Function | Category | Subcategory | CRR Reference | RMM Reference | Info

Category: Asset Management (AM): The data, personnel, devices, systems, and facilities that enable the organization to achieve business purposes are identified and managed consistent with their relative importance to business objectives and the organization’s risk strategy.

ID.AM-1: Physical devices and systems within the organization are inventoried
CRR Reference: AM:G2.Q1 (Technology)
RMM Reference: ADM:SG1.SP1
Info:
• CCS CSC 1
• COBIT 5 BAI03.04, BAI09.01, BAI09
• ISA 62443-2-1:2009 4.2.3.4
• ISA 62443-3-3:2013 SR 7.8
• ISO/IEC 27001:2013 A.8.1.1, A.8.1.2
• NIST SP 800-53 Rev. 4 CM-8

ID.AM-2: Software platforms and applications within the organization are inventoried
CRR Reference: AM:G2.Q1 (Technology)
RMM Reference: ADM:SG1.SP1
Info:
• CCS CSC 2
• COBIT 5 BAI03.04, BAI09.01, BAI09
• ISA 62443-2-1:2009 4.2.3.4
• ISA 62443-3-3:2013 SR 7.8
• ISO/IEC 27001:2013 A.8.1.1, A.8.1.2
• NIST SP 800-53 Rev. 4 CM-8

ID.AM-3: Organizational communication and data flows are mapped
CRR Reference: AM:G2.Q2
RMM Reference: ADM:SG1.SP2
Info:
• CCS CSC 1
• COBIT 5 DSS05.02
• ISA 62443-2-1:2009 4.2.3.4
• ISO/IEC 27001:2013 A.13.2.1
• NIST SP 800-53 Rev. 4 AC-4, CA-3,

ID.AM-4: External information systems are catalogued
CRR Reference: AM:G2.Q1 (Technology)
RMM Reference: ADM:SG1.SP1
Info:
• COBIT 5 APO02.02
• ISO/IEC 27001:2013 A.11.2.6
• NIST SP 500-291 3, 4
• NIST SP 800-53 Rev. 4 AC-20, SA-9

ID.AM-5: Resources (e.g., hardware, devices, data, and software) are prioritized based on their classification, criticality, and business value
CRR Reference: AM:G1.Q4
RMM Reference: SC:SG2.SP1
Info:
• COBIT 5 APO03.03, APO03.04, BAI
• ISA 62443-2-1:2009 4.2.3.6
• ISO/IEC 27001:2013 A.8.2.1
• NIST SP 800-34 Rev. 1
• NIST SP 800-53 Rev. 4 CP-2, RA-2,

ID.AM-6: Cybersecurity roles and responsibilities for the entire workforce and third-party stakeholders (e.g., suppliers, customers, partners) are established
CRR Reference: AM:MIL2.Q3
RMM Reference: ADM:GG2.GP7
Info:
• COBIT 5 APO01.02, DSS06.03
• ISA 62443-2-1:2009 4.3.2.3.3
• ISO/IEC 27001:2013 A.6.1.1
• NIST SP 800-53 Rev. 4 CP-2, PM-11

Category: Business Environment (BE): The organization’s mission, objectives, stakeholders, and activities are understood and prioritized; this information is used to inform cybersecurity roles, responsibilities, and risk management decisions.

ID.BE-1: The organization’s role in the supply chain is identified and communicated
CRR Reference: EDM:G2.Q1
RMM Reference: EXD:SG2.SP1
Info:
• COBIT 5 APO08.01, APO08.02, APO
• ISO/IEC 27001:2013 A.15.2
• NIST SP 800-53 Rev. 4 CP-2, SA-12

ID.BE-2: The organization’s place in critical infrastructure and its industry sector is identified and communicated
CRR Reference: AM:G1.Q1
RMM Reference: EF:SG1.SP1
Info:
• COBIT 5 APO02.06, APO03.01
• NIST SP 800-53 Rev. 4 PM-8

ID.BE-3: Priorities for organizational mission,
CRR Reference: AM:G1.Q2
RMM Reference: EF:SG1.SP3
Info:
• COBIT 5 APO02.01, APO02.06, APO