ISO 27001 Requirements

ISO/IEC 27001 is an international standard to manage information security. The standard details requirements for establishing, implementing, maintaining, and continually improving an information security management system (ISMS). Many organizations/corporations across the world leverage ISO 27001 to certify their systems are considered secure and are following best practices. In some circumstances, ISO 27001 is applied beyond terrestrial system elements to include elements within the space segment as well. Therefore, to help bridge the gap between SPARTA countermeasures and ISO 27001 a mapping has been performed. This mapping was performed using NIST’s published mapping between NIST 800-53 rev5 and ISO 270001. According to NIST, “the mapping of SP 800-53 Revision 5 controls to ISO/IEC 27001:2022 requirements and controls reflects whether the implementation of a security control from Special Publication 800-53 satisfies the intent of the mapped security requirement or control from ISO/IEC 27001 and conversely, whether the implementation of a security requirement or security control from ISO/IEC 27001 satisfies the intent of the mapped control from Special Publication 800-53.” There could be gaps or mistakes within the NIST to ISO mappings as this is the as-provided mapping from NIST and the space system context was not considered in this initial mapping. Improvements will be made in future releases of SPARTA and driven by community feedback.

The intent of mapping SPARTA countermeasures to standards like NIST SP 800-53 and ISO 27001 is to provide SPARTA users with additional perspective of the security principle as well as how the SPARTA countermeasure aligns with compliance/regulatory/best practices published by such standards bodies.

ID			Name	SPARTA Countermeasures	NIST Rev 5
4			Context of the Organization	None	None
	4.1		Understanding the organization and its context	None	PM-1
	4.2		Understanding the needs and expectations of interested parties	None	PM-1
	4.3		Determining the scope of the information security management system	None	PM-1 \| PM-9 \| PM-28
	4.4		Information security management system	CM0022 \| CM0024 \| CM0025 \| CM0026 \| CM0027 \| CM0028 \| CM0004 \| CM0005	PM-1 \| PM-9 \| PM-30 \| PM-31
5			Leadership	None	None
	5.1		Leadership and commitment	None	PM-2 \| PM-3 \| PM-29
	5.2		Policy	CM0005 \| CM0022 \| CM0024 \| CM0026 \| CM0027 \| CM0028 \| CM0004	AC-1 \| AT-1 \| AU-1 \| CA-1 \| CM-1 \| CP-1 \| IA-1 \| IR-1 \| MA-1 \| MP-1 \| PE-1 \| PL-1 \| PM-1 \| PS-1 \| RA-1 \| SA-1 \| SC-1 \| SI-1 \| SR-1
	5.3		Organizational roles, responsibilities, and authorities	CM0005 \| CM0022 \| CM0024 \| CM0026 \| CM0027 \| CM0028 \| CM0004	AC-1 \| AT-1 \| AU-1 \| CA-1 \| CM-1 \| CP-1 \| IA-1 \| IR-1 \| MA-1 \| MP-1 \| PE-1 \| PL-1 \| PM-1 \| PM-2 \| PM-6 \| PM-29 \| PS-1 \| RA-1 \| SA-1 \| SC-1 \| SI-1 \| SR-1
6			Planning	None	None
	6.1		Actions to address risks and opportunities	None	None
		6.1.1	General	None	PM-1 \| PM-4 \| PM-6 \| PM-9
		6.1.2	Information security risk assessment	None	PM-9 \| PM-28 \| RA-3
		6.1.3	Information security risk treatment	CM0005	RA-7
	6.2		Information security objectives and planning to achieve them	CM0022 \| CM0024 \| CM0025 \| CM0026 \| CM0027 \| CM0028 \| CM0004 \| CM0005	PM-1 \| PM-3 \| PM-4 \| PM-6 \| PM-9 \| PM-28 \| PM-30 \| PM-31
7			Support	None	None
	7.1		Resources	None	PM-3
	7.2		Competence	None	PM-13
	7.3		Awareness	CM0041 \| CM0052	AT-2 \| PS-8
	7.4		Communication	CM0005	PM-1 \| PM-15 \| PM-28 \| PM-31
	7.5		Documented information	None	None
		7.5.1	General	CM0005 \| CM0022 \| CM0024 \| CM0025 \| CM0026 \| CM0027 \| CM0028 \| CM0004 \| CM0001 \| CM0008 \| CM0007	AC-1 \| AT-1 \| AU-1 \| CA-1 \| CM-1 \| CP-1 \| CP-2 \| IA-1 \| IR-1 \| IR-8 \| MA-1 \| MP-1 \| PE-1 \| PL-1 \| PL-2 \| PM-1 \| PM-4 \| PM-9 \| PM-28 \| PM-30 \| PM-31 \| PS-1 \| RA-1 \| SA-1 \| SA-5 \| SC-1 \| SI-1 \| SR-1
		7.5.2	Creating and updating	CM0005 \| CM0022 \| CM0024 \| CM0025 \| CM0026 \| CM0027 \| CM0028 \| CM0004 \| CM0001 \| CM0008 \| CM0007	AC-1 \| AT-1 \| AU-1 \| CA-1 \| CM-1 \| CP-1 \| CP-2 \| IA-1 \| IR-1 \| IR-8 \| MA-1 \| MP-1 \| PE-1 \| PL-1 \| PL-2 \| PM-1 \| PM-4 \| PM-9 \| PM-28 \| PM-30 \| PM-31 \| PS-1 \| RA-1 \| SA-1 \| SA-5 \| SC-1 \| SI-1 \| SR-1
		7.5.3	Control of documented information	CM0005 \| CM0022 \| CM0024 \| CM0025 \| CM0026 \| CM0027 \| CM0028 \| CM0004 \| CM0001 \| CM0008 \| CM0007	AC-1 \| AT-1 \| AU-1 \| CA-1 \| CM-1 \| CP-1 \| CP-2 \| IA-1 \| IR-1 \| IR-8 \| MA-1 \| MP-1 \| PE-1 \| PL-1 \| PL-2 \| PM-1 \| PM-4 \| PM-9 \| PM-28 \| PM-30 \| PM-31 \| PS-1 \| RA-1 \| SA-1 \| SA-5 \| SC-1 \| SI-1 \| SR-1
8			Operation	None	None
	8.1		Operation planning and control	CM0005	CM-3 \| PL-7 \| PM-1 \| SA-1 \| SA-4
	8.2		Information security risk assessment	None	RA-3
	8.3		Information security risk treatment	CM0005	CA-5 \| PM-4 \| RA-7
9			Performance evaluation	None	None
	9.1		Monitoring, measurement, analysis and evaluation	CM0052 \| CM0005	CA-7 \| PM-6 \| PM-31
	9.2		Internal audit	None	None
		9.2.1	General	None	CA-2
		9.2.2	Internal audit programme	CM0005	CA-1 \| CA-2 \| CA-2(1) \| CA-7(1) \| PM-31
	9.3		Management review	None	None
		9.3.1	General	None	CA-1 \| CA-6 \| PM-1 \| PM-29
		9.3.2	Management review inputs	CM0052 \| CM0005	CA-7 \| CA-7(3) \| CA-7(4) \| PM-4 \| RA-3
		9.3.3	Management review results	CM0052 \| CM0005	CA-5 \| CA-6 \| CA-7 \| CM-3
10			Improvement	None	None
	10.1		Continual improvement	CM0005	PM-1 \| PM-9 \| PM-31
	10.2		Nonconformity and corrective action	CM0022 \| CM0024 \| CM0025 \| CM0026 \| CM0027 \| CM0028 \| CM0004 \| CM0005	CA-5 \| PL-2 \| PM-4 \| PM-30 \| PM-31 \| RA-7