ISO 27001 Annex A — Complete Reference with NIST 800-171 and DEFSTAN 05-138 Mapping
ISO 27002:2022 restructured Annex A from 14 domains and 114 controls (2013 edition) to 4 control groups and 93 controls. This reference covers every control, its NIST 800-171 Rev 2 mapping, and its DEFSTAN 05-138 profile alignment, with overlap significance rated for each.
The 2022 restructure — what changed and why it matters for multi-framework compliance
ISO 27002:2022 did not simply rename the 2013 controls. It added 11 entirely new controls (addressing threat intelligence, cloud security, ICT supply chain, data leakage prevention, and others), merged several overlapping controls, and reorganised everything into four groups that reflect how modern security programmes are structured rather than how they were documented in 2005.
The four groups are:
Group 5 — Organisational controls (37 controls): Policies, governance, supplier relationships, incident management, compliance — the "why and who" of security.
Group 6 — People controls (8 controls): HR security throughout the employment lifecycle — the "human risk" layer.
Group 7 — Physical controls (14 controls): Physical security of facilities, equipment, and media — the "where" of security.
Group 8 — Technological controls (34 controls): Technical security measures for systems, networks, and data — the "how" of security.
For multi-framework compliance, the critical insight is that NIST 800-171's 14 families map most heavily onto Groups 5 and 8, with some coverage in Groups 6 and 7. DEFSTAN 05-138's profile structure maps quite directly — Profile 0 covers mostly Group 7 and parts of Groups 5 and 8; Profile 1 adds the bulk of Groups 5 and 6; Profile 2 covers the more technical parts of Group 8.
Overlap significance rating
For each control, the overlap with NIST 800-171 and DEFSTAN is rated:
●●● High overlap — this control and the NIST/DEFSTAN requirement address the same operational question; evidence produced for one directly satisfies the other
●●○ Moderate overlap — the control and the NIST/DEFSTAN requirement are related but scope or depth differs; evidence partially overlaps
●○○ Light overlap — the control provides supporting context for NIST/DEFSTAN but the requirements are addressed differently
○○○ Minimal or no overlap — the control is primarily an ISO 27001 construct with limited NIST/DEFSTAN equivalent
Group 5 — Organisational Controls (37 controls)
5.1 through 5.37
| Control | Name | NIST 800-171 mapping | DEFSTAN 05-138 | NIST overlap | DEFSTAN overlap | Notes |
|---|---|---|---|---|---|---|
| 5.1 | Policies for information security | 3.12.4 (SSP — policy context) | P0 — all profiles require documented security policy | ●●○ | ●●● | The information security policy is the top-level document that all NIST SSP content and DEFSTAN compliance rests on |
| 5.2 | Information security roles and responsibilities | 3.12.4 (SSP — role assignments) | P1 — named CISO required | ●●○ | ●●● | DEFSTAN P1 explicitly requires a named responsible individual; NIST requires role assignment in the SSP |
| 5.3 | Segregation of duties | 3.1.4 (separate duties of individuals) | P2 — §Access | ●●● | ●●○ | NIST 3.1.4 is a direct implementation requirement; DEFSTAN P2 requires it for financial and privileged functions |
| 5.4 | Management responsibilities | 3.12.3 (monitor and maintain ISMS — management ownership) | P1 §Governance | ●○○ | ●●○ | Management responsibility is implied throughout NIST; DEFSTAN P1 requires documented governance accountability |
| 5.5 | Contact with authorities | 3.6.2 (incident reporting to authorities — DFARS/ICO) | P1 §Incident Management | ●●○ | ●●● | DFARS §252.204-7012 reporting to DoD and DEFSTAN 24-hour notification requirement are both expressed through this control |
| 5.6 | Contact with special interest groups | 3.14.3 (monitor security alerts and advisories) | P2 §Governance | ●●○ | ●○○ | NCSC Early Warning, CISP, and CISA KEV subscriptions satisfy this control and 3.14.3 simultaneously |
| 5.7 | Threat intelligence | 3.14.3 (monitor alerts and advisories) | P2 §Audit and Monitoring | ●●● | ●●○ | New in 2022. NIST 3.14.3 is the direct operational implementation — advisory review logs satisfy both |
| 5.8 | Information security in project management | 3.12.1 (assess security controls) · 3.4.4 (security impact analysis) | P2 §Config Mgmt | ●●○ | ●●○ | The SIA (Security Impact Assessment) in the change management process directly implements this |
| 5.9 | Inventory of information and other associated assets | 3.4.1 (establish and maintain component inventory) | P1 §Config Mgmt | ●●● | ●●● | EV-D22 (asset register) satisfies ISO 27001 A.5.9, NIST 3.4.1, and DEFSTAN P1 inventory requirement simultaneously |
| 5.10 | Acceptable use of information and other assets | 3.1.1 (limit access to authorised users) · 3.1.2 (limit transactions to authorised users) | P0 §Access (supporting) | ●●○ | ●●○ | The Acceptable Use Policy operationalises this control and provides the human-layer enforcement for 3.1.1 and 3.1.2 |
| 5.11 | Return of assets | 3.9.2 (protect CUI following personnel actions) | P1 §Personnel | ●●○ | ●●○ | The leaver checklist (EV-D04) — specifically the property return section — satisfies this alongside 3.9.2 |
| 5.12 | Classification of information | 3.8.1 (protect system media) · 3.8.4 (mark media with necessary CUI markings) | P1 §Data Handling | ●●○ | ●●● | CUI classification scheme maps to ISO 27001 classification tiers; DEFSTAN OFFICIAL/OFFICIAL-SENSITIVE classification is a direct expression of this control |
| 5.13 | Labelling of information | 3.8.4 (mark media with necessary CUI markings) | P2 §Data Handling | ●●● | ●●● | Physical and electronic CUI marking requirements satisfy 5.13, 3.8.4, and DEFSTAN P2 data marking requirements |
| 5.14 | Information transfer | 3.1.3 (control the flow of CUI) · 3.13.8 (implement cryptographic mechanisms) | P2 §Boundary · P2 §Cryptography | ●●● | ●●○ | CUI transfer controls — secure file transfer, encrypted email, DLP — satisfy 5.14 and 3.1.3 together |
| 5.15 | Access control | 3.1.1, 3.1.2 (access limited to authorised users and transactions) | P0 §Access | ●●● | ●●● | Access control policy is the policy-level expression of the entire NIST AC family (3.1.1–3.1.22) and DEFSTAN P0 §Access |
| 5.16 | Identity management | 3.5.1 (identify users, processes, and devices) · 3.5.5 (identifier management) · 3.5.6 (manage identifiers) | P0 §Identification | ●●● | ●●● | Named accounts, identifier lifecycle management, and no-shared-accounts requirement all map here |
| 5.17 | Authentication information | 3.5.7 (enforce minimum password complexity) · 3.5.8 (prohibit reuse) · 3.5.9 (allow temp passwords) · 3.5.10 (store and transmit cryptographically protected) · 3.5.11 (obscure feedback) | P0–P2 §Identification | ●●● | ●●● | FGPP settings, password history, complexity requirements — evidence at EV-D19 satisfies all three frameworks for this control |
| 5.18 | Access rights | 3.1.1, 3.1.2, 3.1.3 (access control enforcement) | P1 §Access | ●●● | ●●● | JML process (EV-D03/D04) and access reviews (EV-D01/D02) satisfy 5.18, multiple NIST 3.1.x controls, and DEFSTAN P1 |
| 5.19 | Information security in supplier relationships | 3.12.1 (supporting — supplier security assessment) | P2 §Supplier Security | ●○○ | ●●○ | NIST has no explicit supplier security control at the family level; DEFSTAN P2 requires supply chain assurance |
| 5.20 | Addressing security within supplier agreements | 3.12.1 (supporting) | P2 §Supplier Security | ●○○ | ●●● | DEFSTAN P2 requires contractual security obligations on sub-contractors with OFFICIAL access |
| 5.21 | Managing security in ICT supply chain | 3.12.1 (supporting) | P2 §Supplier Security | ●○○ | ●●○ | New in 2022. Focuses on hardware and software supply chain integrity — relevant to CMMC supply chain risk but no direct NIST 800-171 control |
| 5.22 | Monitoring and review of supplier services | 3.12.3 (monitor security controls — supplier component) | P2 §Supplier Security | ●○○ | ●●○ | Annual supplier review feeds the risk assessment |
| 5.23 | Information security for use of cloud services | 3.1.20 (verify and control connections to external systems) · 3.13.1 (protect communications at boundaries) | P2 §Boundary (cloud) | ●●○ | ●●○ | New in 2022. Cloud security group controls (AWS/Azure) satisfy 5.23 and the boundary controls simultaneously |
| 5.24 | Information security incident management planning | 3.6.1 (establish incident handling capability) | P1 §Incident Management | ●●● | ●●● | The IRP (EV-D11) satisfies 5.24, NIST 3.6.1, and DEFSTAN P1 documented incident procedure requirement |
| 5.25 | Assessment and decision on information security events | 3.6.2 (track, document, report, and correct) | P1 §Incident Management | ●●● | ●●○ | Incident classification scheme (Class 1–4) implements this control |
| 5.26 | Response to information security incidents | 3.6.2 (track, document, report, correct) | P1 §Incident Management | ●●● | ●●● | Incident records (EV-D12) satisfy 5.26, 3.6.2, and DEFSTAN P1 incident documentation requirement |
| 5.27 | Learning from information security incidents | 3.6.2 (document and correct — includes PIR) | P2 §Incident Management | ●●● | ●●● | Post-incident reviews (EV-D13) satisfy 5.27, 3.6.2, and DEFSTAN P2 annual lessons-learned requirement |
| 5.28 | Collection of evidence | 3.6.2 (retain records of incidents) | P1–P2 §Incident Management | ●●● | ●●○ | Evidence preservation procedure in the IRP and EV-D12 evidence section |
| 5.29 | Information security during disruption | 3.6.1 (supporting — BCM integration with IR) | P2 §BCM (implied) | ●○○ | ●○○ | BCP (OP-05) satisfies 5.29; minimal direct NIST mapping |
| 5.30 | ICT readiness for business continuity | 3.6.1 (supporting) | P2 §BCM (implied) | ●○○ | ●○○ | DR procedures and RTO/RPO definitions satisfy 5.30 |
| 5.31 | Legal, statutory, regulatory, and contractual requirements | 3.12.4 (SSP — regulatory context) | P0 — all profiles | ●○○ | ●●● | DEFSTAN compliance is itself a contractual requirement under this control; DFARS is the regulatory requirement |
| 5.32 | Intellectual property rights | No direct NIST mapping | Not a DEFSTAN domain | ○○○ | ○○○ | ISO 27001-specific; primarily a legal and procurement concern |
| 5.33 | Protection of records | 3.12.4 (SSP — documented information maintenance) | P1 (general governance) | ●○○ | ●○○ | Evidence retention periods across the EV series satisfy this control |
| 5.34 | Privacy and protection of PII | No direct NIST 800-171 mapping (CUI includes some PII) | P2 (data handling — overlap) | ●○○ | ●○○ | UK GDPR is the primary driver; NIST has CUI/PII overlap for some CUI categories |
| 5.35 | Independent review of information security | 3.12.1 (periodically assess security controls) | P2 §Governance | ●●● | ●●● | Annual internal assessment (EV-A02) and triennial C3PAO assessment satisfy 5.35 and NIST 3.12.1 and DEFSTAN P2 governance review |
| 5.36 | Compliance with policies, rules, and standards | 3.12.2 (POA&M) · 3.12.3 (monitor controls) | P2 §Governance | ●●● | ●●○ | Continuous monitoring programme (EV-F series) satisfies 5.36 and NIST 3.12.2/3.12.3 |
| 5.37 | Documented operating procedures | 3.4.1 (baselines) · 3.4.3 (change procedures) | P1 §Config Mgmt | ●●● | ●●● | BL-[PLATFORM] baseline documents and OP-01 through OP-05 procedures satisfy 5.37, NIST 3.4.x, and DEFSTAN P1 |
Group 6 — People Controls (8 controls)
6.1 through 6.8
| Control | Name | NIST 800-171 mapping | DEFSTAN 05-138 | NIST overlap | DEFSTAN overlap | Notes |
|---|---|---|---|---|---|---|
| 6.1 | Screening | 3.9.1 (screen individuals prior to authorising access) | P1 §Personnel — BPSS minimum; P2 — SC/DV clearance | ●●● | ●●● | EV-B02 (BPSS screening register) satisfies 6.1, NIST 3.9.1, and DEFSTAN P1 §Personnel screening requirement. The date relationship (screening date must precede provisioning date) is tested by all three frameworks |
| 6.2 | Terms and conditions of employment | 3.9.1 (supporting — contractual obligation) | P1 §Personnel | ●●○ | ●●○ | Security schedule in employment contract establishes the enforceable obligation that other controls rest on |
| 6.3 | Information security awareness, education and training | 3.2.1 (ensure awareness) · 3.2.2 (ensure training) · 3.2.3 (insider threat awareness) | P1 §Personnel (awareness) · P2 §Personnel (role-specific) | ●●● | ●●● | EV-B05 (awareness training) and EV-B06 (role-specific training) satisfy 6.3, all three NIST 3.2.x controls, DEFSTAN P1 awareness, and DEFSTAN P2 role-specific requirements simultaneously |
| 6.4 | Disciplinary process | 3.9.2 (supporting — enforcement mechanism) | P1 §Personnel | ●○○ | ●●○ | The disciplinary framework is the enforcement backstop for all behavioural controls |
| 6.5 | Responsibilities after termination or change of employment | 3.9.2 (protect CUI following personnel actions) | P0 §Access (account lifecycle) | ●●● | ●●● | EV-D04 (leaver checklist) satisfies 6.5, NIST 3.9.2, and DEFSTAN P0 account lifecycle requirement |
| 6.6 | Confidentiality or non-disclosure agreements | 3.9.2 (supporting — confidentiality obligation) | P1 §Personnel | ●●○ | ●●● | NDAs (EV-B09) satisfy 6.6 and DEFSTAN contractor confidentiality requirements |
| 6.7 | Remote working | 3.1.12 (monitor remote access sessions) · 3.1.14 (route via managed access control points) · 3.1.20 (verify external connections) | P1 §Access (remote access VPN) | ●●● | ●●○ | VPN requirement, device management for remote access, and the Working From Home guidance page together satisfy 6.7 and the NIST remote access cluster |
| 6.8 | Information security event reporting | 3.6.1 (establish incident handling capability — including reporting by users) | P1 §Incident Management | ●●● | ●●○ | All-staff incident reporting guidance (User Guidance Hub) and the IRP user section satisfy 6.8 and NIST 3.6.1's reporting obligation |
Group 7 — Physical Controls (14 controls)
7.1 through 7.14
| Control | Name | NIST 800-171 mapping | DEFSTAN 05-138 | NIST overlap | DEFSTAN overlap | Notes |
|---|---|---|---|---|---|---|
| 7.1 | Physical security perimeters | 3.10.1 (limit physical access to authorised individuals) | P0 §Physical — boundary protection | ●●● | ●●● | The zone model (Zone 1/2/3) and ACS directly implement 7.1, NIST PE.L1-3.10.1, and DEFSTAN P0 physical boundary requirement |
| 7.2 | Physical entry | 3.10.2 (protect and monitor the physical facility) | P0 §Physical — controlled entry | ●●● | ●●● | ACS card readers, PIN pads, and the Zone 3 access list satisfy 7.2, NIST 3.10.2, and DEFSTAN P0 |
| 7.3 | Securing offices, rooms and facilities | 3.10.1 (limit physical access) | P0 §Physical | ●●○ | ●●○ | Zone 3 (server room) security — locked racks, secure storage, restricted access — implements this |
| 7.4 | Physical security monitoring | 3.10.2 (protect and monitor the physical facility) | P0 §Physical — CCTV | ●●● | ●●● | CCTV system (EV-D29) satisfies 7.4, NIST 3.10.2, and DEFSTAN P0 CCTV requirement |
| 7.5 | Protecting against physical and environmental threats | 3.10.1 (supporting — environmental controls) | P1 §Physical (environmental) | ●○○ | ●○○ | Environmental monitoring (temperature, humidity, flood detection in server room) |
| 7.6 | Working in secure areas | 3.10.1 (limit access — behaviour within secure areas) | P1 §Physical | ●●○ | ●●○ | Secure area access rules and the prohibition on unsupervised non-cleared contractor access |
| 7.7 | Clear desk and clear screen | 3.1.10 (use session lock — the screen component) | P0 §Access (supporting) | ●●○ | ●●○ | Screen lock policy (15-minute inactivity) and clear desk guidance in the User Guidance Hub |
| 7.8 | Equipment siting and protection | 3.10.1 (supporting — physical protection of systems) | P0 §Physical | ●○○ | ●●○ | Server rack security, cable management, and power protection in Zone 3 |
| 7.9 | Security of assets off-premises | 3.10.5 (implement safeguards for CUI at alternative work sites) · 3.1.19 (encrypt CUI on mobile devices) | P1 §Physical (off-site) | ●●● | ●●● | Full Disk Encryption requirement for mobile devices and the travel security guidance satisfy 7.9, NIST 3.10.5, 3.1.19, and DEFSTAN P1 off-site asset protection |
| 7.10 | Storage media | 3.8.1 (protect system media containing CUI) · 3.8.2 (limit access to CUI on media) · 3.8.5 (control access to media containing CUI) | P1 §Physical · P2 §Data Handling | ●●● | ●●● | Media register (EV-D22) satisfies 7.10, multiple NIST 3.8.x controls, and DEFSTAN media accountability requirements |
| 7.11 | Supporting utilities | 3.10.1 (supporting — power continuity for CUI systems) | P1 §Physical | ●○○ | ●○○ | UPS, generator, and power conditioning for server room |
| 7.12 | Cabling security | 3.10.1 (supporting — physical network protection) | P1 §Physical | ●○○ | ●○○ | Structured cabling in conduit; switch room access control |
| 7.13 | Equipment maintenance | 3.7.1 (perform maintenance on systems) · 3.7.2 (provide controls for maintenance tools) · 3.7.6 (supervise maintenance activities) | P1 §Maintenance | ●●● | ●●● | EV-D24 (contractor/maintenance records) satisfies 7.13, NIST 3.7.x maintenance family, and DEFSTAN P1 maintenance supervision requirement |
| 7.14 | Secure disposal or re-use of equipment | 3.8.3 (sanitise or destroy media before disposal — CMMC L1) | P1 §Physical — sanitisation | ●●● | ●●● | EV-D25 (destruction certificates) and EV-D26 (sanitisation log) satisfy 7.14, MP.L1-3.8.3 (highest-priority CMMC L1 in this family), and DEFSTAN P1 disposal requirement. Note DEFSTAN requires per-asset serial numbers on certificates — this is tested |
Group 8 — Technological Controls (34 controls)
8.1 through 8.34
| Control | Name | NIST 800-171 mapping | DEFSTAN 05-138 | NIST overlap | DEFSTAN overlap | Notes |
|---|---|---|---|---|---|---|
| 8.1 | User endpoint devices | 3.1.18 (control mobile device connections) · 3.1.19 (encrypt CUI on mobile) · 3.4.1 (baseline configs) | P1 §Config Mgmt | ●●● | ●●● | MDM configuration, BL-WIN11/BL-MAC baselines, and FDE requirement satisfy 8.1 across all three frameworks |
| 8.2 | Privileged access rights | 3.1.5 (employ least privilege) · 3.1.6 (use non-privileged accounts for non-security functions) · 3.1.7 (prevent non-privileged users from executing privileged functions) | P2 §Access | ●●● | ●●○ | Dual-account model (firstname.lastname + adm-accounts), PAM, and EV-D01 quarterly privileged review satisfy 8.2 and NIST 3.1.5–3.1.7 |
| 8.3 | Information access restriction | 3.1.2 (limit system access to types of transactions authorised) · 3.1.3 (control the flow of CUI) | P1 §Access | ●●● | ●●● | RBAC implementation, CUI group membership, and need-to-know enforcement |
| 8.4 | Access to source code | 3.1.5 (least privilege — source code context) | P2 §Config Mgmt | ●○○ | ●○○ | Repository access controls; relevant only to organisations with software development in scope |
| 8.5 | Secure authentication | 3.5.2 (authenticate before access) · 3.5.3 (use MFA) · 3.5.4 (employ replay-resistant mechanisms) · 3.5.11 (obscure feedback) | P0 §Identification · P2 §Access | ●●● | ●●● | Conditional Access policies (CA-001 through CA-004) and FIDO2 for privileged accounts directly implement 8.5, NIST 3.5.2–3.5.4, and DEFSTAN identification requirements |
| 8.6 | Capacity management | 3.12.3 (monitor and maintain controls — capacity component) | P2 (implied) | ●○○ | ●○○ | SIEM storage health (EV-F06) is the primary implementation |
| 8.7 | Protection against malware | 3.14.2 (provide malware protection) · 3.14.4 (update mechanisms) · 3.14.5 (periodic and real-time scans) | P1 §Malware | ●●● | ●●● | EV-D32 (AV coverage report) satisfies 8.7, all three CMMC L1 malware practices, and DEFSTAN P1 §Malware. One of the densest multi-framework overlaps in the entire standard |
| 8.8 | Management of technical vulnerabilities | 3.14.1 (identify, report, correct flaws — CMMC L1) · 3.11.2 (scan for vulnerabilities) · 3.11.3 (remediate per risk assessment) | P1 §Patching · P2 §Vulnerability Mgmt | ●●● | ●●● | EV-D06 (scans), EV-D07 (patch register), EV-D08 (exceptions) satisfy 8.8, NIST 3.14.1/3.11.2/3.11.3, and DEFSTAN P1 patching requirement. The SLA clock from vendor release date applies identically under all three frameworks |
| 8.9 | Configuration management | 3.4.1 (establish system inventory) · 3.4.2 (establish and enforce security configuration settings) | P1 §Config Mgmt | ●●● | ●●● | BL-[PLATFORM] baselines, CIS-CAT Pro audits (EV-D20), and the asset register (EV-D22) satisfy 8.9 comprehensively |
| 8.10 | Information deletion | 3.8.3 (sanitise or destroy media) | P1 §Physical (data deletion) | ●●● | ●●● | Media sanitisation procedures in FC-07 and EV-D26 satisfy 8.10 and NIST 3.8.3 |
| 8.11 | Data masking | 3.1.3 (control CUI flow — masking as one mechanism) | P2 (implied in data handling) | ●○○ | ●○○ | Primarily relevant to database environments; test data management and PII pseudonymisation |
| 8.12 | Data leakage prevention | 3.13.4 (prevent unauthorised information transfer) | P2 §Boundary | ●●● | ●●● | DLP deployment on email gateway and web proxy satisfies 8.12 and NIST 3.13.4. New in 2022 ISO — the DLP evidence (EV-F05) is now specifically mapped |
| 8.13 | Information backup | 3.8.9 (protect backup CUI) | P2 §Data Handling | ●●● | ●●○ | EV-D27 (backup logs) and EV-D28 (restoration tests) satisfy 8.13 and NIST 3.8.9 |
| 8.14 | Redundancy of information processing facilities | 3.6.1 (supporting — BCM/DR component) | P2 (implied) | ●○○ | ●○○ | HA configurations, failover DR procedures |
| 8.15 | Logging | 3.3.1 (create and retain system audit logs) · 3.3.2 (ensure individual accountability) | P2 §Audit and Monitoring | ●●● | ●●● | SIEM log source configuration (OP-03), WEF configuration, and EV-F06 (SIEM health) satisfy 8.15, NIST 3.3.1/3.3.2, and DEFSTAN P2 audit logging requirement |
| 8.16 | Monitoring activities | 3.14.3 (monitor security alerts) · 3.14.6 (monitor for attacks) · 3.14.7 (identify unauthorised use) | P2 §Audit and Monitoring | ●●● | ●●● | EV-F01 (monthly SIEM log review) is the primary evidence satisfying 8.16 and the three NIST monitoring controls simultaneously |
| 8.17 | Clock synchronisation | 3.3.7 (provide capability to correlate and audit across systems — requires NTP) | P2 §Audit (implied — NTP is prerequisite) | ●●● | ●●● | NTP hierarchy (chrony, Zone 4 stratum 1) and the NTP section of EV-F06 satisfy 8.17 and NIST 3.3.7 |
| 8.18 | Use of privileged utility programs | 3.4.9 (control and monitor user-installed software — utilities specifically) | P2 §Config Mgmt | ●●● | ●●○ | WDAC/AppLocker policy restricting utility execution on CUI servers |
| 8.19 | Installation of software on operational systems | 3.4.6 (implement least functionality) · 3.4.7 (restrict program execution) · 3.4.8 (deny by exception) · 3.4.9 (control user-installed software) | P2 §Config Mgmt | ●●● | ●●● | Approved software list, software restriction GPO/MDM, and MDM-enforced software management satisfy 8.19 and NIST 3.4.6–3.4.9 |
| 8.20 | Networks security | 3.13.1 (monitor, control, and protect communications at boundaries — CMMC L1) · 3.1.20 (verify external connections — CMMC L1) | P0 §Boundary · P1 §Boundary | ●●● | ●●● | The zone model, firewall configuration, and EV-F03 (rule review) satisfy 8.20, CMMC L1 practices SC.L1-3.13.1 and AC.L1-3.1.20, and DEFSTAN P0 boundary requirement. Dense three-framework overlap |
| 8.21 | Security of network services | 3.13.1 (protect communications) · 3.1.20 (external connections) | P1 §Boundary | ●●● | ●●○ | Network service agreements and the external connection register (EV-D19) |
| 8.22 | Segregation of networks | 3.13.2 (employ architectural designs for CUI systems) · 3.13.3 (prevent remote devices from simultaneously connecting) | P1 §Boundary · P2 §Architecture | ●●● | ●●● | VLAN separation and the zone model directly implement 8.22, NIST 3.13.2/3.13.3, and DEFSTAN P1 network segmentation requirement |
| 8.23 | Web filtering | 3.14.6 (monitor for attacks — web-based threats) | P2 §Boundary | ●●● | ●●○ | Web proxy URL category blocking and DNS filtering implement 8.23 and the web-based component of NIST 3.14.6 |
| 8.24 | Use of cryptography | 3.13.8 (implement cryptographic mechanisms) · 3.13.10 (establish and manage cryptographic keys) · 3.13.11 (employ FIPS-validated cryptography) · 3.13.15 (protect authenticity of communications) · 3.13.16 (protect CUI at rest) | P2 §Cryptography | ●●● | ●●● | EV-D31 (annual encryption audit with FIPS certificate numbers) is the primary evidence satisfying 8.24 and five NIST SC controls. The FIPS validation requirement (3.13.11) is the most commonly missed — requires CMVP certificate numbers, not just algorithm names |
| 8.25 | Secure development lifecycle | 3.4.4 (analyse security impact — development context) | P2 §Config Mgmt | ●●○ | ●○○ | Relevant to organisations with in-scope software development |
| 8.26 | Application security requirements | 3.13.9 (terminate network sessions after period of inactivity) · 3.13.14 (control and monitor the use of VoIP) | P2 §Boundary | ●●○ | ●○○ | Session timeout configuration and VoIP security baseline |
| 8.27 | Secure system architecture and engineering principles | 3.13.2 (employ architectural designs) | P2 §Architecture | ●●○ | ●●○ | Security architecture reviews (AT-SC-ARC) and the SSP architecture description |
| 8.28 | Secure coding | 3.4.4 (security impact analysis — code changes) | P2 §Config Mgmt | ●○○ | ●○○ | SAST/DAST tooling; primarily relevant to development organisations |
| 8.29 | Security testing in development and acceptance | 3.4.4 (security impact analysis — testing component) | P2 §Config Mgmt | ●○○ | ●○○ | UAT security gates in the change management process |
| 8.30 | Outsourced development | 3.12.1 (supporting — supplier security in development context) | P2 §Supplier Security | ●○○ | ●○○ | Applicable to organisations using external development suppliers |
| 8.31 | Separation of development, testing and production environments | 3.4.5 (define, document, approve, and enforce physical and logical access restrictions) | P2 §Config Mgmt | ●●○ | ●●○ | Dev/test/prod separation and the access restrictions preventing cross-environment access |
| 8.32 | Change management | 3.4.3 (track, review, approve, and log changes) · 3.4.4 (analyse security impact of changes) | P1 §Config Mgmt · P2 §Config Mgmt | ●●● | ●●● | EV-D21 (RFC change records with SIA) satisfies 8.32, NIST 3.4.3/3.4.4, and DEFSTAN P1/P2 change management requirements |
| 8.33 | Test information | 3.4.5 (access restrictions for change — test data context) | P2 §Config Mgmt | ●○○ | ●○○ | Production data not used in test environments; test data masking |
| 8.34 | Protection of information systems during audit testing | 3.12.1 (assess security controls — audit controls themselves) | P2 §Governance | ●●○ | ●○○ | Vulnerability scanning and penetration testing scope agreements; scanner access credentials managed via PAM |
The controls where all three frameworks converge most heavily
These are the twelve controls where ISO 27001, NIST 800-171, and DEFSTAN 05-138 are asking the same operational question, and where a single well-designed evidence item satisfies all three simultaneously. These twelve controls represent the highest-leverage investment in evidence production.
| Annex A control | Why all three converge | NIST 800-171 controls | DEFSTAN profile | Primary evidence |
|---|---|---|---|---|
| 8.7 — Protection against malware | All three frameworks have mandatory AV requirements at baseline level (CMMC L1, CE, DEFSTAN P0/P1). The evidence format is nearly identical across frameworks. | 3.14.2, 3.14.4, 3.14.5 | P0–P1 §Malware | EV-D32 monthly coverage report |
| 8.8 — Management of technical vulnerabilities | All three frameworks require documented patch management with SLA from vendor release date. The SLA requirement and EOL prohibition are explicit in all three. | 3.14.1, 3.11.2, 3.11.3 | P0–P2 §Patching | EV-D06, EV-D07, EV-D08 |
| 8.15 — Logging | NIST 3.3.1 requires audit logs; DEFSTAN P2 requires audit logging for OFFICIAL systems; ISO 27001 requires logging as part of monitoring. All three require log retention and SIEM correlation. | 3.3.1, 3.3.2, 3.3.7 | P2 §Audit | SIEM configuration, EV-F06 |
| 8.16 — Monitoring activities | NIST 3.14.6/3.14.7 and DEFSTAN P2 §Audit and Monitoring both require active monitoring with human review of outputs. Monthly SIEM log review satisfies all three. | 3.14.3, 3.14.6, 3.14.7 | P2 §Audit and Monitoring | EV-F01 monthly log review |
| 8.20 — Networks security | The firewall requirement is the most universal baseline control across all five frameworks in scope. Cyber Essentials and DEFSTAN P0 both list it as the first technical control. | 3.13.1, 3.1.20 | P0–P1 §Boundary | EV-F03 rule review, firewall config |
| 8.22 — Segregation of networks | Zone model directly implements NIST 3.13.2/3.13.3 and DEFSTAN P1 network segmentation. The DMZ requirement (SC.L1-3.13.5) sits here. | 3.13.2, 3.13.3 | P1 §Boundary | Network architecture diagram, VLAN config |
| 8.24 — Use of cryptography | FIPS-validated cryptography (NIST 3.13.11) is a CMMC requirement; DEFSTAN P2 requires government-approved crypto for OFFICIAL data; ISO 27001 A.8.24 requires a cryptographic policy and key management. | 3.13.8, 3.13.10, 3.13.11, 3.13.15, 3.13.16 | P2 §Cryptography | EV-D31 encryption audit with FIPS certificate numbers |
| 5.16 — Identity management | Named accounts, identifier lifecycle, and no-shared-accounts requirements are mandatory at CMMC L1, CE, and DEFSTAN P0. All three test this first. | 3.5.1, 3.5.5, 3.5.6 | P0 §Identification | EV-D03 JML log, EV-D01 quarterly review |
| 5.17 — Authentication information | Password policy requirements are explicit and measurable in all three. The 16-character minimum, history count, and lockout threshold are tested directly. | 3.5.7, 3.5.8, 3.5.9, 3.5.10, 3.5.11 | P0–P1 §Identification | EV-D19 FGPP settings, EV-D05 MFA report |
| 7.14 — Secure disposal of equipment | Media sanitisation is a CMMC Level 1 practice (MP.L1-3.8.3), a CE Plus verification item, and a DEFSTAN P1 requirement with specific per-asset certificate requirements. | 3.8.3 | P1 §Physical — sanitisation | EV-D25 destruction certificates, EV-D26 sanitisation log |
| 6.1 — Screening | Pre-employment screening is required by NIST 3.9.1, DEFSTAN P1 (BPSS minimum), and tested by all assessors via the date relationship between screening completion and account provisioning. | 3.9.1 | P1 §Personnel — BPSS | EV-B02 screening register, EV-D03 JML log date cross-check |
| 8.9 — Configuration management | Hardened configuration baselines are required by all five frameworks. CE and DEFSTAN P0 test directly. NIST 3.4.1/3.4.2 require documented and enforced baselines. | 3.4.1, 3.4.2 | P0–P2 §Secure Config | BL-[PLATFORM] baseline docs, EV-D20 quarterly config audit |
Controls unique to ISO 27001 — minimal NIST or DEFSTAN overlap
These nine controls are primarily ISO 27001 governance constructs. They are important for certification purposes but produce little evidence that serves NIST or DEFSTAN compliance.
| Control | Name | Why minimal NIST/DEFSTAN overlap |
|---|---|---|
| 5.4 | Management responsibilities | NIST implies management ownership but has no specific control; DEFSTAN P1 governance comes close but is less prescriptive |
| 5.32 | Intellectual property rights | A legal and licensing control; no NIST 800-171 equivalent; not a DEFSTAN domain |
| 5.34 | Privacy and protection of PII | UK GDPR is the primary driver; NIST 800-171 addresses only CUI; DEFSTAN does not address PII directly |
| 8.4 | Access to source code | Relevant only to development organisations; no NIST equivalent specifically for source code |
| 8.11 | Data masking | Database and test environment concern; minimal NIST mapping |
| 8.25 | Secure development lifecycle | Development-specific; no NIST 800-171 control explicitly addresses SDLC |
| 8.28 | Secure coding | Development-specific; NIST has no secure coding control |
| 8.30 | Outsourced development | Development-specific supplier control |
| 8.33 | Test information | Test data management; no direct NIST equivalent |
New controls introduced in ISO 27002:2022 — where they sit relative to NIST and DEFSTAN
Eleven controls are entirely new in the 2022 edition. For organisations that certified under the 2013 standard, these represent gaps to be addressed before recertification.
| New control | Name | NIST 800-171 equivalent | DEFSTAN equivalent | Practical implication |
|---|---|---|---|---|
| 5.7 | Threat intelligence | 3.14.3 (monitor security alerts and advisories) | P2 §Audit and Monitoring | Advisory review log (CISA KEV, NCSC, MSUG) satisfies all three — this is the most immediately actionable new control for multi-framework organisations |
| 5.23 | Information security for use of cloud services | 3.1.20 (external connections) · 3.13.1 (boundary controls) | P2 §Boundary (cloud) | Cloud security group configuration and CSPM tools satisfy this |
| 5.30 | ICT readiness for business continuity | No direct NIST equivalent | P2 (implied) | BCM/DR procedures address this |
| 7.4 | Physical security monitoring | 3.10.2 (protect and monitor physical facility) | P0 §Physical | CCTV programme (EV-D29) — this new control creates explicit evidence requirement |
| 8.9 | Configuration management | 3.4.1, 3.4.2 | P1–P2 §Config Mgmt | Previously covered under old A.12.1 and A.14.2; now a standalone control with clearer evidence requirements |
| 8.10 | Information deletion | 3.8.3 (sanitise or destroy media) | P1 §Physical | Data deletion at end-of-retention and media sanitisation |
| 8.11 | Data masking | Minimal | Minimal | Test data management |
| 8.12 | Data leakage prevention | 3.13.4 (prevent unauthorised information transfer) | P2 §Boundary | EV-F05 (DLP alert review) now has an explicit Annex A control to satisfy |
| 8.16 | Monitoring activities | 3.14.3, 3.14.6, 3.14.7 | P2 §Audit and Monitoring | EV-F01 monthly SIEM review — previously implied under old A.12.4; now explicit |
| 8.23 | Web filtering | 3.14.6 (monitor for web-based attacks) | P2 §Boundary | Web proxy URL filtering and DNS filtering — the EV-F04 proxy review section |
| 8.28 | Secure coding | Minimal | Minimal | Development-specific; SAST/DAST tooling |
DEFSTAN profile coverage across the four groups
For reference, this maps each DEFSTAN profile's requirements onto the ISO 27002:2022 group structure. An organisation delivering at Profile 2 must address all four groups substantively.
Profile 0 (baseline — OFFICIAL tier): Primarily Group 7 (physical — 7.1, 7.2, 7.4) and parts of Group 8 (8.7 malware, 8.8 patching, 8.9 secure configuration, 8.20 network security) and Group 5 (5.1 policy, 5.16/5.17 identity and authentication)
Profile 1 (standard — most OFFICIAL-SENSITIVE): Adds: most of Group 5 (5.2, 5.5, 5.9, 5.24–5.28, 5.35, 5.37), most of Group 6 (6.1, 6.2, 6.3, 6.5, 6.6), Group 7 completion (7.13, 7.14), and Group 8 additions (8.13, 8.15, 8.32)
Profile 2 (enhanced — higher-sensitivity work): Adds: Group 8 technical controls (8.2, 8.12, 8.16, 8.17, 8.22, 8.24), Group 5 governance additions (5.7, 5.19–5.23), and the deeper operational controls (8.8 vulnerability scanning programme, 8.34 audit testing protection)
Quick-reference mapping summary
For the most common assessment preparation question — "which Annex A controls do I need to evidence most urgently for a combined ISO 27001 / CMMC / DEFSTAN assessment?" — the answer is the twelve high-overlap controls listed above, plus the five Annex A controls that map to CMMC Level 1 practices:
| CMMC Level 1 practice | Annex A control | Control name |
|---|---|---|
| AC.L1-3.1.1 | 5.15 / 5.16 | Access control / Identity management |
| AC.L1-3.1.2 | 8.3 | Information access restriction |
| AC.L1-3.1.20 | 8.20 / 8.21 | Networks security / Security of network services |
| IA.L1-3.5.1 | 5.16 | Identity management |
| IA.L1-3.5.2 | 8.5 | Secure authentication |
| SI.L1-3.14.1 | 8.8 | Management of technical vulnerabilities |
| SI.L1-3.14.2 | 8.7 | Protection against malware |
| SI.L1-3.14.4 | 8.7 | Protection against malware |
| SI.L1-3.14.5 | 8.7 | Protection against malware |
| PE.L1-3.10.1 | 7.1 / 7.2 | Physical security perimeters / Physical entry |
| PE.L1-3.10.2 | 7.4 | Physical security monitoring |
| PE.L1-3.10.3 | 7.2 | Physical entry |
| MP.L1-3.8.3 | 7.14 | Secure disposal or re-use of equipment |
| PE.L1-3.10.5 | 7.9 | Security of assets off-premises |
| AC.L1-3.1.22 | 5.12 / 5.13 | Classification / Labelling |
| SC.L1-3.13.1 | 8.20 | Networks security |
| SC.L1-3.13.5 | 8.22 | Segregation of networks |
These seventeen CMMC Level 1 practices map to just eleven Annex A controls. A defence supplier maintaining solid evidence across those eleven controls is simultaneously addressing the majority of CMMC Level 1, the most-tested Cyber Essentials requirements, and DEFSTAN Profile 0 — which is precisely why the Fundamental Controls section of this ISMS space (FC-01 through FC-05) is structured the way it is.