A Taxonomy for Cybersecurity Control Sets

June 23, 2022

A Taxonomy for Cybersecurity Control Sets

A Taxonomy for Cybersecurity Control Sets
To improve capabilities of the business and IT Security implementations, a line-of-sight must be established so that all levels of the organization understand the high-level assessment and are able to reference where a security control is being implemented. A referenced taxonomy of controls permits governance to be aligned with the operational implementation. After an assessment of the controls, the response to risk is recognized, communicated, and accurately referenced in the risk register. Quality input from mapping produces accurate measurements and informative metrics when reporting on the performance of the controls. The cybersecurity taxonomy aligns controls from many sources for efficient and timely coordination within any organization and shared between third parties.


The National Institute for Standards and Technology (NIST) Cyber Security Framework (CSF), described in a document titled Framework for Improving Critical Infrastructure Cybersecurity, is structured with 5 Functions, 23 Categories, and 108 Subcategories. The control descriptions of each category and subcategory provides a general perspective of the requirements for secure business operations. It offers ease of communication throughout an organization with the high-level categorization of controls. The recent revisions and updates among other NIST risk and security publications often refence the CSF as a structure for executive or Tier 1 reporting and decision making for framing and guidance of risk management.

A significant component of the NIST Risk Management Framework (RMF) is the family of controls found in the NIST SP 800–53r5 Security and Privacy Controls for Information Systems and Organizations publication. These controls are segmented into specific requirements within the NIST SP 800–53Ar5 document and can be used to define the remediation required to fulfil the gaps found in the risk analysis of each security control.


For the purposes of this document, when defining the taxonomy of controls, a control catalogue is defined as an accumulation of control IDs from disparate control sets formed to be applicable to an organization. I.e., IT General Controls (ITGC) may be compiled from many security control regulations or contractual agreements to form a list of controls that are specific to an organization’s control catalogue. A control set is a list of controls published by a regulatory body to define their industry’s requirements or to list controls that will advance the security of an intended purpose. Within a control set there are control IDs which provide a reference point for each control. The control descriptions prescribe the standard by which the control will be implemented and measured. One or more control requirements may be itemized within each control description.

CSF Breakdown into an ISCN

The Integrated Security Control Number (ISCN) taxonomy is a layer of abstraction between the high-level categorization of controls and the operational control requirements. Utilizing the NIST SP 800–53r5 and 53Ar5 documents as a foundational reference point, an ISCN creates the structure by which groups of controls are aligned to the CSF.
The ISCN is a numbering system that matches the CSF control IDs and groups control IDs to the CSF. The ISCN has four parts. Using the CSF control ID of PR.AC-4 as an example, the corresponding ISCN is 2.1–4.000. Protect (PR) is the second function in the CSF and is therefore designated as number 2 in the ISCN. Access Controls (AC) is the first category within the PR function and is assigned the number 1. The sub-category (which is the control description) is the same number used in the CSF. The final number of the ISCN is the group to which the control IDs are associated. The principle of least functionality is assigned a group number of 200. The result is the CSF control ID of PR.AC-4 for least functionality represented as 2.1–4.200.
The next CSF category is Awareness Training within the PR function and is sequentially numbered as 2.2–1.000, and so on through each subcategory listing. The control IDs within different control sets are first mapped to the CSF and then provided an ISCN which includes the grouping of the control ID to similar controls from NIST SP 800–53Ar5 and other control standards.
Written in rows and columns the relationship between the CSF and other control sets can be visualized with the ISCN. The example in Figure 1 highlights the categorization and grouping of controls. Beginning with the Access Control (AC) category within the CSF Protect function (PR), the CSF subcategory is separated into the groups of management, least privilege, and separation of duties (PR.AC-4). Each of these groups is numbered as 100, 200, and 300, respectively.

Figure 1: Alignment of controls with the ISCN

The numeric taxonomy of the ISCN brings together the control families found within the NIST SP 800–53r5 control set. The placement of the groups within ISCN mapping to CSF facilitates the direct measurement of the operational controls into an aggregation of a security posture score for the entire enterprise and highlighted within the CSF five security functions. Additional control sets, published by private organizations or a regulatory body, can also be aligned with the CSF and grouped to similar control IDs as identified within the ISCN taxonomy.


All this may seem arcane to average business personnel but the impact to governing cybersecurity risks is significant.
  • 1

    An interface into these controls with the ISCN facilitates ease of use, flexible configuration, and consistent compliance

  • 2

    A referenced taxonomy of controls permits governance to be aligned with the operational implementation creating a line-of-sight from Tier 1 management to the Tier 3 operational activities

  • 3

    The cybersecurity taxonomy aligns controls from many sources for efficient and timely coordination within any organization and shared between third parties

  • 4

    Quality input from mapping with the ISCN produces indexed measurements and informative metrics when reporting on the performance of the controls

  • 5

    Solves an asymmetrical measurement problem when aggregating disparate scores of the security and privacy requirements

  • 6

    Measurements for the controls follow a consistent scaling model

  • 7

    Improves communication of security requirements among organizational units

  • 8

    The response to risk is recognized, communicated, and accurately referenced in the risk register with the ISCN identification

  • 9

    Reduces the redundancy of conducting risk assessments by grouping similar control elements into a single referenced taxonomy

  • 10

    Assignment of an ISCN for controls in policies references multiple published controls sets or the internal ITGC


Consistent security controls are key to an appropriate risk assessment questionnaire, whether they be internal, external or from a third party. Mapping and grouping the control IDs of many security control sets requires a layer of abstraction to assimilate them into a consistent measurement method. Executives need to have confidence that the risk measurements at the operational level are accurately aggregated from many risk assessments throughout an organization. A numbering method to use in this layer of abstraction brings the consistency to the mapping, measurements, and metrics.
The necessity to protect organizations with consistent and integrated security controls will displace the reactionary response to vulnerabilities. It is best to remediate risk with appropriate security control measures rather than misallocating resources in a constant response to cybersecurity attacks. It becomes a good business decision to invest in protecting the organization rather than only reacting to threats.

Kent E Pankratz, MSISA & CISSP

As a Senior Manager and IT Security Analyst at SecurEnds Inc. with over 25 years of IT security experience, Kent seeks to unify control sets and accurately measure the performance of controls. SecurEnds, https://securends.com, provides the cloud software to automate user access reviews, access certifications, entitlement audits, security risk assessments, and compliance controls.