Run an ISO 27001 ISMS and a NIST CSF program in parallel and you hit the same wall every time. Which Annex A.8 control satisfies which CSF subcategory, and how do you avoid auditing the same evidence twice? This is the crosswalk I use during ISMS reviews — with a weighted Sankey view of all 34 technological controls and a downloadable PDF you can hand to your auditor.
Why this mapping matters
ISO 27001:2022 reorganized Annex A into four themes — organizational, people, physical, and technological. Annex A.8 (technological) is where most of your evidence lives. NIST CSF, meanwhile, is structured by outcome (Identify, Protect, Detect, Respond, Recover). They are not 1-to-1, and pretending they are produces sloppy audit reports.
Audit insight
Auditors don't reject your control just because the framework label is different. They reject it when the evidence doesn't show the outcome. Map to outcomes, not to labels.
The visual: Annex A.8 → CSF v2.0
Below is a weighted Sankey of 20 representative A.8 controls flowing into the six CSF v2.0 Functions (CSF v2.0 added GOVERN). Band thickness is the contribution weight — most A.8 controls land squarely in PROTECT, with meaningful spillover into DETECT for monitoring-adjacent controls and into RECOVER for backup. PROTECT carries the heaviest aggregate weight, which is exactly why a CSF program leaning on Annex A.8 alone tends to under-invest in RESPOND and GOVERN.
Band thickness reflects the contribution weight of each Annex A.8 control to a NIST CSF v2.0 Function. PROTECT carries the heaviest aggregate weight.
How to read it
Each left band is one A.8 control; the bands split by weight to the CSF Functions they primarily satisfy. Where a band fades into two colors, the control is genuinely dual-purpose (e.g., A.8.16 Monitoring → DETECT + RESPOND).
Download the full crosswalk (PDF)
The PDF below contains the full mapping for all 34 Annex A.8 controls, with primary/secondary CSF Functions, the most relevant CSF v2.0 subcategories, and notes on how to evidence each one. Free to share with attribution.
ISO 27001 Annex A.8 ↔ NIST CSF v2.0 — full mapping
All 34 technological controls mapped to CSF v2.0 Functions and key subcategories. By Rudy Prasetiya — blog.rudyprasetiya.com.
iso-27001-a8-nist-csf-mapping.pdf · Download PDF →
The crosswalk
| Annex A.8 control | Primary CSF function | CSF subcategory | Typical evidence |
|---|---|---|---|
| A.8.2 Privileged access rights | Protect | PR.AC-4 | PAM session logs, access reviews |
| A.8.7 Protection against malware | Protect / Detect | PR.PT-1, DE.CM-4 | EDR coverage report, signature update logs |
| A.8.16 Monitoring activities | Detect | DE.CM-1, DE.CM-7 | SIEM use cases, alert tuning evidence |
| A.8.24 Use of cryptography | Protect | PR.DS-1, PR.DS-2 | Key inventory, KMS rotation logs |
| A.8.28 Secure coding | Protect | PR.IP-2 | SAST/DAST results, secure code training records |
Deep dive: five controls auditors actually scrutinise
A.8.2 Privileged access rights → PR.AA-05
ISO wants you to demonstrate that privileged rights are allocated, restricted, and reviewed on a defined cadence. CSF PR.AA-05 is broader: it asks for access permissions, entitlements, and authorizations to be defined, managed, enforced, and reviewed under least privilege and separation of duties. The overlap is operational — but the evidence required differs in shape.
| Evidence artefact | Satisfies ISO A.8.2 | Satisfies CSF PR.AA-05 | Gap risk |
|---|---|---|---|
| PAM vault inventory (CyberArk / HashiCorp / Delinea) | Yes — design | Partial | No proof of operating effectiveness |
| Quarterly privileged access review with sign-off | Yes — operating | Yes | Reviewer must be independent of grantor |
| JIT elevation logs with approver + ticket | Yes — operating | Yes — strong | Tie to change ticket or fail SoD |
| Break-glass account usage report | Yes | Yes | Must show zero or fully-justified use |
Common audit finding
Reviews are performed but the reviewer is the same person who provisioned the account. That is a segregation-of-duties failure under both frameworks regardless of how clean the PAM vault looks.
A.8.16 Monitoring activities → DE.CM-01 / DE.AE-02
This is the most common interface between an ISMS audit and a SOC review. ISO A.8.16 requires networks, systems, and applications to be monitored for anomalous behaviour. CSF DE.CM-01 calls for networks and network services to be monitored to find potentially adverse events; DE.AE-02 demands those events be analysed to characterise them.
id: UC-AUTH-001
title: Impossible travel for privileged accounts
frameworks:
iso27001: ["A.8.16", "A.8.2"]
nist_csf: ["DE.CM-01", "DE.AE-02", "PR.AA-05"]
mitre_attack: ["T1078.004"]
source: AzureAD SignInLogs
logic: |
Two successful sign-ins for the same UPN from
geoIPs >800km apart within <2h, where account is
member of group ‘Privileged-Tier0’.
severity: High
response_runbook: RB-IR-014
last_tested: 2026-04-15 # purple-team replay
tuning_log: ./tuning/UC-AUTH-001.mdAudit insight
A use-case spec like this single-handedly evidences design (mapping), operation (last_tested date), and continuous improvement (tuning_log). One artefact, three CSF subcategories, two ISO controls.
A.8.24 Use of cryptography → PR.DS-01 / PR.DS-02
ISO requires a topic-specific policy on cryptography plus implementation across the lifecycle of keys. CSF PR.DS-01 covers data-at-rest confidentiality and integrity; PR.DS-02 covers data-in-transit. The audit-grade evidence is a key inventory that joins to a rotation log and a usage telemetry feed.
-- Find KMS keys whose rotation interval exceeds policy (90d)
SELECT k.key_id,
k.alias,
k.created_at,
MAX(r.rotated_at) AS last_rotation,
DATE_PART('day', NOW() - MAX(r.rotated_at)) AS days_since
FROM kms_keys k
LEFT JOIN kms_rotation_log r USING (key_id)
WHERE k.state = 'Enabled'
GROUP BY k.key_id, k.alias, k.created_at
HAVING DATE_PART('day', NOW() - MAX(r.rotated_at)) > 90
ORDER BY days_since DESC;Best practice
Tag every cryptographic key with the data classification it protects. When the auditor asks ‘how do you know this key protects regulated data?’, the tag is the answer — and it makes the PR.DS-01 narrative trivial.
A.8.8 Technical vulnerability mgmt → ID.RA-01 / ID.RA-06
ISO A.8.8 is squarely about timely identification, evaluation, and treatment. CSF moved vulnerability management firmly under IDENTIFY in v2.0 (ID.RA-01: vulnerabilities in assets are identified, validated, and recorded; ID.RA-06: risk responses are chosen, prioritized, planned, tracked, and communicated). Both demand SLA-driven remediation tied to risk.
| CVSS band | Internet-facing SLA | Internal SLA | Evidence |
|---|---|---|---|
| Critical (9.0+) | 72 hours | 14 days | Patch ticket + scanner re-confirm |
| High (7.0–8.9) | 14 days | 30 days | Patch ticket OR risk acceptance |
| Medium (4.0–6.9) | 30 days | 90 days | Roadmap entry |
| Low (<4.0) | Best effort | Best effort | Logged |
A.8.28 Secure coding → PR.PS-06
CSF v2.0 collapsed several PR.IP / PR.DS subcategories into PR.PS-06: secure software development practices are integrated, and their performance is monitored throughout the SDLC. ISO A.8.28 expects the same — but ISO auditors will additionally trace it back to A.6.3 awareness training and A.5.37 documented operating procedures.
Evidence triplet that satisfies both
(1) SAST/DAST trend showing month-over-month finding reduction; (2) developer training completion + assessment scores tied to the same population; (3) at least one merged PR rejected by the security gate, with the reviewer’s comment preserved.
How to evidence it once, satisfy both
Build your evidence library indexed by control objective, not by framework. A single SIEM alert tuning report can support A.8.16, DE.CM-1, and CIS Control 8 simultaneously — but only if the report explicitly states which detections it tunes and the risk it addresses.
Best practice
Tag every evidence artifact with: (1) the risk it addresses, (2) the controls it supports across all frameworks in scope, (3) the period it covers. This single discipline cuts audit prep time roughly in half.
Common gaps auditors flag
- Privileged access reviews performed but not approved by control owner.
- Cryptographic inventory missing third-party-managed keys.
- SIEM use cases mapped to MITRE ATT&CK but never tested with purple-team exercises.
- Secure-coding training completed but no link to actual SAST findings reduction.
Risk
If you cannot prove the *operating effectiveness* of A.8.16 monitoring with at least one closed incident or tuned alert in the audit period, expect a finding — even if the SIEM is fully deployed.
Rudy Prasetiya
IT GRC, cybersecurity & audit practitioner. Writes about controls that actually hold.
