Plan Do Check

Control Families NIST and ISO

Control Families

Control families in information security standards like NIST SP 800-53 and ISO 27001 represent a structured approach to safeguarding critical assets and ensuring the confidentiality, integrity, and availability of sensitive information. These control families are essential for establishing and maintaining robust security practices within an organization.

NIST SP 800-53 Control Families

| Control Family | Core Functions | Cybersecurity Framework Components |
|---|---|---|
| Access Control (AC) | Manage and restrict access to information systems. | Identification and Authentication (IA), System and Communications Protection (SC) |
| Audit and Accountability (AU) | Audit system activities and retain audit logs. | Audit and Accountability (AU) |
| Awareness and Training (AT) | Provide security awareness and training. | Awareness and Training (AT) |
| Security Assessment and Authorization (CA) | Assess and authorize information systems. | Security Assessment and Authorization (CA) |
| Configuration Management (CM) | Manage and control system configurations. | Configuration Management (CM) |
| Contingency Planning (CP) | Plan for, respond to, and recover from incidents. | Contingency Planning (CP) |
| Identification and Authentication (IA) | Verify the identity of users and devices. | Identification and Authentication (IA) |
| Incident Response (IR) | Plan, coordinate, and respond to security incidents. | Incident Response (IR) |
| Maintenance (MA) | Manage system maintenance, including patching. | Maintenance (MA) |
| Security Assessment (RA) | Conduct security assessments and validate controls. | Security Assessment (RA) |
| System and Communications Protection (SC) | Secure communication and protect data. | System and Communications Protection (SC) |
| System and Information Integrity (SI) | Monitor and ensure system integrity. | System and Information Integrity (SI) |
| Program Management (PM) | Govern and manage the security program. | Program Management (PM) |
| System and Services Acquisition (SA) | Acquire and procure secure information systems. | System and Services Acquisition (SA) |
| Security Planning and Policy (PL) | Develop and maintain security policies and plans. | Security Planning and Policy (PL) |
| Supply Chain Risk Management (SR) | Assess and manage supply chain risks. | Supply Chain Risk Management (SR) |
| Privacy (PR) | Protect personally identifiable information (PII). | Privacy (PR) |
| Security Architecture and Engineering (AE) | Develop secure system architecture. | Security Architecture and Engineering (AE) |
| Testing and Evaluation (TE) | Test and evaluate security controls and systems. | Testing and Evaluation (TE) |
| Risk Assessment (RA) | Assess and manage information security risks. | Risk Assessment (RA) |

ISO 27001 Control Families

| Control Family | Core Functions |
|---|---|
| Information Security Policies | Establish and maintain security policies. |
| Organization of Information Security | Define roles and responsibilities for security. |
| Human Resource Security | Manage the security aspects of employees and contractors. |
| Asset Management | Inventory and classify information assets. |
| Access Control | Restrict access to information and systems. |
| Cryptography | Protect information through encryption and related methods. |
| Physical and Environmental Security | Secure physical premises and environmental conditions. |
| Operations Security | Ensure secure day-to-day operations. |
| Communications Security | Protect information during network and information exchange. |
| System Acquisition, Development, and Maintenance | Build and maintain secure information systems. |
| Supplier Relationships | Manage security in supplier and third-party relationships. |
| Information Security Aspects of Business Continuity Management | Ensure information security during business continuity. |
| Compliance | Comply with legal and regulatory requirements. |