
ISO 27001 Meets NIST CSF: Integration

Running an ISMS under ISO 27001:2022 while executives want NIST CSF 2.0 reporting? These frameworks integrate cleanly if you map Annex A controls to CSF subcategories once and stop duplicating work.

Nayan Dey
Senior Security Engineer
6 min read

Two Languages for the Same Program

Every security leader I know has had this conversation: the CFO wants a NIST Cybersecurity Framework scorecard for the board deck, the ISO 27001 lead auditor wants Annex A evidence next month, and the engineering team is tired of being interviewed for both. The programs end up duplicated — two risk registers, two control libraries, two sets of training materials — when they should be a single ISMS spoken in two languages.

The 2022 revision of ISO/IEC 27001 and the 2024 release of NIST CSF 2.0 make integration easier than ever. ISO 27001:2022 consolidated Annex A from 114 controls to 93, organized into four themes (Organizational, People, Physical, Technological). NIST CSF 2.0 added a sixth function — GOVERN — that maps onto ISO's leadership and planning clauses almost one-to-one. This post walks through how I wire them together.

The Structural Alignment

Start with the frameworks' native structure. ISO 27001 has ten clauses (4 through 10 contain auditable requirements) plus Annex A controls. NIST CSF 2.0 has six Functions (GOVERN, IDENTIFY, PROTECT, DETECT, RESPOND, RECOVER), each broken into Categories and Subcategories.

  • Clause 4 (Context of the organization) and Clause 5 (Leadership) align with CSF's GV.OC (Organizational Context) and GV.RR (Roles, Responsibilities, and Authorities). If you have an ISO 27001 scope statement, a context-of-organization document, and a signed Information Security Policy, you have CSF GOVERN evidence.
  • Clause 6 (Planning) maps to GV.RM (Risk Management Strategy) and GV.PO (Policies, Processes, and Procedures). The risk treatment plan required by 6.1.3 is the same artifact that satisfies GV.RM-01 through GV.RM-07.
  • Clause 8 (Operation) and Annex A cover everything in IDENTIFY, PROTECT, DETECT, RESPOND, and RECOVER. The Statement of Applicability is the spine.
  • Clause 9 (Performance Evaluation) and Clause 10 (Improvement) correspond to GV.OV (Oversight) and ID.IM (Improvement). Internal audit reports, management review minutes, and nonconformity logs satisfy both sides.

The insight is that ISO's clauses are process-heavy, while CSF is outcome-oriented. They fit together because processes produce outcomes; the same meeting minutes serve both.

Annex A to CSF Subcategory Mapping

ISO published an official mapping in the 27002:2022 guidance — not to CSF specifically, but to control objectives. CSF 2.0's informative references include ISO 27001:2022. The crosswalk I use covers the most common control families:

  • A.5.1 (Policies for information security) ↔ GV.PO-01. Published, approved, and communicated information security policy.
  • A.5.7 (Threat intelligence) ↔ ID.RA-02 and ID.RA-03. Documented threat-intelligence sources and processes to identify risk.
  • A.5.19 through A.5.23 (Supplier relationships) ↔ GV.SC (Cybersecurity Supply Chain Risk Management). This is the newest, most important area. CSF 2.0 elevated supply chain to a full Category under GOVERN; ISO 27001:2022 added A.5.23 specifically for cloud services.
  • A.8.8 (Management of technical vulnerabilities) ↔ ID.RA-01, PR.PS-02, DE.CM-09. Vulnerability scanning, patching, and continuous monitoring.
  • A.8.25 (Secure development lifecycle) and A.8.28 (Secure coding) ↔ PR.PS-06 (secure software development practices). The only area where both frameworks explicitly acknowledge SSDF-style practice.
  • A.8.34 (Protection of information systems during audit testing) ↔ PR.IP-07 equivalent in CSF 1.1, or GV.OV-03 in CSF 2.0.

A full crosswalk runs 93 rows for Annex A and perhaps 110 for CSF subcategories. Most commercial GRC tools now ship a pre-built version; what matters is that your ISMS points at the mapping rather than maintaining two copies.

GOVERN Changes the Calculation

CSF 2.0's GOVERN function is where integration pays off most. In CSF 1.1, governance was scattered across IDENTIFY categories. In 2.0, GV is a peer of the five operational functions, and it contains categories that look exactly like ISO 27001 clauses:

  • GV.OC (Organizational Context) — ISO 4.1, 4.2.
  • GV.RR (Roles, Responsibilities, and Authorities) — ISO 5.3 and A.5.2.
  • GV.PO (Policy) — ISO 5.2 and A.5.1.
  • GV.OV (Oversight) — ISO 9.3 (management review).
  • GV.RM (Risk Management Strategy) — ISO 6.1.
  • GV.SC (Supply Chain Risk Management) — ISO A.5.19-A.5.23.

If an organization is ISO 27001:2022 certified and tracks internal audits, management reviews, and the SoA, it already satisfies most of CSF GV. The board-level scorecard writes itself.

Supply Chain: The Newest Common Ground

The area where both frameworks added the most substance in recent revisions is supply chain. ISO added A.5.19 (information security in supplier relationships), A.5.20 (addressing information security within supplier agreements), A.5.21 (managing information security in the ICT supply chain), A.5.22 (monitoring, review and change management of supplier services), and A.5.23 (information security for use of cloud services).

CSF 2.0's GV.SC category contains ten Subcategories covering strategy, risk assessment, supplier relationship management, and continuous monitoring. The mapping is near-perfect:

  • GV.SC-01 (supply chain risk management program established) ↔ A.5.19.
  • GV.SC-04 (suppliers known and prioritized) ↔ A.5.21.
  • GV.SC-05 (requirements to address cybersecurity risks in supply chain) ↔ A.5.20.
  • GV.SC-07 (risks posed by suppliers and their products and services) ↔ A.5.22.
  • GV.SC-09 (supply chain security practices integrated into cybersecurity and ERM programs) ↔ ISO Clause 6.1.2.
  • GV.SC-10 (cybersecurity supply chain risk management plans include provisions for end-of-product-life) ↔ A.5.22 change management.

In practice, this means your supplier register, contract clauses, and third-party risk assessment satisfy both frameworks at once — provided the assessment captures the software-specific concerns that SBOM-driven tools now surface.

Audit Cycle Integration

I run the integrated cycle like this. The ISO 27001 Stage 2 audit and surveillance audits drive the calendar; CSF scoring happens on the same evidence set. Internal audit covers both — ISO 9.2 internal audit reports carry dual control-mapping references. Management review (9.3) functions as the CSF GOVERN oversight checkpoint. The SoA is the source of truth; CSF target-profile gaps feed the continual-improvement backlog under ISO Clause 10.

The single ISMS Risk Register supports both. Each risk has an ISO Annex A reference and a CSF Subcategory reference. Risk treatment plans produce evidence once.
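The two ideas above, the ISMS pointing at one crosswalk instead of keeping two control libraries, and the SoA acting as the source of truth from which the CSF scorecard and the Clause 10 backlog are derived, are easy to demonstrate in code. The following is an added example, not code from this post or from any GRC product. Its crosswalk contains only the Annex A to CSF 2.0 pairs the post itself lists (the category-level A.5.23 ↔ GV.SC mapping is deliberately left out because it has no subcategory on the page); the SoA rows, evidence references and target profile are constructed sample data, and the rule that a subcategory inherits the weakest status of its mapped controls is a design choice of this example.

```python
"""Derive a NIST CSF 2.0 view from an ISO 27001:2022 Statement of Applicability.

Added example, not code from the original post or from any GRC product. The
crosswalk holds only the Annex A -> CSF pairs listed in the post; the SoA rows
and the target profile are constructed sample data.
"""
from collections import defaultdict

# Annex A control -> CSF 2.0 subcategories, exactly as the post's crosswalk lists them.
CROSSWALK = {
    "A.5.1":  ["GV.PO-01"],
    "A.5.7":  ["ID.RA-02", "ID.RA-03"],
    "A.5.19": ["GV.SC-01"],
    "A.5.20": ["GV.SC-05"],
    "A.5.21": ["GV.SC-04"],
    "A.5.22": ["GV.SC-07", "GV.SC-10"],
    "A.8.8":  ["ID.RA-01", "PR.PS-02", "DE.CM-09"],
    "A.8.25": ["PR.PS-06"],
    "A.8.28": ["PR.PS-06"],
    "A.8.34": ["GV.OV-03"],
}

# Ordering used when several controls feed one subcategory: the weakest wins (design choice).
STATUS_RANK = {"not_implemented": 0, "partial": 1, "implemented": 2}

# Constructed SoA rows: (control, applicable, implementation status, evidence reference).
SAMPLE_SOA = [
    ("A.5.1",  True,  "implemented",     "ISP-v4 signed 2024-01"),
    ("A.5.7",  True,  "partial",         "TI feed subscribed, no review process"),
    ("A.5.19", True,  "implemented",     "Supplier policy POL-07"),
    ("A.5.20", True,  "implemented",     "Contract clause library v2"),
    ("A.5.21", True,  "partial",         "Supplier register lacks criticality tier"),
    ("A.5.22", True,  "not_implemented", ""),
    ("A.5.23", True,  "implemented",     "Cloud services standard STD-11"),
    ("A.8.8",  True,  "implemented",     "Weekly scan + 30-day patch SLA report"),
    ("A.8.25", True,  "implemented",     "SDLC standard STD-03"),
    ("A.8.28", True,  "partial",         "Secure coding guide, no training record"),
    ("A.8.34", False, "",                "Excluded: no external audit testing of prod"),
]


def build_index(soa):
    """Return {control: (applicable, status, evidence)} from SoA rows."""
    return {c: (a, s, e) for c, a, s, e in soa}


def unmapped_controls(soa, crosswalk=CROSSWALK):
    """Applicable SoA rows with no CSF reference: these would end up maintained twice."""
    return sorted(c for c, a, _, _ in soa if a and c not in crosswalk)


def csf_view(soa, crosswalk=CROSSWALK):
    """Derive each CSF subcategory's status from its mapped ISO controls.

    A subcategory inherits the weakest status among its applicable mapped
    controls; if every mapped control is excluded in the SoA it is reported as
    'not_applicable' so the exclusion justification travels with it.
    """
    idx = build_index(soa)
    contributors = defaultdict(list)
    for control, subcats in crosswalk.items():
        if control in idx:
            for sc in subcats:
                contributors[sc].append(control)
    view = {}
    for sc, controls in contributors.items():
        applicable = [c for c in controls if idx[c][0]]
        if not applicable:
            view[sc] = {"status": "not_applicable", "controls": controls}
            continue
        weakest = min(applicable, key=lambda c: STATUS_RANK[idx[c][1]])
        view[sc] = {"status": idx[weakest][1], "controls": applicable,
                    "evidence": [idx[c][2] for c in applicable if idx[c][2]]}
    return view


def function_scorecard(view):
    """Board-level counts per CSF Function, keyed by the two-letter prefix (GV, ID, PR, DE, ...)."""
    card = defaultdict(lambda: defaultdict(int))
    for sc, row in view.items():
        card[sc.split(".")[0]][row["status"]] += 1
    return {fn: dict(counts) for fn, counts in card.items()}


def target_profile_gaps(view, target):
    """Subcategories below the target profile, each pointing at the ISO controls
    to fix, so one backlog item under Clause 10 closes the gap on both sides."""
    gaps = []
    for sc, wanted in target.items():
        row = view.get(sc)
        current = row["status"] if row else "unmapped"
        if current == "not_applicable":
            continue
        if current == "unmapped" or STATUS_RANK[current] < STATUS_RANK[wanted]:
            gaps.append((sc, current, row["controls"] if row else []))
    return sorted(gaps)


# Constructed target profile: all mapped GV.SC and PR.PS outcomes fully implemented.
SAMPLE_TARGET = {sc: "implemented" for sc in
                 ["GV.SC-01", "GV.SC-04", "GV.SC-05", "GV.SC-07", "GV.SC-10", "PR.PS-02", "PR.PS-06"]}

if __name__ == "__main__":
    view = csf_view(SAMPLE_SOA)
    print("Unmapped SoA controls:", unmapped_controls(SAMPLE_SOA))
    for fn, counts in sorted(function_scorecard(view).items()):
        print(fn, counts)
    for sc, current, controls in target_profile_gaps(view, SAMPLE_TARGET):
        print(f"GAP {sc}: {current}; fix via {', '.join(controls)}")
```

Two checks in this example are the ones worth keeping in a real ISMS: `unmapped_controls` catches an applicable SoA row that has no CSF reference (here the constructed A.5.23 row, because the page gives it no subcategory), which is exactly the point at which a second control library starts to grow; and `target_profile_gaps` emits each gap with the Annex A controls behind it, so the Clause 10 backlog item and the CSF profile gap are one record rather than two.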

How Safeguard Helps

Safeguard maintains the supplier and component inventory that GV.SC-04 and A.5.21 both require, with SBOM-level depth. Each third-party component carries vulnerability status, license posture, and provenance metadata — the same record that serves the ISO Statement of Applicability also populates the CSF supply chain profile. Scheduled compliance reports emit ISO-labeled and CSF-labeled views of the same underlying evidence, so the lead auditor and the CISO's board deck pull from one source. Policy gates block merges on supply-chain findings that map to both A.8.8 and PR.PS-02, keeping the integrated ISMS enforced rather than documented.
