If you’re used to working with a specific ISO 27001/27002 framework control, you can use this guide to identify its corresponding Unified Control.
For more information, and to view other framework control maps, visit Unified Controls FAQ.
| ISO 27001 & 27002 Control | Unified Control |
|---|---|
| AC-01-ISO Access Control Policy and Procedures | CTRL-1 Access Control Policy and Procedures |
| AC-02-ISO User Account Management | CTRL-1 Access Control Policy and Procedures |
| AC-03-ISO Role-based Access Controls (RBAC) | CTRL-23 Role-Based Access Control |
| AC-04-ISO Information Flow Enforcement | CTRL-198 Network Segmentation |
| AC-05-ISO Separation of Duties | CTRL-65 Separation of Duties |
| AC-06-ISO Least Privilege Access | CTRL-23 Role-Based Access Control |
| AC-06(02)-ISO Non-privileged Access for Non-security Functions | CTRL-9 Privileged User Accounts |
| AC-06(07)-ISO Review of Access Privileges | CTRL-73 Review of User Privileges |
| AC-07-ISO Unsuccessful Logon Attempts | CTRL-349 Password-Based Authentication |
| AC-08-ISO System Use Notification | CTRL-1130 Guidelines and Support Resources |
| AC-09-ISO Previous Logon Notification | CTRL-1130 Guidelines and Support Resources |
| AC-11-ISO Device Lock and Session Timeouts | CTRL-91 Session Termination |
| AC-17-ISO Remote Access | CTRL-110 Remote Access |
| AC-17(02)-ISO Protecting Remote Access | CTRL-190 Change Management and Software Development Life Cycle |
| AC-17(02)-ISO Protecting Remote Access | CTRL-110 Remote Access |
| AC-18-ISO Wireless Access | CTRL-121 Wireless Network |
| AC-19-ISO Access Control for Mobile Devices | CTRL-79 Mobile Device Management |
| AC-24-ISO Access Control Decisions | CTRL-16 Access Provisioning |
| AT-01-ISO Awareness and Training Policy and Procedures | CTRL-528 Personnel Security Policy and Procedures |
| AT-02-ISO Security Awareness and Privacy Training | CTRL-245 Security and Privacy Awareness Training |
| AT-03-ISO Role-based Training | CTRL-245 Security and Privacy Awareness Training |
| AT-04-ISO Training Records | CTRL-245 Security and Privacy Awareness Training |
| AU-01-ISO Audit and Accountability Policy and Procedures | CTRL-814 System Integrity Policy and Procedures |
| AU-02-ISO Event Logging in IT Systems | CTRL-833 Logging and Monitoring |
| AU-03-ISO Informative Log Content | CTRL-833 Logging and Monitoring |
| AU-06-ISO Log Review and Reporting | CTRL-833 Logging and Monitoring |
| AU-09-ISO Protection of Audit Information | CTRL-833 Logging and Monitoring |
| AU-11-ISO Audit Record Retention | CTRL-896 Information Management and Retention |
| CA-01-ISO Assessment, Authorization, and Monitoring Policy and Procedures | CTRL-814 System Integrity Policy and Procedures |
| CA-02-ISO Control Assessments | CTRL-149 Control Assessments |
| CA-02(01)-ISO Independent Assessment | CTRL-149 Control Assessments |
| CA-03-ISO Third-Party Agreements | CTRL-1129 Third-Party Agreements |
| CA-05-ISO Plan of Action and Milestones | CTRL-434 Plan of Action and Milestones Process |
| CA-06-ISO Authorization | CTRL-432 Information Security Program Leadership Role |
| CA-07-ISO Continuous Monitoring | CTRL-167 Continuous Monitoring |
| CA-08-ISO Penetration Testing | CTRL-174 Penetration Testing |
| CM-01-ISO Configuration and Change Management Policy and Procedures | CTRL-262 Change Management and Software Development Policy and Procedures |
| CM-03-ISO Configuration Change Control | CTRL-190 Change Management and Software Development Life Cycle |
| CM-03(02)-ISO Testing, Validation, and Documentation of Changes | CTRL-190 Change Management and Software Development Life Cycle |
| CM-04(01)-ISO Separate Test Environments | CTRL-190 Change Management and Software Development Life Cycle |
| CM-05-ISO Access Restrictions for Change | CTRL-65 Separation of Duties |
| CM-05-ISO Access Restrictions for Change | CTRL-16 Access Provisioning |
| CM-06-ISO System Hardening Through Baseline Configurations | CTRL-208 Configuration Management |
| CM-07-ISO Least Functionality | CTRL-822 Malicious Code Protection |
| CM-08-ISO Asset Inventory | CTRL-435 System Inventory |
| CM-10-ISO Software Usage Restrictions | CTRL-235 Software Usage Restrictions |
| CP-01-ISO Contingency Planning Policy and Procedures | CTRL-263 Contingency Planning Policy and Procedures |
| CP-02-ISO Contingency Plan (BCP/DR) | CTRL-264 Contingency Plan |
| CP-02(02)-ISO Capacity Planning | CTRL-266 Capacity Planning |
| CP-03-ISO Contingency Training | CTRL-253 Role-Based Training |
| CP-04-ISO Contingency Plan (BCP/DR) Testing | CTRL-276 Contingency Plan Testing |
| CP-06-ISO Alternate Storage Site | CTRL-283 Alternate Storage Site |
| CP-07-ISO Alternate Processing Site | CTRL-306 Redundant Secondary System |
| CP-09-ISO Data Backup | CTRL-300 System Backup |
| CP-09(01)-ISO System Backup Testing | CTRL-301 System Backup Test |
| CP-09(06)-ISO Redundant Secondary System | CTRL-306 Redundant Secondary System |
| IA-01-ISO Identification and Authentication Policy and Procedures | CTRL-1 Access Control Policy and Procedures |
| IA-02-ISO Internal Users Identification and Authentication | CTRL-319 Identification and Authentication |
| IA-03-ISO Device Identification and Authentication | CTRL-319 Identification and Authentication |
| IA-04-ISO Identifier Management | CTRL-319 Identification and Authentication |
| IA-05-ISO Password Management | CTRL-349 Password-Based Authentication |
| IA-06-ISO Authentication Feedback | CTRL-319 Identification and Authentication |
| IA-08-ISO External Users Identification and Authentication | CTRL-319 Identification and Authentication |
| IR-01-ISO Incident Response Policy and Procedures | CTRL-423 Incident Response Plan |
| IR-02-ISO Incident Response Training | CTRL-23 Role-Based Access Control |
| IR-04-ISO Incident Handling and Reporting | CTRL-423 Incident Response Plan |
| IR-06-ISO Incident Reporting | CTRL-416 Incident Reporting |
| IR-08-ISO Incident Response Plan | CTRL-423 Incident Response Plan |
| ISO-01-ISO Information Security Management System (ISMS) | CTRL-431 Information Security Policy and Procedures |
| ISO-02-ISO Statement of Applicability | CTRL-149 Control Assessments |
| ISO-03-ISO Internal Audit | CTRL-149 Control Assessments |
| ISO-04-ISO Management Review | CTRL-149 Control Assessments |
| MA-01-ISO Maintenance Policy and Procedures | CTRL-468 Maintenance Policy and Procedures |
| MA-02-ISO Controlled Maintenance | CTRL-472 Maintenance Tools |
| MP-01-ISO Media Protection Policy and Procedures | CTRL-498 Media Protection Policy and Procedures |
| MP-02-ISO Media Access | CTRL-499 Media Access |
| MP-03-ISO Media Labeling | CTRL-896 Information Management and Retention |
| MP-04-ISO Media Storage | CTRL-503 Media Storage |
| MP-05-ISO Media Transport | CTRL-506 Media Transport |
| MP-06-ISO Media Sanitization | CTRL-511 Media Sanitization and Disposal |
| PE-01-ISO Physical and Environmental Policy and Procedures | CTRL-546 Physical and Environmental Protection Policy and Procedures |
| PE-02-ISO Physical Access Authorizations | CTRL-551 Physical Access Control |
| PE-03-ISO Physical Access Control | CTRL-255 Physical Security Controls |
| PE-04-ISO Access Control for Transmission | CTRL-551 Physical Access Control |
| PE-05-ISO Access Control for Output Devices | CTRL-551 Physical Access Control |
| PE-17-ISO Alternate Work Site | CTRL-596 Alternate Work Site |
| PL-01-ISO Planning Policy and Procedures | CTRL-263 Contingency Planning Policy and Procedures |
| PL-02-ISO System Security and Privacy Plans | CTRL-431 Information Security Policy and Procedures |
| PL-04-ISO Rules of Behavior | CTRL-539 Access Agreements |
| PL-07-ISO Concept of Operations | CTRL-643 Risk Assessment Policy and Procedures |
| PM-01-ISO Information Security Program Management Policy and Procedures | CTRL-431 Information Security Policy and Procedures |
| PM-02-ISO Information Security Program Leadership Role | CTRL-432 Information Security Program Leadership Role |
| PM-10-ISO Authorization Process | CTRL-434 Plan of Action and Milestones Process |
| PM-13-ISO Security and Privacy Workforce | CTRL-434 Plan of Action and Milestones Process |
| PM-14-ISO Testing, Training, and Monitoring | CTRL-245 Security and Privacy Awareness Training |
| PM-15-ISO Security and Privacy Groups and Associations | CTRL-447 Security and Privacy Groups and Associations |
| PM-31-ISO Continuous Monitoring Strategy | CTRL-167 Continuous Monitoring |
| PM-33-ISO Information Security Program Plan | CTRL-431 Information Security Policy and Procedures |
| PM-34-ISO Information Security Program Documents | CTRL-431 Information Security Policy and Procedures |
| PS-01-ISO Personnel Security Policy and Procedures | CTRL-528 Personnel Security Policy and Procedures |
| PS-03-ISO Personnel Screening | CTRL-530 Personnel Screening |
| PS-04-ISO Personnel Termination | CTRL-535 Access Termination |
| PS-05-ISO Personnel Transfer | CTRL-535 Access Termination |
| PS-06-ISO Confidentiality Agreements for Company Personnel | CTRL-539 Access Agreements |
| PS-07-ISO External Personnel Security | CTRL-1109 Supplier Assessments and Reviews |
| PS-08-ISO Personnel Sanctions | CTRL-544 Personnel Sanctions |
| PS-09-ISO Position Descriptions | CTRL-545 Position Descriptions |
| PT-01-ISO Privacy Policy and Procedures | CTRL-622 Privacy Policy and Procedures |
| PT-02-ISO Authority to Process PII | CTRL-622 Privacy Policy and Procedures |
| RA-01-ISO Risk Assessment Policy and Procedures | CTRL-646 Risk Assessment |
| RA-01-ISO Risk Assessment Policy and Procedures | CTRL-643 Risk Assessment Policy and Procedures |
| RA-02-ISO Security Categorization | CTRL-435 System Inventory |
| RA-03-ISO Risk Assessment | CTRL-646 Risk Assessment |
| RA-05-ISO Vulnerability Monitoring and Scanning | CTRL-652 Vulnerability Management |
| RA-05-ISO Vulnerability Monitoring and Scanning | CTRL-814 System Integrity Policy and Procedures |
| RA-07-ISO Risk Response and Remediation | CTRL-646 Risk Assessment |
| RA-07-ISO Risk Response and Remediation | CTRL-652 Vulnerability Management |
| RA-09-ISO Criticality Analysis | CTRL-190 Change Management and Software Development Life Cycle |
| SA-01-ISO System Development Life Cycle (SDLC) Policy and Procedures | CTRL-190 Change Management and Software Development Life Cycle |
| SA-01-ISO System Development Life Cycle (SDLC) Policy and Procedures | CTRL-262 Change Management and Software Development Policy and Procedures |
| SA-03-ISO System Development Life Cycle | CTRL-190 Change Management and Software Development Life Cycle |
| SA-03-ISO System Development Life Cycle | CTRL-262 Change Management and Software Development Policy and Procedures |
| SA-03(02)-ISO Use of Live or Operational Data | CTRL-1186 Sensitive Data in Non-Production Environments |
| SA-04-ISO Acquisition Process | CTRL-190 Change Management and Software Development Life Cycle |
| SA-05-ISO System Documentation | CTRL-431 Information Security Policy and Procedures |
| SA-08-ISO Security and Privacy Engineering Principles | CTRL-190 Change Management and Software Development Life Cycle |
| SA-09-ISO External System Services | CTRL-1109 Supplier Assessments and Reviews |
| SA-10-ISO Developer Configuration Management | CTRL-190 Change Management and Software Development Life Cycle |
| SA-11-ISO Developer Testing and Evaluation | CTRL-190 Change Management and Software Development Life Cycle |
| SA-15-ISO Development Process, Standards, and Tools | CTRL-190 Change Management and Software Development Life Cycle |
| SC-01-ISO System Protection Policy and Procedures | CTRL-932 System Protection Policy and Procedures |
| SC-07-ISO Boundary Protection and Firewalls | CTRL-950 Boundary Protection |
| SC-07(12)-ISO Host-based Protection | CTRL-950 Boundary Protection |
| SC-08-ISO Transmission Confidentiality and Integrity | CTRL-112 Encryption of Data at Rest and in Transit |
| SC-12-ISO Cryptographic Key Establishment and Management | CTRL-194 Cryptography Management |
| SC-13-ISO Cryptographic Protection | CTRL-194 Cryptography Management |
| SC-38-ISO Operations Security | CTRL-190 Change Management and Software Development Life Cycle |
| SC-45-ISO System Time Synchronization | CTRL-1063 Synchronization |
| SI-01-ISO System Integrity Policy and Procedures | CTRL-814 System Integrity Policy and Procedures |
| SI-02-ISO Flaw Remediation and Patch Management | CTRL-652 Vulnerability Management |
| SI-03-ISO Malware and Endpoint Protection | CTRL-822 Malicious Code Protection |
| SI-05-ISO Security Alerts, Advisories, and Directives | CTRL-447 Security and Privacy Groups and Associations |
| SI-12-ISO Data Handling, Retention, and Disposal | CTRL-896 Information Management and Retention |
| SI-19-ISO De-identification | CTRL-923 Removal of Direct Identifiers |
| SR-01-ISO Third-Party Risk Management Policy and Procedures | CTRL-1094 Third-Party Risk Management Policy and Procedures |
| SR-02-ISO Third Party Management | CTRL-1094 Third-Party Risk Management Policy and Procedures |
| SR-06-ISO Third-Party Risk Assessments | CTRL-1109 Supplier Assessments and Reviews |
Viewing Framework Controls in Thoropass
You can view the framework requirements satisfied by a Unified Control by clicking References on the side panel when viewing the Unified Control.
The IDs and names of all framework controls satisfied by the Unified Control are listed by framework. Click a framework control to view its description.