Control Families Control families in information security standards like NIST SP 800-53 and ISO 27001 represent a structured approach to safeguarding critical assets and ensuring the confidentiality, integrity, and availability of sensitive information. These control families are essential for establishing and maintaining robust security practices within an organization.NIST SP 800-53 Control Families
Control Family | Core Functions | Cybersecurity Framework Components |
|---|---|---|
Access Control (AC) | Manage and restrict access to information systems. | Identification and Authentication (IA), System and Communications Protection (SC) |
Audit and Accountability (AU) | Audit system activities and retain audit logs. | Audit and Accountability (AU) |
Awareness and Training (AT) | Provide security awareness and training. | Awareness and Training (AT) |
Security Assessment and Authorization (CA) | Assess and authorize information systems. | Security Assessment and Authorization (CA) |
Configuration Management (CM) | Manage and control system configurations. | Configuration Management (CM) |
Contingency Planning (CP) | Plan for, respond to, and recover from incidents. | Contingency Planning (CP) |
Identification and Authentication (IA) | Verify the identity of users and devices. | Identification and Authentication (IA) |
Incident Response (IR) | Plan, coordinate, and respond to security incidents. | Incident Response (IR) |
Maintenance (MA) | Manage system maintenance, including patching. | Maintenance (MA) |
Security Assessment (RA) | Conduct security assessments and validate controls. | Security Assessment (RA) |
System and Communications Protection (SC) | Secure communication and protect data. | System and Communications Protection (SC) |
System and Information Integrity (SI) | Monitor and ensure system integrity. | System and Information Integrity (SI) |
Program Management (PM) | Govern and manage the security program. | Program Management (PM) |
System and Services Acquisition (SA) | Acquire and procure secure information systems. | System and Services Acquisition (SA) |
Security Planning and Policy (PL) | Develop and maintain security policies and plans. | Security Planning and Policy (PL) |
Supply Chain Risk Management (SR) | Assess and manage supply chain risks. | Supply Chain Risk Management (SR) |
Privacy (PR) | Protect personally identifiable information (PII). | Privacy (PR) |
Security Architecture and Engineering (AE) | Develop secure system architecture. | Security Architecture and Engineering (AE) |
Testing and Evaluation (TE) | Test and evaluate security controls and systems. | Testing and Evaluation (TE) |
Risk Assessment (RA) | Assess and manage information security risks. | Risk Assessment (RA) |
ISO 27001 Control Families
Control Family | Core Functions |
|---|---|
Information Security Policies | Establish and maintain security policies. |
Organization of Information Security | Define roles and responsibilities for security. |
Human Resource Security | Manage the security aspects of employees and contractors. |
Asset Management | Inventory and classification of information assets. |
Access Control | Restrict access to information and systems. |
Cryptography | Protect information through encryption and related methods. |
Physical and Environmental Security | Secure physical premises and environmental conditions. |
Operations Security | Ensure secure day-to-day operations. |
Communications Security | Protect information during network and information exchange. |
System Acquisition, Development, and Maintenance | Build and maintain secure information systems. |
Supplier Relationships | Manage security in supplier and third-party relationships. |
Information Security Incident Management | Prepare for and respond to security incidents. |
Information Security Aspects of Business Continuity Management | Ensure information security during business continuity. |
Compliance | Comply with legal and regulatory requirements. |