This table shows the 28 compliance areas where ISO 27001 and NIST CSF controls overlap. When you mark a control as implemented in either framework, Venvera automatically propagates the status to the equivalent control in the other.
| Compliance Area | ISO 27001 | NIST CSF |
|---|---|---|
| Encryption | A.8.24 | PR.DS-01, PR.DS-02 |
| Key Management | A.8.24 | PR.DS-01 |
| Access Control | A.5.15 | PR.AA-01 |
| Identity Management | A.5.16 | PR.AA-01, PR.AA-03 |
| Authentication & MFA | A.5.17, A.8.5 | PR.AA-03 |
| Access Rights Review | A.5.18 | PR.AA-05 |
| Privileged Access Management | A.8.2 | PR.AA-05 |
| Network Security | A.8.20, A.8.21, A.8.22 | PR.IR-01 |
| Vulnerability Management | A.8.8 | ID.RA-01, PR.PS-01 |
| Logging & Monitoring | A.8.15, A.8.16 | DE.CM-01, DE.AE-02 |
| Incident Management | A.5.24, A.5.25, A.5.26 | RS.MA-01, RS.AN-03 |
| Post-Incident Review | A.5.27 | RS.AN-08 |
| Business Continuity | A.5.29, A.5.30 | RC.RP-01, RC.RP-03 |
| Backup & Restoration | A.8.13 | RC.RP-03 |
| Third-Party Risk Management | A.5.19, A.5.20 | GV.SC-03 |
| Supplier Due Diligence | A.5.21 | GV.SC-06 |
| Supplier Contracts | A.5.20 | GV.SC-05 |
| Supplier Monitoring | A.5.22 | GV.SC-09 |
| Risk Assessment | A.5.7 | ID.RA-03, ID.RA-05 |
| Information Security Policy | A.5.1 | GV.PO-01 |
| Security Awareness & Training | A.6.3 | PR.AT-01 |
| Data Classification | A.5.12, A.8.10, A.8.12 | PR.DS-10 |
| Change Management | A.8.32 | PR.PS-01 |
| Secure Development | A.8.25, A.8.28 | PR.PS-06 |
| Security Testing | A.5.35 | ID.IM-02 |
| Record Keeping | A.8.15 | DE.CM-01 |
| Configuration Management | A.8.9 | PR.PS-01 |
| Malware Protection | A.8.7 | DE.CM-09 |
For details on how propagation works, thresholds, and the auto-mapped badge, see the Cross-Framework Control Propagation overview article.