Which NIST Special Publication outlines necessary controls for audits of information systems used for certification?


Prepare for the WGU ITAS6291 D488 Cybersecurity Architecture and Engineering exam. Use flashcards and multiple-choice questions, each with explanations and guidance. Master your knowledge and excel in your exam!

NIST Special Publication 800-53 is the appropriate document when discussing necessary controls for audits of information systems used for certification. This publication provides a comprehensive framework for selecting and specifying security controls for information systems that can be used by federal agencies and others to manage risk and meet compliance requirements.

The controls specified in NIST 800-53 encompass a wide range of security and privacy measures that are crucial for establishing a secure operating environment, including aspects that directly relate to auditing. The publication emphasizes the importance of continually assessing and evaluating the implemented security controls through audits, so that information systems operate securely and conform to established security policies.

The other options do not focus specifically on the controls necessary for audits of information systems. For instance, NIST 800-84 pertains to the guidelines for the testing and assessment of security controls but does not detail the controls themselves, while NIST 800-61 focuses on incident handling rather than on audit controls or certification requirements. ISO standard 15408, known as the Common Criteria, relates primarily to the evaluation of security properties in IT products and systems but does not serve as a guideline specifically for audit controls.
