servers to be introduced, and adjusts the settings according to the document.
‐ The organization checks the initial setting values of IoT devices before installing them, and adjusts the settings appropriately if they do not comply with the policy stipulated in CPS.AC‐1.
‐ The organization checks and records the software installed in IoT devices before introducing them.
Subject that implements measures: O (all levels)
Reference guidelines:
  NIST SP 800-171: 3.4.2 (Basic); in addition, 3.4.3, 3.4.4, 3.4.5 (Advanced)
  NIST SP 800-53 Rev.4: CM-6 (Basic); in addition, CM-3, CM-4, CM-5 (Advanced); in addition, CM-3(2) (High‐Advanced)
  ISO/IEC 27001:2013 Annex A: A.12.1.2, A.12.5.1
  IEC 62443-2-1:2010: 4.3.4.3.2, 4.3.4.3.3
  IEC 62443-3-3:2013: SR 7.6

C-13
Appendix C

Table columns (Appendix C): Measure Requirement ID | Measure Requirement | Corresponding Vulnerability ID | Examples of security measures | Subject that implements measures | Reference Guidelines (NIST SP 800-171; NIST SP 800-53 Rev.4; ISO/IEC 27001:2013 Annex A; IEC 62443-2-1:2010; IEC 62443-3-3:2013)
CPS.IP-2
Measure requirement: Restrict the software that may be added after installation in the IoT devices and servers.
Corresponding vulnerability IDs: L1_1_a_SYS, L2_1_a_ORG, L2_1_c_SYS, L3_1_a_SYS, L3_3_a_SYS, L3_3_d_SYS
Examples of security measures:
<High‐Advanced>
‐ The organization restricts software by using a list of software that is permitted to be executed on the information system and industrial control system (whitelist) or a list of prohibited software (blacklist). Alternatively, unpermitted software shall not be installed.
<Advanced>
‐ The organization adopts and manages a mechanism that manages software installation performed by users on the organization's system (information system or industrial control system) and monitors the events.
<Basic>
‐ The organization establishes a policy on software installation performed by users on the organization's system (information system or industrial control system) and has the users follow it.
Subject that implements measures: O/S (High‐Advanced, Advanced); O (Basic)
Reference guidelines:
  NIST SP 800-171: 3.4.9 (Advanced); in addition, 3.4.8 (High‐Advanced)
  NIST SP 800-53 Rev.4: CM-11 (Advanced); in addition, CM-7(4), CM-7(5) (High‐Advanced)
  ISO/IEC 27001:2013 Annex A: A.12.6.2 (Advanced/Basic); in addition, A.12.5.1 (High‐Advanced)
  IEC 62443-2-1:2010: 4.3.4.3.2, 4.3.4.3.3 (Advanced/Basic)
  IEC 62443-3-3:2013: SR 7.6 (Advanced/Basic)
CPS.IP-3
Measure requirement: Introduce the system development life cycle to manage the systems.
Corresponding vulnerability IDs: L1_1_a_ORG, L1_1_b_ORG, L1_1_c_ORG, L2_1_d_SYS, L3_3_c_SYS
Examples of security measures:
<High‐Advanced>
‐ The organization explicitly presents the following requirements when procuring the system:
  ‐ Requirements for security functions;
  ‐ Requirements for security strength;
  ‐ Requirements for security warranty;
  ‐ Requirements for security‐related documents;
  ‐ Requirements for protection of security‐related documents;
  ‐ Description of the development environment of the system and the environment in which the system is planned to operate;
  ‐ Acceptance criteria.
<Advanced>
‐ The organization manages the system in accordance with the system development lifecycle, which includes items of consideration regarding information security, and undergoes an information security risk management process throughout the entire system development lifecycle.
<Basic>
‐ The organization applies the general rules of security engineering to the specification, design, development, introduction, and changes made in building the system.
Subject that implements measures: O (all levels)
Reference guidelines:
  NIST SP 800-171: 3.13.2 (Basic)
  NIST SP 800-53 Rev.4: SA-8 (Basic); in addition, SA-3 (Advanced); in addition, SA-4 (High‐Advanced)
  ISO/IEC 27001:2013 Annex A: A.14.1.1, A.14.2.1, A.14.2.6 (Basic); in addition, A.6.1.5, A.14.2.2, A.14.2.5 (High‐Advanced)
  IEC 62443-2-1:2010: 4.3.4.3.3 (Advanced/Basic)
  IEC 62443-3-3:2013: SR 7.3, SR 7.4 (Advanced/Basic)
CPS.IP-4
Measure requirement: Perform periodic system backups and testing of components (e.g., IoT devices, communication devices, and circuits).
Corresponding vulnerability IDs: L1_3_a_DAT, L2_1_d_SYS, L3_3_c_SYS
Examples of security measures:
<High‐Advanced>
‐ The organization confirms the trustworthiness of the medium and the integrity of the information by regularly testing the backup information.
<Advanced>
‐ The organization backs up its system documents according to the prescribed timing and frequency.
‐ The organization protects the confidentiality, integrity, and availability of the information backed up on the storage base.
<Basic>
‐ The organization backs up user-level and system-level information included in its information systems or industrial control systems according to the prescribed timing and frequency.
Subject that implements measures: O (all levels)
Reference guidelines:
  NIST SP 800-171: 3.8.9 (Advanced/Basic)
  NIST SP 800-53 Rev.4: CP-9 (Advanced/Basic); in addition, CP-9(1) (High‐Advanced)
  ISO/IEC 27001:2013 Annex A: A.12.3.1 (Basic); in addition, A.18.1.3 (Advanced); in addition, A.14.3.1 (High‐Advanced)
  IEC 62443-2-1:2010: 4.3.4.3.9 (Advanced)
  IEC 62443-3-3:2013: -
CPS.IP-5
Measure requirement: Implement physical measures such as preparing an uninterruptible power supply, a fire protection facility, and protection from water infiltration, following the policies and rules related to the physical operating environment, including the IoT devices and servers installed in the organization.
Corresponding vulnerability IDs: L1_1_a_SYS, L1_1_c_SYS, L2_3_b_SYS, L2_3_d_SYS, L3_1_a_SYS
Examples of security measures:
<High‐Advanced>
‐ The organization adopts an automatic fire suppression system if a staffer is not stationed full time at a facility where its system is located.
<Advanced>
‐ The organization maintains the machine safety of equipment located within the area of its IoT devices and servers by using an uninterruptible power supply.
‐ The organization adopts and maintains equipment and systems that run on an independent power supply and that detect and extinguish fire.
‐ The organization has shut‐off valves or isolation valves to protect areas with its IoT devices and servers from damage such as water leakage.
<Basic>
‐ The organization adopts a system that keeps the temperature and humidity of the area with its IoT devices and servers within the acceptable level.
‐ The organization regularly monitors the temperature and humidity of the area with its IoT devices and servers.
Subject that implements measures: O (all levels)
Reference guidelines:
  NIST SP 800-171: -
  NIST SP 800-53 Rev.4: PE-14 (Basic); in addition, PE-13, PE-15 (Advanced)
  ISO/IEC 27001:2013 Annex A: A.11.1.4, A.11.2.1, A.11.2.2 (Advanced)
  IEC 62443-2-1:2010: 4.3.3.3.1, 4.3.3.3.2, 4.3.3.3.3, 4.3.3.3.5, 4.3.3.3.6 (Advanced)
  IEC 62443-3-3:2013: -
CPS.IP-6
Measure requirement: When disposing of an IoT device or server, delete the stored data, the ID (identifier) uniquely identifying the genuine IoT device or server, and important information (e.g., private key and digital certificate), or make them unreadable.
Corresponding vulnerability IDs: L2_3_b_DAT
Examples of security measures:
<High‐Advanced>
‐ The organization defines classifications, including security categories, for data saved in an IoT device or server to be scrapped, and introduces a mechanism for using the proper technique to delete the data with the strength and integrity needed, or to make the data unreadable, according to the definition.
<Advanced>
‐ The organization establishes a procedure for scrapping its equipment, including IoT devices and servers, deletes the data saved in the equipment or makes the data unreadable in accordance with the procedure, and makes sure that the action has been completed successfully.
<Basic>
‐ The organization deletes the data saved in its IoT devices or servers to be scrapped, or makes the data unreadable.
Subject that implements measures: O (all levels)
Reference guidelines:
  NIST SP 800-171: 3.8.3 (Advanced)
  NIST SP 800-53 Rev.4: MP-6 (Advanced)
  ISO/IEC 27001:2013 Annex A: A.8.3.1, A.8.3.2, A.11.2.7 (Advanced); in addition, A.8.2.3 (High‐Advanced)
  IEC 62443-2-1:2010: -
  IEC 62443-3-3:2013: SR 4.2 (Advanced)
CPS.IP-7
Measure requirement: Assess the lessons learned from security incident response and the results of monitoring, measuring, and evaluating internal and external attacks, and improve the processes for protecting the assets.
Corresponding vulnerability IDs: L1_1_a_PRO, L1_1_b_PRO, L1_1_c_PRO, L2_1_a_ORG
Examples of security measures:
<High‐Advanced>
‐ The organization has its security assessed by a third party.
<Advanced>
‐ Before the assessment is carried out, the organization draws up a security assessment plan that includes the following, so as to ensure that its security is assessed properly and systematically:
  ‐ Security measures for assessment;
  ‐ Assessment procedures for measuring the effectiveness of security measures;
  ‐ Settings and mechanisms for carrying out the security assessment;
  ‐ Methods of putting together the results of the security assessment and applications of the results.
<Basic>
‐ The organization regularly evaluates whether its security measures have achieved the expected results (i.e., security assessment) and reports the conclusions to the chief security officer, in addition to evaluating whether the measures are correctly implemented and managed.
‐ The organization makes improvements to its security measures based on the results of the security assessment.
Subject that implements measures: O (all levels)
Reference guidelines:
  NIST SP 800-171: 3.12.1 (Advanced)
  NIST SP 800-53 Rev.4: CA-2 (Advanced); in addition, CA-2(1) (High‐Advanced)
  ISO/IEC 27001:2013 Annex A: A.16.1.6, A.18.2.1, Clause 9.1, Clause 9.2, Clause 10.1, Clause 10.2 (Advanced)
  IEC 62443-2-1:2010: 4.4.3.2, 4.4.3.3, 4.4.3.4, 4.4.3.5, 4.4.3.6, 4.4.3.7, 4.4.3.8 (Advanced)
  IEC 62443-3-3:2013: -
CPS.IP-8
Measure requirement: Share information regarding the effectiveness of data protection technologies with appropriate partners.
Corresponding vulnerability IDs: L2_1_a_ORG
Examples of security measures:
<High‐Advanced>
‐ The organization prepares, through an automated mechanism, a setting that enables it and its appropriate partners to interactively share, at just the right time, new information about data protection technologies or about the effectiveness of those protection technologies.
<Advanced>
‐ The organization prepares a setting that enables it to share, at just the right time, new information about data protection technologies or about the effectiveness of those protection technologies with its partners.
<Basic>
‐ The organization prepares a setting that enables it to acquire new information about data protection technologies or about the effectiveness of those protection technologies from its appropriate partners.
Subject that implements measures: O (all levels)
Reference guidelines:
  NIST SP 800-171: 3.14.4 (High‐Advanced/Advanced)
  NIST SP 800-53 Rev.4: AC-21 (High‐Advanced/Advanced)
  ISO/IEC 27001:2013 Annex A: A.16.1.6 (Advanced)
  IEC 62443-2-1:2010: -
  IEC 62443-3-3:2013: -

CPS.IP-9
Measure requirement: Include items concerning security (e.g., deactivating access authorization and personnel screening) when roles change due to personnel transfer.
Corresponding vulnerability IDs: L1_1_a_PEO, L1_1_b_PEO, L1_1_c_PEO
Examples of security measures:
Common among <High‐Advanced> and <Advanced>
‐ The organization changes its staff members' rights to access certain systems and/or rooms on the premises when they are reshuffled or transferred internally.
‐ To minimize the impact when a staff member leaves the organization, the organization designates backup members for important duties it performs as a supplier, including operation and maintenance.
‐ The organization identifies the conditions under which re‐screening is required, such as changes in access authority to its own systems, and re‐screens if necessary.
‐ The organization conducts an interview on information security when personnel leave.
‐ The organization ensures that responsibilities for security are met, particularly by personnel handling sensitive information, throughout the whole process from hiring to retirement.
<Basic>
‐ The organization identifies the security responsibilities of personnel in the employment contract. The organization states that these responsibilities are sustained for a reasonable period of time after the termination of employment, in order to prevent information leakage after termination.
‐ The organization reviews a staff member before granting him or her access to its systems.
‐ The organization conducts the following when a staff member resigns or retires:
  ‐ Disables the staff member's access to its systems within a certain period;
  ‐ Disables the authentication and credentials related to the staff member;
  ‐ Collects all security-relevant, system‐related items that the staff member has used;
  ‐ Retains access to the information about the organization and its information systems that has been managed by the individual who is leaving.
Subject that implements measures: O (all levels)
Reference guidelines:
  NIST SP 800-171: 3.9.1, 3.9.2
  NIST SP 800-53 Rev.4: PS-3, PS-4 (Basic); in addition, PS-5 (High‐Advanced/Advanced)
  ISO/IEC 27001:2013 Annex A: A.7.1.1, A.7.1.2, A.7.2.1, A.8.1.4 (Basic); in addition, A.7.2.3, A.7.3.1 (High‐Advanced/Advanced)
  IEC 62443-2-1:2010: 4.3.3.2.1, 4.3.3.2.2, 4.3.3.2.6, 4.3.4.4.2 (Basic); in addition, 4.3.3.2.3, 4.3.3.2.4 (High‐Advanced/Advanced)
  IEC 62443-3-3:2013: -
CPS.IP-10
Measure requirement: Develop a vulnerability remediation plan, and remediate the vulnerabilities of the components according to the plan.
Corresponding vulnerability IDs: L1_1_a_SYS, L2_1_a_ORG, L3_1_a_SYS, L3_3_a_SYS, L3_3_d_SYS
Examples of security measures:
<High‐Advanced>
‐ The organization adopts and administers an automated mechanism for managing the status of defect correction.
<Advanced>
‐ The organization defines tolerable risk by identifying, through investigations and tests, the impact that patch application has on the functions of other software applications and services and on the operation of IoT devices and servers.
‐ The organization conducts tests to measure the effectiveness of corrections and the possibility of any secondary adverse effects, corrects the defects, and manages the corrections as part of configuration management.
<Basic>
‐ The organization systematically identifies, reports, and responds to vulnerabilities in its own information systems and industrial control systems. The organization considers the following when formulating a plan:
  ‐ Seriousness of the threats or vulnerabilities;
  ‐ Risk in responding to the vulnerabilities.
[Reference] It may be difficult to apply security patches in a timely manner, or to apply patches at all, to IoT devices in consideration of the availability and functions of the devices. In such cases, it is desirable to prevent security incidents by thoroughly taking measures against threats (e.g. minimization of functions, strengthening of network monitoring).
Subject that implements measures: O (all levels)
Reference guidelines:
  NIST SP 800-171: 3.14.3 (Advanced)
  NIST SP 800-53 Rev.4: SI-2 (Advanced); in addition, SI-2(2) (High‐Advanced)
  ISO/IEC 27001:2013 Annex A: A.12.6.1 (Basic); in addition, A.14.2.3 (Advanced)
  IEC 62443-2-1:2010: 4.3.4.3.7 (Basic)
  IEC 62443-3-3:2013: -
CPS.MA-1
Measure requirement:
- Discuss the method of conducting important security updates and the like on IoT devices and servers. Then, apply those security updates with managed tools properly and in a timely manner while recording the history.
- Introduce IoT devices that have a remote update mechanism to perform a mass update of different software programs (OS, driver, and application) through remote commands, where applicable.
Corresponding vulnerability IDs: L1_1_a_SYS, L2_1_a_ORG, L2_1_c_SYS, L3_1_a_SYS, L3_3_a_SYS, L3_3_d_SYS
Examples of security measures:
<High‐Advanced>
‐ The organization gives prior approval for the use of devices and/or tools needed for maintenance to update its IoT devices and servers, and conducts monitoring.
‐ The organization inspects the devices and/or tools for maintenance brought in by the staff members who update its IoT devices and servers, in order to make sure that no inappropriate or unauthorized changes will be made.
‐ The organization inspects the media used for maintenance to update its IoT devices and servers, in order to make sure that the media contain no malicious code before they are used.
‐ The organization introduces IoT devices designed to remotely update different software programs (OS, driver, application) at the same time.
<Advanced>
‐ The organization plans maintenance work such as updating its IoT devices and servers, implements the plan, checks the work done, and documents the entire maintenance.
‐ The organization gives prior approval for maintenance work such as updating its IoT devices and servers, and conducts monitoring.
‐ The organization gives prior approval for equipment to leave its premises for any maintenance work done off-site, such as updating its IoT devices and servers. It also takes the necessary actions beforehand, such as deleting relevant saved data.
‐ After the work is complete, the organization checks all security measures that may have been affected by maintenance work, such as updating its IoT devices and servers, in order to make sure that the relevant equipment works correctly.
‐ The organization keeps records of the maintenance work done, such as updating its IoT devices and servers.
‐ The organization establishes a process for authorizing maintenance staff in order to keep the list of authorized maintenance organizations or staff members up to date.
<Basic>
‐ The organization makes sure that a maintenance staff member sent unattended to do maintenance work on its information system and industrial control system has the necessary access rights.
‐ The organization appoints a staff member of its own with the access rights and technical skills needed to supervise maintenance work done by a staff member without the necessary access rights.
Subject that implements measures: O (all levels)
Reference guidelines:
  NIST SP 800-171: 3.7.6 (Basic); in addition, 3.7.1, 3.7.2, 3.7.4 (Advanced); 3.7.1, 3.7.2, 3.7.4 (High‐Advanced)
  NIST SP 800-53 Rev.4: MA-5 (Basic); in addition, MA-2 (Advanced); in addition, MA-3, MA-3(1), MA-3(2) (High‐Advanced)
  ISO/IEC 27001:2013 Annex A: A.11.1.2 (Basic); in addition, A.11.2.4, A.11.2.5, A.11.2.6, A.14.2.4 (High‐Advanced/Advanced)
  IEC 62443-2-1:2010: 4.3.3.3.7 (Advanced)
  IEC 62443-3-3:2013: -
CPS.MA-2
Measure requirement: Conduct remote maintenance of the IoT devices and servers while granting approvals and recording logs so that unauthorized access can be prevented.
Corresponding vulnerability IDs: L1_1_a_SYS, L2_1_a_ORG, L3_1_a_SYS, L3_3_a_SYS, L3_3_d_SYS
Examples of security measures:
Common among <High‐Advanced> and <Advanced>
‐ The organization documents the policy and procedure for establishing and implementing a connection designed for remote maintenance, and implements the connection in accordance with that policy and procedure.
‐ The organization requires the authentication it specifies for network access when remote maintenance is carried out. It also ensures that the session and the network connection are terminated when the remote maintenance is complete.
<Basic>
‐ The organization develops and agrees on an implementation plan for remote maintenance before carrying out the maintenance, and checks the results of the maintenance done.
‐ The organization keeps records of the remote maintenance done.
Subject that implements measures: O (all levels)
Reference guidelines:
  NIST SP 800-171: 3.7.5 (High‐Advanced/Advanced)
  NIST SP 800-53 Rev.4: MA-4 (Basic); in addition, MA-4(2) (High‐Advanced/Advanced)
  ISO/IEC 27001:2013 Annex A: A.11.2.4, A.15.2.1 (Basic); in addition, A.15.1.1 (High‐Advanced/Advanced)
  IEC 62443-2-1:2010: 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8 (Basic)
  IEC 62443-3-3:2013: -

CPS.PT-1
Measure requirement: Determine and document the subject or scope of audit recording/log recording, and implement and review those records in order to properly detect high-risk security incidents.
Corresponding vulnerability IDs: L1_1_a_SYS, L2_1_b_ORG, L3_1_a_SYS, L3_3_a_SYS, L3_3_d_SYS
Examples of security measures:
<High‐Advanced>
‐ In addition to the detection of security incidents, the collected logs are useful for tracing the cause of security incidents after the fact. Therefore, the information system collects, if possible, detailed logs (e.g. at OS command level) that are not retained by the OS's own functions.
‐ When the time stamps in multiple audit logs are consistent, the audit logs of the subjects specified by the organization are managed as audit trails across the system, both logically and physically.
‐ The information system provides functions designed to compare and synchronize internal system clocks with an official time source when generating time stamps for audit records.
‐ The information system adopts an automatic mechanism designed to handle audit review, analysis, and reporting in an integrated manner.
‐ It may be difficult to generate security‐related audit logs for some of the IoT devices an organization uses, or to connect some of those devices to the existing log management system. Hence, when collecting and analyzing audit logs from such IoT devices, it is necessary to take measures that consider the specifications of the devices, such as using a log management system different from the main one or using an alternative measure on the system side.
<Advanced>
‐ The information system and the industrial control system each use a cryptographic mechanism to ensure the integrity of audit logs and audit tools.
‐ The organization grants control over an audit log only to users assigned in accordance with the rules on security‐related internal responsibility.
‐ The information system issues an alert when a failure occurs in the audit process.
<Basic>
‐ The organization specifies what is to be audited based on its risk management strategy and risk assessment results, and checks that the systems can acquire audit logs that show who did what and when in connection with the subjects of an audit.
‐ The system generates the prescribed audit log from the various system components.
‐ The organization regularly reviews and analyzes a system's audit log to see if there are any signs of security incidents that may cause damage to the organization, and reports to the system administrator where necessary.
‐ The organization confirms that the impact of audit activities on the performance of industrial control systems is tolerable.
Subject that implements measures: O/S (all levels)
Reference guidelines:
  NIST SP 800-171: 3.3.1, 3.3.2, 3.3.3 (Basic); in addition, 3.3.4, 3.3.8, 3.3.9 (Advanced); in addition, 3.3.7 (High‐Advanced)
  NIST SP 800-53 Rev.4: AU-2, AU-3, AU-6, AU-11 (Basic); in addition, AU-9(3), AU-9(4) (Advanced); in addition, AU-6(1), AU-11(1) (High‐Advanced)
  ISO/IEC 27001:2013 Annex A: A.12.4.1, A.12.4.3, A.12.7.1 (Basic); in addition, A.12.4.2 (Advanced); in addition, A.12.4.4 (High‐Advanced)
  IEC 62443-2-1:2010: 4.3.4.4.7, 4.4.2.1, 4.4.2.2, 4.3.3.3.9, 4.3.3.5.8 (Advanced/Basic); in addition, 4.4.2.4 (High‐Advanced)
  IEC 62443-3-3:2013: SR 2.8, SR 2.9, SR 2.11, SR 2.12 (Advanced/Basic); in addition, SR 2.10 (High‐Advanced)
CPS.PT-2
Measure requirement: Minimize the functions of IoT devices and servers by physically and logically blocking unnecessary network ports, USB ports, and serial ports that give direct access to the main bodies of IoT devices, servers, etc.
Corresponding vulnerability IDs: L1_1_a_SYS, L1_1_b_SYS, L1_1_c_SYS, L2_1_b_COM, L2_3_b_SYS, L3_1_a_SYS, L3_3_d_SYS
Examples of security measures:
<High‐Advanced>
‐ The organization identifies the software programs that are not allowed to be executed on a system.
‐ The organization manages a "black list" or "white list" so that software programs not allowed on the system cannot be executed.
‐ The organization regularly reviews and updates the black list or the white list.
‐ The system blocks the execution of these programs in accordance with the specified rules.
<Advanced>
‐ The organization reviews the functions and services provided by its systems and devices in order to identify the functions and services that could be removed.
‐ The organization uses network scanning tools, intrusion detection and prevention systems, and endpoint protection (e.g., a firewall, host‐based intrusion detection system) in order to detect and prevent the use of banned functions, ports, protocols, and services.
‐ The organization minimizes the functions and services of devices connected to the network, such as multifunction printers, in addition to typical IoT devices and servers.
<Basic>
‐ The organization manages the peripherals in use (e.g., USB flash drives) using a management ledger and keeps them in a locked place.
‐ The organization checks external storage devices connected to IoT devices or servers (e.g., USB flash drives) using antivirus software, uses USB flash drives that can be checked for viruses, or takes other appropriate action.
‐ The organization plugs USB ports and serial ports that are not in use in order to physically block them.
Subject that implements measures: O/S (High‐Advanced); O (Advanced, Basic)
Reference guidelines:
  NIST SP 800-171: 3.8.1, 3.8.4 (Basic); in addition, 3.4.6 (Advanced); in addition, 3.4.7, 3.4.8 (High‐Advanced)
  NIST SP 800-53 Rev.4: MP-2, MP-3, MP-4 (Basic); in addition, CM-7 (Advanced); in addition, CM-7(2), CM-7(4) (High‐Advanced)
  ISO/IEC 27001:2013 Annex A: A.8.2.2, A.8.3.1 (Advanced)
  IEC 62443-2-1:2010: 4.3.3.5, 4.3.3.7 (Advanced/Basic)
  IEC 62443-3-3:2013: SR 2.3, SR 7.7 (Basic)
CPS.PT-3
Measure requirement: Introduce IoT devices that implement safety functions, assuming that these devices are connected to the network.
Corresponding vulnerability IDs: L2_2_a_ORG
Examples of security measures:
<High‐Advanced>
‐ The organization adopts intrinsically safe design to handle hazards of high severity, thereby minimizing damage (e.g., a design that lowers the energy of a hazard in order to limit the impact of an accident).
<Advanced>
‐ The organization carries out a security risk assessment that considers the aspect of safety (CPS.RA‐4) in order to clarify whether measures to ensure the physical safety of the assessed system are needed, and at what level.
‐ The organization reduces hazards through intrinsically safe design. If any hazard of high severity persists through this process, it is advisable to take alternative measures such as the following:
  ‐ Ensure safety using an add‐on such as a safety device;
  ‐ Adopt a space design that keeps staff members away from hazardous devices.
‐ The industrial control system operates in a predetermined manner when normal operation cannot be maintained due to a cyber attack or the like.
<Basic>
‐ N/A
Subject that implements measures: O (High‐Advanced); O/S (Advanced)
Reference guidelines:
  NIST SP 800-171: -
  NIST SP 800-53 Rev.4: -
  ISO/IEC 27001:2013 Annex A: A.16.1.6 (High‐Advanced)
  IEC 62443-2-1:2010: -
  IEC 62443-3-3:2013: SR 3.6, SR 7.1, SR 7.2 (Advanced)
CPS.AE-1
Measure requirement: Establish and implement the procedure to identify and manage the baseline of network operations and the expected information flows between people, goods, and systems.
Corresponding vulnerability IDs: L1_1_a_COM, L1_1_a_SYS, L1_1_b_COM, L1_1_c_COM, L1_3_b_ORG, L1_3_c_ORG, L2_1_b_ORG, L3_1_a_SYS, L3_3_a_SYS, L3_3_d_SYS
Examples of security measures:
<High‐Advanced>
‐ The organization uses a mechanism for automatically collecting information about network configurations and the software configurations of devices in order to monitor the most recent status at all times.
‐ The information system enforces the users' access rights approved by the administrator in order to control data flows within a system (and between interconnected systems).
‐ The organization physically or logically separates the network of industrial control systems with high importance from the network of industrial control systems with lower importance.
‐ The organization/system analyzes the regular patterns of its systems' communication status and security alerts to create and use a profile that summarizes typical patterns of communication and security alerts, thereby enabling the detection of unknown threats and suspicious behavior (communication).
<Advanced>
‐ As part of its configuration management, the organization identifies and documents the configuration that serves as the latest baseline of the information system and the industrial control system.
‐ If any changes are made to the baseline configuration of the information system or industrial control system, the organization promptly updates the baseline configuration so that the most recent status is available at all times.
‐ The organization allows one system to connect to another only after it determines that the connection is safe enough in terms of security measures.
‐ The industrial control system provides services to the control system network without connecting to networks other than industrial control systems.
‐ The organization exercises discretionary access control according to the user's access rights in order to control data flows within the information system (and between interconnected systems).
<Basic>
‐ The organization documents the information that serves as a baseline, including the network configuration, assets, and device setup and configuration information of the information system and the industrial control system, and regularly checks the document to see if its content remains relevant.
‐ The organization logically or physically segments the control system's network from the network composed of the information system.
[Reference] Implement physical segmentation in environments physically separated from other networks. Alternatively, in environments physically close to other networks, logical segmentation may be implemented in consideration of the cost of the measure.
Subject that implements measures: O/S (High‐Advanced, Advanced); O (Basic)
Reference guidelines:
  NIST SP 800-171: 3.4.1 (Basic); in addition, 3.1.3, 3.14.1, 3.14.6, 3.14.7 (High‐Advanced)
  NIST SP 800-53 Rev.4: CM-2 (Basic); in addition, CA-3 (Advanced); in addition, AC-4, CM-2(2), SI-4, SI-4(13) (High‐Advanced)
  ISO/IEC 27001:2013 Annex A: -
  IEC 62443-2-1:2010: 4.4.3.3 (Advanced/Basic)
  IEC 62443-3-3:2013: -
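The High‐Advanced measure of CPS.AE-1 describes profiling the regular communication patterns of a system and using that profile to surface suspicious communication. The following added example (it is not part of the Framework and not any product's detection logic) shows the minimal form of that idea on a control network: a learning window of flow records builds a baseline of (source, destination, protocol, port) tuples with the largest volume seen for each, and a later window is compared against it. Flows absent from the baseline and flows whose volume exceeds the learned maximum by a configurable factor are reported. The flow-record format, addresses and byte counts are constructed sample data.

```python
"""Baseline of expected network flows and deviation detection (added example, not Framework text).

Assumed flow-record format (hypothetical, one record per line):
    "<src-ip> <dst-ip> <proto> <dst-port> <bytes>"
"""


def parse_flow(line: str) -> tuple:
    """Parse one constructed flow record into (src, dst, proto, dport, nbytes)."""
    src, dst, proto, dport, nbytes = line.split()
    return src, dst, proto, int(dport), int(nbytes)


def build_baseline(lines: list) -> dict:
    """Learn the profile: each distinct flow tuple maps to the largest byte count seen for it."""
    profile: dict = {}
    for line in lines:
        src, dst, proto, dport, nbytes = parse_flow(line)
        key = (src, dst, proto, dport)
        profile[key] = max(profile.get(key, 0), nbytes)
    return profile


def detect_deviations(profile: dict, lines: list, volume_factor: float = 3.0) -> list:
    """Compare observed flows against the profile.

    Returns a list of (finding, flow_tuple, nbytes) where finding is
    'unknown-flow' (tuple never seen during learning) or
    'volume-anomaly' (known tuple, but volume > volume_factor * learned maximum).
    """
    findings = []
    for line in lines:
        src, dst, proto, dport, nbytes = parse_flow(line)
        key = (src, dst, proto, dport)
        if key not in profile:
            findings.append(("unknown-flow", key, nbytes))
        elif nbytes > volume_factor * profile[key]:
            findings.append(("volume-anomaly", key, nbytes))
    return findings


# Constructed learning window: an HMI and a historian polling a PLC, historian to an on-site server.
BASELINE_FLOWS = [
    "10.1.1.10 10.1.2.20 tcp 502 1200",    # HMI -> PLC (Modbus/TCP)
    "10.1.1.11 10.1.2.20 tcp 502 900",     # historian -> PLC
    "10.1.1.10 10.1.2.20 tcp 502 1500",    # HMI -> PLC, slightly larger poll
    "10.1.1.11 10.1.1.50 tcp 443 8000",    # historian -> on-site server
]

# Constructed observation window: one normal flow, one flow to an address never seen
# (203.0.113.0/24 is a documentation range), and one known flow with abnormal volume.
OBSERVED_FLOWS = [
    "10.1.1.10 10.1.2.20 tcp 502 1300",
    "10.1.2.20 203.0.113.5 tcp 443 50000",
    "10.1.1.11 10.1.1.50 tcp 443 90000",
]


def run_demo() -> list:
    """Build the baseline from the learning window and check the observation window."""
    return detect_deviations(build_baseline(BASELINE_FLOWS), OBSERVED_FLOWS)


if __name__ == "__main__":
    for finding, flow, nbytes in run_demo():
        print(f"{finding}: {flow} ({nbytes} bytes)")
```

A profile this simple is only as good as its learning window: a window that already contains unwanted traffic bakes it into the baseline, which is why the Advanced measure insists that the documented baseline be reviewed and updated deliberately rather than relearned silently.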

Measure Requirement ID: CPS.AE-2
Measure Requirement: Appoint a chief security officer, establish a security management team (SOC/CSIRT), and prepare a system within the organization to detect, analyze, and respond to security events.
Corresponding Vulnerability ID: L1_3_a_ORG
<High‐Advanced>
‐ The organization efficiently analyzes audit logs collected through 24‐h, 365‐day security monitoring by using an automated analysis tool.
‐ It is desirable for the organization to include not only its conventional IT environment but also its control system and IoT devices in the scope of security monitoring.
‐ It is desirable for the organization to regularly evaluate the maturity of its security measure organizations in order to continue improving its security‐related operations, including security monitoring and the ways incidents are handled.
[Reference] For example, SIM3 (Security Incident Management Maturity Model) is available as metrics for the evaluation of security organizations (SOC/CSIRT).
[Subject: O/S | NIST SP 800-171: - | NIST SP 800-53 Rev.4: ○ (In addition to the following, SI-4(2), SI-4(5)) | ISO/IEC 27001 Annex A: - | IEC 62443-2-1: - | IEC 62443-3-3: -]
<Advanced>
‐ The organization refers to risk assessment results and, considering the following angles, establishes what to monitor and what to include in correlation analysis.
 ‐ The scope of systems to monitor
 ‐ Which device logs should be collected for analysis (see CPS.AE‐3)
‐ The organization regularly reviews audit logs collected through monitoring.
‐ The organization continues to collect and manage information about assets, device configurations, and network configurations in order to evaluate its security status.
‐ The organization examines the results of correlation analysis and other data to accurately detect security events that must be addressed and takes action in accordance with the security operation process. See CPS.RP‐1 for details of the process.
‐ The organization regularly reports the state of organizational and system security to the chief security officer or other appropriate staff members. It is desirable that the regular report include the following:
 ‐ Results of log analysis (e.g., the number of incidents handled; summaries of typical incidents that have been handled; threats that have emerged; issues in monitoring);
 ‐ Policy for future improvements in monitoring.
[Subject: O/S | NIST SP 800-171: ○ (3.6.1, 3.12.2, 3.14.6, 3.14.7) | NIST SP 800-53 Rev.4: ○ (CA-7, IR-4, SI-4) | ISO/IEC 27001 Annex A: ○ (In addition to the following, A.12.4.1, A.16.1.5) | IEC 62443-2-1: ○ (4.3.4.5.6, 4.3.4.5.7, 4.3.4.5.8) | IEC 62443-3-3: ○ (SR 2.8, SR 2.9, SR 2.10, SR 2.11, SR 2.12, SR 3.9, SR 6.1, SR 6.2)]
<Basic>
‐ The organization identifies who the chief security officer/contact person is in both the information system and the industrial control system so that the officer/contact person can handle security‐related internal and external communications.
[Subject: O | NIST SP 800-171: - | NIST SP 800-53 Rev.4: - | ISO/IEC 27001 Annex A: ○ (A.6.1.1) | IEC 62443-2-1: - | IEC 62443-3-3: -]
Measure Requirement ID: CPS.AE-3
Measure Requirement: Identify the security events accurately by implementing the procedure to conduct a correlation analysis of the security events and comparative analysis with the threat information obtained from outside the organization.
Corresponding Vulnerability ID: L1_1_b_SYS, L1_3_a_SYS
<High‐Advanced>
‐ The organization conducts a trend analysis examining the latest information about threats, vulnerability, and assessments of security management measures carried out several times in order to determine whether the activities for continuous monitoring need any correction.
‐ The organization carries out policy tuning (management of signatures to apply) and maintenance for devices such as IDS, IPS, and SIEM on its own.
‐ The organization creates custom signatures used for sensors on its own.
‐ In order to properly detect security events that are likely to adversely affect the organization, the organization collects and analyzes logs of edge devices such as IoT devices in addition to the logs of devices presented in <Advanced>, if possible.
[Subject: O | NIST SP 800-171: ○ (In addition to the following, 3.14.4) | NIST SP 800-53 Rev.4: ○ (In addition to the following, CA-7(3)) | ISO/IEC 27001 Annex A: - | IEC 62443-2-1: - | IEC 62443-3-3: -]
<Advanced>
‐ It is desirable that the organization should monitor mainly logs of the devices listed below for real‐time analysis to appropriately detect security events highly likely to have an adverse effect on its own organization. This will require the handling of many different logs. Hence, it is necessary to normalize logs to store them in the same database or to use SIEM for efficient analysis. It is also advisable to handle information about network flows if it is available.
 ‐ Logs and network flows from network systems, e.g., firewalls
 ‐ Logs from security devices, e.g., IPS/IDS
 ‐ Access logs of web servers
 ‐ Logs from various systems, e.g., Active Directory; DNS
 ‐ Logs related to users’ terminals
[Subject: S | NIST SP 800-171: ○ (3.12.3) | NIST SP 800-53 Rev.4: ○ (CA-7) | ISO/IEC 27001 Annex A: ○ (A.12.4.1) | IEC 62443-2-1: - | IEC 62443-3-3: ○ (SR 6.1)]
<Basic>
‐ The organization checks each notice from firewalls and endpoint security products in order to identify security events that may have an adverse impact on the organization.
[Subject: O | NIST SP 800-171: - | NIST SP 800-53 Rev.4: - | ISO/IEC 27001 Annex A: - | IEC 62443-2-1: - | IEC 62443-3-3: -]
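The <Advanced> tier above asks for logs from firewalls, IDS/IPS and web servers to be normalized into one store and correlated. The following is an added example of that step, not tooling from the Framework: the three log formats, the host names and IP addresses are constructed sample data, and the correlation rule (an IDS alert plus activity from at least one other log source from the same IP within five minutes) is an assumption chosen for illustration.

```python
"""Normalize heterogeneous logs into one schema and correlate them by source IP.

Added example for the <Advanced> tier of CPS.AE-3.  The log lines and their
formats are constructed sample data; the normalized layout stands in for
the common database/SIEM schema the text refers to.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Constructed sample log lines (formats are hypothetical, modelled on
# syslog-style firewall, IDS fast-log and Apache access-log layouts).
FIREWALL_LOG = [
    "2024-05-01T10:00:01Z fw01 DENY src=203.0.113.7 dst=192.0.2.10 dport=22",
    "2024-05-01T10:00:05Z fw01 ALLOW src=198.51.100.4 dst=192.0.2.20 dport=443",
]
IDS_LOG = [
    '2024-05-01T10:00:03Z ids01 ALERT sid=2001 msg="SSH brute force" 203.0.113.7 -> 192.0.2.10',
]
WEB_LOG = [
    '203.0.113.7 - - [01/May/2024:10:00:09 +0000] "GET /wp-login.php HTTP/1.1" 404 512',
    '198.51.100.4 - - [01/May/2024:10:00:11 +0000] "GET /index.html HTTP/1.1" 200 1024',
]

FW_RE = re.compile(r"^(\S+) (\S+) (ALLOW|DENY) src=(\S+) dst=(\S+) dport=(\d+)$")
IDS_RE = re.compile(r'^(\S+) (\S+) ALERT sid=(\d+) msg="([^"]*)" (\S+) -> (\S+)$')
WEB_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "([^"]*)" (\d{3}) (\d+)$')


def _iso(ts):
    # Timestamps are normalized to timezone-aware UTC so sources can be compared.
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def normalize(firewall_lines, ids_lines, web_lines):
    """Return records with one common layout:
    {"ts", "source", "src_ip", "dst", "event"}.  Unparseable lines are skipped."""
    records = []
    for line in firewall_lines:
        m = FW_RE.match(line)
        if m:
            ts, _, action, src, dst, port = m.groups()
            records.append({"ts": _iso(ts), "source": "firewall", "src_ip": src,
                            "dst": f"{dst}:{port}", "event": f"fw-{action.lower()}"})
    for line in ids_lines:
        m = IDS_RE.match(line)
        if m:
            ts, _, sid, msg, src, dst = m.groups()
            records.append({"ts": _iso(ts), "source": "ids", "src_ip": src,
                            "dst": dst, "event": f"ids-{sid}:{msg}"})
    for line in web_lines:
        m = WEB_RE.match(line)
        if m:
            src, ts, request, status, _ = m.groups()
            when = datetime.strptime(ts, "%d/%b/%Y:%H:%M:%S %z").astimezone(timezone.utc)
            records.append({"ts": when, "source": "web", "src_ip": src,
                            "dst": request.split(" ")[1], "event": f"http-{status}"})
    return records


def correlate(records, window=timedelta(minutes=5), min_sources=2):
    """Flag a source IP when an IDS alert is accompanied, within `window`,
    by activity seen in at least `min_sources` distinct log sources in total."""
    by_ip = defaultdict(list)
    for rec in records:
        by_ip[rec["src_ip"]].append(rec)
    findings = []
    for ip, recs in by_ip.items():
        for anchor in recs:
            if anchor["source"] != "ids":
                continue
            related = [r for r in recs if abs(r["ts"] - anchor["ts"]) <= window]
            sources = sorted({r["source"] for r in related})
            if len(sources) >= min_sources:
                findings.append({"src_ip": ip, "sources": sources, "anchor": anchor["event"]})
                break  # one finding per source IP is enough for triage
    return findings


def run_sample():
    return correlate(normalize(FIREWALL_LOG, IDS_LOG, WEB_LOG))


if __name__ == "__main__":
    for finding in run_sample():
        print(finding)
```

With the constructed data, 203.0.113.7 is flagged because the IDS alert is backed by a firewall deny and a web access within the window, while 198.51.100.4 (firewall allow and web access only) is not; the normalized layout is what makes that comparison possible across three differently formatted sources.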
Measure Requirement ID: CPS.AE-4
Measure Requirement: Identify the impact of security events, including the impact on other relevant organizations.
Corresponding Vulnerability ID: L1_3_b_PRO
<High‐Advanced>
‐ The organization adopts an automatic mechanism for quantifying and monitoring the form, scale, and cost of a security event that has occurred.
‐ The organization has its security measure organizations (SOC/CSIRT) analyze the functions of the malware, program, or script that is placed by an attacker if any is found in a security event that has occurred.
‐ The organization constructs a hypothesis about the profile of the attacker (e.g., his/her organization; the purpose of the organization’s activities).
[Reference] It is envisaged that the impact assessment of a security event would be difficult in an environment where multiple systems are interconnected to comprise a “system of systems”. The document “Observations about the Impact Assessment of an Internet of Things (IoT) Incident” (Cloud Security Alliance, 2016) is an advanced attempt to examine issues relating to the impact assessment. It attempts to assess an impact according to the characteristics of the device or the service and to the number of devices.
[Subject: O/S | NIST SP 800-171: - | NIST SP 800-53 Rev.4: - | ISO/IEC 27001 Annex A: ○ (In addition to the following, A.16.1.6) | IEC 62443-2-1: - | IEC 62443-3-3: -]
<Advanced>
‐ The organization works with IPA, JPCERT/CC, the industry’s ISAC, and a security vendor to collect information, thereby interlinking and sharing information about threats and vulnerability to obtain a whole picture of the security event.
‐ The organization requests an external security vendor to analyze the functions of the malware, program, or script placed by an attacker if any is found in a security event that has occurred.
[Subject: O | NIST SP 800-171: ○ (3.6.1) | NIST SP 800-53 Rev.4: ○ (IR-4, IR-4(8)) | ISO/IEC 27001 Annex A: ○ (A.6.1.4) | IEC 62443-2-1: - | IEC 62443-3-3: -]
<Basic>
‐ N/A
[Subject: - | NIST SP 800-171: - | NIST SP 800-53 Rev.4: - | ISO/IEC 27001 Annex A: - | IEC 62443-2-1: - | IEC 62443-3-3: -]
Measure Requirement ID: CPS.AE-5
Measure Requirement: Specify the criteria to determine the risk degree of security events.
Corresponding Vulnerability ID: L1_3_a_PRO
<High‐Advanced>
‐ The organization determines in advance its core business that must continue/recover before any other operations, and identifies and prioritizes important resources (other relevant organizations, employees, items, data, systems, etc.) and functions vital for continuing applicable businesses. * CPS.AM‐6 and CPS.BE‐2 include examples of similar measures.
‐ The organization uses an automated mechanism designed to help track security events and collect and analyze information about threats and vulnerability related to incidents, so that it applies the findings to classification (triage) of security events.
[Subject: O | NIST SP 800-171: - | NIST SP 800-53 Rev.4: ○ (In addition to the following, CP-2(8), IR-5(1)) | ISO/IEC 27001 Annex A: - | IEC 62443-2-1: ○ (4.2.3.10) | IEC 62443-3-3: -]
<Advanced>
‐ The organization classifies security events, taking into account the recovery time objectives for the systems, the order of priority in recovery, and metrics in the process of its security operation.
[Subject: O | NIST SP 800-171: - | NIST SP 800-53 Rev.4: ○ (In addition to the following, CP-2) | ISO/IEC 27001 Annex A: ○ (A.16.1.4) | IEC 62443-2-1: - | IEC 62443-3-3: -]
<Basic>
‐ The organization specifies security events that must be reported, considering the level of the impact the security event has.
[Reference] For example, the following document is available for reference when an organization decides on a measure of the severity of the impact of a security event.
 ‐ “SP 800‐61 rev.1” (NIST, 2008), 3.2.6 Incident Prioritization
[Subject: O | NIST SP 800-171: - | NIST SP 800-53 Rev.4: ○ (IR-8) | ISO/IEC 27001 Annex A: - | IEC 62443-2-1: - | IEC 62443-3-3: -]

C-17
Measure Requirement ID: CPS.CM-1
Measure Requirement: Conduct network and access monitoring and control at the contact points between corporate networks and wide area networks.
Corresponding Vulnerability ID: L1_1_a_SYS, L1_1_c_SYS, L1_3_a_SYS, L2_1_b_ORG, L2_3_c_SYS, L3_1_a_SYS, L3_3_a_SYS, L3_3_d_SYS
<High‐Advanced>
‐ The information system routes communications to the network to which a recipient’s IP address belongs via a proxy server authenticated on a controlled interface.
‐ The information system and the industrial control system monitor and control the use of mobile code.
‐ The information system monitors and controls the use of protocols used for audio and video transmission (e.g., VoIP).
[Subject: S | NIST SP 800-171: ○ (In addition to the following, 3.13.13, 3.13.14) | NIST SP 800-53 Rev.4: ○ (In addition to the following, SC-7(8)) | ISO/IEC 27001 Annex A: - | IEC 62443-2-1: - | IEC 62443-3-3: -]
<Advanced>
‐ The organization monitors and controls communications at the boundary between the industrial control system and the information system.
‐ The organization creates a network segment isolated from access to the internal network (“demilitarized zone [DMZ]”) between the internal network and external networks (e.g., the Internet).
‐ The information system is connected to an external network or system only via a controlled interface that consists of a boundary protection system placed according to the organization’s security architecture.
‐ The information system ensures that each external communications service is provided via a controlled interface (e.g., a gateway, router, and firewall).
‐ The organization establishes a communications control policy for each controlled interface (e.g., a gateway, router, and firewall).
‐ The system on a controlled interface rejects network communication by default and permits it as an exception.
‐ The organization monitors communications at the external boundaries of the information system and at major internal boundaries within the information system for large amounts of communication from a particular source or multiple sources, and takes appropriate action when necessary (e.g., blocking of communication from a specific IP address).
[Subject: O/S | NIST SP 800-171: ○ (In addition to the following, 3.13.6) | NIST SP 800-53 Rev.4: ○ (In addition to the following, SC-7(4), SC-7(5)) | ISO/IEC 27001 Annex A: - | IEC 62443-2-1: - | IEC 62443-3-3: ○ (SR 6.2)]
<Basic>
‐ The organization monitors and controls communications on the information system’s external boundary as well as on the key internal boundary within the information system.
[Subject: O | NIST SP 800-171: ○ (3.13.1, 3.13.5) | NIST SP 800-53 Rev.4: ○ (SC-7) | ISO/IEC 27001 Annex A: - | IEC 62443-2-1: - | IEC 62443-3-3: -]
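Two of the <Advanced> bullets above, the controlled interface that rejects communication by default and permits it as an exception, and the watch for large amounts of communication from a particular source, are shown together in the following added example. It is not code from the Framework; the allow-list rules, the host addresses, the flow records and the volume threshold are constructed assumptions for illustration.

```python
"""Deny-by-default policy check and volume monitoring for a controlled interface.

Added example for CPS.CM-1 (<Advanced>).  The allow-list, hosts and flow
records are constructed sample data, not part of the Framework.
"""
from collections import Counter
from ipaddress import ip_address, ip_network

# Constructed allow-list for the interface: (source network, destination host, port).
# Anything not matched by a rule is denied, which is the "reject by default" posture.
ALLOW_RULES = [
    (ip_network("198.51.100.0/24"), ip_address("192.0.2.20"), 443),  # partner -> web
    (ip_network("0.0.0.0/0"), ip_address("192.0.2.25"), 25),          # anyone -> mail
]


def policy_decision(src, dst, port):
    """Return "permit" only when an explicit rule matches; otherwise "deny"."""
    s, d = ip_address(src), ip_address(dst)
    for net, host, p in ALLOW_RULES:
        if s in net and d == host and port == p:
            return "permit"
    return "deny"


def build_sample_flows():
    """Constructed flow records (src, dst, port): one partner session, one mail
    delivery, and a burst of 40 connection attempts from a single source."""
    flows = [("198.51.100.4", "192.0.2.20", 443), ("203.0.113.200", "192.0.2.25", 25)]
    flows += [("203.0.113.7", "192.0.2.10", 22)] * 40
    return flows


def review_interface(flows, volume_threshold=20):
    """Apply the policy to each flow and summarize per source: how many flows
    were denied, and which sources reached the volume threshold (candidates
    for the "appropriate action" the measure mentions, e.g. blocking)."""
    denied = Counter()
    total = Counter()
    for src, dst, port in flows:
        total[src] += 1
        if policy_decision(src, dst, port) == "deny":
            denied[src] += 1
    high_volume = {src: n for src, n in total.items() if n >= volume_threshold}
    return {"denied_by_source": dict(denied), "high_volume": high_volume}


if __name__ == "__main__":
    print(review_interface(build_sample_flows()))
```

The threshold is deliberately a parameter: the text leaves the definition of "large amounts" to the organization, and a real deployment would derive it from the profile of normal traffic on that interface.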
Measure Requirement ID: CPS.CM-2
Measure Requirement: Perform setting, recording, and monitoring of proper physical access, considering the importance of IoT devices and servers.
Corresponding Vulnerability ID: L1_1_a_SYS, L1_1_c_SYS, L2_3_b_PEO, L2_3_b_SYS, L2_3_d_SYS, L3_1_a_SYS
<High‐Advanced>
‐ The organization tracks and monitors the locations and relocation of important assets within the scope of its management of particularly important assets.
[Subject: O | NIST SP 800-171: - | NIST SP 800-53 Rev.4: ○ (In addition to the following, PE-20) | ISO/IEC 27001 Annex A: - | IEC 62443-2-1: - | IEC 62443-3-3: -]
<Advanced>
‐ The organization reviews the relevant audit log regularly, or when an incident or a sign of an incident appears, if a physical access log from access control is available while 24‐h monitoring is not conducted through security cameras or by any other means.
‐ A person in charge accompanies a visitor into the area where the organization’s assets that must be protected are directly accessible (e.g., an office) in order to monitor the visitor’s behavior.
‐ The organization monitors, through security cameras or by other means, physical access to its facilities that are vital for its operations and house IoT devices and servers, thereby enabling early detection of any physical security incidents and immediate action.
‐ If the above physical security measures are difficult to implement for items such as IoT devices and servers that may be critical to the organization’s operation because they are in a remote location or for any other reason, consider using tamper‐resistant equipment (CPS.DS‐6) or taking any other appropriate measures to enhance the physical security properties of the equipment itself.
[Subject: O | NIST SP 800-171: ○ (3.10.4, 3.10.5) | NIST SP 800-53 Rev.4: ○ (PE-3, PE-6) | ISO/IEC 27001 Annex A: ○ (A.11.1.1, A.11.1.2, A.11.1.3) | IEC 62443-2-1: - | IEC 62443-3-3: -]
<Basic>
‐ If the organization is unable to control access to, or provide video surveillance for, the areas that should allow only limited physical access because of costs or other reasons, it takes alternative manual measures, such as having its employee in charge accompany a visitor on the premises.
‐ The organization implements physical security measures to control access to designated areas in the facility that the general public is not allowed to access.
‐ The organization verifies the access authority of the personnel before permitting physical access, and collects and manages the records of entry and exit.
[Subject: O | NIST SP 800-171: - | NIST SP 800-53 Rev.4: - | ISO/IEC 27001 Annex A: - | IEC 62443-2-1: - | IEC 62443-3-3: -]
Measure Requirement ID: CPS.CM-3
Measure Requirement:
- Use IoT devices that can detect abnormal behaviors and suspend operations by comparing the instructed behaviors and actual ones.
- Validate whether information provided from cyberspace contains malicious code, and is within the permissible range before any action based on the data.
Corresponding Vulnerability ID: L1_1_b_SYS, L2_2_a_COM, L3_3_a_DAT, L3_3_d_SYS
<High‐Advanced>
‐ IoT devices, or systems that contain these devices, examine information output from software programs or applications to see if it matches the expected content in order to prepare for certain attacks that may have a consequence different from a normally expected outcome (e.g., command injection).
‐ The information system automatically updates the logic to detect malicious code through an IDS/IPS.
‐ The information system detects exploit code that attacks unknown vulnerabilities by installing on endpoints (especially IoT devices and servers with various functions) detection/restoration software using technologies of behavioral detection of malware.
‐ The information system executes real‐time scanning of files from external sources.
[Subject: S | NIST SP 800-171: ○ (In addition to the following, 3.14.4, 3.14.5) | NIST SP 800-53 Rev.4: ○ (In addition to the following, SI-10, SI-15) | ISO/IEC 27001 Annex A: - | IEC 62443-2-1: - | IEC 62443-3-3: -]
<Advanced>
‐ The information system blocks or isolates any malicious code it detected through an IDS/IPS, or notifies the administrator of the code.
‐ The information system detects exploit code by installing on endpoints (IoT devices, servers, and so on) detection/restoration software using technologies of pattern matching of malware.
‐ The organization considers implementing whitelist‐type malware protection for IoT devices with limited functions.
* Especially regarding IoT devices and control devices, an OS to which anti‐malware software can be applied may not be used. It is desirable for the organization to confirm whether devices to be introduced are compatible with anti‐malware software at the phase of procurement and to select compatible ones. If it is difficult to procure devices compatible with anti‐malware software, it is desirable to take alternative measures such as introducing/strengthening a malware detection mechanism on a network.
[Subject: S | NIST SP 800-171: ○ (3.14.2, 3.14.3) | NIST SP 800-53 Rev.4: ○ (SI-3) | ISO/IEC 27001 Annex A: ○ (A.12.2.1) | IEC 62443-2-1: - | IEC 62443-3-3: ○ (SR 3.2)]
<Basic>
‐ The information system and the industrial control system verify the validity of input data by checking whether the data conforms to a specified format or content.
[Subject: S | NIST SP 800-171: - | NIST SP 800-53 Rev.4: - | ISO/IEC 27001 Annex A: - | IEC 62443-2-1: - | IEC 62443-3-3: ○ (SR 3.5)]
Measure Requirement ID: CPS.CM-4
Measure Requirement: Validate the integrity and authenticity of the information provided from cyberspace before operations.
Corresponding Vulnerability ID: L3_3_a_DAT, L3_3_d_SYS
<High‐Advanced>
‐ The organization introduces the concept of “whitelisting” for data entry in order to specify known items and systems considered trustworthy as the sources of input data, and the format allowed for the input data.
‐ IoT devices and servers begin communication with other IoT devices only after the devices are mutually authenticated successfully, so that the source of data is always clear.
‐ The information system and the industrial control system protect the authenticity of communications sessions.
[Subject: S | NIST SP 800-171: ○ (In addition to the following, 3.14.5) | NIST SP 800-53 Rev.4: ○ (In addition to the following, SI-10(5)) | ISO/IEC 27001 Annex A: ○ (A.13.2.1, A.13.2.3) | IEC 62443-2-1: - | IEC 62443-3-3: ○ (SR 3.2)]
<Advanced>
‐ The information system uses an integrity verification tool to detect any unauthorized changes that are made to communications data transmitted from IoT devices and servers.
‐ IoT devices and servers that are acknowledged as critical to the organization’s operations begin communication with other IoT devices only after the devices are mutually authenticated successfully, so that the source of data is always clear.
[Subject: S | NIST SP 800-171: ○ (3.14.5) | NIST SP 800-53 Rev.4: ○ (In addition to the following, SI-7) | ISO/IEC 27001 Annex A: - | IEC 62443-2-1: - | IEC 62443-3-3: -]
<Basic>
‐ N/A
[Subject: - | NIST SP 800-171: - | NIST SP 800-53 Rev.4: - | ISO/IEC 27001 Annex A: - | IEC 62443-2-1: - | IEC 62443-3-3: -]
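The <Basic> tier of CPS.CM-3 (input data checked against a specified format and content) and the <High-Advanced> and <Advanced> tiers of CPS.CM-4 (whitelisted sources, a clear origin for every message, integrity verification of data from IoT devices) describe one validation pipeline on the receiving side. The following added example walks a telemetry message through that pipeline; it is not code from the Framework. The device names, the per-device shared keys, the JSON message layout, the use of HMAC-SHA256 as the integrity/authenticity check and the sequence-number replay check are all constructed assumptions.

```python
"""Validate IoT data before acting on it: allowed source, authenticity, format, range, freshness.

Added example covering CPS.CM-3 <Basic> and CPS.CM-4.  Device names, shared
keys and message layout are constructed assumptions, not part of the
Framework.  HMAC-SHA256 over a canonical JSON encoding stands in for the
"integrity verification tool"; a per-device sequence number rejects replays.
"""
import hashlib
import hmac
import json

# Constructed per-device shared secrets; in practice they are provisioned securely.
DEVICE_KEYS = {"sensor-01": b"constructed-key-sensor-01",
               "sensor-02": b"constructed-key-sensor-02"}
# Whitelist of input sources: only devices with a provisioned key may deliver data.
ALLOWED_SOURCES = frozenset(DEVICE_KEYS)
# Allowed format: exactly these fields with exactly these types.
SCHEMA = {"device_id": str, "seq": int, "temp_c": float}
# Allowed content: plausible sensor range (constructed limits).
LIMITS = {"temp_c": (-40.0, 125.0)}


def canonical(payload):
    """Deterministic encoding so sender and receiver compute the MAC over the same bytes."""
    return json.dumps(payload, sort_keys=True, separators=(",", ":")).encode()


def sign(device_id, payload):
    """Attach an HMAC computed with the device's key (device side)."""
    mac = hmac.new(DEVICE_KEYS[device_id], canonical(payload), hashlib.sha256).hexdigest()
    return {"payload": payload, "mac": mac}


def make_message(device_id, seq, temp_c):
    return sign(device_id, {"device_id": device_id, "seq": seq, "temp_c": temp_c})


class Validator:
    """Receiving side: every check must pass before the payload reaches operations."""

    def __init__(self):
        self.last_seq = {}

    def validate(self, message):
        payload = message.get("payload", {})
        device_id = payload.get("device_id")
        # 1. Source whitelist (CPS.CM-4 High-Advanced).
        if device_id not in ALLOWED_SOURCES:
            return False, "source not whitelisted"
        # 2. Authenticity and integrity of the data (CPS.CM-4 Advanced).
        expected = hmac.new(DEVICE_KEYS[device_id], canonical(payload), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, message.get("mac", "")):
            return False, "authenticity/integrity check failed"
        # 3. Format: exact field set and types (CPS.CM-3 Basic).
        if set(payload) != set(SCHEMA) or any(type(payload[k]) is not t for k, t in SCHEMA.items()):
            return False, "format check failed"
        # 4. Content within the permissible range (CPS.CM-3 Basic).
        for field, (lo, hi) in LIMITS.items():
            if not lo <= payload[field] <= hi:
                return False, f"{field} out of permissible range"
        # 5. Freshness: a replayed or reordered message is rejected.
        if payload["seq"] <= self.last_seq.get(device_id, -1):
            return False, "replayed or stale sequence number"
        self.last_seq[device_id] = payload["seq"]
        return True, "accepted"
```

The order of the checks matters: the source and MAC checks come first so that an unauthenticated message never drives the format or range logic, and the sequence number is only advanced after every other check has passed.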

C-18
Measure Requirement ID: CPS.CM-5
Measure Requirement: Monitor communication with external service providers so that potential security events can be detected properly.
Corresponding Vulnerability ID: L1_1_a_COM, L1_1_a_SYS, L1_1_b_COM, L1_1_c_COM, L1_3_b_ORG, L1_3_c_ORG, L3_1_a_SYS, L3_3_a_SYS, L3_3_d_SYS
<High‐Advanced>
‐ The organization requires its provider of external information system services to make clear the functions, ports, and protocols needed for the use of the services, along with other services.
‐ The organization monitors whether the matters made clear as stated above are observed.
[Subject: O/S | NIST SP 800-171: - | NIST SP 800-53 Rev.4: ○ (In addition to the following, SA-9(2)) | ISO/IEC 27001 Annex A: - | IEC 62443-2-1: - | IEC 62443-3-3: -]
<Advanced>
‐ The organization documents its security requirements for the staff from its external service provider and system developer, and includes the requirements in the agreement.
‐ The organization requires its external service provider and system developer to contact it when any of their staff members who have authorizations for its system are transferred or when their employment terminates.
‐ It is desirable that the organization should manage changes to services offered by its external service provider, taking account of relevant information about operations, the importance of its business systems and processes, and re‐assessed risks.
‐ The organization monitors whether its external service provider and system developer comply with the requirements.
‐ The organization monitors access to its system by its external service provider and system developer in order to detect any unauthorized access by these external businesses that results from an action or failure to act.
‐ The organization reports the results of the monitoring of activities by its external service provider and system developer to the appropriate system administrator.
[Subject: O/S | NIST SP 800-171: ○ (3.14.6, 3.14.7) | NIST SP 800-53 Rev.4: ○ (In addition to the following, PS-7, SI-4) | ISO/IEC 27001 Annex A: ○ (In addition to the following, A.13.1.2, A.15.2.2) | IEC 62443-2-1: - | IEC 62443-3-3: -]
<Basic>
‐ The organization requires its provider of external information system services and system developer to draw up and introduce security requirements, such as those related to the following, in accordance with the rules which the organization is subject to or which apply to the provider and developer.
 ‐ Adequate security measures to take (e.g., measures that deserve ISMS Certification)
 ‐ Proper management of data in operation
 ‐ Proper data erasure when the use of the services ends
[Subject: O | NIST SP 800-171: - | NIST SP 800-53 Rev.4: ○ (SA-9) | ISO/IEC 27001 Annex A: ○ (A.14.2.7) | IEC 62443-2-1: - | IEC 62443-3-3: -]
Measure Requirement ID: CPS.CM-6
Measure Requirement: As part of the configuration management of devices, constantly manage software configuration information, status of network connections (e.g., presence/absence of connections and access destination), and information transmission/reception status between other “organization”, people, components, and systems.
Corresponding Vulnerability ID: L1_1_a_COM, L1_1_a_SYS, L1_1_b_COM, L1_1_c_COM, L1_3_a_SYS, L1_3_b_ORG, L1_3_c_ORG, L2_1_a_ORG, L2_1_c_ORG, L2_1_c_SYS, L2_3_b_ORG, L2_3_b_SYS, L2_3_c_SYS, L3_1_a_SYS, L3_3_a_SYS, L3_3_d_SYS
<High‐Advanced>
‐ The organization uses a mechanism for automatically detecting unauthorized hardware, software, or firmware in a system, if any.
‐ The information system regularly audits whether the actual configuration grasped conforms to the baseline configuration defined by the organization, and responds appropriately. (Example: blocking unplanned connections except those permitted by the organization as an exception)
‐ The information system and the industrial control system disable network access by any unauthorized components that have been detected, separate these components from the network, or take any primary action, and notify the system administrator of the components.
‐ The organization records past versions of baseline configurations (e.g., hardware, software, firmware, configuration files, configuration records) to enable rollback of baseline configurations of information systems.
‐ When a control device or IoT device does not have a rollback function for firmware etc., it is desirable for an organization to have a spare control device or IoT device.
‐ It is envisaged that some IoT devices cannot connect to the existing asset management system. Hence, manage assets and configurations with the possibility of operating more than one asset management system in mind, within the organization’s manageable bounds.
* A related measure requirement is CPS.AM‐1.
[Subject: O/S | NIST SP 800-171: - | NIST SP 800-53 Rev.4: ○ (In addition to the following, CM-8(3)) | ISO/IEC 27001 Annex A: - | IEC 62443-2-1: - | IEC 62443-3-3: -]
<Advanced>
‐ It is desirable that the organization should update the list of information about its assets and configurations when it installs or deletes assets or when it updates its system.
‐ The information system ensures that each external communications service is provided via a controlled interface (e.g., a gateway, router, and firewall).
‐ The organization establishes a communications control policy for each controlled interface (e.g., a gateway, router, and firewall).
‐ The system on a controlled interface rejects network communication by default and permits it as an exception.
‐ The information system and the industrial control system terminate the network connection after a session ends, or when a session remains inactive for a certain length of time.
‐ The organization monitors communication on controlled interfaces in order to detect any communication to unapproved items or systems, or communication that conveys inappropriate content.
[Subject: O/S | NIST SP 800-171: ○ (In addition to the following, 3.4.1, 3.4.3, 3.13.9, 3.14.6, 3.14.7) | NIST SP 800-53 Rev.4: ○ (In addition to the following, CM-3, CM-8(1), SC-7(4), SC-7(5), SI-4) | ISO/IEC 27001 Annex A: - | IEC 62443-2-1: - | IEC 62443-3-3: -]
<Basic>
‐ The organization creates a ledger to manage model numbers of assets, including servers, software versions, and the expiration of support services, and takes regular inventory.
‐ The organization regularly checks whether necessary measures are taken during operation (e.g., checking IoT devices for any unauthorized use or theft; applying a patch; checking logs) and the state of IoT devices.
[Subject: O | NIST SP 800-171: ○ (3.4.1) | NIST SP 800-53 Rev.4: ○ (CM-8) | ISO/IEC 27001 Annex A: - | IEC 62443-2-1: - | IEC 62443-3-3: -]
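The <High-Advanced> tier above combines three mechanisms: an audit of the actual configuration against the organization's baseline, a response that blocks unauthorized components and notifies the administrator, and a record of past baseline versions that allows rollback. The following added example puts those three together; it is not code from the Framework. The asset records, the field names and the in-memory version store (standing in for an asset management system) are constructed assumptions.

```python
"""Baseline configuration audit with versioned baselines and rollback.

Added example for the <High-Advanced> tier of CPS.CM-6.  The asset records
are constructed sample data, and the in-memory store is an assumption
standing in for an asset management system.
"""
import copy


class BaselineStore:
    """Keeps every committed baseline so an earlier version can be restored."""

    def __init__(self, initial):
        self._versions = [copy.deepcopy(initial)]

    @property
    def current(self):
        return self._versions[-1]

    def commit(self, baseline):
        self._versions.append(copy.deepcopy(baseline))
        return len(self._versions) - 1  # version number of the new baseline

    def rollback(self, version):
        # Restoring re-commits the old content so the history stays append-only.
        return self.commit(self._versions[version])

    def history(self):
        return len(self._versions)


def audit(observed, baseline):
    """Compare observed assets with the baseline.  Returns the components
    that are unauthorized (not in the baseline), missing (in the baseline but
    not observed) and drifted (present but with attributes that differ)."""
    report = {"unauthorized": [], "missing": [], "drifted": []}
    for asset_id, obs in observed.items():
        base = baseline.get(asset_id)
        if base is None:
            report["unauthorized"].append(asset_id)
        elif obs != base:
            keys = set(base) | set(obs)
            diffs = {k: (base.get(k), obs.get(k)) for k in keys if base.get(k) != obs.get(k)}
            report["drifted"].append((asset_id, diffs))
    report["missing"] = sorted(set(baseline) - set(observed))
    return report


def response_actions(report):
    """Map audit results to the actions named in the measure: block unapproved
    components; notify the administrator about drift and missing assets."""
    actions = [("block", a) for a in report["unauthorized"]]
    actions += [("notify", a) for a, _ in report["drifted"]]
    actions += [("notify", a) for a in report["missing"]]
    return actions


# Constructed sample: the authorized baseline and what a scan actually found.
BASELINE = {
    "plc-01": {"type": "controller", "firmware": "2.4.1", "peers": ["hmi-01"]},
    "hmi-01": {"type": "hmi", "firmware": "1.9.0", "peers": ["plc-01"]},
    "cam-07": {"type": "iot-camera", "firmware": "5.1", "peers": ["nvr-01"]},
}
OBSERVED = {
    "plc-01": {"type": "controller", "firmware": "2.4.1", "peers": ["hmi-01", "203.0.113.9"]},
    "hmi-01": {"type": "hmi", "firmware": "1.9.0", "peers": ["plc-01"]},
    "usb-eth-3a": {"type": "unknown-nic", "firmware": None, "peers": ["plc-01"]},
}


def run_sample():
    store = BaselineStore(BASELINE)
    return audit(OBSERVED, store.current)


if __name__ == "__main__":
    report = run_sample()
    print(report)
    print(response_actions(report))
```

With the constructed data the unknown network adapter is flagged for blocking, the controller's new peer (an unplanned connection) is reported as drift for the administrator, and the camera that no longer answers is reported as missing. Committing a reviewed inventory as the next baseline, and rolling back to an earlier version if that turns out to be wrong, is what the version store is for.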
Measure Requirement ID: CPS.CM-7
Measure Requirement: Confirm the existence of vulnerability that requires a regular check-up in IoT devices and servers managed within the organization.
Corresponding Vulnerability ID: L1_1_a_SYS, L2_1_c_SYS, L3_1_a_SYS, L3_3_a_SYS, L3_3_d_SYS
<High‐Advanced>
‐ The organization conducts vulnerability diagnosis at planned timings, such as planned stopping, so as not to adversely affect the operation of the system managed by the organization, and then identifies and lists vulnerabilities that exist in the system owned by the organization.
‐ When using tools to conduct vulnerability diagnosis, the organization should use tools that can quickly update the vulnerability database of the system being diagnosed.
‐ The organization updates the vulnerability information of scanned systems regularly, or when newly‐identified weaknesses are reported.
‐ The organization implements a system for authorizing privileged access to the relevant system components in connection with the specified vulnerability scanning.
[Subject: O | NIST SP 800-171: ○ (In addition to the following, 3.11.2) | NIST SP 800-53 Rev.4: ○ (In addition to the following, RA-5(1), RA-5(2), RA-5(5)) | ISO/IEC 27001 Annex A: - | IEC 62443-2-1: - | IEC 62443-3-3: -]
<Advanced>
‐ The organization has its systems and applications scanned for vulnerability regularly, or when any newly‐found weaknesses that affect the systems and/or applications are reported.
‐ The organization uses a tool for vulnerability scanning. Applying standard methods that meet the following means that part of the vulnerability management process should be open to automation.
 ‐ List defects in the platform and software, and wrong setups.
 ‐ Format a checklist and test procedure.
 ‐ Assess the impact of the vulnerability.
‐ The organization corrects identified weaknesses through risk assessment within an appropriate period.
‐ The organization shares the information acquired through the above process with other system administrators in the organization, thereby learning about similar weaknesses found in the other information systems, and corrects them as necessary.
[Reference] Japan Vulnerability Notes (https://jvn.jp/) and other sources of information are available for reference to obtain information regarding vulnerability. Also, CVSS (https://www.ipa.go.jp/security/vuln/CVSS.html, illustrated by IPA) could be used as a referential indicator to evaluate the impact level of vulnerability.
[Subject: O | NIST SP 800-171: ○ (3.11.2, 3.11.3) | NIST SP 800-53 Rev.4: ○ (RA-5) | ISO/IEC 27001 Annex A: ○ (A.12.6.1) | IEC 62443-2-1: ○ (In addition to the following, 4.2.3.7) | IEC 62443-3-3: -]
<Basic>
‐ The organization regularly has its systems and applications scanned for vulnerability.
[Subject: O | NIST SP 800-171: - | NIST SP 800-53 Rev.4: - | ISO/IEC 27001 Annex A: - | IEC 62443-2-1: ○ (4.2.3.1) | IEC 62443-3-3: -]
Measure Requirement ID: CPS.DP-1
Measure Requirement: Clarify the role and responsibility of the organization as well as service providers in detecting security events so that they can fulfill their accountabilities.
Corresponding Vulnerability ID: L1_3_a_ORG
Common among <High‐Advanced>, <Advanced> and <Basic>
‐ The organization determines the log information that would help detect security events and thus should be collected, based on its strategies relating to risk management and assessment results.
‐ The organization ascertains that its business partner (service provider) has an audit log that records activity of service users, exception handling, and security events that the provider has acquired.
‐ The organization ascertains that the audit log acquired by its service provider records activity of service users, exception handling, and security events, and is protected in a proper way.
[Subject: O | NIST SP 800-171: ○ (3.12.3) | NIST SP 800-53 Rev.4: ○ (CA-7, PM-14) | ISO/IEC 27001 Annex A: ○ (A.6.1.1, A.12.4.1) | IEC 62443-2-1: ○ (4.4.3.1) | IEC 62443-3-3: -]

C-19
Measure Requirement ID: CPS.DP-2
Measure Requirement: Detect security events in the monitoring process, in compliance with applicable local regulations, directives, industry standards, and other rules.
Corresponding Vulnerability ID: L1_2_a_ORG, L1_3_a_ORG
Common among <High‐Advanced>, <Advanced> and <Basic>
‐ The organization sees if any legal system, industry standards, or agreements with customers that are related to monitoring services exist and, if any do, learns what constraints are imposed.
‐ The organization conducts monitoring in accordance with the rules learned above to detect any security events.
‐ The organization regularly reviews its monitoring activities to make sure that they conform to the rules.
[Subject: O | NIST SP 800-171: ○ (3.12.3) | NIST SP 800-53 Rev.4: ○ (CA-7, PM-14) | ISO/IEC 27001 Annex A: ○ (A.18.2.2) | IEC 62443-2-1: ○ (4.4.3.2) | IEC 62443-3-3: -]
Measure Requirement ID: CPS.DP-3
Measure Requirement: As part of the monitoring process, test regularly if the functions for detecting security events work as intended, and validate these functions.
Corresponding Vulnerability ID: L1_3_a_ORG
<High‐Advanced>
‐ The organization conducts a trend analysis examining the latest information about threats, vulnerability, and assessments of security management measures carried out several times in order to determine whether the activities for continuous monitoring need any correction.
‐ The organization introduces known and harmless test cases to its systems to test its mechanism for detecting malware.
‐ The organization regularly tests the mechanism it uses for intrusion detection monitoring. The frequency of the test depends on the type of tool the organization uses and the way the tool is installed.
[Subject: O/S | NIST SP 800-171: - | NIST SP 800-53 Rev.4: ○ (In addition to the following, CA-7(3), SI-3(6), SI-4(9)) | ISO/IEC 27001 Annex A: ○ (In addition to the following, A.14.3.1) | IEC 62443-2-1: - | IEC 62443-3-3: -]
<Advanced>
‐ The organization establishes and manages a procedure for a regular review of its system monitoring activities to see if they conform to the organization’s risk management strategy and the order of priority for actions to handle risks.
‐ The organization calculates the percentages of false detections and false negatives when correlation analysis of information pertaining to the security of network devices or endpoints is conducted, thereby checking the validity of the detection mechanism regularly.
[Subject: O | NIST SP 800-171: - | NIST SP 800-53 Rev.4: ○ (CA-7, PM-14) | ISO/IEC 27001 Annex A: ○ (A.14.2.8) | IEC 62443-2-1: ○ (4.4.3.2) | IEC 62443-3-3: ○ (SR 3.3)]
<Basic>
‐ N/A
[Subject: - | NIST SP 800-171: - | NIST SP 800-53 Rev.4: - | ISO/IEC 27001 Annex A: - | IEC 62443-2-1: - | IEC 62443-3-3: -]
Measure Requirement ID: CPS.DP-4
Measure Requirement: Continuously improve the process of detecting security events.
Corresponding Vulnerability ID: L1_1_b_SYS, L1_3_a_ORG
<High‐Advanced>
‐ The organization creates and tunes detection rules based on various sources of information in order to improve its detection ability.
 ‐ Developing the rules of correlation analysis
 ‐ Developing its own signatures for IPSs or IDSs
 ‐ Developing the organization’s own blacklist
‐ The organization/system analyzes the patterns of its system’s communication and security alerts to create and use a profile that summarizes typical patterns of communication and security alerts, thereby tuning its efforts to reduce the numbers of false detections and false negatives.
[Subject: O/S | NIST SP 800-171: - | NIST SP 800-53 Rev.4: ○ (In addition to the following, SI-4(13)) | ISO/IEC 27001 Annex A: - | IEC 62443-2-1: - | IEC 62443-3-3: -]
<Advanced>
‐ The organization prepares and manages a procedure for regularly reporting the state of organizational and system security to its appropriate staff members (e.g., management). It is desirable that the organization should define the reporting as an occasion for becoming aware of the latest threats or threats to remaining risks so that the organization acts to enhance its security.
‐ For example, if alerts such as those shown below are issued and there is a sign of increasing security risks, raise the level of the system’s monitoring activities based on information from reliable sources. * The list below is an excerpt from “Six Ws on cybersecurity information sharing for enhancing SOC/CSIRT Version 1.0” (ISOG‐J, 2018).
 ・ Characteristics of the attack
  ➢ Form of the attack; contents of relevant communications
  ➢ Core attack code
 ・ Traces of the attack
  ➢ Contents of the damaged communications
  ➢ Logs that remain in the server or the hands of clients
  ➢ Other characteristics that remain in the server or the hands of clients
 ・ Detected names in the security products
[Subject: O | NIST SP 800-171: ○ (3.14.6, 3.14.7) | NIST SP 800-53 Rev.4: ○ (CA-7, SI-4) | ISO/IEC 27001 Annex A: ○ (A.16.1.6) | IEC 62443-2-1: ○ (4.4.3.4) | IEC 62443-3-3: -]
<Basic>
‐ N/A
[Subject: - | NIST SP 800-171: - | NIST SP 800-53 Rev.4: - | ISO/IEC 27001 Annex A: - | IEC 62443-2-1: - | IEC 62443-3-3: -]
Measure Requirement ID: CPS.RP-1
Measure Requirement: Develop and implement in advance the procedure of response after detecting incidents (security operation process) that includes the response of Organization, People, Components, and System to identify the content of response, priority, and scope of response taken after an incident occurs.
Corresponding Vulnerability ID: L1_1_a_SYS, L1_3_a_PEO, L1_3_a_PRO, L2_1_a_PRO, L2_1_b_PRO, L2_1_c_PRO, L2_2_a_PRO, L3_1_a_SYS, L3_3_a_SYS, L3_3_d_SYS
<High‐Advanced>
‐ If the information system and the industrial control system receive any invalid data, they operate in a stated, expected manner in conformity with the purpose of the organization and system.
[Subject: S | NIST SP 800-171: - | NIST SP 800-53 Rev.4: ○ (In addition to the following, SI-10(3), SI-17) | ISO/IEC 27001 Annex A: - | IEC 62443-2-1: - | IEC 62443-3-3: -]
<Advanced>
‐ The organization includes contents regarding what to do to detect, analyze, contain, reduce, and recover from incidents in its security operation manual.
 ‐ Keep a record of all incidents and how they have been handled.
 ‐ Decide whether the organization should report the fact of an incident that has occurred, and how it has been handled, to any external organization.
[Subject: O | NIST SP 800-171: - | NIST SP 800-53 Rev.4: ○ (In addition to the following, IR-8) | ISO/IEC 27001 Annex A: - | IEC 62443-2-1: - | IEC 62443-3-3: -]
<Basic>
‐ The organization develops and manages a process of security operation it should follow when a security incident arises that it must address. It is advisable to include contents such as the following in the process:
 ‐ Response procedure for the person who received the incident report;
 ‐ Instructions and orders, and how to prioritize actions in an emergency;
 ‐ Incident response;
 ‐ Incident impact assessment and damage analysis;
 ‐ Information gathering, selecting information that the organization needs;
 ‐ Communication and announcement to relevant internal personnel;
 ‐ Communication with relevant external organizations.
‐ The system (especially the industrial control system) shuts down, issues an alert to the administrator, or takes other fail‐safe actions if any abnormality (e.g., malfunction) occurs in IoT devices or servers.
[Reference] “SP 800‐61 rev.1” (NIST, 2008) is available for reference to determine the process for handling security incidents that have arisen.
[Subject: O/S | NIST SP 800-171: ○ (3.6.1) | NIST SP 800-53 Rev.4: ○ (IR-4) | ISO/IEC 27001 Annex A: ○ (A.16.1.5) | IEC 62443-2-1: ○ (4.3.4.5.1) | IEC 62443-3-3: -]

C-20
Appendix C
Table columns: Measure requirement; Measure requirement ID; Corresponding vulnerability ID; Examples of security measures; Subject that implements measures (O: Organization, S: System); Reference guidelines (NIST SP 800-171, NIST SP 800-53 Rev.4, ISO/IEC 27001:2013 Annex A, IEC 62443-2-1:2010, IEC 62443-3-3:2013).
CPS.RP-2
Measure requirement: As part of the security operation process, define the procedure and the division of roles with regard to cooperative relations with relevant parties such as partners, and implement the process.
Corresponding vulnerability ID: L1_3_b_PEO, L1_3_b_PRO, L1_3_c_PEO, L1_3_c_PRO
Examples of security measures:
<High-Advanced>
- The organization assumes the course of action for security incidents of the supply chain and prepares a procedure that adjusts incident responses between the organization and other organizations that are concerned with the supply chain.
- The organization adjusts the incident response process of an external service provider that contains important features in order to continue its business, as well as adjusting the organization's incident response process to meet the incident response requirements.
- The organization interlinks information regarding threats and vulnerabilities with how individual security incidents have been handled so as to improve its understanding of the situations.
[Reference] Violations in the security incidents of the supply chain include violations on system components, IT products, development processes, developers, distribution processes, and warehouse facilities.
Subject: O. References: NIST SP 800-53 (in addition to the following, CP-2(7), IR-4(4), IR-4(10)); ISO/IEC 27001 Annex A (in addition to the following, A.17.1.2).
<Advanced>
- The organization determines an alternative processing site in case the availability of its primary processing site has been compromised by a security incident.
- The organization sets forth in the service agreement that if its primary processing function becomes unavailable, certain operations are moved to resume at the alternative processing site within the recovery time objective that the organization specifies in order to ensure that it continues to perform its critical missions and operational functions.
- The organization designates an alternative processing site away from its primary processing site in order to mitigate the vulnerability to the same threats.
- The organization prepares internal resources for incident handling assistance (e.g., help desk; CSIRT). These resources offer advice and support related to security incident handling and reporting for system users of the information system and industrial control system, and are an integral part of the organizational ability to handle incidents.
Subject: O. References: NIST SP 800-53 (in addition to the following, CP-7, CP-7(1), CP-7(2), CP-7(3), IR-7); IEC 62443-2-1 (4.3.2.5.2, 4.3.2.5.3, 4.3.4.5.1, 4.3.4.5.2, 4.3.4.5.3, 4.3.4.5.5).
<Basic>
- If any security incident that requires handling is found, report it promptly to relevant organizations such as IPA and JPCERT/CC in order to receive advice about providing assistance in handling, identifying how the incident has occurred, analyzing the tactic, and preventing any recurrence.
Subject: O. References: NIST SP 800-53 (IR-6); ISO/IEC 27001 Annex A (A.16.1.1, A.16.1.2).
CPS.RP-3
Measure requirement: Include security incidents in the business continuity plan or emergency response plan that outlines the action plans and response procedures to take in case of natural disasters.
Corresponding vulnerability ID: L1_3_a_PRO, L1_3_a_DAT
Examples of security measures:
Common among <High-Advanced> and <Advanced>
- The organization establishes a system of business continuity in an emergency for information systems, industrial control systems and managers of related processes. This system defines the priority of the systems for recovering operation when an event occurs that causes an interruption in business continuity.
- The organization develops and manages a business continuity plan or an emergency response plan specifically for security incidents with certain characteristics, such as that the damage the incident inflicts is less obvious than that caused by a disaster, making it difficult to specify when the business continuity plan should be carried out, or that identifying the cause of the incident has high priority.
- The organization ensures that the business continuity plan or emergency response plan it develops specifically for security incidents goes along with the organization-wide policy on business continuity.
Subject: O. References: NIST SP 800-53 (CP-2); ISO/IEC 27001 Annex A (A.17.1.1); IEC 62443-2-1 (4.3.2.5.4).
<Basic>
- N/A
CPS.RP-4
Measure requirement: Take appropriate measures on goods (products) whose quality is expected to be affected for some reason, including damage to its production facility caused by the occurrence of the security incident.
Corresponding vulnerability ID: L1_3_b_COM
Examples of security measures:
Common among <High-Advanced> and <Advanced>
- The organization provides an overview of a security incident for relevant external entities including business partners and end users, and collects detailed information about damage inflicted by the incident.
- The organization coordinates actions related to recovery and post-incident processing with relevant external entities involved in the supply chain. It is advisable to identify the items for handling in accordance with the approaches included in CPS.AM-2 and CPS.AM-3.
Subject: O. References: NIST SP 800-171 (3.6.2); NIST SP 800-53 (in addition to the following, IR-4, IR-4(10)); ISO/IEC 27001 Annex A (A.17.1.1).
<Basic>
- The organization considers stating what to do with items produced after the incident in the business continuity plan or emergency response plan, taking into account the type of the organization's business. Note that the business continuity plan or emergency response plan may not be one specific to security incidents.
Subject: O. References: NIST SP 800-53 (CP-2).

CPS.CO-1
Measure requirement: Develop and manage rules regarding publishing information after the occurrence of the security incident.
Corresponding vulnerability ID: L1_3_a_PRO
Examples of security measures:
Common among <High-Advanced>, <Advanced> and <Basic>
- The organization develops and manages rules regarding publishing of information after a security incident that cover the following:
  - What information should be published;
  - Timing of publishing of the information;
  - Who is in charge of publishing the information;
  - The process for publishing the information.
Subject: O. References: ISO/IEC 27001 (Clause 7.4); IEC 62443-2-1 (4.3.4.5.9).
CPS.CO-2
Measure requirement: Include the item in the business continuity plan or emergency response plan to the effect that the organization shall work to restore its social reputation after the occurrence of a high-risk security incident.
Corresponding vulnerability ID: L1_3_a_PRO
Examples of security measures:
Common among <High-Advanced>, <Advanced> and <Basic>
- The organization sets up a single point of contact for the media and business partners requesting information, thereby ensuring consistency in communication with them.
- The organization remains aware of the positive side of providing a detailed explanation about damage caused by a security incident while considering the confidentiality of the important information.
Subject: O. References: none.
CPS.CO-3
Measure requirement: Include the item in the business continuity plan or emergency response plan to the effect that the details of the recovery activities shall be communicated to the internal and external stakeholders, executives, and management.
Corresponding vulnerability ID: L1_3_a_PRO
Examples of security measures:
Common among <High-Advanced> and <Advanced>
- The organization provides an overview of a security incident for relevant external entities including the regulatory authorities, business partners, and end users, and collects detailed information about damage inflicted by the incident.
- The organization coordinates actions related to recovery and post-incident processing with relevant external entities involved in the supply chain. An example of these actions is recalling items produced when a security incident in the production system has occurred.
Subject: O. References: NIST SP 800-171 (3.6.1); NIST SP 800-53 (in addition to the following, IR-4, IR-4(10)); ISO/IEC 27001 Annex A (A.17.1.2).
<Basic>
- The organization specifies roles and responsibilities taken when any security incident that may affect it occurs, along with the personnel who are assigned to these roles and responsibilities and their contact information.
- The organization provides an overview of a security incident and an explanation about damage inflicted by the incident for the personnel responsible for decision-making associated with business continuity in order to ensure that the right decision is made.
Subject: O. References: NIST SP 800-53 (CP-2); IEC 62443-2-1 (4.3.2.5.5, 4.3.4.5.9).
CPS.AN-1
Measure requirement: Understand the impact of the security incident on the whole society, including the organization and relevant parties such as partners, based on the full account of the incident and the probable intent of the attacker.
Corresponding vulnerability ID: L1_3_a_COM, L1_3_a_PRO
Examples of security measures:
<High-Advanced>
- The information system adopts an automatic mechanism for quantifying and monitoring the form, scale, and cost of a security incident that has occurred.
- The organization has its security measure organizations (SOC/CSIRT) analyze the functions of the malware, program, or script placed by an attacker if any is found in a security incident that has occurred.
- The organization constructs a hypothesis about the profile of the attacker (e.g., his/her organization; the purpose of the organization's activities).
[Reference] It is envisaged that the impact assessment of a security incident would be difficult in an environment where multiple systems are interconnected to comprise a "system of systems". The document "Observations about the Impact Assessment of an Internet of Things (IoT) Incident" (Cloud Security Alliance, 2016) is an advanced attempt to examine issues relating to the impact assessment. It attempts to assess an impact according to the characteristics of the device or the service and to the number of devices.
Subject: O/S. References: ISO/IEC 27001 Annex A (in addition to the following, A.16.1.6).
<Advanced>
- The organization works with IPA, JPCERT/CC, the industry's ISAC, and a security vendor to collect information, thereby interlinking and sharing information about threats and vulnerability to obtain a whole picture of the security incident.
- The organization requests an external security vendor to analyze the functions of the malware, program, or script placed by an attacker if any is found in a security incident that has occurred.
Subject: O. References: NIST SP 800-171 (3.6.1); NIST SP 800-53 (IR-4, IR-4(8)); ISO/IEC 27001 Annex A (A.6.1.4); IEC 62443-2-1 (4.3.4.5.6, 4.3.4.5.7, 4.3.4.5.8).
<Basic>
- N/A

C-21
CPS.AN-2
Measure requirement: Implement digital forensics upon the occurrence of the security incident.
Corresponding vulnerability ID: L1_3_a_PRO
Examples of security measures:
<High-Advanced>
- The information system provides a procedure for processing an audit record regarding critical security incidents.
Subject: S. References: IEC 62443-3-3 (in addition to the following, SR 2.10).
<Advanced>
- The organization establishes procedures for identifying, collecting, acquiring, and saving proof according to the medium, device, and the state of the device (e.g., whether it is switched on or off).
- It is desirable that the organization should retain the following evidence after the occurrence of any serious security incident:
  - Identification data (e.g., the location of the incident, date and time of the occurrence, serial numbers on the items, host name, MAC address, IP address);
  - The titles and names of the people who have collected and processed the evidence; their contact information;
  - Date and time the evidence was saved.
Subject: O. References: NIST SP 800-171 (3.3.6); NIST SP 800-53 (AU-7, AU-7(1)); ISO/IEC 27001 Annex A (A.16.1.7); IEC 62443-3-3 (SR 2.8, SR 2.9, SR 2.11, SR 2.12, SR 3.9, SR 6.1).
<Basic>
- The organization establishes and manages procedures for identifying, collecting, acquiring, and saving data that may serve as proof.
Subject: O. References: none.
CPS.AN-3
Measure requirement: Categorize and store information regarding the detected security incidents by the size of security-related impact, penetration vector, and other factors.
Corresponding vulnerability ID: L1_3_a_PRO
Examples of security measures:
<High-Advanced>
- The organization uses an automated mechanism designed to help track security incidents and collect and analyze information about threats and vulnerability related to incidents, so that it applies the findings to the classification (triage) of security incidents.
Subject: O. References: NIST SP 800-53 (in addition to the following, CP-2(8), IR-5(1)).
<Advanced>
- The organization classifies security incidents, taking into account the recovery time objectives for the systems, the order of priority in recovery, and metrics in the process of its security operation.
- The organization tracks and documents security incidents that may affect it. "SP 800-61 rev.1" lists the following as examples of points of view that may be taken when an organization documents a security incident:
  - The present state of the incident;
  - Overview of the incident;
  - The course of action the organization has taken to deal with the incident;
  - Other contact information of relevant personnel (e.g., the system owner, system administrator);
  - List of proof collected during the investigation;
  - Comments by the staff in charge of dealing with the incident;
  - Next steps.
Subject: O. References: NIST SP 800-171 (3.6.1); NIST SP 800-53 (in addition to the following, CP-2, IR-5); ISO/IEC 27001 Annex A (A.16.1.3, A.16.1.4); IEC 62443-2-1 (4.3.4.5.6).
<Basic>
- The organization should identify in advance the core businesses that should be continued and restored with priority, and the operations considered to be important. In addition, identify and prioritize important resources (relevant parties, People, Components, Data, System, etc.) and functions from the viewpoint of business continuity.
  * Similar measures are described in CPS.AM-6 and CPS.BE-2.
- The organization specifies incidents that must be reported, considering the level of the impact the security event has.
[Reference] For example, the following document is available for reference when an organization decides on a measure of the severity of the impact of a security incident:
  - "SP 800-61 rev.1" (NIST, 2008), 3.2.6 Incident Prioritization.
Subject: O. References: NIST SP 800-53 (IR-8).

CPS.MI-1
Measure requirement: Take measures to minimize security-related damage and mitigate the impacts caused by such an incident.
Corresponding vulnerability ID: L1_3_a_PRO
Examples of security measures:
<High-Advanced>
- The organization uses an automated mechanism for assisting with the process of security incident handling.
- The organization interlinks information regarding threats and vulnerabilities with how individual security incidents have been handled so as to improve its understanding of the situations.
[Reference] As examples of information expected to be useful in reducing the impact of an incident being handled and in recovery from the incident, "Six Ws on cybersecurity information sharing for enhancing SOC/CSIRT Version 1.0" (ISOG-J, 2018) lists the following:
  - Configuration requirements for security products and related systems to block any attacks;
  - How to disable attacks (e.g., patching; changing setups);
  - How to recover a damaged system.
Subject: O/S. References: NIST SP 800-53 (in addition to the following, IR-4(1), IR-4(4)).
Common among <Advanced> and <Basic>
- The organization (or its members) takes courses of action to reduce security incidents (e.g., shutting down the system; cutting off the system from a wired/wireless network; cutting off a modem cable; disabling certain functions) in accordance with prescribed procedures.
[Reference] Courses of action to reduce the impact of a security incident may vary according to the nature of the incident (e.g., according to the threat that has emerged, such as a denial-of-service attack, malware infection, or unauthorized access). For example, it is advisable to refer to "SP 800-61 rev.1" (NIST, 2008) for detailed information about courses of action to reduce the impact of an incident.
Subject: O. References: NIST SP 800-171 (3.6.1); NIST SP 800-53 (IR-4); ISO/IEC 27001 Annex A (A.16.1.5); IEC 62443-2-1 (4.3.4.5.6, 4.3.4.5.10); IEC 62443-3-3 (SR 5.1, SR 5.2, SR 5.4).
CPS.IM-1
Measure requirement: Review the lessons learned from the responses to security incidents, and continuously improve the security operation process.
Corresponding vulnerability ID: L1_3_a_ORG
Examples of security measures:
<High-Advanced>
- It is desirable for the information system to adopt an automatic mechanism for quantifying and monitoring the form, scale, and cost of a security incident that has occurred.
Subject: S. References: none.
Common among <Advanced> and <Basic>
- It is advisable to use information about threats and vulnerability acquired from security incident assessment for the purpose of identifying incidents that may recur or have a major impact.
- Incorporate the lessons learned from the experience of handling security incidents into the business continuity plan or emergency response plan and the education or training, thereby making necessary changes. NIST SP 800-61 shows the following as examples of points of view that may be taken when selecting the lessons:
  - Exactly when and what happened;
  - How well the staff and management handled the incident; whether they followed documented procedures; whether that was appropriate;
  - What information was immediately needed;
  - Whether any steps or actions might have hindered recovery;
  - What different actions the staff and management would take if the same incident recurred;
  - What corrective measures would prevent the occurrence of similar incidents in the future;
  - What additional tools and resources would be needed to detect, analyze, and reduce incidents in the future.
Subject: O. References: NIST SP 800-171 (3.6.2); NIST SP 800-53 (IR-4); ISO/IEC 27001 Annex A (A.16.1.6); IEC 62443-2-1 (4.3.4.5.10).

CPS.IM-2
Measure requirement: Review the lessons learned from the responses to security incidents, and continuously improve the business continuity plan or emergency response plan.
Corresponding vulnerability ID: L1_3_a_ORG
Examples of security measures:
Common among <High-Advanced>, <Advanced> and <Basic>
- The organization makes sure that the procedures for business continuity and the functions of relevant measures go along with the business continuity policy set at higher levels of the organization.
- The organization incorporates the lessons learned from the experience of handling security incidents into the business continuity plan or emergency response plan and the education or training, thereby making necessary changes.
Subject: O. References: NIST SP 800-171 (3.6.2); NIST SP 800-53 (IR-4); ISO/IEC 27001 Annex A (A.17.1.3).

C-22
Appendix D: Relationship with major overseas standards

D.1 Mapping NIST Cybersecurity Framework v1.1 subcategories to Cyber/Physical Security Framework
Table columns: NIST Cybersecurity Framework Ver 1.1 (Function; Subcategory ID; Subcategory) and Cyber/Physical Security Framework (Measure Requirement ID; Measure Requirement). Each NIST CSF subcategory is listed first, followed by the CPSF measure requirement(s) it maps to.
Identify (ID)
AM-1  Physical devices and systems within the organization are inventoried
  -> CPS.AM-1  Document and manage appropriately the list of hardware and software, and management information (e.g. name of asset, version, network address, name of asset manager, license information) of components in the system.
AM-2  Software platforms and applications within the organization are inventoried
  -> CPS.AM-1  (same measure requirement as for AM-1)
AM-3  Organizational communication and data flows are mapped
  -> CPS.AM-4  Create and manage appropriately network configuration diagrams and data flows within the organization.
AM-4  External information systems are catalogued
  -> CPS.AM-5  Create and manage appropriately a list of external information systems where the organization's assets are shared.
AM-5  Resources (e.g., hardware, devices, data, time, personnel, and software) are prioritized based on their classification, criticality, and business value
  -> CPS.AM-6  Classify and prioritize resources (e.g., People, Components, Data, and System) by function, importance, and business value, and communicate to the organizations and people relevant to those resources in business.
AM-6  Cybersecurity roles and responsibilities for the entire workforce and third-party stakeholders (e.g., suppliers, customers, partners) are established
  -> CPS.AM-7  Define roles and responsibilities for cyber security across the organization and other relevant parties.
BE-1  The organization's role in the supply chain is identified and communicated
  -> CPS.BE-1  Identify and share the role of the organizations in the supply chain.
BE-2  The organization's place in critical infrastructure and its industry sector is identified and communicated
  -> CPS.BE-1  (same measure requirement as for BE-1)
BE-3  Priorities for organizational mission, objectives, and activities are established and communicated
  -> CPS.BE-2  Define policies and standard measures regarding security that are consistent with the high-priority business and operations of the organization, and share them with parties relevant to the organization's business (including suppliers and third-party providers).
BE-4  Dependencies and critical functions for delivery of critical services are established
  -> CPS.BE-3  Identify the dependency between the organization and other relevant parties and the important functions of each in the course of running the operation.
BE-5  Resilience requirements to support delivery of critical services are established for all operating states (e.g. under duress/attack, during recovery, normal operations)
  -> CPS.AT-1  Provide appropriate training and education to all individuals in the organization and manage the record so that they can fulfill assigned roles and responsibilities to prevent and contain the occurrence and severity of security incidents.
  -> CPS.AT-2  Provide appropriate training and security education to members of the organization and other relevant parties of high importance in security management that may be involved in security incident prevention and response. Then, manage the record of such training and security education.
  -> CPS.IP-5  Implement physical measures such as preparing an uninterruptible power supply, a fire protection facility, and protection from water infiltration to follow the policies and rules related to the physical operating environment, including the IoT devices and servers installed in the organization.
  -> CPS.RP-1  Develop and implement in advance the procedure of response after detecting incidents (security operation process) that includes the response of Organization, People, Components, System to identify the content of response, priority, and scope of response taken after an incident occurs.
  -> CPS.RP-2  As part of the security operation process, define the procedure and the division of roles with regard to cooperative relations with relevant parties such as partners, and implement the process.
  -> CPS.RP-3  Include security incidents in the business continuity plan or emergency response plan that outlines the action plans and response procedures to take in case of natural disasters.
GV-1  Organizational cybersecurity policy is established and communicated
  -> CPS.GV-1  Develop security policies, define roles and responsibilities for security across the organization and other relevant parties, and clarify the information-sharing method among stakeholders.
GV-2  Cybersecurity roles and responsibilities are coordinated and aligned with internal roles and external partners
  -> CPS.GV-1  (same measure requirement as for GV-1)
GV-3  Legal and regulatory requirements regarding cybersecurity, including privacy and civil liberties obligations, are understood and managed
  -> CPS.GV-2  Formulate internal rules considering domestic and foreign laws, including the Act on the Protection of Personal Information and the Unfair Competition Prevention Act, as well as industry guidelines, and review and revise the rules on a continuing and timely basis in accordance with any changes in relevant laws, regulations, and industry guidelines.
GV-4  Governance and risk management processes address cybersecurity risks
  -> CPS.GV-4  Develop a strategy and secure resources to implement risk management regarding security.
RA-1  Asset vulnerabilities are identified and documented
  -> CPS.RA-1  Identify the vulnerability of the organization's assets and document the list of identified vulnerability with the corresponding asset.
RA-2  Cyber threat intelligence is received from information sharing forums and sources
  -> CPS.RA-2  The security management team (SOC/CSIRT) collects information, including vulnerability and threats, from internal and external sources (through internal tests, security information, security researchers, etc.), analyzes the information, and establishes a process to implement and use measures.

D-1-1
RA-3  Threats, both internal and external, are identified and documented
  -> CPS.RA-3  Identify and document the assumed security incidents, their impacts on the organization's assets, and their causes.
RA-4  Potential business impacts and likelihoods are identified
  -> CPS.RA-4  - Conduct risk assessments regularly to check if the security rules for managing the components are effective and applicable to the components for implementation.
               - Check the presence of unacceptable known security risks, including safety hazards, from the planning and design phase of an IoT device and systems incorporating IoT devices.
RA-5  Threats, vulnerabilities, likelihoods, and impacts are used to determine risk
  -> CPS.RA-5  Consider threats, vulnerability, likelihood, and impacts when assessing risks.
RA-6  Risk responses are identified and prioritized
  -> CPS.RA-6  - On the basis of the results of the risk assessment, clearly define the details of measures to prevent possible security risks, and document the organized outcome from the scope and priorities of the measures.
               - React accordingly to the security risks and the associated safety risks identified as a result of the assessment conducted at the planning and design phase of an IoT device and systems incorporating IoT devices.
RM-1  Risk management processes are established, managed, and agreed to by organizational stakeholders
  -> CPS.RM-1  Confirm the implementation status of the organization's cyber security risk management and communicate the results to appropriate parties within the organization (e.g. senior management). Define the scope of responsibilities of the organization and the relevant parties (e.g. subcontractor), and establish and implement the process to confirm the implementation status of security risk management of relevant parties.
RM-2  Organizational risk tolerance is determined and clearly expressed
  -> CPS.RM-2  Determine the organization's risk tolerance level based on the result of the risk assessment and its role in the supply chain.
RM-3  The organization's determination of risk tolerance is informed by its role in critical infrastructure and sector specific risk analysis
  -> CPS.RM-2  (same measure requirement as for RM-2)
SC-1  Cyber supply chain risk management processes are identified, established, assessed, managed, and agreed to by organizational stakeholders
  -> CPS.SC-1  Formulate the standard of security measures relevant to the supply chain in consideration of the business life cycle, and agree on contents with the business partners after clarifying the scope of the responsibilities.
SC-2  Suppliers and third party partners of information systems, components, and services are identified, prioritized, and assessed using a cyber supply chain risk assessment process
  -> CPS.SC-2  Identify, prioritize, and evaluate the organizations and people that play an important role in each layer of the three-layer structure in sustaining the operation of the organization.
SC-3  Contracts with suppliers and third-party partners are used to implement appropriate measures designed to meet the objectives of an organization's cybersecurity program and Cyber Supply Chain Risk Management Plan.
  -> CPS.SC-3  When signing contracts with external organizations, check if the security management of the other relevant organizations properly complies with the security requirements defined by the organization while considering the objectives of such contracts and the results of risk management.
SC-4  Suppliers and third-party partners are routinely assessed using audits, test results, or other forms of evaluations to confirm they are meeting their contractual obligations.
  -> CPS.SC-6  Conduct regular assessments through auditing, test results, or other checks of relevant parties such as business partners to ensure they are fulfilling their contractual obligations.
SC-5  Response and recovery planning and testing are conducted with suppliers and third-party providers
  -> CPS.SC-9  Prepare and test a procedure for incident response with relevant parties involved in the incident response activity to ensure action for incident response in the supply chain.
Protect (PR)
AC-1  Identities and credentials are issued, managed, verified, revoked, and audited for authorized devices, users and processes
  -> CPS.AC-1  Establish and implement the procedure to issue, manage, check, cancel, and monitor identification and authentication information of authorized goods, people, and procedures.
AC-2  Physical access to assets is managed and protected
  -> CPS.AC-2  Implement appropriate physical security measures such as locking and limiting access to the areas where the IoT devices and servers are installed, using entrance and exit controls, biometric authentication, deploying surveillance cameras, and inspecting belongings and body weight.
AC-3  Remote access is managed
  -> CPS.AC-3  Properly authorize wireless connection destinations (including users, IoT devices, and servers).
  -> CPS.AC-4  Prevent unauthorized log-in to IoT devices and servers by measures such as implementing functions for lockout after a specified number of incorrect log-in attempts and providing a time interval until safety is ensured.
AC-4  Access permissions and authorizations are managed, incorporating the principles of least privilege and separation of duties
  -> CPS.AC-5  Segregate duties and areas of responsibility properly (e.g. segregate user functions from system administrator functions).
  -> CPS.AC-6  Adopt high confidence methods of authentication where appropriate based on risk (e.g. multi-factor authentication, combining more than two types of authentication) when logging in to the system over the network as a privileged user.
AC-5  Network integrity is protected (e.g., network segregation, network segmentation)
  -> CPS.AC-7  Develop a policy about controlling data flow, and in accordance with it protect the integrity of the network by means such as appropriate network isolation (e.g., development and test environment vs. production environment, and the environment incorporating IoT devices vs. other environments within the organization).
AC-6  Identities are proofed and bound to credentials and asserted in interactions
  -> CPS.AC-8  Restrict communications by IoT devices and servers to those with entities (e.g. people, components, system, etc.) identified through proper procedures.

D-1-2
AC-7  Users, devices, and other assets are authenticated (e.g., single-factor, multi-factor) commensurate with the risk of the transaction (e.g., individuals' security and privacy risks and other organizational risks)
  -> CPS.AC-6  Adopt high confidence methods of authentication where appropriate based on risk (e.g. multi-factor authentication, combining more than two types of authentication) when logging in to the system over the network as a privileged user.
  -> CPS.AC-9  Authenticate and authorize logical accesses to system components by IoT devices and users according to the transaction risks (personal security, privacy risks, and other organizational risks).
AT-1  All users are informed and trained
  -> CPS.AT-1  Provide appropriate training and education to all individuals in the organization and manage the record so that they can fulfill assigned roles and responsibilities to prevent and contain the occurrence and severity of security incidents.
AT-2  Privileged users understand their roles and responsibilities
  -> CPS.AT-1  (same measure requirement as for AT-1)
AT-3  Third-party stakeholders (e.g., suppliers, customers, partners) understand their roles and responsibilities
  -> CPS.AT-2  Provide appropriate training and security education to members of the organization and other relevant parties of high importance in security management that may be involved in security incident prevention and response. Then, manage the record of such training and security education.
AT-4  Senior executives understand their roles and responsibilities
  -> CPS.AT-1  (same measure requirement as for AT-1)
AT-5  Physical and cybersecurity personnel understand their roles and responsibilities
  -> CPS.AT-1  (same measure requirement as for AT-1)
DS-1  Data-at-rest is protected
  -> CPS.DS-2  Encrypt information with an appropriate level of security strength, and store it.
DS-2  Data-in-transit is protected
  -> CPS.DS-3  Encrypt the communication channel when communicating between IoT devices and servers or in cyberspace.
  -> CPS.DS-4  Encrypt the information itself when sending/receiving information.
DS-3  Assets are formally managed throughout removal, transfers, and disposition
  -> CPS.IP-6  When disposing of an IoT device or server, delete the stored data and the ID (identifier) uniquely identifying the genuine IoT devices and servers as well as important information (e.g., private key and digital certificate), or make them unreadable.
DS-4  Adequate capacity to ensure availability is maintained
  -> CPS.DS-6  Secure sufficient resources (e.g., People, Components, System) for components and systems, and protect assets properly to minimize bad effects under cyber attack (e.g., DoS attack).
  -> CPS.DS-7  Carry out periodic quality checks, prepare standby devices and uninterruptible power supplies, provide redundancy, detect failures, conduct replacement work, and update software for IoT devices, communication devices, circuits, etc.
DS-5  Protections against data leaks are implemented
  -> CPS.DS-8  When handling information to be protected or procuring devices that have an important function for the organization, select IoT devices and servers equipped with anti-tampering devices.
  -> CPS.DS-9  Properly control outbound communications that send information to be protected to prevent an improper data breach.
DS-6  Integrity checking mechanisms are used to verify software, firmware, and information integrity
  -> CPS.DS-10  Conduct integrity checks of software running on the IoT devices and servers at a time determined by the organization, and prevent unauthorized software from launching.
  -> CPS.DS-11  Perform integrity checking on information to be sent, received, and stored.
Develop a policy about controlling data flow, and according that protect the integrity of the network by
means such as appropriate network isolation (e.g., development and test environment vs. production
DS-7 The development and testing environment(s) are separate from the production environment CPS.AC-7
environment, and environment incorporates IoT devices vs. other environments within the
organization).
DS-8 Integrity checking mechanisms are used to verify hardware integrity CPS.DS-12 Introduce an integrity check mechanism to verify the integrity of hardware.
Introduce and implement the process to manage the initial setting procedure (e.g., password) and
A baseline configuration of information technology/industrial control systems is created and CPS.IP-1
IP-1 setting change procedure for IoT devices and servers.
maintained incorporating security principles (e.g. concept of least functionality)
CPS.IP-2 Restrict the software to be added after installing in the IoT devices and servers.
IP-2 A System Development Life Cycle to manage systems is implemented CPS.IP-3 Introduce the system development life cycle to manage the systems.
Introduce and implement the process to manage the initial setting procedure (e.g., password) and
IP-3 Configuration change control processes are in place CPS.IP-1
setting change procedure for IoT devices and servers.
Perform a periodical system backup and testing of components (e.g., IoT devices, communication
IP-4 Backups of information are conducted, maintained, and tested CPS.IP-4
devices, and circuits).
Implement physical measures such as preparing an uninterruptible power supply, a fire protection
Policy and regulations regarding the physical operating environment for organizational
IP-5 CPS.IP-5 facility, and protection from water infiltration to follow the policies and rules related to the physical
assets are met
operating environment, including the IoT devices and servers installed in the organization.

D-1-3
Appendix D.1 - Mapping NIST CSF to CPSF

NIST Cyberseucurity Framework Ver 1.1 Cyber/Physical Security Framework


Subcategory- Measure
Function Subcategory Measure Requirement
ID Requirement ID
When disposing of an IoT device and server, delete the stored data and the ID (identifier) uniquely
IP-6 Data is destroyed according to policy CPS.IP-6 identifying the genuine IoT devices and servers as well as important information (e.g., private key and
digital certificate), or make them unreadable.
Assess the lessons learned from security incident response and the results of monitoring, measuring,
IP-7 Protection processes are improved CPS.IP-7
and evaluating internal and external attacks, and improve the processes of protecting the assets.

IP-8 Effectiveness of protection technologies is shared CPS.IP-8 Share information regarding the effectiveness of data protection technologies with appropriate partners.

Develop and implement previously the procedure of response after detecting incidents (securith
CPS.RP-1 operation process) that includes the response of Organization, People, Componens, System to identify
Response plans (Incident Response and Business Continuity) and recovery plans (Incident
IP-9 the content of response, priority, and scope of response taken after an incident occurs.
Recovery and Disaster Recovery) are in place and managed
As part of the security operation process, define the procedure and the division of roles with regard to
CPS.RP-2
cooperative relations with relevant parties such as partners, and implement the process.
Provide appropriate training and security education to members of the organization and other relevant
IP-10 Response and recovery plans are tested CPS.AT-2 parties of high importance in security management that may be involved in the security incident
prevention and response. Then, manage the record of such training and security education.
Cybersecurity is included in human resources practices (e.g., deprovisioning, personnel Include items concerning security (e.g., deactivate access authorization and personnel screening) when
IP-11 CPS.IP-9
screening) roles change in due to personnel transfer.
Develop a vulnerability remediation plan, and modify the vulnerability of the components according to
IP-12 A vulnerability management plan is developed and implemented CPS.IP-10
the plan.
- Discuss the method of conducting important security updates and the like on IoT devices and servers.
Then, apply those security updateswith managed tools properly and in a timely manner while
Maintenance and repair of organizational assets isare performed and logged with approved
MA-1 CPS.MA-1 recording the history.
and controlled tools
- Introduce IoT devices having a remote update mechanism to perform a mass update of different
software programs (OS, driver, and application) through remote commands, where applicable.
Remote maintenance of organizational assets is approved, logged, and performed in a Conduct remote maintenance of the IoT devices and servers while granting approvals and recording logs
MA-2 CPS.MA-2
manner that prevents unauthorized access so that unauthorized access can be prevented.
Audit/log records are determined, documented, implemented, and reviewed in accordance Determine and document the subject or scope of the audit recording/log recording, and implement and
PT-1 CPS.PT-1
with policy review those records in order to properly detect high-risk security incidents.
PT-2 Removable media is protected and its use restricted according to policy
Minimize funcions of IoT devices and servers by physically and logically blocking unnecessary network
The principle of least functionality is incorporated by configuring systems to provide only CPS.PT-2
PT-3 ports, USBs, and serial ports accessing directly the main bodies of IoT devices and servers etc.
essential capabilities
Develop a policy about controlling data flow, and according that protect the integrity of the network by
means such as appropriate network isolation (e.g., development and test environment vs. production
PT-4 Communications and control networks are protected CPS.AC-7
environment, and environment incorporates IoT devices vs. other environments within the
organization).
Mechanisms (e.g., failsafe, load balancing, hot swap) are implemented to achieve resilience Introduce IoT devices that implement safety functions, assuming that these devices are connected to
PT-5 CPS.PT-3
requirements in normal and adverse situations the network.
Detect A baseline of network operations and expected data flows for users and systems is Establish and implement the procedure to identify and manage the baseline of network operations and
AE-1 CPS.AE-1
(DE) established and managed expected information flows between people, goods, and systems.
Appoint a chief security officer, establish a security management team (SOC/CSIRT), and prepare a
AE-2 Detected events are analyzed to understand attack targets and methods CPS.AE-2
system within the organization to detect, analyze, and respond to security events.
Identify the security events accurately by implementing the procedure to conduct a correlation analysis
AE-3 Event data are collected and correlated from multiple sources and sensors CPS.AE-3 of the security events and comparative analysis with the threat information obtained from outside the
organization.
AE-4 Impact of events is determined CPS.AE-4 Identify the impact of security events, including the impact on other relevant organizations.
AE-5 Incident alert thresholds are established CPS.AE-5 Specify the criteria to determine the risk degree of security events.
Conduct network and access monitoring and control at the contact points between corporate networks
CM-1 The network is monitored to detect potential cybersecurity events CPS.CM-1
and wide area networks.
Perform setting, recording, and monitoring of proper physical access, considering the importance of IoT
CM-2 The physical environment is monitored to detect potential cybersecurity events CPS.CM-2
devices and servers.

D-1-4
Appendix D.1 - Mapping NIST CSF to CPSF

NIST Cyberseucurity Framework Ver 1.1 Cyber/Physical Security Framework


Subcategory- Measure
Function Subcategory Measure Requirement
ID Requirement ID
As part of the configuration management of devices, constantly manage software configuration
information, status of network connections (e.g., presence/absence of connections and access
CM-3 Personnel activity is monitored to detect potential cybersecurity events CPS.CM-6
destination), and information transmission/reception status between other “organization”, people,
components, and systems.
- Use IoT devices that can detect abnormal behaviors and suspend operations by comparing the
instructed behaviors and actual ones.
CPS.CM-3
CM-4 Malicious code is detected - Validate whether information provided from cyberspace contains malicious code, and is within the
permissible range before any action based on the data.
CPS.CM-4 Validate the integrity and authenticity of the information provided from cyberspace before operations.
- Use IoT devices that can detect abnormal behaviors and suspend operations by comparing the
instructed behaviors and actual ones.
CPS.CM-3
CM-5 Unauthorized mobile code is detected - Validate whether information provided from cyberspace contains malicious code, and is within the
permissible range before any action based on the data.
CPS.CM-4 Validate the integrity and authenticity of the information provided from cyberspace before operations.
Monitor communication with external service providers so that potential security events can be detected
CM-6 External service provider activity is monitored to detect potential cybersecurity events CPS.CM-5
properly.
As part of the configuration management of devices, constantly manage software configuration
information, status of network connections (e.g., presence/absence of connections and access
CM-7 Monitoring for unauthorized personnel, connections, devices, and software is performed CPS.CM-6
destination), and information transmission/reception status between other “organization”, people,
components, and systems.
Confirm the existence of vulnerability that requires a regular check-up in IoT devices and servers
CM-8 Vulnerability scans are performed CPS.CM-7
managed within the organization.
Clarify the role and responsibility of the organization as well as service providers in detecting security
DP-1 Roles and responsibilities for detection are well defined to ensure accountability CPS.DP-1
events so that they can fulfill their accountabilities.
Detect security events in the monitoring process, in compliance with applicable local regulations,
DP-2 Detection activities comply with all applicable requirements CPS.DP-2
directives, industry standards, and other rules.
As part of the monitoring process, test regularly if the functions for detecting security events work as
DP-3 Detection processes are tested CPS.DP-3
intended, and validate these functions.
Develop and implement previously the procedure of response after detecting incidents (securith
DP-4 Event detection information is communicated CPS.RP-1 operation process) that includes the response of Organization, People, Componens, System to identify
the content of response, priority, and scope of response taken after an incident occurs.
DP-5 Detection processes are continuously improved CPS.DP-4 Continuously improve the process of detecting security events.
Respond Develop and implement previously the procedure of response after detecting incidents (securith
(RS) RP-1 Response plan is executed during or after an incident CPS.RP-1 operation process) that includes the response of Organization, People, Componens, System to identify
the content of response, priority, and scope of response taken after an incident occurs.
Provide appropriate training and security education to members of the organization and other relevant
CO-1 Personnel know their roles and order of operations when a response is needed CPS.AT-2 parties of high importance in security management that may be involved in the security incident
prevention and response. Then, manage the record of such training and security education.
CO-2 Incidents are reported consistent with established criteria Develop and implement previously the procedure of response after detecting incidents (securith
CPS.RP-1 operation process) that includes the response of Organization, People, Componens, System to identify
CO-3 Information is shared consistent with response plans the content of response, priority, and scope of response taken after an incident occurs.
CO-4 Coordination with stakeholders occurs consistent with response plans
As part of the security operation process, define the procedure and the division of roles with regard to
Voluntary information sharing occurs with external stakeholders to achieve broader CPS.RP-2
CO-5 cooperative relations with relevant parties such as partners, and implement the process.
cybersecurity situational awareness
Identify the security events accurately by implementing the procedure to conduct a correlation analysis
AN-1 Notifications from detection systems are investigated CPS.AE-3 of the security events and comparative analysis with the threat information obtained from outside the
organization.
Understand the impact of the security incident on the whole society including the organization and
AN-2 The impact of the incident is understood CPS.AN-1 relevant parties such as partners based on the full account of the incident and the probable intent of
the attacker.
AN-3 Forensics are performed CPS.AN-2 Implement digital forensics upon the occurrence of the security incident.

D-1-5
Appendix D.1 - Mapping NIST CSF to CPSF

NIST Cyberseucurity Framework Ver 1.1 Cyber/Physical Security Framework


Subcategory- Measure
Function Subcategory Measure Requirement
ID Requirement ID
Categorize and store information regarding the detected security incidents by the size of security-related
AN-4 Incidents are categorized consistent with response plans CPS.AN-3
impact, penetration vector, and other factors.
Processes are established to receive, analyze and respond to vulnerabilities disclosed to the The security management team (SOC/CSIRT) collects information, including vulnerability and threats
AN-5 organization from internal and external sources (e.g. internal testing, security bulletins, or CPS.RA-2 from internal and external sources (through internal tests, security information, security researchers,
security researchers) etc.), analyzes the information, and establishes a process to implement and use measures.
IM-1 Response plans incorporate lessons learned Review the lessons learned from the responses to security incidents, and continuously improve the
CPS.IM-1
IM-2 Response strategies are updated security operation process.

MI-1 Incidents are contained


CPS.MI-1 Take measures to minimize security-related damages and mitigate the impacts caused by such incident.
MI-2 Incidents are mitigated
- Conduct risk assessments regularly to check if the security rules for managing the components are
effective and applicable to the components for implementation.
CPS.RA-4
- Check the presence of unacceptable known security risks, including safety hazards, from the planning
and design phase of an IoT device and systems incorporating IoT devices.
- On the basis of the results of the risk assessment, clearly define the details of measures to prevent
MI-3 Newly identified vulnerabilities are mitigated or documented as accepted risks
possible security risks, and document the organized outcome from the scope and priorities of the
measures.
CPS.RA-6
- React accordingly to the security risks and the associated safety risks identified as a result of the
assessment conducted at the planning and design phase of an IoT device and systems incorporating IoT
devices.
Recovery Include security incidents in the business continuity plan or emergency response plan that outlines the
RP-1 Recovery plan is executed during or after a cybersecurity incident CPS.RP-3
(RC) action plans and response procedures to take in case of natural disasters.
IM-1 Recovery plans incorporate lessons learned Review the lessons learned from the responses to security incidents, and continuously improve the
CPS.IM-2
IM-2 Recovery strategies are updated business continuity plan or emergency response plan.
Develop and manage rules regarding publishing information after the occurrence of the security
CO-1 Public relations are managed CPS.CO-1
incident.
Include the item in the business continuity plan or emergency response plan to the effect that the
CO-2 Reputation is repaired after an incident CPS.CO-2 organization shall work to restore its social reputation after the occurrence of a high-risk security
incident.
Include the item in the business continuity plan or emergency response plan to the effect that the
Recovery activities are communicated to internal and external stakeholders as well as
CO-3 CPS.CO-3 details of the recovery activities shall be communicated to the internal and external stakeholders,
executive and management teams
executives, and management.

D-1-6
D.2 Mapping NIST SP 800-171 controls to Cyber/Physical Security Framework
NIST SP 800-53 Relevant Security Controls
NIST SP 800-171 referred from NIST SP 800-171
Cyber/Physical Security Framework
Measure
FAMILY ID Security Requirements Security Controls Measure Requirement Example of Security Measures
Requirement ID
ACCESS CONTROL ‐ The information system and industrial control system require authentication using a public key infrastructure (PKI) , especially regarding  login to 
a system that handles highly confidential data.
* When performing authentication using PKI in an industrial control system, ensure that the processing wait time that occurs does not degrade 
system performance.
H‐Advanced
‐ The information system and industrial control system lay down conditions that require disconnection of the session for its system and implement 
Authenticate and authorize logical accesses to
Limit system access to authorized users, a function that automatically terminates a user’s session when it falls under these conditions.
・AC-2 Account Management system components by IoT devices and users
processes acting on behalf of authorized users, or
3.1.1 ・AC-3 Access Enforcement CPS.AC-9 according to the transaction risks (personal [Reference] For the strength of authentication schemes and appropriate use cases, it is advisable to refer to NIST SP 800‐63‐3.
devices
・AC-17 Remote Access security, privacy risks, and other organizational ‐ The organization checks the user’s identity and authenticates using a mechanism that has sufficient strength for the risk of the transaction 
(including other systems). (security‐related risks for the user, privacy risks, etc.).
risks).
‐ The information system displays a notification message on the risk of the transaction (security‐related risks for the user, privacy risks, etc.) when 
Advanced a user logs into the system.
‐ The information system and the industrial control system make the feedback on the authentication information invisible in its system during the 
authentication process.
‐ The organization sets the expiration date of the credential and manages whether the password over the expiration date is used.
‐ The information system and industrial control system require authentication using a public key infrastructure (PKI) , especially regarding  login to 
a system that handles highly confidential data.
* When performing authentication using PKI in an industrial control system, ensure that the processing wait time that occurs does not degrade 
system performance.
H‐Advanced
‐ The information system and industrial control system lay down conditions that require disconnection of the session for its system and implement 
Authenticate and authorize logical accesses to
Limit system access to the types of transactions a function that automatically terminates a user’s session when it falls under these conditions.
・AC-2 Account Management system components by IoT devices and users
and functions that authorized users are
3.1.2 ・AC-3 Access Enforcement CPS.AC-9 according to the transaction risks (personal [Reference] For the strength of authentication schemes and appropriate use cases, it is advisable to refer to NIST SP 800‐63‐3.
permitted
・AC-17 Remote Access security, privacy risks, and other organizational ‐ The organization checks the user’s identity and authenticates using a mechanism that has sufficient strength for the risk of the transaction 
to execute. risks).
(security‐related risks for the user, privacy risks, etc.).
‐ The information system displays a notification message on the risk of the transaction (security‐related risks for the user, privacy risks, etc.) when 
Advanced a user logs into the system.
‐ The information system and the industrial control system make the feedback on the authentication information invisible in its system during the 
authentication process.
‐ The organization sets the expiration date of the credential and manages whether the password over the expiration date is used.
‐ The information system and the industrial control system monitor and control communications on the networks composing internal business 
systems of the organization.
‐ Regarding the network which the system that handles highly confidential data is connected to, the organization shall deny network 
communications as a default and shall only allow connection of approved communication traffic.
Develop a policy about controlling data flow, and H‐Advanced
‐ The organization physically or logically separates the network of high importance industrial control systems from the network of control systems 
according that protect the integrity of the network with lower importance.
by means such as appropriate network isolation ‐ If the information system that handles highly confidential data is connected to a remote device, the organization is to prevent multiple and 
CPS.AC-7 (e.g., development and test environment vs. simultaneous local connections between the device and the system, as well as prevent access to external network resources by other connections.
production environment, and environment ‐ The organization establishes a data flow regulation policy that defines the range in which data flow within information systems and industrial 
incorporates IoT devices vs. other environments control system is permitted and the range in which  data flow between systems is permitted, and regulates the flow by segregating the network 
Control the flow of CUI in accordance with within the organization). appropriately.
3.1.3 ・AC-4 Information Flow Enforcement Basic ‐ The organization logically or physically segments the control system's network from the network composing of the information system.
approved authorizations.
[Reference] Implement physical segmentation in environments physically separated from other networks. Alternatively, in environments physically 
close to other networks, it is possible to implement logical segmentation in consideration of the cost of the measure.
‐ The organization uses a mechanism for automatically collecting information about network configurations and the software configurations of 
devices in order to monitor the most recent status at all times.
Establish and implement the procedure to identify ‐ The information system forces the application of users’ access rights approved (by the administrator) in order to control data flows within a 
system (and between interconnected systems).
and manage the baseline of network operations and
CPS.AE-1 H‐Advanced ‐ The organization physically or logically separates a network of industrial control systems with high importance from a network of industrial 
expected information flows between people, goods, control systems with lower importance.
and systems. ‐ The organization/system analyzes the regular patterns of its systems’ communication status and security alerts to create and use a profile that 
summarizes typical patterns of communication and security alerts, thereby enabling the detection of unknown threats and suspicious behavior 
(communication).
‐ The organization specifies administrators who use the security functions (e.g., access authority setting) and regulates privileged accounts in its 
system.
‐ The information system adopts a system monitoring mechanism to check the use of privileged functions.
‐ The information system prohibits non‐privileged users from executing privileged functions on the system by invalidating, avoiding, and changing 
H‐Advanced security measures that are changed and implemented by non‐privileged users.
‐ The organization can minimize the number of users who can use the system administrator's authority in an emergency to minimize the damage 
Segregate duties and areas of responsibility caused by the security incident.
Separate the duties of individuals to reduce the ‐ The organization can prevent even system administrators from stopping critical services and protected processes through the server to minimize 
3.1.4 ・AC-5 Separation of Duties CPS.AC-5 properly (e.g. segregate user functions from
risk of malevolent activity without collusion. the damage caused by security incidents.
system administrator functions) ‐ The organization implements access control in the information system and the industrial control system based on separation of duties (e.g., user 
/ system administrator).
‐ The organization adopts a general rule on the minimum authority of specific duties.
Advanced   ‐ Segregate authority of general user from that of administrator.
    (Require users to use the system with a non‐privileged account when using a non‐security function.)
  ‐ Minimize authority for duties not in charge. 
‐ The organization separates and stipulates duties that are assigned by the person in charge.

D-2-1
Appendix D.2 - Mapping NIST SP 800-171 to CPSF

NIST SP 800-53 Relevant Security Controls


NIST SP 800-171 referred from NIST SP 800-171
Cyber/Physical Security Framework
Measure
FAMILY ID Security Requirements Security Controls Measure Requirement Example of Security Measures
Requirement ID
‐ The organization specifies administrators who use the security functions (e.g., access authority setting) and regulates privileged accounts in its 
system.
‐ The information system adopts a system monitoring mechanism to check the use of privileged functions.
‐ The information system prohibits non‐privileged users from executing privileged functions on the system by invalidating, avoiding, and changing 
H‐Advanced security measures that are changed and implemented by non‐privileged users.
・AC-6 Least Privilege ‐ The organization can minimize the number of users who can use the system administrator's authority in an emergency to minimize the damage 
Employ the principle of least privilege, including ・AC-6(1) Least Privilege Segregate duties and areas of responsibility caused by the security incident.
‐ The organization can prevent even system administrators from stopping critical services and protected processes through the server to minimize 
3.1.5 for specific security functions and privileged  Authorize Access to Security Functions CPS.AC-5 properly (e.g. segregate user functions from
the damage caused by security incidents.
accounts ・AC-6(5) Least Privilege system administrator functions) ‐ The organization implements access control in the information system and the industrial control system based on separation of duties (e.g., user 
 Privileged Accounts / system administrator).
‐ The organization adopts a general rule on the minimum authority of specific duties.
Advanced   ‐ Segregate authority of general user from that of administrator.
    (Require users to use the system with a non‐privileged account when using a non‐security function.)
  ‐ Minimize authority for duties not in charge. 
‐ The organization separates and stipulates duties that are assigned by the person in charge.

Use non-privileged accounts or roles when ・AC-6(2) Least Privilege ‐ The organization specifies administrators who use the security functions (e.g., access authority setting) and regulates privileged accounts in its 


3.1.6 system.
accessing nonsecurity functions.  Non-Privileged Access for Nonsecurity Functions
‐ The information system adopts a system monitoring mechanism to check the use of privileged functions.
Segregate duties and areas of responsibility ‐ The information system prohibits non‐privileged users from executing privileged functions on the system by invalidating, avoiding, and changing 
・AC-6(9) Least Privilege CPS.AC-5 properly (e.g. segregate user functions from H‐Advanced security measures that are changed and implemented by non‐privileged users.
Prevent non-privileged users from executing  Auditing Use of Privileged Functions system administrator functions) ‐ The organization can minimize the number of users who can use the system administrator's authority in an emergency to minimize the damage 
caused by the security incident.
3.1.7 privileged functions and audit the execution of ・AC-6(10) Least Privilege
‐ The organization can prevent even system administrators from stopping critical services and protected processes through the server to minimize 
such functions.  Prohibit Non-Privileged Users from Executing the damage caused by security incidents.
 Privileged Functions
3.1.8  Limit unsuccessful logon attempts.
  NIST SP 800-53: ・AC-7 Unsuccessful Logon Attempts
  CPS.AC-4: Prevent unauthorized log-in to IoT devices and servers by measures such as implementing functions for lockout after a specified number of incorrect log-in attempts and providing a time interval until safety is ensured.
  H‐Advanced
  ‐ The information system and the industrial control system (excluding some cases where immediacy of response is required) set a limit on the number of continuous login attempts on the system. If the user fails to log in, he or she will only be able to log in again after the administrator removes the restriction.
  Advanced
  ‐ The information system and the industrial control system set a limit on the number of continuous login attempts on the system. If the user fails to log in, he or she will not be able to log in again for a certain period of time.
  ‐ The information system and the industrial control system lock the session manually or automatically if the system's non‐operation continues beyond the time set by the organization.
  * In the industrial control system, it may be desirable not to lock the session when it is assumed that an operator may be required to respond immediately in an emergency during that session.
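The two lockout tiers of the CPS.AC-4 row above (Advanced: timed lockout; H‐Advanced: lockout until an administrator removes it) together with the inactivity session lock and its industrial‐control exemption, as an added Python illustration that is not part of the CPSF text; the thresholds, the in‐memory account store and the `exempt` flag are assumptions made for the example.

```python
"""Added illustration of the CPS.AC-4 login-lockout tiers and inactivity session
lock; not part of the CPSF text. Thresholds, the account store and the
``exempt`` flag are assumptions made for the example."""
import hmac
from dataclasses import dataclass, field
from enum import Enum
from typing import Dict, Optional, Tuple


class Tier(Enum):
    ADVANCED = "Advanced"        # timed lockout after repeated failures
    H_ADVANCED = "H-Advanced"    # lockout held until an administrator clears it


@dataclass
class Account:
    name: str
    password: str                         # constructed sample; a real system stores a hash
    failures: int = 0                     # consecutive failed attempts
    locked_until: Optional[float] = None  # Advanced tier: time (seconds) when the lock expires
    admin_locked: bool = False            # H-Advanced tier: cleared only by admin_unlock()
    exempt: bool = False                  # operator who must respond immediately (ICS note)


@dataclass
class LoginPolicy:
    tier: Tier
    max_failures: int = 5
    lockout_seconds: int = 900
    accounts: Dict[str, Account] = field(default_factory=dict)

    def is_locked(self, acct: Account, now: float) -> bool:
        if acct.admin_locked:
            return True
        return acct.locked_until is not None and now < acct.locked_until

    def attempt(self, name: str, password: str, now: float) -> Tuple[bool, str]:
        """Process one login attempt; returns (success, reason)."""
        acct = self.accounts[name]
        if self.is_locked(acct, now):
            return False, "locked"          # refuse before evaluating the password
        if hmac.compare_digest(password, acct.password):
            acct.failures = 0               # success resets the consecutive-failure count
            acct.locked_until = None
            return True, "ok"
        acct.failures += 1
        if acct.failures >= self.max_failures and not acct.exempt:
            if self.tier is Tier.H_ADVANCED:
                acct.admin_locked = True    # stays locked until admin_unlock()
            else:
                acct.locked_until = now + self.lockout_seconds
            return False, "locked"
        return False, "bad-password"

    def admin_unlock(self, name: str) -> None:
        """Administrator removes the restriction (H-Advanced tier)."""
        acct = self.accounts[name]
        acct.admin_locked = False
        acct.locked_until = None
        acct.failures = 0


def session_should_lock(last_activity: float, now: float,
                        idle_limit_seconds: int, exempt: bool = False) -> bool:
    """Lock an idle session once inactivity exceeds the organization's limit.
    Sessions flagged exempt (an ICS operator who must act immediately in an
    emergency) are never locked, as the CPS.AC-4 note allows."""
    if exempt:
        return False
    return now - last_activity > idle_limit_seconds
```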
3.1.9  Provide privacy and security notices consistent with applicable CUI rules.
  NIST SP 800-53: ・AC-8 System Use Notification
  CPS.AC-9: Authenticate and authorize logical accesses to system components by IoT devices and users according to the transaction risks (personal security, privacy risks, and other organizational risks).
  H‐Advanced
  ‐ The information system and industrial control system require authentication using a public key infrastructure (PKI), especially regarding login to a system that handles highly confidential data.
  * When performing authentication using PKI in an industrial control system, ensure that the processing wait time that occurs does not degrade system performance.
  ‐ The information system and industrial control system lay down conditions that require disconnection of the session for its system and implement a function that automatically terminates a user's session when it falls under these conditions.
  [Reference] For the strength of authentication schemes and appropriate use cases, it is advisable to refer to NIST SP 800‐63‐3.
  Advanced
  ‐ The organization checks the user's identity and authenticates using a mechanism that has sufficient strength for the risk of the transaction (security‐related risks for the user, privacy risks, etc.).
  ‐ The information system displays a notification message on the risk of the transaction (security‐related risks for the user, privacy risks, etc.) when a user logs into the system.
  ‐ The information system and the industrial control system make the feedback on the authentication information invisible in its system during the authentication process.
  ‐ The organization sets the expiration date of the credential and manages whether a password past the expiration date is used.
3.1.10  Use session lock with pattern-hiding displays to prevent access and viewing of data after period of inactivity.
  NIST SP 800-53: ・AC-11 Session Lock
                  ・AC-11(1) Session Lock | Pattern-Hiding Displays
  CPS.AC-9: Authenticate and authorize logical accesses to system components by IoT devices and users according to the transaction risks (personal security, privacy risks, and other organizational risks).
  H‐Advanced
  ‐ The information system and industrial control system require authentication using a public key infrastructure (PKI), especially regarding login to a system that handles highly confidential data.
  * When performing authentication using PKI in an industrial control system, ensure that the processing wait time that occurs does not degrade system performance.
  ‐ The information system and industrial control system lay down conditions that require disconnection of the session for its system and implement a function that automatically terminates a user's session when it falls under these conditions.
  [Reference] For the strength of authentication schemes and appropriate use cases, it is advisable to refer to NIST SP 800‐63‐3.
  Advanced
  ‐ The organization checks the user's identity and authenticates using a mechanism that has sufficient strength for the risk of the transaction (security‐related risks for the user, privacy risks, etc.).
  ‐ The information system displays a notification message on the risk of the transaction (security‐related risks for the user, privacy risks, etc.) when a user logs into the system.
  ‐ The information system and the industrial control system make the feedback on the authentication information invisible in its system during the authentication process.
  ‐ The organization sets the expiration date of the credential and manages whether a password past the expiration date is used.
3.1.11  Terminate (automatically) a user session after a defined condition.
  NIST SP 800-53: ・AC-12 Session Termination
  CPS.AC-9: Authenticate and authorize logical accesses to system components by IoT devices and users according to the transaction risks (personal security, privacy risks, and other organizational risks).
  H‐Advanced
  ‐ The information system and industrial control system require authentication using a public key infrastructure (PKI), especially regarding login to a system that handles highly confidential data.
  * When performing authentication using PKI in an industrial control system, ensure that the processing wait time that occurs does not degrade system performance.
  ‐ The information system and industrial control system lay down conditions that require disconnection of the session for its system and implement a function that automatically terminates a user's session when it falls under these conditions.
  [Reference] For the strength of authentication schemes and appropriate use cases, it is advisable to refer to NIST SP 800‐63‐3.

D-2-2

Appendix D.2 - Mapping NIST SP 800-171 to CPSF

Columns: NIST SP 800-171 (FAMILY, ID, Security Requirements); NIST SP 800-53 Relevant Security Controls referred from NIST SP 800-171 (Security Controls); Cyber/Physical Security Framework (Measure Requirement ID, Measure Requirement, Example of Security Measures)
3.1.12  Monitor and control remote access sessions.
  NIST SP 800-53: ・AC-17(1) Remote Access | Automated Monitoring / Control
  CPS.AC-3: Properly authorize wireless connection destinations (including users, IoT devices, and servers).
  H‐Advanced
  ‐ The information system and the industrial control system automatically monitor or regulate remote access to its system.
  ‐ The information system and the industrial control system allow only for remote access routed by the regulated access points.
  ‐ The information system allows privileged commands via remote access only for those purposes based on specified requirements.
  ‐ The information system records reasons why the users accessing the system which handles highly confidential data execute privileged commands and access security information by remote access.
  ‐ The information system protects wireless access to the system which handles highly confidential data by using user and device authentication in addition to encryption.
  ‐ The information system blocks remote activation of devices such as white boards, cameras, and microphones connected via networks which may handle highly confidential data. Signs of the devices in use are provided to the users of these devices.
  CPS.CM-1: Conduct network and access monitoring and control at the contact points between corporate networks and wide area networks.
  Advanced
  ‐ The organization monitors and controls communications at the boundary between the industrial control system and the information system.
  ‐ The organization creates a network segment isolated from access to the internal network ("demilitarized zone [DMZ]") between the internal network and external networks (e.g., the Internet).
  ‐ The information system is connected to an external network or system only via a controlled interface that consists of a boundary protection system placed according to the organization's security architecture.
  ‐ The information system ensures that each external communications service is provided via a controlled interface (e.g., a gateway, router, and firewall).
  ‐ The organization establishes a communications control policy for each controlled interface (e.g., a gateway, router, and firewall).
  ‐ The system on a controlled interface rejects network communication by default and permits it as an exception.
  ‐ The organization monitors communications at the external boundaries of the information system and at major internal boundaries within the information system for large amounts of communication from a particular source or multiple sources, and takes appropriate action when necessary (e.g., blocking of communication from a specific IP address).
  Basic
  ‐ The organization monitors and controls communications on the information system's external boundary as well as on the key internal boundary within the information system.
  CPS.CM-5: Monitor communication with external service providers so that potential security events can be detected properly.
  H‐Advanced
  ‐ The organization requires its provider of external information system services to make clear the functions, ports, and protocols needed for the use of the services, along with other services.
  ‐ The organization monitors whether the matters made clear as stated above are observed.
  Advanced
  ‐ The organization documents its security requirements for the staff from its external service provider and system developer, and includes the requirements in the agreement.
  ‐ The organization requires its external service provider and system developer to contact it when any of its staff members who have authorizations for its system are transferred or when their employment terminates.
  ‐ It is desirable that the organization should manage changes to services offered by its external service provider, taking account of relevant information about operations, the importance of its business systems and processes, and re‐assessed risks.
  ‐ The organization monitors whether its external service provider and system developer comply with the requirements.
  ‐ The organization monitors access to its system by its external service provider and system developer in order to detect any unauthorized access by these external businesses that results from an action or failure to act.
  ‐ The organization reports the results of the monitoring of activities by its external service provider and system developer to the appropriate system administrator.
3.1.13  Employ cryptographic mechanisms to protect the confidentiality of remote access sessions.
  NIST SP 800-53: ・AC-17(2) Remote Access | Protection of Confidentiality / Integrity Using Encryption
  CPS.AC-3: Properly authorize wireless connection destinations (including users, IoT devices, and servers).
  H‐Advanced
  ‐ The information system and the industrial control system automatically monitor or regulate remote access to its system.
  ‐ The information system and the industrial control system allow only for remote access routed by the regulated access points.
  ‐ The information system allows privileged commands via remote access only for those purposes based on specified requirements.
  ‐ The information system records reasons why the users accessing the system which handles highly confidential data execute privileged commands and access security information by remote access.
  ‐ The information system protects wireless access to the system which handles highly confidential data by using user and device authentication in addition to encryption.
  ‐ The information system blocks remote activation of devices such as white boards, cameras, and microphones connected via networks which may handle highly confidential data. Signs of the devices in use are provided to the users of these devices.
  CPS.DS-3: Encrypt the communication channel when communicating between IoT devices and servers or in cyberspace.
  Advanced
  ‐ The information system employs a cryptographic mechanism and encrypts communication paths.
  [Reference] For encryption of communication paths, there are several methods such as IP‐VPN, IPsec‐VPN, and SSL VPN. It is desirable that the organization should select the method considering the importance of the data transmitted in the communication paths, the budget, and so on.
3.1.14  Route remote access via managed access control points.
  NIST SP 800-53: ・AC-17(3) Remote Access | Managed Access Control Points
  CPS.CM-1: Conduct network and access monitoring and control at the contact points between corporate networks and wide area networks.
  H‐Advanced
  ‐ The information system routes communications to the network to which a recipient's IP address belongs via a proxy server authenticated on a controlled interface.
  ‐ The information system and the industrial control system monitor and control the use of mobile code.
  ‐ The information system monitors and controls the use of protocols used for audio and video transmission (e.g. VoIP).
  Advanced
  ‐ The organization monitors and controls communications at the boundary between the industrial control system and the information system.
  ‐ The organization creates a network segment isolated from access to the internal network ("demilitarized zone [DMZ]") between the internal network and external networks (e.g., the Internet).
  ‐ The information system is connected to an external network or system only via a controlled interface that consists of a boundary protection system placed according to the organization's security architecture.
  ‐ The information system ensures that each external communications service is provided via a controlled interface (e.g., a gateway, router, and firewall).
  ‐ The organization establishes a communications control policy for each controlled interface (e.g., a gateway, router, and firewall).
  ‐ The system on a controlled interface rejects network communication by default and permits it as an exception.
  ‐ The organization monitors communications at the external boundaries of the information system and at major internal boundaries within the information system for large amounts of communication from a particular source or multiple sources, and takes appropriate action when necessary (e.g., blocking of communication from a specific IP address).
3.1.15  Authorize remote execution of privileged commands and remote access to security-relevant information.
  NIST SP 800-53: ・AC-17(4) Remote Access | Privileged Commands / Access
  CPS.AC-3: Properly authorize wireless connection destinations (including users, IoT devices, and servers).
  H‐Advanced
  ‐ The information system and the industrial control system automatically monitor or regulate remote access to its system.
  ‐ The information system and the industrial control system allow only for remote access routed by the regulated access points.
  ‐ The information system allows privileged commands via remote access only for those purposes based on specified requirements.
  ‐ The information system records reasons why the users accessing the system which handles highly confidential data execute privileged commands and access security information by remote access.
  ‐ The information system protects wireless access to the system which handles highly confidential data by using user and device authentication in addition to encryption.
  ‐ The information system blocks remote activation of devices such as white boards, cameras, and microphones connected via networks which may handle highly confidential data. Signs of the devices in use are provided to the users of these devices.

3.1.16  Authorize wireless access prior to allowing such connections.
  NIST SP 800-53: ・AC-18 Wireless Access
  CPS.AC-3: Properly authorize wireless connection destinations (including users, IoT devices, and servers).
  H‐Advanced
  ‐ The information system and the industrial control system automatically monitor or regulate remote access to its system.
  ‐ The information system and the industrial control system allow only for remote access routed by the regulated access points.
  ‐ The information system allows privileged commands via remote access only for those purposes based on specified requirements.
  ‐ The information system records reasons why the users accessing the system which handles highly confidential data execute privileged commands and access security information by remote access.
  ‐ The information system protects wireless access to the system which handles highly confidential data by using user and device authentication in addition to encryption.
  ‐ The information system blocks remote activation of devices such as white boards, cameras, and microphones connected via networks which may handle highly confidential data. Signs of the devices in use are provided to the users of these devices.
  Advanced
  ‐ The organization regulates the mobile devices used in the organization and establishes setting requirements, connection requirements, and implementation guidelines for mobile devices.
  ‐ The organization establishes rules of approval for connecting mobile devices used in the organization to its system.
  ‐ The organization establishes usage regulations, configuration requirements, and implementation guidelines for each type of approved remote access.
  Basic
  ‐ The organization in principle prohibits unauthorized wireless connections.
  ‐ The organization establishes rules of approval for remote access to an information system and an industrial control system.
  ‐ The organization authorizes wireless access to its system in advance of the approval.
3.1.17  Protect wireless access using authentication and encryption.
  NIST SP 800-53: ・AC-18(1) Wireless Access | Authentication and Encryption
  CPS.AC-3: Properly authorize wireless connection destinations (including users, IoT devices, and servers).
  H‐Advanced
  ‐ The information system and the industrial control system automatically monitor or regulate remote access to its system.
  ‐ The information system and the industrial control system allow only for remote access routed by the regulated access points.
  ‐ The information system allows privileged commands via remote access only for those purposes based on specified requirements.
  ‐ The information system records reasons why the users accessing the system which handles highly confidential data execute privileged commands and access security information by remote access.
  ‐ The information system protects wireless access to the system which handles highly confidential data by using user and device authentication in addition to encryption.
  ‐ The information system blocks remote activation of devices such as white boards, cameras, and microphones connected via networks which may handle highly confidential data. Signs of the devices in use are provided to the users of these devices.
3.1.18  Control connection of mobile devices.
  NIST SP 800-53: ・AC-19 Access Control for Mobile Devices
  CPS.AC-3: Properly authorize wireless connection destinations (including users, IoT devices, and servers).
  H‐Advanced
  ‐ The information system and the industrial control system automatically monitor or regulate remote access to its system.
  ‐ The information system and the industrial control system allow only for remote access routed by the regulated access points.
  ‐ The information system allows privileged commands via remote access only for those purposes based on specified requirements.
  ‐ The information system records reasons why the users accessing the system which handles highly confidential data execute privileged commands and access security information by remote access.
  ‐ The information system protects wireless access to the system which handles highly confidential data by using user and device authentication in addition to encryption.
  ‐ The information system blocks remote activation of devices such as white boards, cameras, and microphones connected via networks which may handle highly confidential data. Signs of the devices in use are provided to the users of these devices.
  Advanced
  ‐ The organization regulates the mobile devices used in the organization and establishes setting requirements, connection requirements, and implementation guidelines for mobile devices.
  ‐ The organization establishes rules of approval for connecting mobile devices used in the organization to its system.
  CPS.AC-9: Authenticate and authorize logical accesses to system components by IoT devices and users according to the transaction risks (personal security, privacy risks, and other organizational risks).
  H‐Advanced
  ‐ The information system and industrial control system require authentication using a public key infrastructure (PKI), especially regarding login to a system that handles highly confidential data.
  * When performing authentication using PKI in an industrial control system, ensure that the processing wait time that occurs does not degrade system performance.
  ‐ The information system and industrial control system lay down conditions that require disconnection of the session for its system and implement a function that automatically terminates a user's session when it falls under these conditions.
  [Reference] For the strength of authentication schemes and appropriate use cases, it is advisable to refer to NIST SP 800‐63‐3.
  Advanced
  ‐ The organization checks the user's identity and authenticates using a mechanism that has sufficient strength for the risk of the transaction (security‐related risks for the user, privacy risks, etc.).
  ‐ The information system displays a notification message on the risk of the transaction (security‐related risks for the user, privacy risks, etc.) when a user logs into the system.
  ‐ The information system and the industrial control system make the feedback on the authentication information invisible in its system during the authentication process.
  ‐ The organization sets the expiration date of the credential and manages whether a password past the expiration date is used.
3.1.19  Encrypt CUI on mobile devices and mobile computing platforms.
  NIST SP 800-53: ・AC-19(5) Access Control for Mobile Devices | Full Device / Container-Based Encryption
  CPS.DS-2: Encrypt information with an appropriate level of security strength, and store it.
  H‐Advanced
  ‐ The organization selects products that have been validated under the Cryptographic Module Validation Program (CMVP) in order to suitably implement selected algorithms in software and hardware, and to protect keys, identification codes, and entity authentication information that is used to decrypt encrypted information or to generate electronic signatures.
  ‐ The organization protects and encrypts data to the appropriate strength when that data is taken outside of the organization.
  ‐ The organization uses IoT devices that can encrypt and store data in internal memory.
  Advanced
  ‐ The organization examines the safety and trustworthiness that are necessary, selects an algorithm, encrypts information (data) to the appropriate strength, and stores the information. If an algorithm on the CRYPTREC Ciphers List can be selected, the organization uses it to encrypt information (data) to the appropriate strength and stores the information.
  ‐ The organization considers the level of security and trustworthiness required for the information, chooses an algorithm, and encrypts and stores high‐importance information handled by industrial control systems with appropriate strength without causing unacceptable impact on performance.
  [Reference] Regarding encryption technologies whose security and implementation performance are confirmed, the "Cryptography Research and Evaluation Committees (CRYPTREC)" releases to the public the list of such technologies recommended for use that are sufficiently used in the market or are considered likely to spread in the future. It is desirable that the organization should refer to the list as needed when procuring systems that should implement encryption functions.
3.1.20  Verify and control/limit connections to and use of external systems.
  NIST SP 800-53: ・AC-20 Use of External Systems
                  ・AC-20(1) Use of External Systems | Limits on Authorized Use
  CPS.AM-5: Create and manage appropriately a list of external information systems where the organization's assets are shared.
  H‐Advanced
  ‐ The system makes a list of external information services in use and manages the users, devices, and services in use in real time.
  ‐ The system uses a mechanism to give notice to the system administrator when an unpermitted external information system service is detected.
  ‐ The organization identifies functions, ports, protocols, and other services which are necessary for using services offered by external providers.
  Advanced
  ‐ The organization sets conditions for allowing other organizations which own or operate external information systems to do the following:
    a. Accessing an information system in the organization from an external information system
    b. Processing, saving, or transmitting information under the control of the organization using an external information system
  ‐ The organization restricts the use of storage in an external system the organization owns to authorized storage.
3.1.21  Limit use of organizational portable storage devices on external systems.
  NIST SP 800-53: ・AC-20(2) Use of External Systems | Portable Storage Devices
  CPS.AM-5: Create and manage appropriately a list of external information systems where the organization's assets are shared.
  Advanced
  ‐ The organization sets conditions for allowing other organizations which own or operate external information systems to do the following:
    a. Accessing an information system in the organization from an external information system
    b. Processing, saving, or transmitting information under the control of the organization using an external information system
  ‐ The organization restricts the use of storage in an external system the organization owns to authorized storage.

3.1.22  Control CUI posted or processed on publicly accessible systems.
  NIST SP 800-53: ・AC-22 Publicly Accessible Content
  CPS.GV-3: Understand the level of data protection required by laws and arrangements regarding handling of data only by relevant organizations, develop data classification methods based on each requirement, and properly classify and protect data throughout the whole life cycle.
  Basic
  ‐ The organization identifies and documents all legal requirements and contract requirements related to data protection for each system and each organization, and the organization's activities to satisfy these requirements, and keeps them up to date.
  ‐ The organization classifies its data appropriately according to the classification of the identified rules.
  ‐ The organization takes measures for systems, components, etc., handling the applicable data in accordance with the requirements of the identified rules. When the implementation of a measure is considered difficult, measures such as tokenization of the applicable data in the organization may be considered (e.g., tokenization of card information due to the Installment Sales Law).
AWARENESS AND TRAINING

3.2.1  Ensure that managers, systems administrators, and users of organizational systems are made aware of the security risks associated with their activities and of the applicable policies, standards, and procedures related to the security of those systems.
  NIST SP 800-53: ・AT-2 Security Awareness Training
                  ・AT-3 Role-Based Security Training
  CPS.AT-1: Provide appropriate training and education to all individuals in the organization and manage the record so that they can fulfill assigned roles and responsibilities to prevent and contain the occurrence and severity of security incidents.
  H‐Advanced
  ‐ The organization provides security awareness training to all necessary personnel so that they will recognize and report signs of internal fraud.
  Advanced
  ‐ The organization regularly provides basic security awareness training to all members of staff. The organization can, for example, cover the following matters in addition to the contents explaining general matters.
    ‐ Procedure to respond when you receive a suspicious email
    ‐ Notes on using mobile devices (e.g. notes on connecting to a public wireless LAN)
    ‐ Notes on using SNS
  ‐ The organization creates a program for each role (e.g., system/software developer, purchasing personnel, system administrator, personnel in charge of security measures) to train information security personnel and to improve their skills. The program is conducted regularly for applicable personnel.
  ‐ The organization regularly reviews records of security education and training.
  CPS.AT-2: Provide appropriate training and security education to members of the organization and other relevant parties of high importance in security management that may be involved in the security incident prevention and response. Then, manage the record of such training and security education.
  Advanced
  ‐ The organization requests related organizations that may be involved in the security incident to give training (e.g. simulation assuming an actual incident) and security education appropriate to the execution of the roles assigned to the personnel in charge, and confirms the training/education implementation status.
  ‐ The organization regularly reviews the records of education and training for persons in charge at relevant parties that are highly important in its own security management.
  Basic
  ‐ The organization requests that training (e.g. simulation assuming an actual incident) and security education appropriate to the execution of the roles assigned to the personnel in charge be given to their personnel, and confirms the training/education implementation status.
  ‐ The organization records and manages the contents and results of security education and training for members of the organization.
3.2.2  Ensure that organizational personnel are adequately trained to carry out their assigned information security-related duties and responsibilities.
  NIST SP 800-53: ・AT-2 Security Awareness Training
                  ・AT-3 Role-Based Security Training
  CPS.AT-1: Provide appropriate training and education to all individuals in the organization and manage the record so that they can fulfill assigned roles and responsibilities to prevent and contain the occurrence and severity of security incidents.
  Advanced
  ‐ The organization regularly provides basic security awareness training to all members of staff. The organization can, for example, cover the following matters in addition to the contents explaining general matters.
    ‐ Procedure to respond when you receive a suspicious email
    ‐ Notes on using mobile devices (e.g. notes on connecting to a public wireless LAN)
    ‐ Notes on using SNS
  ‐ The organization creates a program for each role (e.g., system/software developer, purchasing personnel, system administrator, personnel in charge of security measures) to train information security personnel and to improve their skills. The program is conducted regularly for applicable personnel.
  ‐ The organization regularly reviews records of security education and training.
  CPS.AT-2: Provide appropriate training and security education to members of the organization and other relevant parties of high importance in security management that may be involved in the security incident prevention and response. Then, manage the record of such training and security education.
  Advanced
  ‐ The organization requests related organizations that may be involved in the security incident to give training (e.g. simulation assuming an actual incident) and security education appropriate to the execution of the roles assigned to the personnel in charge, and confirms the training/education implementation status.
  ‐ The organization regularly reviews the records of education and training for persons in charge at relevant parties that are highly important in its own security management.

3.2.3  Provide security awareness training on recognizing and reporting potential indicators of insider threat.
  NIST SP 800-53: ・AT-2(2) Security Awareness Training | Insider Threat
  CPS.AT-1: Provide appropriate training and education to all individuals in the organization and manage the record so that they can fulfill assigned roles and responsibilities to prevent and contain the occurrence and severity of security incidents.
  H‐Advanced
  ‐ The organization provides security awareness training to all necessary personnel so that they will recognize and report signs of internal fraud.

D-2-5

Appendix D.2 - Mapping NIST SP 800-171 to CPSF
Columns of the mapping table: FAMILY; NIST SP 800-171 ID and Security Requirements; NIST SP 800-53 Relevant Security Controls referred from NIST SP 800-171; Cyber/Physical Security Framework Measure Requirement ID, Measure Requirement, and Example of Security Measures (given per level: Basic, Advanced, H‐Advanced).
AUDIT AND ACCOUNTABILITY

3.3.1  Create, protect, and retain system audit records to the extent needed to enable the monitoring, analysis, investigation, and reporting of unlawful, unauthorized, or inappropriate system activity.
  NIST SP 800-53 controls:
  ・AU-2 Audit Events
  ・AU-3 Content of Audit Records
  ・AU-3(1) Content of Audit Records | Additional Audit Information
  ・AU-6 Audit Review, Analysis, and Reporting
  ・AU-12 Audit Generation
  CPS.SC-6: Conduct regular assessments through auditing, test results, or other checks of relevant parties such as business partners to ensure they are fulfilling their contractual obligations.
    H‐Advanced:
    ‐ The organization adopts an automatic mechanism integrating review, analysis, and reporting that supports the investigation of, and the procedures for addressing, deviation or signs of deviation from contract matters.
    ‐ The organization uses a mechanism that allows it to list and check whether obligatory matters stipulated in the contract are fulfilled, namely matters concerning the security management of the organization and the security functions implemented in the products and services to be delivered, especially for important clients and reconsigned organizations.
    ‐ The state of compliance with the security management measures of the external service provider is regularly checked by external audits and field surveys conducted by the outsourcer.
    ‐ Important business partners and, if possible, their re‐contractors etc. investigate whether there is any sign of an attack or any fact of information leakage, and regularly report the result to the organization.
    Advanced:
    ‐ The organization checks whether the requirements prescribed in the contract with the client can be audited on the system.
    ‐ The information system provides a function that allows audit records to be created for the events defined above that can be audited on the system.
    ‐ The organization shall be able to maintain consistency in security audits with other organizations that require information on the audit.
    ‐ The organization regularly reviews and analyzes audit records that are made manually or automatically by the system, and checks whether there is any deviation or sign of deviation from contract matters.
    ‐ The state of compliance with the security management measures of the external service provider is regularly checked by internal audits that are conducted by the client using a checklist.
  CPS.PT-1: Determine and document the subject or scope of the audit recording/log recording, and implement and review those records in order to properly detect high-risk security incidents.
    H‐Advanced:
    ‐ In addition to the detection of security incidents, the collected logs are considered to be useful in tracking the cause of security incidents after the fact. Therefore, the information system collects, if possible, detailed logs (e.g. OS command level) that do not remain in the OS function.
    ‐ If time stamps in multiple audit logs match, the audit logs of the subjects specified by the organization are managed as audit trails across the system, logically and physically.
    ‐ The information system provides system functions designed to compare and synchronize internal system clocks by using an official source of information for generating time stamps for an audit record.
    ‐ The information system adopts an automatic mechanism designed to handle audit review, analysis, and reporting in an integrated manner.
    ‐ It may be difficult to generate security‐related audit logs for some of the IoT devices that an organization uses, or to connect some of those devices to the existing log management system. Hence, it is necessary to take measures that consider the specs of the IoT devices, such as using a log management system different from the main one or using an alternative measure on the part of the system, when collecting and analyzing audit logs from the relevant IoT devices.
    Advanced:
    ‐ The information system and the industrial control system each use a cryptographic mechanism in order to ensure the integrity of both the audit log and the audit tools.
    ‐ The organization grants control over an audit log only to users assigned in accordance with the rules about security‐related internal responsibility.
    ‐ The information system issues an alert when a failure takes place in the audit process.
    Basic:
    ‐ The organization specifies what is to be audited based on its risk management strategy and risk assessment results, and sees if the systems can acquire audit logs that show who did what and when in connection with the subjects of an audit.
    ‐ The system generates the prescribed audit log from the various system components.
    ‐ The organization reviews and analyzes a system's audit log regularly to see if there are any signs of security incidents that may cause damage to the organization, and makes a report to the system administrator where necessary.
    ‐ The organization confirms that the impact of audit activities on the performance of industrial control systems is tolerable.

3.3.2  Ensure that the actions of individual system users can be uniquely traced to those users so they can be held accountable for their actions.
  NIST SP 800-53 controls:
  ・AU-2 Audit Events
  ・AU-3 Content of Audit Records
  ・AU-3(1) Content of Audit Records | Additional Audit Information
  ・AU-6 Audit Review, Analysis, and Reporting
  ・AU-12 Audit Generation
  CPS.PT-1 (H‐Advanced, Advanced, Basic): the measure requirement and the example security measures are the same as those listed for CPS.PT-1 under 3.3.1.

D-2-6
3.3.3  Review and update audited events.
  NIST SP 800-53 controls:
  ・AU-2(3) Audit Events | Reviews and Updates
  CPS.PT-1 (H‐Advanced, Advanced, Basic): the measure requirement and the example security measures are the same as those listed for CPS.PT-1 under 3.3.1.

3.3.4  Alert in the event of an audit process failure.
  NIST SP 800-53 controls:
  ・AU-5 Response to Audit Processing Failures
  CPS.PT-1 (H‐Advanced, Advanced): the measure requirement and the example security measures are the same as the H‐Advanced and Advanced measures listed for CPS.PT-1 under 3.3.1.

3.3.5  Correlate audit review, analysis, and reporting processes for investigation and response to indications of inappropriate, suspicious, or unusual activity.
  NIST SP 800-53 controls:
  ・AU-6(3) Audit Review, Analysis, and Reporting | Correlate Audit Repositories
  CPS.SC-6 (H‐Advanced): the measure requirement and the example security measures are the same as the H‐Advanced measures listed for CPS.SC-6 under 3.3.1.
  CPS.PT-1 (H‐Advanced, Basic): the measure requirement and the example security measures are the same as the H‐Advanced and Basic measures listed for CPS.PT-1 under 3.3.1.

3.3.6  Provide audit reduction and report generation to support on-demand analysis and reporting.
  NIST SP 800-53 controls:
  ・AU-7 Audit Reduction and Report Generation
  CPS.PT-1 (H‐Advanced): the measure requirement and the example security measures are the same as the H‐Advanced measures listed for CPS.PT-1 under 3.3.1.

D-2-7
3.3.7  Provide a system capability that compares and synchronizes internal system clocks with an authoritative source to generate time stamps for audit records.
  NIST SP 800-53 controls:
  ・AU-8 Time Stamps
  ・AU-8(1) Time Stamps | Synchronization with Authoritative Time Source
  CPS.PT-1 (H‐Advanced): the measure requirement and the example security measures are the same as the H‐Advanced measures listed for CPS.PT-1 under 3.3.1.

3.3.8  Protect audit information and audit tools from unauthorized access, modification, and deletion.
  NIST SP 800-53 controls:
  ・AU-9 Protection of Audit Information
  CPS.PT-1 (H‐Advanced, Advanced): the measure requirement and the example security measures are the same as the H‐Advanced and Advanced measures listed for CPS.PT-1 under 3.3.1.

3.3.9  Limit management of audit functionality to a subset of privileged users.
  NIST SP 800-53 controls:
  ・AU-9(4) Protection of Audit Information | Access by Subset of Privileged Users
  CPS.PT-1 (H‐Advanced, Advanced): the measure requirement and the example security measures are the same as the H‐Advanced and Advanced measures listed for CPS.PT-1 under 3.3.1.
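The CPS.PT-1 Advanced measures mapped to 3.3.8 and 3.3.9 call for a cryptographic mechanism that protects audit-log integrity, control over the log restricted to assigned users, and an alert when the audit process fails. The Python below is an added illustration of one way to implement the first and third of these with an HMAC hash chain; it is not code from the CPSF or from any product, and the key, the event fields and the failure condition are constructed for the demonstration.

```python
import hashlib
import hmac
import json

# Hypothetical key for the stand-alone demo. In a real deployment the MAC key
# is held by the log server or an HSM, not by the hosts being audited, so that
# the administrators whose actions are logged cannot re-seal a modified chain.
DEMO_KEY = b"demo-only-audit-key-not-for-production"
GENESIS = b"\x00" * 32  # chain anchor that precedes the first record


def canonical(record: dict) -> bytes:
    """Stable serialisation so the same event always yields the same bytes."""
    return json.dumps(record, sort_keys=True, separators=(",", ":")).encode()


def seal(key: bytes, prev_mac: bytes, payload: bytes) -> bytes:
    """MAC over the previous record's MAC and this payload: the chain link."""
    return hmac.new(key, prev_mac + payload, hashlib.sha256).digest()


class AuditLog:
    """Append-only, hash-chained audit log with an audit-failure alert hook."""

    def __init__(self, key: bytes, alert, sink=None):
        self._key = key
        self._alert = alert                 # called when the audit process fails
        self._records = []                  # (canonical payload, hex MAC)
        self._sink = sink or self._records.append
        self._prev = GENESIS

    def append(self, actor: str, action: str, subject: str, ts: str) -> None:
        # Each record states who did what, to which subject, and when.
        payload = canonical(
            {"ts": ts, "actor": actor, "action": action, "subject": subject})
        mac = seal(self._key, self._prev, payload)
        try:
            self._sink((payload.decode(), mac.hex()))
        except OSError as exc:
            # Failing to write an audit record is itself a security event.
            self._alert(f"audit processing failure: {exc}")
            raise
        self._prev = mac

    def records(self):
        return list(self._records)


def verify(key: bytes, records):
    """Walk the chain; return (True, None) or (False, index of first bad record)."""
    prev = GENESIS
    for i, (payload, mac_hex) in enumerate(records):
        expected = seal(key, prev, payload.encode())
        if not hmac.compare_digest(expected.hex(), mac_hex):
            return False, i
        prev = expected
    return True, None


def build_sample_log(key: bytes = DEMO_KEY):
    """Constructed sample events (not real data) in chronological order."""
    log = AuditLog(key, alert=lambda msg: None)
    log.append("operator01", "login", "hmi-01", "2024-01-10T08:00:00Z")
    log.append("operator01", "setpoint_change", "plc-03", "2024-01-10T08:05:12Z")
    log.append("admin02", "config_export", "historian", "2024-01-10T09:30:00Z")
    return log.records()


def with_modified_actor(records, index: int, new_actor: str):
    """Copy of the log in which one record's actor field was edited afterwards."""
    payload, mac_hex = records[index]
    rec = json.loads(payload)
    rec["actor"] = new_actor
    return records[:index] + [(canonical(rec).decode(), mac_hex)] + records[index + 1:]


def without_record(records, index: int):
    """Copy of the log with one record silently deleted."""
    return records[:index] + records[index + 1:]


def audit_failure_alerts():
    """Exercise the alert path: a sink that cannot write raises, the alert fires."""
    alerts = []

    def broken_sink(entry):
        raise OSError("audit volume full")  # constructed failure

    log = AuditLog(DEMO_KEY, alert=alerts.append, sink=broken_sink)
    try:
        log.append("operator01", "login", "hmi-01", "2024-01-10T10:00:00Z")
    except OSError:
        pass
    return alerts


if __name__ == "__main__":
    recs = build_sample_log()
    print("intact :", verify(DEMO_KEY, recs))                                   # (True, None)
    print("edited :", verify(DEMO_KEY, with_modified_actor(recs, 1, "admin02")))  # (False, 1)
    print("deleted:", verify(DEMO_KEY, without_record(recs, 1)))                # (False, 1)
    print("alerts :", audit_failure_alerts())
```

The chain alone cannot reveal that records were cut from its tail, so the log server must also keep the latest MAC (or a sequence counter) out of the audited host's reach, which is also where the key belongs so that only the users assigned control of the log can re-seal it.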
CONFIGURATION MANAGEMENT

3.4.1  Establish and maintain baseline configurations and inventories of organizational systems (including hardware, software, firmware, and documentation) throughout the respective system development life cycles.
  NIST SP 800-53 controls:
  ・CM-2 Baseline Configuration
  ・CM-6 Configuration Settings
  ・CM-8 System Component Inventory
  ・CM-8(1) System Component Inventory | Updates During Installations / Removals
  CPS.AM-1: Document and manage appropriately the list of hardware and software, and the management information (e.g. name of asset, version, network address, name of asset manager, license information) of components in the system.
    Advanced:
    ‐ Maintain/manage lists including configuration information of assets (e.g., names, version information, license information, and location) by reviewing and updating them periodically.
    ‐ The organization makes a list of removable media (e.g., USB memory sticks) that can be used on system components (information system or industrial control system), and manages the use of them.
    ‐ The organization uses only removable media (e.g. USB memory) permitted in the organization. Also, if there is no identifiable owner of a portable storage device, the organization prohibits the use of that device.
    ‐ The organization controls access to the media that contain highly confidential data, and properly grasps and manages the usage of the media taken outside of the controlled areas.
    Basic:
    ‐ The organization identifies the assets constituting its information system and industrial control system (hardware, software and information), assigns a responsible person to each asset, and documents a list of them.
    ‐ It is desirable to list all the assets held, but if the target is huge, consider narrowing down the target assets through integration (grouping) of the analysis target and exclusion from the analysis target.
    ‐ The organization sets priorities for the identified assets based on their importance to its business operation.
  CPS.CM-6: As part of the configuration management of devices, constantly manage software configuration information, the status of network connections (e.g., presence/absence of connections and access destination), and the information transmission/reception status between other "organizations", people, components, and systems.
    Advanced:
    ‐ It is desirable that the organization should update the list of information about its assets and configurations when it installs or deletes assets or when it updates its system.
    ‐ The information system ensures that each external communications service is provided via a controlled interface (e.g., a gateway, router, and firewall).
    ‐ The organization establishes a communications control policy for each controlled interface (e.g., a gateway, router, and firewall).
    ‐ The system on a controlled interface rejects network communication by default and permits it as an exception.
    ‐ The information system and the industrial control system terminate the network connection after a session ends, or when a session remains inactive for a certain length of time.
    ‐ The organization monitors communication on controlled interfaces in order to detect any communication to unapproved items or systems, or other communication that conveys inappropriate content.
    Basic:
    ‐ The organization creates a ledger to manage model numbers of assets, including servers, software versions, and the expiration of support services, and takes a regular inventory.
    ‐ The organization regularly checks whether necessary measures are taken during operation (e.g., checking IoT devices for any unauthorized use or theft; applying a patch; checking logs) and the state of IoT devices.

D-2-8
‐The organization identifies assets constituting its information systems and industrial control systems (hardware, including IoT devices; software; 
Document and manage appropriately the list of and information) uniquely, assigns a responsible person to each asset. And the organization maintains/manages lists periodically, or at the request 
hardware and software, and management of the operator including configuration information of assets (e.g., names, version information, license information, and location) while 
recognizing situations in real time.
CPS.AM-1 information (e.g. name of asset, version, network H‐Advanced
‐ The information system regularly audits whether the actual configuration grasped conforms to the baseline configuration defined by the 
address, name of asset manager, license organization, and responds appropriately. (Example: blocking unplanned connections except those permitted by the organization as an exception)
information) of components in the system. ‐The information system and industrial control system implement and operate a mechanism which automatically detects and responses to 
unauthorized assets.
・CM-2 Baseline Configuration ‐ When changes are made to the IoT devices and servers that are subjects of configuration management, the organization analyzes the impact the 
change has on security, decides whether the change can be made or not, and creates a document on the procedure.
    - The organization limits the personnel who can make changes to approved IoT devices and servers (restricted access).
    - The organization makes changes to approved IoT devices and servers, and implements, records, and monitors those changes.
    - The organization uses a secure recovery method (e.g., entering a security code known only to the user before the change is implemented) when a user forgets the password of an account, IoT device, or server.
    - The organization regularly reviews policies and procedures for operation and change management to ensure that changes do not adversely affect the availability or safety of the information system and industrial control system.

3.4.2  Establish and enforce security configuration settings for information technology products employed in organizational systems.
  NIST SP 800-53: CM-6 Configuration Settings; CM-8 System Component Inventory; CM-8(1) System Component Inventory | Updates During Installations / Removals
  CPS.IP-1: Introduce and implement the process to manage the initial setting procedure (e.g., password) and the setting change procedure for IoT devices and servers.
    Basic
    - Upon determining the most restrictive setting criteria that conform to its operation, the organization creates a document on the initial setting procedures and setting details for the IoT devices and servers that will be introduced, and adjusts the settings according to the document.
    - The organization checks the initial setting values of IoT devices before installing them, and adjusts the settings appropriately if they do not comply with the policy stipulated in CPS.AC-1.
    - The organization checks and records the software installed in IoT devices before introducing them.
    - When changes are made to IoT devices and servers that are subject to configuration management, the organization analyzes the impact the change has on security, decides whether the change can be made or not, and creates a document on the procedure.
    Advanced
    - The organization limits the personnel who can make changes to approved IoT devices and servers (restricted access).
    - The organization makes changes to approved IoT devices and servers, and implements, records, and monitors those changes.
    - The organization uses a secure recovery method (e.g., entering a security code known only to the user before the change is implemented) when a user forgets the password of an account, IoT device, or server.
    - The organization regularly reviews policies and procedures for operation and change management to ensure that changes do not adversely affect the availability or safety of the information system and industrial control system.
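As an added worked example (not text or code from the Framework), the following Python program models the CPS.IP-1 measures listed above: a documented baseline of the most restrictive settings, a pre-installation check of a device's setting values and installed software against that baseline, and a change-control step that approves a change only when it comes from authorised personnel, carries a security impact analysis, and does not weaken the documented baseline. The baseline keys, software names, approver names, and the device record are constructed for illustration.

```python
"""Configuration baseline check and change approval for IoT devices.

Added example modelling CPS.IP-1 (not Framework code). All device data,
baseline keys, and approver names below are constructed for illustration.
"""
from dataclasses import dataclass, field
from datetime import datetime, timezone

# Documented baseline: the most restrictive settings that still support operation.
BASELINE = {
    "telnet_enabled": False,
    "ssh_enabled": True,
    "default_password_changed": True,
    "firmware_auto_update": True,
}
# Software recorded as approved for this device class before introduction.
APPROVED_SOFTWARE = {"busybox", "openssh-server", "sensor-agent"}
# Personnel authorised to change approved devices (restricted access).
CHANGE_APPROVERS = {"ops-admin-1", "ops-admin-2"}


def check_initial_settings(device: dict) -> list:
    """Return deviations of a device's settings/software from the baseline.

    Each deviation is (setting, expected, actual); an empty list means the
    device may be installed as delivered.
    """
    findings = []
    for key, expected in BASELINE.items():
        actual = device.get("settings", {}).get(key)
        if actual != expected:
            findings.append((key, expected, actual))
    for pkg in sorted(set(device.get("software", [])) - APPROVED_SOFTWARE):
        findings.append(("unapproved_software", None, pkg))
    return findings


@dataclass
class ChangeRequest:
    device_id: str
    setting: str
    new_value: object
    requested_by: str
    impact_analysis: str = ""
    approved: bool = False
    log: list = field(default_factory=list)   # decision record for the procedure document


def review_change(req: ChangeRequest) -> ChangeRequest:
    """Decide whether a configuration change may be made and record the decision.

    Rejects requests from unauthorised personnel, requests without a security
    impact analysis, and requests that move a setting away from the baseline
    (e.g. re-enabling telnet).
    """
    stamp = datetime.now(timezone.utc).isoformat()
    if req.requested_by not in CHANGE_APPROVERS:
        req.log.append(f"{stamp} REJECT {req.setting}: requester not authorised")
    elif not req.impact_analysis.strip():
        req.log.append(f"{stamp} REJECT {req.setting}: no security impact analysis")
    elif req.setting in BASELINE and req.new_value != BASELINE[req.setting]:
        req.log.append(f"{stamp} REJECT {req.setting}: weakens documented baseline")
    else:
        req.approved = True
        req.log.append(f"{stamp} APPROVE {req.setting}={req.new_value!r}")
    return req


if __name__ == "__main__":
    # Constructed inventory record for a device as delivered by the vendor.
    new_device = {
        "id": "sensor-017",
        "settings": {"telnet_enabled": True, "ssh_enabled": True,
                     "default_password_changed": False, "firmware_auto_update": True},
        "software": ["busybox", "openssh-server", "debug-shell"],
    }
    for finding in check_initial_settings(new_device):
        print("DEVIATION", finding)
    req = review_change(ChangeRequest("sensor-017", "telnet_enabled", True,
                                      "ops-admin-1", "needed for a legacy tool"))
    print(req.approved, req.log[-1])
```

The pre-installation check fails closed: a setting missing from the device record counts as a deviation, and any package outside the approved list is reported, which is the CPS.IP-1 Basic step of checking and recording software before introduction.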
3.4.3  Track, review, approve/disapprove, and audit changes to organizational systems.
  NIST SP 800-53: CM-3 Configuration Change Control
  CPS.CM-6: As part of the configuration management of devices, constantly manage software configuration information, the status of network connections (e.g., presence/absence of connections and access destination), and the information transmission/reception status between other "organizations", people, components, and systems.
    Advanced
    - It is desirable that the organization update the list of information about its assets and configurations when it installs or deletes assets or when it updates its system.
    - The information system ensures that each external communications service is provided via a controlled interface (e.g., a gateway, router, or firewall).
    - The organization establishes a communications control policy for each controlled interface (e.g., a gateway, router, or firewall).
    - The system on a controlled interface rejects network communication by default and permits it as an exception.
    - The information system and the industrial control system terminate the network connection after a session ends, or when a session remains inactive for a certain length of time.
    - The organization monitors communication on controlled interfaces in order to detect any communication to unapproved items or systems, or communication that conveys inappropriate content.
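The following Python program is an added example, not part of the Framework, implementing the CPS.CM-6 items above as a policy check at a controlled interface: explicit allow rules per source network, destination, protocol, and port; default denial of anything unmatched, so that flows to unapproved destinations are reported to monitoring; and termination of sessions that have ended or have been idle beyond a threshold. The networks, ports, timeout, and flow records are constructed.

```python
"""Default-deny communications control at a controlled interface.

Added example for CPS.CM-6 (not Framework code). Networks, ports, the idle
timeout, and the sample flows are constructed for illustration.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Communications control policy for the gateway between a constructed OT
# segment (10.10.0.0/24) and its historian network: anything not listed is rejected.
ALLOW_RULES = [
    # (source network, destination network, protocol, destination port)
    ("10.10.0.0/24", "10.20.0.10/32", "tcp", 502),   # Modbus/TCP to the historian
    ("10.10.0.0/24", "10.20.0.20/32", "udp", 123),   # NTP
]
IDLE_TIMEOUT_S = 300  # terminate sessions inactive for longer than this


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    proto: str
    dport: int
    last_activity: int     # epoch seconds of the last packet seen
    closed: bool = False   # True once the session has ended


def is_permitted(flow: Flow) -> bool:
    """True only if some allow rule explicitly matches the flow (deny by default)."""
    src, dst = ip_address(flow.src), ip_address(flow.dst)
    for s_net, d_net, proto, port in ALLOW_RULES:
        if (src in ip_network(s_net) and dst in ip_network(d_net)
                and flow.proto == proto and flow.dport == port):
            return True
    return False


def evaluate(flows: list, now: int) -> dict:
    """Classify flows: permitted, denied (report to monitoring), or to be terminated."""
    result = {"permitted": [], "denied": [], "terminate": []}
    for f in flows:
        if f.closed:
            result["terminate"].append(f)       # session ended: drop its state
        elif not is_permitted(f):
            result["denied"].append(f)          # unapproved destination/protocol/port
        elif now - f.last_activity > IDLE_TIMEOUT_S:
            result["terminate"].append(f)       # inactive beyond the threshold
        else:
            result["permitted"].append(f)
    return result


if __name__ == "__main__":
    NOW = 1_700_000_000  # constructed reference time
    sample = [
        Flow("10.10.0.5", "10.20.0.10", "tcp", 502, NOW - 10),
        Flow("10.10.0.5", "10.20.0.10", "tcp", 502, NOW - 900),   # idle for 15 minutes
        Flow("10.10.0.7", "10.20.0.20", "udp", 123, NOW - 1, closed=True),
        Flow("10.10.0.9", "203.0.113.45", "tcp", 443, NOW - 2),   # destination not in policy
        Flow("10.10.0.5", "10.20.0.10", "tcp", 22, NOW - 3),      # approved host, wrong port
    ]
    for verdict, flows in evaluate(sample, NOW).items():
        for f in flows:
            print(f"{verdict:10} {f.src} -> {f.dst} {f.proto}/{f.dport}")
```

Because `is_permitted` has no wildcard rule, a new service that has not been added to the policy document shows up in the denied list rather than silently passing, which is what makes the denied list useful as a monitoring feed.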
3.4.4  Analyze the security impact of changes prior to implementation.
  NIST SP 800-53: CM-4 Security Impact Analysis
3.4.5  Define, document, approve, and enforce physical and logical access restrictions associated with changes to organizational systems.
  NIST SP 800-53: CM-5 Access Restrictions for Change
  CPS.IP-1 (mapped from both 3.4.4 and 3.4.5): Introduce and implement the process to manage the initial setting procedure (e.g., password) and the setting change procedure for IoT devices and servers.
    Advanced
    - When changes are made to IoT devices and servers that are subject to configuration management, the organization analyzes the impact the change has on security, decides whether the change can be made or not, and creates a document on the procedure.
    - The organization limits the personnel who can make changes to approved IoT devices and servers (restricted access).
    - The organization makes changes to approved IoT devices and servers, and implements, records, and monitors those changes.
    - The organization uses a secure recovery method (e.g., entering a security code known only to the user before the change is implemented) when a user forgets the password of an account, IoT device, or server.
3.4.6  Employ the principle of least functionality by configuring organizational systems to provide only essential capabilities.
  NIST SP 800-53: CM-7 Least Functionality
  CPS.PT-2: Minimize the functions of IoT devices and servers by physically and logically blocking unnecessary network ports, USB ports, serial ports, etc. that directly access the main bodies of IoT devices and servers.
    H-Advanced
    - The organization identifies software programs that are not allowed to be executed on a system.
    - The organization manages a "black list" or "white list" so that software programs not allowed on the system cannot be executed.
    - The organization regularly reviews and updates the black list or white list.
    - The system blocks the execution of these programs in accordance with the specified rules.
    Advanced
    - The organization reviews the functions and services provided by its systems and items in order to identify the functions and services that could be deleted.
    - The organization uses network scanning tools, intrusion detection and prevention systems, and endpoint protection (e.g., a firewall or host-based intrusion detection system) in order to detect and prevent the use of banned functions, ports, protocols, and services.
    - The organization minimizes the functions and services of devices connected to the network, such as multifunction printers, in addition to typical IoT devices and servers.
3.4.7  Restrict, disable, and prevent the use of nonessential functions, ports, protocols, and services.
  NIST SP 800-53: CM-7(1) Least Functionality | Periodic Review; CM-7(2) Least Functionality | Prevent Program Execution
  CPS.PT-2: Minimize the functions of IoT devices and servers by physically and logically blocking unnecessary network ports, USB ports, serial ports, etc. that directly access the main bodies of IoT devices and servers.
    H-Advanced
    - The organization identifies software programs that are not allowed to be executed on a system.
    - The organization manages a "black list" or "white list" so that software programs not allowed on the system cannot be executed.
    - The organization regularly reviews and updates the black list or white list.
    - The system blocks the execution of these programs in accordance with the specified rules.
3.4.8  Apply deny-by-exception (blacklist) policy to prevent the use of unauthorized software or deny-all, permit-by-exception (whitelisting) policy to allow the execution of authorized software.
  NIST SP 800-53: CM-7(2) Least Functionality | Unauthorized Software / Blacklisting; CM-7(5) Least Functionality | Authorized Software / Whitelisting
  CPS.IP-2: Restrict the software to be added after installation in the IoT devices and servers.
    H-Advanced
    - The organization restricts software by using a list of software that is permitted to be executed on the information system and industrial control system (whitelist) or a list of prohibited software (blacklist). Alternatively, unpermitted software shall not be installed.
  CPS.PT-2: Minimize the functions of IoT devices and servers by physically and logically blocking unnecessary network ports, USB ports, serial ports, etc. that directly access the main bodies of IoT devices and servers.
    H-Advanced
    - The organization identifies software programs that are not allowed to be executed on a system.
    - The organization manages a "black list" or "white list" so that software programs not allowed on the system cannot be executed.
    - The organization regularly reviews and updates the black list or white list.
    - The system blocks the execution of these programs in accordance with the specified rules.
3.4.9  Control and monitor user-installed software.
  NIST SP 800-53: CM-11 User-Installed Software
  CPS.IP-2: Restrict the software to be added after installation in the IoT devices and servers.
    H-Advanced
    - The organization restricts software by using a list of software that is permitted to be executed on the information system and industrial control system (whitelist) or a list of prohibited software (blacklist). Alternatively, unpermitted software shall not be installed.
    Advanced
    - The organization adopts and manages a mechanism that controls software installation performed by users on the organization's system (information system or industrial control system) and monitors the events.
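The CPS.PT-2 and CPS.IP-2 measures mapped from 3.4.6 through 3.4.9 describe a whitelist or blacklist of executable software that is regularly reviewed. The Python program below is an added example (not Framework code) of how such a check is usually realised: programs are keyed by the SHA-256 of their contents rather than by path or name, so a renamed or modified binary is still blocked; the blacklist is always consulted; in whitelist mode anything not listed is denied; and a separate check flags lists that have not been reviewed within the required interval. The "binaries", hashes, review date, and interval are constructed, and nothing is executed.

```python
"""Executable whitelist/blacklist decision with list-review ageing.

Added example for CPS.PT-2 / CPS.IP-2 (not Framework code). File contents,
the last review date, and the review interval are constructed.
"""
import hashlib
from datetime import date, timedelta

REVIEW_INTERVAL_DAYS = 90               # constructed review cadence for the lists


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# Constructed file contents standing in for real binaries.
SENSOR_AGENT = b"#!/bin/sh\necho sensor agent v1\n"
TAMPERED_AGENT = b"#!/bin/sh\necho sensor agent v1 (patched)\n"
DEBUG_SHELL = b"#!/bin/sh\nexec /bin/sh\n"

WHITELIST = {sha256_hex(SENSOR_AGENT): "sensor-agent"}   # permitted programs
BLACKLIST = {sha256_hex(DEBUG_SHELL): "debug-shell"}     # programs never allowed
LIST_LAST_REVIEWED = date(2024, 1, 15)                   # constructed


def decide(path: str, content: bytes, mode: str = "whitelist") -> tuple:
    """Return (allowed, reason) for an execution attempt.

    mode="whitelist": permit only hashes on the whitelist (deny by default).
    mode="blacklist": permit everything except hashes on the blacklist.
    The blacklist is consulted first in both modes.
    """
    digest = sha256_hex(content)
    if digest in BLACKLIST:
        return False, f"{path}: on blacklist as {BLACKLIST[digest]}"
    if mode == "whitelist":
        if digest in WHITELIST:
            return True, f"{path}: whitelisted as {WHITELIST[digest]}"
        return False, f"{path}: not on whitelist (sha256 {digest[:12]}...)"
    if mode == "blacklist":
        return True, f"{path}: not blacklisted"
    raise ValueError(f"unknown mode {mode!r}")


def list_review_overdue(today: date, last_reviewed: date = LIST_LAST_REVIEWED) -> bool:
    """True when the lists have not been reviewed within REVIEW_INTERVAL_DAYS."""
    return today - last_reviewed > timedelta(days=REVIEW_INTERVAL_DAYS)


if __name__ == "__main__":
    for path, content in [("/opt/agent", SENSOR_AGENT),
                          ("/opt/agent", TAMPERED_AGENT),
                          ("/tmp/sh", DEBUG_SHELL)]:
        print(decide(path, content))
    print("review overdue:", list_review_overdue(date(2024, 6, 1)))
```

Whitelist mode is the stricter of the two and is the one the Framework's "deny-all, permit-by-exception" wording points at; blacklist mode only catches what has already been identified as prohibited, which is why the review-age check matters more in that mode.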
IDENTIFICATION AND AUTHENTICATION

3.5.1  Identify system users, processes acting on behalf of users, or devices.
  NIST SP 800-53: IA-2 Identification and Authentication (Organizational Users); IA-5 Authenticator Management
  CPS.AC-8: Restrict communications by IoT devices and servers to those with entities (e.g., people, components, systems) identified through proper procedures.
    Basic
    - The organization assigns identifiers to its IoT devices and servers, and manages identification by preventing re-use of identifiers and invalidating identifiers after a certain period of time.
    - Before connecting their IoT devices and servers to the network, the information system and the industrial control system prepare a mechanism that uniquely identifies and authenticates these devices.
    - Communication using IoT devices is denied by default; the protocol to be used is authorized as an exception.

D-2-9
Appendix D.2 - Mapping NIST SP 800-171 to CPSF
Table columns: FAMILY | ID | NIST SP 800-171 Security Requirements | NIST SP 800-53 Relevant Security Controls referred from NIST SP 800-171 | Cyber/Physical Security Framework Measure Requirement ID | Measure Requirement | Example of Security Measures
3.5.2  Authenticate (or verify) the identities of those users, processes, or devices, as a prerequisite to allowing access to organizational systems.
  NIST SP 800-53: IA-2 Identification and Authentication (Organizational Users); IA-5 Authenticator Management
  CPS.AC-9: Authenticate and authorize logical accesses to system components by IoT devices and users according to the transaction risks (personal security, privacy risks, and other organizational risks).
    H-Advanced
    - The information system and industrial control system require authentication using a public key infrastructure (PKI), especially for login to a system that handles highly confidential data.
      * When performing authentication using PKI in an industrial control system, ensure that the processing wait time that occurs does not degrade system performance.
    - The information system and industrial control system lay down conditions that require disconnection of a session and implement a function that automatically terminates a user's session when it falls under these conditions.
    Advanced
    [Reference] For the strength of authentication schemes and appropriate use cases, it is advisable to refer to NIST SP 800-63-3.
    - The organization checks the user's identity and authenticates using a mechanism that has sufficient strength for the risk of the transaction (security-related risks for the user, privacy risks, etc.).
    - The information system displays a notification message on the risk of the transaction (security-related risks for the user, privacy risks, etc.) when a user logs into the system.
    - The information system and the industrial control system make the feedback on the authentication information invisible during the authentication process.
    - The organization sets the expiration date of the credential and manages whether a password past its expiration date is used.
3.5.3  Use multifactor authentication for local and network access to privileged accounts and for network access to non-privileged accounts.
  NIST SP 800-53: IA-2(1) Identification and Authentication (Organizational Users) | Network Access to Privileged Accounts; IA-2(2) Identification and Authentication (Organizational Users) | Network Access to Non-Privileged Accounts; IA-2(3) Identification and Authentication (Organizational Users) | Local Access to Privileged Accounts
  CPS.AC-6: Adopt high-confidence methods of authentication where appropriate based on risk (e.g., multi-factor authentication, combining more than two types of authentication) when logging in to the system over the network for the privileged user.
    H-Advanced
    - The system uses multifactor authentication for access to the system or network with non-privileged accounts.
    - For an information system that handles highly confidential data, access to the system and network with privileged or non-privileged accounts uses an authentication mechanism that can tolerate replay attacks.
    [Reference] It is desirable to refer to NIST SP 800-63-3 regarding the strength of authentication methods and appropriate use cases.
    Advanced
    - In consideration of the risk of unauthorized login to the privileged account in the system, the organization in principle prohibits login to the privileged account via the network when it is not possible to implement sufficiently high-confidence methods of authentication.
    - The information system requires multifactor authentication for access to the system or network with privileged accounts when it cannot implement actions such as invalidating the administrator account for the system.
    - In principle, the organization invalidates the default administrator account in the information system.
    - The information system permits the necessary minimum privileged authority to the user account when performing privileged operations.

3.5.4  Employ replay-resistant authentication mechanisms for network access to privileged and non-privileged accounts.
  NIST SP 800-53: IA-2(8) Identification and Authentication (Organizational Users) | Network Access to Privileged Accounts - Replay Resistant; IA-2(9) Identification and Authentication (Organizational Users) | Network Access to Non-Privileged Accounts - Replay Resistant
  CPS.AC-6: Adopt high-confidence methods of authentication where appropriate based on risk (e.g., multi-factor authentication, combining more than two types of authentication) when logging in to the system over the network for the privileged user.
    H-Advanced
    - The system uses multifactor authentication for access to the system or network with non-privileged accounts.
    - For an information system that handles highly confidential data, access to the system and network with privileged or non-privileged accounts uses an authentication mechanism that can tolerate replay attacks.
    [Reference] It is desirable to refer to NIST SP 800-63-3 regarding the strength of authentication methods and appropriate use cases.
3.5.5  Prevent reuse of identifiers for a defined period.
  NIST SP 800-53: IA-4 Identifier Management
  CPS.AC-1: Establish and implement the procedure to issue, manage, check, cancel, and monitor identification and authentication information of authorized goods, people, and procedures.
    Advanced
    - The organization must obtain approval from the management supervisor when creating a system account.
    - For shared user accounts, the users who may know the authentication information are managed in a list or the like, so that the scope of use of the account can be identified.
    - The organization monitors the usage of system accounts used in an information system.
    - If an account needs to be changed or becomes unnecessary, the organization notifies the management supervisor.
    - The organization sets the expiration date of the credential and manages whether a password past its expiration date is used.
    - The organization notifies the user (or the person in charge of management) when the password is changed in an information system or an industrial control system.
    - If the information system resets credentials for reasons such as a user forgetting them, the information system securely confirms that the account belongs to the requester, to prevent tampering with the credentials by a malicious party.
    Basic
    - The organization appoints a management supervisor for the accounts in its information system and industrial control system.
    - The organization decides and selects the types of system accounts necessary (e.g., general user / system administrator / shared user / temporary user), with consideration of its mission and business functions.
    - The organization creates and enables system accounts as per the procedure, and changes, disables, and deletes them as needed.
    - The organization develops a policy for credentials (e.g., password, security key) for its own information systems and industrial control systems, and implements a function that prevents a credential from being set unless it satisfies the policy. The following is an example of the content of the policy:
      - Develop and operate requirements for passwords in order to ensure the minimum required complexity.
      - When new credentials are created, change at least the number of characters defined by the organization.
      - Store and transmit only cryptographically protected credentials.
      - Prohibit reuse of the same credentials for the period that the organization defines.
    - The organization allows its members to use temporary credentials exceptionally when logging on to the system after they have forgotten their credentials, provided they immediately change to a strong password.
    - The organization does not share user identification information among multiple system users in an information system or an industrial control system, except when multiple users function as a single group.
  CPS.AC-8: Restrict communications by IoT devices and servers to those with entities (e.g., people, components, systems) identified through proper procedures.
    Basic
    - The organization assigns identifiers to its IoT devices and servers, and manages identification by preventing re-use of identifiers and invalidating identifiers after a certain period of time.
    - Before connecting their IoT devices and servers to the network, the information system and the industrial control system prepare a mechanism that uniquely identifies and authenticates these devices.
    - Communication using IoT devices is denied by default; the protocol to be used is authorized as an exception.

D-2-10
3.5.6  Disable identifiers after a defined period of inactivity.
  NIST SP 800-53: IA-4 Identifier Management
  CPS.AC-1: Establish and implement the procedure to issue, manage, check, cancel, and monitor identification and authentication information of authorized goods, people, and procedures.
    Advanced
    - The organization must obtain approval from the management supervisor when creating a system account.
    - For shared user accounts, the users who may know the authentication information are managed in a list or the like, so that the scope of use of the account can be identified.
    - The organization monitors the usage of system accounts used in an information system.
    - If an account needs to be changed or becomes unnecessary, the organization notifies the management supervisor.
    - The organization sets the expiration date of the credential and manages whether a password past its expiration date is used.
    - The organization notifies the user (or the person in charge of management) when the password is changed in an information system or an industrial control system.
    - If the information system resets credentials for reasons such as a user forgetting them, the information system securely confirms that the account belongs to the requester, to prevent tampering with the credentials by a malicious party.
    Basic
    - The organization appoints a management supervisor for the accounts in its information system and industrial control system.
    - The organization decides and selects the types of system accounts necessary (e.g., general user / system administrator / shared user / temporary user), with consideration of its mission and business functions.
    - The organization creates and enables system accounts as per the procedure, and changes, disables, and deletes them as needed.
    - The organization develops a policy for credentials (e.g., password, security key) for its own information systems and industrial control systems, and implements a function that prevents a credential from being set unless it satisfies the policy. The following is an example of the content of the policy:
      - Develop and operate requirements for passwords in order to ensure the minimum required complexity.
      - When new credentials are created, change at least the number of characters defined by the organization.
      - Store and transmit only cryptographically protected credentials.
      - Prohibit reuse of the same credentials for the period that the organization defines.
    - The organization allows its members to use temporary credentials exceptionally when logging on to the system after they have forgotten their credentials, provided they immediately change to a strong password.
    - The organization does not share user identification information among multiple system users in an information system or an industrial control system, except when multiple users function as a single group.
3.5.7  Enforce a minimum password complexity and change of characters when new passwords are created.
  NIST SP 800-53: IA-5(1) Authenticator Management | Password-Based Authentication
  CPS.AC-9: Authenticate and authorize logical accesses to system components by IoT devices and users according to the transaction risks (personal security, privacy risks, and other organizational risks).
    H-Advanced
    - The information system and industrial control system require authentication using a public key infrastructure (PKI), especially for login to a system that handles highly confidential data.
      * When performing authentication using PKI in an industrial control system, ensure that the processing wait time that occurs does not degrade system performance.
    - The information system and industrial control system lay down conditions that require disconnection of a session and implement a function that automatically terminates a user's session when it falls under these conditions.
    Advanced
    [Reference] For the strength of authentication schemes and appropriate use cases, it is advisable to refer to NIST SP 800-63-3.
    - The organization checks the user's identity and authenticates using a mechanism that has sufficient strength for the risk of the transaction (security-related risks for the user, privacy risks, etc.).
    - The information system displays a notification message on the risk of the transaction (security-related risks for the user, privacy risks, etc.) when a user logs into the system.
    - The information system and the industrial control system make the feedback on the authentication information invisible during the authentication process.
    - The organization sets the expiration date of the credential and manages whether a password past its expiration date is used.
3.5.8  Prohibit password reuse for a specified number of generations.
  NIST SP 800-53: IA-5(1) Authenticator Management | Password-Based Authentication
  CPS.AC-9: Authenticate and authorize logical accesses to system components by IoT devices and users according to the transaction risks (personal security, privacy risks, and other organizational risks).
    H-Advanced
    - The information system and industrial control system require authentication using a public key infrastructure (PKI), especially for login to a system that handles highly confidential data.
      * When performing authentication using PKI in an industrial control system, ensure that the processing wait time that occurs does not degrade system performance.
    - The information system and industrial control system lay down conditions that require disconnection of a session and implement a function that automatically terminates a user's session when it falls under these conditions.
    Advanced
    [Reference] For the strength of authentication schemes and appropriate use cases, it is advisable to refer to NIST SP 800-63-3.
    - The organization checks the user's identity and authenticates using a mechanism that has sufficient strength for the risk of the transaction (security-related risks for the user, privacy risks, etc.).
    - The information system displays a notification message on the risk of the transaction (security-related risks for the user, privacy risks, etc.) when a user logs into the system.
    - The information system and the industrial control system make the feedback on the authentication information invisible during the authentication process.
    - The organization sets the expiration date of the credential and manages whether a password past its expiration date is used.
3.5.9  Allow temporary password use for system logons with an immediate change to a permanent password.
  NIST SP 800-53: IA-5(1) Authenticator Management | Password-Based Authentication
  CPS.AC-9: Authenticate and authorize logical accesses to system components by IoT devices and users according to the transaction risks (personal security, privacy risks, and other organizational risks).
    H-Advanced
    - The information system and industrial control system require authentication using a public key infrastructure (PKI), especially for login to a system that handles highly confidential data.
      * When performing authentication using PKI in an industrial control system, ensure that the processing wait time that occurs does not degrade system performance.
    - The information system and industrial control system lay down conditions that require disconnection of a session and implement a function that automatically terminates a user's session when it falls under these conditions.
    Advanced
    [Reference] For the strength of authentication schemes and appropriate use cases, it is advisable to refer to NIST SP 800-63-3.
    - The organization checks the user's identity and authenticates using a mechanism that has sufficient strength for the risk of the transaction (security-related risks for the user, privacy risks, etc.).
    - The information system displays a notification message on the risk of the transaction (security-related risks for the user, privacy risks, etc.) when a user logs into the system.
    - The information system and the industrial control system make the feedback on the authentication information invisible during the authentication process.
    - The organization sets the expiration date of the credential and manages whether a password past its expiration date is used.

D-2-11
3.5.10  Store and transmit only cryptographically-protected passwords.
  NIST SP 800-53: IA-5(1) Authenticator Management | Password-Based Authentication
  CPS.AC-9: Authenticate and authorize logical accesses to system components by IoT devices and users according to the transaction risks (personal security, privacy risks, and other organizational risks).
    H-Advanced
    - The information system and industrial control system require authentication using a public key infrastructure (PKI), especially for login to a system that handles highly confidential data.
      * When performing authentication using PKI in an industrial control system, ensure that the processing wait time that occurs does not degrade system performance.
    - The information system and industrial control system lay down conditions that require disconnection of a session and implement a function that automatically terminates a user's session when it falls under these conditions.
    Advanced
    [Reference] For the strength of authentication schemes and appropriate use cases, it is advisable to refer to NIST SP 800-63-3.
    - The organization checks the user's identity and authenticates using a mechanism that has sufficient strength for the risk of the transaction (security-related risks for the user, privacy risks, etc.).
    - The information system displays a notification message on the risk of the transaction (security-related risks for the user, privacy risks, etc.) when a user logs into the system.
    - The information system and the industrial control system make the feedback on the authentication information invisible during the authentication process.
    - The organization sets the expiration date of the credential and manages whether a password past its expiration date is used.
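Requirements 3.5.5 through 3.5.10 all land on the CPS.AC-1 credential policy (minimum complexity, change of characters, no reuse within a defined number of generations, cryptographically protected storage, temporary credentials changed at once) and the CPS.AC-8 identifier rules (no re-use of identifiers, invalidation after inactivity). The Python program below is an added example, not Framework text or code, of those rules enforced in one place. The policy values (length, classes, generations, inactivity period, PBKDF2 iterations) are constructed placeholders that an organization would set itself, and the "change of characters" test is a deliberate positional-difference simplification noted in the code.

```python
"""Credential policy and identifier lifecycle checks.

Added example for CPS.AC-1 / CPS.AC-8 (not Framework code). Policy values
are constructed; the Framework leaves them to the organization.
"""
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field
from datetime import date, timedelta

MIN_LENGTH = 12
MIN_CLASSES = 3           # of lower / upper / digit / symbol
MIN_CHANGED_CHARS = 4     # "change of characters" against the previous password
HISTORY_GENERATIONS = 5   # reuse prohibited within this many generations
INACTIVITY_DAYS = 90      # identifiers disabled after this idle period
PBKDF2_ITERATIONS = 200_000   # constructed; follow current guidance in production


def hash_credential(password: str, salt: bytes = None) -> tuple:
    """Return (salt, verifier). Only these are stored or transmitted, never the password."""
    salt = salt or secrets.token_bytes(16)
    return salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)


def verify_credential(password: str, salt: bytes, verifier: bytes) -> bool:
    return hmac.compare_digest(hash_credential(password, salt)[1], verifier)


def changed_chars(old: str, new: str) -> int:
    # Positional differences plus the length difference: a deliberate simplification
    # of "change of characters"; a production check would use an edit distance.
    return sum(a != b for a, b in zip(old, new)) + abs(len(old) - len(new))


def check_complexity(pw: str) -> list:
    problems = []
    if len(pw) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH}")
    classes = (any(c.islower() for c in pw) + any(c.isupper() for c in pw)
               + any(c.isdigit() for c in pw) + any(not c.isalnum() for c in pw))
    if classes < MIN_CLASSES:
        problems.append(f"fewer than {MIN_CLASSES} character classes")
    return problems


@dataclass
class Account:
    identifier: str
    salt: bytes
    verifier: bytes
    history: list = field(default_factory=list)   # (salt, verifier) of earlier passwords
    temporary: bool = False                        # must be changed at the next logon
    last_used: date = field(default_factory=date.today)
    disabled: bool = False


def change_password(acct: Account, current: str, new: str) -> list:
    """Enforce the policy; returns violations (an empty list means the change was applied)."""
    if not verify_credential(current, acct.salt, acct.verifier):
        return ["current credential incorrect"]
    problems = check_complexity(new)
    if changed_chars(current, new) < MIN_CHANGED_CHARS:
        problems.append(f"fewer than {MIN_CHANGED_CHARS} characters changed")
    recent = [(acct.salt, acct.verifier)] + acct.history[-(HISTORY_GENERATIONS - 1):]
    if any(verify_credential(new, s, v) for s, v in recent):
        problems.append(f"reused within last {HISTORY_GENERATIONS} generations")
    if problems:
        return problems
    acct.history.append((acct.salt, acct.verifier))
    acct.salt, acct.verifier = hash_credential(new)
    acct.temporary = False   # a temporary credential has now been replaced
    return []


class IdentifierRegistry:
    """Issues each identifier exactly once and disables the ones that go idle."""

    def __init__(self):
        self._ever_issued = set()
        self.accounts = {}

    def issue(self, identifier: str, initial_password: str, temporary: bool = True) -> Account:
        if identifier in self._ever_issued:
            raise ValueError(f"identifier {identifier!r} was used before and may not be reused")
        self._ever_issued.add(identifier)
        salt, verifier = hash_credential(initial_password)
        acct = Account(identifier, salt, verifier, temporary=temporary)
        self.accounts[identifier] = acct
        return acct

    def retire(self, identifier: str) -> None:
        del self.accounts[identifier]   # the identifier stays in _ever_issued

    def disable_inactive(self, today: date) -> list:
        disabled = []
        for acct in self.accounts.values():
            if not acct.disabled and today - acct.last_used > timedelta(days=INACTIVITY_DAYS):
                acct.disabled = True
                disabled.append(acct.identifier)
        return disabled
```

The reuse check compares the candidate against stored verifiers rather than against stored passwords, which is how 3.5.8 and 3.5.10 can be satisfied together: nothing but salted, slow-hashed verifiers is ever kept.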
3.5.11  Obscure feedback of authentication information.
  NIST SP 800-53: IA-6 Authenticator Feedback
  CPS.AC-9: Authenticate and authorize logical accesses to system components by IoT devices and users according to the transaction risks (personal security, privacy risks, and other organizational risks).
    H-Advanced
    - The information system and industrial control system require authentication using a public key infrastructure (PKI), especially for login to a system that handles highly confidential data.
      * When performing authentication using PKI in an industrial control system, ensure that the processing wait time that occurs does not degrade system performance.
    - The information system and industrial control system lay down conditions that require disconnection of a session and implement a function that automatically terminates a user's session when it falls under these conditions.
    Advanced
    [Reference] For the strength of authentication schemes and appropriate use cases, it is advisable to refer to NIST SP 800-63-3.
    - The organization checks the user's identity and authenticates using a mechanism that has sufficient strength for the risk of the transaction (security-related risks for the user, privacy risks, etc.).
    - The information system displays a notification message on the risk of the transaction (security-related risks for the user, privacy risks, etc.) when a user logs into the system.
    - The information system and the industrial control system make the feedback on the authentication information invisible during the authentication process.
    - The organization sets the expiration date of the credential and manages whether a password past its expiration date is used.
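Three of the measures above are easiest to see in code: the CPS.AC-6 H-Advanced item on authentication that tolerates replay (3.5.3, 3.5.4), and the CPS.AC-9 items on making authentication feedback invisible (3.5.11) and on automatically terminating a session when defined conditions are met (3.5.2). The following Python program is an added example, not part of the Framework: the server issues a fresh nonce, the client answers with an HMAC over it, a captured answer cannot be replayed because each nonce is consumed once, every failure returns the same generic result (so a probe cannot learn whether an identifier exists), comparison is constant-time, and sessions are terminated on an idle timeout or a maximum lifetime. Keys, identifiers, timeouts, and timestamps are constructed.

```python
"""Replay-resistant challenge-response with uniform feedback and session termination.

Added example for CPS.AC-6 / CPS.AC-9 (not Framework code). The pre-shared
key, identifiers, timeouts, and clock values are constructed.
"""
import hashlib
import hmac
import secrets

IDLE_TIMEOUT_S = 900          # terminate a session inactive for 15 minutes
MAX_SESSION_S = 8 * 3600      # and any session older than 8 hours
GENERIC_FAILURE = "Authentication failed"   # same text for every failure cause


class Server:
    def __init__(self, shared_keys: dict):
        self._keys = shared_keys      # identifier -> pre-shared key (e.g. provisioned to a device)
        self._outstanding = {}        # nonce -> identifier; each nonce is issued once
        self._used_nonces = set()     # consumed nonces are never accepted again
        self.sessions = {}            # session id -> {"user", "start", "last"}

    def challenge(self, user: str) -> str:
        # Unknown identifiers still receive a challenge, so the response to the
        # challenge step does not reveal which identifiers exist.
        nonce = secrets.token_hex(16)
        self._outstanding[nonce] = user
        return nonce

    def respond(self, nonce: str, response: bytes, now: int) -> tuple:
        """Return (ok, session_id_or_message). All failures look the same to the caller."""
        user = self._outstanding.pop(nonce, None)
        if user is None or nonce in self._used_nonces:
            return False, GENERIC_FAILURE          # never issued, or a replay
        self._used_nonces.add(nonce)
        key = self._keys.get(user)
        # Unknown user: compare against a dummy so the code path and timing stay uniform.
        expected = (hmac.new(key, nonce.encode(), hashlib.sha256).digest()
                    if key else b"\x00" * 32)
        if not hmac.compare_digest(expected, response):
            return False, GENERIC_FAILURE
        sid = secrets.token_hex(16)
        self.sessions[sid] = {"user": user, "start": now, "last": now}
        return True, sid

    def touch(self, sid: str, now: int) -> bool:
        """Validate a session on each request; terminate it when a condition is met."""
        s = self.sessions.get(sid)
        if s is None:
            return False
        if now - s["last"] > IDLE_TIMEOUT_S or now - s["start"] > MAX_SESSION_S:
            del self.sessions[sid]
            return False
        s["last"] = now
        return True


def client_response(key: bytes, nonce: str) -> bytes:
    """What the authenticating user or device computes from the fresh nonce."""
    return hmac.new(key, nonce.encode(), hashlib.sha256).digest()


if __name__ == "__main__":
    KEY = b"constructed-preshared-key"
    srv = Server({"plc-07": KEY})
    nonce = srv.challenge("plc-07")
    ok, sid = srv.respond(nonce, client_response(KEY, nonce), now=1000)
    print("first attempt:", ok)
    print("replayed response:", srv.respond(nonce, client_response(KEY, nonce), now=1001))
    print("session valid at +500s:", srv.touch(sid, 1500))
    print("session valid after idle:", srv.touch(sid, 1500 + IDLE_TIMEOUT_S + 1))
```

The replay resistance comes from the nonce, not from the HMAC alone: the same key and message produce the same tag, so without a fresh, single-use challenge a captured tag would authenticate again.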
INCIDENT RESPONSE

3.6.1  Establish an operational incident-handling capability for organizational systems that includes adequate preparation, detection, analysis, containment, recovery, and user response
  NIST SP 800-53: IR-2 Incident Response Training; IR-4 Incident Handling; IR-5 Incident Monitoring; IR-6 Incident Reporting
  CPS.SC-9: Prepare and test a procedure for incident response with the relevant parties involved in the incident response activity, to ensure action for incident response in the supply chain.
    H-Advanced
    - The organization assumes the course of action for security incidents in the supply chain and prepares a procedure that coordinates incident responses between the organization and other organizations concerned with the supply chain.
    - The organization assumes the course of action for security incidents in the supply chain and implements tests that coordinate incident responses with other organizations concerned with the supply chain.
    [Reference] Violations in security incidents of the supply chain include violations on system components, IT products, development processes, developers, distribution processes, and warehouse facilities.
    Advanced
    - The organization coordinates the incident response process of an external service provider that supplies important features in order to continue its business, and adjusts the organization's own incident response process to meet the incident response requirements.
    - The organization tests the incident response process that requires cooperation between the organization and external service providers.
  CPS.AE-2: Appoint a chief security officer, establish a security management team (SOC/CSIRT), and prepare a system within the organization to detect, analyze, and respond to security events.
    Advanced
    - The organization refers to risk assessment results and, considering the following angles, establishes what to monitor and what to include in correlation analysis:
      - The scope of systems to monitor
      - Which device logs should be collected for analysis (see CPS.AE-3)
    - The organization regularly reviews audit logs collected through monitoring.
    - The organization continues to collect and manage information about assets, device configurations, and network configurations in order to evaluate its security status.
    - The organization examines the results of correlation analysis and other data to accurately detect security events that must be addressed, and takes action in accordance with the security operation process. See CPS.RP-1 for details of the process.
    - The organization regularly reports the state of organizational and system security to the chief security officer or other appropriate staff members. It is desirable that the regular report include the following:
      - Results of log analysis (e.g., the number of incidents handled; summaries of typical incidents that have been handled; threats that have emerged; issues in monitoring);
      - Policy for future improvements in monitoring.
  CPS.AE-4: Identify the impact of security events, including the impact on other relevant organizations.
    Advanced
    - The organization works with IPA, JPCERT/CC, the industry's ISAC, and a security vendor to collect information, thereby interlinking and sharing information about threats and vulnerabilities to obtain a whole picture of the security event.
    - The organization requests an external security vendor to analyze the functions of any malware, program, or script placed by an attacker that is found in a security event that has occurred.
  CPS.RP-1: Develop and implement in advance the procedure for response after detecting incidents (security operation process) that includes the response of Organization, People, Components, and System, to identify the content, priority, and scope of the response taken after an incident occurs.
    Basic
    - The organization develops and manages a security operation process it should follow when a security incident arises that it must address. It is advisable to include contents such as the following in the process:
      - Response procedure for the person who received the incident report;
      - Instructions and orders, and how to prioritize actions in an emergency;
      - Incident response;
      - Incident impact assessment and damage analysis;
      - Information gathering, selecting the information that the organization needs;
      - Communication and announcement to relevant internal personnel;
      - Communication with relevant external organizations;
    - The system (especially an industrial control system) shuts down, issues an alert to the administrator, or takes other fail-safe actions if any 
activities. ・IR-7 Incident Response Assistance abnormality (e.g., malfunction) occurs in IoT devices or servers.

[Reference] “SP 800‐61 rev.1" (NIST, 2008) is available for reference to determine the process for handling security incidents that have arisen.

Include the item in the business continuity plan or


emergency response plan to the effect that the ‐ The organization provides an overview of a security incident for relevant external entities including the regulatory authorities, business partners, 
and end users, and collects detailed information about damage inflicted by the incident.
CPS.CO-3 details of the recovery activities shall be Advanced
‐ The organization coordinates actions related to recovery and post‐incident processing with relevant external entities involved in the supply 
communicated to the internal and external chain. An example of these actions is recalling items produced when a security incident in the production system has occurred.
stakeholders, executives, and management.

Understand the impact of the security incident on


the whole society including the organization and ‐ The organization works with IPA, JPCERT/CC, the industry’s ISAC, and a security vendor to collect information, thereby interlinking and sharing 
information about threats and vulnerability to obtain a whole picture of the security incident.
CPS.AN-1 relevant parties such as partners based on the full Advanced
‐ The organization requests an external security vendor to analyze the functions of the malware, or program, or script placed by an attacker if any 
account of the incident and the probable intent of is found in a security incident that has occurred.
the attacker.

D-2-12
Appendix D.2 - Mapping NIST SP 800-171 to CPSF
Table columns: NIST SP 800-171 (FAMILY / ID / Security Requirements); NIST SP 800-53 Relevant Security Controls referred from NIST SP 800-171 (Security Controls); Cyber/Physical Security Framework (Measure Requirement ID / Measure Requirement / Example of Security Measures).
(3.6.1 continued)

CPS.AN-3: Categorize and store information regarding the detected security incidents by the size of security-related impact, penetration vector, and other factors.
Advanced:
- The organization classifies security incidents, taking into account the recovery time objectives for the systems, the order of priority in recovery, and metrics in the process of its security operation.
- The organization tracks and documents security incidents that may affect it. "SP 800-61 rev.1" lists the following as examples of points of view that may be taken when an organization documents a security incident.
  - The present state of the incident
  - Overview of the incident
  - The course of action the organization has taken to deal with the incident
  - Other contact information of relevant personnel (e.g., the system owner, system administrator)
  - List of proof collected during the investigation
  - Comments by the staff in charge of dealing with the incident
  - Next steps

CPS.MI-1: Take measures to minimize security-related damages and mitigate the impacts caused by such incidents.
Basic:
- The organization (or its members) takes courses of action to reduce security incidents (e.g., shutting down the system; cutting off the system from a wired/wireless network; cutting off a modem cable; disabling certain functions) in accordance with prescribed procedures.
[Reference] Courses of action to reduce the impact of a security incident may vary according to the nature of the incident (e.g., according to the threat that has emerged, such as a denial-of-service attack, malware infection, or unauthorized access). It is advisable to refer to "SP 800-61 rev.1" (NIST, 2008) for detailed information about courses of action to reduce the impact of an incident.

CPS.RP-4: Take appropriate measures on goods (products) whose quality is expected to be affected for some reason, including its production facility being damaged by the occurrence of the security incident.
Advanced:
- The organization provides an overview of a security incident for relevant external entities including business partners and end users, and collects detailed information about damage inflicted by the incident.
- The organization coordinates actions related to recovery and post-incident processing with relevant external entities involved in the supply chain. It is advisable to identify the items for handling in accordance with the approaches included in CPS.AM-2 and CPS.AM-3.
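CPS.AN-3 asks for incidents to be tracked in a documented form and classified by recovery time objective, recovery priority and impact. The following is an added example, not CPSF or NIST code: the record fields follow the SP 800-61 documentation points listed above, while the priority rule (shortest RTO among affected systems, raised one step for site-wide or supply-chain impact), the RTO table and the sample incidents are assumptions made for the illustration.

```python
"""Incident records in the SP 800-61 shape, classified by recovery priority.

Added example, not text from the CPSF. The fields follow the documentation
points listed under CPS.AN-3; the priority rule, the recovery time
objectives and the sample incidents are assumed for illustration.
"""
from dataclasses import dataclass, field
from datetime import datetime, timezone

# Constructed recovery time objectives (hours) per system; in practice these
# come from the business continuity plan.
RTO_HOURS = {"production-line-1": 2, "hmi-02": 8, "office-fileserver": 48}
DEFAULT_RTO_HOURS = 72            # assumed for systems not in the table
IMPACT_RANK = {"single-host": 1, "site": 2, "supply-chain": 3}


def _now():
    return datetime.now(timezone.utc)


@dataclass
class IncidentRecord:
    incident_id: str
    status: str                   # present state: new, contained, recovered, closed
    overview: str
    affected_systems: list
    penetration_vector: str       # e.g. phishing, removable-media, remote-maintenance
    impact_scope: str             # single-host / site / supply-chain
    actions_taken: list = field(default_factory=list)   # course of action so far
    contacts: dict = field(default_factory=dict)        # role -> contact
    evidence: list = field(default_factory=list)        # proof collected
    comments: list = field(default_factory=list)        # notes by responders
    next_steps: list = field(default_factory=list)
    opened_at: datetime = field(default_factory=_now)


def classify(rec):
    """Recovery priority 1 (highest) to 3: the shortest RTO among the affected
    systems decides, and a scope wider than one host raises it one step."""
    rto = min(RTO_HOURS.get(s, DEFAULT_RTO_HOURS) for s in rec.affected_systems)
    if rto <= 4:
        level = 1
    elif rto <= 24:
        level = 2
    else:
        level = 3
    if IMPACT_RANK[rec.impact_scope] >= 2:
        level = max(1, level - 1)
    return {"priority": level, "min_rto_hours": rto}


def record_action(rec, action, who):
    """Append a timestamped entry to the course-of-action log; returns its length."""
    rec.actions_taken.append({"time": _now().isoformat(timespec="seconds"),
                              "action": action, "by": who})
    return len(rec.actions_taken)


def summarize(records):
    """Counts by penetration vector and by priority for the periodic report."""
    by_vector, by_priority = {}, {}
    for r in records:
        by_vector[r.penetration_vector] = by_vector.get(r.penetration_vector, 0) + 1
        p = classify(r)["priority"]
        by_priority[p] = by_priority.get(p, 0) + 1
    return {"by_vector": by_vector, "by_priority": by_priority}


def sample_records():
    """Constructed incidents used for the demonstration."""
    a = IncidentRecord("INC-0001", "contained", "malware found on HMI",
                       ["hmi-02"], "removable-media", "single-host",
                       contacts={"system_owner": "ot-lead@example.invalid"})
    b = IncidentRecord("INC-0002", "new", "unauthorized remote session to line controller",
                       ["production-line-1", "hmi-02"], "remote-maintenance", "site")
    c = IncidentRecord("INC-0003", "recovered", "ransomware on office file share",
                       ["office-fileserver"], "phishing", "single-host")
    return [a, b, c]


if __name__ == "__main__":
    recs = sample_records()
    record_action(recs[0], "isolated HMI from the network", "soc-analyst")
    for r in recs:
        print(r.incident_id, r.status, classify(r))
    print(summarize(recs))
```

The priority rule is deliberately simple so that it can be written down in the security operation process and reproduced by hand; what matters for the measure is that every record carries the same fields and that the classification is derived from stated inputs (RTO, scope) rather than from an analyst's impression.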

Include the item in the business continuity plan or


emergency response plan to the effect that the ‐ The organization sets up a single point of contact for the media and business partners requesting information, thereby ensuring consistency in 
communication with them.
・IR-2 Incident Response Training CPS.CO-2 organization shall work to restore its social Basic
‐ The organization remains aware of the positive side of providing a detailed explanation about damage caused by a security incident while 
Track, document, and report incidents to ・IR-4 Incident Handling reputation after the occurrence of a high-risk considering the confidentiality of the important information.
3.6.2 appropriate organizational officials and/or ・IR-5 Incident Monitoring security incident.
authorities. ・IR-6 Incident Reporting ‐ The organization classifies security incidents, taking into account the recovery time objectives for the systems, the order of priority in recovery, 
and metrics in the process of its security operation.
・IR-7 Incident Response Assistance
‐ The organization tracks and documents security incidents that may affect it. “SP 800‐61 rev.1” lists the following as examples of points of view 
Categorize and store information regarding the that may be taken when an organization documents a security incident.
  ‐ The present state of the incident
detected security incidents by the size of security-
CPS.AN-3 Advanced   ‐ Overview of the incident
related impact, penetration vector, and other   ‐ The course of action the organization has taken to deal with the incident
factors.   ‐ Other contact information of relevant personnel (e.g., the system owner, system administrator)
  ‐ List of proof collected during the investigation
  ‐ Comments by the staff in charge of dealing with the incident
  ‐ Next steps
3.6.3 Test the organizational incident response capability.
NIST SP 800-53 relevant security controls: IR-3 Incident Response Testing; IR-3(2) Incident Response Testing | Coordination with Related Plans

CPS.SC-9: Prepare and test a procedure for incident response with relevant parties involved in the incident response activity to ensure action for incident response in the supply chain.
H-Advanced:
- The organization assumes the course of action for security incidents of the supply chain and prepares a procedure that adjusts incident responses between the organization and other organizations that are concerned with the supply chain.
- The organization assumes the course of action for security incidents of the supply chain and implements tests that adjust incident responses with other organizations that are concerned with the supply chain.
[Reference] Violations in the security incidents of the supply chain include violations on system components, IT products, development processes, developers, distribution processes, and warehouse facilities.
Advanced:
- The organization adjusts the incident response process of an external service provider that contains important features in order to continue its business, as well as adjusting the organization's incident response process to meet the incident response requirements.
- The organization tests the incident response process that requires cooperation between the organization and external service providers.

CPS.AT-1: Provide appropriate training and education to all individuals in the organization and manage the record so that they can fulfill assigned roles and responsibilities to prevent and contain the occurrence and severity of security incidents.
H-Advanced:
- The organization regularly provides basic security awareness training to all members of staff. The organization can, for example, cover the following matters in addition to the contents explaining general matters.
  - Procedure to respond when you receive a suspicious email
  - Notes on using mobile devices (e.g., notes on connecting to a public wireless LAN)
  - Notes on using SNS
- The organization creates a program for each role (e.g., system/software developer, purchasing personnel, system administrator, personnel in charge of security measures) to train information security personnel and to improve their skills. The program is conducted regularly for applicable personnel.
- The organization regularly reviews records of security education and training.
Advanced:
- The organization provides basic security awareness training to new staff, or when necessary due to changes made to the information systems and the industrial control systems which the organization uses.
- The organization records and manages the contents and results of security education and training for members of the organization.
MAINTENANCE

3.7.1 Perform maintenance on organizational systems.
NIST SP 800-53 relevant security controls: MA-2 Controlled Maintenance; MA-3 Maintenance Tools; MA-3(1) Maintenance Tools | Inspect Tools; MA-3(2) Maintenance Tools | Inspect Media

CPS.MA-1:
- Discuss the method of conducting important security updates and the like on IoT devices and servers. Then, apply those security updates with managed tools properly and in a timely manner while recording the history.
- Introduce IoT devices having a remote update mechanism to perform a mass update of different software programs (OS, driver, and application) through remote commands, where applicable.
H-Advanced:
- The organization gives prior approval for the use of devices and/or tools needed for maintenance to update its IoT devices and servers, and conducts monitoring.
- The organization inspects the devices and/or tools for maintenance brought in by the staff members who update its IoT devices and servers in order to make sure that no inappropriate or unauthorized changes will be made.
- The organization inspects the media used for maintenance to update its IoT devices and servers in order to make sure that the media contain no malicious code before they are used.
- The organization introduces an IoT device designed to remotely update different software programs (OS, driver, application) at the same time.
Advanced:
- The organization plans maintenance work such as updating its IoT devices and servers, implements the plan, checks the work done, and documents the entire maintenance.
- The organization gives prior approval for maintenance work such as updating its IoT devices and servers, and conducts monitoring.
- The organization gives prior approval for travel from its premises for any maintenance work away from its premises, such as updating its IoT devices and servers. It also takes necessary actions before the travel, such as deleting relevant saved data.
- The organization checks all security measures that may have been affected by maintenance work, such as updating its IoT devices and servers, after the work is complete in order to make sure that the relevant equipment works correctly.
- The organization keeps the records of maintenance work done, such as updating its IoT devices and servers.
- The organization establishes a process for authorizing maintenance staff in order to keep the list of authorized maintenance organizations or staff members updated.

D-2-13
3.7.2 Provide effective controls on the tools, techniques, mechanisms, and personnel used to conduct system maintenance.
NIST SP 800-53 relevant security controls: MA-2 Controlled Maintenance; MA-3 Maintenance Tools; MA-3(1) Maintenance Tools | Inspect Tools; MA-3(2) Maintenance Tools | Inspect Media

CPS.MA-1:
- Discuss the method of conducting important security updates and the like on IoT devices and servers. Then, apply those security updates with managed tools properly and in a timely manner while recording the history.
- Introduce IoT devices having a remote update mechanism to perform a mass update of different software programs (OS, driver, and application) through remote commands, where applicable.
H-Advanced:
- The organization gives prior approval for the use of devices and/or tools needed for maintenance to update its IoT devices and servers, and conducts monitoring.
- The organization inspects the devices and/or tools for maintenance brought in by the staff members who update its IoT devices and servers in order to make sure that no inappropriate or unauthorized changes will be made.
- The organization inspects the media used for maintenance to update its IoT devices and servers in order to make sure that the media contain no malicious code before they are used.
- The organization introduces an IoT device designed to remotely update different software programs (OS, driver, application) at the same time.
Advanced:
- The organization plans maintenance work such as updating its IoT devices and servers, implements the plan, checks the work done, and documents the entire maintenance.
- The organization gives prior approval for maintenance work such as updating its IoT devices and servers, and conducts monitoring.
- The organization gives prior approval for travel from its premises for any maintenance work away from its premises, such as updating its IoT devices and servers. It also takes necessary actions before the travel, such as deleting relevant saved data.
- The organization checks all security measures that may have been affected by maintenance work, such as updating its IoT devices and servers, after the work is complete in order to make sure that the relevant equipment works correctly.
- The organization keeps the records of maintenance work done, such as updating its IoT devices and servers.
- The organization establishes a process for authorizing maintenance staff in order to keep the list of authorized maintenance organizations or staff members updated.
3.7.3 Ensure equipment removed for off-site maintenance is sanitized of any CUI.
NIST SP 800-53 relevant security controls: MA-2 Controlled Maintenance

CPS.IP-6: When disposing of an IoT device and server, delete the stored data and the ID (identifier) uniquely identifying the genuine IoT devices and servers as well as important information (e.g., private key and digital certificate), or make them unreadable.
H-Advanced:
- The organization defines classifications including security categories of data saved in an IoT device or server to be scrapped, and introduces a mechanism for using the proper technique for deleting data with the strength and integrity needed or making the data unreadable according to the definition.
Advanced:
- The organization establishes a procedure for scrapping its equipment including IoT devices and servers, deletes data saved in the equipment or makes the data unreadable in accordance with the procedure, and makes sure that the action has been done successfully.
Basic:
- The organization deletes data that has been saved in its IoT devices or servers to be scrapped, or makes the data unreadable.
3.7.4 Check media containing diagnostic and test programs for malicious code before the media are used in organizational systems.
NIST SP 800-53 relevant security controls: MA-3(2) Maintenance Tools | Inspect Media

CPS.MA-1:
- Discuss the method of conducting important security updates and the like on IoT devices and servers. Then, apply those security updates with managed tools properly and in a timely manner while recording the history.
- Introduce IoT devices having a remote update mechanism to perform a mass update of different software programs (OS, driver, and application) through remote commands, where applicable.
H-Advanced:
- The organization gives prior approval for the use of devices and/or tools needed for maintenance to update its IoT devices and servers, and conducts monitoring.
- The organization inspects the devices and/or tools for maintenance brought in by the staff members who update its IoT devices and servers in order to make sure that no inappropriate or unauthorized changes will be made.
- The organization inspects the media used for maintenance to update its IoT devices and servers in order to make sure that the media contain no malicious code before they are used.
- The organization introduces an IoT device designed to remotely update different software programs (OS, driver, application) at the same time.
Advanced:
- The organization plans maintenance work such as updating its IoT devices and servers, implements the plan, checks the work done, and documents the entire maintenance.
- The organization gives prior approval for maintenance work such as updating its IoT devices and servers, and conducts monitoring.
- The organization gives prior approval for travel from its premises for any maintenance work away from its premises, such as updating its IoT devices and servers. It also takes necessary actions before the travel, such as deleting relevant saved data.
- The organization checks all security measures that may have been affected by maintenance work, such as updating its IoT devices and servers, after the work is complete in order to make sure that the relevant equipment works correctly.
- The organization keeps the records of maintenance work done, such as updating its IoT devices and servers.
- The organization establishes a process for authorizing maintenance staff in order to keep the list of authorized maintenance organizations or staff members updated.
3.7.5 Require multifactor authentication to establish nonlocal maintenance sessions via external network connections and terminate such connections when nonlocal maintenance is complete.
NIST SP 800-53 relevant security controls: MA-4 Nonlocal Maintenance

CPS.MA-2: Conduct remote maintenance of the IoT devices and servers while granting approvals and recording logs so that unauthorized access can be prevented.
Advanced:
- The organization documents the policy and procedure relating to establishing and implementing a connection designed for remote maintenance, and implements the connection in accordance with the policy and procedure.
- The organization provides authentication required for network access that it specifies when remote maintenance is carried out. It also ensures that the session and network connection are terminated when the remote maintenance is complete.
Basic:
- The organization develops and agrees to an implementation plan for remote maintenance before carrying out the maintenance, and checks the results of the maintenance done.
- The organization keeps the records of remote maintenance done.
3.7.6 Supervise the maintenance activities of maintenance personnel without required access authorization.
NIST SP 800-53 relevant security controls: MA-5 Maintenance Personnel

CPS.SC-5: Formulate and manage security requirements applicable to members of other relevant organizations, such as business partners, who are engaged in operations outsourced from the organization.
H-Advanced:
- The organization prepares a procedure to continuously monitor whether the security requirements from the contractee are complied with by the staff of the contractor, and to enable notification to the organization's personnel in charge in the case where irregular behavior is found.
Advanced:
- The organization trains the staff on information security aspects of supplier relationships to particularly ensure that the handling of confidential information is correctly understood.
- The organization regularly confirms that it complies with the security requirements from the contractee in conducting the contracted work.

CPS.MA-1:
- Discuss the method of conducting important security updates and the like on IoT devices and servers. Then, apply those security updates with managed tools properly and in a timely manner while recording the history.
- Introduce IoT devices having a remote update mechanism to perform a mass update of different software programs (OS, driver, and application) through remote commands, where applicable.
Advanced:
- The organization plans maintenance work such as updating its IoT devices and servers, implements the plan, checks the work done, and documents the entire maintenance.
- The organization gives prior approval for maintenance work such as updating its IoT devices and servers, and conducts monitoring.
- The organization gives prior approval for travel from its premises for any maintenance work away from its premises, such as updating its IoT devices and servers. It also takes necessary actions before the travel, such as deleting relevant saved data.
- The organization checks all security measures that may have been affected by maintenance work, such as updating its IoT devices and servers, after the work is complete in order to make sure that the relevant equipment works correctly.
- The organization keeps the records of maintenance work done, such as updating its IoT devices and servers.
- The organization establishes a process for authorizing maintenance staff in order to keep the list of authorized maintenance organizations or staff members updated.
Basic:
- The organization makes sure that a maintenance staff member sent unattended to do maintenance work on its information system and industrial control system has the necessary access rights.
- The organization appoints its staff member with the access rights and technical skills needed so as to supervise maintenance work done by a staff member without the necessary access rights.

D-2-14
MEDIA PROTECTION

3.8.1 Protect (i.e., physically control and securely store) system media containing CUI, both paper and digital.
NIST SP 800-53 relevant security controls: MP-2 Media Access; MP-4 Media Storage; MP-6 Media Sanitization

CPS.AC-2: Implement appropriate physical security measures such as locking and limiting access to the areas where the IoT devices and servers are installed, using entrance and exit controls, biometric authentication, deploying surveillance cameras, and inspecting belongings and body weight.
H-Advanced:
- The organization regulates service wires and transmission paths that are related to its IoT devices and servers by physical access.
- The organization regulates output devices of its system by physical access.
- The organization monitors alarms and monitoring devices (e.g., surveillance cameras) for physical intrusions into the areas within the physical security boundaries.
Advanced:
- The organization monitors physical accesses to the areas within the physical security boundaries and regularly reviews the audit log.
- The organization keeps the records of visitors' access to the areas within the physical security boundaries and regularly reviews them.
Basic:
- The organization maintains the access list for areas where its IoT devices and servers are located and issues permission certificates necessary for access.
- The organization defines physical security boundaries at its facilities, and implements access control according to the security requirements of assets placed within the boundaries and the results of risk assessment.
- The organization monitors the work of a temporarily authorized party within the physical security boundaries, such as by authorized attendants or monitoring cameras.

CPS.PT-2: Minimize functions of IoT devices and servers by physically and logically blocking unnecessary network ports, USBs, and serial ports accessing directly the main bodies of IoT devices and servers etc.
H-Advanced:
- The organization identifies software programs that are not allowed to be executed on a system.
- The organization manages a "black list" or "white list" so that the software programs not allowed on the system cannot be executed.
- The organization regularly reviews and updates the black list or the white list.
- The system blocks the execution of these programs in accordance with the specified rules.
Advanced:
- The organization reviews the functions and services provided by its systems and items in order to identify the functions and services that could be deleted.
- The organization uses network scanning tools, intrusion detection and prevention systems, and endpoint protection (e.g., a firewall, host-based intrusion detection system) in order to detect and prevent the use of banned functions, ports, protocols, and services.
- The organization minimizes the functions and services of devices connected to the network such as multifunction printers in addition to typical IoT devices and servers.
Basic:
- The organization manages peripherals in use (e.g., USB flash drives) using a management ledger and keeps them in a locked place.
- The organization checks external storage devices connected to IoT devices or servers (e.g., USB flash drives) using antivirus software, uses USB flash drives that can be checked for viruses, or takes any appropriate action.
- The organization plugs USB ports and serial ports that are out of use to physically block them.
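The H-Advanced measures under CPS.PT-2 (identify programs that may run, keep a white list, block everything else, and review the list regularly) are easiest to understand as a default-deny check on the program's content rather than its name. The example below is added here and is not CPSF code: it keeps an allowlist of SHA-256 digests, denies unknown or modified programs, records every denial, and reports entries that have drifted so the list can be updated. The enforcement hook (where the operating system or endpoint agent would call `is_allowed`) and the sample program files written to a temporary directory are assumptions.

```python
"""Hash-based execution allowlist check with periodic review.

Added example, not from the CPSF. It implements the "white list" measures
of CPS.PT-2 in user space: a program may run only if its SHA-256 matches the
approved entry. The enforcement point (kernel or EDR hook) is assumed; the
sample files are constructed in a temporary directory.
"""
import hashlib
import os
import tempfile


def sha256_of(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


class Allowlist:
    def __init__(self):
        self.entries = {}   # path -> approved sha256 (the "white list")
        self.denied = []    # audit trail of blocked executions (path, reason)

    def approve(self, path):
        """Record the current digest of a reviewed program as approved."""
        self.entries[path] = sha256_of(path)

    def is_allowed(self, path):
        """Default deny: unknown paths and tampered binaries are blocked."""
        approved = self.entries.get(path)
        if approved is None or not os.path.exists(path):
            self.denied.append((path, "not-listed"))
            return False
        if sha256_of(path) != approved:
            self.denied.append((path, "hash-mismatch"))
            return False
        return True

    def review(self):
        """Periodic review: report entries whose file vanished or changed so
        the list is updated deliberately instead of drifting silently."""
        stale = []
        for path, approved in self.entries.items():
            if not os.path.exists(path):
                stale.append((path, "missing"))
            elif sha256_of(path) != approved:
                stale.append((path, "changed"))
        return stale


def demo():
    """Construct two programs, approve one, then modify it without approval."""
    d = tempfile.mkdtemp()
    good = os.path.join(d, "update-agent")
    rogue = os.path.join(d, "unapproved-tool")
    with open(good, "wb") as f:
        f.write(b"#!/bin/sh\necho applying approved update\n")
    with open(rogue, "wb") as f:
        f.write(b"#!/bin/sh\necho unapproved tool\n")
    wl = Allowlist()
    wl.approve(good)
    results = {"good": wl.is_allowed(good), "rogue": wl.is_allowed(rogue)}
    with open(good, "ab") as f:        # simulate an unauthorized modification
        f.write(b"echo injected\n")
    results["tampered"] = wl.is_allowed(good)
    results["review"] = wl.review()
    results["denied"] = [reason for _, reason in wl.denied]
    return results


if __name__ == "__main__":
    print(demo())
```

Matching on the digest rather than the file name is what makes the list meaningful on a maintenance laptop or an IoT gateway: a renamed tool is still "not-listed", and an approved updater that has been altered becomes "hash-mismatch" until someone re-reviews and re-approves it.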
3.8.2 Limit access to CUI on system media to authorized users.
NIST SP 800-53 relevant security controls: MP-2 Media Access; MP-4 Media Storage; MP-6 Media Sanitization

CPS.AC-8: Restrict communications by IoT devices and servers to those with entities (e.g., people, components, system, etc.) identified through proper procedures.
Basic:
- The organization assigns identifiers to its IoT devices and servers, as well as managing the identification by preventing re-use of identifiers and invalidating identifiers after a certain period of time.
- Before connecting its IoT devices and servers to the network, the information system and the industrial control system prepare a mechanism that uniquely identifies and authenticates these devices.
- Communication using IoT devices is denied by default. The protocol to be used is authorized as an exception.

CPS.AC-9: Authenticate and authorize logical accesses to system components by IoT devices and users according to the transaction risks (personal security, privacy risks, and other organizational risks).
H-Advanced:
- The information system and industrial control system require authentication using a public key infrastructure (PKI), especially regarding login to a system that handles highly confidential data.
  * When performing authentication using PKI in an industrial control system, ensure that the processing wait time that occurs does not degrade system performance.
- The information system and industrial control system lay down conditions that require disconnection of the session for its system and implement a function that automatically terminates a user's session when it falls under these conditions.
[Reference] For the strength of authentication schemes and appropriate use cases, it is advisable to refer to NIST SP 800-63-3.
Advanced:
- The organization checks the user's identity and authenticates using a mechanism that has sufficient strength for the risk of the transaction (security-related risks for the user, privacy risks, etc.).
- The information system displays a notification message on the risk of the transaction (security-related risks for the user, privacy risks, etc.) when a user logs into the system.
- The information system and the industrial control system make the feedback on the authentication information invisible in the system during the authentication process.
- The organization sets the expiration date of the credential and manages whether a password past the expiration date is used.
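Two of the CPS.AC-9 measures are mechanical enough to show in code: the session-disconnection conditions that a system must define and enforce, and the management of credential expiry together with the risk notice shown at login. The block below is an added example, not part of the CPSF; the specific conditions (idle timeout, maximum session lifetime, a change of source address), the halved idle limit for high-risk systems, the 90-day password age and the notice wording are assumed policy values chosen for the illustration.

```python
"""Session disconnection conditions and credential expiry checks.

Added example, not from the CPSF. The conditions (idle timeout, absolute
lifetime, source address change) and the expiry periods are assumed policy
values; the CPSF only requires that such conditions exist and be enforced.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

IDLE_TIMEOUT = timedelta(minutes=15)        # assumed
MAX_SESSION_LIFETIME = timedelta(hours=8)   # assumed
PASSWORD_MAX_AGE = timedelta(days=90)       # assumed
EXPIRY_WARNING = timedelta(days=7)          # assumed


@dataclass
class Session:
    user: str
    started_at: datetime
    last_activity: datetime
    source_addr: str
    high_risk: bool = False   # e.g. a system handling highly confidential data


def termination_reason(session, now, current_addr):
    """Return why the session must be terminated, or None to keep it.
    High-risk sessions get half the idle timeout."""
    idle_limit = IDLE_TIMEOUT / 2 if session.high_risk else IDLE_TIMEOUT
    if now - session.last_activity > idle_limit:
        return "idle-timeout"
    if now - session.started_at > MAX_SESSION_LIFETIME:
        return "lifetime-exceeded"
    if current_addr != session.source_addr:
        return "address-changed"
    return None


def password_status(last_changed, now, max_age=PASSWORD_MAX_AGE):
    """'ok', 'expiring' (inside the warning window), or 'expired'."""
    age = now - last_changed
    if age > max_age:
        return "expired"
    if age > max_age - EXPIRY_WARNING:
        return "expiring"
    return "ok"


def login_decision(password_last_changed, now):
    """Refuse a login with an expired password; otherwise allow it and return
    the risk notice the system shows at login (CPS.AC-9 Advanced)."""
    status = password_status(password_last_changed, now)
    if status == "expired":
        return {"allowed": False, "notice": "password expired; change it before access"}
    notice = "this system processes personal data; activity is logged"
    if status == "expiring":
        notice += "; password expires within 7 days"
    return {"allowed": True, "notice": notice}


def demo():
    """Constructed sessions and credentials evaluated at one point in time."""
    now = datetime(2024, 5, 1, 12, 0, tzinfo=timezone.utc)
    h1 = timedelta(hours=1)
    idle = Session("operator", now - h1, now - timedelta(minutes=20), "10.0.5.20")
    normal = Session("operator", now - h1, now - timedelta(minutes=10), "10.0.5.20")
    busy_hr = Session("engineer", now - h1, now - timedelta(minutes=10), "10.0.5.31", high_risk=True)
    old = Session("admin", now - timedelta(hours=9), now - timedelta(minutes=1), "10.0.5.40")
    moved = Session("vendor", now, now, "10.0.5.1")
    return {
        "idle": termination_reason(idle, now, "10.0.5.20"),
        "normal": termination_reason(normal, now, "10.0.5.20"),
        "busy_hr": termination_reason(busy_hr, now, "10.0.5.31"),
        "old": termination_reason(old, now, "10.0.5.40"),
        "moved": termination_reason(moved, now, "10.0.9.9"),
        "expired_login": login_decision(now - timedelta(days=100), now),
        "expiring_login": login_decision(now - timedelta(days=85), now),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(name, value)
```

The same ten minutes of inactivity keeps an ordinary session alive but ends the high-risk one, which is the point of tying the conditions to the transaction risk; the address-change rule is a simple example of a condition that a long-lived remote maintenance session (CPS.MA-2) would also want.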
3.8.3 Mark media with necessary CUI markings and distribution limitations.
NIST SP 800-53 relevant security controls: MP-2 Media Access; MP-4 Media Storage; MP-6 Media Sanitization

CPS.IP-6: When disposing of an IoT device and server, delete the stored data and the ID (identifier) uniquely identifying the genuine IoT devices and servers as well as important information (e.g., private key and digital certificate), or make them unreadable.
H-Advanced:
- The organization defines classifications including security categories of data saved in an IoT device or server to be scrapped, and introduces a mechanism for using the proper technique for deleting data with the strength and integrity needed or making the data unreadable according to the definition.
Advanced:
- The organization establishes a procedure for scrapping its equipment including IoT devices and servers, deletes data saved in the equipment or makes the data unreadable in accordance with the procedure, and makes sure that the action has been done successfully.
Basic:
- The organization deletes data that has been saved in its IoT devices or servers to be scrapped, or makes the data unreadable.
3.8.4 Sanitize or destroy system media containing CUI before disposal or release for reuse.
NIST SP 800-53 relevant security controls: MP-3 Media Marking

CPS.AM-6: Classify and prioritize resources (e.g., People, Components, Data, and System) by function, importance, and business value, and communicate to the organizations and people relevant to those resources in business.
Advanced:
- The organization considers business requirements and legal requirements which share or restrict data when classifying resources of the information system and industrial control system (data, components processing data, system, etc.).
- The person responsible for an asset is responsible for the classification of the data.
- The organization includes classification rules and standards for reviewing classifications after time passes in a resource classification system.
Basic:
- The organization sets priorities on identified information assets according to importance to the organization.
- When related laws or regulations require the organization to follow a certain classification for its resources (e.g., system and data), apply an appropriate classification to the asset.
3.8.5  Control access to media containing CUI and maintain accountability for media during transport outside of controlled areas.
  NIST SP 800-53 controls: ・MP-5 Media Transport
  CPSF measure requirement CPS.AM-1: Document and manage appropriately the list of hardware and software, and management information (e.g., name of asset, version, network address, name of asset manager, license information) of components in the system.
  Example of security measures:
    Advanced
    ‐ Maintain/manage lists including configuration information of assets (e.g., names, version information, license information, and location) by reviewing and updating them periodically.
    ‐ The organization makes a list of removable media (e.g., USB memory sticks) that can be used on system components (information system or industrial control system), and manages their use.
    ‐ The organization uses only removable media (e.g., USB memory) permitted in the organization. Also, if there is no identifiable owner of a portable storage device, the organization prohibits the use of such devices.
    ‐ The organization controls access to the media that contain highly confidential data, and properly grasps and manages the usage of media taken outside of the controlled areas.
    Basic
    ‐ The organization identifies assets constituting its information system and industrial control system (hardware, software and information), assigns a responsible person to each asset, and documents a list of them.
    ‐ It is desirable to list all the assets held, but if the target is huge, consider narrowing down the target assets through integration (grouping) of the analysis target and exclusion from the analysis target.
    ‐ The organization sets priorities for the identified assets based on their importance in its business operation.

3.8.6  Implement cryptographic mechanisms to protect the confidentiality of information stored on digital media during transport outside of controlled areas unless otherwise protected by alternative physical safeguards.
  NIST SP 800-53 controls: ・MP-5(4) Media Transport | Cryptographic Protection
  CPSF measure requirement CPS.DS-2: Encrypt information with an appropriate level of security strength, and store it.
  Example of security measures:
    H-Advanced
    ‐ The organization selects products that have been validated under the Cryptographic Module Validation Program (CMVP) in order to suitably implement the selected algorithms in software and hardware, and to protect keys, identification codes, and entity authentication information that is used to decrypt encrypted information or to generate electronic signatures.
    Further examples
    ‐ The organization protects and encrypts data to the appropriate strength when that data is taken outside of the organization.
    ‐ The organization uses IoT devices that can encrypt and store data in internal memory.

D-2-15
Appendix D.2 - Mapping NIST SP 800-171 to CPSF

Table columns: FAMILY | NIST SP 800-171 ID | Security Requirements | NIST SP 800-53 Relevant Security Controls referred from NIST SP 800-171 | Cyber/Physical Security Framework Measure Requirement ID | Measure Requirement | Example of Security Measures
3.8.7  Control the use of removable media on system components.
  NIST SP 800-53 controls: ・MP-7 Media Use
  CPSF measure requirement CPS.AM-1: Document and manage appropriately the list of hardware and software, and management information (e.g., name of asset, version, network address, name of asset manager, license information) of components in the system.
  Example of security measures:
    Advanced
    ‐ Maintain/manage lists including configuration information of assets (e.g., names, version information, license information, and location) by reviewing and updating them periodically.
    ‐ The organization makes a list of removable media (e.g., USB memory sticks) that can be used on system components (information system or industrial control system), and manages their use.
    ‐ The organization uses only removable media (e.g., USB memory) permitted in the organization. Also, if there is no identifiable owner of a portable storage device, the organization prohibits the use of such devices.
    ‐ The organization controls access to the media that contain highly confidential data, and properly grasps and manages the usage of media taken outside of the controlled areas.
    Basic
    ‐ The organization identifies assets constituting its information system and industrial control system (hardware, software and information), assigns a responsible person to each asset, and documents a list of them.
    ‐ It is desirable to list all the assets held, but if the target is huge, consider narrowing down the target assets through integration (grouping) of the analysis target and exclusion from the analysis target.
    ‐ The organization sets priorities for the identified assets based on their importance in its business operation.
3.8.8  Prohibit the use of portable storage devices when such devices have no identifiable owner.
  NIST SP 800-53 controls: ・MP-7(1) Media Use | Prohibit Use Without Owner
  CPSF measure requirement CPS.AM-1: Document and manage appropriately the list of hardware and software, and management information (e.g., name of asset, version, network address, name of asset manager, license information) of components in the system.
  Example of security measures:
    Advanced
    ‐ Maintain/manage lists including configuration information of assets (e.g., names, version information, license information, and location) by reviewing and updating them periodically.
    ‐ The organization makes a list of removable media (e.g., USB memory sticks) that can be used on system components (information system or industrial control system), and manages their use.
    ‐ The organization uses only removable media (e.g., USB memory) permitted in the organization. Also, if there is no identifiable owner of a portable storage device, the organization prohibits the use of such devices.
    ‐ The organization controls access to the media that contain highly confidential data, and properly grasps and manages the usage of media taken outside of the controlled areas.
    Basic
    ‐ The organization identifies assets constituting its information system and industrial control system (hardware, software and information), assigns a responsible person to each asset, and documents a list of them.
    ‐ It is desirable to list all the assets held, but if the target is huge, consider narrowing down the target assets through integration (grouping) of the analysis target and exclusion from the analysis target.
    ‐ The organization sets priorities for the identified assets based on their importance in its business operation.
3.8.9  Protect the confidentiality of backup CUI at storage locations.
  NIST SP 800-53 controls: ・CP-9 System Backup
  CPSF measure requirement CPS.IP-4: Perform a periodical system backup and testing of components (e.g., IoT devices, communication devices, and circuits).
  Example of security measures:
    Advanced
    ‐ The organization backs up its system documents according to the prescribed timing and frequency.
    ‐ The organization protects the confidentiality, integrity, and availability of the information backed up at the storage location.
    Basic
    ‐ The organization backs up user-level and system-level information that is included in its information systems or industrial control systems according to the prescribed timing and frequency.
PERSONNEL SECURITY

3.9.1  Screen individuals prior to authorizing access to organizational systems containing CUI.
  NIST SP 800-53 controls: ・PS-3 Personnel Screening ・PS-4 Personnel Termination ・PS-5 Personnel Transfer
  CPSF measure requirement CPS.IP-9: Include items concerning security (e.g., deactivating access authorization and personnel screening) when roles change due to personnel transfer.
  Example of security measures:
    Advanced
    ‐ The organization makes changes to its staff members’ rights to access certain systems and/or rooms on the premises when they are reshuffled or transferred internally.
    ‐ To minimize impacts when a staff member leaves the organization, designate backup members for important duties performed as a supplier, including operation and maintenance.
    ‐ The organization identifies conditions in which re-screening is required, such as changes in access authority to its own systems, and re-screens if necessary.
    ‐ The organization conducts an interview on information security when personnel leave.
    ‐ The organization ensures that responsibilities for security are met, particularly by personnel handling sensitive information, throughout the whole process from hiring to retirement.
    ‐ The organization identifies the security responsibilities of personnel in the employment contract. The organization states that this responsibility should be sustained for a reasonable period of time after the termination of employment, in order to prevent information leakage after the termination of employment.
    Basic
    ‐ The organization reviews a staff member before granting him or her access to its systems.
    ‐ The organization conducts the following when a staff member resigns or retires:
      ‐ Disables the staff member’s access to its systems within a certain period;
      ‐ Disables the authentication and credentials related to the staff member;
      ‐ Collects all security-relevant system-related items that the staff member has used;
      ‐ Retains access to the information about the organization and information systems that have been managed by the individual who is leaving.
3.9.2  Ensure that CUI and organizational systems containing CUI are protected during and after personnel actions such as terminations and transfers.
  NIST SP 800-53 controls: ・PS-3 Personnel Screening ・PS-4 Personnel Termination ・PS-5 Personnel Transfer
  CPSF measure requirement CPS.IP-9: Include items concerning security (e.g., deactivating access authorization and personnel screening) when roles change due to personnel transfer.
  Example of security measures:
    Advanced
    ‐ The organization makes changes to its staff members’ rights to access certain systems and/or rooms on the premises when they are reshuffled or transferred internally.
    ‐ To minimize impacts when a staff member leaves the organization, designate backup members for important duties performed as a supplier, including operation and maintenance.
    ‐ The organization identifies conditions in which re-screening is required, such as changes in access authority to its own systems, and re-screens if necessary.
    ‐ The organization conducts an interview on information security when personnel leave.
    ‐ The organization ensures that responsibilities for security are met, particularly by personnel handling sensitive information, throughout the whole process from hiring to retirement.
    ‐ The organization identifies the security responsibilities of personnel in the employment contract. The organization states that this responsibility should be sustained for a reasonable period of time after the termination of employment, in order to prevent information leakage after the termination of employment.
    Basic
    ‐ The organization reviews a staff member before granting him or her access to its systems.
    ‐ The organization conducts the following when a staff member resigns or retires:
      ‐ Disables the staff member’s access to its systems within a certain period;
      ‐ Disables the authentication and credentials related to the staff member;
      ‐ Collects all security-relevant system-related items that the staff member has used;
      ‐ Retains access to the information about the organization and information systems that have been managed by the individual who is leaving.
PHYSICAL PROTECTION

3.10.1  Limit physical access to organizational systems, equipment, and the respective operating environments to authorized individuals.
  NIST SP 800-53 controls: ・PE-2 Physical Access Authorizations ・PE-5 Access Control for Output Devices ・PE-6 Monitoring Physical Access
  CPSF measure requirement CPS.AC-2: Implement appropriate physical security measures such as locking and limiting access to the areas where the IoT devices and servers are installed, using entrance and exit controls, biometric authentication, deploying surveillance cameras, and inspecting belongings and body weight.
  Example of security measures:
    Basic
    ‐ The organization maintains the access list for areas where its IoT devices and servers are located and issues the permission certificates necessary for access.
    ‐ The organization defines physical security boundaries at its facilities, and implements access control according to the security requirements of the assets placed within the boundaries and the results of risk assessment.
    ‐ The organization monitors the work of temporarily authorized parties within the physical security boundaries, such as by authorized attendants or monitoring cameras.

D-2-16
3.10.2  Protect and monitor the physical facility and support infrastructure for organizational systems.
  NIST SP 800-53 controls: ・PE-2 Physical Access Authorizations ・PE-5 Access Control for Output Devices ・PE-6 Monitoring Physical Access
  CPSF measure requirement CPS.AC-2: Implement appropriate physical security measures such as locking and limiting access to the areas where the IoT devices and servers are installed, using entrance and exit controls, biometric authentication, deploying surveillance cameras, and inspecting belongings and body weight.
  Example of security measures:
    Advanced
    ‐ The organization monitors physical access to the areas within the physical security boundaries and regularly reviews the audit log.
    ‐ The organization keeps records of visitors’ access to the areas within the physical security boundaries and regularly reviews them.
  CPSF measure requirement CPS.CM-2: Perform setting, recording, and monitoring of proper physical access, considering the importance of IoT devices and servers.
  Example of security measures:
    Advanced
    ‐ If a physical access log from access control is available while 24-hour monitoring is not conducted through security cameras or by any other means, the organization reviews the relevant audit log regularly or when an incident or a sign of an incident appears.
    ‐ A person in charge accompanies a visitor into any area where the organization’s assets that must be protected are directly accessible (e.g., an office) in order to monitor the visitor’s behavior.
    ‐ The organization monitors, through security cameras or by other means, physical access to its facilities that are vital for its operations and house IoT devices and servers, thereby enabling early detection of any physical security incident and immediate action.
    ‐ If the above physical security measures are difficult to implement for items such as IoT devices and servers that are critical to the organization’s operation because they are in a remote location or for any other reason, consider using tamper-resistant equipment (CPS.DS-6) or taking any other appropriate measure to enhance the physical security properties of the equipment itself.
    ‐ If the organization is unable to control access to, or provide video surveillance for, the areas that should allow only limited physical access because of cost or other reasons, it takes alternative manual measures, such as having its employee in charge accompany a visitor on the premises.
    Basic
    ‐ The organization implements physical security measures to control access to designated areas in the facility that the general public is not allowed to access.
    ‐ The organization verifies the access authority of personnel before permitting physical access, and collects and manages the records of entry and exit.

3.10.3  Escort visitors and monitor visitor activity.
  NIST SP 800-53 controls: ・PE-3 Physical Access Control
  CPSF measure requirement CPS.AC-2: Implement appropriate physical security measures such as locking and limiting access to the areas where the IoT devices and servers are installed, using entrance and exit controls, biometric authentication, deploying surveillance cameras, and inspecting belongings and body weight.
  Example of security measures:
    Basic
    ‐ The organization maintains the access list for areas where its IoT devices and servers are located and issues the permission certificates necessary for access.
    ‐ The organization defines physical security boundaries at its facilities, and implements access control according to the security requirements of the assets placed within the boundaries and the results of risk assessment.
    ‐ The organization monitors the work of temporarily authorized parties within the physical security boundaries, such as by authorized attendants or monitoring cameras.

3.10.4  Maintain audit logs of physical access.
  NIST SP 800-53 controls: ・PE-3 Physical Access Control
  CPSF measure requirement CPS.AC-2: Implement appropriate physical security measures such as locking and limiting access to the areas where the IoT devices and servers are installed, using entrance and exit controls, biometric authentication, deploying surveillance cameras, and inspecting belongings and body weight.
  Example of security measures:
    Advanced
    ‐ The organization monitors physical access to the areas within the physical security boundaries and regularly reviews the audit log.
    ‐ The organization keeps records of visitors’ access to the areas within the physical security boundaries and regularly reviews them.
  CPSF measure requirement CPS.CM-2: Perform setting, recording, and monitoring of proper physical access, considering the importance of IoT devices and servers.
  Example of security measures:
    Advanced
    ‐ If a physical access log from access control is available while 24-hour monitoring is not conducted through security cameras or by any other means, the organization reviews the relevant audit log regularly or when an incident or a sign of an incident appears.
    ‐ A person in charge accompanies a visitor into any area where the organization’s assets that must be protected are directly accessible (e.g., an office) in order to monitor the visitor’s behavior.
    ‐ The organization monitors, through security cameras or by other means, physical access to its facilities that are vital for its operations and house IoT devices and servers, thereby enabling early detection of any physical security incident and immediate action.
    ‐ If the above physical security measures are difficult to implement for items such as IoT devices and servers that are critical to the organization’s operation because they are in a remote location or for any other reason, consider using tamper-resistant equipment (CPS.DS-6) or taking any other appropriate measure to enhance the physical security properties of the equipment itself.
    ‐ If the organization is unable to control access to, or provide video surveillance for, the areas that should allow only limited physical access because of cost or other reasons, it takes alternative manual measures, such as having its employee in charge accompany a visitor on the premises.
    Basic
    ‐ The organization implements physical security measures to control access to designated areas in the facility that the general public is not allowed to access.
    ‐ The organization verifies the access authority of personnel before permitting physical access, and collects and manages the records of entry and exit.
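One way to carry out the audit-log review that CPS.AC-2 and CPS.CM-2 call for under 3.10.4, as an added example that is not part of the Framework: it checks a badge-reader entry/exit log against the area access list and the visitor register, and reports entries by badges that are not on the list, visitors entering without their registered escort present, and entries with no matching exit record. All badge IDs, area names and log lines are constructed.

```python
"""Review a physical access log against the access list and visitor register.

Added example (not part of the CPSF text). Every badge ID, area and log
line below is constructed for illustration.
"""
from collections import defaultdict
from datetime import datetime

# Constructed access list (CPS.AC-2 Basic): area -> badges authorized for it.
ACCESS_LIST = {
    "SERVER_ROOM": {"B1001", "B1002"},
    "IOT_LAB": {"B1001", "B1003"},
}

# Constructed visitor register (CPS.AC-2 Advanced): visitor badge -> (escort, area).
VISITOR_REGISTER = {
    "V2001": ("B1002", "SERVER_ROOM"),
    "V2002": ("B1003", "IOT_LAB"),
}

# Constructed badge-reader log, one event per line: timestamp;badge;area;ENTRY|EXIT
SAMPLE_LOG = """\
2024-03-01T09:00:00;B1001;SERVER_ROOM;ENTRY
2024-03-01T09:05:00;B1002;SERVER_ROOM;ENTRY
2024-03-01T09:06:00;V2001;SERVER_ROOM;ENTRY
2024-03-01T09:40:00;V2001;SERVER_ROOM;EXIT
2024-03-01T09:41:00;B1002;SERVER_ROOM;EXIT
2024-03-01T10:00:00;B1003;SERVER_ROOM;ENTRY
2024-03-01T10:20:00;B1003;SERVER_ROOM;EXIT
2024-03-01T11:00:00;V2002;IOT_LAB;ENTRY
2024-03-01T11:30:00;V2002;IOT_LAB;EXIT
2024-03-01T12:00:00;B1001;SERVER_ROOM;EXIT
2024-03-01T13:00:00;B1003;IOT_LAB;ENTRY
"""


def parse_log(text):
    """Parse the ';'-separated log into event dicts sorted by time."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        ts, badge, area, kind = line.split(";")
        events.append({"time": datetime.fromisoformat(ts), "badge": badge,
                       "area": area, "event": kind})
    events.sort(key=lambda e: e["time"])
    return events


def review_access_log(events, access_list, visitor_register):
    """Return (finding, badge, area, entry_time) tuples for the reviewer."""
    findings = []
    inside = defaultdict(dict)  # area -> {badge: entry time of who is inside}
    for ev in events:
        badge, area, when = ev["badge"], ev["area"], ev["time"].isoformat()
        if ev["event"] == "EXIT":
            inside[area].pop(badge, None)
            continue
        if badge in visitor_register:
            escort, allowed_area = visitor_register[badge]
            # A visitor may enter only the registered area, and only while the
            # registered escort (who must hold access there) is already inside.
            if (area != allowed_area or escort not in inside[area]
                    or escort not in access_list.get(area, set())):
                findings.append(("unescorted_visitor", badge, area, when))
        elif badge not in access_list.get(area, set()):
            # Entry by a badge that the area's access list does not authorize.
            findings.append(("unauthorized_entry", badge, area, when))
        inside[area][badge] = when  # physically inside either way
    # Anyone still inside at the end of the reviewed period has no exit record.
    for area, present in inside.items():
        for badge, when in sorted(present.items()):
            findings.append(("missing_exit", badge, area, when))
    return findings


def review_sample():
    """Run the review over the constructed log and registers."""
    return review_access_log(parse_log(SAMPLE_LOG), ACCESS_LIST, VISITOR_REGISTER)


if __name__ == "__main__":
    for finding in review_sample():
        print(finding)
```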

3.10.5  Control and manage physical access devices.
  NIST SP 800-53 controls: ・PE-3 Physical Access Control
  CPSF measure requirement CPS.AC-2: Implement appropriate physical security measures such as locking and limiting access to the areas where the IoT devices and servers are installed, using entrance and exit controls, biometric authentication, deploying surveillance cameras, and inspecting belongings and body weight.
  Example of security measures:
    Advanced
    ‐ The organization monitors physical access to the areas within the physical security boundaries and regularly reviews the audit log.
    ‐ The organization keeps records of visitors’ access to the areas within the physical security boundaries and regularly reviews them.
  CPSF measure requirement CPS.CM-2: Perform setting, recording, and monitoring of proper physical access, considering the importance of IoT devices and servers.
  Example of security measures:
    Advanced
    ‐ If a physical access log from access control is available while 24-hour monitoring is not conducted through security cameras or by any other means, the organization reviews the relevant audit log regularly or when an incident or a sign of an incident appears.
    ‐ A person in charge accompanies a visitor into any area where the organization’s assets that must be protected are directly accessible (e.g., an office) in order to monitor the visitor’s behavior.
    ‐ The organization monitors, through security cameras or by other means, physical access to its facilities that are vital for its operations and house IoT devices and servers, thereby enabling early detection of any physical security incident and immediate action.
    ‐ If the above physical security measures are difficult to implement for items such as IoT devices and servers that are critical to the organization’s operation because they are in a remote location or for any other reason, consider using tamper-resistant equipment (CPS.DS-6) or taking any other appropriate measure to enhance the physical security properties of the equipment itself.
    ‐ If the organization is unable to control access to, or provide video surveillance for, the areas that should allow only limited physical access because of cost or other reasons, it takes alternative manual measures, such as having its employee in charge accompany a visitor on the premises.
    Basic
    ‐ The organization implements physical security measures to control access to designated areas in the facility that the general public is not allowed to access.
    ‐ The organization verifies the access authority of personnel before permitting physical access, and collects and manages the records of entry and exit.

D-2-17
3.10.6  Enforce safeguarding measures for CUI at alternate work sites (e.g., telework sites).
  NIST SP 800-53 controls: ・PE-17 Alternate Work Site
  CPSF measure requirement CPS.AC-3: Properly authorize wireless connection destinations (including users, IoT devices, and servers).
  Example of security measures:
    H-Advanced
    ‐ The information system and the industrial control system automatically monitor or regulate remote access to the system.
    ‐ The information system and the industrial control system allow only remote access routed through the regulated access points.
    ‐ The information system allows privileged commands via remote access only for purposes based on specified requirements.
    ‐ The information system records the reasons why users accessing the system which handles highly confidential data execute privileged commands and access security information by remote access.
    ‐ The information system protects wireless access to the system which handles highly confidential data by using user and device authentication in addition to encryption.
    ‐ The information system blocks remote activation of devices such as whiteboards, cameras, and microphones connected via networks which may handle highly confidential data. An indication that such a device is in use is provided to its users.
RISK ASSESSMENT

3.11.1  Periodically assess the risk to organizational operations (including mission, functions, image, or reputation), organizational assets, and individuals, resulting from the operation of organizational systems and the associated processing, storage, or transmission of CUI.
  NIST SP 800-53 controls: ・RA-3 Risk Assessment
  CPSF measure requirement CPS.RA-4:
    - Conduct risk assessments regularly to check if the security rules for managing the components are effective and applicable to the components for implementation.
    - Check for the presence of unacceptable known security risks, including safety hazards, from the planning and design phase of an IoT device and of systems incorporating IoT devices.
  Example of security measures:
    Advanced
    ‐ The organization updates a risk assessment when there is a major change in a system or in the environment where the system is running (including identification of a new threat or vulnerability), or when any situation which impacts the security status of a system occurs.
    ‐ When planning/designing a new system using an IoT device, the organization identifies existing assets and assets to be protected in the system to be implemented, and organizes security measures according to the use and configuration of the system. When handling a component or a system with a long life cycle, or a component or a system requiring availability, considering security measures at a phase before design is especially important.
    ‐ When considering security measures applied to purchased products and services, the organization makes sure that the level of the measures corresponds to the importance of such products and services.
3.11.2  Scan for vulnerabilities in organizational systems and applications periodically and when new vulnerabilities affecting those systems and applications are identified.
  NIST SP 800-53 controls: ・RA-5 Vulnerability Scanning ・RA-5(5) Vulnerability Scanning | Privileged Access
  CPSF measure requirement CPS.CM-7: Confirm the existence of vulnerabilities that require a regular check-up in IoT devices and servers managed within the organization.
  Example of security measures:
    H-Advanced
    ‐ The organization conducts vulnerability diagnosis at planned timings, such as planned stops, so as not to adversely affect the operation of the systems it manages, and then identifies and lists the vulnerabilities that exist in the systems it owns.
    ‐ When using tools to conduct vulnerability diagnosis, the organization should use tools that can quickly update the vulnerability database for the system being diagnosed.
    ‐ The organization updates the vulnerability status of scanned systems regularly, or when newly identified weaknesses are reported.
    ‐ The organization implements a mechanism for authorizing privileged access to the relevant system components in connection with the specified vulnerability scanning.
    Advanced
    ‐ The organization has its systems and applications scanned for vulnerabilities regularly, or when any newly found weaknesses that affect the systems and/or applications are reported.
    ‐ The organization uses a tool for vulnerability scanning. Applying standard methods that meet the following means that part of the vulnerability management process can be automated:
      ‐ List defects in the platform and software, and wrong setups.
      ‐ Format a checklist and test procedure.
      ‐ Assess the impact of the vulnerability.
    ‐ The organization corrects identified weaknesses, through risk assessment, within an appropriate period.
    ‐ The organization shares the information acquired through the above process with other system administrators in the organization, thereby learning about similar weaknesses found in the other information systems, and corrects them as necessary.

    [Reference] Japan Vulnerability Notes (https://jvn.jp/) and other sources of information are available for obtaining information regarding vulnerabilities. Also, CVSS (https://www.ipa.go.jp/security/vuln/CVSS.html, explained by IPA) can be used as a reference indicator to evaluate the impact level of a vulnerability.
    Basic
    ‐ The organization regularly has its systems and applications scanned for vulnerabilities.
3.11.3  Remediate vulnerabilities in accordance with assessments of risk.
  NIST SP 800-53 controls: ・RA-5 Vulnerability Scanning
  CPSF measure requirement CPS.RA-6:
    - On the basis of the results of the risk assessment, clearly define the details of measures to prevent possible security risks, and document the organized outcome, including the scope and priorities of the measures.
    - React accordingly to the security risks and the associated safety risks identified as a result of the assessment conducted at the planning and design phase of an IoT device and of systems incorporating IoT devices.
  Example of security measures:
    Advanced
    ‐ The organization securely stores the documented information on its security risk management processes.
    ‐ When the organization selects a measure according to the risk assessment results, it is desirable that the organization documents the measure to be taken and the reason why the measure is adopted.
    ‐ When applying the measure, the organization formulates a security risk management plan and obtains approval from the risk owner.
    ‐ The organization reviews the security risk handling plan and checks that the plan conforms to the priority order of the entire organization’s risk management strategy.
    ‐ The organization informs the applicable external business operators of the security measures necessary for a new system including an IoT device, which are extracted in CPS.RA-4, as required specifications.
    ‐ The organization verifies whether the security measures defined in the required specifications and contracts are implemented at the time of deployment of the systems including an IoT device, via User Acceptance Test (UAT). If there is anything unclear, confirm with the external business operator.
    Basic
    ‐ The organization considers the risk assessment results and selects handling measures for the identified risks.
    ‐ The organization formulates a security risk treatment implementation plan.
    ‐ The organization obtains approval from the risk owner for acceptance of the security risk.
  CPSF measure requirement CPS.CM-7: Confirm the existence of vulnerabilities that require a regular check-up in IoT devices and servers managed within the organization.
  Example of security measures:
    Advanced
    ‐ The organization has its systems and applications scanned for vulnerabilities regularly, or when any newly found weaknesses that affect the systems and/or applications are reported.
    ‐ The organization uses a tool for vulnerability scanning. Applying standard methods that meet the following means that part of the vulnerability management process can be automated:
      ‐ List defects in the platform and software, and wrong setups.
      ‐ Format a checklist and test procedure.
      ‐ Assess the impact of the vulnerability.
    ‐ The organization corrects identified weaknesses, through risk assessment, within an appropriate period.
    ‐ The organization shares the information acquired through the above process with other system administrators in the organization, thereby learning about similar weaknesses found in the other information systems, and corrects them as necessary.

    [Reference] Japan Vulnerability Notes (https://jvn.jp/) and other sources of information are available for obtaining information regarding vulnerabilities. Also, CVSS (https://www.ipa.go.jp/security/vuln/CVSS.html, explained by IPA) can be used as a reference indicator to evaluate the impact level of a vulnerability.
    Basic
    ‐ The organization regularly has its systems and applications scanned for vulnerabilities.
SECURITY ASSESSMENT

3.12.1  Periodically assess the security controls in organizational systems to determine if the controls are effective in their application.
  NIST SP 800-53 controls: ・CA-2 Security Assessments ・CA-5 Plan of Action and Milestones ・CA-7 Continuous Monitoring ・PL-2 System Security Plan
  CPSF measure requirement CPS.IP-7: Assess the lessons learned from security incident response and the results of monitoring, measuring, and evaluating internal and external attacks, and improve the processes for protecting the assets.
  Example of security measures:
    Advanced
    ‐ The organization draws up a security assessment plan before the assessment is carried out that includes the following, so as to ensure that its security is assessed properly and systematically:
      ‐ Security measures to be assessed;
      ‐ Assessment procedures for measuring the effectiveness of the security measures;
      ‐ Settings and mechanisms for carrying out the security assessment;
      ‐ Methods of compiling the results of the security assessment and applying the results.
    Basic
    ‐ The organization regularly evaluates whether its security measures have achieved the expected results (i.e., security assessment) and reports the conclusions to the chief security officer, in addition to evaluating whether the measures are correctly implemented and managed.
    ‐ The organization makes improvements to its security measures based on the results of the security assessment.

D-2-18
Appendix D.2 - Mapping NIST SP 800-171 to CPSF

Columns: FAMILY | ID | NIST SP 800-171 Security Requirements | NIST SP 800-53 Relevant Security Controls referred from NIST SP 800-171 | Cyber/Physical Security Framework: Measure Requirement ID | Measure Requirement | Example of Security Measures
3.12.2
NIST SP 800-171 Security Requirement: Develop and implement plans of action designed to correct deficiencies and reduce or eliminate vulnerabilities in organizational systems.
NIST SP 800-53 Security Controls:
・CA-2 Security Assessments
・CA-5 Plan of Action and Milestones
・CA-7 Continuous Monitoring
・PL-2 System Security Plan
CPSF Measure Requirement: CPS.RA-6
- On the basis of the results of the risk assessment, clearly define the details of measures to prevent possible security risks, and document the organized outcome from the scope and priorities of the measures.
- React accordingly to the security risks and the associated safety risks identified as a result of the assessment conducted at the planning and design phase of an IoT device and systems incorporating IoT devices.
Example of Security Measures:
[Advanced]
‐ The organization securely stores the documented information on security risk management processes.
‐ When the organization selects a measure according to the risk assessment results, it is desirable that the organization documents the measure to be taken and the reason why the measure is adopted.
‐ When applying the measure, the organization formulates a security risk management plan and obtains an approval from the risk owner.
‐ The organization reviews the security risk handling plan and checks that the applicable plan conforms to the priority order of the entire organization’s risk management strategy.
‐ The organization informs applicable external business operators regarding security measures necessary for a new system including an IoT device which are extracted in CPS.RA-4 as required specifications.
‐ The organization verifies whether the security measures defined in the required specifications and contracts are implemented at the time of deployment of the systems including an IoT device via User Acceptance Test (UAT). If there is anything unclear, confirm with the external business operator.
3.12.3
NIST SP 800-171 Security Requirement: Monitor security controls on an ongoing basis to ensure the continued effectiveness of the controls.
NIST SP 800-53 Security Controls:
・CA-2 Security Assessments
・CA-5 Plan of Action and Milestones
・CA-7 Continuous Monitoring
・PL-2 System Security Plan
CPSF Measure Requirement: CPS.RA-4
- Conduct risk assessments regularly to check if the security rules for managing the components are effective and applicable to the components for implementation.
- Check the presence of unacceptable known security risks, including safety hazards, from the planning and design phase of an IoT device and systems incorporating IoT devices.
Example of Security Measures:
[H-Advanced]
‐ When developing a new device or a new component which may have an impact on a physical space such as components of an industrial control system, the organization collects/analyzes accident case studies of conventional products and others to identify safety-related hazards.
‐ The organization analyzes a situation where a hazard leads to harm and identifies the possibility of occurrence and the severity of the harm to estimate a possible risk especially regarding an industrial control system. At the time, it is desirable to check whether there is any hazard caused by a security issue.
‐ The organization updates the risk assessment if there is a significant change in the industrial control system or the environment in which it operates, or the other change that affects the security state of the industrial control system.
‐ The organization updates a risk assessment when there is a big change in a system or an environment where a system is running (including identification of a new threat or vulnerability) or when any situation which impacts the security status of a system occurs.
[Advanced]
‐ When planning/designing a new system using an IoT device, the organization identifies existing assets and assets to be protected in the system to be implemented and organizes security measures according to use and configuration of the system. When handling a component or a system with a long life cycle and a component or a system requiring availability, consideration in security measures at a phase before designing is especially important.
‐ When considering security measures applied to purchased products and services, the organization makes sure that the levels of measures correspond to the importance of such products and services.
[Basic]
‐ The organization defines a security risk assessment process and applies it periodically (e.g., once a year).
 ‐ Establish and maintain security risk criteria.
 ‐ Identify security risks in the following way.
  1) Clarify the target of analysis.
  2) Identify incidents (including changes in circumstances) and their causes.
 ‐ Analyze security risks in the following way.
  1) Evaluate possible results when the above identified risks occur.
  2) Evaluate the possibility of the actual occurrence of the above identified risks.
 ‐ Refer to the risk criteria, determine a risk level, and prioritize the risk.
‐ The organization documents and stores the information security risk assessment process.

[Reference] An “asset-based” method and a “business damage-based” method are known as security risk assessment methods.
CPSF Measure Requirement: CPS.AM-5 - Create and manage appropriately a list of external information systems where the organization’s assets are shared.
Example of Security Measures:
[H-Advanced]
‐ The system makes a list of external information services in use and manages the users, devices as well as services in use in real time.
‐ The system uses a mechanism to give notice to the system administrator when an unpermitted external information system service is detected.
[Advanced]
‐ The organization identifies functions, ports, protocols, and other services which are necessary for using services offered by external providers.
‐ The organization sets conditions for allowing other organizations which own or operate external information systems to do the following:
 a. Accessing an information system in the organization from an external information system
 b. Processing, saving, or transmitting information under the control of the organization using an external information system
‐ The organization restricts a use of storage in an external system the organization owns to an authorized one.

3.12.4
NIST SP 800-171 Security Requirement: Develop, document, and periodically update system security plans that describe system boundaries, system environments of operation, how security requirements are implemented, and the relationships with or connections to other systems.
NIST SP 800-53 Security Controls:
・CA-2 Security Assessments
・CA-5 Plan of Action and Milestones
・CA-7 Continuous Monitoring
・PL-2 System Security Plan
CPSF Measure Requirement: CPS.RA-6
- On the basis of the results of the risk assessment, clearly define the details of measures to prevent possible security risks, and document the organized outcome from the scope and priorities of the measures.
- React accordingly to the security risks and the associated safety risks identified as a result of the assessment conducted at the planning and design phase of an IoT device and systems incorporating IoT devices.
Example of Security Measures:
[Advanced]
‐ The organization securely stores the documented information on security risk management processes.
‐ When the organization selects a measure according to the risk assessment results, it is desirable that the organization documents the measure to be taken and the reason why the measure is adopted.
‐ When applying the measure, the organization formulates a security risk management plan and obtains an approval from the risk owner.
‐ The organization reviews the security risk handling plan and checks that the applicable plan conforms to the priority order of the entire organization’s risk management strategy.
‐ The organization informs applicable external business operators regarding security measures necessary for a new system including an IoT device which are extracted in CPS.RA-4 as required specifications.
‐ The organization verifies whether the security measures defined in the required specifications and contracts are implemented at the time of deployment of the systems including an IoT device via User Acceptance Test (UAT). If there is anything unclear, confirm with the external business operator.

3.13.1  FAMILY: SYSTEM AND COMMUNICATIONS PROTECTION
NIST SP 800-171 Security Requirement: Monitor, control, and protect communications (i.e., information transmitted or received by organizational systems) at the external boundaries and key internal boundaries of organizational systems.
NIST SP 800-53 Security Controls:
・SC-7 Boundary Protection
・SA-8 Security Engineering Principles
CPSF Measure Requirement: CPS.DS-9 - Properly control outbound communications that send information to be protected to prevent improper data breach.
Example of Security Measures:
[H-Advanced]
‐ The industrial control system shuts down, isolates the malicious code or notifies the administrator when detecting such code through IDS/IPS.
‐ The organization/system analyzes the regular patterns of its systems’ communication status and security alerts to create and use a profile that summarizes typical patterns of communication and security alerts, thereby enabling the detection of unknown threats and suspicious behavior (communication).
‐ The information system prevents fraudulent and unexpected transfer of information via common system resources.
[Advanced]
‐ The information system blocks or isolates any malicious code it detected through an IDS/IPS, or notifies the administrator of the code.
‐ The organization collects information including newly released attacking trends, malware behaviors, and malicious IP addresses/domains (external intelligence). When necessary, the organization executes responses to restrict communications to highly dangerous IP addresses or domains.
CPSF Measure Requirement: CPS.CM-1 - Conduct network and access monitoring and control at the contact points between corporate networks and wide area networks.
Example of Security Measures:
[H-Advanced]
‐ The information system routes communications to the network to which a recipient’s IP address belongs via a proxy server authenticated on a controlled interface.
‐ The information system and the industrial control system monitor and control the use of mobile code.
‐ The information system monitors and controls the use of protocols used for audio and video transmission (e.g. VoIP).
‐ The organization monitors and controls communications at the boundary between industrial control system and information system.
‐ The organization creates a network segment isolated from access to the internal network (“demilitarized zone [DMZ]”) between the internal network and external networks (e.g., the Internet).
[Advanced]
‐ The information system is connected to an external network or system only via a controlled interface that consists of a boundary protection system placed according to the organization’s security architecture.
‐ The information system ensures that each external communications service is provided via a controlled interface (e.g., a gateway, router, and firewall).
‐ The organization establishes a communications control policy for each controlled interface (e.g., a gateway, router, and firewall).
‐ The system on a controlled interface rejects network communication by default and permits it as an exception.
‐ The organization monitors communications at the external boundaries of the information system and at major internal boundaries within the information system for large amounts of communication from a particular source or multiple sources, and takes appropriate action when necessary (e.g., blocking of communication from a specific IP address).
[Basic]
‐ The organization monitors and controls communications on the information system’s external boundary as well as on the key internal boundary within the information system.

3.13.2
NIST SP 800-171 Security Requirement: Employ architectural designs, software development techniques, and systems engineering principles that promote effective information security within organizational systems.
NIST SP 800-53 Security Controls:
・SC-7 Boundary Protection
・SA-8 Security Engineering Principles
CPSF Measure Requirement: CPS.IP-3 - Introduce the system development life cycle to manage the systems.
Example of Security Measures:
[Basic]
‐ The organization applies the general rules of the system’s security engineering to specifications, design, development, introduction, and changes in building the system.
3.13.3
NIST SP 800-171 Security Requirement: Separate user functionality from system management functionality.
NIST SP 800-53 Security Controls:
・SC-2 Application Partitioning
CPSF Measure Requirement: CPS.AC-5 - Segregate duties and areas of responsibility properly (e.g. segregate user functions from system administrator functions).
Example of Security Measures:
[H-Advanced]
‐ The organization specifies administrators who use the security functions (e.g., access authority setting) and regulates privileged accounts in its system.
‐ The information system adopts a system monitoring mechanism to check the use of privileged functions.
‐ The information system prohibits non-privileged users from executing privileged functions on the system by invalidating, avoiding, and changing security measures that are changed and implemented by non-privileged users.
‐ The organization can minimize the number of users who can use the system administrator's authority in an emergency to minimize the damage caused by the security incident.
‐ The organization can prevent even system administrators from stopping critical services and protected processes through the server to minimize the damage caused by security incidents.
[Advanced]
‐ The organization implements access control in the information system and the industrial control system based on separation of duties (e.g., user / system administrator).
‐ The organization adopts a general rule on the minimum authority of specific duties.
  ‐ Segregate authority of general user from that of administrator.
    (Require users to use the system with a non-privileged account when using a non-security function.)
  ‐ Minimize authority for duties not in charge.
‐ The organization separates and stipulates duties that are assigned by the person in charge.
3.13.4
NIST SP 800-171 Security Requirement: Prevent unauthorized and unintended information transfer via shared system resources.
NIST SP 800-53 Security Controls:
・SC-4 Information in Shared Resources
CPSF Measure Requirement: CPS.DS-9 - Properly control outbound communications that send information to be protected to prevent improper data breach.
Example of Security Measures:
[H-Advanced]
‐ The industrial control system shuts down, isolates the malicious code or notifies the administrator when detecting such code through IDS/IPS.
‐ The organization/system analyzes the regular patterns of its systems’ communication status and security alerts to create and use a profile that summarizes typical patterns of communication and security alerts, thereby enabling the detection of unknown threats and suspicious behavior (communication).
‐ The information system prevents fraudulent and unexpected transfer of information via common system resources.

3.13.5
NIST SP 800-171 Security Requirement: Implement subnetworks for publicly accessible system components that are physically or logically separated from internal networks.
NIST SP 800-53 Security Controls:
・SC-7 Boundary Protection
CPSF Measure Requirement: CPS.AC-7 - Develop a policy about controlling data flow, and according that protect the integrity of the network by means such as appropriate network isolation (e.g., development and test environment vs. production environment, and environment incorporates IoT devices vs. other environments within the organization).
Example of Security Measures:
[H-Advanced]
‐ The information system and the industrial control system monitor and control communications on the networks composing internal business systems of the organization.
‐ Regarding the network which the system that handles highly confidential data is connected to, the organization shall deny network communications as a default and shall only allow connection of approved communication traffic.
‐ The organization physically or logically separates the network of high importance industrial control systems from the network of control systems with lower importance.
‐ If the information system that handles highly confidential data is connected to a remote device, the organization is to prevent multiple and simultaneous local connections between the device and the system, as well as prevent access to external network resources by other connections.
[Basic]
‐ The organization establishes a data flow regulation policy that defines the range in which data flow within information systems and industrial control system is permitted and the range in which data flow between systems is permitted, and regulates the flow by segregating the network appropriately.
‐ The organization logically or physically segments the control system's network from the network composing of the information system.

[Reference] Implement physical segmentation in environments physically separated from other networks. Alternatively, in environments physically close to other networks, it is possible to implement logical segmentation in consideration of the cost of the measure.
CPSF Measure Requirement: CPS.CM-1 - Conduct network and access monitoring and control at the contact points between corporate networks and wide area networks.
Example of Security Measures:
[H-Advanced]
‐ The information system routes communications to the network to which a recipient’s IP address belongs via a proxy server authenticated on a controlled interface.
‐ The information system and the industrial control system monitor and control the use of mobile code.
‐ The information system monitors and controls the use of protocols used for audio and video transmission (e.g. VoIP).
‐ The organization monitors and controls communications at the boundary between industrial control system and information system.
‐ The organization creates a network segment isolated from access to the internal network (“demilitarized zone [DMZ]”) between the internal network and external networks (e.g., the Internet).
[Advanced]
‐ The information system is connected to an external network or system only via a controlled interface that consists of a boundary protection system placed according to the organization’s security architecture.
‐ The information system ensures that each external communications service is provided via a controlled interface (e.g., a gateway, router, and firewall).
‐ The organization establishes a communications control policy for each controlled interface (e.g., a gateway, router, and firewall).
‐ The system on a controlled interface rejects network communication by default and permits it as an exception.
‐ The organization monitors communications at the external boundaries of the information system and at major internal boundaries within the information system for large amounts of communication from a particular source or multiple sources, and takes appropriate action when necessary (e.g., blocking of communication from a specific IP address).
[Basic]
‐ The organization monitors and controls communications on the information system’s external boundary as well as on the key internal boundary within the information system.
3.13.6
NIST SP 800-171 Security Requirement: Deny network communications traffic by default and allow network communications traffic by exception (i.e., deny all, permit by exception).
NIST SP 800-53 Security Controls:
・SC-7(5) Boundary Protection | Deny by Default / Allow by Exception
CPSF Measure Requirement: CPS.AC-8 - Restrict communications by IoT devices and servers to those with entities (e.g. people, components, system, etc.) identified through proper procedures.
Example of Security Measures:
[Basic]
‐ The organization assigns identifiers to its IoT devices and servers, as well as managing the identification by preventing re-use of identifiers and invalidating identifiers after a certain period of time.
‐ Before connecting their IoT devices and servers to the network, the information system and the industrial control system prepare a mechanism that uniquely identifies and authenticates these devices.
‐ Communication using IoT devices is denied as default. The protocol to be used is authorized as an exception.
CPSF Measure Requirement: CPS.CM-1 - Conduct network and access monitoring and control at the contact points between corporate networks and wide area networks.
Example of Security Measures:
[H-Advanced]
‐ The information system routes communications to the network to which a recipient’s IP address belongs via a proxy server authenticated on a controlled interface.
‐ The information system and the industrial control system monitor and control the use of mobile code.
‐ The information system monitors and controls the use of protocols used for audio and video transmission (e.g. VoIP).
‐ The organization monitors and controls communications at the boundary between industrial control system and information system.
‐ The organization creates a network segment isolated from access to the internal network (“demilitarized zone [DMZ]”) between the internal network and external networks (e.g., the Internet).
[Advanced]
‐ The information system is connected to an external network or system only via a controlled interface that consists of a boundary protection system placed according to the organization’s security architecture.
‐ The information system ensures that each external communications service is provided via a controlled interface (e.g., a gateway, router, and firewall).
‐ The organization establishes a communications control policy for each controlled interface (e.g., a gateway, router, and firewall).
‐ The system on a controlled interface rejects network communication by default and permits it as an exception.
‐ The organization monitors communications at the external boundaries of the information system and at major internal boundaries within the information system for large amounts of communication from a particular source or multiple sources, and takes appropriate action when necessary (e.g., blocking of communication from a specific IP address).
3.13.7
NIST SP 800-171 Security Requirement: Prevent remote devices from simultaneously establishing non-remote connections with organizational systems and communicating via some other connection to resources in external networks (i.e. split tunneling).
NIST SP 800-53 Security Controls:
・SC-7(7) Boundary Protection | Prevent Split Tunneling for Remote Devices
CPSF Measure Requirement: CPS.AC-7 - Develop a policy about controlling data flow, and according that protect the integrity of the network by means such as appropriate network isolation (e.g., development and test environment vs. production environment, and environment incorporates IoT devices vs. other environments within the organization).
Example of Security Measures:
[H-Advanced]
‐ The information system and the industrial control system monitor and control communications on the networks composing internal business systems of the organization.
‐ Regarding the network which the system that handles highly confidential data is connected to, the organization shall deny network communications as a default and shall only allow connection of approved communication traffic.
‐ The organization physically or logically separates the network of high importance industrial control systems from the network of control systems with lower importance.
‐ If the information system that handles highly confidential data is connected to a remote device, the organization is to prevent multiple and simultaneous local connections between the device and the system, as well as prevent access to external network resources by other connections.
3.13.8
NIST SP 800-171 Security Requirement: Implement cryptographic mechanisms to prevent unauthorized disclosure of CUI during transmission unless otherwise protected by alternative physical safeguards.
NIST SP 800-53 Security Controls:
・SC-8 Transmission Confidentiality and Integrity
・SC-8(1) Transmission Confidentiality and Integrity | Cryptographic or Alternate Physical Protection
CPSF Measure Requirement: CPS.DS-2 - Encrypt information with an appropriate level of security strength, and store them.
Example of Security Measures:
[H-Advanced]
‐ The organization selects products that have been authenticated based on Cryptographic Module Validation Program (CMVP) in order to suitably implement selected algorithms to software and hardware, and to protect keys, identification codes, and entity authentication information that is used to decrypt encrypted information or to grant electronic signatures.
‐ The organization protects and encrypts data to the appropriate strength when that data is taken outside of the organization.
‐ The organization uses IoT devices that can encrypt and store data in internal memory.
[Advanced]
‐ The organization examines safety and trustworthiness that are necessary, selects an algorithm, encrypts information (data) to the appropriate strength, and stores the information. If an algorithm on the CRYPTREC Ciphers List can be selected, the organization uses it to encrypt information (data) to the appropriate strength and stores the information.
‐ The organization considers the level of security and trustworthiness required for the information, chooses an algorithm, and encrypts and stores high importance information handled by industrial control systems with appropriate strength without causing unacceptable impact on performance.

[Reference] Regarding encryption technologies whose security and implementation performance are confirmed, "Cryptography Research and Evaluation Committees (CRYPTREC)" releases to the public the list of such technologies recommended for use that are sufficiently used in the market or are considered to spread in the future. It is desirable that the organization should refer to the list as needed when procuring systems that should implement encryption functions.

3.13.9
NIST SP 800-171 Security Requirement: Terminate network connections associated with communications sessions at the end of the sessions or after a defined period of inactivity.
NIST SP 800-53 Security Controls:
・SC-10 Network Disconnect
CPSF Measure Requirement: CPS.CM-6 - As part of the configuration management of devices, constantly manage software configuration information, status of network connections (e.g., presence/absence of connections and access destination), and information transmission/reception status between other “organization”, people, components, and systems.
Example of Security Measures:
[Advanced]
‐ It is desirable that the organization should update the list of information about its assets and configurations when it installs or deletes new assets or when it updates its system.
‐ The information system ensures that each external communications service is provided via a controlled interface (e.g., a gateway, router, and firewall).
‐ The organization establishes a communications control policy for each controlled interface (e.g., a gateway, router, and firewall).
‐ The system on a controlled interface rejects network communication by default and permits it as an exception.
‐ The information system and the industrial control system terminate the network connection after a session ends, or when a session remains inactive for a certain length of time.
‐ The organization monitors communication on controlled interfaces in order to detect any communication to unapproved items or systems, or communication that conveys an inappropriate content.
3.13.10
NIST SP 800-171 Security Requirement: Establish and manage cryptographic keys for cryptography employed in organizational systems.
NIST SP 800-53 Security Controls:
・SC-12 Cryptographic Key Establishment and Management
CPSF Measure Requirement: CPS.DS-5 - Securely control encryption keys throughout their life cycle to ensure proper operation and securely transmitted, received and stored data.
Example of Security Measures:
[Advanced]
‐ It is desirable that the organization should set out a policy and procedure regarding the following items to take immediate and appropriate measures when the private key is imperiled.
 ‐ A structure to take measures against imperilment of the private key (including the stakeholders, roles, cooperation with contractors)
 ‐ Criteria to judge whether the private key is imperiled or is in danger of imperilment
 ‐ To investigate the cause of imperilment of the private key, and to attempt to remove the cause
 ‐ Suspension of the services using the key
 ‐ To create a new pair of keys and issue a certificate for the new key
 ‐ Disclosure of information regarding imperilment of the private key (Notified parties, a method of notification, disclosure policy, etc.)

[Reference] It is desirable to refer to the group of standards of ISO/IEC 11770, NIST SP 800-57 Part 1 Rev.4, and so on for the details about key management.
[Basic]
‐ It is desirable that the organization should protect all encryption keys from modification and loss.
3.13.11
NIST SP 800-171 Security Requirement: Employ FIPS-validated cryptography when used to protect the confidentiality of CUI.
NIST SP 800-53 Security Controls:
・SC-13 Cryptographic Protection
CPSF Measure Requirement: CPS.DS-2 - Encrypt information with an appropriate level of security strength, and store them.
Example of Security Measures:
[H-Advanced]
‐ The organization selects products that have been authenticated based on Cryptographic Module Validation Program (CMVP) in order to suitably implement selected algorithms to software and hardware, and to protect keys, identification codes, and entity authentication information that is used to decrypt encrypted information or to grant electronic signatures.
‐ The organization protects and encrypts data to the appropriate strength when that data is taken outside of the organization.
‐ The organization uses IoT devices that can encrypt and store data in internal memory.
[Advanced]
‐ The organization examines safety and trustworthiness that are necessary, selects an algorithm, encrypts information (data) to the appropriate strength, and stores the information. If an algorithm on the CRYPTREC Ciphers List can be selected, the organization uses it to encrypt information (data) to the appropriate strength and stores the information.
‐ The organization considers the level of security and trustworthiness required for the information, chooses an algorithm, and encrypts and stores high importance information handled by industrial control systems with appropriate strength without causing unacceptable impact on performance.

[Reference] Regarding encryption technologies whose security and implementation performance are confirmed, "Cryptography Research and Evaluation Committees (CRYPTREC)" releases to the public the list of such technologies recommended for use that are sufficiently used in the market or are considered to spread in the future. It is desirable that the organization should refer to the list as needed when procuring systems that should implement encryption functions.
3.13.12
NIST SP 800-171 Security Requirement: Prohibit remote activation of collaborative computing devices and provide indication of devices in use to users present at the device.
NIST SP 800-53 Security Controls:
・SC-15 Collaborative Computing Devices
CPSF Measure Requirement: CPS.AC-3 - Properly authorize wireless connection destinations (including users, IoT devices, and servers).
Example of Security Measures:
[H-Advanced]
‐ The information system and the industrial control system automatically monitor or regulate remote access to its system.
‐ The information system and the industrial control system allow only for remote access routed by the regulated access points.
‐ The information system allows privileged command via remote access only for those purposes based on specified requirements.
‐ The information system records reasons why the users accessing the system which handles highly confidential data execute privileged commands and access security information by remote access.
‐ The information system protects wireless access to the system which handles highly confidential data by using user and device authentication in addition to encryption.
‐ The information system blocks remote activation of devices such as white boards, cameras, and microphones connected via networks which may handle highly confidential data. Signs of the devices in use are provided to the users of these devices.
3.13.13
NIST SP 800-171 Security Requirement: Control and monitor the use of mobile code.
NIST SP 800-53 Security Controls:
・SC-18 Mobile Code
3.13.14
NIST SP 800-171 Security Requirement: Control and monitor the use of Voice over Internet Protocol (VoIP) technologies.
NIST SP 800-53 Security Controls:
・SC-19 Voice over Internet Protocol
CPSF Measure Requirement (for 3.13.13 and 3.13.14): CPS.CM-1 - Conduct network and access monitoring and control at the contact points between corporate networks and wide area networks.
Example of Security Measures:
[H-Advanced]
‐ The information system routes communications to the network to which a recipient’s IP address belongs via a proxy server authenticated on a controlled interface.
‐ The information system and the industrial control system monitor and control the use of mobile code.
‐ The information system monitors and controls the use of protocols used for audio and video transmission (e.g. VoIP).
3.13.15  Protect the authenticity of communications sessions.
  ・SC-23 Session Authenticity
  CPS.AC-3  Properly authorize wireless connection destinations and access security information by remote access (including users, IoT devices, and servers).
    H-Advanced
    ‐ The information system and the industrial control system automatically monitor or regulate remote access to the system.
    ‐ The information system and the industrial control system allow only remote access routed through the regulated access points.
    ‐ The information system allows privileged commands via remote access only for those purposes based on specified requirements.
    ‐ The information system records the reasons why users accessing the system which handles highly confidential data execute privileged commands.
    ‐ The information system protects wireless access to the system which handles highly confidential data by using user and device authentication in addition to encryption.
    ‐ The information system blocks remote activation of devices such as white boards, cameras, and microphones connected via networks which may handle highly confidential data. Signs that the devices are in use are provided to the users of these devices.
  CPS.DS-3  Encrypt the communication channel when communicating between IoT devices and servers or in cyberspace.
    H-Advanced
    ‐ The organization protects the networks composing the information system and industrial control system that handle important data by implementing encryption of communication channels or by alternative physical measures.
    Advanced
    ‐ The information system employs a cryptographic mechanism and encrypts communication paths.
    [Reference] For encryption of communication paths, there are several methods such as IP-VPN, IPsec-VPN, and SSL VPN. It is desirable that the organization should select the method considering the importance of the data transmitted in the communication paths, the budget, and so on.
3.13.16  Protect the confidentiality of CUI at rest.
  ・SC-28 Protection of Information at Rest
  CPS.DS-2  Encrypt information with an appropriate level of security strength, and store them.
    H-Advanced
    ‐ The organization selects products that have been authenticated under the Cryptographic Module Validation Program (CMVP) in order to suitably implement the selected algorithms in software and hardware, and to protect keys, identification codes, and entity authentication information that are used to decrypt encrypted information or to grant electronic signatures.
    ‐ The organization protects and encrypts data to the appropriate strength when that data is taken outside of the organization.
    ‐ The organization uses IoT devices that can encrypt and store data in internal memory.
    ‐ The organization examines the safety and trustworthiness that are necessary, selects an algorithm, encrypts information (data) to the appropriate strength, and stores the information. If an algorithm on the CRYPTREC Ciphers List can be selected, the organization uses it to encrypt information (data) to the appropriate strength and stores the information.
    Advanced
    ‐ The organization considers the level of security and trustworthiness required for the information, chooses an algorithm, and encrypts and stores high importance information handled by industrial control systems with appropriate strength without causing unacceptable impact on performance.
    [Reference] Regarding encryption technologies whose security and implementation performance are confirmed, the "Cryptography Research and Evaluation Committees (CRYPTREC)" releases to the public a list of such technologies recommended for use that are already widely used in the market or are expected to spread in the future. It is desirable that the organization should refer to the list as needed when procuring systems that should implement encryption functions.

D-2-22

Appendix D.2 - Mapping NIST SP 800-171 to CPSF

Table columns: NIST SP 800-171 (FAMILY; ID; Security Requirements) | NIST SP 800-53 Relevant Security Controls referred from NIST SP 800-171 (Security Controls) | Cyber/Physical Security Framework (Measure Requirement ID; Measure Requirement; Example of Security Measures)

SYSTEM AND INFORMATION INTEGRITY

3.14.1  Identify, report, and correct information and system flaws in a timely manner.
  ・SI-2 Flaw Remediation
  ・SI-3 Malicious Code Protection
  ・SI-5 Security Alerts, Advisories, and Directives
  CPS.AE-1  Establish and implement the procedure to identify and manage the baseline of network operations and expected information flows between people, goods, and systems.
    H-Advanced
    ‐ The organization uses a mechanism for automatically collecting information about network configurations and the software configurations of devices in order to monitor the most recent status at all times.
    ‐ The information system enforces the users' access rights approved (by the administrator) in order to control data flows within a system (and between interconnected systems).
    ‐ The organization physically or logically separates a network of industrial control systems with high importance from a network of industrial control systems with lower importance.
    ‐ The organization/system analyzes the regular patterns of its systems' communication status and security alerts to create and use a profile that summarizes typical patterns of communication and security alerts, thereby enabling the detection of unknown threats and suspicious behavior (communication).
3.14.2  Provide protection from malicious code at appropriate locations within organizational systems.
  ・SI-2 Flaw Remediation
  ・SI-3 Malicious Code Protection
  ・SI-5 Security Alerts, Advisories, and Directives
  CPS.CM-3  - Use IoT devices that can detect abnormal behaviors and suspend operations by comparing the instructed behaviors and actual ones.
            - Validate whether information provided from cyberspace contains malicious code, and is within the permissible range before any action based on the data.
    H-Advanced
    ‐ IoT devices, or systems that contain these devices, examine information output from software programs or applications to see if it matches the expected content in order to prepare for certain attacks that may have a consequence different from the normally expected outcome (e.g., command injection).
    ‐ The information system automatically updates the logic used to detect malicious code through an IDS/IPS.
    ‐ The information system detects exploit code that attacks unknown vulnerabilities by installing on endpoints (especially IoT devices and servers with various functions) detection/restoration software that uses behavioral detection of malware.
    ‐ The information system executes real-time scanning of files from external sources.
    Advanced
    ‐ The information system blocks or isolates any malicious code it detects through an IDS/IPS, or notifies the administrator of the code.
    ‐ The information system detects exploit code by installing on endpoints (IoT devices, servers, and so on) detection/restoration software that uses pattern matching of malware.
    ‐ The organization considers implementing whitelist-type malware protection for IoT devices with limited functions.
    * Especially regarding IoT devices and control devices, an OS to which anti-malware software can be applied may not be in use. It is desirable for the organization to confirm whether devices to be introduced are compatible with anti-malware software at the procurement phase and to select compatible ones. If it is difficult to procure devices compatible with anti-malware software, it is desirable to take alternative measures such as introducing/strengthening a malware detection mechanism on the network.
  CPS.IP-10  Develop a vulnerability remediation plan, and modify the vulnerability of the components according to the plan.
    Advanced
    ‐ The organization defines tolerable risk by identifying, through investigations and tests, the impacts of patch application on the functions of other software applications and services and on the operations of IoT devices and servers.
    ‐ The organization conducts tests to measure the effectiveness of corrections and the possibility of any secondary adverse effects, corrects the defects, and manages the corrections as part of configuration management.
3.14.3  Monitor system security alerts and advisories and take appropriate actions in response.
  ・SI-2 Flaw Remediation
  ・SI-3 Malicious Code Protection
  ・SI-5 Security Alerts, Advisories, and Directives
  CPS.CM-3  - Use IoT devices that can detect abnormal behaviors and suspend operations by comparing the instructed behaviors and actual ones.
            - Validate whether information provided from cyberspace contains malicious code, and is within the permissible range before any action based on the data.
    H-Advanced
    ‐ IoT devices, or systems that contain these devices, examine information output from software programs or applications to see if it matches the expected content in order to prepare for certain attacks that may have a consequence different from the normally expected outcome (e.g., command injection).
    ‐ The information system automatically updates the logic used to detect malicious code through an IDS/IPS.
    ‐ The information system detects exploit code that attacks unknown vulnerabilities by installing on endpoints (especially IoT devices and servers with various functions) detection/restoration software that uses behavioral detection of malware.
    ‐ The information system executes real-time scanning of files from external sources.
    Advanced
    ‐ The information system blocks or isolates any malicious code it detects through an IDS/IPS, or notifies the administrator of the code.
    ‐ The information system detects exploit code by installing on endpoints (IoT devices, servers, and so on) detection/restoration software that uses pattern matching of malware.
    ‐ The organization considers implementing whitelist-type malware protection for IoT devices with limited functions.
    * Especially regarding IoT devices and control devices, an OS to which anti-malware software can be applied may not be in use. It is desirable for the organization to confirm whether devices to be introduced are compatible with anti-malware software at the procurement phase and to select compatible ones. If it is difficult to procure devices compatible with anti-malware software, it is desirable to take alternative measures such as introducing/strengthening a malware detection mechanism on the network.
  CPS.IP-8  Share information regarding the effectiveness of data protection technologies with appropriate partners.
    H-Advanced
    ‐ The organization prepares, through an automated mechanism, a setting that enables it and its appropriate partners to interactively share new information about data protection technologies, or information about the effectiveness of those protection technologies, at just the right time.
    Advanced
    ‐ The organization prepares a setting that enables it to share new information about data protection technologies, or information about the effectiveness of those protection technologies, with its partners at just the right time.
3.14.4  Update malicious code protection mechanisms when new releases are available.
  ・SI-3 Malicious Code Protection
  CPS.AE-3  Identify the security events accurately by implementing the procedure to conduct a correlation analysis of the security events and comparative analysis with the threat information obtained from outside the organization.
    H-Advanced
    ‐ The organization conducts a trend analysis examining the latest information about threats, vulnerabilities, and assessments of security management measures carried out several times in order to determine whether the activities for continuous monitoring need any correction.
    ‐ The organization carries out policy tuning (management of the signatures to apply) and maintenance for devices such as IDS, IPS, and SIEM on its own.
    ‐ The organization creates custom signatures used for sensors on its own.
    ‐ In order to properly detect security events that are likely to adversely affect the organization, the organization collects and analyzes logs of edge devices such as IoT devices in addition to the logs of the devices presented in <Advanced>, if possible.
  CPS.CM-3  - Use IoT devices that can detect abnormal behaviors and suspend operations by comparing the instructed behaviors and actual ones.
            - Validate whether information provided from cyberspace contains malicious code, and is within the permissible range before any action based on the data.
    H-Advanced
    ‐ IoT devices, or systems that contain these devices, examine information output from software programs or applications to see if it matches the expected content in order to prepare for certain attacks that may have a consequence different from the normally expected outcome (e.g., command injection).
    ‐ The information system automatically updates the logic used to detect malicious code through an IDS/IPS.
    ‐ The information system detects exploit code that attacks unknown vulnerabilities by installing on endpoints (especially IoT devices and servers with various functions) detection/restoration software that uses behavioral detection of malware.
    ‐ The information system executes real-time scanning of files from external sources.
3.14.5  Perform periodic scans of organizational systems and real-time scans of files from external sources as files are downloaded, opened, or executed.
  ・SI-3 Malicious Code Protection
  CPS.CM-3  - Use IoT devices that can detect abnormal behaviors and suspend operations by comparing the instructed behaviors and actual ones.
            - Validate whether information provided from cyberspace contains malicious code, and is within the permissible range before any action based on the data.
    H-Advanced
    ‐ IoT devices, or systems that contain these devices, examine information output from software programs or applications to see if it matches the expected content in order to prepare for certain attacks that may have a consequence different from the normally expected outcome (e.g., command injection).
    ‐ The information system automatically updates the logic used to detect malicious code through an IDS/IPS.
    ‐ The information system detects exploit code that attacks unknown vulnerabilities by installing on endpoints (especially IoT devices and servers with various functions) detection/restoration software that uses behavioral detection of malware.
    ‐ The information system executes real-time scanning of files from external sources.
  CPS.CM-4  Validate the integrity and authenticity of the information provided from cyberspace before operations.
    H-Advanced
    ‐ The organization introduces the concept of "whitelisting" for data entry in order to specify the known items and systems considered trustworthy as the sources of input data, and the format allowed for the input data.
    ‐ IoT devices and servers begin communication with other IoT devices only after the devices are mutually authenticated successfully, so that the source of data is always clear.
    ‐ The information system and the industrial control system protect the authenticity of communications sessions.
    ‐ The information system uses an integrity verification tool to detect any unauthorized changes made to communications data transmitted from IoT devices and servers.
    Advanced
    ‐ IoT devices and servers that are acknowledged as critical to the organization's operations begin communication with other IoT devices only after the devices are mutually authenticated successfully, so that the source of data is always clear.

3.14.6  Monitor organizational systems, including inbound and outbound communications traffic, to detect attacks and indicators of potential attacks.
  ・SI-4 System Monitoring
  ・SI-4(4) System Monitoring | Inbound and Outbound Communications Traffic
  CPS.DS-9  Properly control outbound communications that send information to be protected to prevent improper data breach.
    H-Advanced
    ‐ The industrial control system shuts down or isolates the malicious code, or notifies the administrator, when detecting such code through an IDS/IPS.
    ‐ The organization/system analyzes the regular patterns of its systems' communication status and security alerts to create and use a profile that summarizes typical patterns of communication and security alerts, thereby enabling the detection of unknown threats and suspicious behavior (communication).
    Advanced
    ‐ The information system prevents fraudulent and unexpected transfer of information via common system resources.
    ‐ The information system blocks or isolates any malicious code it detects through an IDS/IPS, or notifies the administrator of the code.
    ‐ The organization collects information including newly released attack trends, malware behaviors, and malicious IP addresses/domains (external intelligence). When necessary, the organization executes responses to restrict communications to highly dangerous IP addresses, domains, and so on.
  CPS.AE-1  Establish and implement the procedure to identify and manage the baseline of network operations and expected information flows between people, goods, and systems.
    H-Advanced
    ‐ The organization uses a mechanism for automatically collecting information about network configurations and the software configurations of devices in order to monitor the most recent status at all times.
    ‐ The information system enforces the users' access rights approved (by the administrator) in order to control data flows within a system (and between interconnected systems).
    ‐ The organization physically or logically separates a network of industrial control systems with high importance from a network of industrial control systems with lower importance.
    ‐ The organization/system analyzes the regular patterns of its systems' communication status and security alerts to create and use a profile that summarizes typical patterns of communication and security alerts, thereby enabling the detection of unknown threats and suspicious behavior (communication).
  CPS.AE-2  Appoint a chief security officer, establish a security management team (SOC/CSIRT), and prepare a system within the organization to detect, analyze, and respond to security events.
    Advanced
    ‐ The organization refers to risk assessment results and, considering the following angles, establishes what to monitor and what to include in correlation analysis:
      ‐ The scope of systems to monitor
      ‐ Which device logs should be collected for analysis (see CPS.AE-3)
    ‐ The organization regularly reviews audit logs collected through monitoring.
    ‐ The organization continues to collect and manage information about assets, device configurations, and network configurations in order to evaluate its security status.
    ‐ The organization examines the results of correlation analysis and other data to accurately detect security events that must be addressed, and takes action in accordance with the security operation process. See CPS.RP-1 for details of the process.
    ‐ The organization regularly reports the state of organizational and system security to the chief security officer or other appropriate staff members. It is desirable that the regular report should include the following:
      ‐ Results of log analysis (e.g., the number of incidents handled; summaries of typical incidents that have been handled; threats that have emerged; issues in monitoring);
      ‐ Policy for future improvements in monitoring.
  CPS.CM-5  Monitor communication with external service providers so that potential security events can be detected properly.
    Advanced
    ‐ The organization documents its security requirements for the staff of its external service provider and system developer, and includes the requirements in the agreement.
    ‐ The organization requires its external service provider and system developer to contact it when any of their staff members who have authorizations for its system are transferred or when their employment terminates.
    ‐ It is desirable that the organization should manage changes to services offered by its external service provider, taking account of relevant information about operations, the importance of its business systems and processes, and re-assessed risks.
    ‐ The organization monitors whether its external service provider and system developer comply with the requirements.
    ‐ The organization monitors access to its system by its external service provider and system developer in order to detect any unauthorized access by these external businesses that results from an action or a failure to act.
    ‐ The organization reports the results of the monitoring of activities by its external service provider and system developer to the appropriate system administrator.
  CPS.CM-6  As part of the configuration management of devices, constantly manage software configuration information, status of network connections (e.g., presence/absence of connections and access destination), and information transmission/reception status between other "organizations", people, components, and systems.
    Advanced
    ‐ It is desirable that the organization should update its list of asset and configuration information when it installs or deletes assets or when it updates its system.
    ‐ The information system ensures that each external communications service is provided via a controlled interface (e.g., a gateway, router, or firewall).
    ‐ The organization establishes a communications control policy for each controlled interface (e.g., a gateway, router, or firewall).
    ‐ The system on a controlled interface rejects network communication by default and permits it only as an exception.
    ‐ The information system and the industrial control system terminate the network connection after a session ends, or when a session remains inactive for a certain length of time.
    ‐ The organization monitors communication on controlled interfaces in order to detect any communication to unapproved items or systems, or communication that conveys inappropriate content.
  CPS.DP-4  Continuously improve the process of detecting security events.
    Advanced
    ‐ The organization prepares and manages a procedure for regularly reporting the state of organizational and system security to its appropriate staff members (e.g., management). It is desirable that the organization should define the reporting as an occasion for becoming aware of the latest threats, or threats arising from remaining risks, so that the organization acts to enhance its security.
    ‐ For example, if alerts such as those shown below are issued and there is a sign of increasing security risks, raise the level of the system's monitoring activities based on information from reliable sources. * The list below is an excerpt from "Six Ws on cybersecurity information sharing for enhancing SOC/CSIRT Version 1.0" (ISOG-J, 2018).
      ・ Characteristics of the attack
        ➢ Form of the attack; contents of relevant communications
        ➢ Core attack code
      ・ Traces of the attack
        ➢ Contents of the damaged communications
        ➢ Logs that remain in the server or in the hands of clients
        ➢ Other characteristics that remain in the server or in the hands of clients
      ・ Detected names in the security products

3.14.7  Identify unauthorized use of organizational systems.
  ・SI-4 System Monitoring
  CPS.DS-9, CPS.AE-1, CPS.AE-2, CPS.CM-5, CPS.CM-6, CPS.DP-4: the measure requirements, levels, and examples of security measures for this row are identical to those listed under 3.14.6 above.

D.3 Mapping ISO/IEC 27001 controls to Cyber/Physical Security Framework
ISO/IEC 27001:2013 Annex A Cyber/Physical Security Framework
Measure
Security Controls ID Controls Measure Requirement Example of Security Measures
Requirement ID
A.5 Information security policies / A.5.1 Management direction for information security
A.5.1.1 Policies for information security: A set of policies for information security shall be defined, approved by management, published and communicated to employees and relevant external parties.

  CPS.BE-2: Define policies and standard measures regarding security that are consistent with the high-priority business and operations of the organization, and share them with parties relevant to the organization’s business (including suppliers and third-party providers).
    Advanced
    ‐ The organization defines its missions and business processes and gives priorities to actions, in consideration of risks to its business, its assets, persons, other organizations, etc.
    ‐ The organization informs other organizations of their roles and responsibilities specified in its security policies.

  CPS.GV-1: Develop security policies, define roles and responsibilities for security across the organization and other relevant parties, and clarify the information-sharing method among stakeholders.
    Advanced
    ‐ The organization formulates a series of lower level security policies, such as the policies and implementation procedures of the following individual topics, to support policies at a higher level.
      a) Access control and authentication
      b) Physical security measures
      c) System development and maintenance
      d) Management of external contractors
      e) Classification and handling of information
    ‐ The organization formulates a series of security policies by fully considering the organization’s a) business strategies, b) related rules, laws, regulations, and contracts, and c) environments under threats to security to sufficiently reflect the actual situation of the organization.
    ‐ The organization reviews and updates a security plan according to changes in its a) business strategies, b) related rules, laws, regulations, and contracts, and c) environments under threats to security.
    [Reference] To formulate a policy at a more detailed level, refer to related standards such as ISO/IEC 27002 for identification of fields which require the policy, and refer to more detailed guidelines.
    Basic
    ‐ The organization formulates a basic security policy at the highest level of its series of security policies, obtains an approval of the management, and operates it appropriately.
    ‐ The organization reviews and updates the security policy periodically (e.g., once a year).
A.5.1.2 Review of the policies for information security: The policies for information security shall be reviewed at planned intervals or if significant changes occur to ensure their continuing suitability, adequacy and effectiveness.

  CPS.RA-6:
    - On the basis of the results of the risk assessment, clearly define the details of measures to prevent possible security risks, and document the organized outcome from the scope and priorities of the measures.
    - React accordingly to the security risks and the associated safety risks identified as a result of the assessment conducted at the planning and design phase of an IoT device and systems incorporating IoT devices.
    H‐Advanced
    ‐ On the basis of the results of the hazard analysis performed in CPS.RA‐4, mainly for the industrial control system, the organization appropriately treats the source of a risk which may lead to a critical hazard as necessary.
    [Reference] Security integration in safety control has been particularly discussed in recent years in terms of international standardization, and IEC TR 63074, IEC TR 63069, etc., are available for reference.
    Advanced
    ‐ The organization securely stores the documented information on security risk management processes.
    ‐ When the organization selects a measure according to the risk assessment results, it is desirable that the organization documents the measure to be taken and the reason why the measure is adopted.
    ‐ When applying the measure, the organization formulates a security risk management plan and obtains an approval from the risk owner.
    ‐ The organization reviews the security risk handling plan and checks that the applicable plan conforms to the priority order of the entire organization’s risk management strategy.
    ‐ The organization informs applicable external business operators regarding security measures necessary for a new system including an IoT device which are extracted in CPS.RA‐4 as required specifications.
    ‐ The organization verifies whether the security measures defined in the required specifications and contracts are implemented at the time of deployment of the systems including an IoT device via User Acceptance Test (UAT). If there is anything unclear, confirm with the external business operator.
    Basic
    ‐ The organization considers the risk assessment results and selects handling measures to identified risks.
    ‐ The organization formulates a security risk treatment implementation plan.
    ‐ The organization obtains an approval from the risk owner for acceptance of the security risk.
A.6 Organization of information security / A.6.1 Internal organization
A.6.1.1 Information security roles and responsibilities: All information security responsibilities shall be defined and allocated.

  CPS.AM-5: Create and manage appropriately a list of external information systems where the organization’s assets are shared.
    H‐Advanced
    ‐ The system makes a list of external information services in use and manages the users, devices, and services in use in real time.
    ‐ The system uses a mechanism to give notice to the system administrator when an unpermitted external information system service is detected.
    Advanced
    ‐ The organization identifies functions, ports, protocols, and other services which are necessary for using services offered by external providers.
    ‐ The organization sets conditions for allowing other organizations which own or operate external information systems to do the following:
      a. Accessing an information system in the organization from an external information system
      b. Processing, saving, or transmitting information under the control of the organization using an external information system
    ‐ The organization restricts the use of storage in an external system the organization owns to an authorized one.
    Basic
    ‐ The organization makes a list of external information system services in use and defines roles and responsibilities as users in each service.
    [Reference] Appendix A "Concrete examples of contract provisions and commentaries" of “Guidebook for using Cloud Security Guideline” (METI, 2013) could be referred to regarding the points to consider when stipulating in the contract the roles and responsibilities of users, especially in terms of usage of cloud services.

  CPS.AM-6: Classify and prioritize resources (e.g., People, Components, Data, and System) by function, importance, and business value, and communicate to the organizations and people relevant to those resources in business.
    Advanced
    ‐ The organization considers business requirements and legal requirements which share or restrict data when classifying resources of the information system and industrial control system (data, components processing data, system, etc.).
    ‐ The person responsible for an asset is responsible for the classification of the data.
    ‐ The organization includes classification rules and classification review standards after time passes in a resource classification system.
    Basic
    ‐ The organization sets priorities on identified information assets according to importance to the organization.
    ‐ When related laws or regulations require the organization to follow a certain classification for resources of the organization (e.g., system and data), apply an appropriate classification to the asset.

D-3-1
Appendix D.3 - Mapping ISO/IEC 27001 to CPSF
  CPS.AM-7: Define roles and responsibilities for cyber security across the organization and other relevant parties.
    Advanced
    ‐ In preparation for damages caused by security incidents, the organization considers risk transfer by using cyber insurance, etc., in addition to implementing security measures designated by business partners.
    Basic
    ‐ In a contract with a contractor or an outsourcer, the organization specifies the scope of the responsibilities of the organization and that of the business partner (state the disclaimer and an upper limit on agreed compensation for damages) in case of a damage caused by a security incident in the business.
    ‐ To increase the effectiveness of the requirements related to security which a business partner requires or is required to satisfy in a contract, it is desirable that the organization makes an agreement in meeting the requirements, identifying deficiencies and details of actions, paying expenses, and using an alternative when they cannot be satisfied at the time of the contract or in the early stage of the contract.

  CPS.DP-1: Clarify the role and responsibility of the organization as well as service providers in detecting security events so that they can fulfill their accountabilities.
    Basic
    ‐ The organization determines the log information that would help detect security events and thus should be collected based on its strategies relating to risk management and assessment results.
    ‐ The organization ascertains that its business partner (service provider) has an audit log that records activity of service users, exception handling, and security events that the provider has acquired.
    ‐ The organization ascertains that the audit log acquired by its service provider records activity of service users, exception handling, and security events, and is protected in a proper way.
A.6.1.2 Segregation of duties: Conflicting duties and areas of responsibility shall be segregated to reduce opportunities for unauthorized or unintentional modification or misuse of the organization’s assets.

  CPS.AC-5: Segregate duties and areas of responsibility properly (e.g. segregate user functions from system administrator functions).
    H‐Advanced
    ‐ The organization specifies administrators who use the security functions (e.g., access authority setting) and regulates privileged accounts in its system.
    ‐ The information system adopts a system monitoring mechanism to check the use of privileged functions.
    ‐ The information system prohibits non‐privileged users from executing privileged functions, such as invalidating, avoiding, or changing the security measures implemented on the system.
    ‐ The organization minimizes the number of users who can use the system administrator’s authority in an emergency to minimize the damage caused by a security incident.
    ‐ The organization prevents even system administrators from stopping critical services and protected processes through the server to minimize the damage caused by security incidents.
    Advanced
    ‐ The organization implements access control in the information system and the industrial control system based on separation of duties (e.g., user / system administrator).
    ‐ The organization adopts a general rule on the minimum authority of specific duties.
      ‐ Segregate authority of general user from that of administrator. (Require users to use the system with a non‐privileged account when using a non‐security function.)
      ‐ Minimize authority for duties not in charge.
    ‐ The organization separates and stipulates duties that are assigned by the person in charge.
A.6.1.3 Contact with authorities: Appropriate contacts with relevant authorities shall be maintained.

  CPS.GV-2: Formulate internal rules considering domestic and foreign laws, including the Act on the Protection of Personal Information and Unfair Competition Prevention Act, as well as industry guidelines, and review and revise the rules on a continuing and timely basis in accordance with any changes in relevant laws, regulations, and industry guidelines.
    Basic
    ‐ Within the organization’s business activities, clearly identify all related laws, regulations, and contractual requirements in the context of security as well as the organization’s effort to fulfill these requirements, document them, and keep those documents up to date.
    ‐ The organization defines and documents detailed management measures and details of responsibilities to satisfy the requirements.
    ‐ The controller identifies all laws and regulations which are applied to each organization to satisfy requirements related to the type of business.
    ‐ When the organization operates businesses in other countries, the controller considers complying with the laws and regulations in all related countries.

A.6.1.4 Contact with special interest groups: Appropriate contacts with special interest groups or other specialist security forums and professional associations shall be maintained.

  CPS.RA-2: The security management team (SOC/CSIRT) collects information, including vulnerability and threats from internal and external sources (through internal tests, security information, security researchers, etc.), analyzes the information, and establishes a process to implement and use measures.
    H‐Advanced
    ‐ The organization establishes a security measure organization managing comprehensively the systems including industrial control systems, IoT systems, etc., and takes security measures integrally within the organization.
    ‐ The person in charge of security updates knowledge about security in both an information system and industrial control system to the latest by attending workshops and meetings related to security and by maintaining an appropriate communication structure with security professional associations/institutions.
    ‐ Mainly analyze the products/services that the company offers to check if any new vulnerability is contained, and if detected, submit related information to IPA.
    Advanced
    ‐ The organization, with a chief security officer at the center, establishes a security management team mainly for information systems and IoT systems with high business importance, and prepares a structure for handling security measures within the organization.
    ‐ The organization collects information on vulnerabilities, threats, etc., from organizations, including the Information‐technology Promotion Agency (IPA), JPCERT/CC, industry ISAC, and business partners (device vendors and software vendors), and determines the necessity of actions by comparing to the organization’s asset list.

  CPS.RA-3: Identify and document the assumed security incidents, their impacts on the organization’s assets, and the causes of those.
    H‐Advanced
    ‐ The organization updates security knowledge to the latest by attending workshops and meetings related to security and by maintaining an appropriate communication structure with security professional associations/institutions.
    ‐ As necessary, the organization utilizes services provided by experts, obtains information that only some experts can know, and uses them to identify threats.

  CPS.AE-4: Identify the impact of security events, including the impact on other relevant organizations.
    Advanced
    ‐ The organization works with IPA, JPCERT/CC, the industry’s ISAC, and a security vendor to collect information, thereby interlinking and sharing information about threats and vulnerability to obtain a whole picture of the security event.
    ‐ The organization requests an external security vendor to analyze the functions of the malware, or program, or script placed by an attacker if any is found in a security event that has occurred.

  CPS.AN-1: Understand the impact of the security incident on the whole society including the organization and relevant parties such as partners based on the full account of the incident and the probable intent of the attacker.
    Advanced
    ‐ The organization works with IPA, JPCERT/CC, the industry’s ISAC, and a security vendor to collect information, thereby interlinking and sharing information about threats and vulnerability to obtain a whole picture of the security incident.
    ‐ The organization requests an external security vendor to analyze the functions of the malware, or program, or script placed by an attacker if any is found in a security incident that has occurred.

A.6.1.5 Information security in project management: Information security shall be addressed in project management, regardless of the type of the project.

  CPS.IP-3: Introduce the system development life cycle to manage the systems.
    H‐Advanced
    ‐ The organization explicitly presents the following requirements when procuring the system:
      ‐ Requirements for security functions;
      ‐ Requirements for security strength;
      ‐ Requirements for security warranty;
      ‐ Requirements for security‐related documents;
      ‐ Requirements for protection of security‐related documents;
      ‐ Description of the development environment of the system and the environment which the system is planned to operate under;
      ‐ Acceptance criteria
    Advanced
    ‐ The organization manages the system in accordance with the system development lifecycle, which includes items of consideration regarding information security, and undergoes an information security risk management process throughout the entire system development lifecycle.

D-3-2
A.6.2 Mobile devices and teleworking
A.6.2.1 Mobile device policy: A policy and supporting security measures shall be adopted to manage the risks introduced by using mobile devices.

  CPS.AM-1: Document and manage appropriately the list of hardware and software, and management information (e.g. name of asset, version, network address, name of asset manager, license information) of components in the system.
    H‐Advanced
    ‐ The organization uniquely identifies the assets constituting its information systems and industrial control systems (hardware, including IoT devices; software; and information), assigns a responsible person to each asset, and maintains/manages lists including configuration information of assets (e.g., names, version information, license information, and location) periodically or at the request of the operator, while recognizing situations in real time.
    ‐ The information system regularly audits whether the actual configuration grasped conforms to the baseline configuration defined by the organization, and responds appropriately. (Example: blocking unplanned connections except those permitted by the organization as an exception)
    ‐ The information system and industrial control system implement and operate a mechanism which automatically detects and responds to unauthorized assets.
    Advanced
    ‐ Maintain/manage lists including configuration information of assets (e.g., names, version information, license information, and location) by reviewing and updating them periodically.
    ‐ The organization makes a list of removable media (e.g., USB memory sticks) that can be used on system components (information system or industrial control system), and manages the use of them.
    ‐ The organization uses only removable media (e.g. USB memory) permitted in the organization. Also, if there is no identifiable owner of portable storage devices, the organization prohibits the use of such devices.
    ‐ The organization controls access to the media that contain highly confidential data, and properly grasps and manages the usage of the media taken outside of the controlled areas.
    Basic
    ‐ The organization identifies assets constituting its information system and industrial control system (hardware, software and information), assigns a responsible person to each asset, and documents a list of them.
    ‐ It is desirable to list all the assets held, but if the target is huge, consider narrowing down the target assets through integration (grouping) of the analysis target and exclusion from the analysis target.
    ‐ The organization sets priorities to the identified assets based on the importance of them in its business operation.
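The H‐Advanced bullets of CPS.AM-1 describe an audit of the observed configuration against the organization's documented baseline, with unplanned connections blocked unless the organization has permitted them as an exception. The following is an added illustration, not code from the CPSF document: the asset list, the observed snapshot, the exception list and all field names are constructed, and the "block"/"notify" actions are only labels returned to whatever enforcement the organization has in place.

```python
"""Baseline configuration audit for an asset list (illustrating CPS.AM-1, H-Advanced).

Added example, not part of the CPSF document. Every asset, address and field
name below is constructed for illustration.
"""
from collections import Counter
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional, Set


@dataclass(frozen=True)
class Asset:
    """One entry of the organization's documented asset list (the baseline)."""
    asset_id: str          # unique identifier assigned by the organization
    name: str
    network_address: str
    version: str
    license_info: str
    owner: str             # person responsible for the asset
    location: str


@dataclass(frozen=True)
class Finding:
    kind: str              # "unauthorized", "drift" or "missing"
    asset_id: str          # baseline id, or the address when the asset is unknown
    detail: str
    action: str            # response taken, e.g. "block" for an unplanned connection


# Constructed baseline: what the organization has documented and approved.
BASELINE: Dict[str, Asset] = {a.asset_id: a for a in (
    Asset("plc-01", "line-1 PLC", "10.0.1.10", "fw 2.4", "vendor-lic-A", "ot-lead", "plant-A"),
    Asset("hmi-01", "line-1 HMI", "10.0.1.20", "hmi 5.1", "vendor-lic-B", "ot-lead", "plant-A"),
    Asset("srv-01", "historian", "10.0.2.5", "1.8.3", "site-lic", "it-ops", "server-room"),
)}

# Constructed exception list: connections permitted by the organization outside
# the baseline (e.g. a vendor maintenance laptop approved for a fixed period).
PERMITTED_EXCEPTIONS: Set[str] = {"10.0.1.99"}

# Constructed observation, as an inventory agent or network scan might report it.
# A device that cannot present an organization-assigned id reports asset_id None.
OBSERVED: List[dict] = [
    {"asset_id": "plc-01", "network_address": "10.0.1.10", "version": "fw 2.4"},
    {"asset_id": "hmi-01", "network_address": "10.0.1.20", "version": "hmi 5.2"},
    {"asset_id": None, "network_address": "10.0.1.99", "version": "unknown"},
    {"asset_id": None, "network_address": "10.0.1.123", "version": "unknown"},
]


def audit_configuration(baseline: Dict[str, Asset], observed: Iterable[dict],
                        exceptions: Set[str]) -> List[Finding]:
    """Compare the observed state with the baseline and return the findings.

    - unknown asset that is not an approved exception -> "unauthorized", block it
    - known asset whose version or address differs    -> "drift", notify the owner
    - baseline asset that was not observed at all     -> "missing", notify the owner
    """
    findings: List[Finding] = []
    seen: Set[str] = set()
    for obs in observed:
        asset_id: Optional[str] = obs.get("asset_id")
        addr = obs["network_address"]
        base = baseline.get(asset_id) if asset_id else None
        if base is None:
            if addr in exceptions:
                continue  # permitted exception: no finding
            findings.append(Finding("unauthorized", addr,
                                    f"unplanned connection from {addr}", "block"))
            continue
        seen.add(base.asset_id)
        notify = f"notify {base.owner}"
        if obs["version"] != base.version:
            findings.append(Finding("drift", base.asset_id,
                                    f"version {obs['version']} != baseline {base.version}", notify))
        if addr != base.network_address:
            findings.append(Finding("drift", base.asset_id,
                                    f"address {addr} != baseline {base.network_address}", notify))
    for asset_id in sorted(set(baseline) - seen):
        findings.append(Finding("missing", asset_id, "asset in baseline was not observed",
                                f"notify {baseline[asset_id].owner}"))
    return findings


def summarize(findings: Iterable[Finding]) -> Dict[str, int]:
    """Count findings per kind, e.g. for the regular report to management."""
    return dict(Counter(f.kind for f in findings))


if __name__ == "__main__":
    for f in audit_configuration(BASELINE, OBSERVED, PERMITTED_EXCEPTIONS):
        print(f"{f.kind:12} {f.asset_id:12} {f.detail} -> {f.action}")
```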
  CPS.AM-5: Create and manage appropriately a list of external information systems where the organization’s assets are shared.
    H‐Advanced
    ‐ The system makes a list of external information services in use and manages the users, devices, and services in use in real time.
    ‐ The system uses a mechanism to give notice to the system administrator when an unpermitted external information system service is detected.
    Advanced
    ‐ The organization identifies functions, ports, protocols, and other services which are necessary for using services offered by external providers.
    ‐ The organization sets conditions for allowing other organizations which own or operate external information systems to do the following:
      a. Accessing an information system in the organization from an external information system
      b. Processing, saving, or transmitting information under the control of the organization using an external information system
    ‐ The organization restricts the use of storage in an external system the organization owns to an authorized one.

  CPS.AC-3: Properly authorize wireless connection destinations (including users, IoT devices, and servers).
    Advanced
    ‐ The organization regulates the mobile devices used in the organization and establishes setting requirements, connection requirements, and implementation guidelines for mobile devices.
    ‐ The organization establishes rules of approval for connecting mobile devices used in the organization to its system.

  CPS.IP-2: Restrict the software to be added after installing in the IoT devices and servers.
    H‐Advanced
    ‐ The organization restricts software by using a list of software that is permitted to be executed on the information system and industrial control system (whitelist) or a list of prohibited software (blacklist). Or, unpermitted software shall not be installed.
    Advanced
    ‐ The organization adopts and manages a mechanism that manages software installation that is performed by users on the organization’s system (information system or industrial control system) and monitors the events.
    Basic
    ‐ The organization establishes a policy on software installation performed by users on the organization’s system (information system or industrial control system) and has the users follow it.

  CPS.CM-2: Perform setting, recording, and monitoring of proper physical access, considering the importance of IoT devices and servers.
    Advanced
    ‐ The organization reviews the relevant audit log regularly or when an incident or a sign of an incident appears if a physical access log from access control is available while 24‐h monitoring is not conducted through security cameras or by any other means.
    ‐ A person in charge accompanies a visitor into the area where the organization’s assets that must be protected are directly accessible (e.g., an office) in order to monitor the visitor’s behavior.
    ‐ The organization monitors through security cameras or by other means physical access to its facilities that are vital for its operations and house IoT devices and servers, thereby enabling early detection of any physical security incidents and immediate action.
    ‐ If the above physical security measures may be difficult to implement for items such as IoT devices and servers that may be critical to the organization’s operation because they are in a remote location or for any other reasons, consider using tamper‐resistant equipment (CPS.DS‐6) or taking any other appropriate measures to enhance the physical security properties of the equipment itself.
    ‐ If the organization is unable to control access to, or provide video surveillance service for, the areas that should allow only limited physical access because of issues of costs and other reasons, it takes alternative manual measures, such as having its employee in charge accompany a visitor on the premises.
    Basic
    ‐ The organization implements physical security measures to control access to designated areas in the facility that are not allowed for the general public to access.
    ‐ The organization verifies the access authority of the personnel before permitting the physical access and collects and manages the records of entry and exit.

  CPS.CM-3:
    - Use IoT devices that can detect abnormal behaviors and suspend operations by comparing the instructed behaviors and actual ones.
    - Validate whether information provided from cyberspace contains malicious code, and is within the permissible range before any action based on the data.
    Advanced
    ‐ The information system blocks or isolates any malicious code detected through an IDS/IPS, or notifies the administrator of the code.
    ‐ The information system detects exploit codes by installing on endpoints (IoT devices, servers, and so on) detection/restoration software using technologies of pattern matching of malware.
    ‐ The organization considers implementing whitelist‐type malware protection for IoT devices with limited functions.
      * Especially regarding IoT devices and control devices, an OS to which anti‐malware software can be applied may not be used. It is desirable for the organization to confirm whether devices to be introduced are compatible with anti‐malware software at the phase of procurement and to select compatible ones. If it is difficult to procure devices compatible with anti‐malware software, it is desirable to take alternative measures such as introducing/strengthening a malware detection mechanism on a network.

D-3-3
A.6.2.2 Teleworking: A policy and supporting security measures shall be implemented to protect information accessed, processed or stored at teleworking sites.

  CPS.AC-3: Properly authorize wireless connection destinations (including users, IoT devices, and servers).
    Advanced
    ‐ The organization regulates the mobile devices used in the organization and establishes setting requirements, connection requirements, and implementation guidelines for mobile devices.
    ‐ The organization establishes rules of approval for connecting mobile devices used in the organization to its system.
    Basic
    ‐ The organization establishes usage regulations, configuration requirements, and implementation guidelines for each type of approved remote access.
    ‐ The organization in principle prohibits unauthorized wireless connections.
    ‐ The organization establishes rules of approval for remote access to an information system and an industrial control system.
    ‐ The organization authorizes wireless access to its system in advance of the approval.
  CPS.AC-9: Authenticate and authorize logical accesses to system components by IoT devices and users according to the transaction risks (personal security, privacy risks, and other organizational risks).
    H‐Advanced
    ‐ The information system and industrial control system require authentication using a public key infrastructure (PKI), especially regarding login to a system that handles highly confidential data.
      * When performing authentication using PKI in an industrial control system, ensure that the processing wait time that occurs does not degrade system performance.
    ‐ The information system and industrial control system lay down conditions that require disconnection of the session for its system and implement a function that automatically terminates a user’s session when it falls under these conditions.
    [Reference] For the strength of authentication schemes and appropriate use cases, it is advisable to refer to NIST SP 800‐63‐3.
    Advanced
    ‐ The organization checks the user’s identity and authenticates using a mechanism that has sufficient strength for the risk of the transaction (security‐related risks for the user, privacy risks, etc.).
    ‐ The information system displays a notification message on the risk of the transaction (security‐related risks for the user, privacy risks, etc.) when a user logs into the system.
    ‐ The information system and the industrial control system make the feedback on the authentication information invisible in its system during the authentication process.
    ‐ The organization sets the expiration date of the credential and manages whether the password over the expiration date is used.
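CPS.AC-9 asks for three things that are easy to state but easy to get out of order in an implementation: defined conditions under which a session is terminated automatically, an authentication mechanism whose strength matches the risk of the transaction (PKI for highly confidential data at the H‐Advanced level), and credentials that stop working after their expiration date. The following is an added illustration, not code from the CPSF document: the strength ranking, classification thresholds, time limits and sample sessions are constructed, and "password"/"pki" are labels only, with no real authentication performed.

```python
"""Session disconnection conditions and risk-based authentication strength
(illustrating CPS.AC-9). Added example, not part of the CPSF document; all
values and names below are constructed.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional, Tuple

# Constructed ranking of authentication methods (higher = stronger).
AUTH_STRENGTH = {"password": 1, "password+otp": 2, "pki": 3}

# Constructed minimum strength per data classification; highly confidential
# data requires PKI, as in the H-Advanced bullet.
REQUIRED_STRENGTH = {"internal": 1, "confidential": 2, "highly_confidential": 3}


@dataclass
class Policy:
    """Conditions that require disconnection of a session (constructed limits)."""
    max_idle: timedelta = timedelta(minutes=15)
    max_lifetime: timedelta = timedelta(hours=8)


@dataclass
class Session:
    user: str
    auth_method: str
    started_at: datetime
    last_activity: datetime
    credential_expires_at: datetime   # expiration date set by the organization


def disconnect_reason(session: Session, now: datetime, policy: Policy) -> Optional[str]:
    """Return why the session must be terminated, or None if it may continue."""
    if now - session.last_activity > policy.max_idle:
        return "idle timeout"
    if now - session.started_at > policy.max_lifetime:
        return "maximum session lifetime exceeded"
    if now >= session.credential_expires_at:
        return "credential expired"
    return None


def authorize_access(session: Session, classification: str,
                     now: datetime, policy: Policy) -> Tuple[bool, str]:
    """Decide whether the session may access data of the given classification.

    The disconnection conditions are evaluated first; only a live session is
    then checked for an authentication method strong enough for the risk of
    the transaction. A too-weak method asks for a step-up rather than ending
    the session.
    """
    reason = disconnect_reason(session, now, policy)
    if reason is not None:
        return False, f"session terminated: {reason}"
    have = AUTH_STRENGTH[session.auth_method]
    need = REQUIRED_STRENGTH[classification]
    if have < need:
        return False, f"step-up required: {session.auth_method} is too weak for {classification}"
    session.last_activity = now   # a permitted access counts as activity
    return True, "access permitted"


# Constructed reference time and sample sessions.
NOW = datetime(2024, 1, 15, 12, 0, tzinfo=timezone.utc)


def sample_session(auth_method: str, idle_minutes: int = 5,
                   credential_days_left: int = 30) -> Session:
    """Build a constructed session that started an hour before NOW."""
    return Session(
        user="operator-1",
        auth_method=auth_method,
        started_at=NOW - timedelta(hours=1),
        last_activity=NOW - timedelta(minutes=idle_minutes),
        credential_expires_at=NOW + timedelta(days=credential_days_left),
    )


if __name__ == "__main__":
    policy = Policy()
    cases = [
        ("password, internal data", sample_session("password"), "internal"),
        ("password, highly confidential", sample_session("password"), "highly_confidential"),
        ("pki, highly confidential", sample_session("pki"), "highly_confidential"),
        ("idle for 20 min", sample_session("pki", idle_minutes=20), "internal"),
        ("expired credential", sample_session("pki", credential_days_left=-1), "internal"),
    ]
    for label, s, cls in cases:
        print(f"{label:32} -> {authorize_access(s, cls, NOW, policy)}")
```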
  CPS.DS-3: Encrypt the communication channel when communicating between IoT devices and servers or in cyberspace.
    H‐Advanced
    ‐ The organization protects the networks composing the information system and industrial control system that handle important data by implementing encryption of communication channels or by alternative physical measures.
    Advanced
    ‐ The information system employs a cryptographic mechanism and encrypts communication paths.
    [Reference] For encryption of communication paths, there are several methods such as IP‐VPN, IPsec‐VPN, and SSL VPN. It is desirable that the organization should select the method considering the importance of the data transmitted in the communication paths, the budget, and so on.

  CPS.CM-3:
    - Use IoT devices that can detect abnormal behaviors and suspend operations by comparing the instructed behaviors and actual ones.
    - Validate whether information provided from cyberspace contains malicious code, and is within the permissible range before any action based on the data.
    Advanced
    ‐ The information system blocks or isolates any malicious code detected through an IDS/IPS, or notifies the administrator of the code.
    ‐ The information system detects exploit codes by installing on endpoints (IoT devices, servers, and so on) detection/restoration software using technologies of pattern matching of malware.
    ‐ The organization considers implementing whitelist‐type malware protection for IoT devices with limited functions.
      * Especially regarding IoT devices and control devices, an OS to which anti‐malware software can be applied may not be used. It is desirable for the organization to confirm whether devices to be introduced are compatible with anti‐malware software at the phase of procurement and to select compatible ones. If it is difficult to procure devices compatible with anti‐malware software, it is desirable to take alternative measures such as introducing/strengthening a malware detection mechanism on a network.
A.7.1.1 Screening (A.7 Human resource security; A.7.1 Prior to employment)
ISO/IEC 27001 control: Background verification checks on all candidates for employment shall be carried out in accordance with relevant laws, regulations and ethics and shall be proportional to the business requirements, the classification of the information to be accessed and the perceived risks.
Mapped CPSF measure requirement CPS.AC-8: Restrict communications by IoT devices and servers to those with entities (e.g. people, components, system, etc.) identified through proper procedures.
  [Basic]
  ‐ The organization assigns identifiers to its IoT devices and servers, as well as managing identification by preventing re‐use of identifiers and invalidating identifiers after a certain period of time.
  ‐ Before connecting their IoT devices and servers to the network, the information system and the industrial control system prepare a mechanism that uniquely identifies and authenticates these devices.
  ‐ Communication using IoT devices is denied by default. The protocol to be used is authorized as an exception.
Mapped CPSF measure requirement CPS.IP-9: Include items concerning security (e.g., deactivate access authorization and personnel screening) when roles change due to personnel transfer.
  [Advanced]
  ‐ The organization makes changes to its staff members’ rights to access certain systems and/or rooms on the premises when they are reshuffled or transferred internally.
  ‐ To minimize impacts when a staff member leaves the organization, designate backup members regarding important duties as a supplier, including operation and maintenance.
  ‐ The organization identifies conditions in which re‐screening is required, such as changes in access authority to its own systems, and re‐screens if necessary.
  ‐ The organization conducts an interview on information security when personnel leave.
  ‐ The organization ensures that responsibilities for security are met, particularly by personnel handling sensitive information, throughout the whole process from hiring to retirement.
  [Basic]
  ‐ The organization identifies the responsibility for security of personnel in the employment contract. The organization states that this responsibility should be sustained for a reasonable period of time after the termination of employment, in order to prevent information leakage after the termination of employment.
  ‐ The organization reviews a staff member before granting him or her access to its systems.
  ‐ The organization conducts the following when a staff member resigns or retires:
    ‐ Disables the staff member’s access to its systems within a certain period;
    ‐ Disables the authentication and credentials related to the staff member;
    ‐ Collects all system‐related things for security that the staff member has used;
    ‐ Retains access to the information about the organization and information systems that have been managed by the individual who is leaving.
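One way to realise the CPS.AC-8 Basic measures in code, as an added example that is not part of the CPSF or of any product: a small identifier registry for IoT devices that never re-issues an identifier, invalidates identifiers after a validity period, and denies communication by default unless the protocol has been authorized for that device as an exception. The device name, validity period and protocol names are constructed sample values.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import Dict, Set

# Added example (not CPSF text): identifier registry modelled on the
# CPS.AC-8 Basic measures: unique identifiers that are never re-used,
# invalidation after a validity period, and deny-by-default communication.


@dataclass
class DeviceRecord:
    device_id: str
    issued_at: datetime
    valid_until: datetime
    # Protocols authorized as exceptions to the default deny.
    allowed_protocols: Set[str] = field(default_factory=set)
    revoked: bool = False


class DeviceRegistry:
    def __init__(self, validity: timedelta) -> None:
        self.validity = validity
        self._records: Dict[str, DeviceRecord] = {}
        # Every identifier ever issued stays here, so a retired or expired
        # identifier can never be handed out again (no re-use).
        self._ever_issued: Set[str] = set()

    def issue(self, device_id: str, now: datetime) -> DeviceRecord:
        """Register a device under a fresh identifier valid for `validity`."""
        if device_id in self._ever_issued:
            raise ValueError(f"identifier {device_id!r} was already issued; re-use is not allowed")
        self._ever_issued.add(device_id)
        rec = DeviceRecord(device_id, now, now + self.validity)
        self._records[device_id] = rec
        return rec

    def authorize_protocol(self, device_id: str, protocol: str) -> None:
        """Authorize one protocol for one device as an explicit exception."""
        self._records[device_id].allowed_protocols.add(protocol.lower())

    def revoke(self, device_id: str) -> None:
        """Invalidate an identifier before its period ends (e.g. device scrapped)."""
        self._records[device_id].revoked = True

    def decide(self, device_id: str, protocol: str, now: datetime) -> str:
        """Return 'allow' or a 'deny: ...' reason. Unknown, expired and revoked
        identifiers and unauthorized protocols are all denied."""
        rec = self._records.get(device_id)
        if rec is None:
            return "deny: unknown identifier"
        if rec.revoked:
            return "deny: identifier revoked"
        if now >= rec.valid_until:
            return "deny: identifier expired"
        if protocol.lower() not in rec.allowed_protocols:
            return f"deny: protocol {protocol!r} not authorized for {device_id}"
        return "allow"


def demo() -> Dict[str, str]:
    """Walk a constructed device through its lifecycle; returns the decisions."""
    t0 = datetime(2024, 1, 1, tzinfo=timezone.utc)
    reg = DeviceRegistry(validity=timedelta(days=90))
    reg.issue("plc-line3-01", t0)  # constructed sample identifier
    out = {"before_exception": reg.decide("plc-line3-01", "modbus", t0)}
    reg.authorize_protocol("plc-line3-01", "modbus")
    out["after_exception"] = reg.decide("plc-line3-01", "modbus", t0 + timedelta(days=1))
    out["other_protocol"] = reg.decide("plc-line3-01", "http", t0 + timedelta(days=1))
    out["after_expiry"] = reg.decide("plc-line3-01", "modbus", t0 + timedelta(days=91))
    out["unknown_device"] = reg.decide("sensor-99", "modbus", t0)
    reg.revoke("plc-line3-01")
    try:
        reg.issue("plc-line3-01", t0 + timedelta(days=100))
        out["reissue"] = "allowed"
    except ValueError:
        out["reissue"] = "refused"
    return out


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The registry keeps a retired identifier on file for the sole purpose of refusing to issue it again; in a real deployment that set would live in the same store as the device inventory so that the prohibition survives restarts.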

D-3-4
Appendix D.3 - Mapping ISO/IEC 27001 to CPSF
Table columns: ISO/IEC 27001:2013 Annex A (Security Controls, ID, Controls) mapped to the Cyber/Physical Security Framework (Measure Requirement ID, Measure Requirement, Example of Security Measures by level).
A.7.1.2 Terms and conditions of employment
ISO/IEC 27001 control: The contractual agreements with employees and contractors shall state their and the organization’s responsibilities for information security.
Mapped CPSF measure requirement CPS.IP-9: Include items concerning security (e.g., deactivate access authorization and personnel screening) when roles change due to personnel transfer.
  [Advanced]
  ‐ The organization makes changes to its staff members’ rights to access certain systems and/or rooms on the premises when they are reshuffled or transferred internally.
  ‐ To minimize impacts when a staff member leaves the organization, designate backup members regarding important duties as a supplier, including operation and maintenance.
  ‐ The organization identifies conditions in which re‐screening is required, such as changes in access authority to its own systems, and re‐screens if necessary.
  ‐ The organization conducts an interview on information security when personnel leave.
  ‐ The organization ensures that responsibilities for security are met, particularly by personnel handling sensitive information, throughout the whole process from hiring to retirement.
  [Basic]
  ‐ The organization identifies the responsibility for security of personnel in the employment contract. The organization states that this responsibility should be sustained for a reasonable period of time after the termination of employment, in order to prevent information leakage after the termination of employment.
  ‐ The organization reviews a staff member before granting him or her access to its systems.
  ‐ The organization conducts the following when a staff member resigns or retires:
    ‐ Disables the staff member’s access to its systems within a certain period;
    ‐ Disables the authentication and credentials related to the staff member;
    ‐ Collects all system‐related things for security that the staff member has used;
    ‐ Retains access to the information about the organization and information systems that have been managed by the individual who is leaving.
A.7.2.1 Management responsibilities (A.7.2 During employment)
ISO/IEC 27001 control: Management shall require all employees and contractors to apply information security in accordance with the established policies and procedures of the organization.
Mapped CPSF measure requirement CPS.AT-1: Provide appropriate training and education to all individuals in the organization and manage the record so that they can fulfill assigned roles and responsibilities to prevent and contain the occurrence and severity of security incidents.
  [H‐Advanced]
  ‐ The organization provides security awareness training to all necessary personnel so that they will recognize and report signs of internal fraud.
  [Advanced]
  ‐ The organization regularly provides basic security awareness training to all members of staff. The organization can, for example, cover the following matters in addition to the contents explaining general matters:
    ‐ Procedure to respond when you receive a suspicious email
    ‐ Notes on using mobile devices (e.g. notes on connecting to a public wireless LAN)
    ‐ Notes on using SNS
  ‐ The organization creates a program for each role (e.g., system/software developer, purchasing personnel, system administrator, personnel in charge of security measures) to train information security personnel and to improve their skills. The program is conducted regularly for applicable personnel.
  ‐ The organization regularly reviews records of security education and training.
  [Basic]
  ‐ The organization provides basic security awareness training to new staff, or when necessary due to changes made to the information systems and the industrial control systems which the organization uses.
  ‐ The organization records and manages the contents and results of security education and training for members of the organization.
Mapped CPSF measure requirement CPS.IP-9: Include items concerning security (e.g., deactivate access authorization and personnel screening) when roles change due to personnel transfer.
  [Advanced]
  ‐ The organization makes changes to its staff members’ rights to access certain systems and/or rooms on the premises when they are reshuffled or transferred internally.
  ‐ To minimize impacts when a staff member leaves the organization, designate backup members regarding important duties as a supplier, including operation and maintenance.
  ‐ The organization identifies conditions in which re‐screening is required, such as changes in access authority to its own systems, and re‐screens if necessary.
  ‐ The organization conducts an interview on information security when personnel leave.
  ‐ The organization ensures that responsibilities for security are met, particularly by personnel handling sensitive information, throughout the whole process from hiring to retirement.
  [Basic]
  ‐ The organization identifies the responsibility for security of personnel in the employment contract. The organization states that this responsibility should be sustained for a reasonable period of time after the termination of employment, in order to prevent information leakage after the termination of employment.
  ‐ The organization reviews a staff member before granting him or her access to its systems.
  ‐ The organization conducts the following when a staff member resigns or retires:
    ‐ Disables the staff member’s access to its systems within a certain period;
    ‐ Disables the authentication and credentials related to the staff member;
    ‐ Collects all system‐related things for security that the staff member has used;
    ‐ Retains access to the information about the organization and information systems that have been managed by the individual who is leaving.
A.7.2.2 Information security awareness, education and training
ISO/IEC 27001 control: All employees of the organization and, where relevant, contractors shall receive appropriate awareness education and training and regular updates in organizational policies and procedures, as relevant for their job function.
Mapped CPSF measure requirement CPS.AT-1: Provide appropriate training and education to all individuals in the organization and manage the record so that they can fulfill assigned roles and responsibilities to prevent and contain the occurrence and severity of security incidents.
  [H‐Advanced]
  ‐ The organization provides security awareness training to all necessary personnel so that they will recognize and report signs of internal fraud.
  [Advanced]
  ‐ The organization regularly provides basic security awareness training to all members of staff. The organization can, for example, cover the following matters in addition to the contents explaining general matters:
    ‐ Procedure to respond when you receive a suspicious email
    ‐ Notes on using mobile devices (e.g. notes on connecting to a public wireless LAN)
    ‐ Notes on using SNS
  ‐ The organization creates a program for each role (e.g., system/software developer, purchasing personnel, system administrator, personnel in charge of security measures) to train information security personnel and to improve their skills. The program is conducted regularly for applicable personnel.
  ‐ The organization regularly reviews records of security education and training.
  [Basic]
  ‐ The organization provides basic security awareness training to new staff, or when necessary due to changes made to the information systems and the industrial control systems which the organization uses.
  ‐ The organization records and manages the contents and results of security education and training for members of the organization.
A.7.2.3 Disciplinary process
ISO/IEC 27001 control: There shall be a formal and communicated disciplinary process in place to take action against employees who have committed an information security breach.
Mapped CPSF measure requirement CPS.IP-9: Include items concerning security (e.g., deactivate access authorization and personnel screening) when roles change due to personnel transfer.
  [Advanced]
  ‐ The organization makes changes to its staff members’ rights to access certain systems and/or rooms on the premises when they are reshuffled or transferred internally.
  ‐ To minimize impacts when a staff member leaves the organization, designate backup members regarding important duties as a supplier, including operation and maintenance.
  ‐ The organization identifies conditions in which re‐screening is required, such as changes in access authority to its own systems, and re‐screens if necessary.
  ‐ The organization conducts an interview on information security when personnel leave.
  ‐ The organization ensures that responsibilities for security are met, particularly by personnel handling sensitive information, throughout the whole process from hiring to retirement.

A.7.3.1 Termination or change of employment responsibilities (A.7.3 Termination and change of employment)
ISO/IEC 27001 control: Information security responsibilities and duties that remain valid after termination or change of employment shall be defined, communicated to the employee or contractor and enforced.
Mapped CPSF measure requirement CPS.IP-9: Include items concerning security (e.g., deactivate access authorization and personnel screening) when roles change due to personnel transfer.
  [Advanced]
  ‐ The organization makes changes to its staff members’ rights to access certain systems and/or rooms on the premises when they are reshuffled or transferred internally.
  ‐ To minimize impacts when a staff member leaves the organization, designate backup members regarding important duties as a supplier, including operation and maintenance.
  ‐ The organization identifies conditions in which re‐screening is required, such as changes in access authority to its own systems, and re‐screens if necessary.
  ‐ The organization conducts an interview on information security when personnel leave.
  ‐ The organization ensures that responsibilities for security are met, particularly by personnel handling sensitive information, throughout the whole process from hiring to retirement.
A.8.1.1 Inventory of assets (A.8 Asset management; A.8.1 Responsibility for assets)
ISO/IEC 27001 control: Assets associated with information and information processing facilities shall be identified and an inventory of these assets shall be drawn up and maintained.
Mapped CPSF measure requirement CPS.AM-1: Document and manage appropriately the list of hardware and software, and management information (e.g. name of asset, version, network address, name of asset manager, license information) of components in the system.
  [H‐Advanced]
  ‐ The organization uniquely identifies the assets constituting its information systems and industrial control systems (hardware, including IoT devices; software; and information) and assigns a responsible person to each asset. The organization maintains/manages lists including configuration information of assets (e.g., names, version information, license information, and location) periodically or at the request of the operator, while recognizing situations in real time.
  ‐ The information system regularly audits whether the actual configuration grasped conforms to the baseline configuration defined by the organization, and responds appropriately (for example, by blocking unplanned connections except those permitted by the organization as an exception).
  ‐ The information system and industrial control system implement and operate a mechanism which automatically detects and responds to unauthorized assets.
  [Advanced]
  ‐ Maintain/manage lists including configuration information of assets (e.g., names, version information, license information, and location) by reviewing and updating them periodically.
  ‐ The organization makes a list of removable media (e.g., USB memory sticks) that can be used on system components (information system or industrial control system), and manages the use of them.
  ‐ The organization uses only removable media (e.g. USB memory) permitted in the organization. Also, if there is no identifiable owner of portable storage devices, the organization prohibits the use of such devices.
  ‐ The organization controls access to the media that contain highly confidential data, and properly grasps and manages the usage of the media taken outside of the controlled areas.
  [Basic]
  ‐ The organization identifies assets constituting its information system and industrial control system (hardware, software and information), assigns a responsible person to each asset, and documents a list of them.
  ‐ It is desirable to list all the assets held, but if the target is huge, consider narrowing down the target assets through integration (grouping) of the analysis target and exclusion from the analysis target.
  ‐ The organization sets priorities for the identified assets based on their importance in its business operation.
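The CPS.AM-1 H‐Advanced audit (actual configuration against the baseline, unplanned connections blocked unless excepted) and the Advanced removable-media rule (no identifiable owner, no use) can be exercised together on a scan result. The following is an added example written for this page, not CPSF or vendor code; the asset identifiers, versions, addresses, owners and the exception list are constructed sample data.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set

# Added example (not part of the CPSF): a baseline-conformance audit in the
# spirit of the CPS.AM-1 H-Advanced and Advanced measures: compare what a scan
# observed against the managed asset list, flag unauthorized and missing assets
# and configuration drift, and prohibit portable media with no identifiable owner.


@dataclass(frozen=True)
class Asset:
    asset_id: str
    kind: str                       # "hardware", "software" or "removable_media"
    version: str                    # firmware/software version; "" if not applicable
    owner: Optional[str]            # responsible person or team; None = unidentified
    address: Optional[str] = None   # network address where applicable


@dataclass
class AuditReport:
    unauthorized: List[str] = field(default_factory=list)      # observed, not in baseline, not excepted
    missing: List[str] = field(default_factory=list)           # in baseline, not observed
    drifted: List[str] = field(default_factory=list)           # observed but version/address differ
    prohibited_media: List[str] = field(default_factory=list)  # portable media with no owner
    actions: List[str] = field(default_factory=list)           # the "respond appropriately" part


def audit(baseline: Dict[str, Asset], observed: Dict[str, Asset], exceptions: Set[str]) -> AuditReport:
    report = AuditReport()
    for asset_id, seen in sorted(observed.items()):
        expected = baseline.get(asset_id)
        if expected is None:
            # Unplanned connection: block it unless the organization permitted it as an exception.
            if asset_id not in exceptions:
                report.unauthorized.append(asset_id)
                report.actions.append(f"block {asset_id}: unplanned connection")
        elif (seen.version, seen.address) != (expected.version, expected.address):
            report.drifted.append(asset_id)
            report.actions.append(
                f"review {asset_id}: {expected.version}/{expected.address} -> {seen.version}/{seen.address}")
        if seen.kind == "removable_media" and seen.owner is None:
            report.prohibited_media.append(asset_id)
            report.actions.append(f"prohibit {asset_id}: removable media without identifiable owner")
    for asset_id in sorted(baseline):
        if asset_id not in observed:
            report.missing.append(asset_id)
            report.actions.append(f"investigate {asset_id}: in baseline but not observed")
    return report


# Constructed sample data: the managed baseline list and one scan result.
BASELINE = {
    "plc-line3-01": Asset("plc-line3-01", "hardware", "fw 2.3.1", "ot-team", "10.0.5.11"),
    "historian-01": Asset("historian-01", "hardware", "22.04", "it-ops", "10.0.5.20"),
    "hmi-runtime":  Asset("hmi-runtime", "software", "7.2", "ot-team"),
    "usb-0042":     Asset("usb-0042", "removable_media", "", "maintenance"),
}
OBSERVED = {
    "plc-line3-01": Asset("plc-line3-01", "hardware", "fw 2.4.0", "ot-team", "10.0.5.11"),   # firmware changed
    "historian-01": Asset("historian-01", "hardware", "22.04", "it-ops", "10.0.5.20"),
    "usb-0042":     Asset("usb-0042", "removable_media", "", "maintenance"),
    "usb-0099":     Asset("usb-0099", "removable_media", "", None),                        # unknown stick, no owner
    "vendor-lt-07": Asset("vendor-lt-07", "hardware", "n/a", "vendor-x", "10.0.5.77"),      # approved exception
    "ap-unknown":   Asset("ap-unknown", "hardware", "n/a", None, "10.0.5.250"),             # unplanned device
}
EXCEPTIONS = {"vendor-lt-07"}   # unplanned connections the organization has permitted


def run_audit() -> AuditReport:
    return audit(BASELINE, OBSERVED, EXCEPTIONS)


if __name__ == "__main__":
    for line in run_audit().actions:
        print(line)
```

Only identifier, version and address are compared here; a production baseline would also carry the configuration items the CPSF lists (license information, location) and the comparison would run on a schedule, which is what "regularly audits" in the H‐Advanced measure calls for.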
A.8.1.2 Ownership of assets
ISO/IEC 27001 control: Assets maintained in the inventory shall be owned.
Mapped CPSF measure requirement CPS.AM-1: Document and manage appropriately the list of hardware and software, and management information (e.g. name of asset, version, network address, name of asset manager, license information) of components in the system.
  [H‐Advanced]
  ‐ The organization uniquely identifies the assets constituting its information systems and industrial control systems (hardware, including IoT devices; software; and information) and assigns a responsible person to each asset. The organization maintains/manages lists including configuration information of assets (e.g., names, version information, license information, and location) periodically or at the request of the operator, while recognizing situations in real time.
  ‐ The information system regularly audits whether the actual configuration grasped conforms to the baseline configuration defined by the organization, and responds appropriately (for example, by blocking unplanned connections except those permitted by the organization as an exception).
  ‐ The information system and industrial control system implement and operate a mechanism which automatically detects and responds to unauthorized assets.
  [Advanced]
  ‐ Maintain/manage lists including configuration information of assets (e.g., names, version information, license information, and location) by reviewing and updating them periodically.
  ‐ The organization makes a list of removable media (e.g., USB memory sticks) that can be used on system components (information system or industrial control system), and manages the use of them.
  ‐ The organization uses only removable media (e.g. USB memory) permitted in the organization. Also, if there is no identifiable owner of portable storage devices, the organization prohibits the use of such devices.
  ‐ The organization controls access to the media that contain highly confidential data, and properly grasps and manages the usage of the media taken outside of the controlled areas.
  [Basic]
  ‐ The organization identifies assets constituting its information system and industrial control system (hardware, software and information), assigns a responsible person to each asset, and documents a list of them.
  ‐ It is desirable to list all the assets held, but if the target is huge, consider narrowing down the target assets through integration (grouping) of the analysis target and exclusion from the analysis target.
  ‐ The organization sets priorities for the identified assets based on their importance in its business operation.
A.8.1.3 Acceptable use of assets
ISO/IEC 27001 control: Rules for the acceptable use of information and of assets associated with information and information processing facilities shall be identified, documented and implemented.
Mapped CPSF measure requirement CPS.AM-1: Document and manage appropriately the list of hardware and software, and management information (e.g. name of asset, version, network address, name of asset manager, license information) of components in the system.
  [H‐Advanced]
  ‐ The organization uniquely identifies the assets constituting its information systems and industrial control systems (hardware, including IoT devices; software; and information) and assigns a responsible person to each asset. The organization maintains/manages lists including configuration information of assets (e.g., names, version information, license information, and location) periodically or at the request of the operator, while recognizing situations in real time.
  ‐ The information system regularly audits whether the actual configuration grasped conforms to the baseline configuration defined by the organization, and responds appropriately (for example, by blocking unplanned connections except those permitted by the organization as an exception).
  ‐ The information system and industrial control system implement and operate a mechanism which automatically detects and responds to unauthorized assets.
  [Advanced]
  ‐ Maintain/manage lists including configuration information of assets (e.g., names, version information, license information, and location) by reviewing and updating them periodically.
  ‐ The organization makes a list of removable media (e.g., USB memory sticks) that can be used on system components (information system or industrial control system), and manages the use of them.
  ‐ The organization uses only removable media (e.g. USB memory) permitted in the organization. Also, if there is no identifiable owner of portable storage devices, the organization prohibits the use of such devices.
  ‐ The organization controls access to the media that contain highly confidential data, and properly grasps and manages the usage of the media taken outside of the controlled areas.

A.8.1.4 Return of assets
ISO/IEC 27001 control: All employees and external party users shall return all of the organizational assets in their possession upon termination of their employment, contract or agreement.
Mapped CPSF measure requirement CPS.IP-9: Include items concerning security (e.g., deactivate access authorization and personnel screening) when roles change due to personnel transfer.
  [Advanced]
  ‐ The organization makes changes to its staff members’ rights to access certain systems and/or rooms on the premises when they are reshuffled or transferred internally.
  ‐ To minimize impacts when a staff member leaves the organization, designate backup members regarding important duties as a supplier, including operation and maintenance.
  ‐ The organization identifies conditions in which re‐screening is required, such as changes in access authority to its own systems, and re‐screens if necessary.
  ‐ The organization conducts an interview on information security when personnel leave.
  ‐ The organization ensures that responsibilities for security are met, particularly by personnel handling sensitive information, throughout the whole process from hiring to retirement.
  [Basic]
  ‐ The organization identifies the responsibility for security of personnel in the employment contract. The organization states that this responsibility should be sustained for a reasonable period of time after the termination of employment, in order to prevent information leakage after the termination of employment.
  ‐ The organization reviews a staff member before granting him or her access to its systems.
  ‐ The organization conducts the following when a staff member resigns or retires:
    ‐ Disables the staff member’s access to its systems within a certain period;
    ‐ Disables the authentication and credentials related to the staff member;
    ‐ Collects all system‐related things for security that the staff member has used;
    ‐ Retains access to the information about the organization and information systems that have been managed by the individual who is leaving.
A.8.2.1 Classification of information (A.8.2 Information classification)
ISO/IEC 27001 control: Information shall be classified in terms of legal requirements, value, criticality and sensitivity to unauthorised disclosure or modification.
Mapped CPSF measure requirement CPS.AM-6: Classify and prioritize resources (e.g., People, Components, Data, and System) by function, importance, and business value, and communicate to the organizations and people relevant to those resources in business.
  [Advanced]
  ‐ The organization considers the business requirements and legal requirements which share or restrict data when classifying resources of the information system and industrial control system (data, components processing data, system, etc.).
  ‐ The person responsible for an asset is responsible for the classification of the data.
  ‐ The organization includes classification rules, and standards for reviewing a classification after time has passed, in its resource classification system.
  [Basic]
  ‐ The organization sets priorities on identified information assets according to their importance to the organization.
  ‐ When related laws or regulations require the organization to follow a certain classification for its resources (e.g., system and data), apply an appropriate classification to the asset.
Mapped CPSF measure requirement CPS.GV-3: Understand the level of data protection required by laws and arrangements regarding handling of data shared only by relevant organizations, develop data classification methods based on each requirement, and properly classify and protect data throughout the whole life cycle.
  [Basic]
  ‐ The organization identifies and documents all legal requirements and contract requirements related to data protection for each system and each organization, together with the organization’s activities to satisfy these requirements, and keeps them up to date.
  ‐ The organization classifies its data appropriately according to the classification of the identified rules.
  ‐ The organization takes measures for systems, components, etc. handling the applicable data in accordance with the requirements of the identified rules. When the implementation of a measure is considered difficult, measures such as tokenization of the applicable data in the organization may be considered (e.g., tokenization of card information due to the Installment Sales Law).

A.8.2.2 Labelling of information
ISO/IEC 27001 control: An appropriate set of procedures for information labelling shall be developed and implemented in accordance with the information classification scheme adopted by the organization.
Mapped CPSF measure requirement CPS.PT-2: Minimize functions of IoT devices and servers by physically and logically blocking unnecessary network ports, USBs, and serial ports accessing directly the main bodies of IoT devices and servers etc.
  [H‐Advanced]
  ‐ The organization identifies software programs that are not allowed to be executed on a system.
  ‐ Manage a “black list” or “white list” so that the software programs not allowed on the system cannot be executed.
  ‐ The organization regularly reviews and updates the black list or the white list.
  ‐ The system blocks the execution of these programs in accordance with the specified rules.
  [Advanced]
  ‐ The organization reviews the functions and services provided by its systems and items in order to identify the functions and services that could be deleted.
  ‐ The organization uses network scanning tools, intrusion detection and prevention systems, and endpoint protection (e.g., a firewall, host‐based intrusion detection system) in order to detect and prevent the use of banned functions, ports, protocols, and services.
  ‐ The organization minimizes the functions and services of devices connected to the network, such as multifunction printers, in addition to typical IoT devices and servers.
  [Basic]
  ‐ The organization manages peripherals in use (e.g., USB flash drives) using a management ledger and keeps them in a locked place.
  ‐ The organization checks external storage devices connected to IoT devices or servers (e.g., USB flash drives) using antivirus software, uses USB flash drives that can be checked for viruses, or takes any appropriate action.
  ‐ The organization plugs USB ports and serial ports that are out of use to physically block them.
A.8.2.3 Handling of assets
ISO/IEC 27001 control: Procedures for handling assets shall be developed and implemented in accordance with the information classification scheme adopted by the organization.
Mapped CPSF measure requirement CPS.AC-9: Authenticate and authorize logical accesses to system components by IoT devices and users according to the transaction risks (personal security, privacy risks, and other organizational risks).
  [H‐Advanced]
  ‐ The information system and industrial control system require authentication using a public key infrastructure (PKI), especially regarding login to a system that handles highly confidential data.
    * When performing authentication using PKI in an industrial control system, ensure that the processing wait time that occurs does not degrade system performance.
  ‐ The information system and industrial control system lay down conditions that require disconnection of a session and implement a function that automatically terminates a user’s session when it falls under these conditions.
  [Advanced]
  [Reference] For the strength of authentication schemes and appropriate use cases, it is advisable to refer to NIST SP 800‐63‐3.
  ‐ The organization checks the user’s identity and authenticates using a mechanism that has sufficient strength for the risk of the transaction (security‐related risks for the user, privacy risks, etc.).
  ‐ The information system displays a notification message on the risk of the transaction (security‐related risks for the user, privacy risks, etc.) when a user logs into the system.
  ‐ The information system and the industrial control system make the feedback on the authentication information invisible in the system during the authentication process.
  ‐ The organization sets the expiration date of the credential and manages whether a password past its expiration date is used.
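The CPS.AC-9 measures above describe three checks that a session layer has to make: whether the authentication mechanism used is strong enough for the transaction risk, whether the credential is past its expiration date, and whether any of the laid-down conditions for automatic disconnection has been met. The following is an added example of those checks, written for this page rather than taken from the CPSF or any product; the three strength names, the three risk levels and the timeouts are assumptions chosen for the example.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Dict, Optional

# Added example (not CPSF text): session and credential policy checks in the
# spirit of CPS.AC-9: authentication strength matched to transaction risk,
# credential expiry, and conditions that terminate a session automatically.

# Ordered from weakest to strongest; the names are assumptions for this example.
STRENGTH_ORDER = ["password", "password_otp", "pki_certificate"]
# Minimum strength per transaction risk level (assumption: three levels).
REQUIRED_STRENGTH = {"low": "password", "medium": "password_otp", "high": "pki_certificate"}


@dataclass
class SessionPolicy:
    idle_timeout: timedelta         # no activity for this long -> disconnect
    max_lifetime: timedelta         # absolute cap on a session, active or not
    credential_lifetime: timedelta  # how long a password/credential stays valid


@dataclass
class Session:
    user: str
    started_at: datetime
    last_activity: datetime
    credential_set_at: datetime   # when the user's credential was last set
    auth_strength: str            # mechanism used at login, one of STRENGTH_ORDER
    transaction_risk: str         # "low", "medium" or "high"


def authentication_sufficient(auth_strength: str, transaction_risk: str) -> bool:
    """True when the mechanism used is at least as strong as the risk level requires."""
    required = REQUIRED_STRENGTH[transaction_risk]
    return STRENGTH_ORDER.index(auth_strength) >= STRENGTH_ORDER.index(required)


def termination_reason(session: Session, policy: SessionPolicy, now: datetime) -> Optional[str]:
    """Return the first condition requiring disconnection, or None if the session may continue."""
    if not authentication_sufficient(session.auth_strength, session.transaction_risk):
        return "authentication strength below what the transaction risk requires"
    if now >= session.credential_set_at + policy.credential_lifetime:
        return "credential past its expiration date"
    if now >= session.started_at + policy.max_lifetime:
        return "maximum session lifetime reached"
    if now >= session.last_activity + policy.idle_timeout:
        return "idle timeout"
    return None


def login_notice(transaction_risk: str) -> str:
    """Notification shown at login about the risk of the transaction (Advanced measure)."""
    return (f"This system processes {transaction_risk}-risk transactions; authentication of "
            f"strength '{REQUIRED_STRENGTH[transaction_risk]}' or better is required.")


def demo() -> Dict[str, Optional[str]]:
    """Evaluate constructed sessions against a constructed policy; returns the reasons."""
    t0 = datetime(2024, 3, 1, 8, 0, tzinfo=timezone.utc)
    policy = SessionPolicy(idle_timeout=timedelta(minutes=15),
                           max_lifetime=timedelta(hours=8),
                           credential_lifetime=timedelta(days=90))
    base = dict(user="operator1", started_at=t0, last_activity=t0,
                credential_set_at=t0 - timedelta(days=10),
                auth_strength="password_otp", transaction_risk="medium")
    results = {"ok": termination_reason(Session(**base), policy, t0 + timedelta(minutes=5))}
    results["idle"] = termination_reason(Session(**base), policy, t0 + timedelta(minutes=16))
    long_lived = Session(**{**base, "last_activity": t0 + timedelta(hours=8)})
    results["lifetime"] = termination_reason(long_lived, policy, t0 + timedelta(hours=8, minutes=1))
    stale_cred = Session(**{**base, "credential_set_at": t0 - timedelta(days=91)})
    results["credential"] = termination_reason(stale_cred, policy, t0)
    weak = Session(**{**base, "transaction_risk": "high"})
    results["weak_auth"] = termination_reason(weak, policy, t0)
    return results


if __name__ == "__main__":
    print(login_notice("high"))
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The order of the checks matters: an insufficient mechanism or an expired credential is reported before idle time, so a session that should never have been allowed is not merely timed out. For an industrial control system the H‐Advanced note about PKI wait time applies to the login step that precedes these checks, not to the checks themselves, which are cheap comparisons.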

A.8.2.3 Handling of assets (continued)
Mapped CPSF measure requirement CPS.DS-2: Encrypt information with an appropriate level of security strength, and store it.
  [H‐Advanced]
  ‐ The organization selects products that have been validated under the Cryptographic Module Validation Program (CMVP) in order to suitably implement selected algorithms in software and hardware, and to protect keys, identification codes, and entity authentication information that is used to decrypt encrypted information or to grant electronic signatures.
  ‐ The organization protects and encrypts data to the appropriate strength when that data is taken outside of the organization.
  ‐ The organization uses IoT devices that can encrypt and store data in internal memory.
  [Advanced]
  ‐ The organization examines the safety and trustworthiness that are necessary, selects an algorithm, encrypts information (data) to the appropriate strength, and stores the information. If an algorithm on the CRYPTREC Ciphers List can be selected, the organization uses it to encrypt information (data) to the appropriate strength and stores the information.
  ‐ The organization considers the level of security and trustworthiness required for the information, chooses an algorithm, and encrypts and stores high-importance information handled by industrial control systems with appropriate strength without causing unacceptable impact on performance.
  [Reference] Regarding encryption technologies whose security and implementation performance are confirmed, the Cryptography Research and Evaluation Committees (CRYPTREC) releases to the public a list of such technologies recommended for use that are sufficiently used in the market or are expected to spread in the future. It is desirable that the organization refer to the list as needed when procuring systems that should implement encryption functions.
  [Basic]
  ‐ The organization examines the safety and trustworthiness that are necessary, selects an algorithm, encrypts important information (data) handled by information systems to the appropriate strength, and stores the information.
Mapped CPSF measure requirement CPS.IP-6: When disposing of an IoT device and server, delete the stored data and the ID (identifier) uniquely identifying the genuine IoT devices and servers as well as important information (e.g., private key and digital certificate), or make them unreadable.
  [H‐Advanced]
  ‐ The organization defines classifications including security categories of data saved in an IoT device or server to be scrapped, and introduces a mechanism for using the proper technique for deleting data with the strength and integrity needed or making the data unreadable according to the definition.
A.8.3 A.8.3.1 Procedures shall be implemented for the ‐The organization identifies assets constituting its information systems and industrial control systems (hardware, including IoT devices;
Media handling Management of management of removable media in software; and information) uniquely, assigns a responsible person to each asset. And the organization maintains/manages lists
periodically, or at the request of the operator including configuration information of assets (e.g., names, version information, license
removable media accordance with the classification scheme
information, and location) while recognizing situations in real time.
adopted by the organization. H‐Advanced ‐ The information system regularly audits whether the actual configuration grasped conforms to the baseline configuration defined by
the organization, and responds appropriately. (Example: blocking unplanned connections except those permitted by the organization as
Document and manage appropriately the list of an exception)
‐The information system and industrial control system implement and operate a mechanism which automatically detects and responses
hardware and software, and management
to unauthorized assets.
CPS.AM-1 information (e.g. name of asset, version, network
‐ Maintain/manage lists including configuration information of assets (e.g., names, version information, license information, and
address, name of asset manager, license location) by reviewing and updating them periodically.
information) of components in the system. ‐ The organization makes a list of removable media (e.g., USB memory sticks) that can be used on system components (information
system or industrial control system), and manages the use of them.
Advanced ‐ The organization uses only removable media (e.g. USB memory) permitted in the organization.  Also,  if there is no identifiable
ownwer of portable storage devices, the organization prohibits the use of such devices.
‐ The organization controles access to the media that contain highly confidential data, and properly grasps and manages the usage of
the media taken outside of the controlled areas.

  CPS.IP-6: When disposing of an IoT device and server, delete the stored data and the ID (identifier) uniquely identifying the genuine IoT devices and servers as well as important information (e.g., private key and digital certificate), or make them unreadable.
    H-Advanced:
    ‐ The organization defines classifications including security categories of data saved in an IoT device or server to be scrapped, and introduces a mechanism for using the proper technique for deleting data with the strength and integrity needed or making the data unreadable according to the definition.
    Advanced:
    ‐ The organization establishes a procedure for scrapping its equipment including IoT devices and servers, deletes data saved in the equipment or makes the data unreadable in accordance with the procedure, and makes sure that the action has been done successfully.
    Basic:
    ‐ The organization deletes data that has been saved in its IoT devices or servers to be scrapped, or makes the data unreadable.
  CPS.PT-2: Minimize functions of IoT devices and servers by physically and logically blocking unnecessary network ports, USBs, and serial ports accessing directly the main bodies of IoT devices and servers etc.
    H-Advanced:
    ‐ The organization identifies software programs that are not allowed to be executed on a system.
    ‐ Manage a "black list" or "white list" so that the software programs not allowed on the system cannot be executed.
    ‐ The organization regularly reviews and updates the black list or the white list.
    ‐ The system blocks the execution of these programs in accordance with the specified rules.
    Advanced:
    ‐ The organization reviews the functions and services provided by its systems and items in order to identify the functions and services that could be deleted.
    ‐ The organization uses network scanning tools, intrusion detection and prevention systems, and endpoint protection (e.g., a firewall, host-based intrusion detection system) in order to detect and prevent the use of banned functions, ports, protocols, and services.
    ‐ The organization minimizes the functions and services of devices connected to the network, such as multifunction printers, in addition to typical IoT devices and servers.
    Basic:
    ‐ The organization manages peripherals in use (e.g., USB flash drives) using a management ledger and keeps them in a locked place.
    ‐ The organization checks external storage devices connected to IoT devices or servers (e.g., USB flash drives) using antivirus software, uses USB flash drives that can be checked for viruses, or takes any other appropriate action.
    ‐ The organization plugs USB ports and serial ports that are not in use to physically block them.
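The baseline audit and automatic response to unauthorized assets that the CPS.AM-1 H-Advanced examples above describe, worked through as an added illustration that is not part of the framework; the asset records, the exception list, the field names and the verdict labels are all constructed for the example.

```python
"""Baseline-configuration audit for CPS.AM-1 (added example, not CPSF text).
Compares the configuration actually recognized on the network with the baseline
the organization defined, reports drift and missing assets, permits unplanned
connections only when the organization recorded an exception, and marks every
other unplanned asset for blocking. All asset records are constructed sample data."""
from dataclasses import dataclass, fields


@dataclass(frozen=True)
class Asset:
    """The management information the framework lists for each component."""
    name: str
    version: str
    address: str
    manager: str
    license_info: str
    location: str


# Baseline configuration defined by the organization (constructed).
BASELINE = {
    "plc-01": Asset("plc-01", "2.4.1", "10.0.10.11", "ot-team", "LIC-001", "line-a"),
    "hmi-01": Asset("hmi-01", "7.0.0", "10.0.10.20", "ot-team", "LIC-002", "line-a"),
    "srv-hist": Asset("srv-hist", "2019.3", "10.0.20.5", "it-team", "LIC-010", "dc-1"),
}
# Unplanned connections the organization has permitted as exceptions, keyed by address.
EXCEPTIONS = {"10.0.10.99": "vendor maintenance laptop, change ticket PLACEHOLDER"}
# Assets recognized on the network in this audit cycle (constructed scan result).
OBSERVED = [
    Asset("plc-01", "2.4.1", "10.0.10.11", "ot-team", "LIC-001", "line-a"),
    Asset("hmi-01", "7.1.2", "10.0.10.20", "ot-team", "LIC-002", "line-a"),  # version drift
    Asset("vendor-lt", "n/a", "10.0.10.99", "unknown", "n/a", "line-a"),    # permitted exception
    Asset("rogue-ap", "n/a", "10.0.10.150", "unknown", "n/a", "line-a"),    # unauthorized asset
]


def audit(baseline, observed, exceptions):
    """Return (verdict, asset, detail) findings.

    ok        matches the baseline
    drift     baseline asset whose recorded attributes changed
    missing   baseline asset not recognized in this cycle
    exception unplanned asset explicitly permitted by the organization
    block     unplanned asset with no exception: block the connection
    A device that reuses a baseline name at a different address is treated as
    unplanned rather than as drift, so the baseline entry is reported missing.
    """
    findings, seen = [], set()
    for asset in observed:
        expected = baseline.get(asset.name)
        if expected is not None and expected.address == asset.address:
            seen.add(asset.name)
            if expected == asset:
                findings.append(("ok", asset, ""))
            else:
                changed = [f.name for f in fields(Asset)
                           if getattr(expected, f.name) != getattr(asset, f.name)]
                findings.append(("drift", asset, "changed: " + ", ".join(changed)))
        elif asset.address in exceptions:
            findings.append(("exception", asset, exceptions[asset.address]))
        else:
            findings.append(("block", asset, "not in baseline and no exception recorded"))
    for name, expected in baseline.items():
        if name not in seen:
            findings.append(("missing", expected, "not recognized in this cycle"))
    return findings


def respond(findings):
    """Derive the automatic response: block unauthorized assets, queue the rest for review."""
    return {
        "block": [a.address for v, a, _ in findings if v == "block"],
        "review": [a.name for v, a, _ in findings if v in ("drift", "missing")],
    }


if __name__ == "__main__":
    result = audit(BASELINE, OBSERVED, EXCEPTIONS)
    for verdict, asset, detail in result:
        print(f"{verdict:9} {asset.name:10} {asset.address:12} {detail}")
    print(respond(result))
```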
A.8.3.2 Disposal of media: Procedures shall be implemented for the management of removable media in accordance with the classification scheme adopted by the organization.
  CPS.IP-6: When disposing of an IoT device and server, delete the stored data and the ID (identifier) uniquely identifying the genuine IoT devices and servers as well as important information (e.g., private key and digital certificate), or make them unreadable.
    H-Advanced:
    ‐ The organization defines classifications including security categories of data saved in an IoT device or server to be scrapped, and introduces a mechanism for using the proper technique for deleting data with the strength and integrity needed or making the data unreadable according to the definition.
    Advanced:
    ‐ The organization establishes a procedure for scrapping its equipment including IoT devices and servers, deletes data saved in the equipment or makes the data unreadable in accordance with the procedure, and makes sure that the action has been done successfully.
    Basic:
    ‐ The organization deletes data that has been saved in its IoT devices or servers to be scrapped, or makes the data unreadable.

D-3-8
Appendix D.3 - Mapping ISO/IEC 27001 to CPSF

ISO/IEC 27001:2013 Annex A Cyber/Physical Security Framework


Security Controls ID | Controls | Measure Requirement ID | Measure Requirement | Example of Security Measures
A.8.3.3 Physical media transfer: Media containing information shall be protected against unauthorized access, misuse or corruption during transportation.
  CPS.SC-4: When signing contracts with external parties, check if the products and services provided by the other relevant organizations properly comply with the security requirements defined by the organization while considering the objectives of such contracts and results of risk management.
    H-Advanced:
    ‐ The organization or a third party tests the procured devices to see whether the security requirements stipulated in the contract are fulfilled.
    ‐ The organization checks throughout the entire relevant supply chain (including reconsigned organizations) whether the devices especially important for its operation are manufactured under appropriate procedures by organizations that have quality and security management ability above a certain level.
    Advanced:
    ‐ The organization specifies in the contract the security requirements that the products and services procured from the partner should comply with, such as the following.
      ‐ Specific certifications related to security (e.g., ISMS certification, ISASecure EDSA certification, Japan Information Technology Security Evaluation and Certification Scheme (JISEC)) have been gained.
      ‐ The vendor itself confirms that it has implemented the security measures in accordance with the standards of specific certifications related to security.
      ‐ It has implemented the necessary security requirements from the design phase (security by design) based on the results of risk analysis, etc., and tested them.
    ‐ It is desirable that the organization should, at the phase of planning procurement, secure a budget for security requirements regarding the products or services themselves, or for protection of assets used for procurement and supply of such products or services.
    ‐ The organization formulates, manages and improves security measurement rules to evaluate procurement or supply of products or services, including the following.
      ‐ Target for measurement
      ‐ Method and frequency of reporting on measures taken
      ‐ Measures to be taken when measures are not implemented
    ‐ The organization checks the means of detecting (or preventing) falsification and leakage during shipment, and whether or not the IoT devices and software being delivered have been operated without authorization.
      ‐ Goods: security courier, protection seal, etc.
      ‐ Digital transfer: encryption, hash of the entire transmitted data, etc.
A.9 Access control
A.9.1 Business requirements of access control
A.9.1.1 Access control policy: An access control policy shall be established, documented and reviewed based on business and information security requirements.
  CPS.AC-1: Establish and implement the procedure to issue, manage, check, cancel, and monitor identification and authentication information of authorized goods, people, and procedures.
    H-Advanced:
    ‐ The organization introduces and operates, for example, the following automated mechanisms for managing accounts in its own information systems and industrial control systems.
      ‐ Automatically collect account information periodically from the system to be managed
      ‐ Automatically change the password of privileged accounts
    ‐ The industrial control system supports integrated account management.
    ‐ After a certain period of time, the system automatically invalidates temporary accounts, emergency accounts, and accounts not in use on the system.
    ‐ The information system automatically audits and reports account validation and invalidation associated with the creation, change, and deletion of accounts in the system used by the organization.
    Advanced:
    ‐ The organization must obtain approval from the management supervisor when creating a system account.
    ‐ With regard to a shared user account, the users who can know its authentication information are managed in a list or the like, so that the range of use of the account can be identified.
    ‐ The organization monitors the usage of system accounts used in an information system.
    ‐ If an account needs to be changed or becomes unnecessary, the organization notifies the management supervisor.
    ‐ The organization sets the expiration date of the credential and manages whether a password past its expiration date is used.
    ‐ The organization notifies the user (or the person in charge of management) when the password is changed in an information system or an industrial control system.
    ‐ If the information system resets the credentials for reasons such as the user forgetting them, the information system securely confirms that the account belongs to the requesting user, to prevent unauthorized tampering with the credentials by a malicious party.
    Basic:
    ‐ The organization appoints a management supervisor for the accounts in its information system and industrial control system.
    ‐ The organization decides and selects the types of system accounts necessary (e.g., general user/system administrator/shared user/temporary user), with consideration of their mission and business functions.
    ‐ The organization creates and enables system accounts as per the procedure, and changes, disables and deletes them as needed.
    ‐ The organization develops a policy of credentials (e.g. password, security key) for its own information systems and industrial control systems, and implements a function that prevents a credential from being set unless it satisfies the policy. The following is an example of the content of the policy.
      ‐ Develop and operate the requirements for passwords in order to ensure the minimum required complexity.
      ‐ When new credentials are created, change them to at least the number of characters defined by the organization.
      ‐ Store and transmit only cryptographically protected credentials.
      ‐ Prohibit reuse of the same credentials for the period that the organization defines.
    ‐ The organization allows its members to use temporary credentials exceptionally when logging on to the system after they have forgotten their credentials, provided they change immediately to a strong password.
    ‐ The organization does not share user identification information among multiple system users in an information system or an industrial control system except when multiple users function as a single group.
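The CPS.AC-1 examples above (supervisor approval before account creation, credentials stored only in cryptographically protected form, a minimum-complexity policy, a prohibition on reuse within a defined period, credential expiration, automatic invalidation of temporary and unused accounts, and an audit record of every account change) worked into one small registry, as an added example that is not the framework's or any vendor's code; the policy values, the account names, the character-class rule and the scrypt parameters are assumptions. The same block also illustrates the later rows on this page that map to CPS.AC-1.

```python
"""Account and credential lifecycle for CPS.AC-1 (added example, not CPSF text):
credentials stored only as salted scrypt digests, a minimum-complexity policy
enforced when a credential is set, reuse refused within a defined period, expired
credentials rejected at login, temporary and unused accounts invalidated
automatically, and every event recorded for audit. Policy values are constructed."""
import hashlib
import hmac
import os
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Optional

MIN_LENGTH = 12                            # constructed policy values
CREDENTIAL_LIFETIME = timedelta(days=90)
REUSE_WINDOW = timedelta(days=365)
INACTIVITY_LIMIT = timedelta(days=60)
TEMP_ACCOUNT_LIFETIME = timedelta(days=7)


def protect(password: str, salt: bytes) -> bytes:
    """Only this digest is stored or compared; the clear text is never kept."""
    return hashlib.scrypt(password.encode(), salt=salt, n=2 ** 14, r=8, p=1, dklen=32)


def meets_policy(password: str) -> bool:
    """Minimum complexity: length plus at least three of four character classes."""
    classes = [any(c.islower() for c in password), any(c.isupper() for c in password),
               any(c.isdigit() for c in password), any(not c.isalnum() for c in password)]
    return len(password) >= MIN_LENGTH and sum(classes) >= 3


@dataclass
class Account:
    user: str
    kind: str                  # general / administrator / shared / temporary
    approved_by: str           # management supervisor who approved the creation
    created: datetime
    salt: bytes = b""
    digest: bytes = b""
    credential_set: Optional[datetime] = None
    last_login: Optional[datetime] = None
    history: list = field(default_factory=list)   # (digest, salt, when) of past credentials
    active: bool = True


class Registry:
    def __init__(self):
        self.accounts = {}
        self.audit = []        # (when, user, event) records for review

    def check_credential(self, user: str, password: str, now: datetime) -> str:
        """Return "ok", "policy" or "reused" for a proposed credential."""
        if not meets_policy(password):
            return "policy"
        for old_digest, old_salt, when in self.accounts[user].history:
            if now - when < REUSE_WINDOW and hmac.compare_digest(protect(password, old_salt), old_digest):
                return "reused"
        return "ok"

    def set_credential(self, user, password, now):
        verdict = self.check_credential(user, password, now)
        if verdict != "ok":
            raise ValueError("credential rejected: " + verdict)
        acct = self.accounts[user]
        acct.salt = os.urandom(16)
        acct.digest = protect(password, acct.salt)
        acct.credential_set = now
        acct.history.append((acct.digest, acct.salt, now))
        self.audit.append((now, user, "credential changed; user notified"))

    def create(self, user, kind, approved_by, password, now):
        if not approved_by:
            raise PermissionError("approval of the management supervisor is required")
        self.accounts[user] = Account(user, kind, approved_by, now)
        self.audit.append((now, user, f"account created ({kind}), approved by {approved_by}"))
        self.set_credential(user, password, now)

    def login(self, user, password, now) -> bool:
        acct = self.accounts.get(user)
        if acct is None or not acct.active:
            return False
        if now - acct.credential_set > CREDENTIAL_LIFETIME:
            return False                   # password past its expiration date
        if not hmac.compare_digest(protect(password, acct.salt), acct.digest):
            return False
        acct.last_login = now
        return True

    def invalidate_stale(self, now) -> list:
        """Automatically invalidate expired temporary accounts and accounts not in use."""
        invalidated = []
        for acct in self.accounts.values():
            reason = None
            if acct.kind == "temporary" and now - acct.created > TEMP_ACCOUNT_LIFETIME:
                reason = "temporary account past its lifetime"
            elif now - (acct.last_login or acct.created) > INACTIVITY_LIMIT:
                reason = "account not in use"
            if reason and acct.active:
                acct.active = False
                invalidated.append(acct.user)
                self.audit.append((now, acct.user, "invalidated: " + reason))
        return invalidated
```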
A.9.1.2 Access to networks and network services: Users shall only be provided with access to the network and network services that they have been specifically authorized to use.
  CPS.AC-6: Adopt high confidence methods of authentication where appropriate based on risk (e.g. multi-factor authentication, combining more than two types of authentication) when logging in to the system over the network for the privileged user.
    H-Advanced:
    ‐ The system uses multifactor authentication for access to the system or network with non-privileged accounts.
    ‐ For an information system that handles highly confidential data, access to the system and network with privileged or non-privileged accounts uses an authentication mechanism that can withstand replay attacks.
    [Reference] It is desirable to refer to NIST SP 800-63-3 regarding the strength of authentication methods and appropriate use cases.
    Advanced:
    ‐ In consideration of the risk of unauthorized login to the privileged account in the system, the organization in principle prohibits login to the privileged account via the network when it is not possible to implement a sufficiently high confidence method of authentication.
    ‐ The information system requires multifactor authentication for access to the system or network with privileged accounts when it cannot implement actions such as invalidating the administrator account for the system.
    ‐ In principle, the organization invalidates the default administrator account in the information system.
    ‐ The information system grants the user account only the minimum privileged authority necessary when performing privileged operations.

A.9.2 User access management
A.9.2.1 User registration and de-registration: A formal user registration and de-registration process shall be implemented to enable assignment of access rights.
  CPS.AC-1: Establish and implement the procedure to issue, manage, check, cancel, and monitor identification and authentication information of authorized goods, people, and procedures.
    H-Advanced:
    ‐ The organization introduces and operates, for example, the following automated mechanisms for managing accounts in its own information systems and industrial control systems.
      ‐ Automatically collect account information periodically from the system to be managed
      ‐ Automatically change the password of privileged accounts
    ‐ The industrial control system supports integrated account management.
    ‐ After a certain period of time, the system automatically invalidates temporary accounts, emergency accounts, and accounts not in use on the system.
    ‐ The information system automatically audits and reports account validation and invalidation associated with the creation, change, and deletion of accounts in the system used by the organization.
    Advanced:
    ‐ The organization must obtain approval from the management supervisor when creating a system account.
    ‐ With regard to a shared user account, the users who can know its authentication information are managed in a list or the like, so that the range of use of the account can be identified.
    ‐ The organization monitors the usage of system accounts used in an information system.
    ‐ If an account needs to be changed or becomes unnecessary, the organization notifies the management supervisor.
    ‐ The organization sets the expiration date of the credential and manages whether a password past its expiration date is used.
    ‐ The organization notifies the user (or the person in charge of management) when the password is changed in an information system or an industrial control system.
    ‐ If the information system resets the credentials for reasons such as the user forgetting them, the information system securely confirms that the account belongs to the requesting user, to prevent unauthorized tampering with the credentials by a malicious party.
    Basic:
    ‐ The organization appoints a management supervisor for the accounts in its information system and industrial control system.
    ‐ The organization decides and selects the types of system accounts necessary (e.g., general user/system administrator/shared user/temporary user), with consideration of their mission and business functions.
    ‐ The organization creates and enables system accounts as per the procedure, and changes, disables and deletes them as needed.
    ‐ The organization develops a policy of credentials (e.g. password, security key) for its own information systems and industrial control systems, and implements a function that prevents a credential from being set unless it satisfies the policy. The following is an example of the content of the policy.
      ‐ Develop and operate the requirements for passwords in order to ensure the minimum required complexity.
      ‐ When new credentials are created, change them to at least the number of characters defined by the organization.
      ‐ Store and transmit only cryptographically protected credentials.
      ‐ Prohibit reuse of the same credentials for the period that the organization defines.
    ‐ The organization allows its members to use temporary credentials exceptionally when logging on to the system after they have forgotten their credentials, provided they change immediately to a strong password.
    ‐ The organization does not share user identification information among multiple system users in an information system or an industrial control system except when multiple users function as a single group.

  CPS.AC-8: Restrict communications by IoT devices and servers to those with entities (e.g. people, components, system, etc.) identified through proper procedures.
    Basic:
    ‐ The organization assigns identifiers to its IoT devices and servers, and manages the identification by preventing re-use of identifiers and invalidating identifiers after a certain period of time.
    ‐ Before connecting their IoT devices and servers to the network, the information system and the industrial control system prepare a mechanism that uniquely identifies and authenticates these devices.
    ‐ Communication using IoT devices is denied by default. The protocol to be used is authorized as an exception.
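The CPS.AC-8 Basic examples above (unique device identifiers that are never reused and are invalidated after a validity period, identification and authentication before a device may communicate, and communication denied by default with individual protocols authorized as exceptions), as an added example that is not framework code; the challenge-response scheme, the one-year validity period, the device descriptions and the protocol names are assumptions.

```python
"""Device identification and default-deny communication for CPS.AC-8 (added
example, not CPSF text). Each IoT device receives a unique identifier that is
never reused and is invalidated after a validity period, must prove its identity
(HMAC over a one-time challenge with a secret provisioned out of band) before it
may talk on the network, and may use only the protocols explicitly authorized for
it as exceptions. Keys, identifiers and the validity period are constructed."""
import hashlib
import hmac
import os
import uuid
from datetime import datetime, timedelta

IDENTIFIER_VALIDITY = timedelta(days=365)     # constructed policy value


def device_response(secret: bytes, nonce: bytes) -> bytes:
    """What a device computes from a challenge with its provisioned secret."""
    return hmac.new(secret, nonce, hashlib.sha256).digest()


class DeviceRegistry:
    def __init__(self):
        self.devices = {}        # identifier -> record
        self.retired = set()     # identifiers that must never be issued again
        self.pending = set()     # outstanding challenges, each usable once
        self.decisions = []      # (when, identifier, protocol, verdict) for audit

    def register(self, description: str, now: datetime):
        """Issue a fresh identifier and per-device secret; nothing is authorized yet."""
        while True:
            device_id = str(uuid.uuid4())
            if device_id not in self.devices and device_id not in self.retired:
                break
        secret = os.urandom(32)
        self.devices[device_id] = {"description": description, "secret": secret,
                                   "issued": now, "protocols": set()}
        return device_id, secret

    def retire(self, device_id: str):
        """Invalidate an identifier; it stays in the retired set so it is never reused."""
        self.devices.pop(device_id, None)
        self.retired.add(device_id)

    def authorize_protocol(self, device_id: str, protocol: str):
        """Grant one protocol as an explicit exception to the default deny."""
        self.devices[device_id]["protocols"].add(protocol)

    def challenge(self) -> bytes:
        nonce = os.urandom(16)
        self.pending.add(nonce)
        return nonce

    def authenticate(self, device_id, nonce, response, now) -> bool:
        if nonce not in self.pending:
            return False                     # unknown or replayed challenge
        self.pending.discard(nonce)
        rec = self.devices.get(device_id)
        if rec is None:
            return False
        if now - rec["issued"] > IDENTIFIER_VALIDITY:
            self.retire(device_id)           # identifier invalidated after its period
            return False
        return hmac.compare_digest(device_response(rec["secret"], nonce), response)

    def may_communicate(self, device_id, nonce, response, protocol, now) -> bool:
        """Default deny: only an authenticated device on an authorized protocol passes."""
        if not self.authenticate(device_id, nonce, response, now):
            verdict = "deny: device not identified"
        elif protocol not in self.devices[device_id]["protocols"]:
            verdict = "deny: protocol not authorized for this device"
        else:
            verdict = "allow"
        self.decisions.append((now, device_id, protocol, verdict))
        return verdict == "allow"
```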

A.9.2.2 User access provisioning: A formal user access provisioning process shall be implemented to assign or revoke access rights for all user types to all systems and services.
  CPS.AC-1: Establish and implement the procedure to issue, manage, check, cancel, and monitor identification and authentication information of authorized goods, people, and procedures.
    H-Advanced:
    ‐ The organization introduces and operates, for example, the following automated mechanisms for managing accounts in its own information systems and industrial control systems.
      ‐ Automatically collect account information periodically from the system to be managed
      ‐ Automatically change the password of privileged accounts
    ‐ The industrial control system supports integrated account management.
    ‐ After a certain period of time, the system automatically invalidates temporary accounts, emergency accounts, and accounts not in use on the system.
    ‐ The information system automatically audits and reports account validation and invalidation associated with the creation, change, and deletion of accounts in the system used by the organization.
    Advanced:
    ‐ The organization must obtain approval from the management supervisor when creating a system account.
    ‐ With regard to a shared user account, the users who can know its authentication information are managed in a list or the like, so that the range of use of the account can be identified.
    ‐ The organization monitors the usage of system accounts used in an information system.
    ‐ If an account needs to be changed or becomes unnecessary, the organization notifies the management supervisor.
    ‐ The organization sets the expiration date of the credential and manages whether a password past its expiration date is used.
    ‐ The organization notifies the user (or the person in charge of management) when the password is changed in an information system or an industrial control system.
    ‐ If the information system resets the credentials for reasons such as the user forgetting them, the information system securely confirms that the account belongs to the requesting user, to prevent unauthorized tampering with the credentials by a malicious party.
    Basic:
    ‐ The organization appoints a management supervisor for the accounts in its information system and industrial control system.
    ‐ The organization decides and selects the types of system accounts necessary (e.g., general user/system administrator/shared user/temporary user), with consideration of their mission and business functions.
    ‐ The organization creates and enables system accounts as per the procedure, and changes, disables and deletes them as needed.
    ‐ The organization develops a policy of credentials (e.g. password, security key) for its own information systems and industrial control systems, and implements a function that prevents a credential from being set unless it satisfies the policy. The following is an example of the content of the policy.
      ‐ Develop and operate the requirements for passwords in order to ensure the minimum required complexity.
      ‐ When new credentials are created, change them to at least the number of characters defined by the organization.
      ‐ Store and transmit only cryptographically protected credentials.
      ‐ Prohibit reuse of the same credentials for the period that the organization defines.
    ‐ The organization allows its members to use temporary credentials exceptionally when logging on to the system after they have forgotten their credentials, provided they change immediately to a strong password.
    ‐ The organization does not share user identification information among multiple system users in an information system or an industrial control system except when multiple users function as a single group.

A.9.2.3 Management of privileged access rights: The allocation and use of privileged access rights shall be restricted and controlled.
  CPS.AC-5: Segregate duties and areas of responsibility properly (e.g. segregate user functions from system administrator functions).
    H-Advanced:
    ‐ The organization specifies the administrators who use the security functions (e.g., access authority setting) and regulates privileged accounts in its system.
    ‐ The information system adopts a system monitoring mechanism to check the use of privileged functions.
    ‐ The information system prohibits non-privileged users from executing privileged functions on the system, such as invalidating, avoiding, or changing the security measures implemented on the system.
    ‐ The organization can minimize the number of users who can use the system administrator's authority in an emergency, to minimize the damage caused by a security incident.
    ‐ The organization can prevent even system administrators from stopping critical services and protected processes on the server, to minimize the damage caused by security incidents.
    Advanced:
    ‐ The organization implements access control in the information system and the industrial control system based on separation of duties (e.g., user / system administrator).
    ‐ The organization adopts a general rule on the minimum authority for specific duties.
      ‐ Segregate the authority of general users from that of administrators. (Require users to use the system with a non-privileged account when using a non-security function.)
      ‐ Minimize authority for duties the person is not in charge of.
    ‐ The organization separates and stipulates the duties that are assigned to each person in charge.
  CPS.AC-6: Adopt high confidence methods of authentication where appropriate based on risk (e.g. multi-factor authentication, combining more than two types of authentication) when logging in to the system over the network for the privileged user.
    H-Advanced:
    ‐ The system uses multifactor authentication for access to the system or network with non-privileged accounts.
    ‐ For an information system that handles highly confidential data, access to the system and network with privileged or non-privileged accounts uses an authentication mechanism that can withstand replay attacks.
    [Reference] It is desirable to refer to NIST SP 800-63-3 regarding the strength of authentication methods and appropriate use cases.
    Advanced:
    ‐ In consideration of the risk of unauthorized login to the privileged account in the system, the organization in principle prohibits login to the privileged account via the network when it is not possible to implement a sufficiently high confidence method of authentication.
    ‐ The information system requires multifactor authentication for access to the system or network with privileged accounts when it cannot implement actions such as invalidating the administrator account for the system.
    ‐ In principle, the organization invalidates the default administrator account in the information system.
    ‐ The information system grants the user account only the minimum privileged authority necessary when performing privileged operations.
A.9.2.4 Management of secret authentication information of users: The allocation of secret authentication information shall be controlled through a formal management process.
  CPS.AC-1: Establish and implement the procedure to issue, manage, check, cancel, and monitor identification and authentication information of authorized goods, people, and procedures.
    H-Advanced:
    ‐ The organization introduces and operates, for example, the following automated mechanisms for managing accounts in its own information systems and industrial control systems.
      ‐ Automatically collect account information periodically from the system to be managed
      ‐ Automatically change the password of privileged accounts
    ‐ The industrial control system supports integrated account management.
    ‐ After a certain period of time, the system automatically invalidates temporary accounts, emergency accounts, and accounts not in use on the system.
    ‐ The information system automatically audits and reports account validation and invalidation associated with the creation, change, and deletion of accounts in the system used by the organization.
    Advanced:
    ‐ The organization must obtain approval from the management supervisor when creating a system account.
    ‐ With regard to a shared user account, the users who can know its authentication information are managed in a list or the like, so that the range of use of the account can be identified.
    ‐ The organization monitors the usage of system accounts used in an information system.
    ‐ If an account needs to be changed or becomes unnecessary, the organization notifies the management supervisor.
    ‐ The organization sets the expiration date of the credential and manages whether a password past its expiration date is used.
    ‐ The organization notifies the user (or the person in charge of management) when the password is changed in an information system or an industrial control system.
    ‐ If the information system resets the credentials for reasons such as the user forgetting them, the information system securely confirms that the account belongs to the requesting user, to prevent unauthorized tampering with the credentials by a malicious party.
A.9.2.5 Review of user access rights: Asset owners shall review users' access rights at regular intervals.
  CPS.AC-1: Establish and implement the procedure to issue, manage, check, cancel, and monitor identification and authentication information of authorized goods, people, and procedures.
    H-Advanced:
    ‐ The organization introduces and operates, for example, the following automated mechanisms for managing accounts in its own information systems and industrial control systems.
      ‐ Automatically collect account information periodically from the system to be managed
      ‐ Automatically change the password of privileged accounts
    ‐ The industrial control system supports integrated account management.
    ‐ After a certain period of time, the system automatically invalidates temporary accounts, emergency accounts, and accounts not in use on the system.
    ‐ The information system automatically audits and reports account validation and invalidation associated with the creation, change, and deletion of accounts in the system used by the organization.
    Advanced:
    ‐ The organization must obtain approval from the management supervisor when creating a system account.
    ‐ With regard to a shared user account, the users who can know its authentication information are managed in a list or the like, so that the range of use of the account can be identified.
    ‐ The organization monitors the usage of system accounts used in an information system.
    ‐ If an account needs to be changed or becomes unnecessary, the organization notifies the management supervisor.
    ‐ The organization sets the expiration date of the credential and manages whether a password past its expiration date is used.
    ‐ The organization notifies the user (or the person in charge of management) when the password is changed in an information system or an industrial control system.
    ‐ If the information system resets the credentials for reasons such as the user forgetting them, the information system securely confirms that the account belongs to the requesting user, to prevent unauthorized tampering with the credentials by a malicious party.

A.9.2.6 Removal or adjustment of access rights: The access rights of all employees and external party users to information and information processing facilities shall be removed upon termination of their employment, contract or agreement, or adjusted upon change.
  CPS.AC-1: Establish and implement the procedure to issue, manage, check, cancel, and monitor identification and authentication information of authorized goods, people, and procedures.
    H-Advanced:
    ‐ The organization introduces and operates, for example, the following automated mechanisms for managing accounts in its own information systems and industrial control systems.
      ‐ Automatically collect account information periodically from the system to be managed
      ‐ Automatically change the password of privileged accounts
    ‐ The industrial control system supports integrated account management.
    ‐ After a certain period of time, the system automatically invalidates temporary accounts, emergency accounts, and accounts not in use on the system.
    ‐ The information system automatically audits and reports account validation and invalidation associated with the creation, change, and deletion of accounts in the system used by the organization.
    Advanced:
    ‐ The organization must obtain approval from the management supervisor when creating a system account.
    ‐ With regard to a shared user account, the users who can know its authentication information are managed in a list or the like, so that the range of use of the account can be identified.
    ‐ The organization monitors the usage of system accounts used in an information system.
    ‐ If an account needs to be changed or becomes unnecessary, the organization notifies the management supervisor.
    ‐ The organization sets the expiration date of the credential and manages whether a password past its expiration date is used.
    ‐ The organization notifies the user (or the person in charge of management) when the password is changed in an information system or an industrial control system.
    ‐ If the information system resets the credentials for reasons such as the user forgetting them, the information system securely confirms that the account belongs to the requesting user, to prevent unauthorized tampering with the credentials by a malicious party.
    Basic:
    ‐ The organization appoints a management supervisor for the accounts in its information system and industrial control system.
    ‐ The organization decides and selects the types of system accounts necessary (e.g., general user/system administrator/shared user/temporary user), with consideration of their mission and business functions.
    ‐ The organization creates and enables system accounts as per the procedure, and changes, disables and deletes them as needed.
    ‐ The organization develops a policy of credentials (e.g. password, security key) for its own information systems and industrial control systems, and implements a function that prevents a credential from being set unless it satisfies the policy. The following is an example of the content of the policy.
      ‐ Develop and operate the requirements for passwords in order to ensure the minimum required complexity.
      ‐ When new credentials are created, change them to at least the number of characters defined by the organization.
      ‐ Store and transmit only cryptographically protected credentials.
      ‐ Prohibit reuse of the same credentials for the period that the organization defines.
    ‐ The organization allows its members to use temporary credentials exceptionally when logging on to the system after they have forgotten their credentials, provided they change immediately to a strong password.
    ‐ The organization does not share user identification information among multiple system users in an information system or an industrial control system except when multiple users function as a single group.
  CPS.AC-2: Implement appropriate physical security measures such as locking and limiting access to the areas where the IoT devices and servers are installed, using entrance and exit controls, biometric authentication, deploying surveillance cameras, and inspecting belongings and body weight.
    H-Advanced:
    ‐ The organization controls physical access to the service wiring and transmission paths related to its IoT devices and servers.
    ‐ The organization controls physical access to the output devices of its system.
    ‐ The organization monitors alarms and monitoring devices (e.g., surveillance cameras) for physical intrusions into the areas within the physical security boundaries.
    Advanced:
    ‐ The organization monitors physical access to the areas within the physical security boundaries and regularly reviews the audit log.
    ‐ The organization keeps records of visitors' access to the areas within the physical security boundaries and regularly reviews them.
    Basic:
    ‐ The organization maintains the access list for the areas where its IoT devices and servers are located and issues the permission certificates necessary for access.
    ‐ The organization defines physical security boundaries at its facilities, and implements access control according to the security requirements of the assets placed within the boundaries and the results of risk assessment.
    ‐ The organization monitors the work of temporarily authorized parties within the physical security boundaries, such as by authorized attendants or monitoring cameras.
A.9.3 User responsibilities
A.9.3.1 Use of secret authentication information: Users shall be required to follow the organization's practices in the use of secret authentication information.

  CPS.AC-4  Prevent unauthorized log-in to IoT devices and servers by measures such as implementing functions for lockout after a specified number of incorrect log-in attempts and providing a time interval until safety is ensured.
    H‐Advanced
    ‐ The information system and the industrial control system (excluding some cases where immediacy of response is required) set a limit on the number of consecutive login attempts. If the user exceeds it, he or she can log in again only after the administrator removes the restriction.
    Advanced
    ‐ The information system and the industrial control system set a limit on the number of consecutive login attempts. If the user exceeds it, he or she cannot log in again for a certain period of time.
    ‐ The information system and the industrial control system lock the session manually or automatically if the system is not operated for longer than the time set by the organization.
      * In an industrial control system, it may be desirable not to lock the session when a session in which an operator must respond immediately in an emergency is expected.

  CPS.AC-9  Authenticate and authorize logical accesses to system components by IoT devices and users according to the transaction risks (personal security, privacy risks, and other organizational risks).
    H‐Advanced
    ‐ The information system and the industrial control system require authentication using a public key infrastructure (PKI), especially for login to a system that handles highly confidential data.
      * When performing authentication using PKI in an industrial control system, ensure that the resulting processing wait time does not degrade system performance.
    ‐ The information system and the industrial control system lay down conditions that require disconnection of a session and implement a function that automatically terminates a user's session when those conditions are met.
    [Reference] For the strength of authentication schemes and appropriate use cases, it is advisable to refer to NIST SP 800‐63‐3.
    Advanced
    ‐ The organization checks the user's identity and authenticates using a mechanism whose strength is sufficient for the risk of the transaction (security‐related risks for the user, privacy risks, etc.).
    ‐ The information system displays a notification message on the risk of the transaction (security‐related risks for the user, privacy risks, etc.) when a user logs into the system.
    ‐ The information system and the industrial control system do not display authentication information as feedback during the authentication process.
    ‐ The organization sets an expiration date for credentials and checks that passwords past their expiration date are not used.

  CPS.IP-1  Introduce and implement the process to manage the initial setting procedure (e.g., password) and setting change procedure for IoT devices and servers.
    Basic
    ‐ Upon determining the most restrictive setting criteria that conform to its operation, the organization documents the initial setting procedures and setting details for the IoT devices and servers to be introduced, and adjusts the settings according to that document.
    ‐ The organization checks the initial setting values of IoT devices before installing them, and adjusts the settings appropriately if they do not comply with the policy stipulated in CPS.AC‐1.
    ‐ The organization checks and records the software installed in IoT devices before introducing them.

D-3-12
Appendix D.3 - Mapping ISO/IEC 27001 to CPSF

ISO/IEC 27001:2013 Annex A | Cyber/Physical Security Framework
Columns: Security Controls ID | Controls | Measure Requirement ID | Measure Requirement | Example of Security Measures (Basic / Advanced / H‐Advanced)
A.9.4 System and application access control
A.9.4.1 Information access restriction: Access to information and application system functions shall be restricted in accordance with the access control policy.

  CPS.AC-5  Segregate duties and areas of responsibility properly (e.g. segregate user functions from system administrator functions).
    H‐Advanced
    ‐ The organization specifies the administrators who use the security functions (e.g., access authority setting) and regulates the privileged accounts in its system.
    ‐ The information system adopts a monitoring mechanism to check the use of privileged functions.
    ‐ The information system prohibits non‐privileged users from executing privileged functions, including disabling, circumventing, or altering the security measures implemented on the system.
    ‐ The organization is able, in an emergency, to minimize the number of users who can exercise system administrator authority, so as to limit the damage caused by a security incident.
    ‐ The organization is able to prevent even system administrators from stopping critical services and protected processes on the server, so as to limit the damage caused by security incidents.
    Advanced
    ‐ The organization implements access control in the information system and the industrial control system based on separation of duties (e.g., user / system administrator).
    ‐ The organization adopts a general rule on the minimum authority for specific duties.
      ‐ Segregate the authority of general users from that of administrators. (Require users to use the system with a non‐privileged account when using a non‐security function.)
      ‐ Minimize authority for duties the user is not in charge of.
    ‐ The organization separates and stipulates the duties assigned by the person in charge.

  CPS.AC-6  Adopt high confidence methods of authentication where appropriate based on risk (e.g. multi-factor authentication, combining more than two types of authentication) when logging in to the system over the network for the privileged user.
    H‐Advanced
    ‐ The information system requires multifactor authentication for access to the system or network with non‐privileged accounts.
    ‐ For an information system that handles highly confidential data, access to the system and network with privileged or non‐privileged accounts uses an authentication mechanism that is resistant to replay attacks.
    [Reference] It is desirable to refer to NIST SP 800‐63‐3 regarding the strength of authentication methods and appropriate use cases.
    Advanced
    ‐ In consideration of the risk of unauthorized login to the privileged account, the organization in principle prohibits login to the privileged account via the network when sufficiently strong authentication methods cannot be implemented.
    ‐ The information system requires multifactor authentication for access to the system or network with privileged accounts when measures such as disabling the system's administrator account cannot be implemented.
    ‐ In principle, the organization disables the default administrator account in the information system.
    ‐ The information system grants the user account only the minimum privileged authority necessary when performing privileged operations.
A.9.4.2 Secure log-on procedures: Where required by the access control policy, access to systems and applications shall be controlled by a secure log-on procedure.

  CPS.AC-4  Prevent unauthorized log-in to IoT devices and servers by measures such as implementing functions for lockout after a specified number of incorrect log-in attempts and providing a time interval until safety is ensured.
    H‐Advanced
    ‐ The information system and the industrial control system (excluding some cases where immediacy of response is required) set a limit on the number of consecutive login attempts. If the user exceeds it, he or she can log in again only after the administrator removes the restriction.
    Advanced
    ‐ The information system and the industrial control system set a limit on the number of consecutive login attempts. If the user exceeds it, he or she cannot log in again for a certain period of time.
    ‐ The information system and the industrial control system lock the session manually or automatically if the system is not operated for longer than the time set by the organization.
      * In an industrial control system, it may be desirable not to lock the session when a session in which an operator must respond immediately in an emergency is expected.
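The two lockout tiers that CPS.AC-4 describes (mapped under A.9.3.1 above and here under A.9.4.2), written out as an added Python example that is not part of the Framework: the Advanced tier releases the lock after a fixed interval, the H-Advanced tier holds it until an administrator removes the restriction, and an exemption set models the accounts excluded because an immediate response is required. The 3-attempt limit, the 300 s interval, the account names and the fake clock are assumptions for illustration.

```python
"""CPS.AC-4 login lockout at the Advanced and H-Advanced tiers (added example).

Assumptions (not from the Framework): a 3-attempt limit, a 300 s interval,
and an injectable clock so the behaviour can be exercised offline.
"""
from dataclasses import dataclass
from enum import Enum
from typing import Callable, Dict, Iterable, List, Optional


class LockoutTier(Enum):
    ADVANCED = "timed"          # re-login possible again after a fixed interval
    H_ADVANCED = "admin-reset"  # re-login only after an administrator removes the lock


@dataclass
class AccountState:
    consecutive_failures: int = 0
    locked_until: Optional[float] = None  # used by the Advanced tier
    admin_locked: bool = False            # used by the H-Advanced tier


class LoginLimiter:
    """Counts consecutive failed logins per account and applies the tier's lockout."""

    def __init__(self, tier: LockoutTier, max_attempts: int, lockout_seconds: float,
                 clock: Callable[[], float], exempt: Iterable[str] = ()):
        self.tier = tier
        self.max_attempts = max_attempts
        self.lockout_seconds = lockout_seconds
        self.clock = clock
        # Accounts that must never be locked out because an operator has to be able
        # to respond immediately (the ICS exclusion the Framework mentions). Their
        # failures are still counted so that they can be alerted on.
        self.exempt = set(exempt)
        self.accounts: Dict[str, AccountState] = {}

    def _state(self, user: str) -> AccountState:
        return self.accounts.setdefault(user, AccountState())

    def is_locked(self, user: str) -> bool:
        st = self._state(user)
        if self.tier is LockoutTier.H_ADVANCED:
            return st.admin_locked
        if st.locked_until is None:
            return False
        if self.clock() >= st.locked_until:
            # The timed lock has expired: clear it and start the count afresh.
            st.locked_until = None
            st.consecutive_failures = 0
            return False
        return True

    def attempt(self, user: str, credential_ok: bool) -> str:
        """Return 'locked' (credential not even evaluated), 'ok' or 'denied'."""
        st = self._state(user)
        if self.is_locked(user):
            return "locked"  # a correct password does not help while locked
        if credential_ok:
            st.consecutive_failures = 0
            return "ok"
        st.consecutive_failures += 1
        if st.consecutive_failures >= self.max_attempts and user not in self.exempt:
            if self.tier is LockoutTier.H_ADVANCED:
                st.admin_locked = True
            else:
                st.locked_until = self.clock() + self.lockout_seconds
        return "denied"

    def admin_unlock(self, user: str) -> None:
        """An administrator removes the restriction (the H-Advanced release path)."""
        self.accounts[user] = AccountState()


class FakeClock:
    """Constructed clock for the demo; a real deployment would pass time.monotonic."""

    def __init__(self) -> None:
        self.now = 0.0

    def __call__(self) -> float:
        return self.now

    def advance(self, seconds: float) -> None:
        self.now += seconds


def demo(tier: LockoutTier) -> List[str]:
    """Three failures, a correct login while locked, time passing, then a retry."""
    clock = FakeClock()
    limiter = LoginLimiter(tier, max_attempts=3, lockout_seconds=300, clock=clock)
    results = [limiter.attempt("operator", False) for _ in range(3)]
    results.append(limiter.attempt("operator", True))   # locked in both tiers
    clock.advance(301)                                   # past the Advanced interval
    results.append(limiter.attempt("operator", True))   # Advanced: ok; H-Advanced: locked
    if tier is LockoutTier.H_ADVANCED:
        limiter.admin_unlock("operator")
        results.append(limiter.attempt("operator", True))  # ok only after admin action
    return results


if __name__ == "__main__":
    for t in LockoutTier:
        print(t.name, demo(t))
```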
A.9.4.3 Password management system: Password management systems shall be interactive and shall ensure quality passwords.

  CPS.AC-9  Authenticate and authorize logical accesses to system components by IoT devices and users according to the transaction risks (personal security, privacy risks, and other organizational risks).
    H‐Advanced
    ‐ The information system and the industrial control system require authentication using a public key infrastructure (PKI), especially for login to a system that handles highly confidential data.
      * When performing authentication using PKI in an industrial control system, ensure that the resulting processing wait time does not degrade system performance.
    ‐ The information system and the industrial control system lay down conditions that require disconnection of a session and implement a function that automatically terminates a user's session when those conditions are met.
    [Reference] For the strength of authentication schemes and appropriate use cases, it is advisable to refer to NIST SP 800‐63‐3.
    Advanced
    ‐ The organization checks the user's identity and authenticates using a mechanism whose strength is sufficient for the risk of the transaction (security‐related risks for the user, privacy risks, etc.).
    ‐ The information system displays a notification message on the risk of the transaction (security‐related risks for the user, privacy risks, etc.) when a user logs into the system.
    ‐ The information system and the industrial control system do not display authentication information as feedback during the authentication process.
    ‐ The organization sets an expiration date for credentials and checks that passwords past their expiration date are not used.
A.9.4.4 Use of privileged utility programs: The use of utility programs that might be capable of overriding system and application controls shall be restricted and tightly controlled.

  CPS.AC-5  Segregate duties and areas of responsibility properly (e.g. segregate user functions from system administrator functions).
    H‐Advanced
    ‐ The organization specifies the administrators who use the security functions (e.g., access authority setting) and regulates the privileged accounts in its system.
    ‐ The information system adopts a monitoring mechanism to check the use of privileged functions.
    ‐ The information system prohibits non‐privileged users from executing privileged functions, including disabling, circumventing, or altering the security measures implemented on the system.
    ‐ The organization is able, in an emergency, to minimize the number of users who can exercise system administrator authority, so as to limit the damage caused by a security incident.
    ‐ The organization is able to prevent even system administrators from stopping critical services and protected processes on the server, so as to limit the damage caused by security incidents.
    Advanced
    ‐ The organization implements access control in the information system and the industrial control system based on separation of duties (e.g., user / system administrator).
    ‐ The organization adopts a general rule on the minimum authority for specific duties.
      ‐ Segregate the authority of general users from that of administrators. (Require users to use the system with a non‐privileged account when using a non‐security function.)
      ‐ Minimize authority for duties the user is not in charge of.
    ‐ The organization separates and stipulates the duties assigned by the person in charge.

  CPS.AC-6  Adopt high confidence methods of authentication where appropriate based on risk (e.g. multi-factor authentication, combining more than two types of authentication) when logging in to the system over the network for the privileged user.
    H‐Advanced
    ‐ The information system requires multifactor authentication for access to the system or network with non‐privileged accounts.
    ‐ For an information system that handles highly confidential data, access to the system and network with privileged or non‐privileged accounts uses an authentication mechanism that is resistant to replay attacks.
    [Reference] It is desirable to refer to NIST SP 800‐63‐3 regarding the strength of authentication methods and appropriate use cases.
    Advanced
    ‐ In consideration of the risk of unauthorized login to the privileged account, the organization in principle prohibits login to the privileged account via the network when sufficiently strong authentication methods cannot be implemented.
    ‐ The information system requires multifactor authentication for access to the system or network with privileged accounts when measures such as disabling the system's administrator account cannot be implemented.
    ‐ In principle, the organization disables the default administrator account in the information system.
    ‐ The information system grants the user account only the minimum privileged authority necessary when performing privileged operations.
A.9.4.5 Access control to program source code: Access to program source code shall be restricted.

  CPS.AC-9  Authenticate and authorize logical accesses to system components by IoT devices and users according to the transaction risks (personal security, privacy risks, and other organizational risks).
    H‐Advanced
    ‐ The information system and the industrial control system require authentication using a public key infrastructure (PKI), especially for login to a system that handles highly confidential data.
      * When performing authentication using PKI in an industrial control system, ensure that the resulting processing wait time does not degrade system performance.
    ‐ The information system and the industrial control system lay down conditions that require disconnection of a session and implement a function that automatically terminates a user's session when those conditions are met.
    [Reference] For the strength of authentication schemes and appropriate use cases, it is advisable to refer to NIST SP 800‐63‐3.
    Advanced
    ‐ The organization checks the user's identity and authenticates using a mechanism whose strength is sufficient for the risk of the transaction (security‐related risks for the user, privacy risks, etc.).
    ‐ The information system displays a notification message on the risk of the transaction (security‐related risks for the user, privacy risks, etc.) when a user logs into the system.
    ‐ The information system and the industrial control system do not display authentication information as feedback during the authentication process.
    ‐ The organization sets an expiration date for credentials and checks that passwords past their expiration date are not used.
A.10 Cryptography
A.10.1 Cryptographic controls
A.10.1.1 Policy on the use of cryptographic controls: A policy on the use of cryptographic controls for protection of information shall be developed and implemented.

  CPS.DS-2  Encrypt information with an appropriate level of security strength, and store it.
    H‐Advanced
    ‐ The organization selects products validated under the Cryptographic Module Validation Program (CMVP) in order to implement the selected algorithms suitably in software and hardware, and to protect the keys, identification codes, and entity authentication information used to decrypt encrypted information or to generate electronic signatures.
    ‐ The organization protects or encrypts data to the appropriate strength when that data is taken outside of the organization.
    ‐ The organization uses IoT devices that can encrypt and store data in internal memory.
    Advanced
    ‐ The organization examines the safety and trustworthiness that are necessary, selects an algorithm, encrypts information (data) to the appropriate strength, and stores the information. If an algorithm on the CRYPTREC Ciphers List can be selected, the organization uses it to encrypt information (data) to the appropriate strength and stores the information.
    ‐ The organization considers the level of security and trustworthiness required for the information, chooses an algorithm, and encrypts and stores high‐importance information handled by industrial control systems with appropriate strength, without causing an unacceptable impact on performance.
    [Reference] Regarding encryption technologies whose security and implementation performance are confirmed, the Cryptography Research and Evaluation Committees (CRYPTREC) publish a list of technologies recommended for use that are sufficiently used in the market or are expected to spread in the future. It is desirable that the organization refer to the list as needed when procuring systems that must implement encryption functions.

  CPS.DS-3  Encrypt the communication channel when communicating between IoT devices and servers or in cyberspace.
    H‐Advanced
    ‐ The organization protects the networks composing the information system and the industrial control system that handle important data by encrypting the communication channels or by alternative physical measures.
    Advanced
    ‐ The information system employs a cryptographic mechanism and encrypts communication paths.
    [Reference] For encryption of communication paths, there are several methods such as IP‐VPN, IPsec‐VPN and SSL VPN. It is desirable that the organization select the method considering the importance of the data transmitted over the communication paths, the budget, and so on.

  CPS.DS-4  Encrypt information itself when sending/receiving information.
    H‐Advanced
    ‐ The system or IoT device introduces a cryptographic module that can be implemented even with few resources without losing availability, and it is desirable to encrypt the communication data from devices of high importance at an appropriate strength.
    ‐ The information system encrypts all data transmitted outside the organization with appropriate strength, regardless of whether the data is of high or low importance.
    Advanced
    ‐ The organization encrypts information with appropriate strength when transmitting highly confidential information to an external organization or the like.

A.10.1.2 Key management: A policy on the use, protection and lifetime of cryptographic keys shall be developed and implemented through their whole lifecycle.

  CPS.DS-5  Securely control encryption keys throughout their life cycle to ensure proper operation and securely transmitted, received and stored data.
    H‐Advanced
    ‐ If the user loses the key, the organization maintains the availability of the information by reissuing the key or the like.
    ‐ It is desirable to consider the authenticity of the public key as well as to securely control the secret key and the private key. This authentication is carried out using a public key certificate, normally issued by a certificate authority. It is desirable that the certificate authority be a recognized organization that implements appropriate measures and procedures to provide the required reliability.
    Advanced
    ‐ It is desirable that the organization set out a policy and procedure regarding the following items so that it can take immediate and appropriate measures when the private key is compromised.
      ‐ A structure for taking measures against compromise of the private key (including the stakeholders, roles, and cooperation with contractors)
      ‐ Criteria for judging whether the private key is compromised or in danger of compromise
      ‐ Investigation of the cause of the compromise and an attempt to remove it
      ‐ Suspension of the services that use the key
      ‐ Creation of a new key pair and issuance of a certificate for the new key
      ‐ Disclosure of information regarding the compromise of the private key (parties to be notified, method of notification, disclosure policy, etc.)
    [Reference] It is desirable to refer to the ISO/IEC 11770 series of standards, NIST SP 800‐57 Part 1 Rev.4, and so on for the details of key management.
    Basic
    ‐ It is desirable that the organization protect all encryption keys from modification and loss.

  CPS.DS-8  When handling information to be protected or procuring devices that have an important function to the organization, select IoT devices and servers equipped with anti-tampering devices.
    H‐Advanced
    ‐ When handling information that shall be protected or when procuring devices that have a function important to the organization, the organization procures devices that use anti‐tampering devices.
    ‐ When storing the encryption keys for the cryptographic mechanism used in the information system and the industrial control system, the organization uses anti‐tampering devices.
A.11 Physical and environmental security
A.11.1 Secure areas
A.11.1.1 Physical security perimeter: Security perimeters shall be defined and used to protect areas that contain either sensitive or critical information and information processing facilities.

  CPS.AC-2  Implement appropriate physical security measures such as locking and limiting access to the areas where the IoT devices and servers are installed, using entrance and exit controls, biometric authentication, deploying surveillance cameras, and inspecting belongings and body weight.
    H‐Advanced
    ‐ The organization controls physical access to the service wires and transmission paths related to its IoT devices and servers.
    ‐ The organization controls physical access to the output devices of its system.
    ‐ The organization monitors alarms and monitoring devices (e.g., surveillance cameras) for physical intrusions into the areas within the physical security boundaries.
    Advanced
    ‐ The organization monitors physical access to the areas within the physical security boundaries and regularly reviews the audit log.
    ‐ The organization keeps records of visitors' access to the areas within the physical security boundaries and regularly reviews them.

  CPS.CM-2  Perform setting, recording, and monitoring of proper physical access, considering the importance of IoT devices and servers.
    H‐Advanced
    ‐ The organization tracks and monitors the locations and relocation of important assets within the scope of its management of particularly important assets.
    Advanced
    ‐ The organization reviews the relevant audit log regularly, or when an incident or a sign of an incident appears, if a physical access log from access control is available but 24‐hour monitoring through security cameras or other means is not conducted.
    ‐ A person in charge accompanies a visitor into areas where the organization's assets that must be protected are directly accessible (e.g., an office) in order to monitor the visitor's behavior.
    ‐ The organization monitors, through security cameras or by other means, physical access to the facilities that are vital for its operations and house IoT devices and servers, enabling early detection of physical security incidents and immediate action.
    ‐ If the above physical security measures are difficult to implement for IoT devices and servers that are critical to the organization's operation, for example because they are in a remote location, consider using tamper‐resistant equipment (CPS.DS‐6) or other appropriate measures that enhance the physical security properties of the equipment itself.
    ‐ If the organization is unable to control access to, or provide video surveillance of, the areas that should allow only limited physical access, because of cost or other reasons, it takes alternative manual measures, such as having the employee in charge accompany visitors on the premises.
    Basic
    ‐ The organization implements physical security measures to control access to designated areas in the facility that the general public is not allowed to access.
    ‐ The organization verifies the access authority of personnel before permitting physical access, and collects and manages the records of entry and exit.
A.11.1.2 Physical entry controls: Secure areas shall be protected by appropriate entry controls to ensure that only authorized personnel are allowed access.

  CPS.AC-2  Implement appropriate physical security measures such as locking and limiting access to the areas where the IoT devices and servers are installed, using entrance and exit controls, biometric authentication, deploying surveillance cameras, and inspecting belongings and body weight.
    H‐Advanced
    ‐ The organization controls physical access to the service wires and transmission paths related to its IoT devices and servers.
    ‐ The organization controls physical access to the output devices of its system.
    ‐ The organization monitors alarms and monitoring devices (e.g., surveillance cameras) for physical intrusions into the areas within the physical security boundaries.
    Advanced
    ‐ The organization monitors physical access to the areas within the physical security boundaries and regularly reviews the audit log.
    ‐ The organization keeps records of visitors' access to the areas within the physical security boundaries and regularly reviews them.
    ‐ The organization maintains the access list for the areas where its IoT devices and servers are located and issues the permission certificates necessary for access.
    Basic
    ‐ The organization defines physical security boundaries at its facilities, and implements access control according to the security requirements of the assets placed within the boundaries and the results of risk assessment.
    ‐ The organization monitors the work of temporarily authorized parties within the physical security boundaries, such as by authorized attendants or monitoring cameras.

  CPS.CM-2  Perform setting, recording, and monitoring of proper physical access, considering the importance of IoT devices and servers.
    H‐Advanced
    ‐ The organization tracks and monitors the locations and relocation of important assets within the scope of its management of particularly important assets.
    Advanced
    ‐ The organization reviews the relevant audit log regularly, or when an incident or a sign of an incident appears, if a physical access log from access control is available but 24‐hour monitoring through security cameras or other means is not conducted.
    ‐ A person in charge accompanies a visitor into areas where the organization's assets that must be protected are directly accessible (e.g., an office) in order to monitor the visitor's behavior.
    ‐ The organization monitors, through security cameras or by other means, physical access to the facilities that are vital for its operations and house IoT devices and servers, enabling early detection of physical security incidents and immediate action.
    ‐ If the above physical security measures are difficult to implement for IoT devices and servers that are critical to the organization's operation, for example because they are in a remote location, consider using tamper‐resistant equipment (CPS.DS‐6) or other appropriate measures that enhance the physical security properties of the equipment itself.
    ‐ If the organization is unable to control access to, or provide video surveillance of, the areas that should allow only limited physical access, because of cost or other reasons, it takes alternative manual measures, such as having the employee in charge accompany visitors on the premises.
    Basic
    ‐ The organization implements physical security measures to control access to designated areas in the facility that the general public is not allowed to access.
    ‐ The organization verifies the access authority of personnel before permitting physical access, and collects and manages the records of entry and exit.
A.11.1.3 Securing offices, rooms and facilities: Physical security for offices, rooms and facilities shall be designed and applied.

  CPS.AC-2  Implement appropriate physical security measures such as locking and limiting access to the areas where the IoT devices and servers are installed, using entrance and exit controls, biometric authentication, deploying surveillance cameras, and inspecting belongings and body weight.
    H‐Advanced
    ‐ The organization controls physical access to the service wires and transmission paths related to its IoT devices and servers.
    ‐ The organization controls physical access to the output devices of its system.
    ‐ The organization monitors alarms and monitoring devices (e.g., surveillance cameras) for physical intrusions into the areas within the physical security boundaries.
    Advanced
    ‐ The organization monitors physical access to the areas within the physical security boundaries and regularly reviews the audit log.
    ‐ The organization keeps records of visitors' access to the areas within the physical security boundaries and regularly reviews them.
    ‐ The organization maintains the access list for the areas where its IoT devices and servers are located and issues the permission certificates necessary for access.
    Basic
    ‐ The organization defines physical security boundaries at its facilities, and implements access control according to the security requirements of the assets placed within the boundaries and the results of risk assessment.
    ‐ The organization monitors the work of temporarily authorized parties within the physical security boundaries, such as by authorized attendants or monitoring cameras.

  CPS.CM-2  Perform setting, recording, and monitoring of proper physical access, considering the importance of IoT devices and servers.
    H‐Advanced
    ‐ The organization tracks and monitors the locations and relocation of important assets within the scope of its management of particularly important assets.
    Advanced
    ‐ The organization reviews the relevant audit log regularly, or when an incident or a sign of an incident appears, if a physical access log from access control is available but 24‐hour monitoring through security cameras or other means is not conducted.
    ‐ A person in charge accompanies a visitor into areas where the organization's assets that must be protected are directly accessible (e.g., an office) in order to monitor the visitor's behavior.
    ‐ The organization monitors, through security cameras or by other means, physical access to the facilities that are vital for its operations and house IoT devices and servers, enabling early detection of physical security incidents and immediate action.
    ‐ If the above physical security measures are difficult to implement for IoT devices and servers that are critical to the organization's operation, for example because they are in a remote location, consider using tamper‐resistant equipment (CPS.DS‐6) or other appropriate measures that enhance the physical security properties of the equipment itself.
    ‐ If the organization is unable to control access to, or provide video surveillance of, the areas that should allow only limited physical access, because of cost or other reasons, it takes alternative manual measures, such as having the employee in charge accompany visitors on the premises.
    Basic
    ‐ The organization implements physical security measures to control access to designated areas in the facility that the general public is not allowed to access.
    ‐ The organization verifies the access authority of personnel before permitting physical access, and collects and manages the records of entry and exit.
A.11.1.4 Protecting against external and environmental threats
ISO/IEC 27001 control: Physical protection against natural disasters, malicious attack or accidents shall be designed and applied.

CPS.AC-2: Implement appropriate physical security measures such as locking and limiting access to the areas where the IoT devices and servers are installed, using entrance and exit controls, biometric authentication, deploying surveillance cameras, and inspecting belongings and body weight.
  H-Advanced
  - The organization restricts physical access to the service wires and transmission paths related to its IoT devices and servers.
  - The organization restricts physical access to the output devices of its system.
  - The organization monitors alarms and monitoring devices (e.g., surveillance cameras) for physical intrusions into the areas within the physical security boundaries.

CPS.IP-5: Implement physical measures such as preparing an uninterruptible power supply, a fire protection facility, and protection from water infiltration, to follow the policies and rules related to the physical operating environment, including the IoT devices and servers installed in the organization.
  H-Advanced
  - The organization adopts an automatic fire suppression system if a staff member is not stationed full time at the facility where its system is located.
  Advanced
  - The organization maintains the machine safety of equipment located within the area of its IoT devices and servers by using an uninterruptible power supply.
  - The organization adopts and maintains fire detection and extinguishing equipment and systems that run on an independent power supply.
  - The organization has shut-off valves or isolation valves to protect the areas housing its IoT devices and servers from damage such as water leakage.
  Basic
  - The organization adopts a system that keeps the temperature and humidity of the area housing its IoT devices and servers within the acceptable range.
  - The organization regularly monitors the temperature and humidity of the area housing its IoT devices and servers.
A.11.1.5 Working in secure areas
ISO/IEC 27001 control: Procedures for working in secure areas shall be designed and applied.

CPS.AC-2: Implement appropriate physical security measures such as locking and limiting access to the areas where the IoT devices and servers are installed, using entrance and exit controls, biometric authentication, deploying surveillance cameras, and inspecting belongings and body weight.
  H-Advanced
  - The organization restricts physical access to the service wires and transmission paths related to its IoT devices and servers.
  - The organization restricts physical access to the output devices of its system.
  - The organization monitors alarms and monitoring devices (e.g., surveillance cameras) for physical intrusions into the areas within the physical security boundaries.
  Advanced
  - The organization monitors physical access to the areas within the physical security boundaries and regularly reviews the audit log.
  - The organization keeps records of visitors' access to the areas within the physical security boundaries and regularly reviews them.

Appendix D.3 - Mapping ISO/IEC 27001 to CPSF
Table columns: ISO/IEC 27001:2013 Annex A security control (ID and control text); Cyber/Physical Security Framework measure requirement (ID and text) with examples of security measures, listed by level (H-Advanced, Advanced, Basic).
A.11.1.6 Delivery and loading areas
ISO/IEC 27001 control: Access points such as delivery and loading areas and other points where unauthorized persons could enter the premises shall be controlled and, if possible, isolated from information processing facilities to avoid unauthorized access.

CPS.AC-2: Implement appropriate physical security measures such as locking and limiting access to the areas where the IoT devices and servers are installed, using entrance and exit controls, biometric authentication, deploying surveillance cameras, and inspecting belongings and body weight.
  H-Advanced
  - The organization restricts physical access to the service wires and transmission paths related to its IoT devices and servers.
  - The organization restricts physical access to the output devices of its system.
  - The organization monitors alarms and monitoring devices (e.g., surveillance cameras) for physical intrusions into the areas within the physical security boundaries.
  Advanced
  - The organization monitors physical access to the areas within the physical security boundaries and regularly reviews the audit log.
  - The organization keeps records of visitors' access to the areas within the physical security boundaries and regularly reviews them.
  - The organization maintains the access list for the areas where its IoT devices and servers are located and issues the permission certificates necessary for access.
  Basic
  - The organization defines physical security boundaries at its facilities and implements access control according to the security requirements of the assets placed within the boundaries and the results of risk assessment.
  - The organization monitors the work of temporarily authorized parties within the physical security boundaries, for example by authorized attendants or monitoring cameras.
A.11.2 Equipment

A.11.2.1 Equipment siting and protection
ISO/IEC 27001 control: Equipment shall be sited and protected to reduce the risks from environmental threats and hazards, and opportunities for unauthorized access.

CPS.IP-5: Implement physical measures such as preparing an uninterruptible power supply, a fire protection facility, and protection from water infiltration, to follow the policies and rules related to the physical operating environment, including the IoT devices and servers installed in the organization.
  H-Advanced
  - The organization adopts an automatic fire suppression system if a staff member is not stationed full time at the facility where its system is located.
  Advanced
  - The organization maintains the machine safety of equipment located within the area of its IoT devices and servers by using an uninterruptible power supply.
  - The organization adopts and maintains fire detection and extinguishing equipment and systems that run on an independent power supply.
  - The organization has shut-off valves or isolation valves to protect the areas housing its IoT devices and servers from damage such as water leakage.
  Basic
  - The organization adopts a system that keeps the temperature and humidity of the area housing its IoT devices and servers within the acceptable range.
  - The organization regularly monitors the temperature and humidity of the area housing its IoT devices and servers.
A.11.2.2 Supporting utilities
ISO/IEC 27001 control: Equipment shall be protected from power failures and other disruptions caused by failures in supporting utilities.

CPS.BE-3: Identify the dependency between the organization and other relevant parties and the important functions of each in the course of running the operation.
  H-Advanced
  - The organization identifies the functions of the following supporting utilities for the continuation of its business and the dependencies between them:
    - Communication services
    - Electrical power equipment (including power cables)
  - Among the utilities identified above, for those that play important roles in the continuation of its business, the organization examines the possibility of taking the following measures:
    - Establishing alternative communication services
    - Physically protecting electrical power equipment and power cables
    - Preparing short-term standby power supply equipment
  - When examining the possibility of using an alternative communication service, the organization considers the following:
    - Identify the organization's availability requirements (including the target recovery time) when examining a contract with a communication service provider.
    - Reduce the possibility of sharing a single point of failure with the primary communication service.

CPS.DS-7: Carry out periodic quality checks, prepare standby devices and uninterruptible power supplies, provide redundancy, detect failures, conduct replacement work, and update software for IoT devices, communication devices, circuits, etc.
  Advanced
  - The organization prepares a short-term uninterruptible power supply that supports switching the information system to an alternative power source usable for a long period when the primary power source is lost.
  - To ensure that the required performance of the information system and the industrial control system is satisfied, the use of resources is monitored and adjusted, and the storage capacity and performance required in the future are estimated in advance.
  Basic
  - The organization protects devices from power outages and other failures attributable to malfunctions in the supporting utilities.
  - The organization protects communication cables and power cables that transmit data or support information services from interception, interference, and damage.
  - The organization properly maintains devices to ensure continuous availability and integrity.

CPS.IP-5: Implement physical measures such as preparing an uninterruptible power supply, a fire protection facility, and protection from water infiltration, to follow the policies and rules related to the physical operating environment, including the IoT devices and servers installed in the organization.
  H-Advanced
  - The organization adopts an automatic fire suppression system if a staff member is not stationed full time at the facility where its system is located.
  Advanced
  - The organization maintains the machine safety of equipment located within the area of its IoT devices and servers by using an uninterruptible power supply.
  - The organization adopts and maintains fire detection and extinguishing equipment and systems that run on an independent power supply.
  - The organization has shut-off valves or isolation valves to protect the areas housing its IoT devices and servers from damage such as water leakage.
  Basic
  - The organization adopts a system that keeps the temperature and humidity of the area housing its IoT devices and servers within the acceptable range.
  - The organization regularly monitors the temperature and humidity of the area housing its IoT devices and servers.
A.11.2.3 Cabling security
ISO/IEC 27001 control: Power and telecommunications cabling carrying data or supporting information services shall be protected from interception, interference or damage.

CPS.AC-2: Implement appropriate physical security measures such as locking and limiting access to the areas where the IoT devices and servers are installed, using entrance and exit controls, biometric authentication, deploying surveillance cameras, and inspecting belongings and body weight.
  H-Advanced
  - The organization restricts physical access to the service wires and transmission paths related to its IoT devices and servers.
  - The organization restricts physical access to the output devices of its system.
  - The organization monitors alarms and monitoring devices (e.g., surveillance cameras) for physical intrusions into the areas within the physical security boundaries.

CPS.DS-7: Carry out periodic quality checks, prepare standby devices and uninterruptible power supplies, provide redundancy, detect failures, conduct replacement work, and update software for IoT devices, communication devices, circuits, etc.
  Advanced
  - The organization prepares a short-term uninterruptible power supply that supports switching the information system to an alternative power source usable for a long period when the primary power source is lost.
  - To ensure that the required performance of the information system and the industrial control system is satisfied, the use of resources is monitored and adjusted, and the storage capacity and performance required in the future are estimated in advance.
  Basic
  - The organization protects devices from power outages and other failures attributable to malfunctions in the supporting utilities.
  - The organization protects communication cables and power cables that transmit data or support information services from interception, interference, and damage.
  - The organization properly maintains devices to ensure continuous availability and integrity.
A.11.2.4 Equipment maintenance
ISO/IEC 27001 control: Equipment shall be correctly maintained to ensure its continued availability and integrity.

CPS.DS-7: Carry out periodic quality checks, prepare standby devices and uninterruptible power supplies, provide redundancy, detect failures, conduct replacement work, and update software for IoT devices, communication devices, circuits, etc.
  Advanced
  - The organization prepares a short-term uninterruptible power supply that supports switching the information system to an alternative power source usable for a long period when the primary power source is lost.
  - To ensure that the required performance of the information system and the industrial control system is satisfied, the use of resources is monitored and adjusted, and the storage capacity and performance required in the future are estimated in advance.
  Basic
  - The organization protects devices from power outages and other failures attributable to malfunctions in the supporting utilities.
  - The organization protects communication cables and power cables that transmit data or support information services from interception, interference, and damage.
  - The organization properly maintains devices to ensure continuous availability and integrity.

CPS.MA-1: Decide the method of conducting important security updates and the like on IoT devices and servers, then apply those security updates with managed tools, properly and in a timely manner, while recording the history. Introduce IoT devices that have a remote update mechanism able to perform a mass update of different software programs (OS, driver, and application) through remote commands, where applicable.
  H-Advanced
  - The organization gives prior approval for the use of the devices and tools needed for maintenance work such as updating its IoT devices and servers, and monitors their use.
  - The organization inspects the maintenance devices and tools brought in by the staff members who update its IoT devices and servers, to make sure that no inappropriate or unauthorized changes will be made.
  - The organization inspects the media used for maintenance work such as updating its IoT devices and servers, to make sure that the media contain no malicious code before they are used.
  - The organization introduces IoT devices designed to remotely update different software programs (OS, driver, application) at the same time.
  Advanced
  - The organization plans maintenance work such as updating its IoT devices and servers, implements the plan, checks the work done, and documents the entire maintenance.
  - The organization gives prior approval for maintenance work such as updating its IoT devices and servers, and monitors the work.
  - The organization gives prior approval for taking equipment off its premises for any maintenance work performed elsewhere, such as updating its IoT devices and servers, and takes the necessary actions beforehand, such as deleting relevant saved data.
  - After maintenance work such as updating its IoT devices and servers is complete, the organization checks all security measures that may have been affected by the work, to make sure that the relevant equipment works correctly.
  - The organization keeps records of maintenance work done, such as updating its IoT devices and servers.
  - The organization establishes a process for authorizing maintenance staff, so that the list of authorized maintenance organizations and staff members is kept up to date.

CPS.MA-2: Conduct remote maintenance of the IoT devices and servers while granting approvals and recording logs so that unauthorized access can be prevented.
  Advanced
  - The organization documents the policy and procedure for establishing and operating a connection designed for remote maintenance, and implements the connection in accordance with them.
  - The organization requires the authentication it specifies for network access when remote maintenance is carried out, and ensures that the session and network connection are terminated when the remote maintenance is complete.
  Basic
  - The organization develops and agrees on an implementation plan for remote maintenance before carrying it out, and checks the results of the maintenance done.
  - The organization keeps records of remote maintenance done.
A.11.2.5 Removal of assets
ISO/IEC 27001 control: Equipment, information or software shall not be taken off-site without prior authorization.

CPS.AM-1: Document and appropriately manage the list of hardware and software, and the management information (e.g., name of asset, version, network address, name of asset manager, license information) of the components in the system.
  Advanced
  - Maintain and manage lists including the configuration information of assets (e.g., names, version information, license information, and location) by reviewing and updating them periodically.
  - The organization makes a list of the removable media (e.g., USB memory sticks) that may be used on system components (information system or industrial control system), and manages their use.
  - The organization uses only removable media (e.g., USB memory) permitted in the organization. If a portable storage device has no identifiable owner, the organization prohibits its use.
  - The organization controls access to media that contain highly confidential data, and properly tracks and manages the use of media taken outside the controlled areas.

CPS.CM-2: Perform setting, recording, and monitoring of proper physical access, considering the importance of IoT devices and servers.
  H-Advanced
  - The organization tracks and monitors the locations and relocation of important assets within the scope of its management of particularly important assets.
A.11.2.6 Security of equipment and assets off-premises
ISO/IEC 27001 control: Security shall be applied to off-site assets taking into account the different risks of working outside the organization's premises.

CPS.CM-2: Perform setting, recording, and monitoring of proper physical access, considering the importance of IoT devices and servers.
  Advanced
  - Where a physical access log from access control is available but 24-hour monitoring is not conducted through security cameras or by other means, the organization reviews the relevant audit log regularly and whenever an incident or a sign of an incident appears.
  - A person in charge accompanies a visitor into any area where the organization's assets that must be protected are directly accessible (e.g., an office) in order to monitor the visitor's behavior.
  - The organization monitors, through security cameras or by other means, physical access to the facilities that are vital for its operations and house IoT devices and servers, enabling early detection of any physical security incident and immediate action.
  - If the above physical security measures are difficult to implement for IoT devices and servers that are critical to the organization's operation because they are in a remote location or for any other reason, the organization considers using tamper-resistant equipment (CPS.DS-6) or taking other appropriate measures to enhance the physical security properties of the equipment itself.
A.11.2.7 Secure disposal or reuse of equipment
ISO/IEC 27001 control: All items of equipment containing storage media shall be verified to ensure that any sensitive data and licensed software has been removed or securely overwritten prior to disposal or re-use.

CPS.IP-6: When disposing of an IoT device or server, delete the stored data, the ID (identifier) uniquely identifying the genuine IoT device or server, and important information (e.g., private key and digital certificate), or make them unreadable.
  H-Advanced
  - The organization defines classifications, including security categories, for the data saved in an IoT device or server to be scrapped, and introduces a mechanism that applies the proper technique for deleting the data, with the strength and integrity needed, or for making the data unreadable, according to that definition.
  Advanced
  - The organization establishes a procedure for scrapping its equipment, including IoT devices and servers; deletes the data saved in the equipment or makes it unreadable in accordance with the procedure; and verifies that the action has been completed successfully.
  Basic
  - The organization deletes the data saved in its IoT devices or servers to be scrapped, or makes the data unreadable.

A.11.2.8 Unattended user equipment
ISO/IEC 27001 control: Users shall ensure that unattended equipment has appropriate protection.

CPS.AC-2: Implement appropriate physical security measures such as locking and limiting access to the areas where the IoT devices and servers are installed, using entrance and exit controls, biometric authentication, deploying surveillance cameras, and inspecting belongings and body weight.
  H-Advanced
  - The organization restricts physical access to the service wires and transmission paths related to its IoT devices and servers.
  - The organization restricts physical access to the output devices of its system.
  - The organization monitors alarms and monitoring devices (e.g., surveillance cameras) for physical intrusions into the areas within the physical security boundaries.
  Advanced
  - The organization monitors physical access to the areas within the physical security boundaries and regularly reviews the audit log.
  - The organization keeps records of visitors' access to the areas within the physical security boundaries and regularly reviews them.
  - The organization maintains the access list for the areas where its IoT devices and servers are located and issues the permission certificates necessary for access.
  Basic
  - The organization defines physical security boundaries at its facilities and implements access control according to the security requirements of the assets placed within the boundaries and the results of risk assessment.
  - The organization monitors the work of temporarily authorized parties within the physical security boundaries, for example by authorized attendants or monitoring cameras.

A.11.2.9 Clear desk and clear screen policy
ISO/IEC 27001 control: A clear desk policy for papers and removable storage media and a clear screen policy for information processing facilities shall be adopted.

CPS.AC-2: Implement appropriate physical security measures such as locking and limiting access to the areas where the IoT devices and servers are installed, using entrance and exit controls, biometric authentication, deploying surveillance cameras, and inspecting belongings and body weight.
  H-Advanced
  - The organization restricts physical access to the service wires and transmission paths related to its IoT devices and servers.
  - The organization restricts physical access to the output devices of its system.
  - The organization monitors alarms and monitoring devices (e.g., surveillance cameras) for physical intrusions into the areas within the physical security boundaries.
  Advanced
  - The organization monitors physical access to the areas within the physical security boundaries and regularly reviews the audit log.
  - The organization keeps records of visitors' access to the areas within the physical security boundaries and regularly reviews them.
  - The organization maintains the access list for the areas where its IoT devices and servers are located and issues the permission certificates necessary for access.
  Basic
  - The organization defines physical security boundaries at its facilities and implements access control according to the security requirements of the assets placed within the boundaries and the results of risk assessment.
  - The organization monitors the work of temporarily authorized parties within the physical security boundaries, for example by authorized attendants or monitoring cameras.
A.12 Operations security

A.12.1 Operational procedures and responsibilities

A.12.1.1 Documented operating procedures
ISO/IEC 27001 control: Operating procedures shall be documented and made available to all users who need them.

CPS.GV-1: Develop security policies, define roles and responsibilities for security across the organization and other relevant parties, and clarify the information-sharing method among stakeholders.
  H-Advanced
  - While sharing the basic policy with the operations of a conventional IT environment, the organization formulates security policies and operational procedures that fully consider the characteristics of the site on which an IoT device is installed.
    [Reference] For example, IEC 62443-2-1, a security management standard for industrial automation and control systems (IACS), requires the formulation of higher-level cyber security policies for an IACS environment.
  Advanced
  - The organization formulates a series of lower-level security policies, such as the policies and implementation procedures for the following individual topics, to support the higher-level policies:
    a) Access control and authentication
    b) Physical security measures
    c) System development and maintenance
    d) Management of external contractors
    e) Classification and handling of information
  - The organization formulates its security policies with full consideration of a) its business strategies, b) the related rules, laws, regulations, and contracts, and c) the threat environment, so that they reflect the organization's actual situation.
  - The organization reviews and updates its security plan according to changes in a) its business strategies, b) the related rules, laws, regulations, and contracts, and c) the threat environment.
    [Reference] To formulate policy at a more detailed level, refer to related standards such as ISO/IEC 27002 to identify the fields that require a policy, and consult more detailed guidelines.
A.12.1.2 Change management
ISO/IEC 27001 control: Changes to the organization, business processes, information processing facilities and systems that affect information security shall be controlled.

CPS.IP-1: Introduce and implement a process to manage the initial setting procedure (e.g., password) and the setting change procedure for IoT devices and servers.
  H-Advanced
  - Before making changes to IoT devices and servers that are subject to configuration management, the organization tests and approves the changes and documents them.
  - The organization uses an automated mechanism to manage, apply, and confirm the settings of its IoT devices and servers from a single location.
  - The organization integrates security change management procedures, particularly for industrial control systems, into its existing process safety management procedures.
  Advanced
  - When changes are made to IoT devices and servers that are subject to configuration management, the organization analyzes the impact of the change on security, decides whether the change may be made, and documents the procedure.
  - The organization limits the personnel who can make changes to approved IoT devices and servers (restricted access).
  - The organization makes changes to approved IoT devices and servers, and implements, records, and monitors those changes.
  - The organization uses a secure recovery method (e.g., entering a security code known only to the user before the change is implemented) when a user forgets the password of an account, IoT device, or server.
  - The organization regularly reviews its policies and procedures for operation and change management to ensure that changes do not adversely affect the availability or safety of the information system and the industrial control system.
  Basic
  - Having determined the most restrictive setting criteria that conform to its operation, the organization documents the initial setting procedures and setting details for the IoT devices and servers to be introduced, and adjusts the settings according to that document.
  - The organization checks the initial setting values of IoT devices before installing them, and adjusts the settings appropriately if they do not comply with the policy stipulated in CPS.AC-1.
  - The organization checks and records the software installed in IoT devices before introducing them.
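The three Basic items above describe a concrete pre-installation check: document the most restrictive baseline, compare a device's factory settings against it, correct what does not comply, and record the installed software. The following Python script is an added example that is not part of the CPSF text or of any referenced standard; the baseline values, the device record, the credential list and the checks themselves are assumptions constructed for illustration (a real baseline carries the organization's own CPS.AC-1 criteria).

```python
"""Added example (not from the CPSF): checking an IoT device's initial settings
against a documented baseline before installation and recording its software,
as the CPS.IP-1 Basic items describe. Baseline, device record and checks are
constructed assumptions; a real baseline carries the organization's CPS.AC-1 criteria."""
import hashlib
import json
from copy import deepcopy

# Assumed "most restrictive setting criteria" for one class of devices.
BASELINE = {
    "forbidden_services": {"telnet", "ftp", "upnp"},
    "management_tls_required": True,
    "min_password_length": 12,
    "known_default_credentials": {("admin", "admin"), ("admin", "password"), ("root", "root")},
    "min_firmware": (2, 4, 0),
}


def parse_version(text):
    """'2.4.1' -> (2, 4, 1) so versions compare numerically, not as strings."""
    return tuple(int(part) for part in text.split("."))


def check_device(config, baseline=BASELINE):
    """Compare one device's settings with the baseline; return a list of findings.

    Each finding names the setting, what was observed and what the baseline expects,
    which is the evidence that should drive adjustment before installation.
    """
    findings = []
    enabled = set(config.get("enabled_services", []))
    for svc in sorted(enabled & baseline["forbidden_services"]):
        findings.append({"setting": f"service:{svc}", "observed": "enabled", "expected": "disabled"})
    if baseline["management_tls_required"] and not config.get("management_tls", False):
        findings.append({"setting": "management_tls", "observed": False, "expected": True})
    password = config.get("admin_password") or ""
    if (config.get("admin_user"), password) in baseline["known_default_credentials"]:
        findings.append({"setting": "admin_credentials", "observed": "vendor default",
                         "expected": "unique credential"})
    elif len(password) < baseline["min_password_length"]:
        findings.append({"setting": "admin_password_length", "observed": len(password),
                         "expected": f">= {baseline['min_password_length']}"})
    if parse_version(config["firmware"]) < baseline["min_firmware"]:
        findings.append({"setting": "firmware", "observed": config["firmware"],
                         "expected": ">= " + ".".join(map(str, baseline["min_firmware"]))})
    return findings


def apply_safe_fixes(config, baseline=BASELINE):
    """Correct the settings that can be changed mechanically.

    Credentials and firmware are deliberately left alone: a new credential must be
    issued by the operator, and a firmware update is its own maintenance step (CPS.MA-1).
    """
    fixed = deepcopy(config)
    fixed["enabled_services"] = [s for s in fixed.get("enabled_services", [])
                                 if s not in baseline["forbidden_services"]]
    if baseline["management_tls_required"]:
        fixed["management_tls"] = True
    return fixed


def software_record(config):
    """Pre-introduction record of installed software (third Basic item).

    The digest lets a later inventory check detect drift from what was recorded.
    """
    inventory = sorted(config.get("installed_software", {}).items())
    digest = hashlib.sha256(json.dumps(inventory).encode()).hexdigest()
    return {"device": config["hostname"], "software": inventory, "sha256": digest}


# Constructed factory-default record of a device as delivered (assumption, not a real product).
FACTORY_DEFAULT = {
    "hostname": "cam-plant-b-07",
    "firmware": "2.1.5",
    "enabled_services": ["https", "telnet", "rtsp", "upnp"],
    "management_tls": False,
    "admin_user": "admin",
    "admin_password": "admin",
    "installed_software": {"busybox": "1.31.1", "openssl": "1.1.1k", "lighttpd": "1.4.55"},
}


def run_example():
    before = check_device(FACTORY_DEFAULT)
    fixed = apply_safe_fixes(FACTORY_DEFAULT)
    fixed["admin_password"] = "Tq9!vLm2#xR7pZ4s"   # assumed operator-issued unique credential
    fixed["firmware"] = "2.4.1"                     # assumed firmware update before installation
    after = check_device(fixed)
    return {"before": before, "after": after, "record": software_record(fixed)}


if __name__ == "__main__":
    print(json.dumps(run_example(), indent=2))
```

The split between `check_device` and `apply_safe_fixes` is deliberate: disabling a service or forcing TLS on the management interface is safe to do mechanically, but replacing a vendor-default credential or flashing firmware changes who can reach the device and how it behaves, so those stay as recorded findings that a person closes before the device is installed.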
A.12.1.3 Capacity management
ISO/IEC 27001 control: The use of resources shall be monitored, tuned and projections made of future capacity requirements to ensure the required system performance.

CPS.DS-6: Secure sufficient resources (e.g., people, components, systems) for components and systems, and protect assets properly to minimize adverse effects under cyber attack (e.g., a DoS attack).
  Advanced
  - The information system and the industrial control system manage spare storage space, bandwidth, and other spare resources (people, components, systems) to minimize the impact of denial-of-service attacks that send large volumes of traffic. For example, if the services provided by an attacked system cannot be stopped because the required level of availability must be maintained, the following measures are needed in order to continue important functions:
    - Automatic or manual migration to a standby system
    - Automatic or manual segregation of the system components attacked by the adversary
  - To ensure that the required system performance is satisfied, the use of resources must be monitored and adjusted, and the storage capacity and performance required in the future must be estimated in advance.
  - The organization shall:
    (a) Use a monitoring tool it specifies in order to find signs of denial-of-service (service jamming) attacks on the information system.
    (b) Monitor the resources of the information system and the industrial control system that it has identified, and judge whether sufficient resources are secured to prevent an effective denial-of-service attack.

CPS.DS-7: Carry out periodic quality checks, prepare standby devices and uninterruptible power supplies, provide redundancy, detect failures, conduct replacement work, and update software for IoT devices, communication devices, circuits, etc.
  Advanced
  - The organization prepares a short-term uninterruptible power supply that supports switching the information system to an alternative power source usable for a long period when the primary power source is lost.
  - To ensure that the required performance of the information system and the industrial control system is satisfied, the use of resources is monitored and adjusted, and the storage capacity and performance required in the future are estimated in advance.
  Basic
  - The organization protects devices from power outages and other failures attributable to malfunctions in the supporting utilities.
  - The organization protects communication cables and power cables that transmit data or support information services from interception, interference, and damage.
  - The organization properly maintains devices to ensure continuous availability and integrity.

D-3-19
Appendix D.3 - Mapping ISO/IEC 27001 to CPSF

ISO/IEC 27001:2013 Annex A | Cyber/Physical Security Framework
Security Controls ID | Controls | Measure Requirement ID | Measure Requirement | Example of Security Measures
A.12.1.4 Separation of development, testing and operational environments: Development, testing, and operational environments shall be separated to reduce the risks of unauthorized access or changes to the operational environment.

CPS.AC-7: Develop a policy about controlling data flow and, according to that policy, protect the integrity of the network by means such as appropriate network isolation (e.g., development and test environment vs. production environment, and environment incorporating IoT devices vs. other environments within the organization).

H‐Advanced
‐ The information system and the industrial control system monitor and control communications on the networks composing internal business systems of the organization.
‐ Regarding the network to which the system that handles highly confidential data is connected, the organization shall deny network communications by default and shall only allow connection of approved communication traffic.
‐ The organization physically or logically separates the network of high‐importance industrial control systems from the network of control systems with lower importance.
‐ If the information system that handles highly confidential data is connected to a remote device, the organization is to prevent multiple and simultaneous local connections between the device and the system, as well as prevent access to external network resources by other connections.

Advanced
‐ The information system and industrial control system monitor and regulate connection of external and internal boundaries of the network to which the system is connected (in the case of industrial control systems, boundaries with information systems).
‐ The organization installs boundary protection devices to promote effective security in the system and connects to external networks via the device.
‐ The organization establishes a data flow regulation policy that defines the range in which data flow within information systems and industrial control systems is permitted and the range in which data flow between systems is permitted, and regulates the flow by segregating the network appropriately.

Basic
‐ The organization logically or physically segments the control system's network from the network composing the information system.

[Reference] Implement physical segmentation in environments physically separated from other networks. Alternatively, in environments physically close to other networks, it is possible to implement logical segmentation in consideration of the cost of the measure.
A.12.2 Protection from malware / A.12.2.1 Controls against malware: Detection, prevention and recovery controls to protect against malware shall be implemented, combined with appropriate user awareness.

CPS.DS-10: Conduct integrity checks of software running on the IoT devices and servers at a time determined by the organization, and prevent unauthorized software from launching.

H‐Advanced
‐ The organization uses an automated tool that notifies the information system administrator when an inconsistency is found during integrity verification.
‐ The organization uses tools to prevent the launch of the software if malicious software is detected.

Advanced
‐ The organization incorporates detection capacity into its incident response capacity to detect unauthorized changes that are made to the settings and security, such as an unauthorized promotion of system authority.
‐ The information system regularly inspects the integrity of the software and firmware.
‐ The information system and the industrial control system prevent activation of unregistered software by registering in advance software that is permitted to activate.
CPS.CM-3:
- Use IoT devices that can detect abnormal behaviors and suspend operations by comparing the instructed behaviors and actual ones.
- Validate whether information provided from cyberspace contains malicious code, and is within the permissible range before any action based on the data.

H‐Advanced
‐ IoT devices, or systems that contain these devices, examine information output from software programs or applications to see if it matches the expected content in order to prepare for certain attacks that may have a consequence different from the normally expected outcome (e.g., command injection).
‐ The information system automatically updates the logic to detect malicious code through an IDS/IPS.
‐ The information system detects exploit code that attacks unknown vulnerabilities by installing on endpoints (especially IoT devices and servers with various functions) detection/restoration software using technologies of behavioral detection of malware.

Advanced
‐ The information system executes real‐time scanning of files from external sources.
‐ The information system blocks or isolates any malicious code it has detected through an IDS/IPS, or notifies the administrator of the code.
‐ The information system detects exploit code by installing on endpoints (IoT devices, servers, and so on) detection/restoration software using technologies of pattern matching of malware.
‐ The organization considers implementing whitelist‐type malware protection for IoT devices with limited functions.
* Especially regarding IoT devices and control devices, an OS to which anti‐malware software can be applied may not be used. It is desirable for the organization to confirm whether devices to be introduced are compatible with anti‐malware software at the phase of procurement and to select compatible ones. If it is difficult to procure devices compatible with anti‐malware software, it is desirable to take alternative measures such as introducing/strengthening a malware detection mechanism on a network.
A.12.3 Backup / A.12.3.1 Information backup: Backup copies of information, software and system images shall be taken and tested regularly in accordance with an agreed backup policy.

CPS.BE-3: Identify the dependency between the organization and other relevant parties and the important functions of each in the course of running the operation.

H‐Advanced
‐ The organization identifies the functions of the following support utilities for the continuation of its business and the dependence relationship between them.
  ‐ Communication service
  ‐ Electrical power equipment (including power cables)
‐ Among the above identified utilities, for those which have important roles for the continuation of its business, the organization examines the possibility of taking measures as follows:
  ‐ Establishment of alternative communication services
  ‐ Physical protection of electrical power equipment and power cables
  ‐ Preparation of short‐term permanent power supply equipment
‐ When examining the possibility of using an alternative communication service, the organization considers the following:
  ‐ Identify the requirements on the availability of the organization (including the target recovery time) when examining a contract with a communication service provider.
  ‐ Reduce the possibility of sharing a single point of failure with a primary communication service.

Advanced
‐ The organization identifies the requirements for the capacity/capability of an applicable system according to the requirements for its availability stipulated in CPS.AM‐6.
‐ In order to fulfill the required system performance, the organization monitors/adjusts the use of resources in the information systems and industrial control systems in operation, and pre‐estimates the storage capacity/performance required in the future.
CPS.IP-4: Perform a periodical system backup and testing of components (e.g., IoT devices, communication devices, and circuits).

H‐Advanced
‐ The organization confirms the trustworthiness of the medium and integrity of the information by regularly testing the backup information.

Advanced
‐ The organization backs up their system documents according to the prescribed timing and frequency.
‐ The organization protects the confidentiality, integrity, and availability of the information backed up on the storage base.

Basic
‐ The organization backs up information on user level and system level that is included in its information systems or industrial control systems according to the prescribed timing and frequency.

A.12.4 Logging and monitoring / A.12.4.1 Event logging: Event logs recording user activities, exceptions, faults and information security events shall be produced, kept and regularly reviewed.

CPS.SC-8: Collect and securely store data proving that the organization is fulfilling its contractual obligations with other relevant parties or individuals, and prepare them for disclosure as needed within appropriate limits.

H‐Advanced
‐ The organization uses a trail storage system with the following features to flexibly fulfill the needs of clients and other related organizations, such as a third‐party auditing institution, on a real‐time basis.
  ‐ Eligibility of the subject audit trail for the contract matter can be verified quickly.
  ‐ Only authorized entities such as clients and outsourced auditing agencies can access the system.
  ‐ Stored data has reliable trails such as time stamps and electronic signatures.

Advanced
‐ The organization takes measures so that those records among the audit records generated by the system that are acquired over a long period of time can be obtained with certainty.
‐ In order to protect audit records from the following threats, it is desirable for the system to apply access control with high granularity to the items and systems in which audit records are stored.
  ‐ Change format of recorded message
  ‐ Change or delete log file
  ‐ Exceed storage space of log file medium

Basic
‐ The organization preserves audit records for an appropriate period of time so as to satisfy the requirements of laws and regulations.
CPS.PT-1: Determine and document the subject or scope of the audit recording/log recording, and implement and review those records in order to properly detect high-risk security incidents.

H‐Advanced
‐ In addition to the detection of security incidents, the collected logs are considered to be useful in tracking the cause of security incidents after the fact. Therefore, the information system collects, if possible, detailed logs (e.g., OS command level) that do not remain in the OS function.
‐ If time stamps in multiple audit logs match, the audit logs of the subjects specified by the organization are managed as audit trails across the system, logically and physically.
‐ The information system provides system functions designed to compare and synchronize internal system clocks by using an official source of information for generating time stamps for an audit record.
‐ The information system adopts an automatic mechanism designed to handle an audit review, analysis, and report in an integrated manner.
‐ It may be difficult to generate security‐related audit logs for some of the IoT devices that an organization uses, or to connect some of those devices to the existing log management system. Hence, it is necessary to take measures that consider the specs of the IoT devices, such as using a log management system different from the main one or using an alternative measure on the part of the system, when collecting and analyzing audit logs from the relevant IoT devices.

Advanced
‐ The information system and the industrial control system each use a cryptographic mechanism in order to ensure the integrity of the audit log and the audit tool.
‐ The organization grants control over an audit log only to users assigned in accordance with the rules about security‐related internal responsibility.
‐ The information system issues an alert when an incident of failure takes place in the audit process.

Basic
‐ The organization specifies what is to be audited based on its risk management strategy and risk assessment results, and sees if the systems can acquire audit logs that show who did what and when in connection with the subjects of an audit.
‐ The system generates a prescribed audit log from various system components.
‐ The organization reviews and analyzes a system’s audit log regularly to see if there are any signs of security incidents that may cause damage to the organization, and makes a report to the system administrator where necessary.
‐ The organization confirms that the impact of audit activities on the performance of industrial control systems is tolerable.
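The Advanced-level measure above (a cryptographic mechanism ensuring audit log integrity) and the CPS.SC-8 threats of changing or deleting log records can be illustrated with a hash-chained, HMAC-authenticated audit trail; the following Python is an added example, not code from the CPSF or any vendor. The key, record fields and log entries are constructed, and the "anchor" (a copy of the latest tag kept outside the log store) is an assumption of this example, needed because chain verification alone cannot see records cut off the end.

```python
import copy
import hashlib
import hmac
import json
from typing import Dict, List, Optional, Tuple

# Constructed demo key. In a real deployment the key is held by the log
# collector or an HSM, never on the host whose actions are being recorded,
# so an intruder on that host cannot recompute valid tags.
LOG_KEY = b"constructed-demo-key-not-for-production"
GENESIS_TAG = "0" * 64

Result = Tuple[bool, Optional[int], str]  # (ok, first bad record seq, reason)


def _canonical(record: Dict) -> bytes:
    """Canonical JSON so the same content always yields the same bytes."""
    return json.dumps(record, sort_keys=True, separators=(",", ":")).encode()


def append_record(chain: List[Dict], key: bytes, ts: str, actor: str,
                  action: str, detail: str) -> Dict:
    """Append one audit record; its tag covers its own fields and the previous tag."""
    prev_tag = chain[-1]["tag"] if chain else GENESIS_TAG
    body = {"seq": len(chain), "ts": ts, "actor": actor, "action": action,
            "detail": detail, "prev": prev_tag}
    tag = hmac.new(key, _canonical(body), hashlib.sha256).hexdigest()
    entry = dict(body, tag=tag)
    chain.append(entry)
    return entry


def verify_chain(chain: List[Dict], key: bytes) -> Result:
    """Walk the chain and report the first record whose link or tag is broken."""
    prev_tag = GENESIS_TAG
    for i, entry in enumerate(chain):
        body = {k: v for k, v in entry.items() if k != "tag"}
        if body.get("seq") != i:
            return False, i, "sequence gap (record deleted or reordered)"
        if body.get("prev") != prev_tag:
            return False, i, "broken link to previous record"
        expected = hmac.new(key, _canonical(body), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, entry.get("tag", "")):
            return False, i, "content or tag modified"
        prev_tag = entry["tag"]
    return True, None, "chain intact"


def verify_anchor(chain: List[Dict], anchor_tag: str) -> Result:
    """Cutting records off the end leaves a valid chain, so the newest tag is
    also compared with a copy kept outside the log store (the anchor)."""
    last = chain[-1]["tag"] if chain else GENESIS_TAG
    if hmac.compare_digest(last, anchor_tag):
        return True, None, "tail matches anchor"
    return False, len(chain), "tail truncated (anchor mismatch)"


def demo_scenarios() -> Dict[str, Result]:
    """Build a constructed four-record trail and check it under tampering cases."""
    chain: List[Dict] = []
    append_record(chain, LOG_KEY, "2024-01-01T00:00:00Z", "admin", "login", "console")
    append_record(chain, LOG_KEY, "2024-01-01T00:01:10Z", "admin", "config_change",
                  "firewall rule 17 updated")
    append_record(chain, LOG_KEY, "2024-01-01T00:02:05Z", "svc_backup", "backup",
                  "nightly job started")
    append_record(chain, LOG_KEY, "2024-01-01T00:03:00Z", "admin", "logout", "console")
    anchor = chain[-1]["tag"]  # would be shipped to a separate system each interval

    modified = copy.deepcopy(chain)
    modified[1]["detail"] = "no change made"  # record rewritten after the fact
    deleted = chain[:2] + chain[3:]           # a record removed from the middle
    truncated = chain[:-1]                    # the newest record cut off

    return {
        "intact": verify_chain(chain, LOG_KEY),
        "modified": verify_chain(modified, LOG_KEY),
        "deleted": verify_chain(deleted, LOG_KEY),
        "truncated": verify_chain(truncated, LOG_KEY),
        "truncated_vs_anchor": verify_anchor(truncated, anchor),
        "wrong_key": verify_chain(chain, b"some-other-key"),
    }


if __name__ == "__main__":
    for name, (ok, seq, reason) in demo_scenarios().items():
        where = f" at seq {seq}" if seq is not None else ""
        print(f"{name:>20}: {'OK ' if ok else 'BAD'} {reason}{where}")
```

A verification failure or anchor mismatch is the event that the "alert when a failure takes place in the audit process" measure above should raise.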
CPS.AE-2: Appoint a chief security officer, establish a security management team (SOC/CSIRT), and prepare a system within the organization to detect, analyze, and respond to security events.

H‐Advanced
‐ The organization efficiently analyzes audit logs collected through 24‐h, 365‐day security monitoring by using an automated analysis tool.
‐ It is desirable for the organization to include not only its conventional IT environment but also its control system and IoT devices in the scope of security monitoring.
‐ It is desirable for the organization to regularly evaluate the maturity of its security measure organizations in order to continue improving its security‐related operations, including security monitoring and the ways incidents are handled.

[Reference] For example, SIM3 (Security Incident Management Maturity Model) is available as metrics for the evaluation of security organizations (SOC/CSIRT).

Advanced
‐ The organization refers to risk assessment results and, considering the following angles, establishes what to monitor and what to include in correlation analysis.
  ‐ The scope of systems to monitor
  ‐ Which device logs should be collected for analysis (see CPS.AE‐3)
‐ The organization regularly reviews audit logs collected through monitoring.
‐ The organization continues to collect and manage information about assets, device configurations, and network configurations in order to evaluate its security status.
‐ The organization examines the results of correlation analysis and other data to accurately detect security events that must be addressed and takes action in accordance with the security operation process. See CPS.RP‐1 for details of the process.
‐ The organization regularly reports the state of organizational and system security to the chief security officer or other appropriate staff members. It is desirable that the regular report should include the following:
  ‐ Results of log analysis (e.g., the number of incidents handled; summaries of typical incidents that have been handled; threats that have emerged; issues in monitoring);
  ‐ Policy for future improvements in monitoring.
CPS.AE-3: Identify the security events accurately by implementing the procedure to conduct a correlation analysis of the security events and comparative analysis with the threat information obtained from outside the organization.

H‐Advanced
‐ The organization conducts a trend analysis examining the latest information about threats, vulnerabilities, and assessments of security management measures carried out several times in order to determine whether the activities for continuous monitoring need any correction.
‐ The organization carries out policy tuning (management of signatures to apply) and maintenance for devices such as IDS, IPS, and SIEM on its own.
‐ The organization creates custom signatures used for sensors on its own.
‐ In order to properly detect security events that are likely to adversely affect the organization, the organization collects and analyzes logs of edge devices such as IoT devices in addition to the logs of devices presented in <Advanced>, if possible.

Advanced
‐ It is desirable that the organization should monitor mainly logs of the devices listed below for real‐time analysis to appropriately detect security events highly likely to have an adverse effect on its own organization. This will require the handling of many different logs. Hence, it is necessary to normalize logs to store them in the same database or to use SIEM for efficient analysis. It is also advisable to handle information about network flows if it is available.
  ‐ Logs and network flows from network systems, e.g., firewalls
  ‐ Logs from security devices, e.g., IPS/IDS
  ‐ Access logs of web servers
  ‐ Logs from various systems, e.g., Active Directory; DNS
  ‐ Logs related to users’ terminals

Basic
‐ The organization checks each notice from firewalls and endpoint security products in order to identify security events that may have an adverse impact on the organization.
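The <Advanced> list above requires normalizing logs of different devices before they can be correlated; the following Python is an added illustration of that step, not code from the CPSF or any SIEM product. The three log formats, IP addresses (RFC 5737 documentation ranges), signature name and the correlation rule are constructed for the example, and it assumes every source is clock-synchronized to UTC, as A.12.4.4 requires.

```python
import re
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import List, Optional


@dataclass
class Event:
    """Common schema every source is mapped to before correlation."""
    ts: datetime   # timezone-aware; sources are assumed clock-synchronized to UTC
    source: str    # "firewall", "ids" or "web"
    src_ip: str
    dst_ip: str
    summary: str


# Constructed sample lines in three different formats (RFC 5737 documentation IPs).
FIREWALL_LINES = [
    "2024-01-12T03:14:05Z fw01 DROP SRC=203.0.113.7 DST=192.0.2.10 PROTO=TCP DPT=22",
    "2024-01-12T03:14:06Z fw01 DROP SRC=203.0.113.7 DST=192.0.2.10 PROTO=TCP DPT=23",
    "2024-01-12T03:20:00Z fw01 ACCEPT SRC=198.51.100.4 DST=192.0.2.10 PROTO=TCP DPT=443",
]
IDS_LINES = [  # Snort-style "fast" alert layout; the signature name is made up
    "01/12-03:15:40.123456 [**] [1:1000001:1] CONSTRUCTED scanner user-agent [**] "
    "[Priority: 2] {TCP} 203.0.113.7:51234 -> 192.0.2.10:80",
]
WEB_LINES = [  # combined access log format
    '203.0.113.7 - - [12/Jan/2024:03:16:02 +0000] "GET /admin/ HTTP/1.1" 200 5123 "-" "scanner/1.0"',
    '198.51.100.4 - - [12/Jan/2024:03:21:00 +0000] "GET /index.html HTTP/1.1" 200 1042 "-" "Mozilla/5.0"',
]

FW_RE = re.compile(r"^(\S+) \S+ (DROP|ACCEPT) SRC=(\S+) DST=(\S+) PROTO=(\S+) DPT=(\d+)")
IDS_RE = re.compile(r"^(\d\d/\d\d-\d\d:\d\d:\d\d)\.\d+ \[\*\*\] \[[\d:]+\] (.*?) \[\*\*\] "
                    r"\[Priority: (\d)\] \{\w+\} (\S+):\d+ -> (\S+):\d+")
WEB_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3})')


def parse_firewall(line: str) -> Optional[Event]:
    m = FW_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return Event(ts, "firewall", m.group(3), m.group(4), f"{m.group(2)} {m.group(5)}/{m.group(6)}")


def parse_ids(line: str, year: int = 2024) -> Optional[Event]:
    # The fast layout carries no year, so the collector has to supply it.
    m = IDS_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{year}/{m.group(1)}", "%Y/%m/%d-%H:%M:%S").replace(tzinfo=timezone.utc)
    return Event(ts, "ids", m.group(4), m.group(5), f"priority {m.group(3)}: {m.group(2)}")


def parse_web(line: str, server_ip: str) -> Optional[Event]:
    m = WEB_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group(2), "%d/%b/%Y:%H:%M:%S %z")  # offset kept, comparable to UTC
    return Event(ts, "web", m.group(1), server_ip, f"HTTP {m.group(5)} {m.group(3)} {m.group(4)}")


def normalize_all(server_ip: str = "192.0.2.10") -> List[Event]:
    """Map all constructed lines to the common schema and order them by time."""
    parsed = [parse_firewall(l) for l in FIREWALL_LINES]
    parsed += [parse_ids(l) for l in IDS_LINES]
    parsed += [parse_web(l, server_ip) for l in WEB_LINES]
    return sorted((e for e in parsed if e is not None), key=lambda e: e.ts)


def correlate(events: List[Event], window: timedelta = timedelta(minutes=10)) -> List[str]:
    """Rule: an IDS alert whose source IP then completes a 2xx request to the web
    server within `window`; firewall drops in the preceding window are added as
    context. No single source shows this picture on its own."""
    findings = []
    for alert in (e for e in events if e.source == "ids"):
        drops = sum(1 for e in events if e.source == "firewall" and e.src_ip == alert.src_ip
                    and e.summary.startswith("DROP") and alert.ts - window <= e.ts <= alert.ts)
        for hit in events:
            if (hit.source == "web" and hit.src_ip == alert.src_ip
                    and hit.summary.startswith("HTTP 2")
                    and alert.ts <= hit.ts <= alert.ts + window):
                findings.append(f"{alert.src_ip}: {drops} firewall drop(s), then IDS alert "
                                f"'{alert.summary}' at {alert.ts:%H:%M:%S}Z, then {hit.summary} "
                                f"at {hit.ts:%H:%M:%S}Z")
    return findings


if __name__ == "__main__":
    for finding in correlate(normalize_all()):
        print(finding)
```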

CPS.DP-1: Clarify the role and responsibility of the organization as well as service providers in detecting security events so that they can fulfill their accountabilities.

Basic
‐ The organization determines the log information that would help detect security events and thus should be collected based on its strategies relating to risk management and assessment results.
‐ The organization ascertains that its business partner (service provider) has an audit log that records activity of service users, exception handling, and security events that the provider has acquired.
‐ The organization ascertains that the audit log acquired by its service provider records activity of service users, exception handling, and security events, and is protected in a proper way.
A.12.4.2 Protection of log information: Logging facilities and log information shall be protected against tampering and unauthorized access.

CPS.PT-1: Determine and document the subject or scope of the audit recording/log recording, and implement and review those records in order to properly detect high-risk security incidents.

H‐Advanced
‐ In addition to the detection of security incidents, the collected logs are considered to be useful in tracking the cause of security incidents after the fact. Therefore, the information system collects, if possible, detailed logs (e.g., OS command level) that do not remain in the OS function.
‐ If time stamps in multiple audit logs match, the audit logs of the subjects specified by the organization are managed as audit trails across the system, logically and physically.
‐ The information system provides system functions designed to compare and synchronize internal system clocks by using an official source of information for generating time stamps for an audit record.
‐ The information system adopts an automatic mechanism designed to handle an audit review, analysis, and report in an integrated manner.
‐ It may be difficult to generate security‐related audit logs for some of the IoT devices that an organization uses, or to connect some of those devices to the existing log management system. Hence, it is necessary to take measures that consider the specs of the IoT devices, such as using a log management system different from the main one or using an alternative measure on the part of the system, when collecting and analyzing audit logs from the relevant IoT devices.

Advanced
‐ The information system and the industrial control system each use a cryptographic mechanism in order to ensure the integrity of the audit log and the audit tool.
‐ The organization grants control over an audit log only to users assigned in accordance with the rules about security‐related internal responsibility.
‐ The information system issues an alert when an incident of failure takes place in the audit process.
A.12.4.3 Administrator and operator logs: System administrator and system operator activities shall be logged and the logs protected and regularly reviewed.

CPS.PT-1: Determine and document the subject or scope of the audit recording/log recording, and implement and review those records in order to properly detect high-risk security incidents.

H‐Advanced
‐ In addition to the detection of security incidents, the collected logs are considered to be useful in tracking the cause of security incidents after the fact. Therefore, the information system collects, if possible, detailed logs (e.g., OS command level) that do not remain in the OS function.
‐ If time stamps in multiple audit logs match, the audit logs of the subjects specified by the organization are managed as audit trails across the system, logically and physically.
‐ The information system provides system functions designed to compare and synchronize internal system clocks by using an official source of information for generating time stamps for an audit record.
‐ The information system adopts an automatic mechanism designed to handle an audit review, analysis, and report in an integrated manner.
‐ It may be difficult to generate security‐related audit logs for some of the IoT devices that an organization uses, or to connect some of those devices to the existing log management system. Hence, it is necessary to take measures that consider the specs of the IoT devices, such as using a log management system different from the main one or using an alternative measure on the part of the system, when collecting and analyzing audit logs from the relevant IoT devices.

Advanced
‐ The information system and the industrial control system each use a cryptographic mechanism in order to ensure the integrity of the audit log and the audit tool.
‐ The organization grants control over an audit log only to users assigned in accordance with the rules about security‐related internal responsibility.
‐ The information system issues an alert when an incident of failure takes place in the audit process.

Basic
‐ The organization specifies what is to be audited based on its risk management strategy and risk assessment results, and sees if the systems can acquire audit logs that show who did what and when in connection with the subjects of an audit.
‐ The system generates a prescribed audit log from various system components.
‐ The organization reviews and analyzes a system’s audit log regularly to see if there are any signs of security incidents that may cause damage to the organization, and makes a report to the system administrator where necessary.
‐ The organization confirms that the impact of audit activities on the performance of industrial control systems is tolerable.
A.12.4.4 Clock synchronisation: The clocks of all relevant information processing systems within an organization or security domain shall be synchronised to a single reference time source.

CPS.PT-1: Determine and document the subject or scope of the audit recording/log recording, and implement and review those records in order to properly detect high-risk security incidents.

H‐Advanced
‐ In addition to the detection of security incidents, the collected logs are considered to be useful in tracking the cause of security incidents after the fact. Therefore, the information system collects, if possible, detailed logs (e.g., OS command level) that do not remain in the OS function.
‐ If time stamps in multiple audit logs match, the audit logs of the subjects specified by the organization are managed as audit trails across the system, logically and physically.
‐ The information system provides system functions designed to compare and synchronize internal system clocks by using an official source of information for generating time stamps for an audit record.
‐ The information system adopts an automatic mechanism designed to handle an audit review, analysis, and report in an integrated manner.
‐ It may be difficult to generate security‐related audit logs for some of the IoT devices that an organization uses, or to connect some of those devices to the existing log management system. Hence, it is necessary to take measures that consider the specs of the IoT devices, such as using a log management system different from the main one or using an alternative measure on the part of the system, when collecting and analyzing audit logs from the relevant IoT devices.

A.12.5 Control of operational software / A.12.5.1 Installation of software on operational systems: Procedures shall be implemented to control the installation of software on operational systems.

CPS.IP-1: Introduce and implement the process to manage the initial setting procedure (e.g., password) and setting change procedure for IoT devices and servers.

H‐Advanced
‐ Before making changes to IoT devices and servers that are subjects of configuration management, the organization tests and approves these changes as well as creates a document on the changes.
‐ The organization uses an automated mechanism to manage, apply, and confirm settings of IoT devices and servers from a single location.
‐ The organization integrates security change management procedures, particularly for industrial control systems, into existing process safety management procedures.

Advanced
‐ When changes are made to the IoT devices and servers that are subjects of configuration management, the organization analyzes the impact the change has on security, decides whether the change can be made or not, and creates a document on the procedure.
‐ The organization limits personnel who can make changes to approved IoT devices and servers (restricted access).
‐ The organization makes changes to approved IoT devices and servers, as well as implements, records, and monitors those changes.
‐ The organization uses a secure recovery method (e.g., entering a security code known only to the user before the change is implemented) if they forget the password of their accounts, IoT devices and servers.
‐ The organization regularly reviews policies and procedures for operation and change management to ensure that changes do not adversely affect the availability or safety of information systems and industrial control systems.

Basic
‐ Upon determining the most restrictive setting criteria that conform to their operation, the organization creates a document on the initial setting procedures and setting details for the IoT devices and servers that will be introduced and adjusts the settings according to the document.
‐ The organization checks initial setting values of IoT devices before installing them, and adjusts the settings appropriately if they do not comply with the policy stipulated in CPS.AC‐1.
‐ The organization checks and records software installed in IoT devices before introducing them.
CPS.IP-2: Restrict the software to be added after installation in the IoT devices and servers.

H‐Advanced
‐ The organization restricts software by using a list of software that is permitted to be executed on the information system and industrial control system (whitelist) or a list of prohibited software (blacklist). Or, unpermitted software shall not be installed.
A.12.6 Technical vulnerability management / A.12.6.1 Management of technical vulnerabilities: Information about technical vulnerabilities of information systems being used shall be obtained in a timely fashion, the organization’s exposure to such vulnerabilities evaluated and appropriate measures taken to address the associated risk.

CPS.RA-1: Identify the vulnerability of the organization’s assets and document the list of identified vulnerabilities with the corresponding asset.

H‐Advanced
‐ The organization conducts vulnerability diagnosis at planned timings such as planned stopping so as not to adversely affect the operation of the system managed by the organization, and then identifies and lists vulnerabilities that exist in the system owned by the organization.
‐ It is desirable to conduct a penetration test periodically to recognize existing vulnerabilities in a system it manages.
‐ When conducting vulnerability diagnosis, it is desirable to use a vulnerability diagnosis tool that can immediately update the vulnerability information for the system to be diagnosed.
‐ The organization develops mechanisms to temporarily permit privileged access to an inspector during vulnerability diagnosis to more thoroughly identify vulnerabilities.

Advanced
‐ The organization carries out a vulnerability diagnosis to recognize vulnerabilities existing in the information system which has high importance and makes a list of them.
‐ In the operation phase of an information system owned by the organization, the organization uses a vulnerability diagnosis tool to periodically identify its system vulnerabilities within the vulnerabilities collected from various sources, which are supposed to be related to the organization. The organization shall add the identified vulnerability and its impact degree to a list.

[Reference] Japan Vulnerability Notes (https://jvn.jp/) and other sources of information are available for reference to obtain information regarding vulnerabilities. Also, CVSS (https://www.ipa.go.jp/security/vuln/CVSS.html, illustrated by IPA) could be used as a referential indicator to evaluate the impact level of a vulnerability.
CPS.RA-4:
- Conduct risk assessments regularly to check if the security rules for managing the components are effective and applicable to the components for implementation.
- Check the presence of unacceptable known security risks, including safety hazards, from the planning and design phase of an IoT device and systems incorporating IoT devices.

H‐Advanced
‐ When developing a new device or a new component which may have an impact on a physical space, such as components of an industrial control system, the organization collects/analyzes accident case studies of conventional products and others to identify safety‐related hazards.
‐ The organization analyzes a situation where a hazard leads to harm and identifies the possibility of occurrence and the severity of the harm to estimate a possible risk, especially regarding an industrial control system. At that time, it is desirable to check whether there is any hazard caused by a security issue.
‐ The organization updates the risk assessment if there is a significant change in the industrial control system or the environment in which it operates, or any other change that affects the security state of the industrial control system.

Advanced
‐ The organization updates a risk assessment when there is a big change in a system or an environment where a system is running (including identification of a new threat or vulnerability) or when any situation which impacts the security status of a system occurs.
‐ When planning/designing a new system using an IoT device, the organization identifies existing assets and assets to be protected in the system to be implemented and organizes security measures according to the use and configuration of the system. When handling a component or a system with a long life cycle, or a component or a system requiring availability, consideration of security measures at a phase before designing is especially important.
‐ When considering security measures applied to purchased products and services, the organization makes sure that the levels of measures correspond to the importance of such products and services.
‐ The organization updates a risk assessment when there is a big change in an information system or an environment where an
Consider threats, vulnerability, likelihood, and information system is running (including identification of a new threat or vulnerability) or when any situation which impacts the security
CPS.RA-5 Advanced
impacts when assessing risks. status of a system occurs. In that case, give priority to an information system or industrial control system with high importance.
* Implementation details common to CPS.RA‐4
CPS.IP-10: Develop a vulnerability remediation plan, and modify the vulnerability of the components according to the plan.
H‐Advanced
‐ The organization adopts and administers an automated mechanism for managing the status of defect correction.
Advanced
‐ The organization defines tolerable risk by identifying, through investigations and tests, the impacts of patch application on the functions of other software applications and services on the operations of IoT devices and servers.
‐ The organization conducts tests to measure the effectiveness of corrections and the possibility of any secondary adverse effects, corrects the defects, and manages the corrections as part of configuration management.
Basic
‐ The organization systematically identifies, reports and responds to vulnerabilities in its own information systems and industrial control systems. The organization considers the following when formulating a plan.
 ‐ Seriousness of threats or vulnerabilities
 ‐ Risk in responding to vulnerabilities

[Reference] It may be difficult to apply security patches in a timely manner, or to apply patches at all, to IoT devices in consideration of the availability and functions of the devices. In such cases, it is desirable to avoid the occurrence of security incidents by thoroughly taking measures against threats (e.g. minimization of functions, strengthening of network monitoring).

D-3-23
Appendix D.3 - Mapping ISO/IEC 27001 to CPSF

Table columns: ISO/IEC 27001:2013 Annex A (Security Controls ID; Controls) / Cyber/Physical Security Framework (Measure Requirement ID; Measure Requirement; Example of Security Measures, given per level: H‐Advanced, Advanced, Basic)
CPS.CM-7: Confirm the existence of vulnerabilities that require a regular check‐up in IoT devices and servers managed within the organization.
H‐Advanced
‐ The organization conducts vulnerability diagnosis at planned timings, such as planned stops, so as not to adversely affect the operation of the system managed by the organization, and then identifies and lists the vulnerabilities that exist in the system owned by the organization.
‐ When using tools to conduct vulnerability diagnosis, the organization should use tools that can quickly update the vulnerability database for the system being diagnosed.
‐ The organization updates the list of vulnerabilities of scanned systems regularly, or when newly‐identified weaknesses are reported.
‐ The organization implements a system for authorizing privileged access to the relevant system components in connection with the specified vulnerability scanning.
Advanced
‐ The organization has its systems and applications scanned for vulnerabilities regularly, or when any newly‐found weaknesses that affect the systems and/or applications are reported.
‐ The organization uses a tool for vulnerability scanning. Applying standard methods that meet the following means that part of the vulnerability management process should be open to automation.
 ‐ List defects in the platform and software, and wrong setups.
 ‐ Format a checklist and test procedure.
 ‐ Assess the impact of the vulnerability.
‐ The organization corrects identified weaknesses through risk assessment within an appropriate period.
‐ The organization shares the information acquired through the above process with other system administrators in the organization, thereby learning about similar weaknesses found in the other information systems, and corrects them as necessary.

[Reference] Japan Vulnerability Notes (https://jvn.jp/) and other sources of information are available for reference to obtain information regarding vulnerabilities. Also, CVSS (https://www.ipa.go.jp/security/vuln/CVSS.html, explained by IPA) can be used as a reference indicator to evaluate the impact level of a vulnerability.
Basic
‐ The organization regularly has its systems and applications scanned for vulnerabilities.
A.12.6.2 Restrictions on software installation: Rules governing the installation of software by users shall be established and implemented.

CPS.IP-2: Restrict the software to be added after installation in the IoT devices and servers.
H‐Advanced
‐ The organization restricts software by using a list of software that is permitted to be executed on the information system and industrial control system (whitelist) or a list of prohibited software (blacklist). Or, unpermitted software shall not be installed.
Advanced
‐ The organization adopts and manages a mechanism that manages software installation performed by users on the organization's system (information system or industrial control system) and monitors the events.
Basic
‐ The organization establishes a policy on software installation performed by users on the organization's system (information system or industrial control system) and has the users follow it.
A.12.7 Information systems audit considerations
A.12.7.1 Information systems audit controls: Audit requirements and activities involving verification of operational systems shall be carefully planned and agreed to minimise disruptions to business processes.

CPS.SC-6: Conduct regular assessments through auditing, test results, or other checks of relevant parties such as business partners to ensure they are fulfilling their contractual obligations.
H‐Advanced
‐ The organization adopts an automatic mechanism integrating review, analysis, and reporting that supports the investigation of, and addresses procedures for, deviation or signs of deviation from contract matters.
‐ The organization uses a mechanism that allows it to list and check whether the obligatory matters stipulated in the contract are fulfilled, namely matters concerning the security management of the organization and the security functions implemented in the products and services that will be delivered, especially for important clients and reconsigned organizations.
‐ The state of compliance with the security management measures of the external service provider is regularly checked by external audits and field surveys conducted by the outsourcer.
‐ The important business partners and, if possible, their re‐contractors etc. investigate whether there is any sign of an attack or any fact of information leakage, and regularly report the result to the organization.
Advanced
‐ The organization checks whether the requirements prescribed in the contract with the client can be audited on the system.
‐ The information system provides a function that allows audit records to be created for the events defined above that can be audited on the system.
‐ The organization shall be able to maintain consistency in security audits with other organizations that require information on the audit.
‐ The organization regularly reviews and analyzes audit records that are made manually or automatically by the system, and checks whether there is any deviation or sign of deviation from contract matters.
‐ The state of compliance with the security management measures of the external service provider is regularly checked by internal audits that are conducted by the client using a checklist.

CPS.PT-1: Determine and document the subject or scope of the audit recording/log recording, and implement and review those records in order to properly detect high‐risk security incidents.
H‐Advanced
‐ In addition to the detection of security incidents, the collected logs are considered useful in tracking the cause of security incidents after the fact. Therefore, the information system collects, if possible, detailed logs (e.g. at OS command level) that do not remain in the OS function.
‐ If time stamps in multiple audit logs match, the audit logs of the subjects specified by the organization are managed as audit trails across the system, logically and physically.
‐ The information system provides system functions designed to compare and synchronize internal system clocks by using an official source of information for generating time stamps for audit records.
‐ The information system adopts an automatic mechanism designed to handle audit review, analysis, and reporting in an integrated manner.
‐ It may be difficult to generate security‐related audit logs for some of the IoT devices that an organization uses, or to connect some of those devices to the existing log management system. Hence, it is necessary to take measures that consider the specs of the IoT devices, such as using a log management system different from the main one or using an alternative measure on the part of the system, when collecting and analyzing audit logs from the relevant IoT devices.
Advanced
‐ The information system and the industrial control system each use a cryptographic mechanism in order to ensure the integrity of the audit log and the audit tool.
‐ The organization grants control over an audit log only to users assigned in accordance with the rules about security‐related internal responsibility.
‐ The information system issues an alert when a failure takes place in the audit process.
Basic
‐ The organization specifies what is to be audited based on its risk management strategy and risk assessment results, and sees if the systems can acquire audit logs that show who did what and when in connection with the subjects of an audit.
‐ The system generates the prescribed audit log from various system components.
‐ The organization reviews and analyzes a system's audit log regularly to see if there are any signs of security incidents that may cause damage to the organization, and makes a report to the system administrator where necessary.
‐ The organization confirms that the impact of audit activities on the performance of industrial control systems is tolerable.

A.13 Communications security
A.13.1 Network security management
A.13.1.1 Network controls: Networks shall be managed and controlled to protect information in systems and applications.

CPS.AC-7: Develop a policy about controlling data flow, and according to that policy protect the integrity of the network by means such as appropriate network isolation (e.g., development and test environment vs. production environment, and environments incorporating IoT devices vs. other environments within the organization).
H‐Advanced
‐ The information system and the industrial control system monitor and control communications on the networks composing the internal business systems of the organization.
‐ Regarding the network to which the system that handles highly confidential data is connected, the organization shall deny network communications by default and shall only allow connection of approved communication traffic.
‐ The organization physically or logically separates the network of high‐importance industrial control systems from the network of control systems with lower importance.
‐ If the information system that handles highly confidential data is connected to a remote device, the organization is to prevent multiple and simultaneous local connections between the device and the system, as well as prevent access to external network resources by other connections.
Advanced
‐ The information system and industrial control system monitor and regulate connections at the external and internal boundaries of the network to which the system is connected (in the case of industrial control systems, the boundaries with information systems).
‐ The organization installs boundary protection devices to promote effective security in the system and connects to external networks via those devices.

CPS.AC-9: Authenticate and authorize logical accesses to system components by IoT devices and users according to the transaction risks (personal security, privacy risks, and other organizational risks).
H‐Advanced
‐ The information system and industrial control system require authentication using a public key infrastructure (PKI), especially regarding login to a system that handles highly confidential data.
* When performing authentication using PKI in an industrial control system, ensure that the processing wait time that occurs does not degrade system performance.
‐ The information system and industrial control system lay down conditions that require disconnection of a session on the system and implement a function that automatically terminates a user's session when it falls under these conditions.

[Reference] For the strength of authentication schemes and appropriate use cases, it is advisable to refer to NIST SP 800‐63‐3.
Advanced
‐ The organization checks the user's identity and authenticates using a mechanism that has sufficient strength for the risk of the transaction (security‐related risks for the user, privacy risks, etc.).
‐ The information system displays a notification message on the risk of the transaction (security‐related risks for the user, privacy risks, etc.) when a user logs into the system.
‐ The information system and the industrial control system make the feedback on the authentication information invisible on the system during the authentication process.
‐ The organization sets the expiration date of the credential and manages whether a password beyond its expiration date is used.

CPS.DS-3: Encrypt the communication channel when communicating between IoT devices and servers or in cyberspace.
H‐Advanced
‐ The organization protects the networks composing the information system and industrial control system that handle important data by implementing encryption of communication channels or by alternative physical measures.
Advanced
‐ The information system employs a cryptographic mechanism and encrypts communication paths.

[Reference] For encryption of communication paths, there are several methods such as IP‐VPN, IPsec‐VPN, and SSL VPN. It is desirable that the organization should select the method considering the importance of the data transmitted over the communication paths, the budget, and so on.
CPS.PT-1: Determine and document the subject or scope of the audit recording/log recording, and implement and review those records in order to properly detect high‐risk security incidents.
H‐Advanced
‐ In addition to the detection of security incidents, the collected logs are considered useful in tracking the cause of security incidents after the fact. Therefore, the information system collects, if possible, detailed logs (e.g. at OS command level) that do not remain in the OS function.
‐ If time stamps in multiple audit logs match, the audit logs of the subjects specified by the organization are managed as audit trails across the system, logically and physically.
‐ The information system provides system functions designed to compare and synchronize internal system clocks by using an official source of information for generating time stamps for audit records.
‐ The information system adopts an automatic mechanism designed to handle audit review, analysis, and reporting in an integrated manner.
‐ It may be difficult to generate security‐related audit logs for some of the IoT devices that an organization uses, or to connect some of those devices to the existing log management system. Hence, it is necessary to take measures that consider the specs of the IoT devices, such as using a log management system different from the main one or using an alternative measure on the part of the system, when collecting and analyzing audit logs from the relevant IoT devices.
Basic
‐ The organization specifies what is to be audited based on its risk management strategy and risk assessment results, and sees if the systems can acquire audit logs that show who did what and when in connection with the subjects of an audit.
‐ The system generates the prescribed audit log from various system components.
‐ The organization reviews and analyzes a system's audit log regularly to see if there are any signs of security incidents that may cause damage to the organization, and makes a report to the system administrator where necessary.
‐ The organization confirms that the impact of audit activities on the performance of industrial control systems is tolerable.
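The audit‐log integrity, time‐stamp and alerting items of CPS.PT-1 (listed here and under A.12.7.1 above) in working form, as an added example that is not part of the CPSF: each record is HMAC‐chained to its predecessor so that modification, deletion or re‐ordering is detected on review, a separately stored head tag exposes truncation of the tail, and a failed verification produces an alert. The key, the record fields and the sample entries are constructed for the demonstration.

```python
import hashlib
import hmac
import json
from datetime import datetime, timezone
from typing import Dict, List, Optional, Tuple

# Constructed demo key. In a real deployment the key is held by the users who
# control the audit log (CPS.PT-1 Advanced), e.g. on the separate log management
# host or in an HSM, so that the systems being logged cannot forge tags.
AUDIT_KEY = b"constructed-demo-key-not-for-production"
GENESIS_TAG = "0" * 64


def _record_tag(key: bytes, prev_tag: str, record: Dict) -> str:
    """HMAC-SHA256 over the previous tag plus the canonical JSON of this record."""
    body = json.dumps(record, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(key, prev_tag.encode() + body, hashlib.sha256).hexdigest()


class ChainedAuditLog:
    """Append-only audit log recording who did what, where and when, with each
    entry's tag chained to the previous one."""

    def __init__(self, key: bytes = AUDIT_KEY) -> None:
        self._key = key
        self.entries: List[Dict] = []

    def append(self, who: str, what: str, where: str, ts: Optional[str] = None) -> Dict:
        # Time stamps are UTC so that logs from several systems can be correlated
        # into one trail once their clocks are synchronised to an official source.
        ts = ts or datetime.now(timezone.utc).isoformat(timespec="seconds")
        record = {"seq": len(self.entries), "ts": ts, "who": who, "what": what, "where": where}
        prev_tag = self.entries[-1]["tag"] if self.entries else GENESIS_TAG
        entry = dict(record, tag=_record_tag(self._key, prev_tag, record))
        self.entries.append(entry)
        return entry

    def head(self) -> str:
        """Tag of the newest entry. Stored on a separate system, it exposes tail truncation."""
        return self.entries[-1]["tag"] if self.entries else GENESIS_TAG


def verify_chain(entries: List[Dict], key: bytes = AUDIT_KEY,
                 expected_head: Optional[str] = None) -> Tuple[bool, str]:
    """Recompute the chain; return (ok, reason) naming the first entry that fails."""
    prev_tag = GENESIS_TAG
    for i, entry in enumerate(entries):
        record = {k: v for k, v in entry.items() if k != "tag"}
        if record.get("seq") != i:
            # A removed or re-ordered entry shows up as a break in the sequence numbers.
            return False, "sequence gap at position %d: entry seq=%s" % (i, record.get("seq"))
        if not hmac.compare_digest(_record_tag(key, prev_tag, record), entry.get("tag", "")):
            # Any edit to a field, or a renumbering after a deletion, changes the tag.
            return False, "integrity failure at seq %d" % i
        prev_tag = entry["tag"]
    if expected_head is not None and not hmac.compare_digest(prev_tag, expected_head):
        return False, "tail truncated or head checkpoint mismatch"
    return True, "ok"


def audit_failure_alert(entries: List[Dict], expected_head: Optional[str] = None) -> Optional[str]:
    """Alert text when the audit process fails its integrity check, else None."""
    ok, reason = verify_chain(entries, expected_head=expected_head)
    return None if ok else "AUDIT ALERT: " + reason


if __name__ == "__main__":
    log = ChainedAuditLog()
    # Constructed sample entries with fixed time stamps.
    log.append("operator1", "login", "hmi-01", ts="2024-01-01T00:00:00+00:00")
    log.append("operator1", "setpoint_change", "plc-03", ts="2024-01-01T00:01:00+00:00")
    checkpoint = log.head()  # would be sent to the separate log management system
    tampered = [dict(e) for e in log.entries]
    tampered[1]["who"] = "someone_else"
    print(verify_chain(log.entries, expected_head=checkpoint))  # (True, 'ok')
    print(audit_failure_alert(tampered))  # AUDIT ALERT: integrity failure at seq 1
```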
A.13.1.2 Security of network services: Security mechanisms, service levels and management requirements of all network services shall be identified and included in network services agreements, whether these services are provided in‐house or outsourced.

CPS.SC-4: When signing contracts with external parties, check if the products and services provided by the other relevant organizations properly comply with the security requirements defined by the organization while considering the objectives of such contracts and the results of risk management.
H‐Advanced
‐ The organization or a third party tests the procured devices to see whether the security requirements stipulated in the contract are fulfilled.
‐ The organization checks throughout the entire relevant supply chain (including reconsigned organizations) whether the devices especially important for its operation are manufactured under appropriate procedures by organizations that have quality and security management ability above a certain level.
Advanced
‐ The organization specifies in the contract the security requirements that the products and services procured from the partner should comply with, such as the following.
 ‐ Specific certifications related to security (e.g., ISMS certification, ISASecure EDSA certification, Japan Information Technology Security Evaluation and Certification Scheme (JISEC)) have been obtained.
 ‐ The vendor itself confirms that it has implemented the security measures in accordance with the standards of specific certifications related to security.
 ‐ It has implemented the necessary security requirements from the design phase (security by design) based on the results of risk analysis, etc., and tested them.
‐ It is desirable that the organization should, at the phase of planning procurement, secure a budget for security requirements regarding the products or services themselves, or for protection of the assets used for procurement and supply of such products or services.
‐ The organization formulates, manages and improves security measurement rules to evaluate procurement or supply of products or services, including the following.
 ‐ Target for measurement
 ‐ Method and frequency of reporting on measures taken
 ‐ Measures to be taken when measures are not implemented
‐ The organization checks the means of detecting (or preventing) falsification and leakage during shipment, and whether or not the IoT devices and software being delivered have been operated without authorization.
 ‐ Goods: security courier, protection seal, etc.
 ‐ Digital transfer: encryption, hash of the entire transmitted data, etc.

CPS.CM-5: Monitor communication with external service providers so that potential security events can be detected properly.
H‐Advanced
‐ The organization requires its provider of external information system services to make clear the functions, ports, and protocols needed for the use of the services, along with other services.
‐ The organization monitors whether the matters made clear as stated above are observed.
Advanced
‐ The organization documents its security requirements for the staff of its external service provider and system developer, and includes the requirements in the agreement.
‐ The organization requires its external service provider and system developer to contact it when any of their staff members who have authorizations for its system are transferred or when their employment terminates.
‐ It is desirable that the organization should manage changes to the services offered by its external service provider, taking account of relevant information about operations, the importance of its business systems and processes, and re‐assessed risks.
‐ The organization monitors whether its external service provider and system developer comply with the requirements.
‐ The organization monitors access to its system by its external service provider and system developer in order to detect any unauthorized access by these external businesses that results from an action or a failure to act.
‐ The organization reports the results of the monitoring of activities by its external service provider and system developer to the appropriate system administrator.
Basic
‐ The organization requires its provider of external information system services and its system developer to draw up and introduce security requirements such as those related to the following, in accordance with the rules which the organization is subject to or which apply to the provider and developer.
 ‐ Adequate security measures to take (e.g., measures that deserve ISMS Certification)
 ‐ Proper management of data in operation
 ‐ Proper data erasure when the use of the services ends
A.13.1.3 Segregation in networks: Groups of information services, users and information systems shall be segregated on networks.

CPS.AC-7: Develop a policy about controlling data flow, and according to that policy protect the integrity of the network by means such as appropriate network isolation (e.g., development and test environment vs. production environment, and environments incorporating IoT devices vs. other environments within the organization).
H‐Advanced
‐ The information system and the industrial control system monitor and control communications on the networks composing the internal business systems of the organization.
‐ Regarding the network to which the system that handles highly confidential data is connected, the organization shall deny network communications by default and shall only allow connection of approved communication traffic.
‐ The organization physically or logically separates the network of high‐importance industrial control systems from the network of control systems with lower importance.
‐ If the information system that handles highly confidential data is connected to a remote device, the organization is to prevent multiple and simultaneous local connections between the device and the system, as well as prevent access to external network resources by other connections.
Advanced
‐ The information system and industrial control system monitor and regulate connections at the external and internal boundaries of the network to which the system is connected (in the case of industrial control systems, the boundaries with information systems).
‐ The organization installs boundary protection devices to promote effective security in the system and connects to external networks via those devices.
A.13.2 Information transfer
A.13.2.1 Information transfer policies and procedures: Formal transfer policies, procedures and controls shall be in place to protect the transfer of information through the use of all types of communication facilities.

CPS.AM-4: Create and manage appropriately network configuration diagrams and data flows within the organization.
H‐Advanced
‐ The organization implements/manages an automated mechanism for monitoring and managing the system configurations, communication network configurations, and data flows of its information systems and industrial control systems in real time.
Advanced
‐ The organization states the characteristics of the interface, the security requirements, and the characteristics of the transmitted data for each network connection in a diagram in the associated documents.
Basic
‐ The organization documents and stores the system configurations, communication network configurations, and data flows of its information systems and industrial control systems within a range managed by the organization (for example, in units of business establishments).
‐ The organization reviews the related documents periodically or when there is a change in system configurations, network configurations, or data flows, and updates them as necessary.
CPS.AM-5: Create and manage appropriately a list of external information systems where the organization's assets are shared.
H‐Advanced
‐ The system makes a list of the external information services in use and manages the users, devices, and services in use in real time.
‐ The system uses a mechanism to give notice to the system administrator when an unpermitted external information system service is detected.
‐ The organization identifies the functions, ports, protocols, and other services which are necessary for using services offered by external providers.
Advanced
‐ The organization sets conditions for allowing other organizations which own or operate external information systems to do the following:
 a. Accessing an information system in the organization from an external information system
 b. Processing, saving, or transmitting information under the control of the organization using an external information system
‐ The organization restricts the use of storage in an external system that the organization owns to authorized use.
CPS.AC-7: Develop a policy about controlling data flow, and according to that policy protect the integrity of the network by means such as appropriate network isolation (e.g., development and test environment vs. production environment, and environments incorporating IoT devices vs. other environments within the organization).
H‐Advanced
‐ The information system and the industrial control system monitor and control communications on the networks composing the internal business systems of the organization.
‐ Regarding the network to which the system that handles highly confidential data is connected, the organization shall deny network communications by default and shall only allow connection of approved communication traffic.
‐ The organization physically or logically separates the network of high‐importance industrial control systems from the network of control systems with lower importance.
‐ If the information system that handles highly confidential data is connected to a remote device, the organization is to prevent multiple and simultaneous local connections between the device and the system, as well as prevent access to external network resources by other connections.
Advanced
‐ The information system and industrial control system monitor and regulate connections at the external and internal boundaries of the network to which the system is connected (in the case of industrial control systems, the boundaries with information systems).
‐ The organization installs boundary protection devices to promote effective security in the system and connects to external networks via those devices.
Basic
‐ The organization establishes a data flow regulation policy that defines the range in which data flow within information systems and industrial control systems is permitted and the range in which data flow between systems is permitted, and regulates the flow by segregating the network appropriately.
‐ The organization logically or physically segments the control system's network from the network composing the information system.

[Reference] Implement physical segmentation in environments physically separated from other networks. Alternatively, in environments physically close to other networks it is possible to implement logical segmentation in consideration of the cost of the
CPS.DS-3: Encrypt the communication channel when communicating between IoT devices and servers or in cyberspace.
H‐Advanced
‐ The organization protects the networks composing the information system and industrial control system that handle important data by implementing encryption of communication channels or by alternative physical measures.
Advanced
‐ The information system employs a cryptographic mechanism and encrypts communication paths.

[Reference] For encryption of communication paths, there are several methods such as IP‐VPN, IPsec‐VPN, and SSL VPN. It is desirable that the organization should select the method considering the importance of the data transmitted over the communication paths, the budget, and so on.

CPS.DS-4: Encrypt information itself when sending/receiving information.
H‐Advanced
‐ The system/IoT device introduces a cryptographic module that it can implement with few resources without losing availability, and it is desirable to encrypt the communication data from devices of high importance at appropriate strength.
‐ The information system encrypts all data transmitted outside the organization with appropriate strength, not limited to data of high or low importance.
Advanced
‐ The organization encrypts information with appropriate strength when transmitting highly confidential information to an external organization or the like.
CPS.CM-4: Validate the integrity and authenticity of the information provided from cyberspace before operations.
H‐Advanced
‐ The organization introduces the concept of "whitelisting" for data entry in order to specify the known items and systems considered trustworthy as the sources of input data, and the format allowed for the input data.
‐ IoT devices and servers begin communication with other IoT devices only after the devices are mutually authenticated successfully, so that the source of data is always clear.
Advanced
‐ The information system and the industrial control system protect the authenticity of communications sessions.
‐ The information system uses an integrity verification tool to detect any unauthorized changes that are made to communications data transmitted from IoT devices and servers.
‐ IoT devices and servers that are acknowledged as critical to the organization's operations begin communication with other IoT devices only after the devices are mutually authenticated successfully, so that the source of data is always clear.
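The CPS.CM-4 H‐Advanced items in working form, as an added example that is not taken from the CPSF: inbound data is accepted only from a whitelist of known sources, only in the allowed format, and only when its authenticity and freshness can be verified. Per‐device pre‐shared HMAC keys stand in for the mutual device authentication the measure calls for; the source list, the schema and the sample messages are constructed.

```python
import hashlib
import hmac
import json
from typing import Dict, Tuple

# Constructed whitelist of trusted sources, each with a pre-shared key. In a real
# deployment the keys would be provisioned per device (e.g. in a secure element)
# and the list would come from the organization's asset inventory.
TRUSTED_SOURCES: Dict[str, bytes] = {
    "sensor-17": b"constructed-key-sensor-17",
    "gateway-a": b"constructed-key-gateway-a",
}

# Allowed format for input data: field -> (accepted Python types, range/value check).
SCHEMA = {
    "source": (str, lambda v: v in TRUSTED_SOURCES),
    "seq": (int, lambda v: v >= 0),
    "temperature_c": ((int, float), lambda v: -40.0 <= v <= 125.0),
}


def sign_message(source: str, payload: bytes) -> str:
    """Tag a payload with the source's key (what a trusted device would attach)."""
    return hmac.new(TRUSTED_SOURCES[source], payload, hashlib.sha256).hexdigest()


def validate_inbound(payload: bytes, signature: str, last_seq: Dict[str, int]) -> Tuple[bool, str]:
    """Accept a message only if it parses, comes from a whitelisted source, is
    authentic, matches the allowed format, and is not a replay. last_seq holds the
    highest accepted sequence number per source and is updated on acceptance."""
    try:
        msg = json.loads(payload)
    except ValueError:
        return False, "malformed JSON"
    if not isinstance(msg, dict) or set(msg) != set(SCHEMA):
        return False, "unexpected field set"
    source = msg["source"]
    if not isinstance(source, str) or source not in TRUSTED_SOURCES:
        return False, "source not on whitelist"
    # Authenticity is checked over the raw bytes before any field value is trusted.
    expected = sign_message(source, payload).encode()
    if not isinstance(signature, str) or not hmac.compare_digest(expected, signature.encode()):
        return False, "authenticity check failed"
    for field, (types, check) in SCHEMA.items():
        value = msg[field]
        # bool is a subclass of int in Python; it is never an acceptable reading.
        if isinstance(value, bool) or not isinstance(value, types) or not check(value):
            return False, "field %s out of allowed format" % field
    # A sequence number that does not advance is a replay or a stale message.
    if msg["seq"] <= last_seq.get(source, -1):
        return False, "replayed or out-of-order message"
    last_seq[source] = msg["seq"]
    return True, "accepted"


if __name__ == "__main__":
    state: Dict[str, int] = {}
    # Constructed sample telemetry, once authentic and once signed with the wrong key.
    reading = b'{"source": "sensor-17", "seq": 1, "temperature_c": 21.5}'
    print(validate_inbound(reading, sign_message("sensor-17", reading), state))  # (True, 'accepted')
    print(validate_inbound(reading, sign_message("gateway-a", reading), state))  # (False, 'authenticity check failed')
```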
A.13.2.2 Agreements on information transfer: Agreements shall address the secure transfer of business information between the organization and external parties.

CPS.AM-4: Create and manage appropriately network configuration diagrams and data flows within the organization.
H‐Advanced
‐ The organization implements/manages an automated mechanism for monitoring and managing the system configurations, communication network configurations, and data flows of its information systems and industrial control systems in real time.
Advanced
‐ The organization states the characteristics of the interface, the security requirements, and the characteristics of the transmitted data for each network connection in a diagram in the associated documents.
Basic
‐ The organization documents and stores the system configurations, communication network configurations, and data flows of its information systems and industrial control systems within a range managed by the organization (for example, in units of business establishments).
‐ The organization reviews the related documents periodically or when there is a change in system configurations, network configurations, or data flows, and updates them as necessary.
‐ The organization specifies concrete security measure requirements considering importance of exchanged data and assumed risks, and
If the organization exchanges protected requires business partners to implent them.
Advanced
information with other organizations, agree in ‐ The organization permits outsourcing of data handling operation to subcontractors only if it confirms that such subcontractors have
CPS.DS-1
advance on security requirements for protection of implemented security measures whose level is equivalent to those required to direct business partners.
such information. Basic
‐ The organization regulate how to handle the data that business partners may handle by concluding a non‐disclosure agreement.
‐ The organization prohibits direct business partners from subcontracting operations related to data management.
A.13.2.3 Electronic messaging
  Control: Information involved in electronic messaging shall be appropriately protected.
  CPS.DS-3  Encrypt the communication channel when communicating between IoT devices and servers or in cyberspace.
    H-Advanced
    ‐ The organization protects the networks composing the information system and the industrial control system that handle important data by encrypting the communication channels or by alternative physical measures.
    Advanced
    ‐ The information system employs a cryptographic mechanism and encrypts its communication paths.
      [Reference] Several methods exist for encrypting communication paths, such as IP-VPN, IPsec VPN and SSL VPN. It is desirable that the organization select the method considering the importance of the data transmitted over the communication paths, the budget, and so on.
    ‐ The system or IoT device introduces a cryptographic module that can be implemented even on resource-constrained devices without losing availability, and it is desirable that communication data from devices of high importance be encrypted at an appropriate strength.
  CPS.DS-4  Encrypt the information itself when sending or receiving information.
    H-Advanced
    ‐ The information system encrypts all data transmitted outside the organization at an appropriate strength, regardless of whether the data is of high or low importance.
    Advanced
    ‐ The organization encrypts information at an appropriate strength when transmitting highly confidential information to an external organization or the like.
  CPS.CM-4  Validate the integrity and authenticity of the information provided from cyberspace before operations.
    H-Advanced
    ‐ The organization introduces the concept of "whitelisting" for data entry in order to specify the known items and systems considered trustworthy as sources of input data, and the format allowed for the input data.
    ‐ IoT devices and servers begin communication with other IoT devices only after the devices have been mutually authenticated successfully, so that the source of data is always clear.
    ‐ The information system and the industrial control system protect the authenticity of communication sessions.
    ‐ The information system uses an integrity verification tool to detect any unauthorized changes made to communication data transmitted from IoT devices and servers.
    Advanced
    ‐ IoT devices and servers that are acknowledged as critical to the organization's operations begin communication with other IoT devices only after the devices have been mutually authenticated successfully, so that the source of data is always clear.
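CPS.DS-4 above (and again under A.14.1.2, where the same measure recurs) asks that the information itself be encrypted at an appropriate strength, independently of any channel encryption. The following Go program is an added example written for this page; it is not code from the CPSF or from METI. It seals a message body with AES-256-GCM so that the body is confidential while a routing header that must stay readable in transit is bound to the ciphertext as associated data, and it shows that changing either the ciphertext or the header makes the receiver reject the whole message rather than decrypt part of it. The key, the header strings and the message body are constructed for the example; real keys would come from the organization's key management.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
	"io"
)

// NewKey returns a random 256-bit key. It stands in for the key management an
// organization would actually use (a KMS, or a key agreed per message pair); the random
// key only keeps this example self-contained.
func NewKey() ([]byte, error) {
	key := make([]byte, 32)
	_, err := io.ReadFull(rand.Reader, key)
	return key, err
}

// newAEAD rejects anything but a 32-byte key so AES-128 cannot be used by accident.
func newAEAD(key []byte) (cipher.AEAD, error) {
	if len(key) != 32 {
		return nil, errors.New("AES-256-GCM needs a 32-byte key")
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// SealMessage encrypts body with AES-256-GCM. header (sender, recipient, classification:
// fields that must remain readable for routing) is passed as associated data, so it is
// authenticated but not hidden. A fresh 96-bit nonce is drawn for every message and
// prepended, giving nonce || ciphertext || 16-byte tag.
func SealMessage(key, header, body []byte) ([]byte, error) {
	aead, err := newAEAD(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, aead.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	return aead.Seal(nonce, nonce, body, header), nil
}

// OpenMessage reverses SealMessage. If the nonce, ciphertext, tag or header was altered
// in transit the tag check fails and no plaintext is returned at all; GCM never yields
// partially decrypted data, which is the property an integrity check on received
// information needs.
func OpenMessage(key, header, sealed []byte) ([]byte, error) {
	aead, err := newAEAD(key)
	if err != nil {
		return nil, err
	}
	if len(sealed) < aead.NonceSize()+aead.Overhead() {
		return nil, errors.New("sealed message too short")
	}
	nonce, ciphertext := sealed[:aead.NonceSize()], sealed[aead.NonceSize():]
	return aead.Open(nil, nonce, ciphertext, header)
}

func main() {
	key, err := NewKey()
	if err != nil {
		panic(err)
	}
	header := []byte("from=plc-07;to=historian;class=confidential") // constructed example header
	sealed, err := SealMessage(key, header, []byte("setpoint=72.5"))  // constructed example body
	if err != nil {
		panic(err)
	}
	body, err := OpenMessage(key, header, sealed)
	fmt.Printf("opened: %q (err=%v)\n", body, err)

	// Re-addressing the message without the key is detected because the header is authenticated.
	_, err = OpenMessage(key, []byte("from=plc-99;to=historian;class=confidential"), sealed)
	fmt.Println("re-addressed header rejected:", err != nil)
}
```

The per-message random nonce is what keeps GCM safe when many messages share one key; reusing a nonce under the same key would let an attacker forge tags, so a deployment that cannot guarantee fresh randomness should derive nonces from a counter kept per key instead.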

D-3-27

Appendix D.3 - Mapping ISO/IEC 27001 to CPSF

Layout of each entry: the ISO/IEC 27001:2013 Annex A security control ID and control text, followed by the mapped Cyber/Physical Security Framework measure requirement ID and measure requirement, with examples of security measures grouped by level (H-Advanced, Advanced, Basic).
A.13.2.4 Confidentiality or nondisclosure agreements
  Control: Requirements for confidentiality or non-disclosure agreements reflecting the organization's needs for the protection of information shall be identified, regularly reviewed and documented.
  CPS.SC-3  When signing contracts with external organizations, check whether the security management of the other relevant organizations properly complies with the security requirements defined by the organization, considering the objectives of such contracts and the results of risk management.
    H-Advanced
    ‐ In a contract with a business partner who provides systems, components or services, the organization requires the partner to:
      ‐ Create evidence of the implementation of the security assessment plan, and submit the results of security tests and evaluations.
      ‐ Develop a plan for remedying defects identified during security testing and evaluation.
      ‐ Disclose the defect remediation plan and the status of its implementation.
    ‐ It is desirable that the organization apply the necessary security measure requirements to directly consigned parties, and the accompanying requirements to reconsigned parties, considering the scale of the risks originating from the supply chain.
    Advanced
    ‐ In accordance with the organization's mission and business needs, state the following requirements, descriptions, and criteria in the procurement contract for a system, component, or service:
      ‐ Requirements for security measures
      ‐ Requirements for security-related documents
      ‐ Requirements for the protection of security-related documents
      ‐ Confidentiality clauses
      ‐ The party responsible for, and the method of, each step of incident handling: the reporting destination when an incident occurs, the details to be reported, initial response, investigation, recovery, etc.
      ‐ Conditions under which compliance with the security requirements defined by the organization may be inspected and confirmed by the organization or an authorized third party
      ‐ How information assets are to be handled at the end of the contract
    ‐ The organization requires business partners, in the procurement contract, to implement security requirements that comply with applicable laws and regulations, and to implement additional measures where these are recognized as necessary because of the characteristics of the contracted duties, etc.
    ‐ It is desirable to consider the following in advance when determining security requirements based on laws and regulations and requiring business partners to comply with them:
      ‐ Identification of potential legal and regulatory risks that may arise from differences between the laws applicable to the organization and those applicable to the business partner
      ‐ Negative impacts on the contract, in terms of security, of the legal and regulatory obligations applicable to the business partner
    Basic
    ‐ The organization requires business partners to implement security requirements that comply with applicable laws and regulations.
    ‐ The organization confirms that the business partner has declared "SECURITY ACTION" in the process of selecting and evaluating a contractor.
      * "SECURITY ACTION" is an initiative in Japan under which small and medium-sized enterprises declare that they work on information security measures.
A.14 System acquisition, development and maintenance
A.14.1 Security requirements of information systems
A.14.1.1 Information security requirements analysis and specification
  Control: The information security related requirements shall be included in the requirements for new information systems or enhancements to existing information systems.
  CPS.SC-4  When signing contracts with external parties, check whether the products and services provided by the other relevant organizations properly comply with the security requirements defined by the organization, considering the objectives of such contracts and the results of risk management.
    H-Advanced
    ‐ The organization or a third party tests the procured devices to see whether the security requirements stipulated in the contract are fulfilled.
    ‐ The organization checks throughout the entire relevant supply chain (including reconsigned organizations) whether the devices that are especially important for its operations are manufactured under appropriate procedures by organizations whose quality and information security management ability is above a certain level.
    Advanced
    ‐ The organization specifies in the contract the security requirements that the products and services procured from the partner should comply with, such as the following:
      ‐ Specific security-related certifications (e.g., ISMS certification, ISASecure EDSA certification, Japan Information Technology Security Evaluation and Certification Scheme (JISEC)) have been obtained.
      ‐ The vendor itself confirms that it has implemented security measures in accordance with the standards of specific security-related certifications.
      ‐ The necessary security requirements have been implemented from the design phase (security by design) based on the results of risk analysis, etc., and have been tested.
    ‐ It is desirable that the organization, at the procurement planning phase, secure a budget for the security requirements of the products or services themselves, and for the protection of the assets used for the procurement and supply of such products or services.
    ‐ The organization formulates, manages and improves rules for measuring security when evaluating the procurement or supply of products or services, including the following:
      ‐ Targets for measurement
      ‐ Method and frequency of reporting on the measures taken
      ‐ Measures to be taken when the required measures are not implemented
    ‐ The organization checks the means of detecting (or preventing) falsification and leakage during shipment, and whether the IoT devices and software being delivered have been operated without authorization:
      ‐ Goods: security courier, protective seal, etc.
      ‐ Digital transfer: encryption, a hash of the entire transmitted data, etc.
  CPS.IP-3  Introduce the system development life cycle to manage the systems.
    H-Advanced
    ‐ The organization explicitly presents the following requirements when procuring the system:
      ‐ Requirements for security functions
      ‐ Requirements for security strength
      ‐ Requirements for security assurance
      ‐ Requirements for security-related documents
      ‐ Requirements for the protection of security-related documents
      ‐ Description of the development environment of the system and of the environment in which the system is planned to operate
      ‐ Acceptance criteria
    Advanced
    ‐ The organization manages the system in accordance with a system development lifecycle that includes information security considerations, and applies an information security risk management process throughout the entire system development lifecycle.
    Basic
    ‐ The organization applies the general principles of systems security engineering to the specification, design, development, introduction, and modification of the system.

A.14.1.2 Securing application services on public networks
  Control: Information involved in application services passing over public networks shall be protected from fraudulent activity, contract dispute and unauthorized disclosure and modification.
  CPS.AC-7  Develop a policy for controlling data flows and, in accordance with it, protect the integrity of the network by means such as appropriate network isolation (e.g., development and test environments vs. the production environment, and environments that incorporate IoT devices vs. other environments within the organization).
    H-Advanced
    ‐ The information system and the industrial control system monitor and control communications on the networks composing the organization's internal business systems.
    ‐ For the network to which a system handling highly confidential data is connected, the organization denies network communications by default and allows only approved communication traffic.
    ‐ The organization physically or logically separates the network of high-importance industrial control systems from the network of control systems of lower importance.
    ‐ If an information system that handles highly confidential data is connected to a remote device, the organization prevents multiple simultaneous local connections between the device and the system, as well as access to external network resources through other connections.
    Advanced
    ‐ The information system and the industrial control system monitor and regulate connections at the external and internal boundaries of the network to which the system is connected (for industrial control systems, the boundaries with information systems).
    ‐ The organization installs boundary protection devices to provide effective security for the system, and connects to external networks via those devices.
  CPS.DS-3  Encrypt the communication channel when communicating between IoT devices and servers or in cyberspace.
    H-Advanced
    ‐ The organization protects the networks composing the information system and the industrial control system that handle important data by encrypting the communication channels or by alternative physical measures.
    Advanced
    ‐ The information system employs a cryptographic mechanism and encrypts its communication paths.
      [Reference] Several methods exist for encrypting communication paths, such as IP-VPN, IPsec VPN and SSL VPN. It is desirable that the organization select the method considering the importance of the data transmitted over the communication paths, the budget, and so on.
    ‐ The system or IoT device introduces a cryptographic module that can be implemented even on resource-constrained devices without losing availability, and it is desirable that communication data from devices of high importance be encrypted at an appropriate strength.
  CPS.DS-4  Encrypt the information itself when sending or receiving information.
    H-Advanced
    ‐ The information system encrypts all data transmitted outside the organization at an appropriate strength, regardless of whether the data is of high or low importance.
    Advanced
    ‐ The organization encrypts information at an appropriate strength when transmitting highly confidential information to an external organization or the like.
  CPS.DS-11  Perform integrity checking on information to be sent, received, and stored.
    H-Advanced
    ‐ The organization detects tampering with data transmitted from IoT devices, servers, etc. in industrial control systems, where possible, using integrity checking tools.
    ‐ The organization incorporates into its incident response capability the ability to detect unauthorized changes to settings and security, such as an unauthorized escalation of system privileges.
    Advanced
    ‐ The organization uses an integrity verification tool in the information system to detect any unauthorized changes made to communication data transmitted from IoT devices and servers.
    ‐ The information system regularly inspects the integrity of stored data.
    ‐ The information system supports sending-domain authentication technology for e-mail, and detects spoofed and tampered e-mail.
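CPS.DS-3 (encrypt the channel) and the mutual-authentication examples of CPS.CM-4, as mapped to A.14.1.2 above, amount in practice to TLS in which both ends present certificates issued by the organization's own CA, so that the server learns the device's identity from a verified certificate rather than from anything in the payload. The following Go program is an added example written for this page, not code from the CPSF: it issues a throwaway CA, a gateway certificate and a device certificate in memory, starts a TLS listener on localhost that requires a client certificate chaining to that CA, and shows that the device is greeted by the name in its verified certificate while a client presenting no certificate is refused before any application data flows. The names (gateway, sensor-01), the in-memory CA and the one-hour validity are constructed for the example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"io"
	"math/big"
	"net"
	"time"
)

// issueCert generates a P-256 key and a certificate for cn. With parent == nil the
// certificate is self-signed (the CA); otherwise it is signed by parentKey. Leaf
// certificates carry both server- and client-auth usage so one CA serves both roles.
func issueCert(cn string, isCA bool, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(time.Now().UnixNano()),
		Subject:      pkix.Name{CommonName: cn},
		NotBefore:    time.Now().Add(-time.Minute), NotAfter: time.Now().Add(time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature, BasicConstraintsValid: true, IsCA: isCA,
		IPAddresses:  []net.IP{net.IPv4(127, 0, 0, 1)}, // the listener below binds to loopback
	}
	if isCA {
		tmpl.KeyUsage |= x509.KeyUsageCertSign
	} else {
		tmpl.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth, x509.ExtKeyUsageClientAuth}
	}
	if parent == nil {
		parent, parentKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

func asTLS(c *x509.Certificate, k *ecdsa.PrivateKey) tls.Certificate {
	return tls.Certificate{Certificate: [][]byte{c.Raw}, PrivateKey: k, Leaf: c}
}

// RunMutualTLSDemo starts a gateway that accepts only clients holding a certificate from
// the device CA, connects once as sensor-01 and once with no certificate, and returns the
// greeting the authenticated device received and whether the anonymous client was refused.
func RunMutualTLSDemo() (greeting string, anonymousRejected bool, err error) {
	ca, caKey, err := issueCert("Example Device CA", true, nil, nil)
	if err != nil {
		return
	}
	gw, gwKey, err := issueCert("gateway", false, ca, caKey)
	if err != nil {
		return
	}
	dev, devKey, err := issueCert("sensor-01", false, ca, caKey)
	if err != nil {
		return
	}
	pool := x509.NewCertPool()
	pool.AddCert(ca)

	ln, err := tls.Listen("tcp", "127.0.0.1:0", &tls.Config{
		MinVersion:   tls.VersionTLS12,
		Certificates: []tls.Certificate{asTLS(gw, gwKey)},
		ClientAuth:   tls.RequireAndVerifyClientCert, // the mutual-authentication requirement
		ClientCAs:    pool,
	})
	if err != nil {
		return
	}
	defer ln.Close()
	go func() {
		for {
			c, err := ln.Accept()
			if err != nil {
				return
			}
			go func(tc *tls.Conn) {
				defer tc.Close()
				if tc.Handshake() != nil {
					return // unauthenticated peer: no application data is ever exchanged
				}
				// The peer's identity is taken from the verified certificate, not from the payload.
				fmt.Fprintf(tc, "hello %s", tc.ConnectionState().PeerCertificates[0].Subject.CommonName)
			}(c.(*tls.Conn))
		}
	}()

	connect := func(certs []tls.Certificate) (string, error) {
		conn, err := tls.Dial("tcp", ln.Addr().String(), &tls.Config{
			MinVersion: tls.VersionTLS12, RootCAs: pool, Certificates: certs,
		})
		if err != nil {
			return "", err
		}
		defer conn.Close()
		b, err := io.ReadAll(conn) // under TLS 1.3 a refused client certificate surfaces here as an alert
		return string(b), err
	}
	if greeting, err = connect([]tls.Certificate{asTLS(dev, devKey)}); err != nil {
		return
	}
	reply, e := connect(nil)
	anonymousRejected = e != nil || reply == ""
	return
}

func main() {
	greeting, rejected, err := RunMutualTLSDemo()
	fmt.Printf("device greeting: %q, anonymous client rejected: %v, err: %v\n", greeting, rejected, err)
}
```

Two details matter for the CPSF requirement rather than for TLS in general: `RequireAndVerifyClientCert` pins the check to the organization's own CA pool rather than the system roots, and the server only ever reads the device name out of `PeerCertificates[0]`, so a device cannot claim another identity in its data once the channel is up.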
A.14.1.3 Protecting application services transactions
  Control: Information involved in application service transactions shall be protected to prevent incomplete transmission, mis-routing, unauthorized message alteration, unauthorized disclosure, unauthorized message duplication or replay.
  CPS.AC-7  Develop a policy for controlling data flows and, in accordance with it, protect the integrity of the network by means such as appropriate network isolation (e.g., development and test environments vs. the production environment, and environments that incorporate IoT devices vs. other environments within the organization).
    H-Advanced
    ‐ The information system and the industrial control system monitor and control communications on the networks composing the organization's internal business systems.
    ‐ For the network to which a system handling highly confidential data is connected, the organization denies network communications by default and allows only approved communication traffic.
    ‐ The organization physically or logically separates the network of high-importance industrial control systems from the network of control systems of lower importance.
    ‐ If an information system that handles highly confidential data is connected to a remote device, the organization prevents multiple simultaneous local connections between the device and the system, as well as access to external network resources through other connections.
    Advanced
    ‐ The information system and the industrial control system monitor and regulate connections at the external and internal boundaries of the network to which the system is connected (for industrial control systems, the boundaries with information systems).
    ‐ The organization installs boundary protection devices to provide effective security for the system, and connects to external networks via those devices.
  CPS.AC-8  Restrict communications by IoT devices and servers to those with entities (e.g., people, components, systems, etc.) identified through proper procedures.
    Basic
    ‐ The organization assigns identifiers to its IoT devices and servers, and manages identification by preventing the re-use of identifiers and by invalidating identifiers after a certain period of time.
    ‐ Before their IoT devices and servers are connected to the network, the information system and the industrial control system provide a mechanism that uniquely identifies and authenticates these devices.
    ‐ Communication by IoT devices is denied by default; the protocols to be used are authorized as exceptions.
  CPS.DS-3  Encrypt the communication channel when communicating between IoT devices and servers or in cyberspace.
    H-Advanced
    ‐ The organization protects the networks composing the information system and the industrial control system that handle important data by encrypting the communication channels or by alternative physical measures.
    Advanced
    ‐ The information system employs a cryptographic mechanism and encrypts its communication paths.
      [Reference] Several methods exist for encrypting communication paths, such as IP-VPN, IPsec VPN and SSL VPN. It is desirable that the organization select the method considering the importance of the data transmitted over the communication paths, the budget, and so on.
  CPS.DS-11  Perform integrity checking on information to be sent, received, and stored.
    H-Advanced
    ‐ The organization detects tampering with data transmitted from IoT devices, servers, etc. in industrial control systems, where possible, using integrity checking tools.
    ‐ The organization incorporates into its incident response capability the ability to detect unauthorized changes to settings and security, such as an unauthorized escalation of system privileges.
    Advanced
    ‐ The organization uses an integrity verification tool in the information system to detect any unauthorized changes made to communication data transmitted from IoT devices and servers.
    ‐ The information system regularly inspects the integrity of stored data.
    ‐ The information system supports sending-domain authentication technology for e-mail, and detects spoofed and tampered e-mail.
  CPS.CM-4  Validate the integrity and authenticity of the information provided from cyberspace before operations.
    H-Advanced
    ‐ The organization introduces the concept of "whitelisting" for data entry in order to specify the known items and systems considered trustworthy as sources of input data, and the format allowed for the input data.
    ‐ IoT devices and servers begin communication with other IoT devices only after the devices have been mutually authenticated successfully, so that the source of data is always clear.
    ‐ The information system and the industrial control system protect the authenticity of communication sessions.
    ‐ The information system uses an integrity verification tool to detect any unauthorized changes made to communication data transmitted from IoT devices and servers.
    Advanced
    ‐ IoT devices and servers that are acknowledged as critical to the organization's operations begin communication with other IoT devices only after the devices have been mutually authenticated successfully, so that the source of data is always clear.
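CPS.CM-4 (whitelist the trusted sources and the allowed input format, and verify integrity before acting on the data) and CPS.DS-11 (integrity checking on information sent and received), together with A.14.1.3's concern with message alteration, duplication and replay, can all be enforced at the application layer on top of a per-device shared key, independently of whatever the transport does. The following Go program is an added example written for this page, not code from the CPSF: the device tags its telemetry with HMAC-SHA256, and the server accepts a message only if the claimed device is on its allowlist, the payload is exactly the permitted shape, the tag verifies in constant time, the sequence number is strictly greater than the last one accepted from that device, and the reading is within a plausible range. The device identifiers, keys and readings are constructed for the example.

```go
package main

import (
	"bytes"
	"crypto/hmac"
	"crypto/sha256"
	"encoding/hex"
	"encoding/json"
	"errors"
	"fmt"
)

// Telemetry is the only payload shape the server accepts (the "format allowed for the
// input data"). Seq must strictly increase per device; that is what defeats replay and
// duplication of an otherwise valid message.
type Telemetry struct {
	Device string  `json:"device"`
	Seq    uint64  `json:"seq"`
	TempC  float64 `json:"temp_c"`
}

// Envelope carries the payload bytes exactly as they were tagged, plus the tag.
type Envelope struct {
	Payload json.RawMessage `json:"payload"`
	MAC     string          `json:"mac"` // hex HMAC-SHA256 over Payload
}

func tag(key, payload []byte) []byte {
	m := hmac.New(sha256.New, key)
	m.Write(payload)
	return m.Sum(nil)
}

// Sign is the device side: marshal the reading and tag those exact bytes.
func Sign(key []byte, t Telemetry) ([]byte, error) {
	payload, err := json.Marshal(t)
	if err != nil {
		return nil, err
	}
	return json.Marshal(Envelope{Payload: payload, MAC: hex.EncodeToString(tag(key, payload))})
}

// Verifier is the server side: keys is the allowlist of trusted sources (one shared key
// per device identifier) and lastSeq the highest sequence number accepted from each.
type Verifier struct {
	keys    map[string][]byte
	lastSeq map[string]uint64
}

func NewVerifier(keys map[string][]byte) *Verifier {
	return &Verifier{keys: keys, lastSeq: map[string]uint64{}}
}

// Accept validates one received envelope in the order a server should: parse into the
// allowed shape, look up the claimed source, verify the tag, then enforce freshness and a
// plausibility range. State (lastSeq) is updated only after every check has passed.
func (v *Verifier) Accept(raw []byte) (*Telemetry, error) {
	var env Envelope
	if err := json.Unmarshal(raw, &env); err != nil {
		return nil, fmt.Errorf("malformed envelope: %w", err)
	}
	var t Telemetry
	dec := json.NewDecoder(bytes.NewReader(env.Payload))
	dec.DisallowUnknownFields() // anything beyond the Telemetry fields is rejected
	if err := dec.Decode(&t); err != nil {
		return nil, fmt.Errorf("payload not in allowed format: %w", err)
	}
	key, ok := v.keys[t.Device]
	if !ok {
		return nil, errors.New("source not on allowlist: " + t.Device)
	}
	got, err := hex.DecodeString(env.MAC)
	if err != nil || !hmac.Equal(got, tag(key, env.Payload)) { // constant-time comparison
		return nil, errors.New("integrity check failed")
	}
	if t.Seq <= v.lastSeq[t.Device] {
		return nil, fmt.Errorf("replayed or duplicated message: seq %d already seen", t.Seq)
	}
	if t.TempC < -40 || t.TempC > 125 {
		return nil, fmt.Errorf("value out of range: %.1f", t.TempC)
	}
	v.lastSeq[t.Device] = t.Seq
	return &t, nil
}

func main() {
	key := []byte("constructed-example-key-for-sensor-01") // provisioned per device in practice
	server := NewVerifier(map[string][]byte{"sensor-01": key})
	reading, _ := Sign(key, Telemetry{Device: "sensor-01", Seq: 1, TempC: 21.5}) // constructed reading
	extra := []byte(`{"payload":{"device":"sensor-01","seq":2,"temp_c":21.5,"cmd":"reboot"},"mac":"00"}`)
	for _, raw := range [][]byte{reading, reading, extra} { // valid, then a replay, then an unknown field
		t, err := server.Accept(raw)
		fmt.Printf("accepted=%v err=%v\n", t != nil, err)
	}
}
```

The key lookup happens before the tag check on purpose: the device name inside the payload is untrusted until the tag under that device's key verifies, so a forged name either misses the allowlist or fails the tag, and nothing about the order leaks which. A per-device counter handles replay within one session; if devices can reboot and lose their counter, the server needs to persist `lastSeq` or the device needs a monotonic source such as a boot count in the high bits.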

A.14.2 Security in development and support processes
A.14.2.1 Secure development policy
  Control: Rules for the development of software and systems shall be established and applied to developments within the organization.
  CPS.IP-3  Introduce the system development life cycle to manage the systems.
    H-Advanced
    ‐ The organization explicitly presents the following requirements when procuring the system:
      ‐ Requirements for security functions
      ‐ Requirements for security strength
      ‐ Requirements for security assurance
      ‐ Requirements for security-related documents
      ‐ Requirements for the protection of security-related documents
      ‐ Description of the development environment of the system and of the environment in which the system is planned to operate
      ‐ Acceptance criteria
    Advanced
    ‐ The organization manages the system in accordance with a system development lifecycle that includes information security considerations, and applies an information security risk management process throughout the entire system development lifecycle.
    Basic
    ‐ The organization applies the general principles of systems security engineering to the specification, design, development, introduction, and modification of the system.
A.14.2.2 System change control procedures
  Control: Changes to systems within the development lifecycle shall be controlled by the use of formal change control procedures.
  CPS.IP-1  Introduce and implement a process to manage the initial setting procedure (e.g., passwords) and the setting change procedure for IoT devices and servers.
    H-Advanced
    ‐ Before making changes to IoT devices and servers that are subject to configuration management, the organization tests and approves the changes and documents them.
    ‐ The organization uses an automated mechanism to manage, apply, and confirm the settings of IoT devices and servers from a single location.
    ‐ The organization integrates security change management procedures, particularly for industrial control systems, into its existing process safety management procedures.
    Advanced
    ‐ When changes are made to IoT devices and servers that are subject to configuration management, the organization analyzes the impact of the change on security, decides whether the change can be made, and documents the procedure.
    ‐ The organization limits the personnel who can make changes to approved IoT devices and servers (restricted access).
    ‐ The organization makes changes only to approved IoT devices and servers, and implements, records, and monitors those changes.
    ‐ The organization uses a secure recovery method (e.g., entering a security code known only to the user before the change is implemented) when the password of an account, IoT device or server is forgotten.
    ‐ The organization regularly reviews its policies and procedures for operation and change management to ensure that changes do not adversely affect the availability or safety of the information system and the industrial control system.
  CPS.IP-3  Introduce the system development life cycle to manage the systems.
    H-Advanced
    ‐ The organization explicitly presents the following requirements when procuring the system:
      ‐ Requirements for security functions
      ‐ Requirements for security strength
      ‐ Requirements for security assurance
      ‐ Requirements for security-related documents
      ‐ Requirements for the protection of security-related documents
      ‐ Description of the development environment of the system and of the environment in which the system is planned to operate
      ‐ Acceptance criteria
    Advanced
    ‐ The organization manages the system in accordance with a system development lifecycle that includes information security considerations, and applies an information security risk management process throughout the entire system development lifecycle.
A.14.2.3 Technical review of applications after operating platform changes
  Control: When operating platforms are changed, business critical applications shall be reviewed and tested to ensure there is no adverse impact on organizational operations or security.
  CPS.IP-1  Introduce and implement a process to manage the initial setting procedure (e.g., passwords) and the setting change procedure for IoT devices and servers.
    H-Advanced
    ‐ Before making changes to IoT devices and servers that are subject to configuration management, the organization tests and approves the changes and documents them.
    ‐ The organization uses an automated mechanism to manage, apply, and confirm the settings of IoT devices and servers from a single location.
    ‐ The organization integrates security change management procedures, particularly for industrial control systems, into its existing process safety management procedures.
    Advanced
    ‐ When changes are made to IoT devices and servers that are subject to configuration management, the organization analyzes the impact of the change on security, decides whether the change can be made, and documents the procedure.
    ‐ The organization limits the personnel who can make changes to approved IoT devices and servers (restricted access).
    ‐ The organization makes changes only to approved IoT devices and servers, and implements, records, and monitors those changes.
    ‐ The organization uses a secure recovery method (e.g., entering a security code known only to the user before the change is implemented) when the password of an account, IoT device or server is forgotten.
    ‐ The organization regularly reviews its policies and procedures for operation and change management to ensure that changes do not adversely affect the availability or safety of the information system and the industrial control system.
  CPS.IP-10  Develop a vulnerability remediation plan, and remediate the vulnerabilities of the components according to the plan.
    H-Advanced
    ‐ The organization adopts and administers an automated mechanism for managing the status of defect correction.
    Advanced
    ‐ The organization defines the tolerable risk by identifying, through investigation and testing, the impact that applying a patch has on the functions of other software applications and services and on the operation of IoT devices and servers.
    ‐ The organization conducts tests to measure the effectiveness of corrections and the possibility of secondary adverse effects, corrects the defects, and manages the corrections as part of configuration management.

A.14.2.4 Restrictions on changes to software packages
  Control: Modifications to software packages shall be discouraged, limited to necessary changes and all changes shall be strictly controlled.
  CPS.AM-1  Document and manage appropriately the list of hardware and software, and their management information (e.g., name of asset, version, network address, name of asset manager, license information), for the components in the system.
    Advanced
    ‐ Maintain and manage lists including the configuration information of assets (e.g., names, version information, license information, and location), reviewing and updating them periodically.
    ‐ The organization makes a list of the removable media (e.g., USB memory sticks) that may be used on system components (information system or industrial control system), and manages their use.
    ‐ The organization uses only removable media (e.g., USB memory) permitted in the organization. If a portable storage device has no identifiable owner, the organization prohibits its use.
    ‐ The organization controls access to media that contain highly confidential data, and properly tracks and manages the use of such media when they are taken outside the controlled areas.
  CPS.MA-1  Discuss the method of conducting important security updates and the like on IoT devices and servers, then apply those security updates properly and in a timely manner with managed tools, recording the history. Introduce IoT devices that have a remote update mechanism to perform a mass update of different software programs (OS, driver, and application) through remote commands, where applicable.
    H-Advanced
    ‐ The organization gives prior approval for the use of the devices and/or tools needed for maintenance to update its IoT devices and servers, and monitors their use.
    ‐ The organization inspects the maintenance devices and/or tools brought in by the staff members who update its IoT devices and servers, to make sure that no inappropriate or unauthorized changes will be made.
    ‐ The organization inspects the media used for maintenance to update its IoT devices and servers, to make sure that the media contain no malicious code before they are used.
    ‐ The organization introduces IoT devices designed to remotely update different software programs (OS, driver, application) at the same time.
    Advanced
    ‐ The organization plans maintenance work such as updating its IoT devices and servers, implements the plan, checks the work done, and documents the entire maintenance.
    ‐ The organization gives prior approval for maintenance work such as updating its IoT devices and servers, and monitors it.
    ‐ The organization gives prior approval before equipment leaves its premises for off-site maintenance work such as updating its IoT devices and servers, and takes the necessary actions before removal, such as deleting relevant saved data.
    ‐ After maintenance work such as updating its IoT devices and servers is complete, the organization checks all security measures that may have been affected by the work, to make sure that the relevant equipment works correctly.
    ‐ The organization keeps records of maintenance work done, such as updating its IoT devices and servers.
    ‐ The organization establishes a process for authorizing maintenance staff in order to keep the list of authorized maintenance organizations or staff members up to date.
A.14.2.5 Secure system engineering principles
  Control: Principles for engineering secure systems shall be established, documented, maintained and applied to any information system implementation efforts.
  CPS.IP-3  Introduce the system development life cycle to manage the systems.
    H-Advanced
    ‐ The organization explicitly presents the following requirements when procuring the system:
      ‐ Requirements for security functions
      ‐ Requirements for security strength
      ‐ Requirements for security assurance
      ‐ Requirements for security-related documents
      ‐ Requirements for the protection of security-related documents
      ‐ Description of the development environment of the system and of the environment in which the system is planned to operate
      ‐ Acceptance criteria
    Advanced
    ‐ The organization manages the system in accordance with a system development lifecycle that includes information security considerations, and applies an information security risk management process throughout the entire system development lifecycle.
A.14.2.6 Secure development environment
  Control: Organizations shall establish and appropriately protect secure development environments for system development and integration efforts that cover the entire system development lifecycle.
  CPS.IP-3  Introduce the system development life cycle to manage the systems.
    H-Advanced
    ‐ The organization explicitly presents the following requirements when procuring the system:
      ‐ Requirements for security functions
      ‐ Requirements for security strength
      ‐ Requirements for security assurance
      ‐ Requirements for security-related documents
      ‐ Requirements for the protection of security-related documents
      ‐ Description of the development environment of the system and of the environment in which the system is planned to operate
      ‐ Acceptance criteria
    Advanced
    ‐ The organization manages the system in accordance with a system development lifecycle that includes information security considerations, and applies an information security risk management process throughout the entire system development lifecycle.
    Basic
    ‐ The organization applies the general principles of systems security engineering to the specification, design, development, introduction, and modification of the system.
A.14.2.7 Outsourced development
Control: The organization shall supervise and monitor the activity of outsourced system development.
Measure requirement CPS.SC-6: Conduct regular assessments through auditing, test results, or other checks of relevant parties such as business partners to ensure they are fulfilling their contractual obligations.
H‐Advanced:
‐ The organization adopts an automatic mechanism integrating review, analysis, and report that supports the investigation and addresses procedures for deviation or signs of deviation from contract matters.
‐ The organization uses a mechanism that allows it to list and check whether obligatory matters stipulated in the contract are fulfilled, matters which are concerned with security management of the organization and security functions implemented in the products and services that will be delivered, especially for important clients and reconsigned organizations.
‐ State of compliance with security management measures of the external service provider is regularly checked by external audits and field surveys conducted by the outsourcer.
‐ The important business partners and, if possible, their re‐contractors etc. investigate whether there is any sign of an attack or any fact of information leakage, and regularly report the result to the organization.
Advanced:
‐ The organization checks whether requirements that are prescribed in the contract with the client can be audited on the system.
‐ The information system provides a function that allows for audit records to be created for events defined above that can be audited on the system.
‐ The organization shall be able to maintain consistency in security audits with other organizations that require information on the audit.
‐ The organization regularly reviews and analyzes audit records that are made manually or automatically by the system, and checks whether there is any deviation or sign of deviation from contract matters.
‐ State of compliance with security management measures of the external service provider is regularly checked by internal audits that are conducted by the client using a checklist.
D-3-31
Appendix D.3 - Mapping ISO/IEC 27001 to CPSF
ISO/IEC 27001:2013 Annex A (Security Controls ID, Controls) mapped to the Cyber/Physical Security Framework (Measure Requirement ID, Measure Requirement, Example of Security Measures)
Measure requirement CPS.CM-5: Monitor communication with external service providers so that potential security events can be detected properly.
H‐Advanced:
‐ The organization requires its provider of external information system services to make clear the functions, ports, and protocols needed for the use of the services, along with other services.
‐ The organization monitors whether the matters made clear as stated above are observed.
Advanced:
‐ The organization documents its security requirements for the staff from its external service provider and system developer, and includes the requirements in the agreement.
‐ The organization requires its external service provider and system developer to contact it when any of its staff members who have authorizations for its system are transferred or when their employment terminates.
‐ It is desirable that the organization should manage changes to services offered by its external service provider, taking account of relevant information about operations, the importance of its business systems and processes, and re‐assessed risks.
‐ The organization monitors whether its external service provider and system developer comply with the requirements.
‐ The organization monitors access to its system by its external service provider and system developer in order to detect any unauthorized access by these external businesses that results from an action or failure to act.
‐ The organization reports the results of the monitoring of activities by its external service provider and system developer to the appropriate system administrator.
Basic:
‐ The organization requires its provider of external information system services and system developer to draw up and introduce security requirements such as those related to the following, in accordance with the rules which the organization is subject to or which apply to the provider and developer:
 ‐ Adequate security measures to take (e.g., measures that deserve ISMS Certification);
 ‐ Proper management of data in operation;
 ‐ Proper data erasure when the use of the services ends.
A.14.2.8 System security testing
Control: Testing of security functionality shall be carried out during development.
Measure requirement CPS.DP-3: As part of the monitoring process, test regularly if the functions for detecting security events work as intended, and validate these functions.
H‐Advanced:
‐ The organization conducts a trend analysis examining the latest information about threats, vulnerability, and assessments of security management measures carried out several times, in order to determine whether the activities for continuous monitoring need any correction.
‐ The organization introduces known and harmless test cases to its systems to test its mechanism for detecting malware.
‐ The organization regularly tests the mechanism it uses for intrusion detection monitoring. The frequency of the test depends on the type of tool the organization uses and the way the tool is installed.
Advanced:
‐ The organization establishes and manages a procedure for a regular review of its system monitoring activities to see if they conform to the organization’s risk management strategy and the order of priority for actions to handle risks.
‐ The organization calculates the percentages of false detections and false negatives when correlation analysis of information pertaining to the security of network devices or endpoints is conducted, thereby checking the validity of the detection mechanism regularly.
A.14.2.9 System acceptance testing
Control: Acceptance testing programs and related criteria shall be established for new information systems, upgrades and new versions.
Measure requirement CPS.SC-4: When signing contracts with external parties, check if the products and services provided by the other relevant organizations properly comply with the security requirements defined by the organization while considering the objectives of such contracts and results of risk management.
H‐Advanced:
‐ The organization or a third party tests the procured devices to see whether the security requirements stipulated in the contract are fulfilled.
‐ The organization checks throughout the entire relevant supply chain (including reconsigned organizations) whether the devices especially important for their operation are manufactured under appropriate procedures by organizations that have quality and security management ability above a certain level.
Advanced:
‐ The organization specifies in the contract the security requirements that the products and services procured from the partner should comply with, such as the following:
 ‐ Specific certifications related to security (e.g., ISMS certification, ISASecure EDSA certification, Japan Information Technology Security Evaluation and Certification Scheme (JISEC)) have been gained.
 ‐ The vendor itself confirms that it has implemented the security measures in accordance with the standards of specific certifications related to security.
 ‐ It has implemented the necessary security requirements from the design phase (security by design) based on the results of risk analysis, etc., and tests them.
‐ It is desirable that the organization should, at the phase of planning procurement, secure a budget for security requirements regarding products or services themselves, or protection of assets used for procurement and supply of such products or services.
‐ The organization formulates, manages and improves security measurement rules to evaluate procurement or supply of products or services, including the following:
 ‐ Target for measurement;
 ‐ Method and frequency of reporting on measures taken;
 ‐ Measures to be taken when measures are not implemented.
‐ The organization checks means of detecting (or preventing) falsifications and leakages during shipments and whether or not the IoT devices and software being delivered have been operated without authorization.
 ‐ Goods: security courier, protection seal, etc.
 ‐ Digital transfer: encryption, hash of the entire transmitted data, etc.
A.14.3 Test data
A.14.3.1 Protection of test data
Control: Test data shall be selected carefully, protected and controlled.
Measure requirement CPS.SC-4: When signing contracts with external parties, check if the products and services provided by the other relevant organizations properly comply with the security requirements defined by the organization while considering the objectives of such contracts and results of risk management.
H‐Advanced:
‐ The organization or a third party tests the procured devices to see whether the security requirements stipulated in the contract are fulfilled.
‐ The organization checks throughout the entire relevant supply chain (including reconsigned organizations) whether the devices especially important for their operation are manufactured under appropriate procedures by organizations that have quality and security management ability above a certain level.

Measure requirement CPS.SC-6: Conduct regular assessments through auditing, test results, or other checks of relevant parties such as business partners to ensure they are fulfilling their contractual obligations.
H‐Advanced:
‐ The organization adopts an automatic mechanism integrating review, analysis, and report that supports the investigation and addresses procedures for deviation or signs of deviation from contract matters.
‐ The organization uses a mechanism that allows it to list and check whether obligatory matters stipulated in the contract are fulfilled, matters which are concerned with security management of the organization and security functions implemented in the products and services that will be delivered, especially for important clients and reconsigned organizations.
‐ State of compliance with security management measures of the external service provider is regularly checked by external audits and field surveys conducted by the outsourcer.
‐ The important business partners and, if possible, their re‐contractors etc. investigate whether there is any sign of an attack or any fact of information leakage, and regularly report the result to the organization.
Advanced:
‐ The organization checks whether requirements that are prescribed in the contract with the client can be audited on the system.
‐ The information system provides a function that allows for audit records to be created for events defined above that can be audited on the system.
‐ The organization shall be able to maintain consistency in security audits with other organizations that require information on the audit.
‐ The organization regularly reviews and analyzes audit records that are made manually or automatically by the system, and checks whether there is any deviation or sign of deviation from contract matters.
‐ State of compliance with security management measures of the external service provider is regularly checked by internal audits that are conducted by the client using a checklist.

Measure requirement CPS.IP-4: Perform a periodical system backup and testing of components (e.g., IoT devices, communication devices, and circuits).
H‐Advanced:
‐ The organization confirms the trustworthiness of the medium and integrity of the information by regularly testing the backup information.

Measure requirement CPS.PT-1: Determine and document the subject or scope of the audit recording/log recording, and implement and review those records in order to properly detect high-risk security incidents.
H‐Advanced:
‐ In addition to the detection of security incidents, the collected logs are considered to be useful in tracking the cause of security incidents after the fact. Therefore, the information system collects, if possible, detailed logs (e.g. OS command level) that do not remain in the OS function.
‐ If time stamps in multiple audit logs match, the audit logs of the subjects specified by the organization are managed as audit trails across the system, logically and physically.
‐ The information system provides system functions designed to compare and synchronize internal system clocks by using an official source of information for generating time stamps for an audit record.
‐ The information system adopts an automatic mechanism designed to handle an audit review, analysis, and report in an integrated manner.
‐ It may be difficult to generate security‐related audit logs for some of the IoT devices that an organization uses, or to connect some of those devices to the existing log management system. Hence, it is necessary to take measures that consider the specs of the IoT devices, such as using a log management system different from the main one or using an alternative measure on the part of the system, when collecting and analyzing audit logs from the relevant IoT devices.
Advanced:
‐ The information system and the industrial control system each use a cryptographic mechanism in order to ensure the integrity of the audit log and of the audit tool.
‐ The organization grants control over an audit log only to users assigned in accordance with the rules about security‐related internal responsibility.
‐ The information system issues an alert when an incident of failure takes place in the audit process.
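The cryptographic integrity mechanism and audit-failure alert described for CPS.PT-1 above, as an added Python example that is not part of the framework text: each audit record carries an HMAC-SHA256 tag chained to the previous record's tag, so a modified, deleted or reordered record fails verification, and a separately stored head tag (an assumed out-of-band anchoring step) additionally catches truncation of the log tail. The key, event fields and host names are constructed sample values.

```python
"""Tamper-evident audit log: each record is authenticated with HMAC-SHA256
over its own fields plus the previous record's tag, forming a chain."""
import copy
import hashlib
import hmac
import json
from typing import Dict, List, Optional, Tuple

GENESIS = b"\x00" * 32  # fixed chain input for the first record


def canonical(record: Dict) -> bytes:
    """Deterministic serialisation of the authenticated fields (tag excluded)."""
    fields = {k: record[k] for k in ("seq", "ts", "event")}
    return json.dumps(fields, sort_keys=True, separators=(",", ":")).encode()


def chain_tag(key: bytes, prev_tag: bytes, record: Dict) -> bytes:
    """HMAC over previous tag || canonical record, binding order and content."""
    return hmac.new(key, prev_tag + canonical(record), hashlib.sha256).digest()


class AuditLog:
    """Append-only log; the HMAC key is meant to be held only by the log
    custodian, matching the rule that only assigned users control the log."""

    def __init__(self, key: bytes) -> None:
        self._key = key
        self.records: List[Dict] = []
        self._head = GENESIS

    def append(self, ts: int, event: Dict) -> Dict:
        record = {"seq": len(self.records), "ts": ts, "event": event}
        tag = chain_tag(self._key, self._head, record)
        record["tag"] = tag.hex()
        self.records.append(record)
        self._head = tag
        return record

    def head(self) -> str:
        """Latest tag; store it out-of-band (e.g. in the log management
        system) so that truncation of the log tail can be detected later."""
        return self._head.hex()


def verify_chain(key: bytes, records: List[Dict],
                 expected_head: Optional[str] = None) -> Tuple[bool, int, str]:
    """Return (ok, index, reason); on failure index is the first bad record
    (or the record count when the chain is intact but truncated)."""
    prev = GENESIS
    for i, rec in enumerate(records):
        if rec.get("seq") != i:
            return False, i, "sequence mismatch: record deleted, inserted or reordered"
        expected = chain_tag(key, prev, rec)
        if not hmac.compare_digest(expected.hex(), str(rec.get("tag", ""))):
            return False, i, "tag mismatch: record modified or chain broken"
        prev = expected
    if expected_head is not None and not hmac.compare_digest(prev.hex(), expected_head):
        return False, len(records), "head mismatch: log truncated or anchor stale"
    return True, len(records), "ok"


def demo() -> Dict[str, Tuple[bool, int, str]]:
    """Build a small log from constructed events and verify tampered copies.
    A failed verification is the condition on which the audit process alerts."""
    key = b"constructed-demo-key-not-for-production"  # constructed sample key
    log = AuditLog(key)
    log.append(1700000000, {"user": "maint01", "action": "remote_login", "host": "gw-1"})
    log.append(1700000030, {"user": "maint01", "action": "firmware_update", "host": "gw-1"})
    log.append(1700000090, {"user": "maint01", "action": "logout", "host": "gw-1"})
    anchor = log.head()  # would be stored out-of-band in practice

    modified = copy.deepcopy(log.records)
    modified[1]["event"]["action"] = "config_read"       # content changed
    deleted = [r for r in log.records if r["seq"] != 1]  # middle record removed
    truncated = log.records[:2]                          # tail dropped

    return {
        "intact": verify_chain(key, log.records, anchor),
        "modified": verify_chain(key, modified, anchor),
        "deleted": verify_chain(key, deleted, anchor),
        "truncated_unanchored": verify_chain(key, truncated),
        "truncated_anchored": verify_chain(key, truncated, anchor),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name:22s} ok={result[0]} at={result[1]} {result[2]}")
```

Without the anchored head, a truncated log verifies cleanly, which is why the latest tag must be recorded somewhere the log writer cannot alter.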
A.15 Supplier relationships
A.15.1 Information security in supplier relationships
Control: Information security requirements for mitigating the risks associated with supplier’s access to the organization’s assets shall be agreed with the supplier and documented.
Measure requirement CPS.AM-7: Define roles and responsibilities for cyber security across the organization and other relevant parties.
Advanced:
‐ In preparation for damages caused by security incidents, the organization considers risk transfer by using cyber insurance, etc., in addition to implementing security measures designated by business partners.
‐ In a contract with a contractor or an outsourcer, the organization specifies the scope of the responsibilities of the organization and that of the business partner (state the disclaimer and an upper limit on agreed compensation for damages) in case of a damage caused by a security incident in the business.
Basic:
‐ To increase the effectiveness of the requirements related to security which a business partner requires or is required to satisfy in a contract, it is desirable that the organization makes an agreement on meeting the requirements, identifying deficiencies and details of actions, paying expenses, and using an alternative when they cannot be satisfied at the time of the contract or in the early stage of the contract.
Measure requirement CPS.SC-1: Formulate the standard of security measures relevant to the supply chain in consideration of the business life cycle, and agree on contents with the business partners after clarifying the scope of the responsibilities.
Advanced:
‐ The organization, in reference to security measure criteria regarding supply chain, prepares and provides to potential partners tender documents such as ITT (Invitation To Tender) and RFP (Request For Proposal). Especially, it is advisable that the following items be included in the tender documents.
 1) Specifications of products or services to be procured
 2) Security requirements that the supplier should comply with during the supply period of the products or services
 3) Service levels and the indices to comply with during the supply period of the products or services
 4) Penalties that the purchaser may impose if the supplier breaches security requirements
 5) Confidentiality clauses to protect the data transmitted during the supplier selection process, the systems, etc.
‐ The organization prepares procedures for continuously monitoring the conditions in the business partners’ compliance with the security management measures.
‐ To take precautions against cases where a security incident in a business partner impacts the organization, in a written contract, clarify where responsibility lies between the external business operator and the organization, and describe the compensation for a damage to the organization for which the external business operator is responsible.
Basic:
‐ The organization formulates security measure criteria applicable to business partners (especially those handling the organization’s data or providing a foundation for handling the data) according to appropriate laws and regulations and makes agreement with the details.

Measure requirement CPS.SC-2: Identify, prioritize, and evaluate the organizations and people that play an important role in each layer of the three-layer structure in sustaining the operation of the organization.
H‐Advanced:
‐ The organization determines in advance its core business that must continue/recover before any other operations, and identifies and prioritizes important resources (other relevant organizations, employees, items, data, systems, etc.) and functions vital for continuing applicable businesses.
‐ In case of the occurrence of a security incident in business partners which has harmful business impacts, the organization estimates the details of the impacts on the organization and its occurrence level and scale.
 * Related requirements of countermeasures include CPS.AM‐6 and CPS.BE‐2.
Advanced:
‐ The organization identifies the business partners in the supply chains which can impact the organization’s missions/business processes and confirms whether applicable partners can fulfill the security roles and responsibilities specified in the organization’s security policies.
‐ The organization should identify in advance the core businesses that should be continued and restored in priority, and the operations considered to be important. In addition, identify and prioritize important resources (relevant parties, People, Components, Data, System, etc.) and functions from the viewpoint of business continuity.
Basic:
‐ When the organization is assumed to use an IoT device for a long period of time, the organization selects a business partner (device vendor) that has adequate organizations of management (e.g., service desk(s), maintenance system) from which long‐term support can be expected.
‐ The organization confirms with the partner (the device vendor) whether to replace a device at the end of support before implementing a system.
‐ When the organization selects a business partner (service provider), it is desirable to select a service provider who operates and manages IT services efficiently and effectively.
 ‐ It has acquired ITSMS certification based on JIS Q 20000.
 ‐ It has implemented the equivalent measures to ITSMS certification based on self‐declaration of conformity.

Measure requirement CPS.MA-2: Conduct remote maintenance of the IoT devices and servers while granting approvals and recording logs so that unauthorized access can be prevented.
Advanced:
‐ The organization documents the policy and procedure relating to establishing and implementing a connection designed for remote maintenance, and implements the connection in accordance with the policy and procedure.
‐ The organization provides authentication required for network access that it specifies when remote maintenance is carried out. It also ensures that the session and network connection are terminated when the remote maintenance is complete.

A.15.1.2 Addressing security within supplier agreements
Control: All relevant information security requirements shall be established and agreed with each supplier that may access, process, store, communicate, or provide IT infrastructure components for, the organization’s information.
Measure requirement CPS.SC-1: Formulate the standard of security measures relevant to the supply chain in consideration of the business life cycle, and agree on contents with the business partners after clarifying the scope of the responsibilities.
Advanced:
‐ The organization, in reference to security measure criteria regarding supply chain, prepares and provides to potential partners tender documents such as ITT (Invitation To Tender) and RFP (Request For Proposal). Especially, it is advisable that the following items be included in the tender documents.
 1) Specifications of products or services to be procured
 2) Security requirements that the supplier should comply with during the supply period of the products or services
 3) Service levels and the indices to comply with during the supply period of the products or services
 4) Penalties that the purchaser may impose if the supplier breaches security requirements
 5) Confidentiality clauses to protect the data transmitted during the supplier selection process, the systems, etc.
‐ The organization prepares procedures for continuously monitoring the conditions in the business partners’ compliance with the security management measures.
‐ To take precautions against cases where a security incident in a business partner impacts the organization, in a written contract, clarify where responsibility lies between the external business operator and the organization, and describe the compensation for a damage to the organization for which the external business operator is responsible.
Basic:
‐ The organization formulates security measure criteria applicable to business partners (especially those handling the organization’s data or providing a foundation for handling the data) according to appropriate laws and regulations and makes agreement with the details.
Measure requirement CPS.SC-2: Identify, prioritize, and evaluate the organizations and people that play an important role in each layer of the three-layer structure in sustaining the operation of the organization.
H‐Advanced:
‐ The organization determines in advance its core business that must continue/recover before any other operations, and identifies and prioritizes important resources (other relevant organizations, employees, items, data, systems, etc.) and functions vital for continuing applicable businesses.
‐ In case of the occurrence of a security incident in business partners which has harmful business impacts, the organization estimates the details of the impacts on the organization and its occurrence level and scale.
 * Related requirements of countermeasures include CPS.AM‐6 and CPS.BE‐2.
Advanced:
‐ The organization identifies the business partners in the supply chains which can impact the organization’s missions/business processes and confirms whether applicable partners can fulfill the security roles and responsibilities specified in the organization’s security policies.
‐ The organization should identify in advance the core businesses that should be continued and restored in priority, and the operations considered to be important. In addition, identify and prioritize important resources (relevant parties, People, Components, Data, System, etc.) and functions from the viewpoint of business continuity.
Basic:
‐ When the organization is assumed to use an IoT device for a long period of time, the organization selects a business partner (device vendor) that has adequate organizations of management (e.g., service desk(s), maintenance system) from which long‐term support can be expected.
‐ The organization confirms with the partner (the device vendor) whether to replace a device at the end of support before implementing a system.
‐ When the organization selects a business partner (service provider), it is desirable to select a service provider who operates and manages IT services efficiently and effectively.
 ‐ It has acquired ITSMS certification based on JIS Q 20000.
 ‐ It has implemented the equivalent measures to ITSMS certification based on self‐declaration of conformity.

Measure requirement CPS.SC-3: When signing contracts with external organizations, check if the security management of the other relevant organizations properly complies with the security requirements defined by the organization while considering the objectives of such contracts and results of risk management.
H‐Advanced:
‐ In a contract with a business partner who provides systems/components/services, the organization requires the partner to do the following:
 ‐ Create evidence of the implementation of the security assessment plan, and submit results of security tests/evaluations.
 ‐ Develop a plan for remedying defects identified during security testing/evaluation.
 ‐ Disclose a plan for defect remediation and its implementation status.
‐ It is desirable that the organization applies necessary requirements among those for security measures to directly consigned parties and accompanying requirements to reconsigned parties by considering the scales of risks originating from the supply chains.
Advanced:
‐ In accordance with the missions/business needs of the organization, state the following requirements, descriptions, and criteria in a procurement contract of a system, component, or service:
 ‐ Requirements for security measures
 ‐ Requirements for security‐related documents
 ‐ Requirements for protection of security‐related documents
 ‐ Confidentiality clauses
 ‐ Implementation body and method of each handling: reporting destination at the time of incident occurrence, reporting details, initial reaction, investigation, recovery, etc.
 ‐ Conditions to allow confirmation of observance of the security requirements which are inspected and defined by the organization or the authorized third party
 ‐ How to handle an information asset at the end of the contract
‐ The organization requires business partners, in a procurement contract, to implement security requirements that comply with applicable laws and regulations, and to implement additional measures when they are recognized as necessary because of the characteristics of the contracted duty, etc.
‐ It is desirable to consider the following items in advance when determining security requirements based on laws and regulations and requiring business partners to comply with them:
 ‐ Identification of potential risks in terms of legal regulations that may arise due to differences in applicable laws between the organization and the business partner
 ‐ Negative impacts on the contract in terms of security due to legal and regulatory obligations applicable to the business partner
Basic:
‐ The organization requires business partners to implement security requirements that comply with applicable laws and regulations.
‐ The organization confirms that the business partner has declared "SECURITY ACTION" in the process of selecting and evaluating a contractor.
 * "SECURITY ACTION" is an initiative in Japan under which small and medium‐sized enterprises declare that they work on information security measures.
A.15.1.3 Information and communication technology supply chain
Control: Agreements with suppliers shall include requirements to address the information security risks associated with information and communications technology services and product supply chain.
Measure requirement CPS.SC-4: When signing contracts with external parties, check if the products and services provided by the other relevant organizations properly comply with the security requirements defined by the organization while considering the objectives of such contracts and results of risk management.
H‐Advanced:
‐ The organization or a third party tests the procured devices to see whether the security requirements stipulated in the contract are fulfilled.
‐ The organization checks throughout the entire relevant supply chain (including reconsigned organizations) whether the devices especially important for their operation are manufactured under appropriate procedures by organizations that have quality and security management ability above a certain level.
Advanced:
‐ The organization specifies in the contract the security requirements that the products and services procured from the partner should comply with, such as the following:
 ‐ Specific certifications related to security (e.g., ISMS certification, ISASecure EDSA certification, Japan Information Technology Security Evaluation and Certification Scheme (JISEC)) have been gained.
 ‐ The vendor itself confirms that it has implemented the security measures in accordance with the standards of specific certifications related to security.
 ‐ It has implemented the necessary security requirements from the design phase (security by design) based on the results of risk analysis, etc., and tests them.
‐ It is desirable that the organization should, at the phase of planning procurement, secure a budget for security requirements regarding products or services themselves, or protection of assets used for procurement and supply of such products or services.
‐ The organization formulates, manages and improves security measurement rules to evaluate procurement or supply of products or services, including the following:
 ‐ Target for measurement;
 ‐ Method and frequency of reporting on measures taken;
 ‐ Measures to be taken when measures are not implemented.
‐ The organization checks means of detecting (or preventing) falsifications and leakages during shipments and whether or not the IoT devices and software being delivered have been operated without authorization.
 ‐ Goods: security courier, protection seal, etc.
 ‐ Digital transfer: encryption, hash of the entire transmitted data, etc.
A.15.2 Supplier service delivery management
A.15.2.1 Monitoring and review of supplier services
Control: Organizations shall regularly monitor, review and audit supplier service delivery.
Measure requirement CPS.SC-1: Formulate the standard of security measures relevant to the supply chain in consideration of the business life cycle, and agree on contents with the business partners after clarifying the scope of the responsibilities.
Advanced:
‐ The organization, in reference to security measure criteria regarding supply chain, prepares and provides to potential partners tender documents such as ITT (Invitation To Tender) and RFP (Request For Proposal). Especially, it is advisable that the following items be included in the tender documents.
 1) Specifications of products or services to be procured
 2) Security requirements that the supplier should comply with during the supply period of the products or services
 3) Service levels and the indices to comply with during the supply period of the products or services
 4) Penalties that the purchaser may impose if the supplier breaches security requirements
 5) Confidentiality clauses to protect the data transmitted during the supplier selection process, the systems, etc.
‐ The organization prepares procedures for continuously monitoring the conditions in the business partners’ compliance with the security management measures.
‐ To take precautions against cases where a security incident in a business partner impacts the organization, in a written contract, clarify where responsibility lies between the external business operator and the organization, and describe the compensation for a damage to the organization for which the external business operator is responsible.

D-3-35
Appendix D.3 - Mapping ISO/IEC 27001 to CPSF

ISO/IEC 27001:2013 Annex A Cyber/Physical Security Framework


Measure
Security Controls ID Controls Measure Requirement Example of Security Measures
Requirement ID
CPS.SC-6 (A.15.2.1, continued): Conduct regular assessments through auditing, test results, or other checks of relevant parties such as business partners to ensure they are fulfilling their contractual obligations.
H-Advanced:
‐ The organization adopts an automatic mechanism integrating review, analysis, and report that supports the investigation and addresses procedures for deviation or signs of deviation from contract matters.
‐ The organization uses a mechanism that allows it to list and check whether obligatory matters stipulated in the contract are fulfilled, matters which are concerned with security management of the organization and security functions implemented in the products and services that will be delivered, especially for important clients and reconsigned organizations.
‐ State of compliance with security management measures of the external service provider is regularly checked by external audits and field surveys conducted by the outsourcer.
Advanced:
‐ The important business partners and, if possible, their re-contractors etc. investigate whether there is any attack-related sign or any fact of information leakage, and regularly report the result to the organization.
‐ The organization checks whether requirements that are prescribed in the contract with the client can be audited on the system.
‐ The information system provides a function that allows audit records to be created for the events defined above that can be audited on the system.
‐ The organization shall be able to maintain consistency in security audits with other organizations that require information on the audit.
‐ The organization regularly reviews and analyzes audit records that are made manually or automatically by the system, and checks whether there is any deviation or sign of deviation from contract matters.
‐ State of compliance with security management measures of the external service provider is regularly checked by internal audits that are conducted by the client using a checklist.

CPS.MA-2 (A.15.2.1, continued): Conduct remote maintenance of the IoT devices and servers while granting approvals and recording logs so that unauthorized access can be prevented.
Advanced:
‐ The organization documents the policy and procedure relating to establishing and implementing a connection designed for remote maintenance, and implements the connection in accordance with the policy and procedure.
‐ The organization provides authentication required for network access that it specifies when remote maintenance is carried out. It also ensures that the session and network connection are terminated when the remote maintenance is complete.
Basic:
‐ The organization develops and agrees to an implementation plan for remote maintenance before carrying out the maintenance, and checks the results of the maintenance done.
‐ The organization keeps the records of remote maintenance done.
CPS.CM-5 (A.15.2.1, continued): Monitor communication with external service providers so that potential security events can be detected properly.
H-Advanced:
‐ The organization requires its provider of external information system services to make clear the functions, ports, and protocols needed for the use of the services, along with other services.
‐ The organization monitors whether the matters made clear as stated above are observed.
Advanced:
‐ The organization documents its security requirements for the staff from its external service provider and system developer, and includes the requirements in the agreement.
‐ The organization requires its external service provider and system developer to contact it when any of its staff members who have authorizations for its system are transferred or when their employment terminates.
‐ It is desirable that the organization should manage changes to services offered by its external service provider, taking account of relevant information about operations, the importance of its business systems and processes, and re-assessed risks.
‐ The organization monitors whether its external service provider and system developer comply with the requirements.
‐ The organization monitors access to its system by its external service provider and system developer in order to detect any unauthorized access by these external businesses that results from an action or failure to act.
‐ The organization reports the results of the monitoring of activities by its external service provider and system developer to the appropriate system administrator.
Basic:
‐ The organization requires its provider of external information system services and system developer to draw up and introduce security requirements such as those related to the following in accordance with the rules which the organization is subject to or which apply to the provider and developer.
 ‐ Adequate security measures to take (e.g., measures that deserve ISMS Certification)
 ‐ Proper management of data in operation
 ‐ Proper data erasure when the use of the services ends
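The H-Advanced measure for CPS.CM-5 pairs a declaration (the provider states the functions, ports and protocols it needs) with monitoring that the declaration is observed. The following added example, which is not CPSF text or any product's code, shows the monitoring half: flow records are matched against each provider's declared (protocol, port) set, and anything a provider's address range uses beyond its declaration is collected for the report to the system administrator. The provider declarations, address ranges and the key=value flow-log format are constructed for the example.

```python
"""Added example: checking provider traffic against the functions, ports and
protocols the provider declared (CPSF CPS.CM-5, H-Advanced). Declarations,
address ranges and the flow-log format are assumptions made for this example."""
import ipaddress
import re
from collections import defaultdict
from typing import Optional

# Constructed declarations received from two external service providers.
DECLARED = {
    "backup-provider": {
        "networks": [ipaddress.ip_network("203.0.113.0/24")],
        "allowed": {("tcp", 443), ("tcp", 22)},   # declared: HTTPS API, SFTP upload
    },
    "remote-maintenance-vendor": {
        "networks": [ipaddress.ip_network("198.51.100.0/24")],
        "allowed": {("tcp", 443)},                # declared: HTTPS only
    },
}

# Constructed flow records (assumed key=value format exported by a flow collector).
FLOW_LOG = """\
2024-03-01T10:00:01Z src=10.0.5.12 dst=203.0.113.10 proto=tcp dport=443 bytes=1200
2024-03-01T10:00:05Z src=10.0.5.12 dst=203.0.113.10 proto=tcp dport=22 bytes=48210
2024-03-01T10:01:10Z src=203.0.113.77 dst=10.0.5.12 proto=tcp dport=3389 bytes=900
2024-03-01T10:02:00Z src=198.51.100.5 dst=10.0.7.3 proto=tcp dport=443 bytes=300
2024-03-01T10:02:30Z src=198.51.100.5 dst=10.0.7.3 proto=udp dport=161 bytes=120
2024-03-01T10:03:00Z src=10.0.5.9 dst=192.0.2.44 proto=tcp dport=80 bytes=500
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) dst=(?P<dst>\S+) proto=(?P<proto>\w+) dport=(?P<dport>\d+)"
)


def provider_for(address: str) -> Optional[str]:
    """Name of the provider whose declared network contains the address, if any."""
    ip = ipaddress.ip_address(address)
    for name, decl in DECLARED.items():
        if any(ip in net for net in decl["networks"]):
            return name
    return None


def find_undeclared(log_text: str) -> list:
    """Return flows that touch a provider network using an undeclared (proto, port).

    Flows involving no known provider are ignored here on purpose: the point is to
    detect a provider exceeding its declaration, not to enforce general egress policy.
    """
    findings = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # malformed record; a real collector would count these too
        for endpoint in ("src", "dst"):
            name = provider_for(m[endpoint])
            if name is None:
                continue
            service = (m["proto"].lower(), int(m["dport"]))
            if service not in DECLARED[name]["allowed"]:
                findings.append({"ts": m["ts"], "provider": name,
                                 "service": service, "line": line})
    return findings


def summarize(findings: list) -> dict:
    """Group undeclared services per provider for the administrator's report."""
    per_provider = defaultdict(set)
    for f in findings:
        per_provider[f["provider"]].add(f["service"])
    return {p: sorted(s) for p, s in per_provider.items()}


if __name__ == "__main__":
    for provider, services in summarize(find_undeclared(FLOW_LOG)).items():
        print(f"{provider}: undeclared {services}")
```

Run against the constructed log, the backup provider is seen opening RDP (tcp/3389) toward an internal host and the maintenance vendor is seen using SNMP (udp/161), neither of which was declared; both flows are the kind of deviation the measure says should be monitored for and reported.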
A.15.2.2 Managing changes to supplier services
Control: Changes to the provision of services by suppliers, including maintaining and improving existing information security policies, procedures and controls, shall be managed, taking account of the criticality of business information, systems and processes involved and re-assessment of risks.

CPS.CM-5: Monitor communication with external service providers so that potential security events can be detected properly.
H-Advanced and Advanced: the same example measures as listed for CPS.CM-5 under A.15.2.1 above (requiring the provider to make clear the functions, ports, and protocols needed and monitoring that they are observed; documenting and monitoring security requirements for provider and developer staff; managing changes to the provider's services in view of re-assessed risks; monitoring provider access and reporting the results to the appropriate system administrator).

A.16 Information security incident management
A.16.1 Management of information security incidents and improvements
A.16.1.1 Responsibilities and procedures
Control: Management responsibilities and procedures shall be established to ensure a quick, effective and orderly response to information security incidents.

CPS.RP-2: As part of the security operation process, define the procedure and the division of roles with regard to cooperative relations with relevant parties such as partners, and implement the process.
H-Advanced:
‐ The organization assumes the course of action for security incidents of the supply chain and prepares a procedure that adjusts incident responses between the organization and other organizations that are concerned with the supply chain.
‐ The organization adjusts the incident response process of an external service provider that contains important features in order to continue its business, as well as adjusting the organization’s incident response process to meet the incident response requirements.
‐ The organization interlinks information regarding threats and vulnerabilities with how individual security incidents have been handled so as to improve its understanding of the situations.

[Reference] Violations in the security incidents of supply chain include violations on system components, IT products, development processes, developers, distribution processes, and warehouse facilities.
Advanced:
‐ The organization determines an alternative processing site in case the availability of its primary processing site has been compromised by a security incident.
‐ The organization sets forth in the service agreement that if its primary processing function becomes unavailable, certain operations are moved to resume at the alternative processing site within the recovery time objective that the organization specifies in order to ensure that it continues to perform its critical missions and operational functions.
‐ The organization designates an alternative processing site away from its primary processing site in order to mitigate the vulnerability to the same threats.
Basic:
‐ The organization prepares internal resources for incident handling assistance (e.g., help desk; CSIRT). These resources offer advice and support related to security incident handling and reporting for system users of the information system and industrial control system, and are an integral part of organizational ability to handle incidents.
‐ If any security incident that requires handling is found, report it promptly to relevant organizations such as IPA and JPCERT/CC in order to receive advice about providing assistance in handling, identifying how the incident has occurred, analyzing the tactic, and preventing any recurrence.
A.16.1.2 Reporting information security events
Control: Information security events shall be reported through appropriate management channels as quickly as possible.

CPS.SC-5: Formulate and manage security requirements applicable to members of other relevant organizations, such as business partners, who are engaged in operations outsourced from the organization.
H-Advanced:
‐ The organization prepares a procedure to continuously monitor whether the security requirements from the contractee are complied with by the staff of the contractor, and to enable notification to the organization's personnel in charge in the case where irregular behavior is found.
Advanced:
‐ The organization trains the staff on information security aspects of supplier relationships to particularly ensure that the handling of confidential information is correctly understood.
‐ The organization regularly confirms that it complies with the security requirements from the contractee in conducting the contracted work.
Basic:
‐ The organization identifies and evaluates the staff who access, disclose or change the data related to the contracted work that should not be disclosed or changed, such as confidential data or intellectual property.
‐ After the contract with the contractor is finished, the organization immediately terminates the rights that are temporarily granted to the personnel of the contractor, such as access rights to its facilities.
CPS.RP-1 (A.16.1.2, continued): Develop and implement in advance the procedure of response after detecting incidents (security operation process) that includes the response of Organization, People, Components, System to identify the content, priority, and scope of response taken after an incident occurs.
Advanced:
‐ The organization includes contents regarding what to do to detect, analyze, contain, reduce, and recover from incidents in its security operation manual.
 ‐ Keep a record of all incidents and how they have been handled.
 ‐ Decide whether the organization should report to any external organization the fact that an incident has occurred and how it has been handled.
Basic:
‐ The organization develops and manages a process of security operation it should follow when a security incident arises that it must address. It is advisable to include contents such as the following in the process:
 ‐ Response procedure for the person who received the incident report;
 ‐ Instructions and orders, and how to prioritize actions in an emergency;
 ‐ Incident response;
 ‐ Incident impact assessment and damage analysis;
 ‐ Information gathering, selecting information that the organization needs;
 ‐ Communication and announcement to relevant internal personnel;
 ‐ Communication with relevant external organizations.
‐ The system (especially, industrial control system) shuts down, issues an alert to the administrator, or takes other fail-safe actions if any abnormality (e.g., malfunction) occurs in IoT devices or servers.

[Reference] “SP 800‐61 rev.1” (NIST, 2008) is available for reference to determine the process for handling security incidents that have arisen.
CPS.RP-2 (A.16.1.2, continued): As part of the security operation process, define the procedure and the division of roles with regard to cooperative relations with relevant parties such as partners, and implement the process.
H-Advanced, Advanced and Basic: the same example measures as listed for CPS.RP-2 under A.16.1.1 above (coordinating incident response across the supply chain and interlinking threat and vulnerability information with incident handling; an alternative processing site, away from the primary site, reachable within the recovery time objective; internal incident handling resources such as a help desk or CSIRT, and prompt reporting to relevant organizations such as IPA and JPCERT/CC).

A.16.1.3 Reporting information security weaknesses
Control: Employees and contractors using the organization’s information systems and services shall be required to note and report any observed or suspected information security weaknesses in systems or services.

CPS.AN-3: Categorize and store information regarding the detected security incidents by the size of security-related impact, penetration vector, and other factors.
H-Advanced:
‐ The organization uses an automated mechanism designed to help track security incidents and collect and analyze information about threats and vulnerability related to incidents, so that it applies the findings to classification (triage) of security incidents.
‐ The organization classifies security incidents, taking into account the recovery time objectives for the systems, the order of priority in recovery, and metrics in the process of its security operation.
Advanced:
‐ The organization tracks and documents security incidents that may affect it. “SP 800‐61 rev.1” lists the following as examples of points of view that may be taken when an organization documents a security incident.
  ‐ The present state of the incident
  ‐ Overview of the incident
  ‐ The course of action the organization has taken to deal with the incident
  ‐ Other contact information of relevant personnel (e.g., the system owner, system administrator)
  ‐ List of proof collected during the investigation
  ‐ Comments by the staff in charge of dealing with the incident
  ‐ Next steps
Basic:
‐ The organization should identify in advance the core businesses that should be continued and restored in priority, and the operations considered to be important. In addition, identify and prioritize important resources (relevant parties, People, Components, Data, System, etc.) and functions from the viewpoint of business continuity.
* Similar measures are described in CPS.AM‐6 and CPS.BE‐2.
‐ The organization specifies incidents that must be reported, considering the level of the impact the security event has.

[Reference] For example, the following document is available for reference when an organization decides on a measure of the severity of the impact of a security incident.
 ‐ “SP 800‐61 rev.1” (NIST, 2008), 3.2.6 Incident Prioritization
A.16.1.4 Assessment of and decision on information security events
Control: Information security events shall be assessed and it shall be decided if they are to be classified as information security incidents.

CPS.AE-5: Specify the criteria to determine the risk degree of security events.
H-Advanced:
‐ The organization determines in advance its core business that must continue/recover before any other operations, and identifies and prioritizes important resources (other relevant organizations, employees, items, data, systems, etc.) and functions vital for continuing applicable businesses. * CPS.AM‐6 and CPS.BE‐2 include examples of similar measures.
‐ The organization uses an automated mechanism designed to help track security events and collect and analyze information about threats and vulnerability related to incidents, so that it applies the findings to classification (triage) of security events.
Advanced:
‐ The organization classifies security events, taking into account the recovery time objectives for the systems, the order of priority in recovery, and metrics in the process of its security operation.
Basic:
‐ The organization specifies security events that must be reported, considering the level of the impact the security event has.

[Reference] For example, the following document is available for reference when an organization decides on a measure of the severity of the impact of a security event.
 ‐ “SP 800‐61 rev.1” (NIST, 2008), 3.2.6 Incident Prioritization
CPS.AN-3 (A.16.1.4, continued): Categorize and store information regarding the detected security incidents by the size of security-related impact, penetration vector, and other factors.
H-Advanced, Advanced and Basic: the same example measures as listed for CPS.AN-3 under A.16.1.3 above (automated tracking and triage of incidents; classification by recovery time objective, recovery priority, and security operation metrics; documenting incidents along the points of view listed in “SP 800‐61 rev.1”; identifying core businesses and important resources in advance, and specifying the incidents that must be reported).
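CPS.AE-5 asks for criteria that turn an observed security event into a risk degree, and CPS.AN-3 asks that the resulting incidents be categorized and stored by impact, penetration vector and other factors. Both measures name the same inputs (recovery time objectives, recovery priority, impact level, what must be reported), so one added example serves both. The code below is not CPSF text or any product's logic: the asset register, the impact-times-urgency scoring, the incident and reporting thresholds, and the sample events are all constructed for the example, and an organization would substitute its own criteria.

```python
"""Added example: risk-degree criteria for security events (CPSF CPS.AE-5) and
categorization of the resulting incidents by impact and penetration vector
(CPS.AN-3). The asset register, scoring table, thresholds and sample events
are constructed for this example; they are not the CPSF's own criteria."""
from dataclasses import dataclass

# Constructed asset register: recovery time objective (hours) and recovery
# priority (1 = restored first), as the measures say classification should use.
SYSTEMS = {
    "plc-line-3":     {"rto_hours": 1,  "recovery_priority": 1, "kind": "industrial control"},
    "erp":            {"rto_hours": 8,  "recovery_priority": 2, "kind": "information system"},
    "marketing-site": {"rto_hours": 72, "recovery_priority": 5, "kind": "information system"},
}

IMPACT_SCORE = {"none": 0, "low": 1, "medium": 2, "high": 3}


@dataclass
class SecurityEvent:
    event_id: str
    system: str
    observed_impact: str        # none / low / medium / high
    penetration_vector: str     # e.g. phishing, removable media, remote access
    detail: str


def urgency_from_rto(rto_hours: int) -> int:
    """Shorter recovery time objective means higher urgency (constructed bands)."""
    if rto_hours <= 4:
        return 3
    if rto_hours <= 24:
        return 2
    return 1


def risk_degree(event: SecurityEvent) -> int:
    """Constructed risk degree 0..9: impact score times urgency of the affected system."""
    rto = SYSTEMS[event.system]["rto_hours"]
    return IMPACT_SCORE[event.observed_impact] * urgency_from_rto(rto)


def classify(event: SecurityEvent) -> dict:
    """Decide whether an event becomes an incident, and whether it must be reported.

    Thresholds are constructed: degree >= 4 is an incident; degree >= 6 must be
    reported to the chief security officer (and externally per the organization's rules).
    The returned record carries the CPS.AN-3 categorization keys for later analysis.
    """
    degree = risk_degree(event)
    return {
        "event_id": event.event_id,
        "system": event.system,
        "risk_degree": degree,
        "classification": "incident" if degree >= 4 else "event",
        "report_required": degree >= 6,
        "impact_size": event.observed_impact,
        "penetration_vector": event.penetration_vector,
        "recovery_priority": SYSTEMS[event.system]["recovery_priority"],
    }


def triage(events: list) -> list:
    """Order records for handling: highest risk degree first, then recovery priority."""
    records = [classify(e) for e in events]
    return sorted(records, key=lambda r: (-r["risk_degree"], r["recovery_priority"]))


# Constructed sample events.
SAMPLE_EVENTS = [
    SecurityEvent("E-1", "marketing-site", "medium", "web application", "defacement attempt blocked by WAF"),
    SecurityEvent("E-2", "plc-line-3", "high", "remote access", "unexpected engineering-station session"),
    SecurityEvent("E-3", "erp", "low", "phishing", "credential entered on lookalike page, reset done"),
    SecurityEvent("E-4", "erp", "high", "malware", "ransom note found on file server"),
]

if __name__ == "__main__":
    for r in triage(SAMPLE_EVENTS):
        print(f"{r['event_id']} {r['system']:15s} degree={r['risk_degree']} "
              f"{r['classification']:8s} report={r['report_required']}")
```

With the constructed inputs the control-system event outranks the ERP ransomware event only because its recovery time objective is shorter; that is the effect the measures intend when they say classification should take recovery time objectives and recovery priority into account, and it is what makes the criteria worth writing down in advance rather than deciding per incident.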
A.16.1.5 Response to information security incidents
Control: Information security incidents shall be responded to in accordance with the documented procedures.

CPS.SC-5: Formulate and manage security requirements applicable to members of other relevant organizations, such as business partners, who are engaged in operations outsourced from the organization.
H-Advanced, Advanced and Basic: the same example measures as listed for CPS.SC-5 under A.16.1.2 above (continuous monitoring of contractor staff compliance with the contractee's security requirements; training on the information security aspects of supplier relationships; identifying staff who access confidential data or intellectual property; terminating temporarily granted rights when the contract ends).

CPS.AE-2 (A.16.1.5, continued): Appoint a chief security officer, establish a security management team (SOC/CSIRT), and prepare a system within the organization to detect, analyze, and respond to security events.
H-Advanced:
‐ The organization efficiently analyzes audit logs collected through 24-hour, 365-day security monitoring by using an automated analysis tool.
‐ It is desirable for the organization to include not only its conventional IT environment but also its control system and IoT devices in the scope of security monitoring.
‐ It is desirable for the organization to regularly evaluate the maturity of its security measure organizations in order to continue improving its security-related operations, including security monitoring and the ways incidents are handled.

[Reference] For example, SIM3 (Security Incident Management Maturity Model) is available as metrics for the evaluation of security organizations (SOC/CSIRT).
Advanced:
‐ The organization refers to risk assessment results and, considering the following angles, establishes what to monitor and what to include in correlation analysis.
 ‐ The scope of systems to monitor
 ‐ Which device logs should be collected for analysis (see CPS.AE‐3)
‐ The organization regularly reviews audit logs collected through monitoring.
‐ The organization continues to collect and manage information about assets, device configurations, and network configurations in order to evaluate its security status.
‐ The organization examines the results of correlation analysis and other data to accurately detect security events that must be addressed and takes action in accordance with the security operation process. See CPS.RP‐1 for details of the process.
‐ The organization regularly reports the state of organizational and system security to the chief security officer or other appropriate staff members. It is desirable that the regular report should include the following:
 ‐ Results of log analysis (e.g., the number of incidents handled; summaries of typical incidents that have been handled; threats that have emerged; issues in monitoring);
 ‐ Policy for future improvements in monitoring.
CPS.RP-1 (A.16.1.5, continued): Develop and implement in advance the procedure of response after detecting incidents (security operation process) that includes the response of Organization, People, Components, System to identify the content, priority, and scope of response taken after an incident occurs.
H-Advanced:
‐ If the information system and the industrial control system receive any invalid data, they operate in an expected manner, as stated, in conformity with the purpose of the organization and system.
Advanced and Basic: the same example measures as listed for CPS.RP-1 under A.16.1.2 above (contents for detecting, analyzing, containing, reducing, and recovering from incidents in the security operation manual; the items of the security operation process, from the response procedure for the person receiving the report to communication with external organizations; fail-safe actions of the system when an abnormality occurs in IoT devices or servers; reference to “SP 800‐61 rev.1” (NIST, 2008)).
CPS.MI-1 (A.16.1.5, continued): Take measures to minimize security-related damages and mitigate the impacts caused by such incidents.
H-Advanced:
‐ The organization uses an automated mechanism for assisting with the process of security incident handling.
‐ The organization interlinks information regarding threats and vulnerabilities with how individual security incidents have been handled so as to improve its understanding of the situations.

[Reference] As examples of information expected to be useful in reducing the impact of an incident being handled and in recovery from the incident, “Six Ws on cybersecurity information sharing for enhancing SOC/CSIRT Version 1.0” (ISOG‐J, 2018) lists the following:
 ‐ Configuration requirements for security products and related systems to block any attacks;
 ‐ How to disable attacks (e.g., patching; changing setups);
 ‐ How to recover a damaged system.
Basic:
‐ The organization (or its members) takes courses of action to reduce security incidents (e.g., shutting down the system; cutting off the system from a wired/wireless network; cutting off a modem cable; disabling certain functions) in accordance with prescribed procedures.

[Reference] Courses of action to reduce the impact of a security incident may vary according to the nature of the incident (e.g., according to the threat that has emerged, such as a denial-of-service attack, malware infection, or unauthorized access). For example, it is advisable to refer to “SP 800‐61 rev.1” (NIST, 2008) for detailed information about courses of action to reduce the impact of an incident.
A.16.1.6 Learning from information security incidents
Control: Knowledge gained from analysing and resolving information security incidents shall be used to reduce the likelihood or impact of future incidents.

CPS.IP-7: Assess the lessons learned from security incident response and the results of monitoring, measuring, and evaluating internal and external attacks, and improve the processes of protecting the assets.
H-Advanced:
‐ The organization has its security assessed by a third party.
Advanced:
‐ The organization draws up a security assessment plan before the assessment is carried out that includes the following so as to ensure that its security is assessed properly and systematically:
 ‐ Security measures for assessment;
 ‐ Assessment procedures for measuring the effectiveness of security measures;
 ‐ Settings and mechanisms for carrying out the security assessment;
 ‐ Methods of putting together the results of the security assessment and applications of the results.
Basic:
‐ The organization regularly evaluates whether its security measures have achieved expected results (i.e., security assessment) and reports the conclusions to the chief security officer, in addition to the evaluation of whether the measures are correctly implemented and managed.
‐ The organization makes improvements on its security measures based on the results of the security assessment.

CPS.IP-8: Share information regarding the effectiveness of data protection technologies with appropriate partners.
H-Advanced:
‐ The organization prepares a setting through an automated mechanism at just the right time that enables it and its appropriate partners to interactively share new information about data protection technologies or information about the effectiveness of the protection technologies.
Advanced:
‐ The organization prepares a setting that enables it to share new information about data protection technologies or information about the effectiveness of the protection technologies with its partners at just the right time.
Basic:
‐ The organization prepares a setting that enables it to acquire new information about data protection technologies or information about the effectiveness of the protection technologies from its appropriate partners.

  CPS.DP-4: Continuously improve the process of detecting security events.
  H‐Advanced
  ‐ The organization creates and tunes detection rules based on various information as sources in order to improve its detection ability.
    ‐ Developing the rules of correlation analysis
    ‐ Developing own signature of IPSs or IDSs
    ‐ Developing the organization’s own black list
  ‐ The organization/system analyzes the patterns of its system’s communication and security alerts to create and use a profile that summarizes typical patterns of communication and security alerts, thereby tuning its efforts to reduce the numbers of false detections and false negatives.
  Advanced
  ‐ The organization prepares and manages a procedure for regularly reporting the state of organizational and system security to its appropriate staff members (e.g., management). It is desirable that the organization should define the reporting as an occasion for becoming aware of the latest threats or threats to remaining risks so that the organization acts to enhance its security.
  ‐ For example, if alerts such as those shown below are issued and there is a sign of increasing security risks, raise the level of the system’s monitoring activities based on information from reliable sources. * The list below is an excerpt from “Six Ws on cybersecurity information sharing for enhancing SOC/CSIRT Version 1.0” (ISOG‐J, 2018).
    ・ Characteristics of the attack
      ➢ Form of the attack; contents of relevant communications
      ➢ Core attack code
    ・ Traces of the attack
      ➢ Contents of the damaged communications
      ➢ Logs that remain in the server or the hands of clients
      ➢ Other characteristics that remain in the server or the hands of clients
    ・ Detected names in the security products
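One way to build the kind of communication/alert profile that CPS.DP-4 (H‐Advanced) describes and use it to suppress routine alerts while still surfacing novel ones. This is an added Python illustration, not code from the CPSF or the ISOG‐J document; the log format, host names, alert names and the "mean + 3 sigma" threshold are assumptions made here.

```python
"""Profile-based alert tuning, in the spirit of CPS.DP-4 (H-Advanced).

Added illustration, not code from the CPSF or from ISOG-J. The log format,
host names, alert names and the "mean + 3 sigma" threshold are assumptions
made for this example.
"""
import math
from collections import defaultdict
from statistics import mean, pstdev

# Constructed sample alert logs, one alert per line:
# "<ISO-8601 timestamp> <source host> <alert name>"
BASELINE_LOG = """\
2024-03-01T02:00:00 vuln-scanner-01 PORT_SCAN
2024-03-01T02:05:00 vuln-scanner-01 PORT_SCAN
2024-03-01T09:12:00 web-01 HTTP_4XX_BURST
2024-03-02T02:00:00 vuln-scanner-01 PORT_SCAN
2024-03-02T02:04:00 vuln-scanner-01 PORT_SCAN
2024-03-02T10:30:00 web-01 HTTP_4XX_BURST
2024-03-03T02:00:00 vuln-scanner-01 PORT_SCAN
2024-03-03T02:03:00 vuln-scanner-01 PORT_SCAN
2024-03-03T14:01:00 web-01 HTTP_4XX_BURST
"""

OBSERVED_LOG = """\
2024-03-04T02:00:00 vuln-scanner-01 PORT_SCAN
2024-03-04T02:06:00 vuln-scanner-01 PORT_SCAN
2024-03-04T11:00:00 web-01 HTTP_4XX_BURST
2024-03-04T11:02:00 web-01 HTTP_4XX_BURST
2024-03-04T11:03:00 web-01 HTTP_4XX_BURST
2024-03-04T11:04:00 web-01 HTTP_4XX_BURST
2024-03-04T11:05:00 web-01 HTTP_4XX_BURST
2024-03-04T23:40:00 plc-gw-07 PORT_SCAN
"""


def parse_log(text):
    """Return (day, host, alert) tuples; malformed lines are skipped."""
    events = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue
        ts, host, alert = parts
        events.append((ts[:10], host, alert))  # day = YYYY-MM-DD prefix
    return events


def build_profile(events):
    """Summarize the typical daily count of each (host, alert) pair.

    Profiling per source rather than per alert name keeps a noisy, known
    scanner from masking the same alert name on a host that never raised it
    (the false-negative side of the tuning the text describes)."""
    days = sorted({day for day, _, _ in events})
    per_day = defaultdict(lambda: defaultdict(int))
    for day, host, alert in events:
        per_day[(host, alert)][day] += 1
    profile = {}
    for key, counts in per_day.items():
        series = [counts.get(day, 0) for day in days]  # quiet days count as 0
        profile[key] = {"mean": float(mean(series)), "stdev": pstdev(series),
                        "days": len(days)}
    return profile


def evaluate(profile, events, sigmas=3.0):
    """Apply the profile to a new window and return what still needs attention.

    Pairs within their baseline are suppressed as routine (fewer false
    detections); pairs with no baseline at all are always reported."""
    counts = defaultdict(int)
    for _, host, alert in events:
        counts[(host, alert)] += 1
    findings = []
    for (host, alert), count in sorted(counts.items()):
        base = profile.get((host, alert))
        if base is None:
            findings.append({"host": host, "alert": alert, "count": count,
                             "expected": 0.0, "reason": "no baseline for this pair"})
            continue
        threshold = math.ceil(base["mean"] + sigmas * base["stdev"])
        if count > threshold:
            findings.append({"host": host, "alert": alert, "count": count,
                             "expected": base["mean"], "reason": "exceeds baseline"})
    return findings


if __name__ == "__main__":
    prof = build_profile(parse_log(BASELINE_LOG))
    for f in evaluate(prof, parse_log(OBSERVED_LOG)):
        print(f"{f['host']:16} {f['alert']:16} seen={f['count']} "
              f"expected~{f['expected']:.1f}  {f['reason']}")
```

On the constructed data the nightly scanner's two PORT_SCAN alerts are suppressed as routine, the web-01 burst is reported as exceeding its baseline, and the PORT_SCAN from the never-seen PLC gateway is reported because no baseline exists for it.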
  CPS.IM-1: Review the lessons learned from the responses to security incidents, and continuously improve the security operation process.
  H‐Advanced
  ‐ It is desirable for the information system to adopt an automatic mechanism for quantifying and monitoring the form, scale, and cost of a security incident that has occurred.
  Advanced
  ‐ It is advisable to use information about threats and vulnerability acquired from security incident assessment for the purpose of identifying incidents that may recur or have a major impact.
  Basic
  ‐ Incorporate the lessons learned from the experience of handling of security incidents into the business continuity plan or emergency response plan and the education or training, thereby making necessary changes. NIST SP 800‐61 shows the following as examples of points of view that may be taken when selecting the lessons.
    ‐ Exactly when and what happened;
    ‐ How well the staff and management handled the incident;
    ‐ Whether they followed documented procedures;
    ‐ Whether that was appropriate;
    ‐ What information was immediately needed;
    ‐ Whether any steps or actions might have hindered recovery;
    ‐ What different actions the staff and management would take if the same incident recurred;
    ‐ What corrective measures would prevent the occurrence of similar incidents in the future;
    ‐ What additional tools and resources would be needed to detect, analyze, and reduce incidents in the future.
A.16.1.7 Collection of evidence
Control: The organization shall define and apply procedures for the identification, collection, acquisition and preservation of information, which can serve as evidence.

  CPS.AN-2: Implement digital forensics upon the occurrence of the security incident.
  H‐Advanced
  ‐ The information system provides a procedure for processing an audit record regarding critical security incidents.
  Advanced
  ‐ The organization establishes procedures for identifying, collecting, acquiring, and saving proof according to the medium, device, and the state of the device (e.g., whether it is switched on or off).
  ‐ It is desirable that the organization should retain the following evidence after the occurrence of any serious security incident:
    ‐ Identification data (e.g., the location of the incident, date and time of the occurrence, serial numbers on the items, host name, MAC address, IP address);
    ‐ The titles and names of the people who have collected and processed the evidence; their contact information;
    ‐ Date and time the evidence was saved.
  Basic
  ‐ The organization establishes and manages procedures for identifying, collecting, acquiring, and saving data that may serve as proof.
A.17 Information security aspects of business continuity management
A.17.1 Information security continuity
A.17.1.1 Planning information security continuity
Control: The organization shall determine its requirements for information security and the continuity of information security management in adverse situations, e.g. during a crisis or disaster.

  CPS.RP-3: Include security incidents in the business continuity plan or emergency response plan that outlines the action plans and response procedures to take in case of natural disasters.
  Advanced
  ‐ The organization will establish a system of business continuity in emergency for information systems, industrial control systems and managers of related processes. This system defines the priority of the system for recovering operation when an event occurs that causes interruption in business continuity.
  ‐ The organization develops and manages a business continuity plan or an emergency response plan specifically for security incidents with certain characteristics, such as that the damage the incident inflicts is less obvious than that caused by a disaster, making it difficult to specify when the business continuity plan should be carried out, or that identifying the cause of the incident has high priority.
  ‐ The organization ensures that the business continuity plan or emergency response plan it develops specifically for security incidents goes along with the organization‐wide policy on business continuity.

  CPS.RP-4: Take appropriate measures on goods (products) whose quality is expected to be affected by some reasons, including its production facility damaged by the occurrence of the security incident.
  Advanced
  ‐ The organization provides an overview of a security incident for relevant external entities including business partners and end users, and collects detailed information about damage inflicted by the incident.
  ‐ The organization coordinates actions related to recovery and post‐incident processing with relevant external entities involved in the supply chain. It is advisable to identify the items for handling in accordance with the approaches included in CPS.AM‐2 and CPS.AM‐3.
  Basic
  ‐ The organization considers stating what to do with items produced after the incident in the business continuity plan or emergency response plan, taking into account the type of the organization’s business. Note that the business continuity plan or emergency response plan may not be for security incidents.
A.17.1.2 Implementing information security continuity
Control: The organization shall establish, document, implement and maintain processes, procedures and controls to ensure the required level of continuity for information security during an adverse situation.

  CPS.RP-2: As part of the security operation process, define the procedure and the division of roles with regard to cooperative relations with relevant parties such as partners, and implement the process.
  H‐Advanced
  ‐ The organization assumes the course of action for security incidents of the supply chain and prepares a procedure that adjusts incident responses between the organization and other organizations that are concerned with the supply chain.
  ‐ The organization adjusts the incident response process of an external service provider that contains important features in order to continue its business, as well as adjusting the organization’s incident response process to meet the incident response requirements.
  ‐ The organization interlinks information regarding threats and vulnerabilities with how individual security incidents have been handled so as to improve its understanding of the situations.
  [Reference] Violations in the security incidents of supply chain include violations on system components, IT products, development processes, developers, distribution processes, and warehouse facilities.
  Advanced
  ‐ The organization determines an alternative processing site in case the availability of its primary processing site has been compromised by a security incident.
  ‐ The organization sets forth in the service agreement that if its primary processing function becomes unavailable, certain operations are moved to resume at the alternative processing site within the recovery time objective that the organization specifies in order to ensure that it continues to perform its critical missions and operational functions.
  ‐ The organization designates an alternative processing site away from its primary processing site in order to mitigate the vulnerability to the same threats.
  ‐ The organization prepares internal resources for incident handling assistance (e.g., help desk; CSIRT). These resources offer advice and support related to security incident handling and reporting for system users of the information system and industrial control system, and are an integral part of organizational ability to handle incidents.
  CPS.CO-3: Include the item in the business continuity plan or emergency response plan to the effect that the details of the recovery activities shall be communicated to the internal and external stakeholders, executives, and management.
  Advanced
  ‐ The organization provides an overview of a security incident for relevant external entities including the regulatory authorities, business partners, and end users, and collects detailed information about damage inflicted by the incident.
  ‐ The organization coordinates actions related to recovery and post‐incident processing with relevant external entities involved in the supply chain. An example of these actions is recalling items produced when a security incident in the production system has occurred.
  Basic
  ‐ The organization specifies roles and responsibilities taken when any security incident that may affect it occurs, along with the personnel who are assigned to these roles and responsibilities and their contact information.
  ‐ The organization provides an overview of a security incident and an explanation about damage inflicted by the incident for the personnel responsible for decision‐making associated with business continuity in order to ensure that the right decision is made.
A.17.1.3 Verify, review and evaluate information security continuity
Control: The organization shall verify the established and implemented information security continuity controls at regular intervals in order to ensure that they are valid and effective during adverse situations.

  CPS.IM-2: Review the lessons learned from the responses to security incidents, and continuously improve the business continuity plan or emergency response plan.
  Basic
  ‐ The organization makes sure that the procedures for business continuity and the functions of relevant measures go along with the business continuity policy for higher positions.
  ‐ The organization incorporates the lessons learned from the experience of handling of security incidents into the business continuity plan or emergency response plan and the education or training, thereby making necessary changes.
A.17.2 Redundancies
A.17.2.1 Availability of information processing facilities
Control: Information processing facilities shall be implemented with redundancy sufficient to meet availability requirements.

  CPS.DS-6: Secure sufficient resources (e.g., People, Components, system) for components and systems, and protect assets property to minimize bad effects under cyber attack (e.g., DoS attack).
  Advanced
  ‐ The information system and industrial control system manage spare storage space, bandwidth, and other spares (People, Components, System) and minimize the impact of service denial attacks that send a large amount of information. For example, if services provided by an attacked system cannot be stopped due to maintaining the level of availability, etc., in order to continue important functions, it is necessary to take the following measures.
    ‐ Automatic or manual migration to standby system
    ‐ Automatic or manual segregation of system components attacked by an adversarial actor
  ‐ In order to ensure that required system performance is satisfied, use of resources must be monitored and adjusted. In addition, storage capacity and performance required in the future must be pre‐estimated.
  ‐ The organization shall:
    (a) Use a monitoring tool which the organization specifies in order to find signs of service jamming attacks on the information system.
    (b) Monitor resources of information system and industrial control system identified by the organization and judge whether sufficient resource is secured to prevent effective service jamming attacks.
  Basic
  ‐ By implementing the security measures which the organization decides on, the information system and the industrial control system minimize the impact or protect from the impact of service denial attacks which the organization specifies, or from attacks on references to sources of these information, while performing a fallback operation.

  CPS.DS-7: Carry out periodic quality checks, prepare standby devices and uninterruptible power supplies, provide redundancy, detect failures, conduct replacement work, and update software for IoT devices, communication devices, circuits, etc.
  Advanced
  ‐ The organization prepares short‐term uninterrupted power supply which supports the switching of the information system to an alternative power source that can be used for a long period of time when the primary power source is lost.
  ‐ In order to ensure that required performance of an information system and an industrial control system is satisfied, use of resources must be monitored and adjusted. In addition, storage capacity and performance that are required in the future are pre‐estimated.
  Basic
  ‐ The organization protects devices from power outages and other failures that are attributable to malfunctions in the support utility.
  ‐ The organization protects communication cables and power cables that transmit data or that support information service from interception, interference, and harm.
  ‐ The organization properly maintains devices to ensure continuous availability and integrity.
A.18 Compliance
A.18.1 Compliance with legal and contractual requirements
A.18.1.1 Identification of applicable legislation and contractual requirements
Control: All relevant legislative statutory, regulatory, contractual requirements and the organization’s approach to meet these requirements shall be explicitly identified, documented and kept up to date for each information system and the organization.

  CPS.GV-2: Formulate internal rules considering domestic and foreign laws, including the Act on the Protection of Personal Information and Unfair Competition Prevention Act, as well as industry guidelines, and review and revise the rules on a continuing and timely basis in accordance with any changes in relevant laws, regulations, and industry guidelines.
  Basic
  ‐ Within the organization’s business activities, clearly identify all related laws, regulations, and contractual requirements in the context of security as well as the organization’s effort to fulfill these requirements, document them, and keep those documents up to date.
  ‐ The organization defines and documents detailed management measures and details of responsibilities to satisfy the requirements.
  ‐ The controller identifies all laws and regulations which apply to each organization to satisfy requirements related to the type of business.
  ‐ When the organization operates businesses in other countries, the controller considers compliance with the laws and regulations in all related countries.

  CPS.GV-3: Understand the level of data protection required by laws and arrangements regarding handling of data shared only by relevant organizations, develop data classification methods based on each requirement, and properly classify and protect data throughout the whole life cycle.
  Basic
  ‐ The organization identifies and documents all legal requirements and contract requirements related to data protection for each system and each organization and the organization’s activities to satisfy these requirements, and keeps them up to date.
  ‐ The organization classifies its data appropriately according to the classification of the identified rules.
  ‐ The organization takes measures for systems, components, etc., handling the applicable data in accordance with the requirements of the identified rules. When the implementation of a measure is considered difficult, measures such as tokenization of the applicable data may be considered (e.g., tokenization of card information due to the Installment Sales Law).

  CPS.DP-2: Detect security events in the monitoring process, in compliance with applicable local regulations, directives, industry standards, and other rules.
  Basic
  ‐ The organization checks whether any legal system, industry standards, or agreements with customers that are related to monitoring services exist and, if any do, learns what constraints are imposed.
  ‐ The organization conducts monitoring in accordance with the rules learned above to detect any security events.
  ‐ The organization regularly reviews its monitoring activities to make sure that they conform to the rules.
A.18.1.2 Intellectual property rights
Control: Appropriate procedures shall be implemented to ensure compliance with legislative, regulatory and contractual requirements related to intellectual property rights and use of proprietary software products.

  CPS.GV-2: Formulate internal rules considering domestic and foreign laws, including the Act on the Protection of Personal Information and Unfair Competition Prevention Act, as well as industry guidelines, and review and revise the rules on a continuing and timely basis in accordance with any changes in relevant laws, regulations, and industry guidelines.
  Basic: the same example security measures as listed for CPS.GV-2 under A.18.1.1 above.

  CPS.GV-3: Understand the level of data protection required by laws and arrangements regarding handling of data shared only by relevant organizations, develop data classification methods based on each requirement, and properly classify and protect data throughout the whole life cycle.
  Basic: the same example security measures as listed for CPS.GV-3 under A.18.1.1 above.
A.18.1.3 Protection of records
Control: Records shall be protected from loss, destruction, falsification, unauthorized access and unauthorized release, in accordance with legislatory, regulatory, contractual and business requirements.

  CPS.GV-2: Formulate internal rules considering domestic and foreign laws, including the Act on the Protection of Personal Information and Unfair Competition Prevention Act, as well as industry guidelines, and review and revise the rules on a continuing and timely basis in accordance with any changes in relevant laws, regulations, and industry guidelines.
  Basic: the same example security measures as listed for CPS.GV-2 under A.18.1.1 above.

  CPS.GV-3: Understand the level of data protection required by laws and arrangements regarding handling of data shared only by relevant organizations, develop data classification methods based on each requirement, and properly classify and protect data throughout the whole life cycle.
  Basic: the same example security measures as listed for CPS.GV-3 under A.18.1.1 above.

  CPS.SC-8: Collect and securely store data proving that the organization is fulfilling its contractual obligations with other relevant parties or individuals, and prepare them for disclosure as needed within appropriate limits.
  H‐Advanced
  ‐ The organization uses a trail storage system with the following features to flexibly fulfill the needs of clients and other related organizations, such as a third‐party auditing institution, on a real‐time basis.
    ‐ Eligibility of the subject audit trail for the contract matter can be verified quickly.
    ‐ Only authorized entities such as clients and outsourced auditing agencies can access the system.
    ‐ Stored data has reliable trails such as time stamps and electronic signatures.
  Advanced
  ‐ The organization takes measures so that those records among the audit records generated by the system that are acquired over a long period of time can be obtained with certainty.
  ‐ In order to protect audit records from the following threats, it is desirable for the system to apply access control with high granularity to the items and systems in which audit records are stored.
    ‐ Change format of recorded message
    ‐ Change or delete log file
    ‐ Exceed storage space of log file medium
  Basic
  ‐ The organization preserves audit records for an appropriate period of time so as to satisfy the requirements of laws and regulations.
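A minimal tamper-evident audit trail of the kind CPS.SC-8 calls for (time-stamped records, a keyed tag standing in for the electronic signature, and a quick per-contract lookup), together with a verifier that detects the "change recorded message" and "delete log file" threats listed above. This is an added Python illustration, not code from the CPSF; the record layout, the SHA-256 hash chain, the HMAC tag in place of a real signature, and the contract IDs and messages are assumptions made here.

```python
"""Tamper-evident audit trail, in the spirit of CPS.SC-8 (H-Advanced/Advanced).

Added illustration, not code from the CPSF. The record layout, SHA-256 hash
chaining, an HMAC tag standing in for the electronic signature, and the
sample contract IDs and messages are all assumptions made for this example.
"""
import hashlib
import hmac
import json

GENESIS = "0" * 64  # "previous hash" of the first record
FIELDS = ("seq", "ts", "contract", "message", "prev")


def canonical(body):
    """Stable serialization so the hash does not depend on key order or spacing."""
    return json.dumps(body, sort_keys=True, separators=(",", ":")).encode()


def tag_for(key, data):
    return hmac.new(key, data.encode(), hashlib.sha256).hexdigest()


class AuditTrail:
    """Append-only trail: each record commits to its predecessor and carries a keyed tag."""

    def __init__(self, key):
        self._key = key  # in practice held in an HSM/KMS, not next to the log
        self.records = []

    def append(self, ts, contract, message):
        prev = self.records[-1]["hash"] if self.records else GENESIS
        body = {"seq": len(self.records), "ts": ts, "contract": contract,
                "message": message, "prev": prev}
        digest = hashlib.sha256(canonical(body)).hexdigest()
        rec = dict(body, hash=digest, tag=tag_for(self._key, digest))
        self.records.append(rec)
        return rec

    def head(self):
        """Signed commitment to (record count, last hash). Handed to the client or
        auditor so that silently dropping the newest records is detectable."""
        last = self.records[-1]["hash"] if self.records else GENESIS
        return {"count": len(self.records), "hash": last,
                "tag": tag_for(self._key, f"{len(self.records)}:{last}")}


def verify(records, key, head=None):
    """Return (ok, problems). Catches edited records, deleted or reordered
    records, records with forged tags and, given a trusted head, truncation."""
    problems = []
    prev = GENESIS
    for i, rec in enumerate(records):
        body = {k: rec.get(k) for k in FIELDS}
        if rec.get("seq") != i or rec.get("prev") != prev:
            problems.append(f"record {i}: chain break (seq/prev mismatch)")
        digest = hashlib.sha256(canonical(body)).hexdigest()
        if digest != rec.get("hash"):
            problems.append(f"record {i}: content does not match stored hash")
        if not hmac.compare_digest(tag_for(key, str(rec.get("hash"))), str(rec.get("tag"))):
            problems.append(f"record {i}: tag invalid")
        prev = str(rec.get("hash"))
    if head is not None:
        if not hmac.compare_digest(tag_for(key, f"{head['count']}:{head['hash']}"), head["tag"]):
            problems.append("head: tag invalid")
        elif head["count"] != len(records) or head["hash"] != prev:
            problems.append(f"trail truncated or extended: head commits to {head['count']} records")
    return (not problems, problems)


def records_for_contract(records, contract):
    """Pull the trail entries relevant to one contract for a client or auditor."""
    return [r for r in records if r.get("contract") == contract]


def demo():
    """Build a small constructed trail, then show what verification reports."""
    key = b"constructed-example-key"
    trail = AuditTrail(key)
    trail.append("2024-04-01T08:00:00Z", "CTR-2024-0042", "shipment 17 inspected: pass")
    trail.append("2024-04-01T08:30:00Z", "CTR-2024-0042", "shipment 17 released to carrier")
    trail.append("2024-04-01T09:00:00Z", "CTR-2024-0099", "monthly SLA report delivered")
    head = trail.head()
    clean_ok, _ = verify(trail.records, key, head)
    # Edit the stored message of record 0 (the "change recorded message" threat).
    tampered = json.loads(json.dumps(trail.records))
    tampered[0]["message"] = "shipment 17 inspected: fail"
    tampered_ok, tampered_problems = verify(tampered, key, head)
    # Drop the newest record (a partial form of the "delete log file" threat).
    truncated_ok, truncated_problems = verify(trail.records[:-1], key, head)
    return {"clean_ok": clean_ok,
            "tampered_ok": tampered_ok, "tampered_problems": tampered_problems,
            "truncated_ok": truncated_ok, "truncated_problems": truncated_problems,
            "contract_0042_records": len(records_for_contract(trail.records, "CTR-2024-0042"))}


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

A real deployment would replace the HMAC with signatures from a key the log writer cannot reach and store the head commitment with the auditor, which is what makes the "only authorized entities can access the system" and "reliable trails" properties hold against an insider with write access to the log store.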
  CPS.IP-4: Perform a periodical system backup and testing of components (e.g., IoT devices, communication devices, and circuits).
  H‐Advanced
  ‐ The organization confirms the trustworthiness of the medium and integrity of the information by regularly testing the backup information.
  Advanced
  ‐ The organization backs up their system documents according to the prescribed timing and frequency.
  ‐ The organization protects the confidentiality, integrity, and availability of the information backed up on the storage base.
A.18.1.4 Privacy and protection of personally identifiable information
Control: Privacy and protection of personally identifiable information shall be ensured as required in relevant legislation and regulation where applicable.

  CPS.GV-2: Formulate internal rules considering domestic and foreign laws, including the Act on the Protection of Personal Information and Unfair Competition Prevention Act, as well as industry guidelines, and review and revise the rules on a continuing and timely basis in accordance with any changes in relevant laws, regulations, and industry guidelines.
  Basic: the same example security measures as listed for CPS.GV-2 under A.18.1.1 above.

  CPS.GV-3: Understand the level of data protection required by laws and arrangements regarding handling of data shared only by relevant organizations, develop data classification methods based on each requirement, and properly classify and protect data throughout the whole life cycle.
  Basic: the same example security measures as listed for CPS.GV-3 under A.18.1.1 above.

A.18.1.5 Regulation of cryptographic controls
Control: Cryptographic controls shall be used in compliance with all relevant agreements, legislation and regulations.

  CPS.GV-2: Formulate internal rules considering domestic and foreign laws, including the Act on the Protection of Personal Information and Unfair Competition Prevention Act, as well as industry guidelines, and review and revise the rules on a continuing and timely basis in accordance with any changes in relevant laws, regulations, and industry guidelines.
  Basic: the same example security measures as listed for CPS.GV-2 under A.18.1.1 above.

  CPS.GV-3: Understand the level of data protection required by laws and arrangements regarding handling of data shared only by relevant organizations, develop data classification methods based on each requirement, and properly classify and protect data throughout the whole life cycle.
  Basic: the same example security measures as listed for CPS.GV-3 under A.18.1.1 above.
A.18.2 Information security reviews
A.18.2.1 Independent review of information security
Control: The organization’s approach to managing information security and its implementation (i.e. control objectives, controls, policies, processes and procedures for information security) shall be reviewed independently at planned intervals or when significant changes occur.

  CPS.IP-7: Assess the lessons learned from security incident response and the results of monitoring, measuring, and evaluating internal and external attacks, and improve the processes of protecting the assets.
  H‐Advanced
  ‐ The organization has its security assessed by a third party.
  Advanced
  ‐ The organization draws up a security assessment plan before the assessment is carried out that includes the following so as to ensure that its security is assessed properly and systematically:
    ‐ Security measures for assessment;
    ‐ Assessment procedures for measuring the effectiveness of security measures;
    ‐ Settings and mechanisms for carrying out the security assessment;
    ‐ Methods of putting together the results of the security assessment and applications of the results.
  Basic
  ‐ The organization regularly evaluates whether its security measures have achieved expected results (i.e., security assessment) and reports the conclusions to the chief security officer, in addition to the evaluation of whether the measures are correctly implemented and managed.
  ‐ The organization makes improvements on its security measures based on the results of the security assessment.

A.18.2.2 Compliance with security policies and standards
Control: Managers shall regularly review the compliance of information processing and procedures within their area of responsibility with the appropriate security policies, standards and any other security requirements.

  CPS.RA-4:
  - Conduct risk assessments regularly to check if the security rules for managing the components are effective and applicable to the components for implementation.
  - Check the presence of unacceptable known security risks, including safety hazards, from the planning and design phase of an IoT device and systems incorporating IoT devices.
  H‐Advanced
  ‐ When developing a new device or a new component which may have an impact on a physical space such as components of an industrial control system, the organization collects/analyzes accident case studies of conventional products and others to identify safety‐related hazards.
  ‐ The organization analyzes a situation where a hazard leads to harm and identifies the possibility of occurrence and the severity of the harm to estimate a possible risk especially regarding an industrial control system. At the time, it is desirable to check whether there is any hazard caused by a security issue.
  ‐ The organization updates the risk assessment if there is a significant change in the industrial control system or the environment in which it operates, or the other change that affects the security state of the industrial control system.
  Advanced
  ‐ The organization updates a risk assessment when there is a big change in a system or an environment where a system is running (including identification of a new threat or vulnerability) or when any situation which impacts the security status of a system occurs.
  ‐ When planning/designing a new system using an IoT device, the organization identifies existing assets and assets to be protected in the system to be implemented and organizes security measures according to use and configuration of the system. When handling a component or a system with a long life cycle and a component or a system requiring availability, consideration in security measures at a phase before designing is especially important.
  ‐ When considering security measures applied to purchased products and services, the organization makes sure that the levels of measures correspond to the importance of such products and services.
  Basic
  ‐ The organization defines a security risk assessment process and applies it periodically (e.g., once a year).
    ‐ Establish and maintain security risk criteria.
    ‐ Identify security risks in the following way.
      1) Clarify the target of analysis.
      2) Identify incidents (including changes in circumstances) and their causes.
    ‐ Analyze security risks in the following way.
      1) Evaluate possible results when the above identified risks occur.
      2) Evaluate the possibility of the actual occurrence of the above identified risks.
    ‐ Refer to the risk criteria, determine a risk level, and prioritize the risk.
  ‐ The organization documents and stores the information security risk assessment process.

  [Reference] An “asset‐based” method and a “business damage‐based” method are known as security risk assessment methods.
A.18.2.3 Technical compliance review (ISO/IEC 27001:2013 Annex A)
Information systems shall be regularly reviewed for compliance with the organization's information security policies and standards.

Corresponding measure requirement: CPS.RA-4, with the same measure requirement text and the same H-Advanced, Advanced and Basic example measures as listed for A.18.2.2 above.

Appendix E: Glossary

(1) Actuator
<Internet of Things> IoT device that changes one or more properties of a physical entity in response to a valid input. [ISO/IEC 20924:2018]

(2) Anti-tampering devices
Device with an anti-tamper property. When used of devices, "anti-tamper" means that it is difficult to read out or falsify the internal structure or the stored data of the device.

(3) Audit
Systematic, independent and documented process for obtaining audit evidence and evaluating it objectively to determine the extent to which the audit criteria are fulfilled. [ISO/IEC 27000:2018]

(4) Authentication
Provision of assurance that a claimed characteristic of an entity is correct. [ISO/IEC 27000:2018]

(5) Authenticity
Property that an entity is what it claims to be. [ISO/IEC 27000:2018]

(6) Availability
Property of being accessible and usable on demand by an authorized entity. [ISO/IEC 27000:2018]

(7) Basis of trustworthiness
Point of view from which trustworthiness is ensured.

(8) Biometric authentication
Authentication method which identifies a person by physical characteristics such as fingerprint patterns, hand vein patterns, iris patterns or voiceprints.

(9) CC (Common Criteria)
Framework for evaluating whether information technology products and systems are appropriately designed and properly implemented in terms of security. The criteria are defined in the international standard ISO/IEC 15408.

(10) Chief Security Officer
Person who holds the highest responsibility for the operation and control of the security management systems in an organization.

(11) Confidentiality
Property that information is not made available or disclosed to unauthorized individuals, entities, or processes. [ISO/IEC 27000:2018]

(12) CSIRT (Computer Security Incident Response Team)
A capability set up for the purpose of assisting in responding to computer security-related incidents; also called a Computer Incident Response Team (CIRT) or a CIRC (Computer Incident Response Center, Computer Incident Response Capability). [NIST SP 800-61 Rev.2]

(13) CSMS (Cyber Security Management System)
Management system for the cyber security of industrial automation and control systems. The requirements are defined in the international standard IEC 62443-2-1.

(14) Cyberattack
Attempt to destroy, expose, alter, disable, steal or gain unauthorized access to or make unauthorized use of an asset. [ISO/IEC 27000:2018]

(15) Cybersecurity
Prevention of the leak or falsification of electronic data, and of IT or control systems deviating from their expected behavior.

(16) Cyberspace
Virtual space formed by computer systems and networks, in which digital data is used to create value.

(17) Digital certificate
Data, issued by a certification authority (CA), which certifies that a public key used to verify digital signatures is authentic.

(18) EDSA (Embedded Device Security Assurance) certification
Certification program for the security assurance of control devices. EDSA is developed and operated by the ISA Security Compliance Institute (ISCI) based on IEC 62443-4-2. The program evaluates security in three aspects: security at each phase of software development, implemented security features, and communication robustness testing.

(19) Entity
Thing (physical or non-physical) having a distinct existence. [ISO/IEC 15459-3:2014]

(20) Firewall
Software, device or system installed at the boundary between a computer or network and an external network, which protects the internal network from external attack by relaying and monitoring the communication between inside and outside.

(21) Functional safety
Part of the overall safety relating to the EUC (equipment under control) and the EUC control system that depends on the correct functioning of the E/E/PE (electrical/electronic/programmable electronic) safety-related systems and other risk reduction measures. [IEC 61508-4 Ed.2]

(22) Harm
Injury or damage to the health of people, or damage to property or the environment. [ISO/IEC Guide 51:2014]

(23) Hazard
Potential source of harm. [IEC 61508-4:2010]

(24) Hash function
Function which maps strings of bits of variable (but usually upper bounded) length to fixed-length strings of bits, satisfying the following two properties:
- for a given output, it is computationally infeasible to find an input which maps to this output;
- for a given input, it is computationally infeasible to find a second input which maps to the same output. [ISO/IEC 10118-1:2016]

(25) Hash value
String of bits which is the output of a hash function. [ISO/IEC 27037:2012]

(26) Identifier
Information that unambiguously distinguishes one entity from other entities in a given identity context. [ISO/IEC 20924:2018]

(27) IDS (Intrusion Detection System)
System which monitors the communication to and from a server or network and alerts its operators (for example by e-mail) when it detects unauthorized access such as an attack or intrusion attempt.

(28) Industrial control system
An information system used to control industrial processes such as manufacturing, product handling, production, and distribution. Industrial control systems include supervisory control and data acquisition (SCADA) systems used to control geographically dispersed assets, as well as distributed control systems (DCSs) and smaller control systems using programmable logic controllers to control localized processes. [NIST SP 800-53 Rev.4]

(29) Integrity
Property of accuracy and completeness. [ISO/IEC 27000:2018]

(30) IoT (Internet of Things)
Infrastructure of interconnected entities, people, systems and information resources together with services which process and react to information from the physical space and cyberspace. [adapted from the definition in ISO/IEC 20924:2018]

(31) IoT device
Entity of an IoT system that interacts and communicates with the physical space through sensing or actuating.
NOTE: An IoT device can be a sensor or an actuator. [adapted from the definition in ISO/IEC 20924:2018]

(32) IPS (Intrusion Prevention System)
System which monitors the communication to and from a server or network and blocks an attack upon detecting unauthorized access such as an attack or intrusion attempt.

(33) ISMS (Information Security Management System)
Framework by which an organization determines the required security level, establishes a plan and allocates resources on the basis of its own risk assessment in order to manage its information security. The requirements are defined in the international standard ISO/IEC 27001.

(34) ITSMS (IT Service Management System)
Framework designed for IT service providers to maintain or improve their service quality by managing their services on the basis of the PDCA cycle. The requirements are defined in the international standard ISO/IEC 20000-1.

(35) Malware
Software or firmware intended to perform an unauthorized process that will have adverse impact on the confidentiality, integrity, or availability of an information system. A virus, worm, Trojan horse, or other code-based entity that infects a host. Spyware and some forms of adware are also examples of malicious code. [NIST SP 800-53 Rev.4]

(36) Multifactor authentication
Authentication using two or more different factors to achieve authentication. Factors include: (i) something you know (e.g., password/PIN); (ii) something you have (e.g., cryptographic identification device, token); or (iii) something you are (e.g., biometric). See Authenticator. [NIST SP 800-53 Rev.4]

(37) Multi-stakeholder process
Process in which three or more stakeholders meet and discuss on an equal footing, thereby understanding each other and building consensus, in order to solve a problem that could not be solved by one or two stakeholders. [Cabinet Office of Japan]

(38) Mutual authentication
Authentication method in which the two communicating parties authenticate each other, rather than only one party proving its identity to the other.
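Worked example for the mutual authentication entry (38), which also exercises the hash function and hash value entries (24) and (25): a three-message challenge-response exchange in which each party proves knowledge of a pre-shared key with an HMAC-SHA-256 tag over both parties' nonces. This is an added illustration written for this page, not code from the Framework or from any standard it cites; the pre-shared key, the message layout, the role labels and the function names are assumptions made for the example, and the key used in the demo is constructed inline.

```python
"""Three-message mutual authentication with a pre-shared key (added example).

  1. A -> B : N_A                                   (A's challenge)
  2. B -> A : N_B, HMAC(K, "responder" | N_B | N_A)  (B answers, challenges)
  3. A -> B : HMAC(K, "initiator" | N_A | N_B)       (A answers)

Assumption: A and B already share the 32-byte key K out of band.
"""
from __future__ import annotations

import hashlib
import hmac
import secrets

# Role labels are bound into every tag so that a tag produced in one direction
# (or one session) can never be replayed as proof in the other direction.
ROLE_INITIATOR = b"initiator"
ROLE_RESPONDER = b"responder"


def auth_tag(key: bytes, role: bytes, own_nonce: bytes, peer_nonce: bytes) -> bytes:
    """Keyed hash over (role, own nonce, peer nonce).

    HMAC-SHA-256 yields a fixed-length 32-byte hash value; the preimage and
    second-preimage resistance of the hash function means an observer of the
    tag learns nothing usable about K and cannot forge a tag for other nonces.
    """
    return hmac.new(key, role + own_nonce + peer_nonce, hashlib.sha256).digest()


def initiator_challenge() -> bytes:
    """Message 1 (A -> B): a fresh 128-bit random nonce."""
    return secrets.token_bytes(16)


def responder_reply(key: bytes, n_a: bytes) -> tuple[bytes, bytes]:
    """Message 2 (B -> A): B's own fresh nonce plus proof that B knows K."""
    n_b = secrets.token_bytes(16)
    return n_b, auth_tag(key, ROLE_RESPONDER, n_b, n_a)


def initiator_finish(key: bytes, n_a: bytes, n_b: bytes, tag_b: bytes):
    """A verifies B; on success returns message 3 (A -> B), otherwise None."""
    expected = auth_tag(key, ROLE_RESPONDER, n_b, n_a)
    if not hmac.compare_digest(expected, tag_b):  # constant-time comparison
        return None
    return auth_tag(key, ROLE_INITIATOR, n_a, n_b)


def responder_verify(key: bytes, n_a: bytes, n_b: bytes, tag_a) -> bool:
    """B verifies A. After this both sides are authenticated to each other."""
    if tag_a is None:
        return False
    return hmac.compare_digest(auth_tag(key, ROLE_INITIATOR, n_a, n_b), tag_a)


def run_handshake(key_a: bytes, key_b: bytes) -> tuple[bool, bool]:
    """Run the full exchange; returns (A accepts B, B accepts A)."""
    n_a = initiator_challenge()
    n_b, tag_b = responder_reply(key_b, n_a)
    tag_a = initiator_finish(key_a, n_a, n_b, tag_b)
    return tag_a is not None, responder_verify(key_b, n_a, n_b, tag_a)


def reflection_attempt(key: bytes) -> bool:
    """An attacker without K tries to pass as the initiator towards B by feeding
    B's own challenge back to B in a second session and reusing B's answer.
    Returns True only if B would accept the forged message 3."""
    n_m = secrets.token_bytes(16)
    n_b, _tag_b = responder_reply(key, n_m)       # session 1: B challenges with n_b
    _n_b2, reflected = responder_reply(key, n_b)  # session 2: attacker replays n_b
    # The reflected tag is bound to the responder role and a fresh nonce, so it
    # does not match HMAC(K, "initiator" | n_m | n_b) that session 1 requires.
    return responder_verify(key, n_m, n_b, reflected)


if __name__ == "__main__":
    k = secrets.token_bytes(32)  # constructed pre-shared key for the demo
    print("honest handshake (A accepts B, B accepts A):", run_handshake(k, k))
    print("one side holds a different key:", run_handshake(k, secrets.token_bytes(32)))
    print("reflection attack accepted by B:", reflection_attempt(k))
```

The design points a reviewer would check: nonces are fresh per session (replay of an old message 2 or 3 fails), tags cover both nonces and a direction label (reflection fails), and comparisons use hmac.compare_digest so timing does not leak tag bytes. A shared-key scheme like this only scales to a small set of devices; for deployments with many parties, mutual certificate-based authentication (e.g., TLS with client certificates, using the digital certificate and public key entries of this glossary) is the usual choice.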

(39) Objective
Result to be achieved. [ISO/IEC 27000:2018]

(40) Physical space
The real world; the term is used to distinguish the world composed of physical substances from cyberspace.

(41) Private key
In a public-key cryptosystem, in which a pair of different keys is used for encryption and decryption (or for signing and verification), the key of the pair that is kept secret and not released to the public.

(42) Process
Set of interrelated or interacting logical or physical activities which transforms inputs into outputs.

(43) Protocol
Predetermined set of rules and procedures which allows two or more parties to exchange signals, data and information smoothly with one another.

(44) Public key
Key of an entity's asymmetric key pair, which can be made public.
NOTE: In the case of an asymmetric signature system the public key defines the verification transformation. In the case of an asymmetric encipherment system the public key defines the encipherment transformation. A key that is 'publicly known' is not necessarily globally available. The key can only be available to all members of a pre-specified group. [ISO/IEC 19790:2012]

(45) Redundancy
Existence of a means in addition to the means which would be sufficient for a functional unit to perform a required function or for data to represent information. [ISO/IEC 2382:2015]

(46) Resilience
The ability of an information system to continue to: (i) operate under adverse conditions or stress, even if in a degraded or debilitated state, while maintaining essential operational capabilities; and (ii) recover to an effective operational posture in a time frame consistent with mission needs. [NIST SP 800-53 Rev.4]

(47) Risk
Effect of uncertainty on objectives. [ISO/IEC 27000:2018]

(48) Risk management
Coordinated activities to direct and control an organization with regard to risk. [ISO 31000:2018]

(49) Risk source
Element which alone or in combination has the potential to give rise to risk. [ISO 31000:2018]

(50) Safety
State of being protected from recognized hazards that are likely to cause harm. [ISO/IEC Guide 51:2014]

(51) Security-by-design
Introduction of measures (e.g. threat analysis, security architecture, external specification analysis and privacy impact assessment) at the planning and design stages of a device or system in order to ensure its security.

(52) Security event
Identified occurrence of a system, service or network state indicating a possible breach of security policy or failure of controls, or a previously unknown situation that can be security relevant.

(53) Security incident
Single or a series of unwanted or unexpected security events that have a significant probability of compromising business operations and threatening information security.

(54) Security measure organization (SOC/CSIRT)
Organizational structure which continuously collects and analyzes vulnerability information from inside and outside the organization in order to determine the appropriate scope and priority of measures against the security incidents to be monitored. Security measure organizations include organizations and functions such as the SOC and the CSIRT. [Six Ws on cybersecurity information sharing for enhancing SOC/CSIRT Version 1.0 (ISOG-J, 2018)]

(55) Security operation process
Document which specifies in advance the prompt preventive and response measures to be taken against the security incidents to be detected.

(56) Security policy
Top management's intentions and direction, formally expressed, regarding the security of the organization, together with the rules for taking security measures on the basis of those intentions and direction.

(57) Security risk
Possibility of effects on the objectives of the organization, of related parties such as partners, or of society as a whole, caused by security-related failures.

(58) Security rule
Definition of the details of the measures against possible security risks, clarifying the scope and priority of each.

(59) Sensor
<Internet of Things> IoT device that measures one or more properties of one or more physical entities and outputs digital data that can be transmitted over a network. [ISO/IEC 20924:2018]

(60) Service
Output of an organization with at least one activity necessarily performed between the organization and the customer. [ISO 9000:2015]

(61) Service Provider
A provider of basic services or value-added services for operation of a network; generally refers to public carriers and other commercial enterprises. [NIST IR 4734]

(62) SOC (Security Operation Center)
A team composed primarily of security analysts organized to detect, analyze, respond to, report on, and prevent cybersecurity incidents. [RFC 2350, CNSS Instruction No. 4009]

(63) Stakeholder
Person or organization that can affect, be affected by, or perceive itself to be affected by a decision or activity. [ISO/IEC 27000:2018]

(64) Supplier
Organization or an individual that enters into agreement with the acquirer for the supply of a product or service. [ISO/IEC 27036-1:2014]

(65) Supply chain
Linked set of resources and processes between multiple tiers of developers that begins with the sourcing of products and services and extends through the design, development, manufacturing, processing, handling, and delivery of products and services to the acquirer. [ISO 28001:2007, NIST SP 800-53 Rev.4]

(66) Threat
Potential cause of an unwanted incident, which can result in harm to a system or organization. [ISO/IEC 27000:2018]

(67) Time-stamp
Time variant parameter which denotes a point in time with respect to a common time reference. [ISO/IEC 18014-1:2008]

(68) Trust
Degree to which a user or other stakeholder has confidence that a product or system will behave as intended. [ISO/IEC 25010:2011]

(69) Trustworthiness
Property of deserving trust or confidence. In the context of IoT, property of deserving trust or confidence within the entire lifecycle of an Internet of Things implementation to ensure security, privacy, safety, reliability and resiliency. [ISO/IEC 20924:2018]

(70) Vulnerability
Weakness of an asset or control that can be exploited by one or more threats. [ISO/IEC 27000:2018]

(71) Vulnerability remediation plan
A plan to perform the remediation of one or more threats or vulnerabilities facing an organization's systems. The plan typically includes options to remove threats and vulnerabilities and priorities for performing the remediation. [NIST SP 800-40 Ver.2.0]