I am building an easily searchable database of risks and controls, covering Cybersecurity and IT (potentially AI also if time permits). Since I am working on this in my spare time, it might take a while to complete.
In the meantime, I will be sharing individual documents which (hopefully) are just as useful.
NIST CSF 2.0 to ISO27001:2022 Annex A (unofficial) mapping
There are no official mappings released by either NIST or ISO for their most popular publications, NIST CSF 2.0 and ISO/IEC 27001:2022. So, I went through a circuitous route, connecting the two via the older CSF 1.1, which had an ISO mapping.
The following file contains mapping between the NIST CSF 2.0 subcategories and the ISO/IEC 27001:2022 Annex A controls.
This is an “unofficial” mapping, so use it as a reference rather than a definitive source. Once either organization publishes an official version, I plan to update this file. The mapping is also limited to the Annex A controls.
If you notice any errors or if you have ideas on how to map to the Clauses, please reach out to me. I am happy to include your suggestions.
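The "circuitous route" above is a composition of three crosswalks: CSF 2.0 subcategory to CSF 1.1 subcategory, CSF 1.1 subcategory to ISO/IEC 27001:2013 Annex A control, and ISO/IEC 27001:2013 control to its ISO/IEC 27001:2022 successor. The following Python script is an added example showing how that chain is computed and how the gaps it leaves (subcategories new in 2.0 with no 1.1 predecessor) are surfaced for manual mapping. It is not the mapping file described on this page, and its table rows are constructed illustrations in the identifier format of each standard, not authoritative relationships; replace them with the published tables before relying on the output.

```python
"""Compose three crosswalks into an unofficial CSF 2.0 -> ISO 27001:2022 Annex A
mapping, keeping unmapped subcategories visible for manual review.

All table rows below are constructed illustrations (assumption), not the
authoritative relationships published by NIST or ISO.
"""
from collections import defaultdict

# CSF 2.0 subcategory -> CSF 1.1 subcategories (constructed rows).
CSF20_TO_CSF11 = {
    "PR.AA-01": {"PR.AC-1"},
    "PR.AA-05": {"PR.AC-4"},
    "GV.OC-01": set(),  # new in 2.0: no 1.1 predecessor, must be mapped by hand
}

# CSF 1.1 subcategory -> ISO/IEC 27001:2013 Annex A controls (constructed rows).
CSF11_TO_ISO2013 = {
    "PR.AC-1": {"A.9.2.1", "A.9.2.2", "A.9.2.4"},
    "PR.AC-4": {"A.9.1.2", "A.9.2.3", "A.9.4.1"},
}

# ISO/IEC 27001:2013 Annex A control -> ISO/IEC 27001:2022 Annex A control
# (constructed rows; the 2022 edition merged and renumbered the 2013 controls).
ISO2013_TO_ISO2022 = {
    "A.9.2.1": {"A.5.16"},
    "A.9.2.2": {"A.5.18"},
    "A.9.2.4": {"A.5.17"},
    "A.9.1.2": {"A.5.15"},
    "A.9.2.3": {"A.8.2"},
    "A.9.4.1": {"A.5.15"},
}


def compose(left, right):
    """Join two many-to-many mappings.

    Each key of `left` maps to the union of right[v] over its values v.
    A key whose values have no entry in `right` is kept with an empty set,
    so a broken link in the chain shows up as a gap instead of disappearing.
    """
    out = {}
    for key, mids in left.items():
        out[key] = set().union(*(right.get(m, set()) for m in mids))
    return out


def build_mapping():
    """CSF 2.0 subcategory -> ISO/IEC 27001:2022 Annex A controls, via 1.1 and 2013."""
    via_2013 = compose(CSF20_TO_CSF11, CSF11_TO_ISO2013)
    return compose(via_2013, ISO2013_TO_ISO2022)


def unmapped(mapping):
    """Subcategories that reached no 2022 control; these need a manual mapping."""
    return sorted(key for key, controls in mapping.items() if not controls)


def reverse_index(mapping):
    """ISO 2022 control -> CSF 2.0 subcategories, for searching in the other direction."""
    index = defaultdict(set)
    for subcat, controls in mapping.items():
        for control in controls:
            index[control].add(subcat)
    return dict(index)


def trace(subcat):
    """Show every intermediate identifier used for one subcategory, as provenance
    for a reviewer checking why a given 2022 control was reached."""
    chain = []
    for c11 in sorted(CSF20_TO_CSF11.get(subcat, set())):
        for c13 in sorted(CSF11_TO_ISO2013.get(c11, set())):
            for c22 in sorted(ISO2013_TO_ISO2022.get(c13, set())):
                chain.append((c11, c13, c22))
    return chain


if __name__ == "__main__":
    mapping = build_mapping()
    for subcat in sorted(mapping):
        print(subcat, "->", sorted(mapping[subcat]) or "UNMAPPED")
    print("needs manual mapping:", unmapped(mapping))
    for step in trace("PR.AA-01"):
        print("PR.AA-01 via", " -> ".join(step))
```

Because each hop is many-to-many, a single 2.0 subcategory can fan out to several 2022 controls and two subcategories can land on the same control (A.5.15 above), which is why the reverse index is worth keeping alongside the forward mapping in a searchable database. The trace output is what a reviewer needs when challenging an individual row of an unofficial mapping.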
While I was working on the file, a friend told me that another organization, Razil.io, has already published a mapping of the two documents. You can download their mapping sheet from the link below:
https://www.razil.io/post/nist-csf-2-0-to-iso-27001-2022-annexure-a-mapping