ISO 27001:2022 → BSI IT-Grundschutz Mapping

Cross-reference mapping between ISO/IEC 27001:2022 Annex A controls and BSI IT-Grundschutz building blocks.

This page maps ISO/IEC 27001:2022 Annex A controls to BSI IT-Grundschutz building blocks. ISO 27001 is the international standard for information security management systems (ISMS), with 93 controls organized into four themes.

A.5.1 Policies for information security

CON.1 CON.1 Cryptographic Concept CON.10 CON.10 Development of Web Applications IND.1 IND.1 Process Control and Automation Technology ISMS.1 ISMS.1 Security Management NET.1.1 NET.1.1 Network Architecture and Design ORP.1 ORP.1 Organisation ORP.3 ORP.3 Information Security Awareness and Training

A.5.10 Acceptable use of information and other associated assets

APP.1.1 APP.1.1 Office Products APP.6 APP.6 General Software CON.11.1 CON.11.1 Classified Information Protection VS-ONLY FOR OFFICIAL USE (VS-NfD) CON.6 CON.6 Deletion and Destruction INF.11 INF.11 General Vehicle INF.8 INF.8 Home Workplace OPS.1.2.4 OPS.1.2.4 Telework SYS.2.1 SYS.2.1 General Client SYS.3.1 SYS.3.1 Laptops SYS.3.2.1 SYS.3.2.1 General Smartphones and Tablets SYS.3.2.2 SYS.3.2.2 Mobile Device Management (MDM) SYS.3.2.3 SYS.3.2.3 iOS (for Enterprise) SYS.3.2.4 SYS.3.2.4 Android SYS.3.3 SYS.3.3 Mobile Phone SYS.4.3 SYS.4.3 Embedded Systems SYS.4.4 SYS.4.4 General IoT Device SYS.4.5 SYS.4.5 Removable Storage Media

A.5.12 Classification of information

CON.2 CON.2 Data Protection

A.5.13 Labelling of information

CON.2 CON.2 Data Protection

A.5.14 Information transfer

APP.3.1 APP.3.1 Web Applications and Web Services APP.3.3 APP.3.3 File Servers APP.3.4 APP.3.4 Samba APP.3.6 APP.3.6 DNS Server APP.5.2 APP.5.2 Microsoft Exchange and Outlook APP.5.3 APP.5.3 General Email Client and Server APP.5.4 APP.5.4 Unified Communications and Collaboration (UCC) CON.6 CON.6 Deletion and Destruction NET.4.1 NET.4.1 PBX Systems NET.4.2 NET.4.2 VoIP NET.4.3 NET.4.3 Fax Machines and Fax Servers

A.5.15 Access control

APP.2.1 APP.2.1 General Directory Service APP.2.2 APP.2.2 Active Directory Domain Services APP.2.3 APP.2.3 OpenLDAP APP.4.2 APP.4.2 SAP ERP System NET.3.3 NET.3.3 VPN ORP.4 ORP.4 Identity and Access Management

A.5.16 Identity management

APP.2.1 APP.2.1 General Directory Service APP.2.2 APP.2.2 Active Directory Domain Services APP.2.3 APP.2.3 OpenLDAP ORP.4 ORP.4 Identity and Access Management

A.5.17 Authentication information

APP.2.1 APP.2.1 General Directory Service

A.5.18 Access rights

APP.2.1 APP.2.1 General Directory Service APP.2.3 APP.2.3 OpenLDAP ORP.4 ORP.4 Identity and Access Management

A.5.19 Information security in supplier relationships

APP.4.6 APP.4.6 SAP ABAP Programming CON.9 CON.9 Information Exchange OPS.1.2.2 OPS.1.2.2 Archiving OPS.2.2 OPS.2.2 Cloud Use OPS.2.3 OPS.2.3 Use of Outsourcing OPS.3.2 OPS.3.2 Providing Outsourcing

A.5.2 Information security roles and responsibilities

ISMS.1 ISMS.1 Security Management ORP.1 ORP.1 Organisation

A.5.20 Addressing information security within supplier agreements

CON.9 CON.9 Information Exchange OPS.1.2.2 OPS.1.2.2 Archiving OPS.1.2.5 OPS.1.2.5 Remote Maintenance OPS.2.2 OPS.2.2 Cloud Use OPS.2.3 OPS.2.3 Use of Outsourcing OPS.3.2 OPS.3.2 Providing Outsourcing

A.5.21 Managing information security in the ICT supply chain

CON.9 CON.9 Information Exchange OPS.2.2 OPS.2.2 Cloud Use

A.5.22 Monitoring, review and change management of supplier services

CON.9 CON.9 Information Exchange OPS.1.2.5 OPS.1.2.5 Remote Maintenance OPS.2.3 OPS.2.3 Use of Outsourcing OPS.3.2 OPS.3.2 Providing Outsourcing

A.5.23 Information security for use of cloud services

APP.4.4 APP.4.4 Kubernetes OPS.1.2.2 OPS.1.2.2 Archiving OPS.2.2 OPS.2.2 Cloud Use SYS.1.5 SYS.1.5 Virtualization SYS.1.6 SYS.1.6 Containerization

A.5.24 Information security incident management planning and preparation

DER.2.1 DER.2.1 Security Incident Handling

A.5.25 Assessment and decision on information security events

DER.1 DER.1 Detection of Security-Relevant Events DER.2.1 DER.2.1 Security Incident Handling OPS.1.1.3 OPS.1.1.3 Patch and Change Management

A.5.26 Response to information security incidents

DER.1 DER.1 Detection of Security-Relevant Events DER.2.1 DER.2.1 Security Incident Handling DER.2.2 DER.2.2 Precautions for IT Forensics DER.2.3 DER.2.3 Remediation of Extensive Security Incidents DER.4 DER.4 Emergency Management OPS.1.1.5 OPS.1.1.5 Logging

A.5.27 Learning from information security incidents

DER.2.1 DER.2.1 Security Incident Handling DER.2.2 DER.2.2 Precautions for IT Forensics

A.5.28 Collection of evidence

DER.2.2 DER.2.2 Precautions for IT Forensics DER.2.3 DER.2.3 Remediation of Extensive Security Incidents

A.5.29 Information security during disruption

CON.10 CON.10 Development of Web Applications CON.3 CON.3 Data Backup Concept DER.4 DER.4 Emergency Management IND.1 IND.1 Process Control and Automation Technology IND.3.2 IND.3.2 Remote Maintenance in Industrial Environments INF.14 INF.14 Building Automation

A.5.3 Segregation of duties

ORP.1 ORP.1 Organisation

A.5.30 ICT readiness for business continuity

CON.10 CON.10 Development of Web Applications CON.3 CON.3 Data Backup Concept DER.4 DER.4 Emergency Management IND.3.2 IND.3.2 Remote Maintenance in Industrial Environments INF.14 INF.14 Building Automation

A.5.31 Legal, statutory, regulatory and contractual requirements

CON.11.1 CON.11.1 Classified Information Protection VS-ONLY FOR OFFICIAL USE (VS-NfD) ORP.1 ORP.1 Organisation ORP.5 ORP.5 Compliance Management (Requirements Management)

A.5.32 Intellectual property rights

ORP.5 ORP.5 Compliance Management (Requirements Management)

A.5.33 Protection of records

ORP.5 ORP.5 Compliance Management (Requirements Management)

A.5.34 Privacy and protection of personal information

CON.11.1 CON.11.1 Classified Information Protection VS-ONLY FOR OFFICIAL USE (VS-NfD) OPS.1.2.4 OPS.1.2.4 Telework ORP.5 ORP.5 Compliance Management (Requirements Management)

A.5.35 Independent review of information security

DER.3.1 DER.3.1 Audits and Revisions DER.3.2 DER.3.2 Revisions Based on the IS Revision Guide ISMS.1 ISMS.1 Security Management OPS.1.1.7 OPS.1.1.7 System Management OPS.3.2 OPS.3.2 Providing Outsourcing

A.5.36 Compliance with policies, rules and standards for information security

DER.3.1 DER.3.1 Audits and Revisions DER.3.2 DER.3.2 Revisions Based on the IS Revision Guide ISMS.1 ISMS.1 Security Management OPS.1.1.7 OPS.1.1.7 System Management ORP.5 ORP.5 Compliance Management (Requirements Management)

A.5.37 Documented operating procedures

IND.2.1 IND.2.1 General ICS Component OPS.1.1.1 OPS.1.1.1 General IT Operations OPS.1.1.6 OPS.1.1.6 Software Testing and Approvals OPS.1.2.6 OPS.1.2.6 NTP Time Synchronization

A.5.4 Management responsibilities

ISMS.1 ISMS.1 Security Management ORP.1 ORP.1 Organisation

A.5.8 Information security in project management

APP.7 APP.7 Development of Custom Software

A.5.9 Inventory of information and other associated assets

CON.2 CON.2 Data Protection IND.1 IND.1 Process Control and Automation Technology

A.6.1 Screening

ORP.2 ORP.2 Personnel

A.6.2 Terms and conditions of employment

ORP.2 ORP.2 Personnel

A.6.3 Information security awareness, education and training

ORP.3 ORP.3 Information Security Awareness and Training

A.6.4 Disciplinary process

ORP.2 ORP.2 Personnel

A.6.5 Responsibilities after termination or change of employment

ORP.2 ORP.2 Personnel

A.6.6 Confidentiality or non-disclosure agreements

ORP.2 ORP.2 Personnel

A.6.7 Remote working

CON.7 CON.7 Information Security during International Travel INF.9 INF.9 Mobile Workplace NET.2.2 NET.2.2 WLAN Use NET.3.3 NET.3.3 VPN SYS.3.1 SYS.3.1 Laptops

A.7.1 Physical security perimeters

INF.1 INF.1 General Building INF.2 INF.2 Data Center and Server Room INF.5 INF.5 Room and Cabinet for Technical Infrastructure INF.6 INF.6 Storage Media Archive SYS.1.9 SYS.1.9 Terminal Server

A.7.10 Storage media

INF.11 INF.11 General Vehicle

A.7.11 Supporting utilities

INF.12 INF.12 Cabling INF.13 INF.13 Technical Building Management INF.14 INF.14 Building Automation INF.2 INF.2 Data Center and Server Room INF.5 INF.5 Room and Cabinet for Technical Infrastructure

A.7.12 Cabling security

INF.12 INF.12 Cabling INF.13 INF.13 Technical Building Management INF.2 INF.2 Data Center and Server Room

A.7.2 Physical entry

INF.1 INF.1 General Building INF.10 INF.10 Meeting, Event, and Training Rooms INF.2 INF.2 Data Center and Server Room INF.5 INF.5 Room and Cabinet for Technical Infrastructure INF.6 INF.6 Storage Media Archive INF.7 INF.7 Office Workplace

A.7.3 Securing offices, rooms and facilities

INF.1 INF.1 General Building INF.10 INF.10 Meeting, Event, and Training Rooms INF.5 INF.5 Room and Cabinet for Technical Infrastructure INF.7 INF.7 Office Workplace

A.7.4 Physical security monitoring

INF.1 INF.1 General Building

A.7.5 Protecting against physical and environmental threats

INF.1 INF.1 General Building INF.13 INF.13 Technical Building Management INF.14 INF.14 Building Automation INF.2 INF.2 Data Center and Server Room INF.6 INF.6 Storage Media Archive

A.7.6 Working in secure areas

INF.2 INF.2 Data Center and Server Room

A.7.7 Clear desk and clear screen

INF.8 INF.8 Home Workplace INF.9 INF.9 Mobile Workplace

A.7.8 Equipment siting and protection

IND.2.4 IND.2.4 Machine SYS.1.8 SYS.1.8 Storage Solutions SYS.1.9 SYS.1.9 Terminal Server

A.7.9 Security of assets off-premises

INF.10 INF.10 Meeting, Event, and Training Rooms INF.7 INF.7 Office Workplace INF.8 INF.8 Home Workplace INF.9 INF.9 Mobile Workplace SYS.1.1 SYS.1.1 General Server SYS.3.1 SYS.3.1 Laptops SYS.3.2.1 SYS.3.2.1 General Smartphones and Tablets SYS.3.2.2 SYS.3.2.2 Mobile Device Management (MDM) SYS.3.2.4 SYS.3.2.4 Android SYS.3.3 SYS.3.3 Mobile Phone SYS.4.3 SYS.4.3 Embedded Systems SYS.4.5 SYS.4.5 Removable Storage Media

A.8.1 User endpoint devices

SYS.3.2.1 SYS.3.2.1 General Smartphones and Tablets SYS.3.2.2 SYS.3.2.2 Mobile Device Management (MDM) SYS.3.2.3 SYS.3.2.3 iOS (for Enterprise) SYS.3.2.4 SYS.3.2.4 Android SYS.3.3 SYS.3.3 Mobile Phone

A.8.10 Deletion of information

INF.11 INF.11 General Vehicle

A.8.11 Data masking

CON.11.1 CON.11.1 Classified Information Protection VS-ONLY FOR OFFICIAL USE (VS-NfD) OPS.1.2.4 OPS.1.2.4 Telework

A.8.13 Information backup

CON.10 CON.10 Development of Web Applications CON.3 CON.3 Data Backup Concept

A.8.15 Logging

DER.1 DER.1 Detection of Security-Relevant Events DER.2.3 DER.2.3 Remediation of Extensive Security Incidents NET.3.4 NET.3.4 Network Access Control OPS.1.1.3 OPS.1.1.3 Patch and Change Management OPS.1.1.5 OPS.1.1.5 Logging

A.8.16 Monitoring activities

DER.1 DER.1 Detection of Security-Relevant Events DER.2.2 DER.2.2 Precautions for IT Forensics DER.2.3 DER.2.3 Remediation of Extensive Security Incidents NET.3.4 NET.3.4 Network Access Control OPS.1.1.3 OPS.1.1.3 Patch and Change Management OPS.1.1.4 OPS.1.1.4 Protection Against Malware OPS.1.1.5 OPS.1.1.5 Logging

A.8.17 Clock synchronisation

OPS.1.1.3 OPS.1.1.3 Patch and Change Management OPS.1.1.5 OPS.1.1.5 Logging

A.8.19 Installation of software on operational systems

OPS.1.1.1 OPS.1.1.1 General IT Operations OPS.1.1.2 OPS.1.1.2 Proper IT Administration OPS.1.1.4 OPS.1.1.4 Protection Against Malware OPS.1.2.6 OPS.1.2.6 NTP Time Synchronization SYS.1.1 SYS.1.1 General Server

A.8.2 Privileged access rights

APP.1.2 APP.1.2 Web Browsers APP.2.2 APP.2.2 Active Directory Domain Services APP.2.3 APP.2.3 OpenLDAP ORP.4 ORP.4 Identity and Access Management SYS.1.1 SYS.1.1 General Server SYS.1.2.2 SYS.1.2.2 Windows Server 2012 SYS.1.2.3 SYS.1.2.3 Windows Server SYS.1.3 SYS.1.3 Servers Running Linux and Unix SYS.1.7 SYS.1.7 IBM Z

A.8.20 Networks security

CON.7 CON.7 Information Security during International Travel INF.12 INF.12 Cabling INF.13 INF.13 Technical Building Management NET.1.1 NET.1.1 Network Architecture and Design NET.1.2 NET.1.2 Network Management NET.2.1 NET.2.1 WLAN Operation NET.2.2 NET.2.2 WLAN Use NET.3.1 NET.3.1 Routers and Switches NET.3.2 NET.3.2 Firewall NET.3.3 NET.3.3 VPN NET.3.4 NET.3.4 Network Access Control SYS.4.1 SYS.4.1 Printers, Copiers, and Multifunction Devices

A.8.21 Security of network services

APP.3.2 APP.3.2 Web Servers APP.3.3 APP.3.3 File Servers APP.3.6 APP.3.6 DNS Server CON.7 CON.7 Information Security during International Travel IND.2.3 IND.2.3 Sensors and Actuators NET.1.1 NET.1.1 Network Architecture and Design NET.1.2 NET.1.2 Network Management NET.3.1 NET.3.1 Routers and Switches NET.3.2 NET.3.2 Firewall NET.4.1 NET.4.1 PBX Systems NET.4.2 NET.4.2 VoIP NET.4.3 NET.4.3 Fax Machines and Fax Servers SYS.4.1 SYS.4.1 Printers, Copiers, and Multifunction Devices

A.8.22 Segregation of networks

IND.1 IND.1 Process Control and Automation Technology IND.2.1 IND.2.1 General ICS Component IND.2.2 IND.2.2 Programmable Logic Controller (PLC) IND.2.3 IND.2.3 Sensors and Actuators IND.2.7 IND.2.7 Safety Instrumented Systems IND.3.2 IND.3.2 Remote Maintenance in Industrial Environments NET.1.1 NET.1.1 Network Architecture and Design NET.1.2 NET.1.2 Network Management NET.2.1 NET.2.1 WLAN Operation NET.3.1 NET.3.1 Routers and Switches NET.3.2 NET.3.2 Firewall NET.3.4 NET.3.4 Network Access Control OPS.1.2.6 OPS.1.2.6 NTP Time Synchronization SYS.1.2.2 SYS.1.2.2 Windows Server 2012 SYS.1.5 SYS.1.5 Virtualization SYS.1.6 SYS.1.6 Containerization

A.8.23 Web filtering

NET.3.1 NET.3.1 Routers and Switches NET.3.2 NET.3.2 Firewall SYS.1.5 SYS.1.5 Virtualization

A.8.24 Use of cryptography

APP.1.4 APP.1.4 Mobile Applications (Apps) APP.3.4 APP.3.4 Samba CON.1 CON.1 Cryptographic Concept CON.6 CON.6 Deletion and Destruction CON.7 CON.7 Information Security during International Travel NET.2.1 NET.2.1 WLAN Operation NET.2.2 NET.2.2 WLAN Use NET.3.3 NET.3.3 VPN NET.4.1 NET.4.1 PBX Systems NET.4.2 NET.4.2 VoIP NET.4.3 NET.4.3 Fax Machines and Fax Servers

A.8.25 Secure development life cycle

APP.1.1 APP.1.1 Office Products APP.4.3 APP.4.3 Relational Databases APP.4.4 APP.4.4 Kubernetes APP.4.6 APP.4.6 SAP ABAP Programming APP.7 APP.7 Development of Custom Software CON.1 CON.1 Cryptographic Concept CON.8 CON.8 Software Development

A.8.26 Application security requirements

APP.1.1 APP.1.1 Office Products APP.1.2 APP.1.2 Web Browsers APP.1.4 APP.1.4 Mobile Applications (Apps) APP.3.1 APP.3.1 Web Applications and Web Services APP.3.2 APP.3.2 Web Servers APP.3.3 APP.3.3 File Servers APP.3.6 APP.3.6 DNS Server APP.4.2 APP.4.2 SAP ERP System APP.4.3 APP.4.3 Relational Databases APP.4.4 APP.4.4 Kubernetes APP.4.6 APP.4.6 SAP ABAP Programming APP.5.2 APP.5.2 Microsoft Exchange and Outlook APP.5.3 APP.5.3 General Email Client and Server APP.5.4 APP.5.4 Unified Communications and Collaboration (UCC) APP.6 APP.6 General Software APP.7 APP.7 Development of Custom Software CON.8 CON.8 Software Development

A.8.27 Secure system architecture and engineering principles

APP.1.1 APP.1.1 Office Products APP.1.4 APP.1.4 Mobile Applications (Apps) APP.3.1 APP.3.1 Web Applications and Web Services APP.3.2 APP.3.2 Web Servers APP.4.3 APP.4.3 Relational Databases APP.4.4 APP.4.4 Kubernetes CON.8 CON.8 Software Development

A.8.28 Secure coding

APP.3.1 APP.3.1 Web Applications and Web Services APP.4.3 APP.4.3 Relational Databases APP.4.6 APP.4.6 SAP ABAP Programming APP.7 APP.7 Development of Custom Software CON.8 CON.8 Software Development

A.8.29 Security testing in development and acceptance

APP.3.1 APP.3.1 Web Applications and Web Services CON.8 CON.8 Software Development

A.8.3 Information access restriction

APP.1.2 APP.1.2 Web Browsers APP.4.2 APP.4.2 SAP ERP System

A.8.30 Outsourced development

OPS.1.2.5 OPS.1.2.5 Remote Maintenance

A.8.32 Change management

OPS.1.1.1 OPS.1.1.1 General IT Operations OPS.1.1.2 OPS.1.1.2 Proper IT Administration OPS.1.1.6 OPS.1.1.6 Software Testing and Approvals

A.8.34 Protection of information systems during audit testing

DER.3.1 DER.3.1 Audits and Revisions DER.3.2 DER.3.2 Revisions Based on the IS Revision Guide OPS.1.1.7 OPS.1.1.7 System Management

A.8.5 Secure authentication

APP.2.1 APP.2.1 General Directory Service APP.2.2 APP.2.2 Active Directory Domain Services NET.2.1 NET.2.1 WLAN Operation NET.2.2 NET.2.2 WLAN Use ORP.4 ORP.4 Identity and Access Management

A.8.7 Protection against malware

APP.3.3 APP.3.3 File Servers APP.3.4 APP.3.4 Samba APP.5.2 APP.5.2 Microsoft Exchange and Outlook APP.5.3 APP.5.3 General Email Client and Server APP.5.4 APP.5.4 Unified Communications and Collaboration (UCC) APP.6 APP.6 General Software OPS.1.1.4 OPS.1.1.4 Protection Against Malware SYS.2.1 SYS.2.1 General Client SYS.2.2.3 SYS.2.2.3 Clients Running Windows SYS.2.3 SYS.2.3 Clients Running Linux and Unix SYS.2.4 SYS.2.4 Clients Running macOS SYS.2.5 SYS.2.5 Client Virtualization SYS.2.6 SYS.2.6 Virtual Desktop Infrastructure

A.8.8 Management of technical vulnerabilities

A.8.9 Configuration management

APP.4.2 APP.4.2 SAP ERP System IND.2.1 IND.2.1 General ICS Component IND.2.2 IND.2.2 Programmable Logic Controller (PLC) IND.2.3 IND.2.3 Sensors and Actuators IND.2.4 IND.2.4 Machine IND.2.7 IND.2.7 Safety Instrumented Systems IND.3.2 IND.3.2 Remote Maintenance in Industrial Environments NET.1.2 NET.1.2 Network Management OPS.1.1.2 OPS.1.1.2 Proper IT Administration OPS.1.1.6 OPS.1.1.6 Software Testing and Approvals SYS.1.1 SYS.1.1 General Server SYS.1.2.2 SYS.1.2.2 Windows Server 2012 SYS.1.2.3 SYS.1.2.3 Windows Server SYS.1.3 SYS.1.3 Servers Running Linux and Unix SYS.1.5 SYS.1.5 Virtualization SYS.1.6 SYS.1.6 Containerization SYS.1.7 SYS.1.7 IBM Z SYS.1.8 SYS.1.8 Storage Solutions SYS.1.9 SYS.1.9 Terminal Server SYS.2.1 SYS.2.1 General Client SYS.2.2.3 SYS.2.2.3 Clients Running Windows SYS.2.3 SYS.2.3 Clients Running Linux and Unix SYS.2.4 SYS.2.4 Clients Running macOS SYS.2.5 SYS.2.5 Client Virtualization SYS.2.6 SYS.2.6 Virtual Desktop Infrastructure SYS.3.1 SYS.3.1 Laptops SYS.3.2.1 SYS.3.2.1 General Smartphones and Tablets SYS.3.2.2 SYS.3.2.2 Mobile Device Management (MDM) SYS.3.2.3 SYS.3.2.3 iOS (for Enterprise) SYS.3.2.4 SYS.3.2.4 Android SYS.3.3 SYS.3.3 Mobile Phone SYS.4.1 SYS.4.1 Printers, Copiers, and Multifunction Devices SYS.4.3 SYS.4.3 Embedded Systems SYS.4.4 SYS.4.4 General IoT Device SYS.4.5 SYS.4.5 Removable Storage Media

These mappings are provided for reference and do not replace a professional compliance assessment.