COBIT Mapping: Mapping of NIST SP800-53 Rev 1 With COBIT 4.1 



This document contains a detailed mapping of NIST SP800-53 Rev 1 with COBIT 4.1 and also contains the classification of the standards discussed in this paper as presented in the overview document COBIT® Mapping: Overview of International IT Guidance, 2nd Edition.

A brief overview of the standards mapped against each other in this document follows:

  • COBIT–Originally released as an IT process and control framework linking IT to business requirements, it was initially used mainly by the assurance community in conjunction with business and IT process owners. With the addition of management guidelines in 1998, COBIT was used more frequently as a management framework, providing management tools such as metrics and maturity models to complement the control framework. With the release of COBIT 4.0 in 2005, it became a more complete IT governance framework. Incremental updates to COBIT 4.0 were made in 2007; they can be seen as a fine-tuning of the framework, not fundamental changes. The current version is COBIT 4.1.
  • NIST SP800-53 Rev 1–The application of the security controls defined in NIST SP800-53 Rev 1 represents the current state-of-the-practice safeguards and countermeasures for US federal information systems. The 17 areas represent a broad-based, balanced information security programme that addresses the management, operational and technical aspects of protecting US federal information and information systems.

NIST SP800-53 is a security-related technical standard issued by NIST. It is one of NIST’s SP800-series of reports ‘providing research, guidelines, and outreach efforts in information systems security, and its collaborative activities with industry, government, and academic organizations’. Although this is a US federal government standard, it is applicable for all organisations interacting with the US federal government. More important, the standards included in NIST are good security practices for all organisations and therefore need to be looked at and used from that perspective.

NIST SP800-53 Rev 1 is presented in numbered, outline form. The security controls in the security control catalogue are organised in a tree-like structure. The first tier separates into three general classes of security controls:

  • Technical–Direct controls primarily implemented and executed by the information system through mechanisms contained in hardware, software or firmware components of the system
  • Managerial–Indirect controls that focus on the management of risk and the management of information systems security
  • Operational–Direct controls that are primarily implemented and executed by people (as opposed to systems)

These are then broken into a total of 17 control families corresponding to these three classes. Each control has a reference statement, expanded guidance and control enhancements for environments where the assessed risk calls for tighter control. The references provided in this mapping are at the level of detail of the reference statement.