With sites in a variety of different countries, the European Space Agency (ESA) is Europe’s gateway to the galaxy. With vast amounts of sensitive information and confidential data, ESA decided to work with NQA to become certified to ISO 27001 to
help ensure its most important assets are safe.
European Space Agency Case Study - ISO 27001 (Information Security)
KEEPING THE EUROPEAN SPACE AGENCY IN ORBIT
“We are extremely proud of our ISO 27001 certification and it has already proven to be highly beneficial to us.”
“ISO 27001 means that our ISMS is regularly assessed by independent auditors and it meets the highest international standards.”
Contact us
NQA, Warwick House, Houghton Hall Park, Houghton Regis, Dunstable, LU5 5ZX, United Kingdom
08000 522424 info@nqa.com www.nqa.com/isms
ISO 27001 certification through NQA means that ESA has
achieved its objective of having a robust, clearly defined and
continually improving information security management system
(ISMS).
The European Space Agency (ESA) is an international
organisation with 20 member states. Its mission is to shape
the development of the continent’s space capability and
ensure that investment continues to deliver benefits. By
coordinating the financial and intellectual resources of its
members, it undertakes programmes and activities far
beyond the scope of any single European country; the utmost
discretion over its information is therefore required.
Space race
2014 is a milestone year for Europe as it looks back with
pride on 50 years of space cooperation. With over 2,000
employees and an annual budget of over €4bn, ESA’s job
is to draw up the European space programme and carry
it through. Its programmes are designed to find out more
about Earth, its immediate space environment, our solar
system and the universe, as well as to develop satellite-
based technologies and promote European industries.
The latest instalment of ESA’s story is the launch of
Sentinel-1A, a mission that will scan land and oceans using
advanced radar technology to deliver imagery. Part of
Europe’s Copernicus programme, Sentinel-1A was put into
orbit by a Soyuz launch vehicle from Europe’s Spaceport in
Kourou, French Guiana.
Confidentiality and Integrity
ESA already had a mechanism in place to ensure the
security of its data, minimise risk and protect stakeholder
information via its information security management system
(ISMS). In 2009 it decided to formalise this into its overall
Mission Operations Infrastructure (MOI) and in 2011 opted
to work towards ISO 27001 Certification.
ISO 27001 is the international standard for ISMS and with
over 15,000 certificates issued in 117 countries it provides a
framework that ensures only authorised users have access
to information, whilst maintaining its confidentiality and
integrity as well as legal compliance. It helps to protect
against potential security threats including vandalism,
terrorism, fire, misuse, theft and cyber-attack.
After a successful external audit, conducted in April 2013,
ESA’s MOI achieved its goal. Alfio Mantineo, head of the
Directorate of Human Spaceflight and Operations’ (HSO)
Quality & Safety Office at ESA, says, ‘The MOI covers
our entire infrastructure including the operational ground
facilities at ESA’s Space Operations Centre (ESOC) in
Darmstadt, Germany, and our European Space Tracking
(ESTRACK) ground stations in Cebreros and Villafranca
in Spain, where the audit was conducted by NQA. It also
covers the ground data systems for mission and ground
station control, navigation, flight dynamics and test facilities,
as well as the supporting IT and communication systems.’
Systematic approach
ESA has worked closely with NQA since 1999, when it
became certified to ISO 9001, and the two organisations
enjoy a highly productive working relationship.
Asked why ISO 27001 was considered the most suitable
standard for its needs, Mantineo replies, ‘We wanted a more
systematic approach to our ISMS activities. NQA made it
clear that certification would allow us to demonstrate full
compliance with the ESA Security Directives and show
to member states, international partners and industry our
on-going commitment to information security and data
protection.’
ESA’s ISMS is continually modified and improved to remain
fit for purpose. This process of continual improvement is
based upon the Plan, Do, Check, Act structure pioneered
by W Edwards Deming in the 1950s. It is used to ensure that
the hazards and risks associated with ESA’s activities are
systematically identified, assessed, controlled, monitored
and continuously improved.
Stakeholder support
Mantineo’s objective of having a more systematic approach
has been realised and refining the ISMS has simplified the
definition of the organisation’s entire activity structure and
how it is implemented.
He states, ‘It allows us to ensure close coordination and
cooperation across our entire operation and has contributed
to the effectiveness of our business continuity management
system (BCMS) by linking it with ISMS documented
procedures. Our internal stakeholders have also embraced
it and we have conducted a number of campaigns to make
them aware of the importance of what we’re doing in this
area.’
Mission accomplished
ESA has a rigorous, dynamic and continually evolving
approach to information security management, and
Mantineo concludes, ‘Working with the NQA team is a
real pleasure and they have been incredibly supportive
throughout the whole process. We knew that they would
challenge us but that, ultimately, it would help us get to
where we wanted to be. We are extremely proud of our ISO
27001 certification and it has already proven to be highly
beneficial to us.’
CS/ESA/01/SEPT2014