Introduction
The CIS (Center for Internet Security) Controls list is a well-known list of security measures for protecting your environment against cyberattacks.
The Center for Internet Security provides a handy XLS sheet for download to assist in your exercise.
Here is the link: https://www.cisecurity.org/controls/cis-controls-list/
Many companies already use this controls list, but also need to map their CIS security controls to ISO27001, for various reasons.
Implementing security controls with regard to the NIS directive is one of them, e.g. when you're implementing OT…
ISO27001 controls mapping
For that purpose, the CIS provided an XLS mapping between the CIS controls and ISO27001.
You can download the sheet from the CIS website: https://learn.cisecurity.org/controls-sub-controls-mapping-to-ISO-v1.1.a
Security note for the security freaks: apparently the document is hosted on the pardot(dot)com Salesforce website, which might be blocked by adlist domain blockers as it's used for marketing campaigns. You might need to unblock it, or use Tor browser…
Alternatively, it’s available from the CIS Workbench community at: https://workbench.cisecurity.org/files/2329 (registration might be needed to access the download)
FYI, the previous version (2019, v1) of the mapping had quite some gaps. Therefore I've submitted a suggestion for an updated CIS-ISO27001 mapping.
And after review, a new version (1.1) with updates has been published on the CIS workbench.
Direct download for version 1.1 available at: https://workbench.cisecurity.org/files/2329/download/3615
Still some gaps
You'll notice that the updated (1.1) version still has some gaps. And I'll leave it to the discretion of the CIS review work group to justify these gaps.
But I'm convinced you can map the CIS controls 100% to ISO27001, in one way or another, meaning you use ALL ISO27001 controls to a certain extent (sometimes a subset, sometimes an equal match, sometimes a superset of a control, combining controls).
But the license for use of the CIS controls mapping does not allow redistribution of modified materials…
Disclaimer (the small print)
Here’s the License from the mapping file:
Their work (quote) “is licensed under a Creative Commons Attribution-Non Commercial-No Derivatives 4.0 International Public License (the link can be found at https://creativecommons.org/licenses/by-nc-nd/4.0/legalcode)
To further clarify the Creative Commons license related to the CIS Controls™ content, you are authorized to copy and redistribute the content as a framework for use by you, within your organization and outside of your organization for non-commercial purposes only, provided that (i) appropriate credit is given to CIS, and (ii) a link to the license is provided. Additionally, if you remix, transform or build upon the CIS Controls, you may not distribute the modified materials. Users of the CIS Controls framework are also required to refer to (http://www.cisecurity.org/controls/) when referring to the CIS Controls in order to ensure that users are employing the most up-to-date guidance. Commercial use of the CIS Controls is subject to the prior approval of CIS® (Center for Internet Security, Inc.).”
So I CANNOT distribute the XLS as modified material (Why not?).
Extending the mapping
If you still want to build an extended version of the mapping on your own, download the 1.1 version and add these items to the list:
CIS section | Coverage | ISO27001 Control |
2.2 | = | A.12.5.1 |
2.5 | = | A.8.1.1 |
2.8 | small subset | A.12.5.1 |
2.10 | small superset | A.9.4.1/A.8.2 |
3.1 | small subset | A.12.6.1 |
3.2 | small subset | A.12.6.1 |
3.4 | small subset | A.12.6.1 |
3.5 | small subset | A.12.6.1 |
3.6 | small subset | A.12.6.1 |
4.1 | small superset | A.8.1.1/A.9.2.3 |
6.5 | small subset | A.12.4.1 |
6.6 | small subset | A.12.4.1 |
6.8 | small subset | A.12.4.1 |
7.3 | small subset | A.12.2.1 |
7.5 | small superset | A.8./A.13.1.1 |
7.6 | small subset | A.13.1.1 |
8.3 | small subset | A.12.2.1 |
9.5 | small subset | A.13.1.1 |
10.2 | small subset | A.12.3.1 |
10.5 | = | A.12.3.1 |
11.1 | small subset | A.13.1.1 |
11.2 | small subset | A.13.1.1 |
11.6 | small subset | A.13.1.1 |
12.1 | small subset | A.13.1.1 |
12.5 | small subset | A.13.1.1 |
12.10 | small subset | A.13.1.1 |
13.2 | small subset | A.11.2.5 |
14.7 | small subset | A.8.2.3 |
16.2 | small subset | A.9.3.1 |
16.3 | small subset | A.9.3.1 |
16.9 | small subset | A.9.2.1 |
16.10 | small subset | A.9.2.1 |
16.12 | = | A.12.4.1 |
16.13 | = | A.12.4.1 |
17.1 | = | Clause 7.2 |
18.3 | = | A.12.5.1 |
18.4 | = | A.12.5.1 |
18.7 | = | A.14.2.9 |
18.10 | small subset | A.14.2.5 |
18.11 | small subset | A.14.2.5 |
19.3 | small subset | A.16.1.1 |
19.6 | small subset | A.16.1.2 |
19.7 | small subset | A.16.1.1 |
19.8 | small subset | A.16.1.4 |
20.1 | small subset | A.18.2.3 |
20.2 | small subset | A.18.2.3 |
20.3 | small subset | A.18.2.3 |
20.4 | small subset | A.18.2.3 |
20.5 | small subset | A.18.2.3 |
20.6 | small subset | A.18.2.3 |
20.7 | small subset | A.18.2.3 |
20.8 | small subset | A.18.2.3 |
Planning for ISO Certification using CIS Controls?
When you look at it from a different angle and would like to build a plan to certify your ISO27001 implementation, you need to turn the mapping around and look for the gaps in the ISO27001 security controls AND CLAUSES when doing the CIS control mapping.
And then you’ll notice the explicit difference in approach between CIS controls and ISO27001 controls.
CIS controls focus on technical implementation to harden your cybersecurity, while ISO27001 is a management system that needs these controls, but requires a management layer to support them. CIS controls lack this management layer.
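Turning the mapping around, sketched in Python as an added example (not part of the original article or of the CIS material): it parses a few rows copied from the extension table above, normalizes references such as A12.2.1, and reports which entries of an ISO27001 checklist have no mapped CIS sub-control. The checklist is a constructed sample, not the full standard; treating a group reference such as A.8.2 as covering the controls under it, and the labels unmapped/equal/partial, are assumptions of this example.

```python
import re
from collections import defaultdict

# Rows copied from the extension table on this page (a subset, for brevity).
ROWS = """\
2.10 | small superset | A.9.4.1/A.8.2 |
4.1 | small superset | A.8.1.1/A.9.2.3 |
7.3 | small subset | A.12.2.1 |
8.3 | small subset | A12.2.1 |
17.1 | = | Clause 7.2 |
19.3 | small subset | A16.1.1 |
"""

# Constructed sample checklist: a handful of ISO27001 clauses and Annex A
# controls, NOT the complete standard.
CHECKLIST = ["Clause 5.1", "Clause 7.2", "Clause 9.3", "A.5.1.1",
             "A.8.2.3", "A.12.2.1", "A.16.1.1"]

def normalize(ref):
    """Unify 'A12.2.1' and 'A.12.2.1'; leave 'Clause 7.2' untouched."""
    return re.sub(r"^A\.?(\d)", r"A.\1", ref.strip())

def parse_rows(text):
    """Yield (cis, coverage, iso) tuples, one per ISO reference in a row."""
    out = []
    for line in text.splitlines():
        cells = [c.strip() for c in line.strip().strip("|").split("|")]
        if len(cells) != 3 or not re.fullmatch(r"\d+\.\d+", cells[0]):
            continue  # header, blank or malformed line
        cis, coverage, iso = cells
        out.extend((cis, coverage, normalize(r)) for r in iso.split("/"))
    return out

def invert(rows):
    """ISO reference -> list of (CIS sub-control, coverage label)."""
    by_iso = defaultdict(list)
    for cis, coverage, iso in rows:
        by_iso[iso].append((cis, coverage))
    return dict(by_iso)

def report(by_iso, checklist):
    """Classify each checklist entry as unmapped, equal or partial."""
    result = {}
    for item in checklist:
        # Assumption: a group reference (A.8.2) also covers A.8.2.x.
        hits = [row for ref, rows in by_iso.items()
                if item == ref or item.startswith(ref + ".") for row in rows]
        if not hits:
            result[item] = "unmapped"
        else:
            result[item] = "equal" if any(c == "=" for _, c in hits) else "partial"
    return result

if __name__ == "__main__":
    for item, status in report(invert(parse_rows(ROWS)), CHECKLIST).items():
        print(f"{item:12} {status}")
```

The entries reported as unmapped are the ISO27001 controls and clauses that need work beyond the CIS controls; run it against the full 1.1 sheet plus the rows above for a real gap list.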
If you compare both systems in a table, the story becomes clear:

The “red” areas require extra work to make it ISO27001 compliant.
And as always, if you have suggestions or feedback to improve this article, let me know, I'll fix it on the fly.