Module 4: Compliance & Integration

Mapping to NERC CIP

NERC CIP (Critical Infrastructure Protection) standards are mandatory for registered owners, operators and users of the North American Bulk Electric System. ISO/IEC 27019, the energy-utility extension of ISO/IEC 27002, can help achieve NERC CIP compliance while building a comprehensive security program that is not limited to the CIP scope.

NERC CIP Overview

13 mandatory and enforceable standards covering:

  • CIP-002: Asset identification and categorization
  • CIP-003: Security management controls
  • CIP-004: Personnel and training
  • CIP-005: Electronic security perimeters
  • CIP-006: Physical security
  • CIP-007: System security management
  • CIP-008: Incident reporting and response
  • CIP-009: Recovery plans
  • CIP-010: Configuration and vulnerability management
  • CIP-011: Information protection
  • CIP-012: Communications between control centers
  • CIP-013: Supply chain risk management
  • CIP-014: Physical security (transmission)

Enforcement: Violations can result in penalties up to $1 million per day per violation.

Applicability: Bulk Electric System (BES) operators in North America

Key NERC CIP to ISO 27019 Mappings

CIP-002: BES Cyber System Categorization

Requirement: Identify BES Cyber Systems and categorize them as high, medium or low impact ("critical cyber assets" is the retired CIP version 3 term)

ISO 27019 Mapping:

  • Asset inventory processes (Lesson 3.1)
  • Criticality assessment methodology
  • Risk-based categorization

How ISO 27019 Helps: Provides comprehensive asset inventory approach extending beyond BES to all OT

CIP-003: Security Management Controls

Requirement: Security policies, leadership, delegation of authority

ISO 27019 Mapping:

  • Information security governance
  • OT security policy development
  • Security organization structure
  • Management commitment

How ISO 27019 Helps: Provides framework for comprehensive OT security program beyond minimum CIP requirements

CIP-004: Personnel & Training

Requirement: Background checks, training, access provisioning/revocation

ISO 27019 Mapping:

  • HR security controls
  • Security awareness and training programs
  • Access provisioning and deprovisioning procedures

How ISO 27019 Helps: Extends to all OT personnel, not just those with BES access

CIP-005: Electronic Security Perimeter(s)

Requirement: Define boundaries, access control, monitoring of the ESP and of Interactive Remote Access

ISO 27019 Mapping:

  • Network segmentation (Lesson 2.2)
  • Boundary protection with firewalls
  • DMZ architecture
  • Remote access security (Lesson 2.3)

How ISO 27019 Helps: Provides defense-in-depth beyond perimeter, includes Purdue model guidance

CIP-006: Physical Security

Requirement: Physical access controls to BES Cyber Systems

ISO 27019 Mapping:

  • Physical security controls
  • Integration of physical and logical access
  • Visitor management
  • Monitoring and logging

How ISO 27019 Helps: Integrates physical and cyber security for comprehensive protection

CIP-007: System Security Management

Requirement: Ports and services, patch management, malware prevention, security event monitoring, system access controls

ISO 27019 Mapping:

  • Patch management (Lesson 2.5)
  • Malware protection (Lesson 2.4)
  • System hardening
  • Logging and monitoring

How ISO 27019 Helps: Provides practical guidance for OT-specific implementation challenges

CIP-008: Incident Reporting and Response

Requirement: Incident response plan, testing, reporting

ISO 27019 Mapping:

  • OT incident response procedures (Lesson 3.4)
  • Severity classification
  • Reporting templates and timelines
  • Testing and exercises

How ISO 27019 Helps: Provides broader incident response framework including safety integration

CIP-009: Recovery Plans

Requirement: Backup and restore procedures, testing

ISO 27019 Mapping:

  • Business continuity for OT
  • Backup and recovery procedures
  • Testing requirements

How ISO 27019 Helps: Addresses recovery while maintaining safety

CIP-010: Configuration Change Management and Vulnerability Assessments

Requirement: Baseline configurations, change control, vulnerability assessments, Transient Cyber Assets and Removable Media (patch timing itself is in CIP-007 R2, not CIP-010)

ISO 27019 Mapping:

  • Configuration management
  • Change control processes
  • Vulnerability assessment adapted for OT
  • Risk-based patching

How ISO 27019 Helps: Provides flexibility for operational constraints

CIP-011: Information Protection

Requirement: Protect BES Cyber System Information

ISO 27019 Mapping:

  • Data classification and handling
  • Information protection controls
  • Secure disposal

How ISO 27019 Helps: Extends to all sensitive OT information

CIP-013: Supply Chain Risk Management

Requirement: Plan for supply chain cybersecurity risks

ISO 27019 Mapping:

  • Vendor security requirements
  • Procurement security controls
  • Third-party risk assessment

How ISO 27019 Helps: Comprehensive vendor and supply chain security program

ISO 27019 Beyond NERC CIP

ISO 27019 provides broader coverage:

Additional Systems:

  • Distribution systems (not covered by CIP)
  • Generation below BES thresholds
  • Supporting IT systems
  • Smart grid and DER

Additional Controls:

  • Detailed OT-specific technical guidance
  • Safety system integration
  • International best practices
  • Risk-based flexibility

Benefits of ISO 27019 + NERC CIP:

  • NERC CIP provides compliance baseline
  • ISO 27019 enhances overall security posture
  • Demonstrates due diligence beyond minimum requirements
  • Framework for continuous improvement
  • Alignment with international standards

Compliance Strategy

Using ISO 27019 for NERC CIP Compliance

  1. Map Requirements: Create mapping matrix showing ISO 27019 controls → NERC CIP requirements
  2. Implement ISO 27019: Build comprehensive OT security program using ISO 27019 guidance
  3. Document Alignment: Show how ISO 27019 implementation satisfies NERC CIP requirements
  4. Maintain Evidence: Collect documentation meeting both frameworks
  5. Unified Audits: Prepare for both NERC CIP audits and ISO/IEC 27001 certification (ISO 27019 is guidance rather than a certifiable standard; its controls are carried into the ISO 27001 Statement of Applicability)

Compliance Matrix Template

For each NERC CIP requirement document:

  • NERC CIP standard and requirement number
  • Requirement description
  • Applicable ISO 27019 guidance sections
  • Implementation details specific to your organization
  • Evidence location (documents, systems, logs)
  • Responsible party/role
  • Compliance status and date verified
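A matrix kept as a spreadsheet tends to rot: rows are marked compliant with no evidence path, or the verification date is years old, and the gap is only noticed when an auditor asks. The Python below is an added illustration for this lesson, not code from the lesson, from NERC or from ISO: it loads a matrix in the template's columns from CSV, flags rows that would not survive an evidence request, and lists CIP standards with no row at all. The sample rows are constructed, and the ISO clause numbers follow the ISO/IEC 27002:2013 numbering that ISO/IEC 27019:2017 uses; check them against your own copy.

```python
"""Compliance matrix gap check.

Added illustration for this lesson; not code from the lesson, from NERC
or from ISO. The matrix is CSV with the template's columns; the rows are
constructed sample data, not any entity's real evidence.
"""
import csv
import io
from datetime import date

# Constructed sample matrix, one row per tracked CIP requirement.
SAMPLE_MATRIX = """\
cip_req,description,iso_ref,implementation,evidence,owner,status,verified
CIP-002 R1,Identify and categorize BES Cyber Systems,8.1.1,Annual OT asset review,gov/asset-inventory.xlsx,OT Security Lead,compliant,2024-09-01
CIP-005 R1,Electronic Security Perimeter,13.1.3,Zoned firewalls per substation,net/fw-rulesets/,Network Engineering,compliant,2023-03-15
CIP-007 R2,Security patch management,12.6.1,35-day evaluate/act cycle,patch/tracker.csv,Patch Team,compliant,
CIP-013 R1,Supply chain risk management plan,15.1.1,,,,not started,
"""

# The 13 CIP standards the lesson lists; each should have at least one row.
CIP_STANDARDS = ["CIP-%03d" % n for n in range(2, 15)]


def load_matrix(text):
    """Parse the CSV matrix into a list of dicts keyed by column name."""
    return list(csv.DictReader(io.StringIO(text)))


def find_gaps(rows, today, max_age_days=365):
    """Return (cip_req, problem) pairs for rows that would not survive an
    auditor's evidence request: non-compliant status, no evidence location,
    no owner, or verification missing or older than max_age_days."""
    gaps = []
    for r in rows:
        req = r["cip_req"]
        if r["status"] != "compliant":
            gaps.append((req, "status is '%s'" % r["status"]))
        if not r["evidence"]:
            gaps.append((req, "no evidence location recorded"))
        if not r["owner"]:
            gaps.append((req, "no responsible party"))
        if not r["verified"]:
            gaps.append((req, "never verified"))
        else:
            age = (today - date.fromisoformat(r["verified"])).days
            if age > max_age_days:
                gaps.append((req, "verification is %d days old" % age))
    return gaps


def missing_standards(rows, required=CIP_STANDARDS):
    """CIP standards with no row at all in the matrix (coverage gaps)."""
    present = {r["cip_req"].split()[0] for r in rows}
    return [s for s in required if s not in present]


def audit(text, today_iso):
    """Run both checks; today_iso is the review date as YYYY-MM-DD."""
    rows = load_matrix(text)
    today = date.fromisoformat(today_iso)
    return {"gaps": find_gaps(rows, today), "missing": missing_standards(rows)}


if __name__ == "__main__":
    result = audit(SAMPLE_MATRIX, "2024-10-01")
    for req, problem in result["gaps"]:
        print("%-12s %s" % (req, problem))
    print("no rows for:", ", ".join(result["missing"]))
```

Run against the sample with a review date of 2024-10-01, the CIP-002 row passes, CIP-005 is flagged for a 566-day-old verification, CIP-007 for never having been verified, CIP-013 for four separate problems, and nine of the thirteen standards have no row at all. The one-year staleness threshold is this example's own choice; align it with your audit cycle.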

Practical Considerations

NERC CIP is Prescriptive: Specific requirements that must be met exactly as written

ISO 27019 is Risk-Based: Flexible implementation based on risk assessment and operational context

Strategy: Use NERC CIP as minimum mandatory requirements, use ISO 27019 for risk-based enhancements

Example:

  • NERC CIP-007 R2 requires that security patches released by a tracked source be evaluated for applicability at least once every 35 calendar days and that, within 35 calendar days of that evaluation, each applicable patch be applied or a dated mitigation plan be created or revised. The clock runs regardless of vulnerability severity.
  • ISO 27019 allows a risk-based approach with compensating controls
  • Implementation: Run the 35-day evaluate/act cycle for in-scope BES Cyber Systems; use the ISO 27019 risk approach for non-BES OT systems
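The two 35-day windows are easy to miss when a tracker records only release dates, because the second window starts at the evaluation, not at release. The Python below is an added illustration, not code from the lesson or from NERC: it models both windows over a set of constructed patch records and reports which records are late or overdue as of a fixed review date. The record layout, the field names and the sample dates are this example's own assumptions. The evaluation window is measured from the release date, which is a conservative bound: any evaluation cycle run at least every 35 days reaches a patch within 35 days of its release.

```python
"""CIP-007 R2 patch-window tracker.

Added illustration, not code from the lesson or from NERC. It models the
two 35-calendar-day windows in CIP-007 R2: Part 2.2 (evaluate released
patches for applicability at least every 35 days) and Part 2.3 (within 35
days of the evaluation, apply the patch or create/revise a dated
mitigation plan). Record layout and sample patches are constructed here.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

WINDOW = timedelta(days=35)


@dataclass
class PatchRecord:
    patch_id: str
    released: date                 # published by the tracked patch source
    evaluated: Optional[date]      # applicability evaluation completed
    applicable: bool               # outcome of that evaluation
    action: Optional[str]          # "applied" or "mitigation_plan"
    action_date: Optional[date]    # when the action was taken


def findings(rec: PatchRecord, today: date) -> list:
    """Return the findings for one record; an empty list means on track."""
    out = []
    # Part 2.2: measured from release as a conservative bound.
    eval_due = rec.released + WINDOW
    if rec.evaluated is None:
        if today > eval_due:
            out.append("evaluation overdue")
        return out                  # nothing further can be judged yet
    if rec.evaluated > eval_due:
        out.append("evaluation late")
    if not rec.applicable:
        return out                  # Part 2.3 only covers applicable patches
    # Part 2.3: measured from the evaluation date, not the release date.
    act_due = rec.evaluated + WINDOW
    if rec.action is None:
        if today > act_due:
            out.append("action overdue")
    elif rec.action not in ("applied", "mitigation_plan"):
        out.append("unrecognised action '%s'" % rec.action)
    elif rec.action_date is None:
        out.append("action has no date")
    elif rec.action_date > act_due:
        out.append("action late")
    return out


def report(records, today):
    """Map patch_id -> findings for every record."""
    return {r.patch_id: findings(r, today) for r in records}


# Constructed sample data; the review date is fixed so results are stable.
AS_OF = date(2024, 6, 30)
SAMPLE_PATCHES = [
    PatchRecord("P1", date(2024, 5, 1), date(2024, 5, 20), True, "applied", date(2024, 6, 10)),
    PatchRecord("P2", date(2024, 4, 1), date(2024, 5, 10), True, "mitigation_plan", date(2024, 6, 20)),
    PatchRecord("P3", date(2024, 5, 20), None, False, None, None),
    PatchRecord("P4", date(2024, 6, 1), date(2024, 6, 15), False, None, None),
    PatchRecord("P5", date(2024, 5, 1), date(2024, 5, 15), True, None, None),
]


def sample_report():
    return report(SAMPLE_PATCHES, AS_OF)


if __name__ == "__main__":
    for pid, f in sample_report().items():
        print(pid, "OK" if not f else "; ".join(f))
```

With the sample data, P1 and P4 are on track, P2 missed both windows (evaluated on day 39, acted on day 41 after evaluation), P3 has gone 41 days without an evaluation, and P5 was evaluated on time but has had neither a patch nor a mitigation plan for 46 days. Feeding the same records into the compliance matrix as the evidence behind the CIP-007 R2 row is what turns "compliant" from an assertion into something an auditor can check.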

Next Lesson: Preparing for security audits and assessments.
