2 followers Follow

UCF, 27001 & NIST CSF

I've been using UCF to understand the various state level requirements for data security & breach response. I included the NIST CSF in my controls since that is our security framework. The idea was to know where we have gaps in our policies & standards in comparison to the state requirements.

Since NIST CSF anchors to 27001 Appendix A I included that in my spreadsheet as well, but now am puzzled.

Why are there gaps between the NIST CSF and 27001? What I mean is there are parts of the CSF clearly linked to 27001 but my UCF product doesn't show them consistently.

For example: 00689-Establish and maintain an Information Technology inventory with asset discovery audit trails.

It correctly links to ISO 27001 A.8.1.1 but not to NIST CSF ID.AM-1: Physical devices and systems within the organization are inventoried.

Why is this?

David Elfering Answered

Please sign in to leave a comment.

1 comment


In this case, ID.AM-1 maps to 00691 (Establish and maintain a hardware asset inventory.) which is a child of 00689.  The citation for ISO 27001 A.8.1.1 is just to establish an inventory for all identified assets.  That is a general citation, while the one in the NIST document is more specific.  They could both be mapped to the same control, but in this case, when there is a more specific control that a citation can be mapped to, we will map it to the more specific control.  

I hope this helps.  If not, please respond and we will give more explanation.

Erwin Rydell

Lead Mapper

Erwin Rydell 0 votes