Aziz Alghamdi عزيز الغامدي

Security Compliance Navigator

Explore major security frameworks and compliance standards. Compare requirements across NIST CSF, ISO 27001, and CIS Benchmarks, and learn how to implement controls to meet regulatory obligations.

NIST Cybersecurity Framework

The NIST Cybersecurity Framework (CSF) provides a policy framework of computer security guidance for how private sector organizations can assess and improve their ability to prevent, detect, and respond to cyber attacks. The framework provides a high-level taxonomy of cybersecurity outcomes and a methodology to assess and manage those outcomes.

The framework's five core functions are Identify (ID), Protect (PR), Detect (DE), Respond (RS), and Recover (RC).
Identify (ID) Function Controls
Control ID | Control Description | Status | Last Assessment
ID.AM-1 | Physical devices and systems within the organization are inventoried | Implemented | Apr 15, 2025
ID.AM-2 | Software platforms and applications within the organization are inventoried | Implemented | Apr 15, 2025
ID.AM-3 | Organizational communication and data flows are mapped | Partially Implemented | Apr 15, 2025
ID.AM-4 | External information systems are catalogued | Partially Implemented | Apr 15, 2025
ID.AM-5 | Resources are prioritized based on their classification, criticality, and business value | Not Implemented | Apr 15, 2025
ID.AM-6 | Cybersecurity roles and responsibilities are established for the entire workforce and third-party stakeholders | Implemented | Apr 15, 2025
ID.BE-1 | The organization's role in the supply chain is identified and communicated | Implemented | Apr 15, 2025
ID.BE-2 | The organization's place in critical infrastructure and its industry sector is identified and communicated | Not Applicable | Apr 15, 2025
ID.BE-3 | Priorities for organizational mission, objectives, and activities are established and communicated | Implemented | Apr 15, 2025
ID.GV-1 | Organizational cybersecurity policy is established and communicated | Implemented | Apr 15, 2025
ID.AM-1: Physical devices and systems within the organization are inventoried

Framework: NIST Cybersecurity Framework v1.1
Function: Identify (ID)
Category: Asset Management (ID.AM)
Status: Implemented
Last Assessment: April 15, 2025
Next Review: April 15, 2026

Description

This control focuses on maintaining a comprehensive inventory of all physical devices and systems that exist within the organization's environment. This includes workstations, servers, network devices, IoT devices, and other technology assets.

A complete asset inventory is foundational to effective cybersecurity as it establishes visibility and enables proper management of the organization's technology footprint. Organizations cannot secure what they don't know exists.

Implementation Guidance

Asset Discovery & Inventory
Deploy automated discovery tools to scan the network and identify connected devices
Establish formal processes for documenting and registering new hardware
Include asset attributes such as owner, location, purpose, and criticality
Implement and enforce asset tagging procedures
Maintenance & Verification
Conduct periodic physical verification of assets against inventory records
Establish procedures for handling discrepancies between recorded and actual inventory
Define processes for updating inventory when devices are introduced or removed
Implement automated monitoring to detect unauthorized devices
Tools & Technologies
Asset Management Systems (e.g., ServiceNow, Ivanti)
Network scanning tools (e.g., Nmap, Qualys)
Network Access Control (NAC) solutions
Configuration Management Databases (CMDB)
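The maintenance and verification steps above come down to one recurring job: compare what discovery actually sees on the network with what the inventory says should be there, and act on the differences. The script below is an added example written for this page, not code from the author or from any of the tools listed; the inventory rows and scan results are constructed sample data standing in for a CMDB export and an Nmap or NAC discovery feed. It reports devices on the network that have no inventory record (candidates for the unauthorized-device check), inventory records that discovery did not see (candidates for physical verification), and records missing the attributes the guidance calls for (owner, location, purpose, criticality).

```python
"""Asset inventory reconciliation for ID.AM-1.

Compares live discovery results against inventory records and reports
the discrepancies a periodic verification would act on. All records
below are constructed sample data, not output from a real CMDB or scanner.
"""
from dataclasses import dataclass

# Attributes the implementation guidance expects on every inventory record.
REQUIRED_ATTRIBUTES = ("owner", "location", "purpose", "criticality")


@dataclass(frozen=True)
class InventoryRecord:
    asset_tag: str
    hostname: str
    mac: str
    owner: str = ""
    location: str = ""
    purpose: str = ""
    criticality: str = ""


@dataclass(frozen=True)
class DiscoveredDevice:
    ip: str
    mac: str
    hostname: str = ""


def normalize_mac(mac: str) -> str:
    """Canonical lower-case colon form, so 'AA-BB-...' and 'aa:bb:...' compare equal."""
    digits = "".join(ch for ch in mac.lower() if ch in "0123456789abcdef")
    if len(digits) != 12:
        raise ValueError(f"malformed MAC address: {mac!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))


def reconcile(inventory, discovered):
    """Match discovery results to inventory by MAC and classify the differences."""
    inv_by_mac = {normalize_mac(r.mac): r for r in inventory}
    seen = {}
    for dev in discovered:  # keep the first sighting if a MAC shows up twice
        seen.setdefault(normalize_mac(dev.mac), dev)

    # On the network but not in the inventory: possible unauthorized device.
    unauthorized = sorted(seen[m].ip for m in seen if m not in inv_by_mac)
    # In the inventory but not seen: verify physically, then update or retire.
    missing = sorted(r.asset_tag for m, r in inv_by_mac.items() if m not in seen)
    matched = sorted(inv_by_mac[m].asset_tag for m in seen if m in inv_by_mac)
    # Records that exist but lack the attributes the guidance requires.
    incomplete = {}
    for r in inventory:
        gaps = [a for a in REQUIRED_ATTRIBUTES if not getattr(r, a)]
        if gaps:
            incomplete[r.asset_tag] = gaps
    return {"matched": matched, "unauthorized": unauthorized,
            "missing": missing, "incomplete_records": incomplete}


# Constructed sample inventory: AST-0002 is missing owner and criticality.
INVENTORY = [
    InventoryRecord("AST-0001", "fs01", "00:1A:2B:3C:4D:5E", "ops", "DC-1 rack 3", "file server", "high"),
    InventoryRecord("AST-0002", "ws-042", "00-1A-2B-3C-4D-5F", "", "HQ floor 2", "workstation", ""),
    InventoryRecord("AST-0003", "sw-core", "00:1a:2b:3c:4d:60", "netops", "DC-1 rack 1", "core switch", "high"),
]

# Constructed sample discovery feed: the third device has no inventory record.
SCAN = [
    DiscoveredDevice("10.0.1.10", "00:1a:2b:3c:4d:5e", "fs01"),
    DiscoveredDevice("10.0.2.42", "00:1A:2B:3C:4D:5F", "ws-042"),
    DiscoveredDevice("10.0.2.77", "DE:AD:BE:EF:00:01"),
]


def print_report(result):
    for section, items in result.items():
        print(f"{section}: {items if items else 'none'}")


if __name__ == "__main__":
    print_report(reconcile(INVENTORY, SCAN))
```

Matching on MAC rather than hostname or IP is deliberate: both of the latter change routinely (DHCP leases, renamed hosts) and would generate false discrepancies, whereas a MAC that is absent from the inventory is exactly the signal the unauthorized-device check needs. Feed the real CMDB export and discovery output in place of the constructed lists and schedule the run at the same cadence as the physical verification.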

Related Controls

ID.AM-2
ID.AM-4
PR.DS-3
PR.IP-1
DE.CM-7

Mapping to Other Frameworks

ISO 27001:2013: A.8.1.1, A.8.1.2
CIS Controls v8: Control 1, Control 2
COBIT 5: BAI09.01, BAI09.02
PCI DSS v4.0: Requirement 9.9, 11.2

References

NIST Cybersecurity Framework Documentation
NIST SP 800-53 Rev. 5 - CM-8: System Component Inventory
CIS Controls v8 Implementation Guide

ISO 27001

ISO/IEC 27001 is an international standard for managing information security. It provides a systematic approach to managing sensitive company information so that it remains secure. It includes requirements for establishing, implementing, maintaining and continually improving an information security management system (ISMS).

A5: Information Security Policies
A6: Organization of Information Security
A7: Human Resource Security
A8: Asset Management
A9: Access Control
A5: Information Security Policies
Control ID | Control Description | Status | Last Assessment
A.5.1.1 | Policies for information security | Implemented | Apr 10, 2025
A.5.1.2 | Review of the policies for information security | Implemented | Apr 10, 2025
CIS Controls

The CIS Controls are a prioritized set of actions that collectively form a defense-in-depth set of best practices that mitigate the most common attacks against systems and networks. The Controls are developed by a community of IT experts who apply their first-hand experience as cyber defenders to create these globally accepted security best practices.

Basic (IG1)
Foundational (IG2)
Organizational (IG3)
Basic Controls (Implementation Group 1)
Control ID | Control Description | Status | Last Assessment
CIS 1 | Inventory and Control of Hardware Assets | Implemented | Mar 25, 2025
CIS 2 | Inventory and Control of Software Assets | Implemented | Mar 25, 2025
CIS 3 | Data Protection | Partially Implemented | Mar 25, 2025
CIS 4 | Secure Configuration of Enterprise Assets and Software | Partially Implemented | Mar 25, 2025
CIS 5 | Account Management | Implemented | Mar 25, 2025
CIS 6 | Access Control Management | Implemented | Mar 25, 2025
PCI DSS

The Payment Card Industry Data Security Standard (PCI DSS) is an information security standard for organizations that handle branded credit cards from the major card schemes. The standard was created to increase controls around cardholder data and so reduce the credit card fraud that results from exposure of that data.

Requirement 1: Network Security
Requirement 2: System Security
Requirement 3: Protect Data
Requirement 4: Encryption
Requirement 1: Install and maintain network security controls
Control ID | Control Description | Status | Last Assessment
1.1 | Processes and mechanisms for network security controls are defined and understood | Implemented | Mar 15, 2025
1.2 | Network security controls are defined and implemented | Implemented | Mar 15, 2025
1.3 | Network access to and from the cardholder data environment is restricted | Partially Implemented | Mar 15, 2025
1.4 | Network connections between trusted and untrusted networks are controlled | Implemented | Mar 15, 2025
1.5 | Risks to the cardholder data environment are identified and addressed | Partially Implemented | Mar 15, 2025
Framework Comparison

This section provides a comparison between different security frameworks, allowing you to understand how controls map across frameworks and identify overlaps to streamline compliance efforts.

Control Mapping Matrix

Security Domain | NIST CSF | ISO 27001:2013 | CIS Controls v8 | PCI DSS v4.0
Asset Management | ID.AM-1, ID.AM-2, ID.AM-4, ID.AM-5 | A.8.1.1, A.8.1.2, A.8.1.3, A.8.2.1 | Control 1, Control 2 | Req 9.9, Req 11.2, Req 12.10.1
Access Control | PR.AC-1, PR.AC-2, PR.AC-3, PR.AC-4 | A.9.1.1, A.9.2.1, A.9.2.2, A.9.2.3, A.9.2.4, A.9.2.5, A.9.2.6 | Control 5, Control 6 | Req 7.1, Req 7.2, Req 7.3, Req 8.1, Req 8.2, Req 8.3
Network Security | PR.AC-5, PR.PT-4, DE.CM-1 | A.13.1.1, A.13.1.2, A.13.1.3 | Control 12, Control 13 | Req 1.1, Req 1.2, Req 1.3, Req 1.4, Req 1.5
Data Protection | PR.DS-1, PR.DS-2, PR.DS-5 | A.8.2.3, A.10.1.1, A.18.1.3, A.18.1.4 | Control 3 | Req 3.1, Req 3.2, Req 3.3, Req 3.4, Req 3.5, Req 3.6, Req 3.7
Security Assessment | ID.RA-1, ID.RA-2, ID.RA-3, DE.CM-8 | A.12.6.1, A.18.2.1, A.18.2.2, A.18.2.3 | Control 7, Control 10 | Req 6.5, Req 11.1, Req 11.3, Req 11.4
Security Awareness | PR.AT-1, PR.AT-2, PR.AT-3, PR.AT-4, PR.AT-5 | A.7.2.2, A.7.2.3 | Control 14 | Req 12.6, Req 12.6.1, Req 12.6.2
Incident Response | RS.RP-1, RS.CO-1, RS.CO-2, RS.AN-1, RS.MI-1, RS.MI-2 | A.16.1.1, A.16.1.2, A.16.1.3, A.16.1.4, A.16.1.5 | Control 17, Control 19 | Req 12.10, Req 12.10.1, Req 12.10.2, Req 12.10.3, Req 12.10.4, Req 12.10.5
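The practical use of a mapping matrix is the gap analysis it enables: once a control is assessed under one framework, the same evidence usually speaks to the mapped controls in the same domain under the others. The script below is an added example for this page, not code from the author or from any framework publisher. It takes two domains of the matrix above and the assessment statuses shown in the page's tables (the remaining controls are treated as not yet assessed), scores each framework column conservatively, picks the weakest column per domain, and lists the unassessed controls of a chosen framework together with the already-implemented controls whose evidence overlaps them. The 1.0 / 0.5 / 0.0 weighting and the "Not Applicable drops out of the denominator" rule are this example's own assumptions.

```python
"""Cross-framework gap analysis driven by a control mapping matrix.

MATRIX reproduces two rows of the Control Mapping Matrix; STATUS collects
the assessment results shown in the framework tables on the page. Both are
illustrative input for this example rather than a live assessment feed.
"""

# Assumed scoring weights: full credit, half credit, no credit.
WEIGHT = {"Implemented": 1.0, "Partially Implemented": 0.5, "Not Implemented": 0.0}

MATRIX = {
    "Asset Management": {
        "NIST CSF": ["ID.AM-1", "ID.AM-2", "ID.AM-4", "ID.AM-5"],
        "ISO 27001:2013": ["A.8.1.1", "A.8.1.2", "A.8.1.3", "A.8.2.1"],
        "CIS Controls v8": ["Control 1", "Control 2"],
        "PCI DSS v4.0": ["Req 9.9", "Req 11.2", "Req 12.10.1"],
    },
    "Access Control": {
        "NIST CSF": ["PR.AC-1", "PR.AC-2", "PR.AC-3", "PR.AC-4"],
        "ISO 27001:2013": ["A.9.1.1", "A.9.2.1", "A.9.2.2", "A.9.2.3",
                           "A.9.2.4", "A.9.2.5", "A.9.2.6"],
        "CIS Controls v8": ["Control 5", "Control 6"],
        "PCI DSS v4.0": ["Req 7.1", "Req 7.2", "Req 7.3", "Req 8.1", "Req 8.2", "Req 8.3"],
    },
}

# Statuses taken from the page's tables; anything absent counts as unassessed.
STATUS = {
    "ID.AM-1": "Implemented", "ID.AM-2": "Implemented",
    "ID.AM-4": "Partially Implemented", "ID.AM-5": "Not Implemented",
    "A.8.1.1": "Implemented", "A.8.1.2": "Implemented",
    "Control 1": "Implemented", "Control 2": "Implemented",
    "Control 5": "Implemented", "Control 6": "Implemented",
}


def coverage(controls, status):
    """Conservative coverage for one framework column of one domain.

    Unassessed controls score 0 (and are listed), so a column cannot look
    covered merely because nobody has looked at it yet; Not Applicable
    controls are excluded from the denominator.
    """
    applicable, score, unassessed = 0, 0.0, []
    for ctrl in controls:
        state = status.get(ctrl)
        if state == "Not Applicable":
            continue
        applicable += 1
        if state is None:
            unassessed.append(ctrl)
        else:
            score += WEIGHT[state]
    ratio = round(score / applicable, 3) if applicable else None
    return {"coverage": ratio, "unassessed": unassessed}


def gap_report(matrix, status):
    """Coverage of every framework column in every domain."""
    return {domain: {fw: coverage(ctrls, status) for fw, ctrls in columns.items()}
            for domain, columns in matrix.items()}


def weakest_framework(report, domain):
    """Framework column with the lowest coverage in a domain (first wins ties)."""
    return min(report[domain], key=lambda fw: report[domain][fw]["coverage"] or 0.0)


def reusable_evidence(matrix, status, domain, target_framework):
    """Unassessed controls of target_framework in this domain, each paired with
    the implemented controls from the other frameworks whose evidence overlaps."""
    implemented = [ctrl for fw, ctrls in matrix[domain].items() if fw != target_framework
                   for ctrl in ctrls if status.get(ctrl) == "Implemented"]
    targets = [ctrl for ctrl in matrix[domain][target_framework] if ctrl not in status]
    return {target: implemented for target in targets}


if __name__ == "__main__":
    report = gap_report(MATRIX, STATUS)
    for domain, columns in report.items():
        print(domain)
        for fw, result in columns.items():
            print(f"  {fw:16} coverage={result['coverage']} unassessed={result['unassessed']}")
        print(f"  weakest column: {weakest_framework(report, domain)}")
    print(reusable_evidence(MATRIX, STATUS, "Asset Management", "PCI DSS v4.0"))
```

The overlap is only as good as the matrix row: the mapping is at domain level, so a control implemented under NIST is a starting point for the PCI assessor's evidence request, not a substitute for assessing the PCI requirement itself. Swap the constructed STATUS for an export from the compliance tracker and extend MATRIX with the remaining rows to get the full gap view the comparison section describes.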

Implementation Status Across Frameworks

[Implementation Status Comparison Chart would appear here]

Gap Analysis

[Gap Analysis Visualization would appear here]