ISO 27001 Requirements

ISO/IEC 27001 is the international standard for information security management. It specifies the requirements for establishing, implementing, maintaining, and continually improving an information security management system (ISMS). Many organizations worldwide use ISO 27001 certification to demonstrate that their ISMS meets the standard and that they follow recognized security practices; note that certification attests to the management system, not to the technical security of any individual system. In some cases the ISMS scope extends beyond terrestrial elements to cover elements of the space segment as well. To bridge the gap between SPARTA countermeasures and ISO 27001, a mapping has been produced. The mapping is transitive: each SPARTA countermeasure is already mapped to NIST SP 800-53 Rev. 5 controls, and NIST publishes a mapping between SP 800-53 Rev. 5 and ISO/IEC 27001, so a countermeasure is associated with an ISO 27001 clause whenever it maps to a NIST control that NIST maps to that clause. According to NIST, "the mapping of SP 800-53 Revision 5 controls to ISO/IEC 27001:2022 requirements and controls reflects whether the implementation of a security control from Special Publication 800-53 satisfies the intent of the mapped security requirement or control from ISO/IEC 27001 and conversely, whether the implementation of a security requirement or security control from ISO/IEC 27001 satisfies the intent of the mapped control from Special Publication 800-53." Because the NIST-to-ISO mapping is used as provided, and because it was built without the space system context in mind, there may be gaps or mistakes in the resulting SPARTA-to-ISO associations; treat the table as a starting point for analysis rather than as evidence of compliance. Improvements will be made in future releases of SPARTA, driven by community feedback. The table below covers the ISMS requirements in ISO/IEC 27001 clauses 4 through 10.

The intent of mapping SPARTA countermeasures to standards such as NIST SP 800-53 and ISO 27001 is to give SPARTA users additional perspective on the underlying security principle, and to show how each SPARTA countermeasure aligns with the compliance, regulatory, and best-practice requirements published by those standards bodies.

ID | Name | SPARTA Countermeasures | NIST SP 800-53 Rev. 5
4 | Context of the Organization | |
4.1 | Understanding the organization and its context | CM0088 | PM-1
4.2 | Understanding the needs and expectations of interested parties | CM0088 | PM-1
4.3 | Determining the scope of the information security management system | CM0088 | PM-1 PM-9 PM-28
4.4 | Information security management system | CM0088 CM0022 CM0024 CM0025 CM0026 CM0027 CM0028 CM0004 CM0005 | PM-1 PM-9 PM-30 PM-31
5 | Leadership | |
5.1 | Leadership and commitment | | PM-2 PM-3 PM-29
5.2 | Policy | CM0088 CM0005 CM0022 CM0024 CM0026 CM0027 CM0028 CM0004 | AC-1 AT-1 AU-1 CA-1 CM-1 CP-1 IA-1 IR-1 MA-1 MP-1 PE-1 PL-1 PM-1 PS-1 RA-1 SA-1 SC-1 SI-1 SR-1
5.3 | Organizational roles, responsibilities, and authorities | CM0088 CM0005 CM0022 CM0024 CM0026 CM0027 CM0028 CM0004 | AC-1 AT-1 AU-1 CA-1 CM-1 CP-1 IA-1 IR-1 MA-1 MP-1 PE-1 PL-1 PM-1 PM-2 PM-6 PM-29 PS-1 RA-1 SA-1 SC-1 SI-1 SR-1
6 | Planning | |
6.1 | Actions to address risks and opportunities | |
6.1.1 | General | CM0088 | PM-1 PM-4 PM-6 PM-9
6.1.2 | Information security risk assessment | CM0009 CM0020 CM0022 CM0011 CM0018 CM0019 | PM-9 PM-28 RA-3
6.1.3 | Information security risk treatment | CM0011 CM0018 CM0019 CM0005 | RA-7
6.2 | Information security objectives and planning to achieve them | CM0088 CM0022 CM0024 CM0025 CM0026 CM0027 CM0028 CM0004 CM0005 | PM-1 PM-3 PM-4 PM-6 PM-9 PM-28 PM-30 PM-31
7 | Support | |
7.1 | Resources | | PM-3
7.2 | Competence | | PM-13
7.3 | Awareness | CM0041 CM0052 | AT-2 PS-8
7.4 | Communication | CM0088 CM0005 | PM-1 PM-15 PM-28 PM-31
7.5 | Documented information | |
7.5.1 | General | CM0088 CM0005 CM0020 CM0022 CM0041 CM0052 CM0054 CM0074 CM0075 CM0076 CM0079 CM0081 CM0087 CM0070 CM0006 CM0042 CM0044 CM0043 CM0045 CM0048 CM0024 CM0025 CM0026 CM0027 CM0028 CM0004 CM0001 CM0008 CM0007 | AC-1 AT-1 AU-1 CA-1 CM-1 CP-1 CP-2 IA-1 IR-1 IR-8 MA-1 MP-1 PE-1 PL-1 PL-2 PM-1 PM-4 PM-9 PM-28 PM-30 PM-31 PS-1 RA-1 SA-1 SA-5 SC-1 SI-1 SR-1
7.5.2 | Creating and updating | CM0088 CM0005 CM0020 CM0022 CM0041 CM0052 CM0054 CM0074 CM0075 CM0076 CM0079 CM0081 CM0087 CM0070 CM0006 CM0042 CM0044 CM0043 CM0045 CM0048 CM0024 CM0025 CM0026 CM0027 CM0028 CM0004 CM0001 CM0008 CM0007 | AC-1 AT-1 AU-1 CA-1 CM-1 CP-1 CP-2 IA-1 IR-1 IR-8 MA-1 MP-1 PE-1 PL-1 PL-2 PM-1 PM-4 PM-9 PM-28 PM-30 PM-31 PS-1 RA-1 SA-1 SA-5 SC-1 SI-1 SR-1
7.5.3 | Control of documented information | CM0088 CM0005 CM0020 CM0022 CM0041 CM0052 CM0054 CM0074 CM0075 CM0076 CM0079 CM0081 CM0087 CM0070 CM0006 CM0042 CM0044 CM0043 CM0045 CM0048 CM0024 CM0025 CM0026 CM0027 CM0028 CM0004 CM0001 CM0008 CM0007 | AC-1 AT-1 AU-1 CA-1 CM-1 CP-1 CP-2 IA-1 IR-1 IR-8 MA-1 MP-1 PE-1 PL-1 PL-2 PM-1 PM-4 PM-9 PM-28 PM-30 PM-31 PS-1 RA-1 SA-1 SA-5 SC-1 SI-1 SR-1
8 | Operation | |
8.1 | Operation planning and control | CM0005 CM0072 CM0022 CM0088 | CM-3 PL-7 PM-1 SA-1 SA-4
8.2 | Information security risk assessment | CM0009 CM0020 CM0022 CM0011 CM0018 CM0019 | RA-3
8.3 | Information security risk treatment | CM0089 CM0011 CM0018 CM0019 CM0005 | CA-5 PM-4 RA-7
9 | Performance evaluation | |
9.1 | Monitoring, measurement, analysis and evaluation | CM0052 CM0090 CM0005 | CA-7 PM-6 PM-31
9.2 | Internal audit | |
9.2.1 | General | CM0089 | CA-2
9.2.2 | Internal audit programme | CM0088 CM0089 CM0090 CM0005 | CA-1 CA-2 CA-2(1) CA-7(1) PM-31
9.3 | Management review | |
9.3.1 | General | CM0088 CM0089 | CA-1 CA-6 PM-1 PM-29
9.3.2 | Management review inputs | CM0052 CM0090 CM0005 CM0009 CM0020 CM0022 CM0011 CM0018 CM0019 | CA-7 CA-7(3) CA-7(4) PM-4 RA-3
9.3.3 | Management review results | CM0089 CM0052 CM0090 CM0005 CM0072 | CA-5 CA-6 CA-7 CM-3
10 | Improvement | |
10.1 | Continual improvement | CM0088 CM0005 | PM-1 PM-9 PM-31
10.2 | Nonconformity and corrective action | CM0089 CM0022 CM0024 CM0025 CM0026 CM0027 CM0028 CM0004 CM0005 CM0011 CM0018 CM0019 | CA-5 PL-2 PM-4 PM-30 PM-31 RA-7