Final
The document compares ISO/IEC 27001 with COBIT, NIST CSF, ITIL and CERT-In. It consists of a control-by-control mapping sheet that pairs the 93 ISO/IEC 27001:2022 Annex A controls with COBIT 2019 objectives, NIST CSF categories, ITIL v4 practices and CERT-In controls, followed by side-by-side comparisons of control structure, purpose and target audience. It emphasizes the strength of ISO 27001 as a certifiable information security management system, while COBIT is noted for its IT governance alignment. The conclusion suggests using the frameworks together to cover both information security management and IT governance.

Mapping of ISO/IEC 27001:2022 Annex A controls to COBIT 2019 (sheet rows 1-93). The COBIT column gives the objective or management practice the sheet pairs with the control; it is blank where the sheet gives none.

No. | ISO 27001 control | Control name | COBIT
1 | A.5.1 | Policies for information security | EDM01
2 | A.5.2 | Information security roles and responsibilities |
3 | A.5.3 | Segregation of duties |
4 | A.5.4 | Management responsibilities | APO01
5 | A.5.5 | Contact with authorities |
6 | A.5.6 | Contact with special interest groups |
7 | A.5.7 | Threat intelligence |
8 | A.5.8 | Information security in project management |
9 | A.5.9 | Inventory of information and other associated assets | BAI09
10 | A.5.10 | Acceptable use of information and other associated assets |
11 | A.5.11 | Return of assets |
12 | A.5.12 | Classification of information |
13 | A.5.13 | Labelling of information |
14 | A.5.14 | Information transfer |
15 | A.5.15 | Access control | DSS05
16 | A.5.16 | Identity management |
17 | A.5.17 | Authentication information |
18 | A.5.18 | Access rights |
19 | A.5.19 | Information security in supplier relationships |
20 | A.5.20 | Addressing information security within supplier agreements |
21 | A.5.21 | Managing information security in the ICT supply chain |
22 | A.5.22 | Monitoring, review and change management of supplier services |
23 | A.5.23 | Information security for use of cloud services |
24 | A.5.24 | Information security incident management planning and preparation | DSS02
25 | A.5.25 | Assessment and decision on information security events |
26 | A.5.26 | Response to information security incidents |
27 | A.5.27 | Learning from information security incidents |
28 | A.5.28 | Collection of evidence |
29 | A.5.29 | Information security during disruption |
30 | A.5.30 | ICT readiness for business continuity | DSS04
31 | A.5.31 | Legal, statutory, regulatory and contractual requirements |
32 | A.5.32 | Intellectual property rights |
33 | A.5.33 | Protection of records |
34 | A.5.34 | Privacy and protection of personally identifiable information (PII) | APO13
35 | A.5.35 | Independent review of information security | MEA03
36 | A.5.36 | Compliance with policies, rules and standards for information security |
37 | A.5.37 | Documented operating procedures |
38 | A.6.1 | Screening |
39 | A.6.2 | Terms and conditions of employment |
40 | A.6.3 | Information security awareness, education and training | BAI08.01
41 | A.6.4 | Disciplinary process |
42 | A.6.5 | Responsibilities after termination or change of employment |
43 | A.6.6 | Confidentiality or non-disclosure agreements |
44 | A.6.7 | Remote working |
45 | A.6.8 | Information security event reporting |
46 | A.7.1 | Physical security perimeters |
47 | A.7.2 | Physical entry controls |
48 | A.7.3 | Securing offices, rooms and facilities |
49 | A.7.4 | Physical security monitoring |
50 | A.7.5 | Protecting against physical and environmental threats |
51 | A.7.6 | Working in secure areas |
52 | A.7.7 | Clear desk and clear screen |
53 | A.7.8 | Equipment siting and protection |
54 | A.7.9 | Security of assets off-premises |
55 | A.7.10 | Storage media |
56 | A.7.11 | Supporting utilities |
57 | A.7.12 | Cabling security |
58 | A.7.13 | Equipment maintenance |
59 | A.7.14 | Secure disposal or re-use of equipment |
60 | A.8.1 | User endpoint devices |
61 | A.8.2 | Privileged access rights |
62 | A.8.3 | Information access restriction |
63 | A.8.4 | Access to source code |
64 | A.8.5 | Secure authentication |
65 | A.8.6 | Capacity management |
66 | A.8.7 | Protection against malware | DSS05.02
67 | A.8.8 | Management of technical vulnerabilities | DSS05.07
68 | A.8.9 | Configuration management |
69 | A.8.10 | Information deletion |
70 | A.8.11 | Data masking |
71 | A.8.12 | Data leakage prevention |
72 | A.8.13 | Information backup | DSS04.02
73 | A.8.14 | Redundancy of information processing facilities |
74 | A.8.15 | Logging |
75 | A.8.16 | Monitoring activities | DSS01.05
76 | A.8.17 | Clock synchronization |
77 | A.8.18 | Use of privileged utility programs |
78 | A.8.19 | Installation of software on operational systems |
79 | A.8.20 | Networks security |
80 | A.8.21 | Security of network services |
81 | A.8.22 | Segregation of networks |
82 | A.8.23 | Web filtering |
83 | A.8.24 | Use of cryptography |
84 | A.8.25 | Secure development life cycle | BAI03.05
85 | A.8.26 | Application security requirements |
86 | A.8.27 | Secure system architecture and engineering principles |
87 | A.8.28 | Secure coding |
88 | A.8.29 | Security testing in development and acceptance |
89 | A.8.30 | Outsourced development |
90 | A.8.31 | Separation of development, test and production environments |
91 | A.8.32 | Change management | BAI06
92 | A.8.33 | Test information |
93 | A.8.34 | Protection of information systems during audit and testing |

Remaining COBIT 2019 objectives listed on the sheet (rows 94-122): EDM02, EDM03, EDM04, EDM05, APO02, APO03, APO04, APO05, APO06, APO07, APO08, APO09, APO10, APO11, APO12, APO14, BAI01, BAI02, BAI04, BAI05, BAI06, BAI07, BAI10, BAI11, DSS03, DSS06, MEA01, MEA02, MEA04.
Comparison of ISO 27001 and COBIT

ISO/IEC 27001 column:

Aspect | ISO/IEC 27001
Purpose | Information Security Management System (ISMS)
Scope | Focused on information security (confidentiality, integrity, availability)
Framework type | International standard (certifiable)
Primary focus | Security risk management, controls, compliance
Structure | 4 themes (Organizational, People, Physical, Technological) and 93 controls
Risk management | Central and mandatory
Certification | Organizations can be certified (by accredited certification bodies)
Governance focus | Limited governance focus
Implementation guidance | ISO/IEC 27002 provides detailed guidance
Process orientation | Control-based with some processes
Auditing & monitoring | Emphasizes auditing and continuous improvement (PDCA model)
Target audience | Security officers, risk managers, IT compliance teams
Key benefit | Establishes a robust, certifiable security baseline

CONCLUSION

ISO/IEC 27001 is ideal for organizations needing a security certification and a structured approach to information security. COBIT is ideal for organizations looking to establish IT governance and align IT with business goals. Together, they provide a comprehensive approach: use ISO/IEC 27001 to manage information security risks, and use COBIT to govern and align IT processes with organizational strategy.
COBIT objective names and NIST CSF categories for the mapped rows of the sheet. The ISO and COBIT identifiers are those of the corresponding row; two NIST entries sit on rows between A.5.24 and A.5.30 for which the sheet names no COBIT objective, and the MEA03 row has no NIST entry.

ISO 27001 | COBIT | COBIT objective / practice | NIST CSF | NIST CSF outcome
A.5.1 | EDM01 | Ensure governance framework setting and maintenance | GV.PO | Policies are established and communicated
A.5.4 | APO01 | Manage the IT management framework | GV.RR | Roles and responsibilities are coordinated and aligned
A.5.9 | BAI09 | Managed assets | ID.AM | Physical devices and systems are inventoried
A.5.15 | DSS05 | Manage security services (manage user identity and logical access) | PR.AC | Access control
A.5.24 | DSS02 | Manage service requests and incidents | RS.MI | Response plans are in place for incidents
– | – | – | PR.IP | Information protection processes and procedures
– | – | – | RS.AN | Incident analysis
A.5.30 | DSS04 | Manage continuity | RC.IM | Recovery plans are executed during or after an incident
A.5.34 | APO13 | Manage security | GV.PR | Privacy requirements are identified and managed
A.5.35 | MEA03 | Monitor, evaluate and assess compliance with external requirements | – | –
A.6.3 | BAI08.01 | Managed knowledge | PR.AT | Awareness and training are provided
A.8.7 | DSS05.02 | Protect against malware | PR.PS | Malicious code protection mechanisms are used
A.8.8 | DSS05.07 | Manage vulnerabilities and threats | DE.AE | Vulnerabilities are identified and managed
A.8.13 | DSS04.02 | Maintain continuity, availability and recoverability | PR.DS | Data is backed up and protected
A.8.16 | DSS01.05 | Monitor IT infrastructure | DE.CM | Systems are monitored
A.8.25 | BAI03.05 | Build solutions | PR.DS | Secure development lifecycle is implemented
A.8.32 | BAI06 | Manage IT changes | PR.CM | Configuration changes are managed

COBIT 2019 objectives listed on the sheet without an ISO 27001 row (rows 94-122):

EDM02 | Ensured benefits delivery
EDM03 | Ensured risk optimisation
EDM04 | Ensured resource optimisation
EDM05 | Ensured stakeholder engagement
APO02 | Managed strategy
APO03 | Managed enterprise architecture
APO04 | Managed innovation
APO05 | Managed portfolio
APO06 | Managed budget and costs
APO07 | Managed human resources
APO08 | Managed relationships
APO09 | Managed service agreements
APO10 | Managed suppliers
APO11 | Managed quality
APO12 | Managed risk
APO14 | Managed data
BAI01 | Managed programs and projects
BAI02 | Managed requirements definition
BAI04 | Managed availability and capacity
BAI05 | Managed organizational change enablement
BAI06 | Managed changes
BAI07 | Managed change acceptance and transitioning
BAI10 | Managed configuration
BAI11 | Managed projects
DSS03 | Managed problems
DSS06 | Managed business process controls
MEA01 | Monitor, evaluate and assess performance and conformance
MEA02 | Managed system of internal control
MEA04 | Managed assurance

Other NIST CSF categories listed on the sheet (rows 94 onward):

ID.BE | Business environment
GV.OC | Expectations of stakeholders and contractual requirements
GV.OV | Cybersecurity risk management strategy (oversight)
GV.SC | Cybersecurity supply chain risk management
ID.RA | Risk assessment
ID.IM | Improvement
PR.IR | Technology infrastructure resilience
DE.CM | Continuous monitoring
RC.RP | Incident recovery plan execution
RC.CO | Incident recovery communication
ID.GV | Governance
ID.RM | Risk management strategy
PR.AC | Access control
GV.RM | Risk management strategy
GV.IM | Improvement
ID.SC | Supply chain risk management
PR.MA | Maintenance
PR.PT | Protective technology
DE.DP | Detection processes
RS.RP | Response planning
RS.CO | Communications
RS.IM | Improvements

Note on the NIST column: it mixes category identifiers from CSF 1.1 (ID.BE, ID.GV, ID.RM, ID.SC, PR.AC, PR.IP, PR.MA, PR.PT, DE.DP, RS.RP, RS.IM, RC.IM) with identifiers introduced in CSF 2.0 (GV.OC, GV.RM, GV.OV, GV.SC, ID.IM, PR.IR, PR.PS), and GV.PR, GV.IM and PR.CM are not category identifiers in either edition. Before using the crosswalk against CSF 2.0, re-map the 1.1 rows (for example, PR.AC became PR.AA and RC.IM was folded into RC.RP).
COBIT column of the comparison of ISO 27001 and COBIT (same aspects as the ISO/IEC 27001 column above):

Aspect | COBIT
Purpose | IT governance and management framework
Scope | Covers the entire IT governance lifecycle
Framework type | Best-practice framework (not certifiable)
Primary focus | IT alignment with business goals, value delivery and performance
Structure | 5 domains (EDM, APO, BAI, DSS, MEA) and 40 objectives
Risk management | Included, but as part of broader governance
Certification | No formal certification, but uses capability and maturity models
Governance focus | Strong governance component (especially in the EDM domain)
Implementation guidance | Design and Implementation Guide available
Process orientation | Process-heavy; includes a process reference model
Auditing & monitoring | Includes performance monitoring, metrics and continuous improvement
Target audience | CIOs, IT managers, auditors, business stakeholders
Key benefit | Enables enterprise-level IT governance and strategic alignment

Comparison of ISO 27001 and NIST

CONCLUSION

ISO/IEC 27001 (the certifiable standard of the ISO/IEC 27000 series) is globally accepted, which makes it well suited to international compliance. NIST publications are highly detailed and flexible: SP 800-53 is written for U.S. federal systems, while the Cybersecurity Framework is voluntary and widely respected globally. Together they provide a strong synergy: use ISO 27001 for structured security governance, and use NIST SP 800-53 or the CSF for detailed control implementation and technical depth.
ITIL v4 and CERT-In columns of the mapping sheet, in sheet order. Each line is one sheet row; the ITIL v4 number is the practice's section number used on the sheet, and a dash marks a row where the sheet gives no ITIL practice.

ITIL v4 practice | CERT-In control number
5.1.3 Information Security Management | csm.1
– | csm.13
5.1.6 Organizational Change Management | csm.3
5.2.6 IT Asset Management | csm.6
– | csm.19
Access Management | pro.2
– | pro.20
– | pro.19
5.2.5 Incident Management | pro.16, res.2
– | det.9
5.2.12 Service Continuity Management | rec.1
– | csm.16
5.1.3 Information Security Management / Risk Management | csm.9
– | csm.17
– | csm.2
– | imp.2
5.1.14 Workforce and Talent Management | pro.14
– | pro.1
– | det.6
– | csm.7
– | det.7
– | det.8
5.1.10 Information Security Management / Risk Management | pro.4
5.2.8 Problem Management | pro.11
– | pro.17
5.2.12 IT Asset Management / Service Continuity Management | pro.18
– | det.1
5.2.7 Monitoring and Event Management | det.4
– | det.5
5.3.3 Software Development and Management | pro.0
5.2.4 Change Enablement | –
– | res.6
– | res.7
– | rec.3
– | res.8
– | imp.1
– | imp.4
– | imp.5
– | imp.3

ITIL v4 practices listed on the sheet without an ISO 27001 row: Architecture Management; Continual Improvement; Knowledge Management; Measurement and Reporting; Portfolio Management; Project Management; Relationship Management; Strategy Management; Supplier Management; Availability Management; Business Analysis; Capacity and Performance Management; Release Management; Service Catalogue Management; Service Configuration Management; Service Design; Service Desk; Service Level Management; Service Request Management; Service Validation and Testing; Deployment Management; Infrastructure and Platform Management (paired on the sheet with csm.4).

CERT-In controls listed on the sheet without an ISO 27001 row: pro.15, pro.21, pro.3, pro.5, pro.6, pro.7, pro.8, pro.10, pro.12, pro.13, csm.8, csm.10, csm.11, csm.12, csm.14, csm.15, csm.18, csm.19, det.2, det.3, res.1, res.3, res.4, res.5, res.9, res.10, res.11, rec.2.

Comparison of ISO 27001 and NIST CSF 2.0

Feature/Area | ISO/IEC 27001 | NIST CSF 2.0
Structure | Management system + controls | Framework with core functions
Purpose | Certification, compliance | Risk-based improvement roadmap
Control groupings | 93 controls in 4 themes | 106 subcategories in 6 functions
Risk management | Central to planning | Embedded across all functions
Governance focus | Leadership and planning clauses | Dedicated "Govern" function in 2.0
Flexibility | Formal and prescriptive | Flexible and outcome-based
Mapping | Can be mapped to NIST CSF | Official crosswalks exist

Comparison of ITIL and ISO 27001

Aspect | ITIL (Information Technology Infrastructure Library) | ISO/IEC 27001 (Information Security Management System)
Focus | IT Service Management (ITSM) | Information Security Management (ISMS)
Objective | Deliver high-quality IT services aligned with business needs | Protect confidentiality, integrity and availability of information
Framework type | Best-practice framework (not certifiable by itself) | International standard (certifiable)
Structure | Service lifecycle: Service Strategy, Design, Transition, Operation and Continual Improvement (this is the ITIL v3 structure; ITIL 4, which the mapping sheet uses, replaces it with the service value system and 34 practices) | 4 control themes and 93 controls in Annex A (Organizational, People, Physical, Technological)
Governance & risk | Covers governance and risk lightly, through service continuity and availability management | Strong emphasis on risk management and governance
Security perspective | Includes security management as a process within service design and operations | Security is the primary focus across the whole management system
Incident management | Detailed process for managing IT service incidents | Controls for managing information security incidents (A.16 in the 2013 edition; A.5.24 to A.5.28 in the 2022 edition)
Service continuity | IT Service Continuity Management (ITSCM) | Information security continuity (A.17 in the 2013 edition; A.5.29 and A.5.30 in the 2022 edition)
Asset management | Service Asset and Configuration Management (SACM) | Asset management (A.8 in the 2013 edition; A.5.9 to A.5.14 in the 2022 edition)
Implementation guidance | Detailed guidance through practices and roles | Guidance through ISO/IEC 27002
Certification | No direct certification for ITIL; organizations certify to ISO/IEC 20000 | Organizations can certify to ISO/IEC 27001
CONCLUSION

ITIL helps manage IT services efficiently, with some security elements. ISO/IEC 27001 is focused on the systematic management of information security risks. They complement each other: use ISO 27001 for strong security governance, and use ITIL for delivering and supporting IT services that include those security controls.



CERT-In control names, paired with the control numbers used in the mapping sheet and grouped by family (csm: cyber security management; pro: protect; det: detect; res: respond; rec: recover; imp: improve). The sheet pairs one name with both pro.16 and res.2.

csm.1 | Organisation information security policy and audit process is defined and established
csm.2 | Frameworks, standards and/or best practices are adopted for cyber security
csm.3 | Commitment of senior management is ensured
csm.4 | Components of the infrastructure are identified and prioritised based on criticality
csm.6 | Components (hardware, software, systems, applications, networking components) of the organisation's information infrastructure are inventoried
csm.7 | Threats, vulnerabilities, likelihoods and impacts are identified
csm.8 | Cyber security risks are identified
csm.9 | Risk management approach is effective and aligned to business processes
csm.10 | Risk treatment plan is established, and accepted/residual risk is in tune with the criticality of the related function
csm.11 | Critical functions continuity plan / business continuity plan is established
csm.12 | Critical functions continuity plan / business continuity plan addresses resiliency of the minimum security controls, which are defined and implemented
csm.13 | Information/cyber security roles and responsibilities are defined, communicated and trained upon
csm.14 | Adequate manpower and resources for the cyber security function are defined and provisioned
csm.15 | Cyber security crisis management plan is developed, implemented and exercised by the organisation
csm.16 | Cyber security management approach addresses any legal, regulatory or sector-specific compliance related to cyber security, and the organisation adheres to it
csm.17 | Compliance with audit reports is ensured by management
csm.18 | Data is identified and labelled, and its owners, custodians and users are made aware and responsible
csm.19 | Access control: administrative, physical and technical controls and their control model have been identified

pro.0 | Secure software development lifecycle is ensured (in-house as well as outsourced)
pro.1 | Physical security controls for critical assets are implemented and managed
pro.2 | Mapping and securing the supply chain, including baseline compliance by vendors
pro.3 | Remote access and teleworking are controlled
pro.4 | Controls for malware protection are implemented and their effectiveness is ensured
pro.5 | Vulnerability and patch management process is implemented effectively
pro.6 | Controls for removable media and BYOD/BYOT are implemented
pro.7 | Wireless network security controls are implemented
pro.8 | Secure configuration for hardware, software, industrial control systems, network components and applications is implemented and managed
pro.10 | Perimeter security devices (firewall, IDS/IPS, network monitoring, etc.) are deployed in the organisation and monitored on a continuous basis
pro.11 | Vulnerability assessment (VA) and implementation of corrective actions are done on a continuous basis (VA by the internal team as well as an empanelled third party)
pro.12 | Scope of penetration testing exercises is defined and their periodic conduct is ensured
pro.13 | Periodic participation of the organisation in national/sectoral/organisational cyber security exercises
pro.14 | Role-based cyber security training and awareness programmes are conducted periodically for all employees and associated external entities
pro.15 | Content of cyber security trainings is appropriate
pro.16 / res.2 | Incident response plan is implemented
pro.17 | Data protection (in transit, at rest) controls are implemented effectively
pro.18 | Data retention and destruction policies are defined and implemented
pro.19 | BCP and disaster management plan are tested periodically, and continuity of security controls is tested
pro.20 | Change control policy and practices are defined and implemented
pro.21 | Secure disposal of IT equipment

det.1 | Scope, mechanism and frequency of log collection are defined and implemented
det.2 | Mechanisms for regularly analysing the alert/log data collected from different security devices
det.3 | Daily log analysis of the critical services
det.4 | Monitoring of accounts and access is implemented
det.5 | Network monitoring is implemented
det.6 | Physical security controls are monitored for possible cyber security incidents
det.7 | Adequate resources for log and alert analysis are available, and roles and responsibilities are clearly defined
det.8 | Synchronisation with a single time source
det.9 | Detected incidents are analysed technically to determine cause, impact and attacker methodology

res.1 | Cyber crisis management plan in line with the National Cyber Crisis Management Plan is prepared and established
res.2 | See pro.16
res.3 | Roles and responsibilities for incident response are clearly defined
res.4 | Incident escalation matrix is defined
res.5 | Communication mechanism within the organisation is clearly defined for incident resolution
res.6 | Communication mechanism with stakeholders and agencies is clearly defined for incident resolution
res.7 | Contact details of ministries, stakeholders, vendors and agencies such as NCIIPC and CERT-In for incident resolution are up to date and documented
res.8 | Incident/abuse reporting channel and mechanism is defined and implemented
res.9 | Information sharing mechanism with external entities is clearly defined and implemented
res.10 | Incidents are recorded and investigated in terms of impact, vulnerability exploited or attempted, attacker methodology and attack source
res.11 | Incidents are contained and mitigated

rec.1 | Recovery plan is defined and implemented
rec.2 | Resources are available for recovery of critical functions
rec.3 | Recovery plan incorporates lessons learned from crises/incidents

imp.1 | Lessons learnt from incidents and cyber exercises are incorporated in the response plan
imp.2 | Lessons learnt and improvement plans are documented, and commitment of management is ensured
imp.3 | CCMP and incident handling procedures/response plan are improved and updated
imp.4 | Organisation cyber security posture is improved as compared to the last reference point (last assessment, last year, etc.)
imp.5 | Organisation performance improved in successive cyber security exercises and trainings
