2
Architectural Relevance
Control Area
Compliance - Audit
Planning
Compliance - Third
Party Audits
Control ID
CO-01
CO-02
CO-03
Control Specification
Corp Gov
Relevance
Control Notes
Phys
Network
Compute
Storage
App
Data
Supplier Relationship
SaaS
PaaS
IaaS
Service
Provider
Scope Applicability
Tenant /
Consumer
COBIT 4.1
ISO/IEC 27001-2005
NIST SP800-53 R3
ME 2.1
ME 2.2
PO 9.5
PO 9.6
45 CFR 164.312(b)
DS5.5
ME2.5
ME 3.1
PO 9.6
ME 2.6
DS 2.1
DS 2.4
45 CFR 164.308(b)(1)
45 CFR 164.308 (b)(4)
Clause 4.2.3 e)
Clause 4.2.3b
Clause 5.1 g
Clause 6
A.15.3.1
CA-2
CA-7
PL-6
Clause 4.2.3e
Clause 5.1 g
Clause 5.2.1 d)
Clause 6
A.6.1.8
CA-1
CA-2
CA-6
RA-5
A.6.2.3
A.10.2.1
A.10.2.2
A.10.6.2
CA-3
SA-9
SA-12
SC-7
2.1.2.b
11.2
11.3
6.6
12.1.2.b
2.4
12.8.2
12.8.3
12.8.4
Appendix A
Jericho Forum
NERC CIP
Commandment #1
Commandment #2
Commandment #3
1.2.5
1.2.7
4.2.1
8.2.7
10.2.3
10.2.5
Commandment #1
Commandment #2
Commandment #3
1.2.11
4.2.3
7.2.4
10.2.3
10.2.4
Commandment #1
Commandment #2
Commandment #3
AICPA
TS Map
AICPA
Trust Service Criteria (SOC 2SM Report)
S4.1.0
S4.2.0
C2.2.0
(C2.2.0) The system confidentiality and related security obligations of users and the entity's confidentiality and related security commitments to users are communicated to authorized users before the confidential information is provided. This communication includes, but is not limited to, the following matters: (see sub-criteria on TSPC tab)
C3.6
(C3.6) The entity has procedures to obtain assurance or representation that the confidentiality policies of third parties to whom information is transferred and upon which the entity relies are in conformity with the entity's defined system confidentiality and related security policies and that the third party is in compliance with its policies.
Compliance - Contact /
Authority Maintenance
CO-04
CO-05
CO-06
A.6.1.6
A.6.1.7
ME 3.1
AT-5
IR-6
SI-5
11.1.e
12.5.3
12.9
1.2.7
10.1.1
10.2.4
L1
Commandment #1
Commandment #2
Commandment #3
S4.3.0
CIP-001-1a R3 - R4
x4.4.0
ME 3.1
ISO/IEC 27001:2005
Clause 4.2.1 b) 2)
Clause 4.2.1 c) 1)
Clause 4.2.1 g)
Clause 4.2.3 d) 6)
Clause 4.3.3
Clause 5.2.1 a - f
Clause 7.3 c) 4)
A.7.2.1
A.15.1.1
A.15.1.3
A.15.1.4
A.15.1.6
AC-1
AT-1
AU-1
CA-1
CM-1
CP-1
IA-1
IA-7
IR-1
MA-1
MP-1
PE-1
PL-1
PM-1
PS-1
RA-1
RA-2
SA-1
SA-6
SC-1
SC-13
SI-1
Clause 4.2.1
A.6.1.5
A.7.1.3
A.10.8.2
A.12.4.3
A.15.1.2
SA-6
SA-7
PM-5
L.4
1.2.2
1.2.4
1.2.6
1.2.11
3.2.4
5.2.1
Commandment #1
Commandment #2
Commandment #3
Commandment #1
Commandment #2
Commandment #3
DG-01
DG-02
DS5.1
PO 2.3
PO 2.3
DS 11.6
DG-03
PO 2.3
DS 11.6
DG-04
DS 4.1
DS 4.2
DS 4.5
DS 4.9
DS 11.6
A.6.1.3
A.7.1.2
A.15.1.4
CA-2
PM-5
PS-2
RA-2
SA-2
A.7.2.1
RA-2
AC-4
A.7.2.2
A.10.7.1
A.10.7.3
A.10.8.1
02/12/2015
DG-05
DG-06
DS 11.4
45 CFR 164.308(a)(4)(ii)(B)
A.9.2.6
A.10.7.2
9.5
9.6
9.7.1
9.7.2
9.10
D.2.2
CP-2
CP-6
CP-7
CP-8
CP-9
SI-12
AU-11
3.1
3.1.1
3.2
9.9.1
9.5
9.6
10.7
D.2.2.9
3.1.1
9.10
9.10.1
9.10.2
3.1
6.2.1
D.1.3, D.2.2
SA-11
CM-04
1 of 10
9.7.1
9.10
12.3
MP-6
PE-1
A.7.1.3
A.10.1.4
A.12.4.2
A.12.5.1
AC-16
MP-1
MP-3
PE-16
SI-12
SC-9
G.13
Commandment #6
Commandment #10
CIP-003-3 - R4 - R5
x3.1.0
S3.10.0
I.2.18
S2.2.0
S2.3.0
S3.8.0
S3.8.0
C3.14.0
1.2.3
1.2.6
4.1.2
8.2.1
8.2.5
8.2.6
Commandment #9
1.1.2
5.1.0
7.1.2
8.1.0
8.2.5
8.2.6
Commandment #8
Commandment #9
Commandment #10
CIP-003-3 - R4 - R4.1
S3.2.a
5.1.0
5.1.1
5.2.2
8.2.6
Commandment #11
CIP-003-3 - R4.1
A3.3.0
A3.4.0
I3.20.0
I3.21.0
S3.1.0
S3.13.0
Data Governance Ownership /
Stewardship
5.1.0
5.2.3
1.2.6
Commandment #11
Commandment #9
Commandment #10
Commandment #11
CIP-003-3 - R6
C3.5.0
S3.4.0
C3.5.0
S3.4.0
C3.21.0
DG-07
DG-08
FS-01
FS-02
FS-03
FS-04
PO 9.1
PO 9.2
PO 9.4
DS 5.7
DS5.7
DS 12.1
DS 12.4
DS 4.9
A.10.6.2
A.12.5.4
45 CFR 164.308(a)(1)(ii)(A)
45 CFR 164.308(a)(8)
FS-05
FS-06
FS-07
Policies and procedures shall be established for securing and asset management for the use and secure disposal of equipment maintained and used outside the organization's premise.
Proposed v1.1 control revision redacted until future revision due to potential mapping impact not yet considered:
Policies and procedures governing asset management shall be established for secure repurposing of equipment and resources prior to tenant assignment or jurisdictional transport.
FS-08
Human Resources
Security - Background
Screening
HR-01
Human Resources
Security - Employment
Agreements
HR-02
12.1
12.1.2
7.2.1
8.1.0
8.1.1
8.2.1
8.2.2
8.2.5
8.2.6
Commandment #4
Commandment #5
Commandment #6
Commandment #7
Commandment #8
Commandment #9
Commandment #10
Commandment #11
C3.5.0
S3.4.0
1.2.4
8.2.1
Commandment #1
Commandment #2
Commandment #3
Commandment #6
Commandment #7
Commandment #9
Commandment #10
Commandment #11
S3.1.0
C3.14.0
S1.2.b-c
9.1
9.2
9.3
9.4
8.1.0
8.1.1
8.2.1
Commandment #1
Commandment #2
Commandment #3
Commandment #5
A3.6.0
45 CFR 164.310(a)(1)
45 CFR 164.310(a)(2)(ii)
45 CFR 164.310(b)
45 CFR 164.310(c) (New)
A.9.1.1
A.9.1.2
PE-2
PE-3
PE-4
PE-5
PE-6
9.1
8.2.1
8.2.2
8.2.3
Commandment #1
Commandment #2
Commandment #3
Commandment #5
DS 12.3
A.9.1.1
PE-2
PE-3
PE-6
PE-18
9.1
8.2.3
Commandment #1
Commandment #2
Commandment #3
Commandment #5
DS 12.2
DS 12.3
A.9.1.1
A.9.1.2
PE-2
PE-3
PE-6
PE-7
PE-8
PE-18
9.1
9.1.1
9.1.2
9.1.3
9.2
8.2.3
Commandment #1
Commandment #2
Commandment #3
Commandment #5
DS 12.3
A.9.1.6
PE-7
PE-16
PE-18
8.2.3
Commandment #1
Commandment #2
Commandment #3
Commandment #5
A.9.2.7
A.10.1.2
MA-1
MA-2
PE-16
F.2.18
8.2.5
8.2.6
Commandment #6
Commandment #7
S3.2.f
C3.9.0
Commandment #4
Commandment #5
Commandment #11
S3.4
Commandment #6
Commandment #7
Commandment #8
S3.1.0
C3.14.0
S1.2.b-c
I.2.18
1.2
6.5.5
11.1
11.2
11.3
11.4
A.1
CA-3
RA-2
RA-3
MP-8
PM-9
SI-12
CA-2
PE-1
PE-6
PE-7
PE-8
A.5.1.1
A.9.1.3
A.9.1.5
AC-2
AC-3
AC-4
AC-6
AC-11
AU-13
PE-19
SC-28
SA-8
SI-7
DS 11.6
9.8
9.9
45 CFR 164.310(c)
45 CFR 164.310 (d)(1)
45 CFR 164.310 (d)(2)(i)
A.9.2.5
A.9.2.6
AC-17
MA-1
PE-1
PE-16
PE-17
F.2.18, F.2.19
A.7.1.1
A.7.1.2
CM-8
PO 7.6
A.8.1.2
9.9.1
12.3.3
12.3.4
PS-2
PS-3
12.7
12.8.3
E.2
12.4
12.8.2
E.3.5
DS 2.1
45 CFR 164.310(a)(1)
45 CFR 164.308(a)(4)(i)
A.6.1.5
A.8.1.3
PL-4
PS-6
PS-7
PO 7.8
A.8.3.1
PS-4
PS-5
G.21
D.1
E.2
C.1
1.2.9
Commandment #2
Commandment #3
Commandment #6
Commandment #9
CIP-004-3 - R2.2
S3.11.0
1.2.9
8.2.6
Commandment #6
Commandment #7
S2.2.0
8.2.2
10.2.5
Commandment #6
Commandment #7
S3.2.d
HR-03
E.6
S3.8.e
IS-01
IS-02
X
R2 DS5.2
R2 DS5.5
45 CFR 164.308(a)(1)(i)
45 CFR 164.308(a)(1)(ii)(B)
45 CFR 164.316(b)(1)(i)
45 CFR 164.308(a)(3)(i) (New)
45 CFR 164.306(a) (New)
Clause 4.2
Clause 5
A.6.1.1
A.6.1.2
A.6.1.3
A.6.1.4
A.6.1.5
A.6.1.6
A.6.1.7
A.6.1.8
PM-1
PM-2
PM-3
PM-4
PM-5
PM-6
PM-7
PM-8
PM-9
PM-10
PM-11
DS5.1
Clause 5
A.6.1.1
CM-1
PM-1
PM-11
12.1
12.2
A.1, B.1
12.5
C.1
8.2.1
Commandment #1
Commandment #2
CIP-001-1a - R1 - R2
CIP-003-3 - R1 - R1.1 - R4
CIP-006-3c R1
x1.2.
Commandment #3
Commandment #6
CIP-003-3 - R1 - R1.1
S1.3.0
IS-03
IS-04
DS5.2
AI2.1
AI2.2
AI3.3
DS2.3
DS11.6
Clause 4.2.1
Clause 5
A.5.1.1
A.8.2.2
A.12.1.1
A.15.2.2
AC-1
AT-1
AU-1
CA-1
CM-1
IA-1
IR-1
MA-1
MP-1
MP-1
PE-1
PL-1
PS-1
SA-1
SC-1
SI-1
12.1
12.2
CM-2
SA-2
SA-4
1.1
1.1.1
1.1.2
1.1.3
1.1.4
1.1.5
1.1.6
2.2
2.2.1
2.2.2
2.2.3
2.2.4
12.1.3
B.1.33, B.1.34
IS-05
DS 5.2
DS 5.4
Clause 4.2.3 f)
A.5.1.2
AC-1
AT-1
AU-1
CA-1
CM-1
CP-1
IA-1
IA-5
IR-1
MA-1
MP-1
PE-1
PL-1
PM-1
PS-1
RA-1
SA-1
SC-1
SI-1
IS-06
PO 7.7
A.8.2.3
PL-4
PS-1
PS-8
IS-07
IS-08
IS-09
IS-10
IS-11
A.11.1.1
A.11.2.1
A.11.2.4
A.11.4.1
A.11.5.2
A.11.6.1
AC-1
IA-1
3.5.1
8.5.1
12.5.4
DS5.4
A.11.2.1
A.11.2.2
A.11.4.1
A.11.4.2
A.11.6.1
AC-3
AC-5
AC-6
IA-2
IA-4
IA-5
IA-8
MA-5
PS-6
SA-7
SI-9
7.1
7.1.1
7.1.2
7.1.3
7.2.1
7.2.2
8.5.1
12.5.4
H.2.4, H.2.5
DS 5.4
45 CFR 164.308(a)(3)(ii)(C)
ISO/IEC 27001:2005
A.8.3.3
A.11.1.1
A.11.2.1
A.11.2.2
AC-2
PS-4
PS-5
8.5.4
8.5.5
E.6.2, E.6.3
DS5.3
DS5.4
A.11.2.4
AC-2
AU-6
PM-10
PS-6
PS-7
PO 7.4
Clause 5.2.2
A.8.2.2
AT-1
AT-2
AT-3
AT-4
L.2
B.2
B.1.5
8.1.0
8.1.1
B.1
H.2
12.6
12.6.1
12.6.2
1.2.6
8.2.1
8.2.7
Commandment #1
Commandment #2
Commandment #3
Commandment #2
Commandment #4
Commandment #5
Commandment #11
S1.1.0
S1.3.0
S2.3.0
S1.1.0
S1.2.0(a-i)
(S1.2.0(a-i)) The entity's security policies include, but may not be limited to, the following matters:
DS 5.4
B.1
E.4
E.1
1.2.1
8.2.7
10.2.3
Commandment #1
Commandment #2
Commandment #3
10.2.4
Commandment #6
Commandment #7
S3.9
S2.4.0
8.1.0
Commandment #6
Commandment #7
Commandment #8
S3.2.0
8.2.2
Commandment #6
Commandment #7
Commandment #8
Commandment #9
Commandment #10
S3.2.0
8.2.1
Commandment #6
Commandment #7
Commandment #8
CIP-004-3 R2.2.3
CIP-007-3 - R5.1.3 -R5.2.1 R5.2.3
S3.2.0
8.2.1
8.2.7
Commandment #6
Commandment #7
Commandment #8
Commandment #10
CIP-004-3 R2.2.2
CIP-007-3 - R5 - R.1.3
S3.2.0
1.2.10
8.2.1
Commandment #3
Commandment #6
CIP-004-3 - R1 - R2 - R2.1
S1.2.k
S2.2.0
IS-12
IS-13
IS-14
X
IS-15
IS-16
IS-17
IS-18
IS-19
IS-20
IS-21
IS-22
IS-23
DS5.1
DS5.3
DS5.4
DS5.5
AT-5
SI-5
Clause 5.1 c)
A.6.1.2
A.6.1.3
A.8.1.1
AT-3
PL-4
PM-10
PS-1
PS-6
PS-7
Clause 5.2.2
A.8.2.1
A.8.2.2
A.11.2.4
A.15.2.1
AT-2
AT-3
CA-1
CA-5
CA-6
CA-7
PM-10
12.6.1
12.6.2
C.1.8
E.4
1.1.2
8.2.1
Commandment #6
Commandment #7
Commandment #8
A.10.1.3
AC-1
AC-2
AC-5
AC-6
AU-1
AU-6
SI-1
SI-4
6.4.2
PO 4.6
Clause 5.2.2
A.8.2.2
A.11.3.1
A.11.3.2
AT-2
AT-3
AT-4
PL-4
8.5.7
12.6.1
E.4
Clause 5.2.2
A.8.2.2
A.9.1.5
A.11.3.1
A.11.3.2
A.11.3.3
AC-11
MP-2
MP-3
MP-4
E.4
A.10.6.1
A.10.8.3
A.10.8.4
A.10.9.2
A.10.9.3
A.12.3.1
A.15.1.3
A.15.1.4
AC-18
IA-3
IA-7
SC-7
SC-8
SC-9
SC-13
SC-16
SC-23
SI-8
2.1.1
3.4
3.4.1
4.1
4.1.1
4.2
8.1.1
8.2.1
8.2.5
Clause 4.3.3
A.10.7.3
A.12.3.2
A.15.1.6
SC-12
SC-13
SC-17
SC-28
3.4.1
3.5
3.5.1
3.5.2
3.6
3.6.1
3.6.2
3.6.3
3.6.4
3.6.5
3.6.6
3.6.7
3.6.8
L.6
8.1.1
8.2.1
8.2.5
AI6.1
AI3.3
DS5.9
CM-3
CM-4
CP-10
RA-5
SA-7
SI-1
SI-2
SI-5
2.2
6.1
6.2
6.3.2
6.4.5
6.5
6.6
11.2
11.2.1
11.2.2
11.2.3
G.15.2, I.3
DS5.9
SA-7
SC-5
SI-3
SI-5
SI-7
SI-8
5.1
5.1.1
5.2
G.7
IR-1
IR-2
IR-3
IR-4
IR-5
IR-7
IR-8
12.9
12.9.1
12.9.2
12.9.3
12.9.4
12.9.5
12.9.6
J.1.1, J.1.2
IR-2
IR-6
IR-7
SI-4
SI-5
12.5.2
12.5.3
J.1.1, E.4
DS5.6
DS5.6
A.10.4.1
Clause 4.3.3
A.13.1.1
A.13.2.1
Clause 4.3.3
Clause 5.2.2
A.6.1.3
A.8.2.1
A.8.2.2
A.13.1.1
A.13.1.2
A.13.2.1
S1.2.f
Commandment #6
Commandment #7
Commandment #8
E.1
S4.3.0
1.2.9
8.2.1
Commandment #1
Commandment #2
Commandment #3
DS 5.4
DS5.8
DS5.8
DS5.10
DS5.11
A.6.1.7
FedRAMP Security Controls
(Final Release, Jan 2012)
S1.2.f
S2.3.0
S3.2.a
8.2.2
Commandment #6
Commandment #7
Commandment #8
Commandment #10
E.1
1.2.10
8.2.1
Commandment #5
Commandment #6
Commandment #7
S2.3.0
E.1
8.2.3
Commandment #5
Commandment #6
Commandment #7
Commandment #11
S3.3.0
S3.4.0
C3.12.0
S3.6.0
S3.4
S3.6.0
S3.4
S3.10.0
I.4
J.1
J.1
E.1
Commandment #4
Commandment #5
Commandment #9
Commandment #10
Commandment #11
CIP-007-3 R5.1.1
CIP-003-3 - R4.2
Commandment #9
Commandment #10
Commandment #11
1.2.6
8.2.7
Commandment #4
Commandment #5
8.2.2
Commandment #4
Commandment #5
1.2.4
1.2.7
7.1.2
7.2.2
7.2.4
10.2.1
10.2.4
Commandment #2
Commandment #6
Commandment #8
CIP-007-3 - R6.1
CIP-008-3 - R1
1.2.7
1.2.10
7.1.2
7.2.2
7.2.4
10.2.4
Commandment #2
Commandment #6
Commandment #8
S3.5.0
IS3.7.0
S3.9.0
CIP-003-3 - R4.1
CIP-004-3 R3.3
A2.3.0
C2.3.0
I2.3.0
S2.3.0
S2.4
(S2.4) The process for informing the entity about breaches of the system security and for submitting complaints is communicated to authorized users.
C3.6.0
IS-24
IS-25
IS-26
Policies and procedures shall be established for the acceptable use of information assets.
Proposed v1.1 control revision redacted until future revision due to potential mapping impact not yet considered:
X
DS5.6
DS 4.9
DS 5.3
Clause 4.3.3
Clause 5.2.2
A.8.2.2
A.8.2.3
A.13.2.3
A.15.1.3
A.13.2.2
AU-6
AU-7
AU-9
AU-11
IR-5
IR-7
IR-8
IR-4
IR-5
IR-8
AC-8
AC-20
PL-4
A.7.1.3
IS-27
IS-28
12.9.6
J.1.2
1.2.7
1.2.10
E.6.4
D.1
5.2.3
7.2.2
8.2.1
8.2.6
G.4
G.11
G.16
G.18
I.3
I.4
3.2.4
4.2.3
7.1.2
7.2.1
7.2.2
8.2.1
8.2.5
A.7.1.1
A.7.1.2
A.8.3.2
PS-4
45 CFR 164.312(e)(1)
45 CFR 164.312(e)(2)(i)
A.7.2.1
A.10.6.1
A.10.6.2
A.10.9.1
A.10.9.2
A.15.1.4
AC-14
AC-21
AC-22
IA-8
AU-10
SC-4
SC-8
SC-9
CIP-004-3 R3.3
S2.4.0
C3.15.0
1.2.7
B.3
8.1.0
CIP-008-3 - R1.1
Commandment #1
Commandment #2
Commandment #3
S3.9.0
C4.1.0
S1.2
S3.9
S3.4
S3.6
DS 5.10, DS 5.11
2.1.1
4.1
4.1.1
4.2
Commandment #4
Commandment #5
Commandment #9
Commandment #10
Commandment #11
IS-29
IS-30
IS-31
IS-32
IS-33
IS-34
DS 5.7
A.15.3.2
AU-9
AU-11
AU-14
10.5.5
DS5.7
A.10.6.1
A.11.1.1
A.11.4.4
A.11.5.4
CM-7
MA-3
MA-4
MA-5
9.1.2
DS5.10
A.6.2.3
A.10.6.2
SC-20
SC-21
SC-22
SC-23
SC-24
A.7.2.1
A.10.7.1
A.10.7.2
A.10.8.3
A.11.7.1
A.11.7.2
A.15.1.4
AC-17
AC-18
AC-19
MP-2
MP-4
MP-6
Clause 4.3.3
A.12.4.3
A.15.1.3
CM-5
CM-6
A.11.4.1
A.11.4.4
A.11.5.4
AC-5
AC-6
CM-7
SC-3
SC-19
ISO/IEC 27001:2005
Annex A.6.1.5
PL-4
PS-6
SA-9
DS5.11
DS5.5
LG-01
Utility programs capable of potentially overriding system, object, network, virtual machine and application controls shall be restricted.
Proposed v1.1 control revision redacted until future revision due to potential mapping impact not yet considered:
8.2.1
C.2.6, G.9.9
C.2
Commandment #2
Commandment #5
Commandment #11
CIP-003-3 - R5.2
S3.2.g
Commandment #3
Commandment #4
Commandment #5
Commandment #6
Commandment #7
Commandment #8
CIP-007-3 - R2
S3.2.g
8.2.2
8.2.5
Commandment #6
Commandment #7
Commandment #8
9.7
9.7.2
9.8
9.9
11.1
12.3
1.2.6
3.2.4
8.2.6
All
6.4.1
6.4.2
1.2.6
6.2.1
Commandment #6
Commandment #7
Commandment #9
Commandment #10
7.1.2
H.2.16
12.8.2
12.8.3
12.8.4
C.2.5
C2.2.0
CIP-007-3 - R7.1
S3.4
S3.13.0
DS5.7
Legal - Non-Disclosure
Agreements
1.2.5
Commandment #1
Commandment #5
Commandment #6
Commandment #7
Commandment #6
Commandment #7
Commandment #8
Commandment #9
S4.1.0
LG-02
Operations
Management - Policy
OP-01
Operations
Management Documentation
OP-02
Operations
Management Capacity / Resource
Planning
Operations
Management Equipment
Maintenance
OP-03
OP-04
RI-01
X
DS 9
DS 13.1
DS5.11
DS13.1
DS 3
AI3.3
PO 9.1
RI-02
RI-03
RI-04
PO 9.4
CA-3
MP-5
PS-7
SA-6
SA-7
SA-9
Clause 5.1
A.8.1.1
A.8.2.1
A.8.2.2
A.10.1.1
CM-2
CM-3
CM-4
CM-5
CM-6
CM-9
MA-4
SA-3
SA-4
SA-5
SA-8
SA-10
SA-11
SA-12
12.1
12.2
12.3
12.4
G.1.1
Clause 4.3.3
A.10.7.4
CP-9
CP-10
SA-5
SA-10
SA-11
12.1
12.2
12.3
12.4
G.1.1
A.10.3.1
A.6.2.3
A.10.2.1
A.10.8.2
A.11.4.6
A.11.6.1
A.12.3.1
A.12.5.4
SA-4
AC-4
CA-2
CA-6
PM-9
RA-1
12.1.2
1.2.6
PL-5
RA-2
RA-3
12.1.2
1.2.4
5.2.3
8.2.2
8.2.3
8.2.4
8.2.5
8.2.6
8.2.7
F.2.19
A.1, L.1
8.2.1
G.5
MA-2
MA-3
MA-4
MA-5
MA-6
A.9.2.4
L.2
I.1
I.4
1.2.4
1.2.4
1.2.5
Commandment #1
Commandment #4
Commandment #5
Commandment #6
Commandment #7
Commandment #8
Commandment #1
Commandment #2
Commandment #3
Commandment #6
Commandment #7
Commandment #1
Commandment #2
Commandment #4
Commandment #5
Commandment #11
S2.2.0
A3.6.0
C3.6.0
S2.3.0
CIP-005-3a - R1.3
CIP-007-3 - R9
Commandment #1
Commandment #2
Commandment #3
Commandment #2
Commandment #5
Commandment #11
S3.11.0
A2.1.0
A3.2.0
A4.1.0
CIP-009-3 - R4
PO 9.5
PO 9.6
CA-5
CM-4
Clause 4.2.3
Clause 4.2.4
Clause 4.3.1
Clause 5
Clause 7
A.5.1.2
A.10.1.2
A.10.2.3
A.14.1.2
A.15.2.1
A.15.2.2
CP-2
RA-2
RA-3
12.1.3
I.4
L.2
B.2
G.21
L.2
CIP-009-3 - R1.2
A4.1.0
S3.1
x3.1.0
S3.1
x3.1.0
S4.3.0
S3.1
x3.1.0
CIP-009-3 - R2
RI-05
RM-01
RM-02
RM-03
RM-04
RM-05
RS-01
A.6.2.1
A.8.3.3
A.11.1.1
A.11.2.1
A.11.2.4
AI6.1
AI7.6
PO 8.1
PO 9.1
PO 9.2
DS 4.2
CA-3
MA-4
RA-3
A.6.1.4
A.6.2.1
A.12.1.1
A.12.4.1
A.12.4.2
A.12.4.3
A.12.5.5
A.15.1.3
A.15.1.4
DS 2.3
AI2
AI6.1
CA-1
CM-1
CM-9
PL-1
PL-2
SA-1
SA-3
SA-4
12.8.1
12.8.2
12.8.3
12.8.4
6.3.2
1.1.1
6.3.2
6.4
6.1
A.10.1.4
A.12.5.1
A.12.5.2
CA-1
CA-6
CA-7
CM-2
CM-3
CM-5
CM-6
CM-9
PL-2
PL-5
SI-2
SI-6
SI-7
A.6.1.3
A.10.1.1
A.10.1.4
A.10.3.2
A.12.1.1
A.12.2.1
A.12.2.2
A.12.2.3
A.12.2.4
A.12.4.1
A.12.4.2
A.12.4.3
A.12.5.1
A.12.5.2
A.12.5.3
A.12.6.1
A.13.1.2
A.15.2.1
A.15.2.2
CM-1
CM-2
SA-3
SA-4
SA-5
SA-8
SA-10
SA-11
SA-13
A.6.1.8
A.6.2.1
A.6.2.3
A.10.1.4
A.10.2.1
A.10.2.2
A.10.2.3
A.10.3.2
A.12.1.1
A.12.2.1
A.12.2.2
A.12.2.3
A.12.2.4
A.12.4.1
A.12.4.2
A.12.4.3
A.12.5.1
A.12.5.2
A.12.5.3
A.12.5.5
A.12.6.1
A.13.1.2
A.15.2.1
A.15.2.2
SA-4
SA-5
SA-8
SA-9
SA-10
SA-11
SA-12
SA-13
A.10.1.3
A.10.4.1
A.11.5.4
A.11.6.1
A.12.4.1
A.12.5.3
CM-1
CM-2
CM-3
CM-5
CM-7
CM-8
CM-9
SA-6
SA-7
SI-1
SI-3
SI-4
SI-7
CP-1
CP-2
Clause 4.3.2
A.14.1.1
A.14.1.4
1.2.6
Commandment #1
Commandment #2
Commandment #3
S3.1
x3.1.0
S3.12.0
S3.10.0
S3.13.0
1.2.6
Commandment #1
Commandment #2
Commandment #3
Commandment #11
9.1.0
9.1.1
9.2.1
9.2.2
Commandment #1
Commandment #2
Commandment #3
3.6.7
6.4.5.2
7.1.3
8.5.1
9.1
9.1.2
9.2b
9.3.1
10.5.2
11.5
12.3.1
12.3.3
7.1.1
7.1.2
7.2.1
7.2.2
7.2.3
7.2.4
C.2
I.1
I.2
I.4
12.9.1
Commandment #1
Commandment #2
Commandment #3
3.2.4
8.2.2
Commandment #1
Commandment #2
Commandment #3
Commandment #5
Commandment #11
Commandment #1
Commandment #2
Commandment #3
CIP-003-3 - R6
A3.16.0
S3.13.0
A3.13.0
C3.16.0
I3.14.0
S3.10.0
S3.13
S3.10.0
S3.13
A3.6.0
S3.5.0
S3.13.0
A3.1.0
A3.3.0
A3.4.0
Resiliency - Impact
Analysis
Resiliency - Business
Continuity Planning
RS-02
RS-03
RS-05
Resiliency - Equipment
Power Failures
RS-07
Resiliency - Power /
Telecommunications
RS-08
SA-01
SA-02
SA-03
X
ISO/IEC 27001:2005
A.14.1.2
A.14.1.4
RA-3
K.2
Commandment #1
Commandment #2
Commandment #3
A3.4.0
RS-04
RS-06
A3.3.0
Resiliency - Business
Continuity Testing
Resiliency - Equipment
Location
Clause 5.1
A.6.1.2
A.14.1.3
A.14.1.4
CP-1
CP-2
CP-3
CP-4
CP-6
CP-7
CP-8
CP-9
CP-10
PE-17
12.9.1
12.9.3
12.9.4
12.9.6
12.9.2
A.14.1.5
CP-2
CP-3
CP-4
A.9.1.4
A.9.2.1
PE-1
PE-13
PE-14
PE-15
PE-18
A.9.2.1
PE-1
PE-5
PE-14
PE-15
PE-18
Commandment #1
Commandment #2
Commandment #3
9.1.3
9.5
9.6
9.9
9.9.1
Commandment #1
Commandment #2
Commandment #3
F.1
8.2.4
F.1
Commandment #1
Commandment #2
Commandment #3
CIP-004-3 R3.2
Commandment #1
Commandment #2
Commandment #3
A3.1.0
A3.3.0
A3.4.0
A3.3
A3.1.0
A3.2.0
A3.1.0
A3.2.0
A.9.2.2
A.9.2.3
A.9.2.4
CP-8
PE-1
PE-9
PE-10
PE-11
PE-12
PE-13
PE-14
F.1
Commandment #1
Commandment #2
Commandment #3
A3.2.0
A.9.2.2
A.9.2.3
PE-1
PE-4
PE-13
F.1
Commandment #1
Commandment #2
Commandment #3
Commandment #4
Commandment #9
Commandment #11
A3.2.0
A3.4.0
Commandment #6
Commandment #7
Commandment #8
S3.2.a
S3.2.b
S3.4
DS5.3
DS5.4
DS5.11
45 CFR 164.308(a)(5)(ii)(c)
45 CFR 164.308 (a)(5)(ii)(D)
45 CFR 164.312 (a)(2)(i)
45 CFR 164.312 (a)(2)(iii)
45 CFR 164.312 (d)
A.6.2.1
A.6.2.2
A.11.1.1
CA-1
CA-2
CA-5
CA-6
A.8.3.3
A.11.1.1
A.11.2.1
A.11.2.3
A.11.2.4
A.11.5.5
AC-1
AC-2
AC-3
AC-11
AU-2
AU-11
IA-1
IA-2
IA-5
IA-6
IA-8
SC-10
8.1
8.2
8.3
8.4
8.5
10.1
12.2
12.3.8
A.10.8.1
A.10.8.2
A.11.1.1
A.11.6.1
A.11.4.6
A.12.3.1
A.12.5.4
A.15.1.4
AC-1
AC-4
SC-1
SC-16
2.3
3.4.1
4.1
4.1.1
6.1
6.3.2a
6.5c
8.3
10.5.5
11.5
1.2.2
1.2.6
6.2.1
6.2.2
Commandment #6
Commandment #7
Commandment #8
Commandment #9
1.1.0
1.2.2
1.2.6
4.2.3
5.2.1
7.1.2
7.2.1
7.2.2
7.2.3
7.2.4
8.2.1
8.2.2
8.2.3
8.2.5
9.2.1
All
CIP-004-3 R2.2.3
CIP-007-3 - R5.2 - R5.3.1 R5.3.2 - R5.3.3
SA-04
SA-05
SA-06
SA-07
X
AI2.4
45 CFR 164.312(e)(2)(i)
DS5.7
A.11.5.6
A.11.6.1
A.12.2.1
A.12.2.2
A.12.2.3
A.12.2.4
A.12.5.2
A.12.5.4
A.12.5.5
A.12.6.1
A.15.2.1
SC-2
SC-3
SC-4
SC-5
SC-6
SC-7
SC-8
SC-9
SC-10
SC-11
SC-12
SC-13
SC-14
SC-17
SC-18
SC-20
SC-21
SC-22
SI-10
SC-23
SI-11
SI-2
SI-3
SI-4
SI-6
SI-7
SI-9
A.10.9.2
A.10.9.3
A.12.2.1
A.12.2.2
A.12.2.3
A.12.2.4
A.12.6.1
A.15.2.1
G.16.3, I.3
B.1
1.2.6
Commandment #1
Commandment #10
Commandment #11
Commandment #1
Commandment #2
Commandment #4
Commandment #5
Commandment #11
CIP-007-3 - R5.1
S3.10.0
S3.10.0
G.16.3, I.3
I.4
1.2.6
Commandment #1
Commandment #9
Commandment #11
CIP-003-3 - R4.2
I3.2.0
I3.3.0
I3.4.0
I3.5.0
S3.4
A.10.1.4
A.10.3.2
A.11.1.1
A.12.5.1
A.12.5.2
A.12.5.3
SC-2
A.11.1.1
A.11.4.1
A.11.4.2
A.11.4.6
A.11.7.1
AC-17
AC-20
IA-1
IA-2
MA-4
B.1
8.2.2
Commandment #6
Commandment #7
Commandment #8
CIP-004-3 R3.1
S3.2.b
A.10.6.1
A.10.6.2
A.10.9.1
A.10.10.2
A.11.4.1
A.11.4.5
A.11.4.6
A.11.4.7
A.15.1.4
SC-7
1.1
1.1.2
1.1.3
1.1.5
1.1.6
1.2
1.2.1
2.2.2
2.2.3
G.2
G.4
G.15
G.16
G.17
G.18
I.3
8.2.5
Commandment #1
Commandment #2
Commandment #3
Commandment #9
Commandment #10
Commandment #11
CIP-004-3 R2.2.4
S3.4
Commandment #1
Commandment #2
Commandment #3
Commandment #9
Commandment #10
Commandment #11
CIP-004-3 R3
S3.4
6.4.1
6.4.2
I.4
SA-08
SA-09
DS5.10
A.11.4.5
A.11.6.1
A.11.6.2
A.15.1.4
AC-4
SC-2
SC-3
SC-7
1.1
1.2
1.2.1
1.3
1.4
G.17
SA-10
DS5.5
DS5.7
DS5.8
DS5.10
A.7.1.1
A.7.1.2
A.7.1.3
A.9.2.1
A.9.2.4
A.10.6.1
A.10.6.2
A.10.8.1
A.10.8.3
A.10.8.5
A.10.10.2
A.11.2.1
A.11.4.3
A.11.4.5
A.11.4.6
A.11.4.7
A.12.3.1
A.12.3.2
AC-1
AC-18
CM-6
PE-4
SC-3
SC-7
1.2.3
2.1.1
4.1
4.1.1
11.1
9.1.3
D.1
B.3
F.1
G.4
G.15
G.17
G.18
8.2.5
Commandment #1
Commandment #2
Commandment #3
Commandment #4
Commandment #5
Commandment #9
Commandment #10
Commandment #11
CIP-004-3 R3
CIP-007-3 - R6.1
S3.4
SA-11
A.10.8.1
A.11.1.1
A.11.6.2
A.11.4.6
PE-4
SC-4
SC-7
B.1
8.2.5
Commandment #5
Commandment #6
Commandment #7
Commandment #9
Commandment #10
Commandment #11
CIP-004-3 R3 - R3.2
S3.4
SA-12
A.10.10.1
A.10.10.6
AU-1
AU-8
G.7
G.8
S3.7
DS5.7
10.4
SA-13
SA-14
SA-15
DS5.5
DS5.6
DS9.2
DS5.7
A.11.4.3
IA-3
IA-4
A.10.10.1
A.10.10.2
A.10.10.3
A.10.10.4
A.10.10.5
A.11.2.2
A.11.5.4
A.11.6.1
A.13.1.1
A.13.2.3
A.15.2.2
A.15.1.3
AU-1
AU-2
AU-3
AU-4
AU-5
AU-6
AU-7
AU-9
AU-11
AU-12
AU-14
SI-4
A.10.4.2
A.12.2.2
SC-18
10.1
10.2
10.3
10.5
10.6
10.7
11.4
12.5.2
12.9.5
G.20.12, I.2.5
D.1
Commandment #1
Commandment #2
Commandment #3
Commandment #5
Commandment #8
8.2.1
8.2.2
Commandment #6
Commandment #7
Commandment #11
Commandment #1
Commandment #2
Commandment #3
Commandment #5
Commandment #11
CIP-007-3 - R6.5
S3.2.a
S3.7
S3.4.0
S3.10.0
Copyright 2013 Cloud Security Alliance. All rights reserved. You may download, store, display on your computer, view, print, and link to the Cloud Security Alliance Cloud Controls Matrix (CCM) at http://www.cloudsecurityalliance.org subject to the following: (a) the Cloud Controls Matrix may be used solely for your personal, informational, non-commercial use; (b) the Cloud Controls Matrix may not be modified or altered in any way; (c) the Cloud Controls Matrix may not be redistributed; and (d) the trademark, copyright or other notices may not be removed. You may quote portions of the Cloud Controls Matrix as permitted by the Fair Use provisions of the United States Copyright Act, provided that you attribute the portions to the Cloud Security Alliance Cloud Controls Matrix Version 1.4 (2013). If you are interested in obtaining a license to this material for other usages not addressed in the copyright notice, please contact info@cloudsecurityalliance.org.