NIST Cybersecurity Framework to SOC 2 Mapping

The organizational mission is understood and informs cybersecurity risk management

Internal and external stakeholders are understood, and their needs and expectations regarding cybersecurity risk management are understood and considered

Legal, regulatory, and contractual requirements regarding cybersecurity, including privacy and civil liberties obligations, are understood and managed

Critical objectives, capabilities, and services that external stakeholders depend on or expect from the organization are understood and communicated

Outcomes, capabilities, and services that the organization depends on are understood and communicated

Cybersecurity risk management strategy outcomes are reviewed to inform and adjust strategy

The cybersecurity risk management strategy is reviewed and adjusted to ensure coverage of organizational requirements and risks

Organizational cybersecurity risk management performance is evaluated and reviewed for adjustments

A cybersecurity risk management policy is established and enforced

The cybersecurity policy is reviewed and updated to reflect changes in requirements, threats, and technology

Risk management objectives are established and agreed to by organizational stakeholders

Risk appetite and risk tolerance statements are established, communicated, and maintained

Cybersecurity risk management activities and outcomes are included in enterprise risk management processes

Strategic direction that describes appropriate risk response options is established and communicated

Lines of communication across the organization are established for cybersecurity risks, including risks from suppliers and other third parties

A standardized method for calculating, documenting, categorizing, and prioritizing cybersecurity risks is established and communicated

Strategic opportunities (positive risks) are characterized and included in organizational cybersecurity risk discussions

Organizational leadership is responsible and accountable for cybersecurity risk

Cybersecurity roles, responsibilities, and authorities are established and enforced

Adequate resources are allocated to cybersecurity commensurate with risk

A cybersecurity supply chain risk management program is established

Cybersecurity roles and responsibilities for suppliers and partners are established and coordinated

Supply chain risk management is integrated into enterprise risk management processes

Changes and exceptions are managed, assessed for risk impact, and tracked

Commitment to integrity and ethical values is demonstrated

Board or equivalent body oversees security risk

Organizational structure and authority for security is defined

Controls are deployed through policies and procedures

The estimated impact and scope of adverse events are understood

Information on adverse events is provided to authorized staff and tools

Incidents are declared when adverse events meet the defined criteria

Cybersecurity roles and responsibilities for suppliers and partners are established and coordinated

Relevant suppliers are included in incident planning, response, and recovery activities

Incident response plans and cybersecurity plans are established, maintained, and improved

Recovery activities and progress in restoring operational capabilities are communicated to designated internal and external stakeholders

Public updates on the incident and ongoing recovery are shared using approved methods and messaging

The integrity of restored assets is verified, the asset is deemed secure, and normal operating status is confirmed

Forensics are performed

Execute the incident response plan in coordination with relevant third parties

Incidents are contained

Incidents are eradicated

Detected security incidents are evaluated and classified

Security incidents are responded to and contained

Incidents are recovered from and resumption of operations is documented

External service provider activities and services are monitored to detect potentially adverse events

A cybersecurity supply chain risk management program is established

Supply chain risk management plans include provisions for activities after a supplier relationship ends

Cybersecurity roles and responsibilities for suppliers and partners are established and coordinated

Supply chain risk management is integrated into enterprise risk management processes

Suppliers are known and prioritized by criticality

Cybersecurity requirements are integrated into contracts with suppliers

Due diligence is performed before entering into supplier relationships

Risks from suppliers are assessed, monitored, and responded to throughout the relationship

Relevant suppliers are included in incident planning, response, and recovery activities

Supply chain security practices are monitored throughout the technology product and service life cycle

Critical suppliers are assessed prior to acquisition

The authenticity and integrity of hardware and software are assessed prior to acquisition and use

Third-party vendor risk is assessed and managed

The cybersecurity risk management strategy is reviewed and adjusted to ensure coverage of organizational requirements and risks

Risk management objectives are established and agreed to by organizational stakeholders

Risk appetite and risk tolerance statements are established, communicated, and maintained

Cybersecurity risk management activities and outcomes are included in enterprise risk management processes

Strategic direction that describes appropriate risk response options is established and communicated

Lines of communication across the organization are established for cybersecurity risks, including risks from suppliers and other third parties

A standardized method for calculating, documenting, categorizing, and prioritizing cybersecurity risks is established and communicated

Strategic opportunities (positive risks) are characterized and included in organizational cybersecurity risk discussions

Supply chain risk management is integrated into enterprise risk management processes

Changes and exceptions are managed, assessed for risk impact, and tracked

Risk mitigation strategies are identified and implemented

Networks and network services are monitored to detect adverse events

Monitoring for unauthorized personnel, connections, devices, and software is performed

Computing hardware and software, runtime environments, and their data are monitored to find potentially adverse events

Log records are generated and made available for continuous monitoring

Capacity is managed to ensure system availability

Relevant security information is obtained and used

Security controls are evaluated on an ongoing basis

Control deficiencies are identified, evaluated, and communicated

Anomalies and security events are detected and monitored

The physical environment is monitored to detect potential cybersecurity events

Identities and credentials are managed for authorized users and devices

Identities are proofed and bound to credentials based on the context of interactions

Logical access security measures restrict access to assets

Access credentials are issued with appropriate authorization

Role-based access is used and reviewed periodically

Physical access to facilities and systems is restricted

Information is correlated from multiple sources

Alert thresholds are established

Networks and network services are monitored to detect adverse events

Computing hardware and software, runtime environments, and their data are monitored to find potentially adverse events

Log records are generated and made available for continuous monitoring

Anomalies and security events are detected and monitored

Internal and external threats to the organization are identified and recorded

Board or equivalent body oversees security risk

Security objectives are defined to enable risk identification

Security risks are identified and analyzed

Fraud risk is identified and assessed

Significant changes are assessed for security impact

Networks and network services are monitored to detect adverse events

Computing hardware and software, runtime environments, and their data are monitored to find potentially adverse events

Log records are generated and made available for continuous monitoring

Relevant security information is obtained and used

Anomalies and security events are detected and monitored

Malicious code is detected

Computing hardware and software, runtime environments, and their data are monitored to find potentially adverse events

Installation and execution of unauthorized software are prevented

Incidents are contained

Controls protect against malicious software

External service provider activities and services are monitored to detect potentially adverse events

Outcomes, capabilities, and services that the organization depends on are understood and communicated

Lines of communication across the organization are established for cybersecurity risks, including risks from suppliers and other third parties

Inventories of services provided by suppliers are maintained

Third-party vendor risk is assessed and managed

Internal and external stakeholders are understood, and their needs and expectations regarding cybersecurity risk management are understood and considered

Legal, regulatory, and contractual requirements regarding cybersecurity, including privacy and civil liberties obligations, are understood and managed

A cybersecurity risk management policy is established and enforced

The cybersecurity policy is reviewed and updated to reflect changes in requirements, threats, and technology

Security controls are evaluated on an ongoing basis

Backups of data are created, protected, maintained, and tested

Mechanisms are implemented to achieve resilience requirements in normal and adverse situations

Select, scope, prioritize, and perform recovery actions

Re-establish critical mission functions and cybersecurity services

Recovery procedures restore system availability after disruptions

Execute the recovery plan once the incident response process initiates recovery

The integrity of restored assets is verified, the asset is deemed secure, and normal operating status is confirmed

The end of incident recovery is declared based on criteria, and incident-related documentation is completed

Recovery procedures restore system availability after disruptions

Incidents are recovered from and resumption of operations is documented

Incidents are declared when adverse events meet the defined criteria

Improvements are identified from security tests and exercises

Incident response plans and cybersecurity plans are established, maintained, and improved

Security incidents are responded to and contained

Vulnerability scans are performed

Improvements are identified from evaluations

Incidents are eradicated

Control deficiencies are identified, evaluated, and communicated

Cybersecurity risk management strategy outcomes are reviewed to inform and adjust strategy

The cybersecurity risk management strategy is reviewed and adjusted to ensure coverage of organizational requirements and risks

Organizational cybersecurity risk management performance is evaluated and reviewed for adjustments

Board or equivalent body oversees security risk

A standardized method for calculating, documenting, categorizing, and prioritizing cybersecurity risks is established and communicated

Potential impacts and likelihoods of threats exploiting vulnerabilities are identified and recorded

Risk information is used to understand inherent risk and prioritize responses

Risk mitigation strategies are identified and implemented

Organizational leadership is responsible and accountable for cybersecurity risk

Cybersecurity roles, responsibilities, and authorities are established and enforced

Organizational structure and authority for security is defined

Accountability for security performance is enforced

Cybersecurity requirements are integrated into contracts with suppliers

The impact of the incident is understood

Internal and external stakeholders are notified of incidents in a timely manner

Security information is communicated to external parties

Supply chain security practices are monitored throughout the technology product and service life cycle

The hardware and firmware of platforms are managed

The software of platforms is managed, including operating systems and applications

General controls over technology are selected and developed

Adequate resource capacity to ensure availability is maintained

Capacity is managed to ensure system availability

Environmental and infrastructure protections support system availability

Recovery procedures restore system availability after disruptions

The end of incident recovery is declared based on criteria, and incident-related documentation is completed

Security information is communicated internally

Control activities are selected and developed to mitigate risks

Controls are deployed through policies and procedures

Potentially adverse events are analyzed to better understand associated activities

Triage and validate incident reports

Detected security incidents are evaluated and classified

The estimated impact and scope of adverse events are understood

The impact of the incident is understood

Significant changes are assessed for security impact

The estimated impact and scope of adverse events are understood

The impact of the incident is understood

Security objectives are defined to enable risk identification

Personnel activity and technology usage are monitored to detect potentially adverse events

Cybersecurity is included in human resources practices

Fraud risk is identified and assessed

Vulnerability scans are performed

Vulnerabilities in assets are identified, validated, and recorded

Vulnerability management identifies and remediates security flaws

Vulnerability scans are performed

Vulnerabilities in assets are identified, validated, and recorded

Vulnerability management identifies and remediates security flaws

Vulnerability scans are performed

Vulnerabilities in assets are identified, validated, and recorded

Vulnerability management identifies and remediates security flaws

A cybersecurity risk management policy is established and enforced

The cybersecurity policy is reviewed and updated to reflect changes in requirements, threats, and technology

Commitment to integrity and ethical values is demonstrated

Lines of communication across the organization are established for cybersecurity risks, including risks from suppliers and other third parties

Security information is communicated internally

Security information is communicated to external parties

Cybersecurity is included in human resources practices

Identities and credentials are managed for authorized users and devices

Access is removed or modified when no longer required

Assets are prioritized based on classification, criticality, and mission impact

Inventories of data and corresponding metadata for designated data types are maintained

Detected security incidents are evaluated and classified

Internal and external threats to the organization are identified and recorded

Potential impacts and likelihoods of threats exploiting vulnerabilities are identified and recorded

Security risks are identified and analyzed

Risk responses are chosen, prioritized, planned, tracked, and communicated

Control activities are selected and developed to mitigate risks

Risk mitigation strategies are identified and implemented

Changes and exceptions are managed, assessed for risk impact, and tracked

Significant changes are assessed for security impact

Changes to infrastructure and software are authorized and managed

Identities are proofed and bound to credentials based on the context of interactions

Users, services, and hardware are authenticated

Logical access security measures restrict access to assets

Identities are proofed and bound to credentials based on the context of interactions

Users, services, and hardware are authenticated

Logical access security measures restrict access to assets

Access permissions are defined in policy, enforced, and reviewed using least privilege and separation of duties

Logical access security measures restrict access to assets

Role-based access is used and reviewed periodically

Physical access to assets is managed, monitored, and enforced commensurate with risk

Technology assets are protected from environmental threats

Physical access to facilities and systems is restricted

The confidentiality, integrity, and availability of data-at-rest are protected

The confidentiality, integrity, and availability of data-in-transit are protected

Sensitive data is protected during transmission and storage

Data are destroyed according to policy when no longer needed

Internal and external stakeholders are notified of incidents in a timely manner

Confidential information is disposed of securely

Technology assets are protected from environmental threats

Mechanisms are implemented to achieve resilience requirements in normal and adverse situations

Environmental and infrastructure protections support system availability

Recovery activities and progress in restoring operational capabilities are communicated to designated internal and external stakeholders

Public updates on the incident and ongoing recovery are shared using approved methods and messaging

Security information is communicated to external parties

Apply the criteria for initiating incident recovery

Incidents are contained

Security incidents are responded to and contained

A baseline of network operations and expected data flows is established and managed

Anomalies and security events are detected and monitored

Networks and network services are monitored to detect adverse events

Relevant security information is obtained and used

Malicious code is detected

Controls protect against malicious software

Malicious code is detected

Controls protect against malicious software

Vulnerability scans are performed

Vulnerability management identifies and remediates security flaws

Organizational cybersecurity risk management performance is evaluated and reviewed for adjustments

Accountability for security performance is enforced

A cybersecurity risk management policy is established and enforced

Accountability for security performance is enforced

Risk management objectives are established and agreed to by organizational stakeholders

Security objectives are defined to enable risk identification

Cybersecurity risk management activities and outcomes are included in enterprise risk management processes

Control deficiencies are identified, evaluated, and communicated

Cybersecurity roles, responsibilities, and authorities are established and enforced

Organizational structure and authority for security is defined

Cybersecurity is included in human resources practices

Accountability for security performance is enforced

Cybersecurity is included in human resources practices

Access credentials are issued with appropriate authorization

Relevant suppliers are included in incident planning, response, and recovery activities

Security objectives are defined to enable risk identification

Identities and credentials are managed for authorized users and devices

Access credentials are issued with appropriate authorization

Access permissions are defined in policy, enforced, and reviewed using least privilege and separation of duties

Role-based access is used and reviewed periodically

Access permissions are defined in policy, enforced, and reviewed using least privilege and separation of duties

Role-based access is used and reviewed periodically

Personnel are provided with security awareness training to perform their work with cybersecurity risks in mind

Commitment to competence in security is demonstrated

The confidentiality, integrity, and availability of data-in-transit are protected

Sensitive data is protected during transmission and storage

Backups of data are created, protected, maintained, and tested

Recovery procedures restore system availability after disruptions

Networks and environments are protected from unauthorized logical access

Logical access security measures protect against external threats

Networks and environments are protected from unauthorized logical access

Logical access security measures protect against external threats

Mechanisms are implemented to achieve resilience requirements in normal and adverse situations

Environmental and infrastructure protections support system availability

Adequate resource capacity to ensure availability is maintained

Capacity is managed to ensure system availability

Secure software development practices are integrated and their security is evaluated

Changes to infrastructure and software are authorized and managed

The end of incident recovery is declared based on criteria, and incident-related documentation is completed

Incidents are recovered from and resumption of operations is documented

The impact of the incident is understood

Confidential information is identified and protected