Skip to main content
U.S. flag

An official website of the United States government

Official websites use .gov
A .gov website belongs to an official government organization in the United States.

Secure .gov websites use HTTPS
A lock ( ) or https:// means you’ve safely connected to the .gov website. Share sensitive information only on official, secure websites.

Informative References: What are they, and how are they used?

This online learning module builds upon the introductory material presented in the Components of the Framework module and provides readers with a deeper look at Informative References and how an organization may use them.

An Introduction to Informative References

The Informative References are a part of the Framework Core.  They are more detailed technical references that are meant to provide organizations with a starting point for implementing practices to achieve the Framework's desired outcomes described in the associated Subcategory.   The image below provides an example of what the Informative References look like using the Business Environment Category.

Subcategories 1.1

Each subcategory includes several Informative References, however, they should not be viewed as a checklist that must be completed to implement the subcategory outcome. Organizations can use some, none, or all the Informative References to inform the activities they undertake to achieve the outcome described by the Subcategory.

Informative References Included in the Framework Core

Through the early Requests for Information (RFIs) and Framework Workshops, NIST considered a large compendium of standards, guidance, and publications consisting of over 450 items. Ultimately, six of these were selected to become informative references included in the Framework Core due to being broad references which were widely recognized, and had a large adoption rate.

The chart below lists each Informative References included in the Core and provides a link to the associated website/document .

Informative Reference Link
NIST SP 800-53 Rev. 4 nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf
ISO/IEC 27001:2013 iso.org/standard/54534.html
COBIT 5 isaca.org/cobit/pages/default.aspx
CIS CSC cisecurity.org/controls/
ISA 62443-2-1:2009 isa.org/templates/one-column.aspx?pageid=111294&productId=116731
ISA 62443-3-3:2013 isa.org/templates/one-column.aspx?pageid=111294&productId=116785

Additional Informative References

With the release of the Cybersecurity Framework v1.1, NIST is establishing the Online Informative Reference Program. By linking to and spreading awareness of additional Informative References, organizations will have a more robust set of tools to achieve Framework Core outcomes.

Here is  the full Catalog of Informative References, or to learn more about submitting your own Informative Reference mapping see the Reference Submission page.

Use of Informative References is non-compulsory for Framework implementation. Organizations have the flexibility to mix and match Informative References as best suits their needs. They may use all, some, none, or even choose to map additional practices not included in the Informative References catalog.

For example, a healthcare organization who organizes their existing controls around NIST 800-53 and is seeking to become ISO compliant may choose to use the ISO/IEC 27001 and the NIST 800-53 mappings included in the Framework Core along with the mapping for HITRUST from the larger Informative References catalog that applies specifically to healthcare organizations.

Created April 12, 2018, Updated March 16, 2023