ISO 27001 Controls

ISO/IEC 27001 is an international standard for managing information security. It specifies the requirements for establishing, implementing, maintaining, and continually improving an information security management system (ISMS). Many organizations and corporations across the world use ISO 27001 certification to demonstrate that their systems are secured according to recognized best practices. In some circumstances, ISO 27001 is applied to the ground system, the spacecraft, etc. To help bridge the gap between SPARTA countermeasures and ISO 27001, a mapping has been performed. This mapping was derived from NIST’s published mapping between NIST SP 800-53 Rev. 5 and ISO 27001. According to NIST, “the mapping of SP 800-53 Revision 5 controls to ISO/IEC 27001:2022 requirements and controls reflects whether the implementation of a security control from Special Publication 800-53 satisfies the intent of the mapped security requirement or control from ISO/IEC 27001 and conversely, whether the implementation of a security requirement or security control from ISO/IEC 27001 satisfies the intent of the mapped control from Special Publication 800-53.”

The intent of mapping SPARTA countermeasures to standards such as NIST SP 800-53 and ISO 27001 is to give SPARTA users additional information on the underlying security principle, as well as on how each SPARTA countermeasure aligns with the compliance, regulatory, and best-practice guidance published by NIST and/or ISO.

| ID | Name | SPARTA Countermeasures | NIST Rev 5 |
|---|---|---|---|
| A.5 | Organizational controls | | |
| A.5.1 | Policies for information security | CM0005 CM0022 CM0024 CM0026 CM0027 CM0028 CM0004 | AC-1 AT-1 AU-1 CA-1 CM-1 CP-1 IA-1 IR-1 MA-1 MP-1 PE-1 PL-1 PM-1 PS-1 RA-1 SA-1 SC-1 SI-1 SR-1 |
| A.5.2 | Information security roles and responsibilities | CM0005 CM0004 CM0022 CM0024 CM0026 CM0027 CM0028 | AC-1 AT-1 AU-1 CA-1 CM-1 CM-9 CP-1 CP-2 IA-1 IR-1 MA-1 MP-1 PE-1 PL-1 PM-1 PM-2 PM-10 PM-29 PS-1 PS-7 PS-9 RA-1 SA-1 SA-3 SA-9 SC-1 SI-1 SR-1 |
| A.5.3 | Segregation of duties | | AC-5 |
| A.5.4 | Management responsibilities | CM0005 CM0022 CM0024 CM0026 CM0027 CM0028 CM0004 | AC-1 AT-1 AU-1 CA-1 CM-1 CP-1 IA-1 IR-1 MA-1 MP-1 PE-1 PL-1 PL-4 PM-1 PM-18 PS-1 PS-6 PS-7 PT-1 RA-1 SA-1 SA-9 SC-1 SI-1 SR-1 |
| A.5.5 | Contact with authorities | CM0005 | IR-6 |
| A.5.6 | Contact with special interest groups | CM0005 | PM-15 SI-5 |
| A.5.7 | Threat intelligence | CM0009 CM0005 CM0052 CM0032 | PM-16 PM-16(1) RA-10 |
| A.5.8 | Information security in project management | CM0005 CM0004 CM0017 | PL-2 PL-7 PL-8 SA-3 SA-4 SA-9 SA-15 |
| A.5.9 | Inventory of information and other associated assets | CM0012 CM0005 | CM-8 |
| A.5.10 | Acceptable use of information and other associated assets | CM0005 CM0052 CM0049 CM0006 CM0071 | MP-2 MP-4 MP-5 MP-6 MP-7 PE-16 PE-18 PE-20 PL-4 SC-8 SC-28 |
| A.5.11 | Return of assets | CM0052 | PS-4 PS-5 |
| A.5.12 | Classification of information | | RA-2 |
| A.5.13 | Labelling of information | CM0005 | MP-3 PE-22 |
| A.5.14 | Information transfer | CM0050 CM0005 CM0038 CM0052 CM0002 CM0033 CM0055 CM0034 CM0049 CM0006 CM0071 | AC-4 AC-17 AC-18 AC-19 AC-20 CA-3 PE-17 SA-9 SC-7 SC-8 SC-15 |
| A.5.15 | Access control | CM0005 CM0055 CM0052 CM0039 CM0038 | AC-1 AC-3 AC-6 |
| A.5.16 | Identity management | CM0005 CM0052 CM0031 CM0033 CM0002 CM0035 | AC-2 IA-2 IA-4 IA-5 IA-8 |
| A.5.17 | Authentication information | CM0002 CM0005 CM0035 | IA-5 |
| A.5.18 | Access rights | CM0005 | AC-2 |
| A.5.19 | Information security in supplier relationships | CM0022 CM0024 CM0026 CM0027 CM0028 CM0004 CM0005 | SR-1 SR-2 |
| A.5.20 | Addressing information security within supplier agreements | CM0005 CM0022 CM0024 CM0026 CM0027 CM0028 CM0004 CM0025 | SA-4 SR-2 SR-3 SR-5 |
| A.5.21 | Managing information security in the information and communication technology (ICT) supply chain | CM0022 CM0024 CM0026 CM0027 CM0028 CM0004 CM0005 CM0025 | SR-2 SR-3 SR-4 SR-5 |
| A.5.22 | Monitoring, review and change management of supplier services | CM0022 CM0004 CM0005 CM0025 CM0001 | RA-9 SA-9 SR-6 SR-7 |
| A.5.23 | Information security for use of cloud services | CM0005 CM0024 CM0025 CM0026 CM0027 CM0028 CM0004 | SA-1 SA-4 SA-9 SA-9(3) SR-5 |
| A.5.24 | Information security incident management planning and preparation | | IR-8 |
| A.5.25 | Assessment and decision on information security events | CM0052 CM0005 CM0032 CM0044 | AU-6 IR-4 |
| A.5.26 | Response to information security events | CM0052 CM0005 CM0032 CM0044 | IR-4 |
| A.5.27 | Learning from information security incidents | CM0052 CM0005 CM0032 CM0044 | IR-4 |
| A.5.28 | Collection of evidence | CM0005 | AU-10(3) AU-11 |
| A.5.29 | Information security during disruption | CM0005 CM0029 CM0056 CM0032 CM0044 CM0072 | CP-2 CP-4 CP-6 CP-7 CP-8 CP-9 CP-10 CP-11 CP-13 |
| A.5.30 | ICT readiness for business continuity | CM0022 CM0004 CM0005 | CA-2 CP-2(1) CP-2(8) CP-4 CP-4(1) |
| A.5.31 | Legal, statutory, regulatory and contractual requirements | CM0005 CM0002 CM0033 CM0050 CM0006 CM0022 CM0024 CM0026 CM0027 CM0028 CM0004 | AC-1 AT-1 AU-1 CA-1 CM-1 CP-1 IA-1 IR-1 MP-1 PE-1 PL-1 PM-1 PS-1 RA-1 SA-1 SC-1 SC-13 SI-1 SR-1 |
| A.5.32 | Intellectual property rights | | CM-10 |
| A.5.33 | Protection of records | CM0055 CM0005 CM0032 CM0056 CM0002 CM0049 | AC-3 AU-9 CP-9 SC-8(1) SC-28(1) |
| A.5.34 | Privacy and protection of personal identifiable information (PII) | | |
| A.5.35 | Independent review of information security | | CA-2(1) |
| A.5.36 | Compliance with policies, rules and standards for information security | CM0005 CM0052 CM0022 CM0024 CM0026 CM0027 CM0028 CM0004 | AC-1 AT-1 AU-1 CA-1 CA-2 CA-7 CM-1 CP-1 IA-1 IR-1 MP-1 PE-1 PL-1 PM-1 PS-1 RA-1 SA-1 SC-1 SI-1 SR-1 |
| A.5.37 | Documented operating procedures | CM0005 CM0001 CM0008 CM0007 CM0022 CM0024 CM0026 CM0027 CM0028 CM0004 | AC-1 AT-1 AU-1 CA-1 CM-1 CP-1 IA-1 IR-1 MA-1 MP-1 PE-1 PL-1 PS-1 RA-1 SA-1 SA-5 SC-1 SI-1 SR-1 |
| A.6 | People controls | | |
| A.6.1 | Screening | CM0052 | PS-3 SA-21 |
| A.6.2 | Terms and conditions of employment | | PL-4 PS-6 |
| A.6.3 | Information security awareness, education, and training | CM0041 CM0052 CM0005 | AT-2 AT-3 CP-3 IR-2 PM-13 |
| A.6.4 | Disciplinary process | CM0052 | PS-8 |
| A.6.5 | Responsibilities after termination or change of employment | CM0052 | PS-4 PS-5 |
| A.6.6 | Confidentiality or non-disclosure agreements | | PS-6 |
| A.6.7 | Remote working | CM0005 | AC-17 PE-17 |
| A.6.8 | Information security event reporting | CM0052 CM0005 CM0004 CM0010 CM0072 | AU-6 IR-6 SI-2 |
| A.7 | Physical controls | | |
| A.7.1 | Physical security perimeters | CM0054 CM0053 | PE-3 |
| A.7.2 | Physical entry | CM0052 CM0053 CM0054 CM0071 | PE-2 PE-3 PE-4 PE-5 PE-16 |
| A.7.3 | Securing offices, rooms and facilities | CM0054 CM0053 | PE-3 PE-5 |
| A.7.4 | Physical security monitoring | CM0005 CM0054 CM0053 | AU-6(6) PE-3 PE-3(3) PE-6 PE-6(1) PE-6(4) |
| A.7.5 | Protecting against physical and environmental threats | CM0003 CM0062 CM0057 CM0058 CM0059 CM0060 CM0061 CM0063 CM0064 | CP-6 CP-7 PE-9 PE-13 PE-14 PE-15 PE-18 PE-19 PE-23 |
| A.7.6 | Working in secure areas | | |
| A.7.7 | Clear desk and clear screen | CM0005 | AC-11 MP-2 MP-4 PE-5 |
| A.7.8 | Equipment siting and protection | CM0003 CM0062 CM0057 CM0058 CM0059 CM0060 CM0061 CM0063 CM0064 | PE-9 PE-13 PE-14 PE-15 PE-18 PE-19 PE-23 |
| A.7.9 | Security of assets off-premises | CM0005 | AC-19 AC-20 MP-5 PE-17 |
| A.7.10 | Storage media | CM0005 CM0052 | MA-2 MP-2 MP-4 MP-5 MP-6 MP-7 PE-16 |
| A.7.11 | Supporting utilities | CM0005 CM0029 | CP-8 PE-9 PE-10 PE-11 PE-12 PE-14 PE-15 |
| A.7.12 | Cabling security | CM0071 | PE-4 PE-9 |
| A.7.13 | Equipment maintenance | CM0005 | MA-2 MA-6 |
| A.7.14 | Secure disposal or re-use of equipment | CM0005 | MP-6 |
| A.8 | Technological controls | | |
| A.8.1 | User end point devices | CM0005 | AC-11 AC-17 AC-18 AC-19 CP-2 |
| A.8.2 | Privileged access rights | CM0005 CM0055 CM0052 CM0039 CM0038 CM0023 | AC-2 AC-3 AC-6 CA-2 CM-5 |
| A.8.3 | Information access restriction | CM0055 CM0005 CM0023 | AC-3 AC-24 CM-5 |
| A.8.4 | Access to source code | CM0055 CM0005 CM0001 CM0008 CM0052 CM0049 CM0004 CM0007 CM0035 CM0023 | AC-3 AC-3(11) CM-5 |
| A.8.5 | Secure authentication | CM0005 | AC-7 AC-8 AC-9 IA-6 |
| A.8.6 | Capacity management | CM0005 CM0032 | AU-4 CP-2(2) SC-5(2) |
| A.8.7 | Protection against malware | CM0041 CM0052 CM0027 CM0011 CM0018 CM0005 CM0032 | AT-2 SI-3 |
| A.8.8 | Management of technical vulnerabilities | CM0008 CM0004 CM0011 CM0013 CM0016 CM0019 CM0005 CM0010 CM0072 | RA-3 RA-5 SI-2 |
| A.8.9 | Configuration management | CM0005 CM0072 CM0004 CM0010 CM0023 CM0012 | CM-1 CM-2 CM-2(3) CM-3 CM-3(7) CM-3(8) CM-4 CM-5 CM-6 CM-8 CM-9 CM-9(1) SA-10 |
| A.8.10 | Information deletion | CM0001 CM0040 CM0005 | AC-4(25) AC-7(2) MA-2 MA-3(3) MA-4(3) MP-4 MP-6 MP-6(1) SI-21 |
| A.8.11 | Data masking | CM0001 CM0040 CM0050 CM0005 CM0002 | AC-4(23) SI-19(4) |
| A.8.12 | Data leakage prevention | CM0052 CM0053 CM0003 CM0062 CM0057 CM0058 CM0059 CM0060 CM0061 CM0063 CM0064 CM0002 CM0005 CM0032 | AU-13 PE-3(2) PE-19 SC-7(10) SI-20 |
| A.8.13 | Information backup | CM0005 CM0056 | CP-9 |
| A.8.14 | Redundancy of information processing facilities | | CP-6 CP-7 |
| A.8.15 | Logging | CM0005 CM0032 CM0052 | AU-2 AU-3 AU-6 AU-9 AU-11 AU-12 AU-14 |
| A.8.16 | Monitoring activities | CM0055 CM0005 CM0002 CM0034 CM0052 CM0033 CM0032 CM0066 CM0067 CM0068 | AC-2(12) AC-17(1) AU-13 IR-4(13) MA-4(1) PE-6 PE-6(3) SC-7 SI-4 SI-4(4) SI-4(13) SI-4(16) |
| A.8.17 | Clock synchronization | CM0005 CM0032 | AU-8 |
| A.8.18 | Use of privileged utility programs | CM0055 CM0005 CM0052 CM0039 CM0038 | AC-3 AC-6 |
| A.8.19 | Installation of software on operational systems | CM0023 CM0039 CM0047 CM0005 CM0010 CM0069 | CM-5 CM-7 CM-7(4) CM-7(5) CM-11 |
| A.8.20 | Networks security | CM0055 CM0005 CM0052 CM0002 CM0033 CM0034 CM0049 CM0006 CM0071 CM0036 | AC-3 AC-18 AC-20 SC-7 SC-8 SC-10 |
| A.8.21 | Security of network services | CM0005 | CA-3 SA-9 |
| A.8.22 | Segregation of networks | CM0050 CM0005 CM0038 CM0052 CM0002 CM0033 CM0055 CM0034 | AC-4 SC-7 |
| A.8.23 | Web filtering | CM0050 CM0005 CM0038 CM0052 CM0002 CM0033 CM0055 CM0034 | AC-4 SC-7 SC-7(8) |
| A.8.24 | Use of cryptography | CM0002 CM0030 CM0005 CM0033 CM0050 CM0006 | SC-12 SC-13 SC-17 |
| A.8.25 | Secure development life cycle | CM0004 CM0005 CM0017 | SA-3 SA-15 SA-17 |
| A.8.26 | Application security requirements | CM0052 CM0002 CM0033 CM0055 CM0005 CM0034 CM0049 CM0006 CM0071 CM0050 | SC-7 SC-8 SC-13 |
| A.8.27 | Secure system architecture and engineering principles | CM0005 | SA-8 SA-17 |
| A.8.28 | Secure coding | CM0004 CM0005 CM0023 CM0016 CM0019 | SA-4(3) SA-8 SA-10 SA-11(1) SA-15(5) |
| A.8.29 | Security testing in development and acceptance | CM0005 CM0004 CM0024 CM0025 CM0026 CM0027 CM0028 | SA-4 SA-11 SR-5(2) |
| A.8.30 | Outsourced development | CM0005 CM0004 CM0023 CM0022 CM0024 CM0026 CM0027 CM0028 CM0025 | SA-4 SA-10 SA-11 SR-2 SR-4 |
| A.8.31 | Separation of development, test and production environments | CM0004 CM0010 CM0023 CM0005 | CM-4(1) CM-5 SA-3 |
| A.8.32 | Change management | CM0005 CM0072 CM0004 CM0023 CM0010 | CM-3 SA-10 SI-2 |
| A.8.33 | Test information | CM0001 CM0004 CM0005 | SA-3(2) |
| A.8.34 | Protection of information systems during audit testing | | |