7. Reference Library Cross-framework

The workbook has five sheets and covers all 93 ISO 27001:2022 Annex A controls:

Sheet 1 — Control Mapping (the main reference): All 93 controls in Annex A order, grouped by the four categories (Organisational, People, Physical, Technological). Each row shows the NIST 800-171 control reference(s), the NIST family, any CMMC Level 1 practice(s), the Cyber Essentials domain, a DEFSTAN 05-138 area reference, the compliance tier (colour-coded green/blue/purple), and a concrete implementation note for your Confluence page. Green cells in the CMMC column flag one of the 17 Level 1 practices; yellow cells flag a Cyber Essentials domain hit.

Sheet 2 — CMMC Level 1: All 17 practices from FAR 52.204-21 with the exact clause reference, NIST 800-171 control number, and the ISO 27001 Annex A controls they map back to. Note that Awareness and Training (3.2.1/3.2.2) are not in Level 1 — they appear at CMMC Level 2 only.

Sheet 3 — Cyber Essentials: The five technical domains expanded with specific control requirements (e.g. 14-day critical patching SLA, daily AV signature updates), mapped back to ISO 27001 Annex A and NIST 800-171 families.

Sheet 4 — NIST 800-171 Families: All 14 control families with control counts and cross-references, useful for gap analysis against a NIST assessment scope.

Sheet 5 — How to Use: Usage guidance including the note that DEFSTAN 05-138 references use domain/area labels with P1/P2 profile indicators rather than exact clause numbers, since the full standard is a restricted MOD document.

To use this in Confluence, attach the workbook to your Reference Library page and add the corresponding framework labels to each control page, starting with the ISO control ID. For example, label your Access Control procedure page with iso-5.15, cmmc-ac-l1, and ce-uac so that it surfaces correctly in space searches and Scroll Content Manager filters.