ISO 27001 Controls

ISO/IEC 27001 is an international standard to manage information security. The standard details requirements for establishing, implementing, maintaining, and continually improving an information security management system (ISMS). Many organizations/corporations across the world leverage ISO 27001 to certify their systems are considered secure and are following best practices. In some circumstances, ISO 27001 is applied to the ground system, the spacecraft, etc. Therefore, to help bridge the gap between SPARTA countermeasures and ISO 27001 a mapping has been performed. This mapping was performed using NIST’s published mapping between NIST 800-53 rev5 and ISO 270001. According to NIST, “the mapping of SP 800-53 Revision 5 controls to ISO/IEC 27001:2022 requirements and controls reflects whether the implementation of a security control from Special Publication 800-53 satisfies the intent of the mapped security requirement or control from ISO/IEC 27001 and conversely, whether the implementation of a security requirement or security control from ISO/IEC 27001 satisfies the intent of the mapped control from Special Publication 800-53.”

The intent of mapping SPARTA countermeasures to standards like NIST 800-53 and ISO 27001 is to provide SPARTA users with additional information of the security principle as well as how the SPARTA countermeasure aligns with compliance/regulatory/best practices published by NIST and/or ISO.

ID		Name	SPARTA Countermeasures	NIST Rev 5
A.5		Organizational controls	None	None
	A.5.1	Policies for information security	CM0005 \| CM0022 \| CM0024 \| CM0026 \| CM0027 \| CM0028 \| CM0004	AC-1 \| AT-1 \| AU-1 \| CA-1 \| CM-1 \| CP-1 \| IA-1 \| IR-1 \| MA-1 \| MP-1 \| PE-1 \| PL-1 \| PM-1 \| PS-1 \| RA-1 \| SA-1 \| SC-1 \| SI-1 \| SR-1
	A.5.2	Information security roles and responsibilities	CM0005 \| CM0004 \| CM0022 \| CM0024 \| CM0026 \| CM0027 \| CM0028	AC-1 \| AT-1 \| AU-1 \| CA-1 \| CM-1 \| CM-9 \| CP-1 \| CP-2 \| IA-1 \| IR-1 \| MA-1 \| MP-1 \| PE-1 \| PL-1 \| PM-1 \| PM-2 \| PM-10 \| PM-29 \| PS-1 \| PS-7 \| PS-9 \| RA-1 \| SA-1 \| SA-3 \| SA-9 \| SC-1 \| SI-1 \| SR-1
	A.5.3	Segregation of duties	None	AC-5
	A.5.4	Management responsibilities	CM0005 \| CM0022 \| CM0024 \| CM0026 \| CM0027 \| CM0028 \| CM0004	AC-1 \| AT-1 \| AU-1 \| CA-1 \| CM-1 \| CP-1 \| IA-1 \| IR-1 \| MA-1 \| MP-1 \| PE-1 \| PL-1 \| PL-4 \| PM-1 \| PM-18 \| PS-1 \| PS-6 \| PS-7 \| PT-1 \| RA-1 \| SA-1 \| SA-9 \| SC-1 \| SI-1 \| SR-1
	A.5.5	Contact with authorities	CM0005	IR-6
	A.5.6	Contact with special interest groups	CM0005	PM-15 \| SI-5
	A.5.7	Threat intelligence	CM0009 \| CM0005 \| CM0052 \| CM0032	PM-16 \| PM-16(1) \| RA-10
	A.5.8	Information security in project management	CM0005 \| CM0004 \| CM0017	PL-2 \| PL-7 \| PL-8 \| SA-3 \| SA-4 \| SA-9 \| SA-15
	A.5.9	Inventory of information and other associated assets	CM0012 \| CM0005	CM-8
	A.5.10	Acceptable use of information and other associated assets	CM0005 \| CM0052 \| CM0049 \| CM0006	MP-2 \| MP-4 \| MP-5 \| MP-6 \| MP-7 \| PE-16 \| PE-18 \| PE-20 \| PL-4 \| SC-8 \| SC-28
	A.5.11	Return of assets	CM0052	PS-4 \| PS-5
	A.5.12	Classification of information	None	RA-2
	A.5.13	Labelling of information	CM0005	MP-3 \| PE-22
	A.5.14	Information transfer	CM0050 \| CM0005 \| CM0038 \| CM0052 \| CM0002 \| CM0033 \| CM0055 \| CM0034 \| CM0049 \| CM0006	AC-4 \| AC-17 \| AC-18 \| AC-19 \| AC-20 \| CA-3 \| PE-17 \| SA-9 \| SC-7 \| SC-8 \| SC-15
	A.5.15	Access control	CM0005 \| CM0055 \| CM0052 \| CM0039 \| CM0038	AC-1 \| AC-3 \| AC-6
	A.5.16	Identity management	CM0005 \| CM0052 \| CM0031 \| CM0033 \| CM0002 \| CM0035	AC-2 \| IA-2 \| IA-4 \| IA-5 \| IA-8
	A.5.17	Authentication information	CM0002 \| CM0005 \| CM0035	IA-5
	A.5.18	Access rights	CM0005	AC-2
	A.5.19	Information security in supplier relationships	CM0022 \| CM0024 \| CM0026 \| CM0027 \| CM0028 \| CM0004 \| CM0005	SR-1 \| SR-2
	A.5.20	Addressing information security within supplier agreements	CM0005 \| CM0022 \| CM0024 \| CM0026 \| CM0027 \| CM0028 \| CM0004 \| CM0025	SA-4 \| SR-2 \| SR-3 \| SR-5
	A.5.21	Managing information security in the information and communication technology (ICT) supply chain	CM0022 \| CM0024 \| CM0026 \| CM0027 \| CM0028 \| CM0004 \| CM0005 \| CM0025	SR-2 \| SR-3 \| SR-4 \| SR-5
	A.5.22	Monitoring, review and change management of supplier services	CM0022 \| CM0004 \| CM0005 \| CM0025 \| CM0001	RA-9 \| SA-9 \| SR-6 \| SR-7
	A.5.23	Information security for use of cloud services	CM0005 \| CM0024 \| CM0025 \| CM0026 \| CM0027 \| CM0028 \| CM0004	SA-1 \| SA-4 \| SA-9 \| SA-9(3) \| SR-5
	A.5.24	Information security incident management planning and preparation	None	IR-8
	A.5.25	Assessment and decision on information security events	CM0052 \| CM0005 \| CM0032 \| CM0044	AU-6 \| IR-4
	A.5.26	Response to information security events	CM0052 \| CM0005 \| CM0032 \| CM0044	IR-4
	A.5.27	Learning from information security incidents	CM0052 \| CM0005 \| CM0032 \| CM0044	IR-4
	A.5.28	Collection of evidence	CM0005	AU-10(3) \| AU-11
	A.5.29	Information security during disruption	CM0005 \| CM0029 \| CM0056 \| CM0032 \| CM0044	CP-2 \| CP-4 \| CP-6 \| CP-7 \| CP-8 \| CP-9 \| CP-10 \| CP-11 \| CP-13
	A.5.30	ICT readiness for business continuity	CM0022 \| CM0004 \| CM0005	CA-2 \| CP-2(1) \| CP-2(8) \| CP-4 \| CP-4(1)
	A.5.31	Legal, statutory, regulatory and contractual requirements	CM0005 \| CM0002 \| CM0033 \| CM0050 \| CM0006 \| CM0022 \| CM0024 \| CM0026 \| CM0027 \| CM0028 \| CM0004	AC-1 \| AT-1 \| AU-1 \| CA-1 \| CM-1 \| CP-1 \| IA-1 \| IR-1 \| MP-1 \| PE-1 \| PL-1 \| PM-1 \| PS-1 \| RA-1 \| SA-1 \| SC-1 \| SC-13 \| SI-1 \| SR-1
	A.5.32	Intellectual property rights	None	CM-10
	A.5.33	Protection of records	CM0055 \| CM0005 \| CM0032 \| CM0056 \| CM0002 \| CM0049	AC-3 \| AU-9 \| CP-9 \| SC-8(1) \| SC-28(1)
	A.5.34	Privacy and protection of personal identifiable information (PII)	None	None
	A.5.35	Independent review of information security	None	CA-2(1)
	A.5.36	Compliance with policies, rules and standards for information security	CM0005 \| CM0052 \| CM0022 \| CM0024 \| CM0026 \| CM0027 \| CM0028 \| CM0004	AC-1 \| AT-1 \| AU-1 \| CA-1 \| CA-2 \| CA-7 \| CM-1 \| CP-1 \| IA-1 \| IR-1 \| MP-1 \| PE-1 \| PL-1 \| PM-1 \| PS-1 \| RA-1 \| SA-1 \| SC-1 \| SI-1 \| SR-1
	A.5.37	Documented operating procedures	CM0005 \| CM0001 \| CM0008 \| CM0007 \| CM0022 \| CM0024 \| CM0026 \| CM0027 \| CM0028 \| CM0004	AC-1 \| AT-1 \| AU-1 \| CA-1 \| CM-1 \| CP-1 \| IA-1 \| IR-1 \| MA-1 \| MP-1 \| PE-1 \| PL-1 \| PS-1 \| RA-1 \| SA-1 \| SA-5 \| SC-1 \| SI-1 \| SR-1
A.6		People controls	None	None
	A.6.1	Screening	CM0052	PS-3 \| SA-21
	A.6.2	Terms and conditions of employment	None	PL-4 \| PS-6
	A.6.3	Information security awareness, education, and training	CM0041 \| CM0052 \| CM0005	AT-2 \| AT-3 \| CP-3 \| IR-2 \| PM-13
	A.6.4	Disciplinary process	CM0052	PS-8
	A.6.5	Responsibilities after termination or change of employment	CM0052	PS-4 \| PS-5
	A.6.6	Confidentiality or non-disclosure agreements	None	PS-6
	A.6.7	Remote working	CM0005	AC-17 \| PE-17
	A.6.8	Information security event reporting	CM0052 \| CM0005 \| CM0004 \| CM0010	AU-6 \| IR-6 \| SI-2
A.7		Physical Controls	None	None
	A.7.1	Physical security perimeters	CM0054 \| CM0053	PE-3
	A.7.2	Physical entry	CM0052 \| CM0053 \| CM0054	PE-2 \| PE-3 \| PE-4 \| PE-5 \| PE-16
	A.7.3	Securing offices, rooms and facilities	CM0054 \| CM0053	PE-3 \| PE-5
	A.7.4	Physical security monitoring	CM0005 \| CM0054 \| CM0053	AU-6(6) \| PE-3 \| PE-3(3) \| PE-6 \| PE-6(1) \| PE-6(4)
	A.7.5	Protecting against physical and environmental threats	CM0003 \| CM0062 \| CM0057 \| CM0058 \| CM0059 \| CM0060 \| CM0061 \| CM0063 \| CM0064	CP-6 \| CP-7 \| PE-9 \| PE-13 \| PE-14 \| PE-15 \| PE-18 \| PE-19 \| PE-23
	A.7.6	Working in secure areas	None	None
	A.7.7	Clear desk and clear screen	CM0005	AC-11 \| MP-2 \| MP-4 \| PE-5
	A.7.8	Equipment siting and protection	CM0003 \| CM0062 \| CM0057 \| CM0058 \| CM0059 \| CM0060 \| CM0061 \| CM0063 \| CM0064	PE-9 \| PE-13 \| PE-14 \| PE-15 \| PE-18 \| PE-19 \| PE-23
	A.7.9	Security of assets off-premises	CM0005	AC-19 \| AC-20 \| MP-5 \| PE-17
	A.7.10	Storage media	CM0005 \| CM0052	MA-2 \| MP-2 \| MP-4 \| MP-5 \| MP-6 \| MP-7 \| PE-16
	A.7.11	Supporting utilities	CM0005 \| CM0029	CP-8 \| PE-9 \| PE-10 \| PE-11 \| PE-12 \| PE-14 \| PE-15
	A.7.12	Cabling security	None	PE-4 \| PE-9
	A.7.13	Equipment maintenance	CM0005	MA-2 \| MA-6
	A.7.14	Secure disposal or re-use of equipment	CM0005	MP-6
A.8		Technological controls	None	None
	A.8.1	User end point devices	CM0005	AC-11 \| AC-17 \| AC-18 \| AC-19 \| CP-2
	A.8.2	Privileged access rights	CM0005 \| CM0055 \| CM0052 \| CM0039 \| CM0038	AC-2 \| AC-3 \| AC-6 \| CA-2 \| CM-5
	A.8.3	Information access restriction	CM0055 \| CM0005	AC-3 \| AC-24 \| CM-5
	A.8.4	Access to source code	CM0055 \| CM0005 \| CM0001 \| CM0008 \| CM0052 \| CM0049 \| CM0004 \| CM0007 \| CM0035	AC-3 \| AC-3(11) \| CM-5
	A.8.5	Secure authentication	CM0005	AC-7 \| AC-8 \| AC-9 \| IA-6
	A.8.6	Capacity management	CM0005 \| CM0032	AU-4 \| CP-2(2) \| SC-5(2)
	A.8.7	Protection against malware	CM0041 \| CM0052 \| CM0005	AT-2 \| SI-3
	A.8.8	Management of technical vulnerabilities	CM0008 \| CM0004 \| CM0011 \| CM0013 \| CM0016 \| CM0019 \| CM0005 \| CM0010	RA-3 \| RA-5 \| SI-2
	A.8.9	Configuration management	CM0005 \| CM0004 \| CM0010 \| CM0023 \| CM0012	CM-1 \| CM-2 \| CM-2(3) \| CM-3 \| CM-3(7) \| CM-3(8) \| CM-4 \| CM-5 \| CM-6 \| CM-8 \| CM-9 \| CM-9(1) \| SA-10
	A.8.10	Information deletion	CM0001 \| CM0040 \| CM0005	AC-4(25) \| AC-7(2) \| MA-2 \| MA-3(3) \| MA-4(3) \| MP-4 \| MP-6 \| MP-6(1) \| SI-21
	A.8.11	Data masking	CM0001 \| CM0040 \| CM0050 \| CM0005 \| CM0002	AC-4(23) \| SI-19(4)
	A.8.12	Data leakage prevention	CM0052 \| CM0053 \| CM0003 \| CM0062 \| CM0057 \| CM0058 \| CM0059 \| CM0060 \| CM0061 \| CM0063 \| CM0064 \| CM0005	AU-13 \| PE-3(2) \| PE-19 \| SC-7(10) \| SI-20
	A.8.13	Information backup	CM0005 \| CM0056	CP-9
	A.8.14	Redundancy of information processing facilities	None	CP-6 \| CP-7
	A.8.15	Logging	CM0005 \| CM0032 \| CM0052	AU-2 \| AU-3 \| AU-6 \| AU-9 \| AU-11 \| AU-12 \| AU-14
	A.8.16	Monitoring activities	CM0055 \| CM0005 \| CM0002 \| CM0034 \| CM0052 \| CM0033 \| CM0032 \| CM0066 \| CM0067 \| CM0068	AC-2(12) \| AC-17(1) \| AU-13 \| IR-4(13) \| MA-4(1) \| PE-6 \| PE-6(3) \| SC-7 \| SI-4 \| SI-4(4) \| SI-4(13) \| SI-4(16)
	A.8.17	Clock synchronization	CM0005 \| CM0032	AU-8
	A.8.18	Use of privileged utility programs	CM0055 \| CM0005 \| CM0052 \| CM0039 \| CM0038	AC-3 \| AC-6
	A.8.19	Installation of software on operational systems	CM0039 \| CM0047 \| CM0005 \| CM0069	CM-5 \| CM-7 \| CM-7(4) \| CM-7(5) \| CM-11
	A.8.20	Networks security	CM0055 \| CM0005 \| CM0052 \| CM0002 \| CM0033 \| CM0034 \| CM0049 \| CM0006 \| CM0036	AC-3 \| AC-18 \| AC-20 \| SC-7 \| SC-8 \| SC-10
	A.8.21	Security of network services	CM0005	CA-3 \| SA-9
	A.8.22	Segregation of networks	CM0050 \| CM0005 \| CM0038 \| CM0052 \| CM0002 \| CM0033 \| CM0055 \| CM0034	AC-4 \| SC-7
	A.8.23	Web filtering	CM0050 \| CM0005 \| CM0038 \| CM0052 \| CM0002 \| CM0033 \| CM0055 \| CM0034	AC-4 \| SC-7 \| SC-7(8)
	A.8.24	Use of cryptography	CM0002 \| CM0030 \| CM0005 \| CM0033 \| CM0050 \| CM0006	SC-12 \| SC-13 \| SC-17
	A.8.25	Secure development life cycle	CM0004 \| CM0005 \| CM0017	SA-3 \| SA-15 \| SA-17
	A.8.26	Application security requirements	CM0052 \| CM0002 \| CM0033 \| CM0055 \| CM0005 \| CM0034 \| CM0049 \| CM0006 \| CM0050	SC-7 \| SC-8 \| SC-13
	A.8.27	Secure system architecture and engineering principles	CM0005	SA-8 \| SA-17
	A.8.28	Secure coding	CM0004 \| CM0005 \| CM0023 \| CM0016 \| CM0019	SA-4(3) \| SA-8 \| SA-10 \| SA-11(1) \| SA-15(5)
	A.8.29	Security testing in development and acceptance	CM0005 \| CM0004 \| CM0024 \| CM0025 \| CM0026 \| CM0027 \| CM0028	SA-4 \| SA-11 \| SR-5(2)
	A.8.30	Outsourced development	CM0005 \| CM0004 \| CM0023 \| CM0022 \| CM0024 \| CM0026 \| CM0027 \| CM0028 \| CM0025	SA-4 \| SA-10 \| SA-11 \| SR-2 \| SR-4
	A.8.31	Separation of development, test and production environments	CM0004 \| CM0010 \| CM0005	CM-4(1) \| CM-5 \| SA-3
	A.8.32	Change management	CM0005 \| CM0004 \| CM0023 \| CM0010	CM-3 \| SA-10 \| SI-2
	A.8.33	Test information	CM0001 \| CM0004 \| CM0005	SA-3(2)
	A.8.34	Protection of information systems during audit testing	None	None