Crosswalking ISO/IEC 27001 to NIST SP 800-171A: A Comprehensive Guide

ISO/IEC 27001 gives organizations a head start on implementing NIST SP 800-171A. This guide crosswalks work done under ISO/IEC 27001 into NIST SP 800-171A. The crosswalk resource maps Annex A controls to the NIST assessment objectives and accommodates both the 2013 and 2022 versions of ISO/IEC 27001. We developed this resource with help from Dr. Robert Jenkins of QBE. In this blog we will discuss:

The NIST SP 800-171 Rev 2 mapping to ISO 27001 in Appendix D provides a foundation for this crosswalk. Unfortunately, that mapping only relates ISO 27001:2013 controls to the NIST security requirements. Mapping the 320 assessment objectives from NIST SP 800-171A required further analysis. We also incorporated the new Annex A controls introduced in ISO 27001:2022.

Image Source: NIST SP 800-171 Rev 2

The NIST SP 800-171 Rev 2 mapping to ISO 27001 in Appendix D provided a foundation for this crosswalk. The NIST mapping only relates SP 800-171 security requirements to ISO 27001:2013, so we also incorporated the new controls from Annex A of ISO 27001:2022. We used the NIST SP 800-53 to ISO/IEC 27001 informative reference together with our own NIST SP 800-53 to SP 800-171 crosswalk. We then refined the combined crosswalk to express each relationship at the level of the 320 NIST assessment objectives.

NIST IR 8477 highlights the importance of identifying the nature of the conceptual relationship between mapped elements. We opted to assess each semantic relationship using a set theory relationship mapping. Our crosswalk records the type and the strength of every identified relationship, and we designed it so practitioners can amend these relationships as needed.

Overview of the ISO and NIST Frameworks

ISO/IEC 27001 Overview

Two organizations jointly published the original ISO/IEC 27001 in 2005: ISO, the International Organization for Standardization, and IEC, the International Electrotechnical Commission. The standard was first updated in 2013 and more recently in 2022. It helps organizations select adequate and proportionate security controls to protect information assets. Certification under ISO/IEC 27001 provides assurance to interested parties, and a wide range of organizations and government agencies have adopted it.

NIST SP 800-171 Overview

The National Institute of Standards and Technology (NIST) published SP 800-171 in 2015. NIST updated this standard to Revision 1 in 2016 and Revision 2 in 2020. NIST published Revision 3 in May of 2024. This publication identifies requirements for protecting controlled unclassified information (CUI) in nonfederal systems.

The Defense Federal Acquisition Regulation Supplement (DFARS) has driven the applicability of these requirements. The DFARS 252.204-7012 clause outlines adequate security and cyber incident reporting requirements.

These requirements apply when:

  • Information systems process, store, or transmit covered defense information, or

  • Performance of the contract involves operationally critical support.

This DFARS clause specifies the version of SP 800-171 in effect at the time of the solicitation. However, in 2024, the DoD issued a class deviation keeping Revision 2 as the standard for now. Some experts believe the Cybersecurity Maturity Model Certification (CMMC) will follow Revision 2.

Key Differences and Similarities

Similarities

Both sets of requirements direct organizations to delineate a system boundary. In both cases, the boundary surrounds the information you intend to protect. NIST SP 800-171 requires a description of the system boundary in the system security plan. ISO/IEC 27001 requires defining the scope of the information security management system.

Differences

ISO/IEC 27001 has broad applicability. Any organization can use it to build an information security management system. The controls address protecting the confidentiality, integrity, and availability of information and systems. NIST SP 800-171 has a narrower focus: NIST tailored the requirements to protect the confidentiality of CUI within nonfederal systems.

NIST SP 800-171 is prescriptive, while ISO/IEC 27001 uses a risk-based approach. Risk-based approaches prioritize risks by severity. This involves identifying assets, threats, and vulnerabilities to determine the likelihood of each threat. Risk assessments pair threat likelihoods with impact assessments of potential security incidents. Organizations may transfer, avoid, accept, or mitigate risk using a risk treatment plan. Annex A provides a list of controls to select from as you build that plan.

ISO/IEC 27001 requires a comprehensive set of documentation. This includes an ISMS policy, a risk assessment and treatment process, and various procedures. NIST SP 800-171 requires a System Security Plan (SSP) and a Plan of Action and Milestones (POA&M). An SSP details the implementation of the security requirements. The POA&M details the actionable steps the organization will take to meet unmet requirements. The NIST assessment guide also references many policies and procedures.

Steps to Transition from 27001 to NIST SP 800-171

Despite their differences, work done under ISO/IEC 27001 will speed up your compliance with NIST SP 800-171. Here is a four-step transition process to consider:

Conduct a Gap Analysis

Our ISO/IEC 27001 Crosswalk to NIST SP 800-171A will help you complete the gap analysis. The Instructions tab outlines the five steps for completing this crosswalk.

Step 1 requires you to select the most recent version of ISO/IEC 27001 you have implemented. The drop-down provides two options: ISO 27001:2013 and ISO 27001:2022. The value selected in this field drives the formulas in Step 5.

Image Source: ISO/IEC 27001 Crosswalk to NIST SP 800-171A

Step 2 requires you to navigate to the relevant tab based on your selection in Step 1. Use column E to describe how each ISO/IEC control is implemented. We have grayed out the implementation statement on controls that do not map to NIST.

Image Source: ISO/IEC 27001 Crosswalk to NIST SP 800-171A

Step 3 identifies the main technology components of the NIST system authorization boundary. Populating this table enables a built-in applicability matrix: system components appear next to the NIST requirements that apply to them. This ensures the applicable scope is considered when incorporating the ISO implementation.

Image Source: ISO/IEC 27001 Crosswalk to NIST SP 800-171A

Step 4 allows practitioners to edit the relationships between the standards. Each row on the NIST Crosswalk sheet identifies one relationship, always in the direction from ISO/IEC to NIST. Unhide and populate all columns for any new relationship you identify. To change an existing relationship, edit its type or strength values as needed.

Image Source: ISO/IEC 27001 Crosswalk to NIST SP 800-171A

Step 5 is the manual review. The manual review tab presents each NIST objective and its corresponding text. Relevant components appear next to the NIST text to provide context and applicability. The related ISO/IEC 2013 control appears next to the type of relationship. The narrow column is color-coded to convey the strength of the relationship. Next to the colored cell is the implementation statement for the related ISO/IEC control.

Each row on this sheet represents one relationship, so a NIST objective that maps to more than one ISO/IEC control appears in several rows. The purpose of the manual review is to write narratives that meet the NIST objectives; the related ISO/IEC implementation statements show what is already in place.

In the example shown below, 3.14.6(a) maps to two ISO/IEC controls. The relationship to A.13.1.1 is a strong intersection, and the relationship to A.8.16.1 is equal. Row 8 is blank in columns G and I, indicating that it repeats the NIST objective from the row above. Row 8 is also grayed out in columns O and P to show that the narrative for 3.14.6(a) belongs in cell P7.

The practitioner uses the related statements to write a narrative that best addresses 3.14.6(a) in P7.

Image Source: ISO/IEC 27001 Crosswalk to NIST SP 800-171A
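To make the mechanics of Steps 1 through 5 concrete, here is a small Python model of the crosswalk: ISO/IEC control-to-objective relationships typed and rated in the set theory style described earlier, a version filter standing in for the Step 1 drop-down, a component applicability lookup standing in for the Step 3 table, the manual-review row layout in which a repeated objective leaves its objective columns blank (as row 8 does in the example above), and a gap report that flags objectives with no or only weak ISO coverage. This is an added example, not the crosswalk workbook or any QBE code; the relationship types, strength ratings, objective texts, implementation statements and component table are constructed stand-ins, and only the two 3.14.6(a) rows echo the relationships the post describes.

```python
"""Toy crosswalk engine: ISO/IEC 27001 Annex A controls -> NIST SP 800-171A objectives.

Added example, not the crosswalk workbook. All sample data is constructed;
relationship types and strengths follow a set-theory style (equal / subset /
superset / intersects, rated strong / moderate / weak) as an assumption.
"""
from dataclasses import dataclass
from enum import Enum


class RelType(Enum):
    EQUAL = "equal"
    SUBSET = "subset"          # ISO control covers only part of the NIST objective
    SUPERSET = "superset"      # ISO control covers more than the NIST objective
    INTERSECTS = "intersects"  # partial overlap in both directions


class Strength(Enum):
    STRONG = 3
    MODERATE = 2
    WEAK = 1


@dataclass(frozen=True)
class Relationship:
    iso_version: str     # "2013" or "2022": the Step 1 drop-down value
    iso_control: str
    nist_objective: str  # e.g. "3.14.6(a)"
    rel_type: RelType
    strength: Strength


# --- constructed sample inputs standing in for the workbook tabs ---
NIST_OBJECTIVES = {  # objective id -> text (placeholder text, not the NIST wording)
    "3.14.6(a)": "constructed objective text for 3.14.6(a)",
    "3.14.6(b)": "constructed objective text for 3.14.6(b)",
    "3.5.3(a)": "constructed objective text for 3.5.3(a)",
}
ISO_IMPLEMENTATIONS = {  # column E narratives on the ISO tab (constructed)
    "A.13.1.1": "Network controls implemented; IDS sensors at each boundary.",
    "A.8.16.1": "Security events are monitored centrally via the SIEM.",
}
COMPONENTS = {  # Step 3 table: component -> NIST requirements it applies to (constructed)
    "SIEM": {"3.14.6"},
    "Identity provider": {"3.5.3"},
}
RELATIONSHIPS = [  # Step 4 sheet; the first two rows mirror the post's 3.14.6(a) example
    Relationship("2013", "A.13.1.1", "3.14.6(a)", RelType.INTERSECTS, Strength.STRONG),
    Relationship("2013", "A.8.16.1", "3.14.6(a)", RelType.EQUAL, Strength.STRONG),
    Relationship("2013", "A.13.1.1", "3.14.6(b)", RelType.INTERSECTS, Strength.WEAK),
    Relationship("2022", "A.8.16.1", "3.14.6(a)", RelType.EQUAL, Strength.STRONG),
]


def requirement_of(objective: str) -> str:
    """'3.14.6(a)' -> '3.14.6' (the security requirement the objective belongs to)."""
    return objective.split("(")[0]


def applicable_components(objective: str) -> list:
    """Applicability matrix: components whose requirement set contains the objective's requirement."""
    req = requirement_of(objective)
    return sorted(name for name, reqs in COMPONENTS.items() if req in reqs)


def build_manual_review(iso_version: str) -> list:
    """Rows for the Step 5 tab. An objective mapped to several ISO controls yields
    several rows; only the first row carries the objective columns and the
    narrative cell, later rows leave them blank/greyed so the narrative is written once."""
    rels = [r for r in RELATIONSHIPS if r.iso_version == iso_version]
    rows = []
    for obj, text in NIST_OBJECTIVES.items():
        matches = [r for r in rels if r.nist_objective == obj] or [None]  # None == unmapped
        for i, r in enumerate(matches):
            first = i == 0
            rows.append({
                "objective": obj if first else "",
                "objective_text": text if first else "",
                "components": applicable_components(obj) if first else [],
                "iso_control": r.iso_control if r else "",
                "rel_type": r.rel_type.value if r else "",
                "strength": r.strength.name.lower() if r else "",
                "iso_statement": ISO_IMPLEMENTATIONS.get(r.iso_control, "") if r else "",
                "narrative_cell": first,  # False means the greyed-out duplicate row
            })
    return rows


def coverage(iso_version: str) -> dict:
    """Best strength score per objective for the selected ISO version (0 = no relationship)."""
    best = {obj: 0 for obj in NIST_OBJECTIVES}
    for r in RELATIONSHIPS:
        if r.iso_version == iso_version:
            best[r.nist_objective] = max(best[r.nist_objective], r.strength.value)
    return best


def gap_report(iso_version: str) -> dict:
    """Objectives that need POA&M attention: no ISO relationship, or only a weak one."""
    cov = coverage(iso_version)
    return {
        "unmapped": sorted(o for o, s in cov.items() if s == 0),
        "weak_only": sorted(o for o, s in cov.items() if s == Strength.WEAK.value),
    }


if __name__ == "__main__":
    for row in build_manual_review("2013"):
        print(row)
    print(gap_report("2013"))
```

Running the block with "2013" selected reproduces the layout in the example: the second 3.14.6(a) row has empty objective columns and `narrative_cell` set to False, while the gap report lists 3.5.3(a) as unmapped and 3.14.6(b) as covered only by a weak relationship, which is exactly the input the POA&M step below needs.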

Create a Plan of Action and Milestones (POA&M)

Organizations should build a plan of action with related milestones to close any gaps. Gaps may exist at the objective level, for example failing to use multi-factor authentication (MFA) for non-privileged users. Gaps may also exist at the scope level, for example not having MFA for privileged accounts on the CrowdStrike SIEM.

The Office of Management and Budget memo M-02-01 specifies relevant POA&M fields.

These fields include:

  • Type of Weakness

  • Responsible Individual

  • Estimated Funding Required

  • Scheduled Completion Date

  • Key Milestones & Completion Dates

  • Milestone Changes

  • Source of the Weakness

  • Status

These fields align well with the CMMC Assessment Process (CAP):

  • Weakness tied to a specific practice

  • Severity of weakness

  • Scope of each weakness

  • Proposed mitigation 

  • Estimated costs for remediation

  • Records of mitigation status

  • A risk assessment of the deficiency

Implement Required Controls

Organizations assessing objectives as met using NIST SP 800-171A should consider the following:

  • Have we satisfied the practice for all applicable components of the authorization boundary?

  • Have we written the implementation statement into the SSP? 

  • Have we considered the three assessment methods:

    • Examine: have we identified relevant artifacts?

    • Interview: are relevant staff aware of relevant policies and procedures?

    • Test: have we exercised activities or mechanisms to compare actual and expected behaviors?

Develop a System Security Plan (SSP)

You should strive to write implementation statements at the objective level. We detailed the process for writing a system security plan in a previous blog, where we also provided a template based on the FedRAMP Moderate template.

Mapping ISO 27001 Controls to NIST SP 800-171 Requirements

Annex A controls from ISO/IEC 27001:2013 map to 120 (out of 320) assessment objectives from NIST SP 800-171A. We identified 163 relationships between ISO/IEC 27001:2022 and NIST SP 800-171A. Some NIST SP 800-171A objectives map to more than one ISO/IEC 27001 control. 18 of the relationships derive from controls that are new in ISO/IEC 27001:2022.

Image Source: ISO/IEC 27001 Crosswalk to NIST SP 800-171A

Conclusion

There is value in crosswalking work done under ISO/IEC 27001 into NIST SP 800-171. Practitioners should exercise caution when interpreting Appendix D of NIST SP 800-171, because a mapped ISO/IEC control may fall short of satisfying the related NIST requirement. Our enhanced mapping suggests that most relationships are moderate intersections of concepts rather than equivalences. Our GRC platform can import ISO/IEC 27001 work and align narratives to NIST requirements. QBE can help you close gaps in your security program.