Book12

The document outlines various controls aligned with ISO 27001, NIST Cybersecurity Framework, ITIL v4, and COBIT 5, focusing on information security policies, incident response, risk management, asset management, and third-party management. It categorizes controls into sections such as Access Control, Incident Response, Risk Management, and Change Management, detailing specific requirements and practices. The document serves as a comprehensive guide for implementing and managing information security frameworks across different standards.

Uploaded by

saket

S.no. | Control | ISO 27001 (No., Name) | NIST CSF 2 (No., Name) | ITIL v4 / CERT-In (No., Name) | COBIT 5 (No., Name)

1. Access Control
   ISO 27001 [A.5.1 to A.5.13]:
     A.5.1 - Policies for information security
     A.5.2 - Information security roles and responsibility
     A.5.3 - Segregation of duties
     A.5.4 - Management responsibilities
     A.5.5 - Contact with authorities
     A.5.6 - Contact with special interest groups
     A.5.7 - Threat intelligence
     A.5.8 - Information security in project management
     A.5.9 - Inventory of information and other assets
     A.5.10 - Acceptable use of information
     A.5.11 - Return of assets
     A.5.12 - Classification of information
     A.5.13 - Labelling of information
     A.5.15 - Access control
     A.5.18 - Access rights
     A.8.3 - Information access restriction
   NIST CSF 2 [PR.AA-01 to PR.AA-06]:
     PR.AA-01: Identities and credentials are issued, managed, verified, revoked, and audited for authorized devices, users, and processes.
     PR.AA-02: Physical access to assets is managed and protected.
     PR.AA-03: Remote access is managed.
     PR.AA-04: Access permissions and authorizations are managed, incorporating the principles of least privilege and separation of duties.
     PR.AA-05: Network integrity is protected, incorporating network segregation where appropriate.
     PR.AA-06: Access to systems and assets is managed through a comprehensive access control strategy.
   ITIL v4 / CERT-In [AC-1 to AC-]:
     Access Control Policy and Procedures
   COBIT 5 [APO13, DSS]:
     APO13 - Managed Security: Focuses on policies, identity, and access management.
     DSS05 - Managed Security Services: Focuses on operational aspects and monitoring.
     BAI09 - Managed Assets: Ensures asset protection through controlled access.
     MEA03 - Managed Compliance: Ensures adherence to legal and regulatory access requirements.

2. Incident Response
   ISO 27001 [A.5.24 to A.5.27]:
     A.5.24 - Information security incident management
     A.5.25 - Assessment and decision on information security events
     A.5.26 - Response to information security incidents
     A.5.27 - Learning from information security incidents
   NIST CSF 2 [RS.MA, RS.AN, RS.CO, RS.MI]:
     RS.MA - Incident Management
     RS.AN - Incident Analysis
     RS.CO - Incident Response Reporting and Communication
     RS.MI - Incident Mitigation
     RC.RP - Incident Recovery Plan Execution
     RC.CO - Incident Recovery Communication
   ITIL v4 / CERT-In [IR1 to IR 8]:
     Preparation, Detection & analysis
   COBIT 5 [DSS02,DSS0]:
     DSS02 - Managed Service Requests and Incidents
     DSS03 - Managed Problems
     DSS04 - Managed Continuity
     APO13 - Managed Security

3. Risk Management
   ISO 27001 [6.1.1, 6.1.2, 6.1]:
     6.1.1 - Actions to address risks and opportunities
     6.1.2 - Information security risk assessment
     6.1.3 - Information security risk treatment
   NIST CSF 2 [GV.RM, ID.RA, ID.IM]:
     GV.RM - Risk Management Strategy
     ID.RA - Risk Assessment
     ID.IM - Improvement
   ITIL v4 / CERT-In [RA1 to RA5]:
     Categorization, assessment, man
   COBIT 5 [APO12.01,]:
     APO12.01 - Collect Data
     APO12.02 - Analyze Risk
     APO12.03 - Maintain a Risk Profile Document
     APO12.04 - Articulate Risk
     APO12.05 - Define Risk Management Action Portfolio
     APO12.06 - Respond to Risk
     APO12.07 - Monitor Risk

4. Asset Management
   ISO 27001 [A.5.9, A.5.10, A.5.11, A.7.1, A.7.9]:
     A.5.9 - Inventory of information and other associated assets
     A.5.10 - Acceptable use of information assets
     A.5.11 - Return of assets
     A.7.1 - Physical security perimeters
     A.7.9 - Security of assets off-premises
   NIST CSF 2 [ID.AM-01, ID.AM-02, ID.AM-03, ID.AM-04, ID.AM-05, ID.AM-07]:
     ID.AM-01: Inventories of hardware managed by the organization are maintained.
     ID.AM-02: Inventories of software, services, and systems managed by the organization are maintained.
     ID.AM-03: Representations of the organization's authorized network communication and internal and external network data flows are maintained.
     ID.AM-04: Inventories of services provided by suppliers are maintained.
     ID.AM-05: Assets are prioritized based on classification, criticality, resources, and impact on the mission.
     ID.AM-07: Inventories of data and corresponding metadata for designated data types are maintained.
   ITIL v4 / CERT-In [ID.AM(ID.A]:
     inventory, data flows and , owners
   COBIT 5 [BAI09]:
     BAI09.01 - Identify Assets
     BAI09.02 - Manage Asset Life Cycle
     BAI09.03 - Optimize Asset Costs
     BAI09.04 - Safeguard Assets
     BAI09.05 - Monitor Asset Performance
     BAI09.06 - Dispose of Assets

5. Change Management
   ISO 27001 [A.8.32, A.5.22]:
     A.8.32 - Change Management
     A.5.22 - Monitoring, review and change management of supplier services
   NIST CSF 2 [PR.IP-03]:
     PR.IP-03: Configuration change control processes are in place.
   ITIL v4 / CERT-In [CM-3, CM-4]:
     Configuration Change Control, Impa
   COBIT 5 [BAI06]:
     BAI06.01 - Evaluate, Prioritize, and Authorize Change Requests
     BAI06.02 - Manage Emergency Changes
     BAI06.03 - Track and Report Change Status
     BAI06.04 - Close and Document the Change
     BAI06.05 - Review and Report on Completed Changes

6. Logging and Monitoring
   ISO 27001 [A.8.15, A.8.16]:
     A.8.15 - Logging
     A.8.16 - Monitoring activities
   NIST CSF 2 [DE.CM and PR.PS]:
     Detect (DE) Function - Continuous Monitoring (DE.CM) Category
     Protect (PR) Function - Platform Security (PR.PS) Category
   COBIT 5 [DSS01,DSS]:
     DSS01 - Managed Operations
     DSS05 - Managed Security Services
     MEA01 - Managed Performance and Conformance Monitoring
     MEA03 - Managed Compliance with External Requirements

7. Human Resources
   ISO 27001 [A.6.1,A.6.2,A.6]:
     A.6.1 - Screening
     A.6.2 - Terms and conditions of employment
     A.6.3 - Information security awareness, education and training
     A.6.4 - Disciplinary process
     A.6.5 - Responsibilities after termination or change of employment
     A.6.6 - Confidentiality or non-disclosure
     A.6.7 - Remote working
     A.6.8 - Information security event reporting
   NIST CSF 2 [GV.RR-04]:
     GV.RR-04: Cybersecurity is included in human resources practices (e.g., deprovisioning, personnel screening).
   COBIT 5 [APO07]:
     APO07.01 - Establish a Workforce Plan
     APO07.02 - Identify Critical IT Roles
     APO07.03 - Maintain Workforce Competencies
     APO07.04 - Manage Workforce Performance
     APO07.05 - Maintain Employee Engagement
     APO07.06 - Manage Contracted Staff
     APO07.07 - Monitor and Improve Workforce Management

8. Third Party Management
   NIST CSF 2 [GV.SC-01, GV.SC-02, GV.SC-03, GV.SC-04, GV.SC-05, GV.SC-06, GV.SC-07, GV.SC-08, GV.SC-09, GV.SC-10]:
     GV.SC-03: Integrate cybersecurity supply chain risk management into broader cybersecurity and enterprise risk management, including risk assessment and improvement processes.
     GV.SC-04: Identify and prioritize suppliers based on their criticality to organizational operations.
     GV.SC-05: Establish, prioritize, and integrate requirements to address cybersecurity risks in supply chains into contracts and other agreements with suppliers and relevant third parties.
     GV.SC-06: Perform planning and due diligence to reduce risks before entering into formal relationships with suppliers or other third parties.
     GV.SC-07: Understand, record, prioritize, assess, respond to, and monitor risks posed by suppliers, their products and services, and other third parties throughout the relationship.
     GV.SC-08: Include relevant suppliers and other third parties in incident planning, response, and recovery activities.
   COBIT 5 [APO10]:
     APO10 - Managed Vendors. Purpose: To ensure that third-party services meet business requirements, comply with policies, and deliver value.

9. Business Continuity & Disaster Management
   ISO 27001:
     ICT readiness for business continuity
   NIST CSF 2 [RC.RP, RC.IM, RC.CO]:
     Recovery Planning (RC.RP) - Recovery processes and procedures are executed and maintained to ensure timely restoration of systems or assets affected by cybersecurity incidents.
     Improvements (RC.IM) - Recovery planning and processes are improved by incorporating lessons learned into future activities.
     Communications (RC.CO) - Restoration activities are coordinated with internal and external parties, such as coordinating centers, Internet Service Providers, owners of attacking systems, victims, other CSIRTs, and vendors.
   COBIT 5 [DSS04]:
     DSS04 - Managed Continuity. Purpose: Establish and maintain plans to respond to potential disruptions.

10. Monitoring, Audit a
   ISO 27001 [9.1, 9.2]:
     9.1 - Monitoring, measurement, analysis and evaluation
     9.2 - Internal audit
   COBIT 5 [MEA01, MEA02, MEA03, MEA04]:
     MEA01 - Managed Performance and Conformance Monitoring
     MEA02 - Managed System of Internal Control
     MEA03 - Managed Compliance with External Requirements
     MEA04 - Managed Assurance