Control Templates: NIST CSF 2.0 and ISO 27001:2022
Overview
UpGuard’s NIST CSF 2.0 and ISO 27001:2022 control templates leverage UpGuard’s library of 500+ checks to help you understand how a vendor aligns with their respective standards.
Both templates replace Security Profile’s standard organization system and instead use either NIST CSF functions, categories, subcategories, and language or ISO 27001 categories, controls, and language. Our goal is to make it easy for you to:
- See content organized in the corresponding framework’s context.
- See how checks are assigned to the framework’s categories and subcategories (NIST CSF) or controls (ISO 27001).
- See how the vendor aligns to the NIST CSF or ISO 27001 standard (i.e., whether each control is fully implemented, partially implemented, or not implemented, or whether evidence is missing).
💡Enable the NIST CSF 2.0 and ISO 27001 control templates so that you and your team can start using them.
Template methodology
Most cybersecurity frameworks do not provide specific details on how to meet their requirements or recommendations. To provide a standardized method for validating alignment, we developed a library of 500+ checks. Each check is an applicable measure or data point. We then map those checks to the selected framework, giving you a way to measure your vendor’s alignment while still leveraging a standardized system.
With the mapping in place, Security Profile is able to operate as it normally does: by referencing evidence to determine if a check is implemented (or not).
What this means for you:
- NIST CSF 2.0 defines high-level outcomes (Subcategories) and is not prescriptive: it details what to achieve, not how. This mapping translates those high-level objectives into actionable, technical validation.
- ISO 27001 specifies requirements for a formal Information Security Management System (ISMS). It details how to systematically manage, monitor, maintain, and improve information security, using Annex A as a comprehensive catalogue of reference controls to be applied based on risk. Security Profile’s mapping translates these controls into actionable, technical validation.
💡A check may apply to more than one control in Security Profile. When this happens, you will see the check appear under all applicable controls. It is the same check, just referenced in various places. Updating the check’s status changes it everywhere it appears.
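The shared-check behaviour described above, as an added illustration that is not UpGuard’s own code: a check is one object referenced from every control it maps to, so a status change is visible under each of them. The control-level roll-up rule, the check identifier, and the use of PR.AA-01 and A.5.15 as example control identifiers are assumptions made for this example.

```python
from dataclasses import dataclass, field
from enum import Enum


class CheckStatus(Enum):
    IMPLEMENTED = "implemented"
    NOT_IMPLEMENTED = "not implemented"
    EVIDENCE_MISSING = "evidence missing"


@dataclass
class Check:
    """One measure from the check library; shared by reference across controls."""
    check_id: str
    description: str
    status: CheckStatus = CheckStatus.EVIDENCE_MISSING


@dataclass
class Control:
    """A framework control (ISO 27001) or subcategory (NIST CSF) with its mapped checks."""
    control_id: str
    checks: list = field(default_factory=list)


def control_alignment(control: Control) -> str:
    """Derive the control-level alignment from its checks (assumed roll-up rule)."""
    statuses = {c.status for c in control.checks}
    if statuses == {CheckStatus.IMPLEMENTED}:
        return "fully implemented"
    if CheckStatus.IMPLEMENTED in statuses:
        return "partially implemented"
    if CheckStatus.NOT_IMPLEMENTED in statuses:
        return "not implemented"
    return "evidence missing"


def build_mapping() -> dict:
    """Constructed sample: one check mapped to both a NIST subcategory and an ISO control."""
    mfa = Check("CHK-MFA", "Multi-factor authentication enforced for all user access")
    nist = Control("PR.AA-01", [mfa])  # NIST CSF 2.0 subcategory id, used as an example
    iso = Control("A.5.15", [mfa])     # ISO 27001:2022 Annex A control id, used as an example
    return {"check": mfa, "nist": nist, "iso": iso}


def set_check_status(check: Check, status: CheckStatus) -> None:
    """Update the single shared Check; every control referencing it sees the change."""
    check.status = status
```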
Recommended evidence
To determine whether a check is passed, UpGuard’s AI looks for specific citations in the evidence. For Security Profile, therefore, the best evidence includes specific descriptions of how security controls are implemented.
Evidence specific to NIST CSF and ISO 27001:
- NIST CSF assessments: recommended if available.
- ISO 27001 Statements of Applicability (SoA): can be good evidence if they include specific descriptions of how controls are met. Because there is no standard format or mandate for how an SoA is produced, their usability as evidence varies greatly. One vendor’s SoA may be excellent evidence while another vendor’s may not be; it depends on how specific and detailed the SoA is.
Read more about evidence mapping on Security Profile.