Details of the ISO 27001:2013 Regulatory Compliance built-in initiative
Article 11/04/2024
In this article
Cryptography
Physical And Environmental Security
Operations Security
Communications Security
System Acquisition, Development And Maintenance
Supplier Relationships
Information Security Incident Management
Information Security Aspects Of Business Continuity Management
Compliance
Information Security Policies
Organization of Information Security
Human Resources Security
Asset Management
Access Control
Improvement
Context of the organization
Leadership
Planning
Support
Operation
Performance Evaluation
Next steps
The following article details how the Azure Policy Regulatory Compliance built-in initiative
definition maps to compliance domains and controls in ISO 27001:2013.
For more information about this compliance standard, see
ISO 27001:2013. To understand
Ownership, review the policy type and
Shared responsibility in the cloud.
The following mappings are to the ISO 27001:2013 controls. Many of the controls
are implemented with an Azure Policy initiative definition. To review the complete
initiative definition, open Policy in the Azure portal and select the Definitions page.
Then, find and select the ISO 27001:2013 Regulatory Compliance built-in
initiative definition.
Important
Each control below is associated with one or more Azure Policy definitions.
These policies may help you assess compliance with the
control; however, there often is not a one-to-one or complete match between a control and one or
more policies. As such, Compliant in Azure Policy refers only to the policy definitions
themselves; this doesn't ensure you're fully compliant with all requirements of a control. In
addition, the compliance standard includes controls that aren't addressed by any Azure Policy
definitions at this time. Therefore, compliance in Azure Policy is only a partial view of your
overall compliance status. The associations between compliance domains, controls, and Azure Policy
definitions for this compliance standard may change over time. To view the change history, see the
GitHub Commit History.
Cryptography
Policy on the use of cryptographic controls
ID: ISO 27001:2013 A.10.1.1
Ownership: Shared
Name (Azure portal)
Description
Effect(s)
Version (GitHub)
Add system-assigned managed identity to enable Guest Configuration assignments on virtual machines with no identities
This policy adds a system-assigned managed identity to virtual machines hosted in Azure that are supported by Guest Configuration but do not have any managed identities. A system-assigned managed identity is a prerequisite for all Guest Configuration assignments and must be added to machines before using any Guest Configuration policy definitions. For more information on Guest Configuration, visit https://aka.ms/gcpol.
modify
4.1.0
Add system-assigned managed identity to enable Guest Configuration assignments on VMs with a user-assigned identity
This policy adds a system-assigned managed identity to virtual machines hosted in Azure that are supported by Guest Configuration and have at least one user-assigned identity but do not have a system-assigned managed identity. A system-assigned managed identity is a prerequisite for all Guest Configuration assignments and must be added to machines before using any Guest Configuration policy definitions. For more information on Guest Configuration, visit https://aka.ms/gcpol.
modify
4.1.0
App Service apps should only be accessible over HTTPS
Use of HTTPS ensures server/service authentication and protects data in transit from network layer eavesdropping attacks.
Audit, Disabled, Deny
4.0.0
Audit Windows machines that do not store passwords using reversible encryption
Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if they store passwords using reversible encryption.
AuditIfNotExists, Disabled
2.0.0
Automation account variables should be encrypted
It is important to enable encryption of Automation account variable assets when storing sensitive data.
Audit, Deny, Disabled
1.1.0
Define cryptographic use
CMA_0120 - Define cryptographic use
Manual, Disabled
1.1.0
Deploy the Windows Guest Configuration extension to enable Guest Configuration assignments on Windows VMs
This policy deploys the Windows Guest Configuration extension to Windows virtual machines hosted in Azure that are supported by Guest Configuration. The Windows Guest Configuration extension is a prerequisite for all Windows Guest Configuration assignments and must be deployed to machines before using any Windows Guest Configuration policy definition. For more information on Guest Configuration, visit https://aka.ms/gcpol.
deployIfNotExists
1.2.0
Document and distribute a privacy policy
CMA_0188 - Document and distribute a privacy policy
Manual, Disabled
1.1.0
Function apps should only be accessible over HTTPS
Use of HTTPS ensures server/service authentication and protects data in transit from network layer eavesdropping attacks.
Audit, Disabled, Deny
5.0.0
Implement privacy notice delivery methods
CMA_0324 - Implement privacy notice delivery methods
Manual, Disabled
1.1.0
Only secure connections to your Azure Cache for Redis should be enabled
Audit enabling of only connections via SSL to Azure Cache for Redis. Use of secure connections ensures authentication between the server and the service and protects data in transit from network layer attacks such as man-in-the-middle, eavesdropping, and session-hijacking.
Audit, Deny, Disabled
1.0.0
Provide privacy notice
CMA_0414 - Provide privacy notice
Manual, Disabled
1.1.0
Restrict communications
CMA_0449 - Restrict communications
Manual, Disabled
1.1.0
Review and update system and communications protection policies and procedures
CMA_C1616 - Review and update system and communications protection policies and procedures
Manual, Disabled
1.1.0
Secure transfer to storage accounts should be enabled
Audit requirement of Secure transfer in your storage account. Secure transfer is an option that forces your storage account to accept requests only from secure connections (HTTPS). Use of HTTPS ensures authentication between the server and the service and protects data in transit from network layer attacks such as man-in-the-middle, eavesdropping, and session-hijacking.
Audit, Deny, Disabled
2.0.0
Service Fabric clusters should have the ClusterProtectionLevel property set to EncryptAndSign
Service Fabric provides three levels of protection (None, Sign and EncryptAndSign) for node-to-node communication using a primary cluster certificate. Set the protection level to ensure that all node-to-node messages are encrypted and digitally signed.
Audit, Deny, Disabled
1.1.0
Transparent Data Encryption on SQL databases should be enabled
Transparent data encryption should be enabled to protect data-at-rest and meet compliance requirements.
AuditIfNotExists, Disabled
2.0.0
Key management
ID: ISO 27001:2013 A.10.1.2
Ownership: Shared
Name (Azure portal)
Description
Effect(s)
Version (GitHub)
Define a physical key management process
CMA_0115 - Define a physical key management process
Manual, Disabled
1.1.0
Define cryptographic use
CMA_0120 - Define cryptographic use
Manual, Disabled
1.1.0
Define organizational requirements for cryptographic key management
CMA_0123 - Define organizational requirements for cryptographic key management
Manual, Disabled
1.1.0
Determine assertion requirements
CMA_0136 - Determine assertion requirements
Manual, Disabled
1.1.0
Document security strength requirements in acquisition contracts
CMA_0203 - Document security strength requirements in acquisition contracts
Manual, Disabled
1.1.0
Establish a password policy
CMA_0256 - Establish a password policy
Manual, Disabled
1.1.0
Identify actions allowed without authentication
CMA_0295 - Identify actions allowed without authentication
Manual, Disabled
1.1.0
Identify and authenticate non-organizational users
CMA_C1346 - Identify and authenticate non-organizational users
Manual, Disabled
1.1.0
Implement parameters for memorized secret verifiers
CMA_0321 - Implement parameters for memorized secret verifiers
Manual, Disabled
1.1.0
Issue public key certificates
CMA_0347 - Issue public key certificates
Manual, Disabled
1.1.0
Manage symmetric cryptographic keys
CMA_0367 - Manage symmetric cryptographic keys
Manual, Disabled
1.1.0
Protect passwords with encryption
CMA_0408 - Protect passwords with encryption
Manual, Disabled
1.1.0
Restrict access to private keys
CMA_0445 - Restrict access to private keys
Manual, Disabled
1.1.0
Review and update system and communications protection policies and procedures
CMA_C1616 - Review and update system and communications protection policies and procedures
Manual, Disabled
1.1.0
Terminate customer controlled account credentials
CMA_C1022 - Terminate customer controlled account credentials
Manual, Disabled
1.1.0
Physical And Environmental Security
Physical security perimeter
ID: ISO 27001:2013 A.11.1.1
Ownership: Shared
Name (Azure portal)
Description
Effect(s)
Version (GitHub)
Adopt biometric authentication mechanisms
CMA_0005 - Adopt biometric authentication mechanisms
Manual, Disabled
1.1.0
Control physical access
CMA_0081 - Control physical access
Manual, Disabled
1.1.0
Define a physical key management process
CMA_0115 - Define a physical key management process
Manual, Disabled
1.1.0
Establish and maintain an asset inventory
CMA_0266 - Establish and maintain an asset inventory
Manual, Disabled
1.1.0
Implement physical security for offices, working areas, and secure areas
CMA_0323 - Implement physical security for offices, working areas, and secure areas
Manual, Disabled
1.1.0
Install an alarm system
CMA_0338 - Install an alarm system
Manual, Disabled
1.1.0
Manage a secure surveillance camera system
CMA_0354 - Manage a secure surveillance camera system
Manual, Disabled
1.1.0
Review and update physical and environmental policies and procedures
CMA_C1446 - Review and update physical and environmental policies and procedures
Manual, Disabled
1.1.0
Physical entry controls
ID: ISO 27001:2013 A.11.1.2
Ownership: Shared
Name (Azure portal)
Description
Effect(s)
Version (GitHub)
Adopt biometric authentication mechanisms
CMA_0005 - Adopt biometric authentication mechanisms
Manual, Disabled
1.1.0
Control physical access
CMA_0081 - Control physical access
Manual, Disabled
1.1.0
Define a physical key management process
CMA_0115 - Define a physical key management process
Manual, Disabled
1.1.0
Designate personnel to supervise unauthorized maintenance activities
CMA_C1422 - Designate personnel to supervise unauthorized maintenance activities
Manual, Disabled
1.1.0
Establish and maintain an asset inventory
CMA_0266 - Establish and maintain an asset inventory
Manual, Disabled
1.1.0
Implement physical security for offices, working areas, and secure areas
CMA_0323 - Implement physical security for offices, working areas, and secure areas
Manual, Disabled
1.1.0
Maintain list of authorized remote maintenance personnel
CMA_C1420 - Maintain list of authorized remote maintenance personnel
Manual, Disabled
1.1.0
Manage maintenance personnel
CMA_C1421 - Manage maintenance personnel
Manual, Disabled
1.1.0
Manage the input, output, processing, and storage of data
CMA_0369 - Manage the input, output, processing, and storage of data
Manual, Disabled
1.1.0
Securing offices, rooms and facilities
ID: ISO 27001:2013 A.11.1.3
Ownership: Shared
Protecting against external and environmental threats
ID: ISO 27001:2013 A.11.1.4
Ownership: Shared
Name (Azure portal)
Description
Effect(s)
Version (GitHub)
Create separate alternate and primary storage sites
CMA_C1269 - Create separate alternate and primary storage sites
Manual, Disabled
1.1.0
Ensure alternate storage site safeguards are equivalent to primary site
CMA_C1268 - Ensure alternate storage site safeguards are equivalent to primary site
Manual, Disabled
1.1.0
Ensure information system fails in known state
CMA_C1662 - Ensure information system fails in known state
Manual, Disabled
1.1.0
Establish alternate storage site to store and retrieve backup information
CMA_C1267 - Establish alternate storage site to store and retrieve backup information
Manual, Disabled
1.1.0
Establish an alternate processing site
CMA_0262 - Establish an alternate processing site
Manual, Disabled
1.1.0
Identify and mitigate potential issues at alternate storage site
CMA_C1271 - Identify and mitigate potential issues at alternate storage site
Manual, Disabled
1.1.0
Implement physical security for offices, working areas, and secure areas
CMA_0323 - Implement physical security for offices, working areas, and secure areas
Manual, Disabled
1.1.0
Install an alarm system
CMA_0338 - Install an alarm system
Manual, Disabled
1.1.0
Plan for continuance of essential business functions
CMA_C1255 - Plan for continuance of essential business functions
Manual, Disabled
1.1.0
Working in secure areas
ID: ISO 27001:2013 A.11.1.5
Ownership: Shared
Delivery and loading areas
ID: ISO 27001:2013 A.11.1.6
Ownership: Shared
Equipment siting and protection
ID: ISO 27001:2013 A.11.2.1
Ownership: Shared
Supporting utilities
ID: ISO 27001:2013 A.11.2.2
Ownership: Shared
Cabling security
ID: ISO 27001:2013 A.11.2.3
Ownership: Shared
Name (Azure portal)
Description
Effect(s)
Version (GitHub)
Adopt biometric authentication mechanisms
CMA_0005 - Adopt biometric authentication mechanisms
Manual, Disabled
1.1.0
Control physical access
CMA_0081 - Control physical access
Manual, Disabled
1.1.0
Implement physical security for offices, working areas, and secure areas
CMA_0323 - Implement physical security for offices, working areas, and secure areas
Manual, Disabled
1.1.0
Manage the input, output, processing, and storage of data
CMA_0369 - Manage the input, output, processing, and storage of data
Manual, Disabled
1.1.0
Equipment maintenance
ID: ISO 27001:2013 A.11.2.4
Ownership: Shared
Removal of assets
ID: ISO 27001:2013 A.11.2.5
Ownership: Shared
Security of equipment and assets off-premises
ID: ISO 27001:2013 A.11.2.6
Ownership: Shared
Name (Azure portal)
Description
Effect(s)
Version (GitHub)
Define mobile device requirements
CMA_0122 - Define mobile device requirements
Manual, Disabled
1.1.0
Ensure security safeguards not needed when the individuals return
CMA_C1183 - Ensure security safeguards not needed when the individuals return
Manual, Disabled
1.1.0
Establish terms and conditions for accessing resources
CMA_C1076 - Establish terms and conditions for accessing resources
Manual, Disabled
1.1.0
Establish terms and conditions for processing resources
CMA_C1077 - Establish terms and conditions for processing resources
Manual, Disabled
1.1.0
Implement controls to secure all media
CMA_0314 - Implement controls to secure all media
Manual, Disabled
1.1.0
Implement controls to secure alternate work sites
CMA_0315 - Implement controls to secure alternate work sites
Manual, Disabled
1.1.0
Manage the transportation of assets
CMA_0370 - Manage the transportation of assets
Manual, Disabled
1.1.0
Not allow for information systems to accompany with individuals
CMA_C1182 - Not allow for information systems to accompany with individuals
Manual, Disabled
1.1.0
Protect data in transit using encryption
CMA_0403 - Protect data in transit using encryption
Manual, Disabled
1.1.0
Verify security controls for external information systems
CMA_0541 - Verify security controls for external information systems
Manual, Disabled
1.1.0
Secure disposal or re-use of equipment
ID: ISO 27001:2013 A.11.2.7
Ownership: Shared
Unattended user equipment
ID: ISO 27001:2013 A.11.2.8
Ownership: Shared
Clear desk and clear screen policy
ID: ISO 27001:2013 A.11.2.9
Ownership: Shared
Operations Security
Documented operating procedures
ID: ISO 27001:2013 A.12.1.1
Ownership: Shared
Name (Azure portal)
Description
Effect(s)
Version (GitHub)
Develop access control policies and procedures
CMA_0144 - Develop access control policies and procedures
Manual, Disabled
1.1.0
Develop and establish a system security plan
CMA_0151 - Develop and establish a system security plan
Manual, Disabled
1.1.0
Develop audit and accountability policies and procedures
CMA_0154 - Develop audit and accountability policies and procedures
Manual, Disabled
1.1.0
Develop information security policies and procedures
CMA_0158 - Develop information security policies and procedures
Manual, Disabled
1.1.0
Distribute information system documentation
CMA_C1584 - Distribute information system documentation
Manual, Disabled
1.1.0
Document customer-defined actions
CMA_C1582 - Document customer-defined actions
Manual, Disabled
1.1.0
Document security and privacy training activities
CMA_0198 - Document security and privacy training activities
Manual, Disabled
1.1.0
Enforce mandatory and discretionary access control policies
CMA_0246 - Enforce mandatory and discretionary access control policies
Manual, Disabled
1.1.0
Establish security requirements for the manufacturing of connected devices
CMA_0279 - Establish security requirements for the manufacturing of connected devices
Manual, Disabled
1.1.0
Govern policies and procedures
CMA_0292 - Govern policies and procedures
Manual, Disabled
1.1.0
Implement security engineering principles of information systems
CMA_0325 - Implement security engineering principles of information systems
Manual, Disabled
1.1.0
Obtain Admin documentation
CMA_C1580 - Obtain Admin documentation
Manual, Disabled
1.1.0
Obtain user security function documentation
CMA_C1581 - Obtain user security function documentation
Manual, Disabled
1.1.0
Protect administrator and user documentation
CMA_C1583 - Protect administrator and user documentation
Manual, Disabled
1.1.0
Provide privacy training
CMA_0415 - Provide privacy training
Manual, Disabled
1.1.0
Review access control policies and procedures
CMA_0457 - Review access control policies and procedures
Manual, Disabled
1.1.0
Review and update configuration management policies and procedures
CMA_C1175 - Review and update configuration management policies and procedures
Manual, Disabled
1.1.0
Review and update contingency planning policies and procedures
CMA_C1243 - Review and update contingency planning policies and procedures
Manual, Disabled
1.1.0
Review and update identification and authentication policies and procedures
CMA_C1299 - Review and update identification and authentication policies and procedures
Manual, Disabled
1.1.0
Review and update incident response policies and procedures
CMA_C1352 - Review and update incident response policies and procedures
Manual, Disabled
1.1.0
Review and update information integrity policies and procedures
CMA_C1667 - Review and update information integrity policies and procedures
Manual, Disabled
1.1.0
Review and update media protection policies and procedures
CMA_C1427 - Review and update media protection policies and procedures
Manual, Disabled
1.1.0
Review and update personnel security policies and procedures
CMA_C1507 - Review and update personnel security policies and procedures
Manual, Disabled
1.1.0
Review and update physical and environmental policies and procedures
CMA_C1446 - Review and update physical and environmental policies and procedures
Manual, Disabled
1.1.0
Review and update planning policies and procedures
CMA_C1491 - Review and update planning policies and procedures
Manual, Disabled
1.1.0
Review and update risk assessment policies and procedures
CMA_C1537 - Review and update risk assessment policies and procedures
Manual, Disabled
1.1.0
Review and update system and communications protection policies and procedures
CMA_C1616 - Review and update system and communications protection policies and procedures
Manual, Disabled
1.1.0
Review and update system and services acquisition policies and procedures
CMA_C1560 - Review and update system and services acquisition policies and procedures
Manual, Disabled
1.1.0
Review and update system maintenance policies and procedures
CMA_C1395 - Review and update system maintenance policies and procedures
Manual, Disabled
1.1.0
Review security assessment and authorization policies and procedures
CMA_C1143 - Review security assessment and authorization policies and procedures
Manual, Disabled
1.1.0
Update information security policies
CMA_0518 - Update information security policies
Manual, Disabled
1.1.0
Change management
ID: ISO 27001:2013 A.12.1.2
Ownership: Shared
Name (Azure portal)
Description
Effect(s)
Version (GitHub)
Address coding vulnerabilities
CMA_0003 - Address coding vulnerabilities
Manual, Disabled
1.1.0
Automate approval request for proposed changes
CMA_C1192 - Automate approval request for proposed changes
Manual, Disabled
1.1.0
Automate implementation of approved change notifications
CMA_C1196 - Automate implementation of approved change notifications
Manual, Disabled
1.1.0
Automate process to document implemented changes
CMA_C1195 - Automate process to document implemented changes
Manual, Disabled
1.1.0
Automate process to highlight unreviewed change proposals
CMA_C1193 - Automate process to highlight unreviewed change proposals
Manual, Disabled
1.1.0
Automate process to prohibit implementation of unapproved changes
CMA_C1194 - Automate process to prohibit implementation of unapproved changes
Manual, Disabled
1.1.0
Automate proposed documented changes
CMA_C1191 - Automate proposed documented changes
Manual, Disabled
1.1.0
Conduct a security impact analysis
CMA_0057 - Conduct a security impact analysis
Manual, Disabled
1.1.0
Develop and document application security requirements
CMA_0148 - Develop and document application security requirements
Manual, Disabled
1.1.0
Develop and maintain a vulnerability management standard
CMA_0152 - Develop and maintain a vulnerability management standard
Manual, Disabled
1.1.0
Document the information system environment in acquisition contracts
CMA_0205 - Document the information system environment in acquisition contracts
Manual, Disabled
1.1.0
Enforce security configuration settings
CMA_0249 - Enforce security configuration settings
Manual, Disabled
1.1.0
Establish a risk management strategy
CMA_0258 - Establish a risk management strategy
Manual, Disabled
1.1.0
Establish a secure software development program
CMA_0259 - Establish a secure software development program
Manual, Disabled
1.1.0
Establish and document change control processes
CMA_0265 - Establish and document change control processes
Manual, Disabled
1.1.0
Establish configuration management requirements for developers
CMA_0270 - Establish configuration management requirements for developers
Manual, Disabled
1.1.0
Implement physical security for offices, working areas, and secure areas
CMA_0323 - Implement physical security for offices, working areas, and secure areas
Manual, Disabled
1.1.0
Install an alarm system
CMA_0338 - Install an alarm system
Manual, Disabled
1.1.0
Manage nonlocal maintenance and diagnostic activities
CMA_0364 - Manage nonlocal maintenance and diagnostic activities
Manual, Disabled
1.1.0
Perform a privacy impact assessment
CMA_0387 - Perform a privacy impact assessment
Manual, Disabled
1.1.0
Perform a risk assessment
CMA_0388 - Perform a risk assessment
Manual, Disabled
1.1.0
Perform audit for configuration change control
CMA_0390 - Perform audit for configuration change control
Manual, Disabled
1.1.0
Perform vulnerability scans
CMA_0393 - Perform vulnerability scans
Manual, Disabled
1.1.0
Remediate information system flaws
CMA_0427 - Remediate information system flaws
Manual, Disabled
1.1.0
Require developers to document approved changes and potential impact
CMA_C1597 - Require developers to document approved changes and potential impact
Manual, Disabled
1.1.0
Require developers to implement only approved changes
CMA_C1596 - Require developers to implement only approved changes
Manual, Disabled
1.1.0
Require developers to manage change integrity
CMA_C1595 - Require developers to manage change integrity
Manual, Disabled
1.1.0
Capacity management
ID: ISO 27001:2013 A.12.1.3
Ownership: Shared
Separation of development, testing and operational environments
ID: ISO 27001:2013 A.12.1.4
Ownership: Shared
Name (Azure portal)
Description
Effect(s)
Version (GitHub)
Conduct a security impact analysis
CMA_0057 - Conduct a security impact analysis
Manual, Disabled
1.1.0
Ensure there are no unencrypted static authenticators
CMA_C1340 - Ensure there are no unencrypted static authenticators
Manual, Disabled
1.1.0
Establish and document change control processes
CMA_0265 - Establish and document change control processes
Manual, Disabled
1.1.0
Establish configuration management requirements for developers
CMA_0270 - Establish configuration management requirements for developers
Manual, Disabled
1.1.0
Implement controls to protect PII
CMA_C1839 - Implement controls to protect PII
Manual, Disabled
1.1.0
Incorporate security and data privacy practices in research processing
CMA_0331 - Incorporate security and data privacy practices in research processing
Manual, Disabled
1.1.0
Perform a privacy impact assessment
CMA_0387 - Perform a privacy impact assessment
Manual, Disabled
1.1.0
Perform audit for configuration change control
CMA_0390 - Perform audit for configuration change control
Manual, Disabled
1.1.0
Perform vulnerability scans
CMA_0393 - Perform vulnerability scans
Manual, Disabled
1.1.0
Remediate information system flaws
CMA_0427 - Remediate information system flaws
Manual, Disabled
1.1.0
Controls against malware
ID: ISO 27001:2013 A.12.2.1
Ownership: Shared
Name (Azure portal)
Description
Effect(s)
Version (GitHub)
Block untrusted and unsigned processes that run from USB
CMA_0050 - Block untrusted and unsigned processes that run from USB
Manual, Disabled
1.1.0
Control maintenance and repair activities
CMA_0080 - Control maintenance and repair activities
Manual, Disabled
1.1.0
Manage gateways
CMA_0363 - Manage gateways
Manual, Disabled
1.1.0
Manage nonlocal maintenance and diagnostic activities
CMA_0364 - Manage nonlocal maintenance and diagnostic activities
Manual, Disabled
1.1.0
Perform a trend analysis on threats
CMA_0389 - Perform a trend analysis on threats
Manual, Disabled
1.1.0
Perform vulnerability scans
CMA_0393 - Perform vulnerability scans
Manual, Disabled
1.1.0
Provide periodic security awareness training
CMA_C1091 - Provide periodic security awareness training
Manual, Disabled
1.1.0
Provide security training for new users
CMA_0419 - Provide security training for new users
Manual, Disabled
1.1.0
Provide updated security awareness training
CMA_C1090 - Provide updated security awareness training
Manual, Disabled
1.1.0
Review malware detections report weekly
CMA_0475 - Review malware detections report weekly
Manual, Disabled
1.1.0
Review threat protection status weekly
CMA_0479 - Review threat protection status weekly
Manual, Disabled
1.1.0
Update antivirus definitions
CMA_0517 - Update antivirus definitions
Manual, Disabled
1.1.0
Information backup
ID: ISO 27001:2013 A.12.3.1
Ownership: Shared
Name (Azure portal)
Description
Effect(s)
Version (GitHub)
Adhere to retention periods defined
CMA_0004 - Adhere to retention periods defined
Manual, Disabled
1.1.0
Conduct backup of information system documentation
CMA_C1289 - Conduct backup of information system documentation
Manual, Disabled
1.1.0
Create separate alternate and primary storage sites
CMA_C1269 - Create separate alternate and primary storage sites
Manual, Disabled
1.1.0
Ensure information system fails in known state
CMA_C1662 - Ensure information system fails in known state
Manual, Disabled
1.1.0
Establish an alternate processing site
CMA_0262 - Establish an alternate processing site
Manual, Disabled
1.1.0
Establish backup policies and procedures
CMA_0268 - Establish backup policies and procedures
Manual, Disabled
1.1.0
Implement controls to secure all media
CMA_0314 - Implement controls to secure all media
Manual, Disabled
1.1.0
Implement transaction based recovery
CMA_C1296 - Implement transaction based recovery
Manual, Disabled
1.1.0
Perform disposition review
CMA_0391 - Perform disposition review
Manual, Disabled
1.1.0
Plan for continuance of essential business functions
CMA_C1255 - Plan for continuance of essential business functions
Manual, Disabled
1.1.0
Separately store backup information
CMA_C1293 - Separately store backup information
Manual, Disabled
1.1.0
Transfer backup information to an alternate storage site
CMA_C1294 - Transfer backup information to an alternate storage site
Manual, Disabled
1.1.0
Verify personal data is deleted at the end of processing
CMA_0540 - Verify personal data is deleted at the end of processing
Manual, Disabled
1.1.0
Event logging
ID: ISO 27001:2013 A.12.4.1
Ownership: Shared
Name (Azure portal)
Description
Effect(s)
Version (GitHub)
[Preview]: Log Analytics Extension should be enabled for listed virtual machine images
Reports virtual machines as non-compliant if the virtual machine image is not in the list defined and the extension is not installed.
AuditIfNotExists, Disabled
2.0.1-preview
Adhere to retention periods defined
CMA_0004 - Adhere to retention periods defined
Manual, Disabled
1.1.0
Alert personnel of information spillage
CMA_0007 - Alert personnel of information spillage
Manual, Disabled
1.1.0
Audit diagnostic setting for selected resource types
Audit diagnostic setting for selected resource types. Be sure to select only resource types which support diagnostics settings.
AuditIfNotExists
2.0.1
Audit privileged functions
CMA_0019 - Audit privileged functions
Manual, Disabled
1.1.0
Audit user account status
CMA_0020 - Audit user account status
Manual, Disabled
1.1.0
Auditing on SQL server should be enabled
Auditing on your SQL Server should be enabled to track database activities across all databases on the server and save them in an audit log.
AuditIfNotExists, Disabled
2.0.0
Authorize, monitor, and control voip
CMA_0025 - Authorize, monitor, and control voip
Manual, Disabled
1.1.0
Automate account management
CMA_0026 - Automate account management
Manual, Disabled
1.1.0
Check for privacy and security compliance before establishing internal connections
CMA_0053 - Check for privacy and security compliance before establishing internal connections
Manual, Disabled
1.1.0
Conduct a full text analysis of logged privileged commands
CMA_0056 - Conduct a full text analysis of logged privileged commands
Manual, Disabled
1.1.0
Configure Azure Audit capabilities
CMA_C1108 - Configure Azure Audit capabilities
Manual, Disabled
1.1.1
Correlate audit records
CMA_0087 - Correlate audit records
Manual, Disabled
1.1.0
Dependency agent should be enabled for listed virtual machine images
Reports virtual machines as non-compliant if the virtual machine image is not in the list defined and the agent is not installed. The list of OS images is updated over time as support is updated.
AuditIfNotExists, Disabled
2.0.0
Dependency agent should be enabled in virtual machine scale sets for listed virtual machine images
Reports virtual machine scale sets as non-compliant if the virtual machine image is not in the list defined and the agent is not installed. The list of OS images is updated over time as support is updated.
AuditIfNotExists, Disabled
2.0.0
Determine auditable events
CMA_0137 - Determine auditable events
Manual, Disabled
1.1.0
Develop an incident response plan
CMA_0145 - Develop an incident response plan
Manual, Disabled
1.1.0
Discover any indicators of compromise
CMA_C1702 - Discover any indicators of compromise
Manual, Disabled
1.1.0
Document the legal basis for processing personal information
CMA_0206 - Document the legal basis for processing personal information
Manual, Disabled
1.1.0
Enforce and audit access restrictions
CMA_C1203 - Enforce and audit access restrictions
Manual, Disabled
1.1.0
Establish requirements for audit review and reporting
CMA_0277 - Establish requirements for audit review and reporting
Manual, Disabled
1.1.0
Implement methods for consumer requests
CMA_0319 - Implement methods for consumer requests
Manual, Disabled
1.1.0
Implement system boundary protection
CMA_0328 - Implement system boundary protection
Manual, Disabled
1.1.0
Integrate audit review, analysis, and reporting
CMA_0339 - Integrate audit review, analysis, and reporting
Manual, Disabled
1.1.0
Integrate cloud app security with a siem
CMA_0340 - Integrate cloud app security with a siem
Manual, Disabled
1.1.0
Log Analytics extension should be enabled in virtual machine scale sets for listed virtual machine images
Reports virtual machine scale sets as non-compliant if the virtual machine image is not in the list defined and the extension is not installed.
AuditIfNotExists, Disabled
2.0.1
Manage gateways
CMA_0363 - Manage gateways
Manual, Disabled
1.1.0
Manage system and admin accounts
CMA_0368 - Manage system and admin accounts
Manual, Disabled
1.1.0
Monitor access across the organization
CMA_0376 - Monitor access across the organization
Manual, Disabled
1.1.0
Monitor account activity
CMA_0377 - Monitor account activity
Manual, Disabled
1.1.0
Monitor privileged role assignment
CMA_0378 - Monitor privileged role assignment
Manual, Disabled
1.1.0
Notify when account is not needed
CMA_0383 - Notify when account is not needed
Manual, Disabled
1.1.0
Obtain legal opinion for monitoring system activities
CMA_C1688 - Obtain legal opinion for monitoring system activities
Manual, Disabled
1.1.0
Perform a trend analysis on threats
CMA_0389 - Perform a trend analysis on threats
Manual, Disabled
1.1.0
Provide monitoring information as needed
CMA_C1689 - Provide monitoring information as needed
Manual, Disabled
1.1.0
Publish access procedures in SORNs
CMA_C1848 - Publish access procedures in SORNs
Manual, Disabled
1.1.0
Publish rules and regulations accessing Privacy Act records
CMA_C1847 - Publish rules and regulations accessing Privacy Act records
Manual, Disabled
1.1.0
Restrict access to privileged accounts
CMA_0446 - Restrict access to privileged accounts
Manual, Disabled
1.1.0
Retain security policies and procedures
CMA_0454 - Retain security policies and procedures
Manual, Disabled
1.1.0
Retain terminated user data
CMA_0455 - Retain terminated user data
Manual, Disabled
1.1.0
Review account provisioning logs
CMA_0460 - Review account provisioning logs
Manual, Disabled
1.1.0
Review administrator assignments weekly
CMA_0461 - Review administrator assignments weekly
Manual, Disabled
1.1.0
Review and update the events defined in AU-02
CMA_C1106 - Review and update the events defined in AU-02
Manual, Disabled
1.1.0
Review audit data
CMA_0466 - Review audit data
Manual, Disabled
1.1.0
Review changes for any unauthorized changes
CMA_C1204 - Review changes for any unauthorized changes
Manual, Disabled
1.1.0
Review cloud identity report overview
CMA_0468 - Review cloud identity report overview
Manual, Disabled
1.1.0
Review controlled folder access events
CMA_0471 - Review controlled folder access events
Manual, Disabled
1.1.0
Review file and folder activity
CMA_0473 - Review file and folder activity
Manual, Disabled
1.1.0
Review role group changes weekly
CMA_0476 - Review role group changes weekly
Manual, Disabled
1.1.0
Revoke privileged roles as appropriate
CMA_0483 - Revoke privileged roles as appropriate
Manual, Disabled
1.1.0
Route traffic through managed network access points
CMA_0484 - Route traffic through managed network access points
Manual, Disabled
1.1.0
Set automated notifications for new and trending cloud applications in your organization
CMA_0495 - Set automated notifications for new and trending cloud applications in your organization
Manual, Disabled
1.1.0
Use privileged identity management
CMA_0533 - Use privileged identity management
Manual, Disabled
1.1.0
ID : ISO 27001:2013 A.12.4.2
Ownership : Shared
Administrator and operator logs
ID : ISO 27001:2013 A.12.4.3
Ownership : Shared
Name (Azure portal)
Description
Effect(s)
Version (GitHub)
[Preview]: Log Analytics Extension should be enabled for listed virtual machine images
Reports virtual machines as non-compliant if the virtual machine image is not in the list defined and the extension is not installed.
AuditIfNotExists, Disabled
2.0.1-preview
Audit diagnostic setting for selected resource types
Audit diagnostic setting for selected resource types. Be sure to select only resource types which support diagnostics settings.
AuditIfNotExists
2.0.1
Audit privileged functions
CMA_0019 - Audit privileged functions
Manual, Disabled
1.1.0
Audit user account status
CMA_0020 - Audit user account status
Manual, Disabled
1.1.0
Auditing on SQL server should be enabled
Auditing on your SQL Server should be enabled to track database activities across all databases on the server and save them in an audit log.
AuditIfNotExists, Disabled
2.0.0
Authorize, monitor, and control voip
CMA_0025 - Authorize, monitor, and control voip
Manual, Disabled
1.1.0
Automate account management
CMA_0026 - Automate account management
Manual, Disabled
1.1.0
Check for privacy and security compliance before establishing internal connections
CMA_0053 - Check for privacy and security compliance before establishing internal connections
Manual, Disabled
1.1.0
Conduct a full text analysis of logged privileged commands
CMA_0056 - Conduct a full text analysis of logged privileged commands
Manual, Disabled
1.1.0
Dependency agent should be enabled for listed virtual machine images
Reports virtual machines as non-compliant if the virtual machine image is not in the list defined and the agent is not installed. The list of OS images is updated over time as support is updated.
AuditIfNotExists, Disabled
2.0.0
Dependency agent should be enabled in virtual machine scale sets for listed virtual machine images
Reports virtual machine scale sets as non-compliant if the virtual machine image is not in the list defined and the agent is not installed. The list of OS images is updated over time as support is updated.
AuditIfNotExists, Disabled
2.0.0
Determine auditable events
CMA_0137 - Determine auditable events
Manual, Disabled
1.1.0
Enable dual or joint authorization
CMA_0226 - Enable dual or joint authorization
Manual, Disabled
1.1.0
Implement system boundary protection
CMA_0328 - Implement system boundary protection
Manual, Disabled
1.1.0
Log Analytics extension should be enabled in virtual machine scale sets for listed virtual machine images
Reports virtual machine scale sets as non-compliant if the virtual machine image is not in the list defined and the extension is not installed.
AuditIfNotExists, Disabled
2.0.1
Manage gateways
CMA_0363 - Manage gateways
Manual, Disabled
1.1.0
Manage system and admin accounts
CMA_0368 - Manage system and admin accounts
Manual, Disabled
1.1.0
Monitor access across the organization
CMA_0376 - Monitor access across the organization
Manual, Disabled
1.1.0
Monitor account activity
CMA_0377 - Monitor account activity
Manual, Disabled
1.1.0
Monitor privileged role assignment
CMA_0378 - Monitor privileged role assignment
Manual, Disabled
1.1.0
Notify when account is not needed
CMA_0383 - Notify when account is not needed
Manual, Disabled
1.1.0
Obtain legal opinion for monitoring system activities
CMA_C1688 - Obtain legal opinion for monitoring system activities
Manual, Disabled
1.1.0
Protect audit information
CMA_0401 - Protect audit information
Manual, Disabled
1.1.0
Provide monitoring information as needed
CMA_C1689 - Provide monitoring information as needed
Manual, Disabled
1.1.0
Restrict access to privileged accounts
CMA_0446 - Restrict access to privileged accounts
Manual, Disabled
1.1.0
Review audit data
CMA_0466 - Review audit data
Manual, Disabled
1.1.0
Revoke privileged roles as appropriate
CMA_0483 - Revoke privileged roles as appropriate
Manual, Disabled
1.1.0
Route traffic through managed network access points
CMA_0484 - Route traffic through managed network access points
Manual, Disabled
1.1.0
Use privileged identity management
CMA_0533 - Use privileged identity management
Manual, Disabled
1.1.0
ID : ISO 27001:2013 A.12.4.4
Ownership : Shared
Installation of software on operational systems
ID : ISO 27001:2013 A.12.5.1
Ownership : Shared
Name (Azure portal)
Description
Effect(s)
Version (GitHub)
Automate approval request for proposed changes
CMA_C1192 - Automate approval request for proposed changes
Manual, Disabled
1.1.0
Automate implementation of approved change notifications
CMA_C1196 - Automate implementation of approved change notifications
Manual, Disabled
1.1.0
Automate process to document implemented changes
CMA_C1195 - Automate process to document implemented changes
Manual, Disabled
1.1.0
Automate process to highlight unreviewed change proposals
CMA_C1193 - Automate process to highlight unreviewed change proposals
Manual, Disabled
1.1.0
Automate process to prohibit implementation of unapproved changes
CMA_C1194 - Automate process to prohibit implementation of unapproved changes
Manual, Disabled
1.1.0
Automate proposed documented changes
CMA_C1191 - Automate proposed documented changes
Manual, Disabled
1.1.0
Conduct a security impact analysis
CMA_0057 - Conduct a security impact analysis
Manual, Disabled
1.1.0
Develop and maintain a vulnerability management standard
CMA_0152 - Develop and maintain a vulnerability management standard
Manual, Disabled
1.1.0
Enforce security configuration settings
CMA_0249 - Enforce security configuration settings
Manual, Disabled
1.1.0
Establish a risk management strategy
CMA_0258 - Establish a risk management strategy
Manual, Disabled
1.1.0
Establish and document change control processes
CMA_0265 - Establish and document change control processes
Manual, Disabled
1.1.0
Establish configuration management requirements for developers
CMA_0270 - Establish configuration management requirements for developers
Manual, Disabled
1.1.0
Govern compliance of cloud service providers
CMA_0290 - Govern compliance of cloud service providers
Manual, Disabled
1.1.0
Perform a privacy impact assessment
CMA_0387 - Perform a privacy impact assessment
Manual, Disabled
1.1.0
Perform a risk assessment
CMA_0388 - Perform a risk assessment
Manual, Disabled
1.1.0
Perform audit for configuration change control
CMA_0390 - Perform audit for configuration change control
Manual, Disabled
1.1.0
Remediate information system flaws
CMA_0427 - Remediate information system flaws
Manual, Disabled
1.1.0
View and configure system diagnostic data
CMA_0544 - View and configure system diagnostic data
Manual, Disabled
1.1.0
Management of technical vulnerabilities
ID : ISO 27001:2013 A.12.6.1
Ownership : Shared
Name (Azure portal)
Description
Effect(s)
Version (GitHub)
A vulnerability assessment solution should be enabled on your virtual machines
Audits virtual machines to detect whether they are running a supported vulnerability assessment solution. A core component of every cyber risk and security program is the identification and analysis of vulnerabilities. Azure Security Center's standard pricing tier includes vulnerability scanning for your virtual machines at no extra cost. Additionally, Security Center can automatically deploy this tool for you.
AuditIfNotExists, Disabled
3.0.0
Conduct Risk Assessment
CMA_C1543 - Conduct Risk Assessment
Manual, Disabled
1.1.0
Conduct risk assessment and distribute its results
CMA_C1544 - Conduct risk assessment and distribute its results
Manual, Disabled
1.1.0
Conduct risk assessment and document its results
CMA_C1542 - Conduct risk assessment and document its results
Manual, Disabled
1.1.0
Incorporate flaw remediation into configuration management
CMA_C1671 - Incorporate flaw remediation into configuration management
Manual, Disabled
1.1.0
Perform a risk assessment
CMA_0388 - Perform a risk assessment
Manual, Disabled
1.1.0
Perform vulnerability scans
CMA_0393 - Perform vulnerability scans
Manual, Disabled
1.1.0
Remediate information system flaws
CMA_0427 - Remediate information system flaws
Manual, Disabled
1.1.0
Select additional testing for security control assessments
CMA_C1149 - Select additional testing for security control assessments
Manual, Disabled
1.1.0
SQL databases should have vulnerability findings resolved
Monitor vulnerability assessment scan results and recommendations for how to remediate database vulnerabilities.
AuditIfNotExists, Disabled
4.1.0
Vulnerabilities in security configuration on your machines should be remediated
Servers which do not satisfy the configured baseline will be monitored by Azure Security Center as recommendations.
AuditIfNotExists, Disabled
3.1.0
Restrictions on software installation
ID : ISO 27001:2013 A.12.6.2
Ownership : Shared
Name (Azure portal)
Description
Effect(s)
Version (GitHub)
Automate approval request for proposed changes
CMA_C1192 - Automate approval request for proposed changes
Manual, Disabled
1.1.0
Automate implementation of approved change notifications
CMA_C1196 - Automate implementation of approved change notifications
Manual, Disabled
1.1.0
Automate process to document implemented changes
CMA_C1195 - Automate process to document implemented changes
Manual, Disabled
1.1.0
Automate process to highlight unreviewed change proposals
CMA_C1193 - Automate process to highlight unreviewed change proposals
Manual, Disabled
1.1.0
Automate process to prohibit implementation of unapproved changes
CMA_C1194 - Automate process to prohibit implementation of unapproved changes
Manual, Disabled
1.1.0
Automate proposed documented changes
CMA_C1191 - Automate proposed documented changes
Manual, Disabled
1.1.0
Conduct a security impact analysis
CMA_0057 - Conduct a security impact analysis
Manual, Disabled
1.1.0
Develop and maintain a vulnerability management standard
CMA_0152 - Develop and maintain a vulnerability management standard
Manual, Disabled
1.1.0
Enforce security configuration settings
CMA_0249 - Enforce security configuration settings
Manual, Disabled
1.1.0
Establish a risk management strategy
CMA_0258 - Establish a risk management strategy
Manual, Disabled
1.1.0
Establish and document change control processes
CMA_0265 - Establish and document change control processes
Manual, Disabled
1.1.0
Establish configuration management requirements for developers
CMA_0270 - Establish configuration management requirements for developers
Manual, Disabled
1.1.0
Govern compliance of cloud service providers
CMA_0290 - Govern compliance of cloud service providers
Manual, Disabled
1.1.0
Perform a privacy impact assessment
CMA_0387 - Perform a privacy impact assessment
Manual, Disabled
1.1.0
Perform a risk assessment
CMA_0388 - Perform a risk assessment
Manual, Disabled
1.1.0
Perform audit for configuration change control
CMA_0390 - Perform audit for configuration change control
Manual, Disabled
1.1.0
Remediate information system flaws
CMA_0427 - Remediate information system flaws
Manual, Disabled
1.1.0
View and configure system diagnostic data
CMA_0544 - View and configure system diagnostic data
Manual, Disabled
1.1.0
ID : ISO 27001:2013 A.12.7.1
Ownership : Shared
ID : ISO 27001:2013 A.13.1.1
Ownership : Shared
Name (Azure portal)
Description
Effect(s)
Version (GitHub)
Adopt biometric authentication mechanisms
CMA_0005 - Adopt biometric authentication mechanisms
Manual, Disabled
1.1.0
All network ports should be restricted on network security groups associated to your virtual machine
Azure Security Center has identified some of your network security groups' inbound rules to be too permissive. Inbound rules should not allow access from 'Any' or 'Internet' ranges. This can potentially enable attackers to target your resources.
AuditIfNotExists, Disabled
3.0.0
Authorize access to security functions and information
CMA_0022 - Authorize access to security functions and information
Manual, Disabled
1.1.0
Authorize and manage access
CMA_0023 - Authorize and manage access
Manual, Disabled
1.1.0
Authorize remote access
CMA_0024 - Authorize remote access
Manual, Disabled
1.1.0
Configure workstations to check for digital certificates
CMA_0073 - Configure workstations to check for digital certificates
Manual, Disabled
1.1.0
Control information flow
CMA_0079 - Control information flow
Manual, Disabled
1.1.0
Document and implement wireless access guidelines
CMA_0190 - Document and implement wireless access guidelines
Manual, Disabled
1.1.0
Document mobility training
CMA_0191 - Document mobility training
Manual, Disabled
1.1.0
Document remote access guidelines
CMA_0196 - Document remote access guidelines
Manual, Disabled
1.1.0
Employ boundary protection to isolate information systems
CMA_C1639 - Employ boundary protection to isolate information systems
Manual, Disabled
1.1.0
Enforce logical access
CMA_0245 - Enforce logical access
Manual, Disabled
1.1.0
Enforce mandatory and discretionary access control policies
CMA_0246 - Enforce mandatory and discretionary access control policies
Manual, Disabled
1.1.0
Establish firewall and router configuration standards
CMA_0272 - Establish firewall and router configuration standards
Manual, Disabled
1.1.0
Establish network segmentation for card holder data environment
CMA_0273 - Establish network segmentation for card holder data environment
Manual, Disabled
1.1.0
Establish terms and conditions for accessing resources
CMA_C1076 - Establish terms and conditions for accessing resources
Manual, Disabled
1.1.0
Establish terms and conditions for processing resources
CMA_C1077 - Establish terms and conditions for processing resources
Manual, Disabled
1.1.0
Identify and authenticate network devices
CMA_0296 - Identify and authenticate network devices
Manual, Disabled
1.1.0
Identify and manage downstream information exchanges
CMA_0298 - Identify and manage downstream information exchanges
Manual, Disabled
1.1.0
Implement a fault tolerant name/address service
CMA_0305 - Implement a fault tolerant name/address service
Manual, Disabled
1.1.0
Implement controls to secure alternate work sites
CMA_0315 - Implement controls to secure alternate work sites
Manual, Disabled
1.1.0
Implement managed interface for each external service
CMA_C1626 - Implement managed interface for each external service
Manual, Disabled
1.1.0
Implement system boundary protection
CMA_0328 - Implement system boundary protection
Manual, Disabled
1.1.0
Monitor access across the organization
CMA_0376 - Monitor access across the organization
Manual, Disabled
1.1.0
Notify users of system logon or access
CMA_0382 - Notify users of system logon or access
Manual, Disabled
1.1.0
Prevent split tunneling for remote devices
CMA_C1632 - Prevent split tunneling for remote devices
Manual, Disabled
1.1.0
Produce, control and distribute asymmetric cryptographic keys
CMA_C1646 - Produce, control and distribute asymmetric cryptographic keys
Manual, Disabled
1.1.0
Protect data in transit using encryption
CMA_0403 - Protect data in transit using encryption
Manual, Disabled
1.1.0
Protect passwords with encryption
CMA_0408 - Protect passwords with encryption
Manual, Disabled
1.1.0
Protect wireless access
CMA_0411 - Protect wireless access
Manual, Disabled
1.1.0
Provide privacy training
CMA_0415 - Provide privacy training
Manual, Disabled
1.1.0
Provide secure name and address resolution services
CMA_0416 - Provide secure name and address resolution services
Manual, Disabled
1.1.0
Reauthenticate or terminate a user session
CMA_0421 - Reauthenticate or terminate a user session
Manual, Disabled
1.1.0
Require approval for account creation
CMA_0431 - Require approval for account creation
Manual, Disabled
1.1.0
Review user groups and applications with access to sensitive data
CMA_0481 - Review user groups and applications with access to sensitive data
Manual, Disabled
1.1.0
Secure the interface to external systems
CMA_0491 - Secure the interface to external systems
Manual, Disabled
1.1.0
Separate user and information system management functionality
CMA_0493 - Separate user and information system management functionality
Manual, Disabled
1.1.0
Storage accounts should restrict network access
Network access to storage accounts should be restricted. Configure network rules so only applications from allowed networks can access the storage account. To allow connections from specific internet or on-premises clients, access can be granted to traffic from specific Azure virtual networks or to public internet IP address ranges.
Audit, Deny, Disabled
1.1.1
Use dedicated machines for administrative tasks
CMA_0527 - Use dedicated machines for administrative tasks
Manual, Disabled
1.1.0
Verify security controls for external information systems
CMA_0541 - Verify security controls for external information systems
Manual, Disabled
1.1.0
Security of network services
ID : ISO 27001:2013 A.13.1.2
Ownership : Shared
Name (Azure portal)
Description
Effect(s)
Version (GitHub)
Adopt biometric authentication mechanisms
CMA_0005 - Adopt biometric authentication mechanisms
Manual, Disabled
1.1.0
Control information flow
CMA_0079 - Control information flow
Manual, Disabled
1.1.0
Define and document government oversight
CMA_C1587 - Define and document government oversight
Manual, Disabled
1.1.0
Establish electronic signature and certificate requirements
CMA_0271 - Establish electronic signature and certificate requirements
Manual, Disabled
1.1.0
Establish firewall and router configuration standards
CMA_0272 - Establish firewall and router configuration standards
Manual, Disabled
1.1.0
Establish network segmentation for card holder data environment
CMA_0273 - Establish network segmentation for card holder data environment
Manual, Disabled
1.1.0
Identify and manage downstream information exchanges
CMA_0298 - Identify and manage downstream information exchanges
Manual, Disabled
1.1.0
Implement system boundary protection
CMA_0328 - Implement system boundary protection
Manual, Disabled
1.1.0
Prevent split tunneling for remote devices
CMA_C1632 - Prevent split tunneling for remote devices
Manual, Disabled
1.1.0
Require external service providers to comply with security requirements
CMA_C1586 - Require external service providers to comply with security requirements
Manual, Disabled
1.1.0
Require interconnection security agreements
CMA_C1151 - Require interconnection security agreements
Manual, Disabled
1.1.0
Review cloud service provider's compliance with policies and agreements
CMA_0469 - Review cloud service provider's compliance with policies and agreements
Manual, Disabled
1.1.0
Route traffic through managed network access points
CMA_0484 - Route traffic through managed network access points
Manual, Disabled
1.1.0
Secure the interface to external systems
CMA_0491 - Secure the interface to external systems
Manual, Disabled
1.1.0
Undergo independent security review
CMA_0515 - Undergo independent security review
Manual, Disabled
1.1.0
Update interconnection security agreements
CMA_0519 - Update interconnection security agreements
Manual, Disabled
1.1.0
ID : ISO 27001:2013 A.13.1.3
Ownership : Shared
Name (Azure portal)
Description
Effect(s)
Version (GitHub)
Authorize remote access
CMA_0024 - Authorize remote access
Manual, Disabled
1.1.0
Configure workstations to check for digital certificates
CMA_0073 - Configure workstations to check for digital certificates
Manual, Disabled
1.1.0
Control information flow
CMA_0079 - Control information flow
Manual, Disabled
1.1.0
Employ boundary protection to isolate information systems
CMA_C1639 - Employ boundary protection to isolate information systems
Manual, Disabled
1.1.0
Employ flow control mechanisms of encrypted information
CMA_0211 - Employ flow control mechanisms of encrypted information
Manual, Disabled
1.1.0
Establish firewall and router configuration standards
CMA_0272 - Establish firewall and router configuration standards
Manual, Disabled
1.1.0
Establish network segmentation for card holder data environment
CMA_0273 - Establish network segmentation for card holder data environment
Manual, Disabled
1.1.0
Identify and manage downstream information exchanges
CMA_0298 - Identify and manage downstream information exchanges
Manual, Disabled
1.1.0
Implement a fault tolerant name/address service
CMA_0305 - Implement a fault tolerant name/address service
Manual, Disabled
1.1.0
Implement managed interface for each external service
CMA_C1626 - Implement managed interface for each external service
Manual, Disabled
1.1.0
Implement system boundary protection
CMA_0328 - Implement system boundary protection
Manual, Disabled
1.1.0
Information flow control using security policy filters
CMA_C1029 - Information flow control using security policy filters
Manual, Disabled
1.1.0
Prevent split tunneling for remote devices
CMA_C1632 - Prevent split tunneling for remote devices
Manual, Disabled
1.1.0
Provide secure name and address resolution services
CMA_0416 - Provide secure name and address resolution services
Manual, Disabled
1.1.0
Secure the interface to external systems
CMA_0491 - Secure the interface to external systems
Manual, Disabled
1.1.0
Separate user and information system management functionality
CMA_0493 - Separate user and information system management functionality
Manual, Disabled
1.1.0
Use dedicated machines for administrative tasks
CMA_0527 - Use dedicated machines for administrative tasks
Manual, Disabled
1.1.0
ID : ISO 27001:2013 A.13.2.1
Ownership : Shared
Name (Azure portal)
Description
Effect(s)
Version (GitHub)
Authorize remote access
CMA_0024 - Authorize remote access
Manual, Disabled
1.1.0
Configure workstations to check for digital certificates
CMA_0073 - Configure workstations to check for digital certificates
Manual, Disabled
1.1.0
Control information flow
CMA_0079 - Control information flow
Manual, Disabled
1.1.0
Define mobile device requirements
CMA_0122 - Define mobile device requirements
Manual, Disabled
1.1.0
Document and implement wireless access guidelines
CMA_0190 - Document and implement wireless access guidelines
Manual, Disabled
1.1.0
Document mobility training
CMA_0191 - Document mobility training
Manual, Disabled
1.1.0
Document remote access guidelines
CMA_0196 - Document remote access guidelines
Manual, Disabled
1.1.0
Employ flow control mechanisms of encrypted information
CMA_0211 - Employ flow control mechanisms of encrypted information
Manual, Disabled
1.1.0
Establish firewall and router configuration standards
CMA_0272 - Establish firewall and router configuration standards
Manual, Disabled
1.1.0
Establish network segmentation for card holder data environment
CMA_0273 - Establish network segmentation for card holder data environment
Manual, Disabled
1.1.0
Establish terms and conditions for accessing resources
CMA_C1076 - Establish terms and conditions for accessing resources
Manual, Disabled
1.1.0
Establish terms and conditions for processing resources
CMA_C1077 - Establish terms and conditions for processing resources
Manual, Disabled
1.1.0
Explicitly notify use of collaborative computing devices
CMA_C1649 - Explicitly notify use of collaborative computing devices
Manual, Disabled
1.1.1
Identify and manage downstream information exchanges
CMA_0298 - Identify and manage downstream information exchanges
Manual, Disabled
1.1.0
Implement a fault tolerant name/address service
CMA_0305 - Implement a fault tolerant name/address service
Manual, Disabled
1.1.0
Implement controls to secure alternate work sites
CMA_0315 - Implement controls to secure alternate work sites
Manual, Disabled
1.1.0
Implement managed interface for each external service
CMA_C1626 - Implement managed interface for each external service
Manual, Disabled
1.1.0
Implement system boundary protection
CMA_0328 - Implement system boundary protection
Manual, Disabled
1.1.0
Information flow control using security policy filters
CMA_C1029 - Information flow control using security policy filters
Manual, Disabled
1.1.0
Only secure connections to your Azure Cache for Redis should be enabled
Audit enabling of only connections via SSL to Azure Cache for Redis. Use of secure connections ensures authentication between the server and the service and protects data in transit from network layer attacks such as man-in-the-middle, eavesdropping, and session-hijacking.
Audit, Deny, Disabled
1.0.0
Produce, control and distribute asymmetric cryptographic keys
CMA_C1646 - Produce, control and distribute asymmetric cryptographic keys
Manual, Disabled
1.1.0
Prohibit remote activation of collaborative computing devices
CMA_C1648 - Prohibit remote activation of collaborative computing devices
Manual, Disabled
1.1.0
Protect data in transit using encryption
CMA_0403 - Protect data in transit using encryption
Manual, Disabled
1.1.0
Protect passwords with encryption
CMA_0408 - Protect passwords with encryption
Manual, Disabled
1.1.0
Protect wireless access
CMA_0411 - Protect wireless access
Manual, Disabled
1.1.0
Provide privacy training
CMA_0415 - Provide privacy training
Manual, Disabled
1.1.0
Provide secure name and address resolution services
CMA_0416 - Provide secure name and address resolution services
Manual, Disabled
1.1.0
Require interconnection security agreements
CMA_C1151 - Require interconnection security agreements
Manual, Disabled
1.1.0
Secure the interface to external systems
CMA_0491 - Secure the interface to external systems
Manual, Disabled
1.1.0
Secure transfer to storage accounts should be enabled
Audit requirement of Secure transfer in your storage account. Secure transfer is an option that forces your storage account to accept requests only from secure connections (HTTPS). Use of HTTPS ensures authentication between the server and the service and protects data in transit from network layer attacks such as man-in-the-middle, eavesdropping, and session-hijacking.
Audit, Deny, Disabled
2.0.0
Update interconnection security agreements
CMA_0519 - Update interconnection security agreements
Manual, Disabled
1.1.0
Verify security controls for external information systems
CMA_0541 - Verify security controls for external information systems
Manual, Disabled
1.1.0
ID : ISO 27001:2013 A.13.2.2
Ownership : Shared
Name (Azure portal)
Description
Effect(s)
Version (GitHub)
Define and document government oversight
CMA_C1587 - Define and document government oversight
Manual, Disabled
1.1.0
Document personnel acceptance of privacy requirements
CMA_0193 - Document personnel acceptance of privacy requirements
Manual, Disabled
1.1.0
Identify external service providers
CMA_C1591 - Identify external service providers
Manual, Disabled
1.1.0
Implement privacy notice delivery methods
CMA_0324 - Implement privacy notice delivery methods
Manual, Disabled
1.1.0
Obtain consent prior to collection or processing of personal data
CMA_0385 - Obtain consent prior to collection or processing of personal data
Manual, Disabled
1.1.0
Provide privacy notice
CMA_0414 - Provide privacy notice
Manual, Disabled
1.1.0
Require external service providers to comply with security requirements
CMA_C1586 - Require external service providers to comply with security requirements
Manual, Disabled
1.1.0
Require interconnection security agreements
CMA_C1151 - Require interconnection security agreements
Manual, Disabled
1.1.0
Review cloud service provider's compliance with policies and agreements
CMA_0469 - Review cloud service provider's compliance with policies and agreements
Manual, Disabled
1.1.0
Undergo independent security review
CMA_0515 - Undergo independent security review
Manual, Disabled
1.1.0
Update interconnection security agreements
CMA_0519 - Update interconnection security agreements
Manual, Disabled
1.1.0
ID : ISO 27001:2013 A.13.2.3
Ownership : Shared
Name (Azure portal)
Description
Effect(s)
Version (GitHub)
Configure workstations to check for digital certificates
CMA_0073 - Configure workstations to check for digital certificates
Manual, Disabled
1.1.0
Control information flow
CMA_0079 - Control information flow
Manual, Disabled
1.1.0
Establish firewall and router configuration standards
CMA_0272 - Establish firewall and router configuration standards
Manual, Disabled
1.1.0
Establish network segmentation for card holder data environment
CMA_0273 - Establish network segmentation for card holder data environment
Manual, Disabled
1.1.0
Identify and manage downstream information exchanges
CMA_0298 - Identify and manage downstream information exchanges
Manual, Disabled
1.1.0
Implement a fault tolerant name/address service
CMA_0305 - Implement a fault tolerant name/address service
Manual, Disabled
1.1.0
Produce, control and distribute asymmetric cryptographic keys
CMA_C1646 - Produce, control and distribute asymmetric cryptographic keys
Manual, Disabled
1.1.0
Protect data in transit using encryption
CMA_0403 - Protect data in transit using encryption
Manual, Disabled
1.1.0
Protect passwords with encryption
CMA_0408 - Protect passwords with encryption
Manual, Disabled
1.1.0
Provide secure name and address resolution services
CMA_0416 - Provide secure name and address resolution services
Manual, Disabled
1.1.0
Confidentiality or non-disclosure agreements
ID : ISO 27001:2013 A.13.2.4
Ownership : Shared
| Name (Azure portal) | Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Develop acceptable use policies and procedures | CMA_0143 - Develop acceptable use policies and procedures | Manual, Disabled | 1.1.0 |
| Develop organization code of conduct policy | CMA_0159 - Develop organization code of conduct policy | Manual, Disabled | 1.1.0 |
| Develop security safeguards | CMA_0161 - Develop security safeguards | Manual, Disabled | 1.1.0 |
| Document organizational access agreements | CMA_0192 - Document organizational access agreements | Manual, Disabled | 1.1.0 |
| Document personnel acceptance of privacy requirements | CMA_0193 - Document personnel acceptance of privacy requirements | Manual, Disabled | 1.1.0 |
| Enforce rules of behavior and access agreements | CMA_0248 - Enforce rules of behavior and access agreements | Manual, Disabled | 1.1.0 |
| Ensure access agreements are signed or resigned timely | CMA_C1528 - Ensure access agreements are signed or resigned timely | Manual, Disabled | 1.1.0 |
| Prohibit unfair practices | CMA_0396 - Prohibit unfair practices | Manual, Disabled | 1.1.0 |
| Require users to sign access agreement | CMA_0440 - Require users to sign access agreement | Manual, Disabled | 1.1.0 |
| Review and sign revised rules of behavior | CMA_0465 - Review and sign revised rules of behavior | Manual, Disabled | 1.1.0 |
| Update information security policies | CMA_0518 - Update information security policies | Manual, Disabled | 1.1.0 |
| Update organizational access agreements | CMA_0520 - Update organizational access agreements | Manual, Disabled | 1.1.0 |
| Update rules of behavior and access agreements | CMA_0521 - Update rules of behavior and access agreements | Manual, Disabled | 1.1.0 |
| Update rules of behavior and access agreements every 3 years | CMA_0522 - Update rules of behavior and access agreements every 3 years | Manual, Disabled | 1.1.0 |
System Acquisition, Development And Maintenance
ID : ISO 27001:2013 A.14.1.1
Ownership : Shared
| Name (Azure portal) | Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Define information security roles and responsibilities | CMA_C1565 - Define information security roles and responsibilities | Manual, Disabled | 1.1.0 |
| Determine supplier contract obligations | CMA_0140 - Determine supplier contract obligations | Manual, Disabled | 1.1.0 |
| Develop a concept of operations (CONOPS) | CMA_0141 - Develop a concept of operations (CONOPS) | Manual, Disabled | 1.1.0 |
| Develop and establish a system security plan | CMA_0151 - Develop and establish a system security plan | Manual, Disabled | 1.1.0 |
| Develop information security policies and procedures | CMA_0158 - Develop information security policies and procedures | Manual, Disabled | 1.1.0 |
| Develop SSP that meets criteria | CMA_C1492 - Develop SSP that meets criteria | Manual, Disabled | 1.1.0 |
| Document acquisition contract acceptance criteria | CMA_0187 - Document acquisition contract acceptance criteria | Manual, Disabled | 1.1.0 |
| Document protection of personal data in acquisition contracts | CMA_0194 - Document protection of personal data in acquisition contracts | Manual, Disabled | 1.1.0 |
| Document protection of security information in acquisition contracts | CMA_0195 - Document protection of security information in acquisition contracts | Manual, Disabled | 1.1.0 |
| Document requirements for the use of shared data in contracts | CMA_0197 - Document requirements for the use of shared data in contracts | Manual, Disabled | 1.1.0 |
| Document security assurance requirements in acquisition contracts | CMA_0199 - Document security assurance requirements in acquisition contracts | Manual, Disabled | 1.1.0 |
| Document security documentation requirements in acquisition contract | CMA_0200 - Document security documentation requirements in acquisition contract | Manual, Disabled | 1.1.0 |
| Document security functional requirements in acquisition contracts | CMA_0201 - Document security functional requirements in acquisition contracts | Manual, Disabled | 1.1.0 |
| Document security strength requirements in acquisition contracts | CMA_0203 - Document security strength requirements in acquisition contracts | Manual, Disabled | 1.1.0 |
| Document the information system environment in acquisition contracts | CMA_0205 - Document the information system environment in acquisition contracts | Manual, Disabled | 1.1.0 |
| Document the protection of cardholder data in third party contracts | CMA_0207 - Document the protection of cardholder data in third party contracts | Manual, Disabled | 1.1.0 |
| Establish a privacy program | CMA_0257 - Establish a privacy program | Manual, Disabled | 1.1.0 |
| Establish security requirements for the manufacturing of connected devices | CMA_0279 - Establish security requirements for the manufacturing of connected devices | Manual, Disabled | 1.1.0 |
| Identify external service providers | CMA_C1591 - Identify external service providers | Manual, Disabled | 1.1.0 |
| Identify individuals with security roles and responsibilities | CMA_C1566 - Identify individuals with security roles and responsibilities | Manual, Disabled | 1.1.1 |
| Implement security engineering principles of information systems | CMA_0325 - Implement security engineering principles of information systems | Manual, Disabled | 1.1.0 |
| Integrate risk management process into SDLC | CMA_C1567 - Integrate risk management process into SDLC | Manual, Disabled | 1.1.0 |
| Review and update the information security architecture | CMA_C1504 - Review and update the information security architecture | Manual, Disabled | 1.1.0 |
| Review development process, standards and tools | CMA_C1610 - Review development process, standards and tools | Manual, Disabled | 1.1.0 |
Securing application services on public networks
ID : ISO 27001:2013 A.14.1.2
Ownership : Shared
| Name (Azure portal) | Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Adopt biometric authentication mechanisms | CMA_0005 - Adopt biometric authentication mechanisms | Manual, Disabled | 1.1.0 |
| Authorize access to security functions and information | CMA_0022 - Authorize access to security functions and information | Manual, Disabled | 1.1.0 |
| Authorize and manage access | CMA_0023 - Authorize and manage access | Manual, Disabled | 1.1.0 |
| Authorize remote access | CMA_0024 - Authorize remote access | Manual, Disabled | 1.1.0 |
| Configure workstations to check for digital certificates | CMA_0073 - Configure workstations to check for digital certificates | Manual, Disabled | 1.1.0 |
| Control information flow | CMA_0079 - Control information flow | Manual, Disabled | 1.1.0 |
| Define cryptographic use | CMA_0120 - Define cryptographic use | Manual, Disabled | 1.1.0 |
| Document mobility training | CMA_0191 - Document mobility training | Manual, Disabled | 1.1.0 |
| Document remote access guidelines | CMA_0196 - Document remote access guidelines | Manual, Disabled | 1.1.0 |
| Employ flow control mechanisms of encrypted information | CMA_0211 - Employ flow control mechanisms of encrypted information | Manual, Disabled | 1.1.0 |
| Enforce logical access | CMA_0245 - Enforce logical access | Manual, Disabled | 1.1.0 |
| Enforce mandatory and discretionary access control policies | CMA_0246 - Enforce mandatory and discretionary access control policies | Manual, Disabled | 1.1.0 |
| Enforce user uniqueness | CMA_0250 - Enforce user uniqueness | Manual, Disabled | 1.1.0 |
| Establish firewall and router configuration standards | CMA_0272 - Establish firewall and router configuration standards | Manual, Disabled | 1.1.0 |
| Establish network segmentation for card holder data environment | CMA_0273 - Establish network segmentation for card holder data environment | Manual, Disabled | 1.1.0 |
| Identify and authenticate network devices | CMA_0296 - Identify and authenticate network devices | Manual, Disabled | 1.1.0 |
| Identify and authenticate non-organizational users | CMA_C1346 - Identify and authenticate non-organizational users | Manual, Disabled | 1.1.0 |
| Identify and manage downstream information exchanges | CMA_0298 - Identify and manage downstream information exchanges | Manual, Disabled | 1.1.0 |
| Implement a fault tolerant name/address service | CMA_0305 - Implement a fault tolerant name/address service | Manual, Disabled | 1.1.0 |
| Implement controls to secure all media | CMA_0314 - Implement controls to secure all media | Manual, Disabled | 1.1.0 |
| Implement controls to secure alternate work sites | CMA_0315 - Implement controls to secure alternate work sites | Manual, Disabled | 1.1.0 |
| Information flow control using security policy filters | CMA_C1029 - Information flow control using security policy filters | Manual, Disabled | 1.1.0 |
| Monitor access across the organization | CMA_0376 - Monitor access across the organization | Manual, Disabled | 1.1.0 |
| Notify users of system logon or access | CMA_0382 - Notify users of system logon or access | Manual, Disabled | 1.1.0 |
| Produce, control and distribute asymmetric cryptographic keys | CMA_C1646 - Produce, control and distribute asymmetric cryptographic keys | Manual, Disabled | 1.1.0 |
| Protect data in transit using encryption | CMA_0403 - Protect data in transit using encryption | Manual, Disabled | 1.1.0 |
| Protect passwords with encryption | CMA_0408 - Protect passwords with encryption | Manual, Disabled | 1.1.0 |
| Provide privacy training | CMA_0415 - Provide privacy training | Manual, Disabled | 1.1.0 |
| Provide secure name and address resolution services | CMA_0416 - Provide secure name and address resolution services | Manual, Disabled | 1.1.0 |
| Require approval for account creation | CMA_0431 - Require approval for account creation | Manual, Disabled | 1.1.0 |
| Review user groups and applications with access to sensitive data | CMA_0481 - Review user groups and applications with access to sensitive data | Manual, Disabled | 1.1.0 |
| Support personal verification credentials issued by legal authorities | CMA_0507 - Support personal verification credentials issued by legal authorities | Manual, Disabled | 1.1.0 |
Protecting application services transactions
ID : ISO 27001:2013 A.14.1.3
Ownership : Shared
| Name (Azure portal) | Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Authorize access to security functions and information | CMA_0022 - Authorize access to security functions and information | Manual, Disabled | 1.1.0 |
| Authorize and manage access | CMA_0023 - Authorize and manage access | Manual, Disabled | 1.1.0 |
| Authorize remote access | CMA_0024 - Authorize remote access | Manual, Disabled | 1.1.0 |
| Configure workstations to check for digital certificates | CMA_0073 - Configure workstations to check for digital certificates | Manual, Disabled | 1.1.0 |
| Control information flow | CMA_0079 - Control information flow | Manual, Disabled | 1.1.0 |
| Define cryptographic use | CMA_0120 - Define cryptographic use | Manual, Disabled | 1.1.0 |
| Employ boundary protection to isolate information systems | CMA_C1639 - Employ boundary protection to isolate information systems | Manual, Disabled | 1.1.0 |
| Employ flow control mechanisms of encrypted information | CMA_0211 - Employ flow control mechanisms of encrypted information | Manual, Disabled | 1.1.0 |
| Enforce logical access | CMA_0245 - Enforce logical access | Manual, Disabled | 1.1.0 |
| Enforce mandatory and discretionary access control policies | CMA_0246 - Enforce mandatory and discretionary access control policies | Manual, Disabled | 1.1.0 |
| Enforce user uniqueness | CMA_0250 - Enforce user uniqueness | Manual, Disabled | 1.1.0 |
| Establish firewall and router configuration standards | CMA_0272 - Establish firewall and router configuration standards | Manual, Disabled | 1.1.0 |
| Establish network segmentation for card holder data environment | CMA_0273 - Establish network segmentation for card holder data environment | Manual, Disabled | 1.1.0 |
| Identify and authenticate non-organizational users | CMA_C1346 - Identify and authenticate non-organizational users | Manual, Disabled | 1.1.0 |
| Identify and manage downstream information exchanges | CMA_0298 - Identify and manage downstream information exchanges | Manual, Disabled | 1.1.0 |
| Implement a fault tolerant name/address service | CMA_0305 - Implement a fault tolerant name/address service | Manual, Disabled | 1.1.0 |
| Implement system boundary protection | CMA_0328 - Implement system boundary protection | Manual, Disabled | 1.1.0 |
| Information flow control using security policy filters | CMA_C1029 - Information flow control using security policy filters | Manual, Disabled | 1.1.0 |
| Prevent split tunneling for remote devices | CMA_C1632 - Prevent split tunneling for remote devices | Manual, Disabled | 1.1.0 |
| Produce, control and distribute asymmetric cryptographic keys | CMA_C1646 - Produce, control and distribute asymmetric cryptographic keys | Manual, Disabled | 1.1.0 |
| Protect data in transit using encryption | CMA_0403 - Protect data in transit using encryption | Manual, Disabled | 1.1.0 |
| Protect passwords with encryption | CMA_0408 - Protect passwords with encryption | Manual, Disabled | 1.1.0 |
| Provide secure name and address resolution services | CMA_0416 - Provide secure name and address resolution services | Manual, Disabled | 1.1.0 |
| Require approval for account creation | CMA_0431 - Require approval for account creation | Manual, Disabled | 1.1.0 |
| Review user groups and applications with access to sensitive data | CMA_0481 - Review user groups and applications with access to sensitive data | Manual, Disabled | 1.1.0 |
| Secure the interface to external systems | CMA_0491 - Secure the interface to external systems | Manual, Disabled | 1.1.0 |
| Separate user and information system management functionality | CMA_0493 - Separate user and information system management functionality | Manual, Disabled | 1.1.0 |
| Support personal verification credentials issued by legal authorities | CMA_0507 - Support personal verification credentials issued by legal authorities | Manual, Disabled | 1.1.0 |
| Use dedicated machines for administrative tasks | CMA_0527 - Use dedicated machines for administrative tasks | Manual, Disabled | 1.1.0 |
Secure development policy
ID : ISO 27001:2013 A.14.2.1
Ownership : Shared
System change control procedures
ID : ISO 27001:2013 A.14.2.2
Ownership : Shared
| Name (Azure portal) | Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Address coding vulnerabilities | CMA_0003 - Address coding vulnerabilities | Manual, Disabled | 1.1.0 |
| Automate approval request for proposed changes | CMA_C1192 - Automate approval request for proposed changes | Manual, Disabled | 1.1.0 |
| Automate implementation of approved change notifications | CMA_C1196 - Automate implementation of approved change notifications | Manual, Disabled | 1.1.0 |
| Automate process to document implemented changes | CMA_C1195 - Automate process to document implemented changes | Manual, Disabled | 1.1.0 |
| Automate process to highlight unreviewed change proposals | CMA_C1193 - Automate process to highlight unreviewed change proposals | Manual, Disabled | 1.1.0 |
| Automate process to prohibit implementation of unapproved changes | CMA_C1194 - Automate process to prohibit implementation of unapproved changes | Manual, Disabled | 1.1.0 |
| Automate proposed documented changes | CMA_C1191 - Automate proposed documented changes | Manual, Disabled | 1.1.0 |
| Conduct a security impact analysis | CMA_0057 - Conduct a security impact analysis | Manual, Disabled | 1.1.0 |
| Develop and document application security requirements | CMA_0148 - Develop and document application security requirements | Manual, Disabled | 1.1.0 |
| Develop and maintain a vulnerability management standard | CMA_0152 - Develop and maintain a vulnerability management standard | Manual, Disabled | 1.1.0 |
| Document the information system environment in acquisition contracts | CMA_0205 - Document the information system environment in acquisition contracts | Manual, Disabled | 1.1.0 |
| Enforce security configuration settings | CMA_0249 - Enforce security configuration settings | Manual, Disabled | 1.1.0 |
| Establish a risk management strategy | CMA_0258 - Establish a risk management strategy | Manual, Disabled | 1.1.0 |
| Establish a secure software development program | CMA_0259 - Establish a secure software development program | Manual, Disabled | 1.1.0 |
| Establish and document change control processes | CMA_0265 - Establish and document change control processes | Manual, Disabled | 1.1.0 |
| Establish configuration management requirements for developers | CMA_0270 - Establish configuration management requirements for developers | Manual, Disabled | 1.1.0 |
| Incorporate flaw remediation into configuration management | CMA_C1671 - Incorporate flaw remediation into configuration management | Manual, Disabled | 1.1.0 |
| Perform a privacy impact assessment | CMA_0387 - Perform a privacy impact assessment | Manual, Disabled | 1.1.0 |
| Perform a risk assessment | CMA_0388 - Perform a risk assessment | Manual, Disabled | 1.1.0 |
| Perform audit for configuration change control | CMA_0390 - Perform audit for configuration change control | Manual, Disabled | 1.1.0 |
| Perform vulnerability scans | CMA_0393 - Perform vulnerability scans | Manual, Disabled | 1.1.0 |
| Remediate information system flaws | CMA_0427 - Remediate information system flaws | Manual, Disabled | 1.1.0 |
| Require developers to document approved changes and potential impact | CMA_C1597 - Require developers to document approved changes and potential impact | Manual, Disabled | 1.1.0 |
| Require developers to implement only approved changes | CMA_C1596 - Require developers to implement only approved changes | Manual, Disabled | 1.1.0 |
| Require developers to manage change integrity | CMA_C1595 - Require developers to manage change integrity | Manual, Disabled | 1.1.0 |
ID : ISO 27001:2013 A.14.2.3
Ownership : Shared
| Name (Azure portal) | Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Automate approval request for proposed changes | CMA_C1192 - Automate approval request for proposed changes | Manual, Disabled | 1.1.0 |
| Automate implementation of approved change notifications | CMA_C1196 - Automate implementation of approved change notifications | Manual, Disabled | 1.1.0 |
| Automate process to document implemented changes | CMA_C1195 - Automate process to document implemented changes | Manual, Disabled | 1.1.0 |
| Automate process to highlight unreviewed change proposals | CMA_C1193 - Automate process to highlight unreviewed change proposals | Manual, Disabled | 1.1.0 |
| Automate process to prohibit implementation of unapproved changes | CMA_C1194 - Automate process to prohibit implementation of unapproved changes | Manual, Disabled | 1.1.0 |
| Automate proposed documented changes | CMA_C1191 - Automate proposed documented changes | Manual, Disabled | 1.1.0 |
| Conduct a security impact analysis | CMA_0057 - Conduct a security impact analysis | Manual, Disabled | 1.1.0 |
| Develop and maintain a vulnerability management standard | CMA_0152 - Develop and maintain a vulnerability management standard | Manual, Disabled | 1.1.0 |
| Enforce security configuration settings | CMA_0249 - Enforce security configuration settings | Manual, Disabled | 1.1.0 |
| Establish a risk management strategy | CMA_0258 - Establish a risk management strategy | Manual, Disabled | 1.1.0 |
| Establish and document change control processes | CMA_0265 - Establish and document change control processes | Manual, Disabled | 1.1.0 |
| Establish configuration management requirements for developers | CMA_0270 - Establish configuration management requirements for developers | Manual, Disabled | 1.1.0 |
| Incorporate flaw remediation into configuration management | CMA_C1671 - Incorporate flaw remediation into configuration management | Manual, Disabled | 1.1.0 |
| Perform a privacy impact assessment | CMA_0387 - Perform a privacy impact assessment | Manual, Disabled | 1.1.0 |
| Perform a risk assessment | CMA_0388 - Perform a risk assessment | Manual, Disabled | 1.1.0 |
| Perform audit for configuration change control | CMA_0390 - Perform audit for configuration change control | Manual, Disabled | 1.1.0 |
| Perform vulnerability scans | CMA_0393 - Perform vulnerability scans | Manual, Disabled | 1.1.0 |
| Remediate information system flaws | CMA_0427 - Remediate information system flaws | Manual, Disabled | 1.1.0 |
Restrictions on changes to software packages
ID : ISO 27001:2013 A.14.2.4
Ownership : Shared
| Name (Azure portal) | Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Address coding vulnerabilities | CMA_0003 - Address coding vulnerabilities | Manual, Disabled | 1.1.0 |
| Automate approval request for proposed changes | CMA_C1192 - Automate approval request for proposed changes | Manual, Disabled | 1.1.0 |
| Automate implementation of approved change notifications | CMA_C1196 - Automate implementation of approved change notifications | Manual, Disabled | 1.1.0 |
| Automate process to document implemented changes | CMA_C1195 - Automate process to document implemented changes | Manual, Disabled | 1.1.0 |
| Automate process to highlight unreviewed change proposals | CMA_C1193 - Automate process to highlight unreviewed change proposals | Manual, Disabled | 1.1.0 |
| Automate process to prohibit implementation of unapproved changes | CMA_C1194 - Automate process to prohibit implementation of unapproved changes | Manual, Disabled | 1.1.0 |
| Automate proposed documented changes | CMA_C1191 - Automate proposed documented changes | Manual, Disabled | 1.1.0 |
| Conduct a security impact analysis | CMA_0057 - Conduct a security impact analysis | Manual, Disabled | 1.1.0 |
| Develop and document application security requirements | CMA_0148 - Develop and document application security requirements | Manual, Disabled | 1.1.0 |
| Develop and maintain a vulnerability management standard | CMA_0152 - Develop and maintain a vulnerability management standard | Manual, Disabled | 1.1.0 |
| Document the information system environment in acquisition contracts | CMA_0205 - Document the information system environment in acquisition contracts | Manual, Disabled | 1.1.0 |
| Enforce security configuration settings | CMA_0249 - Enforce security configuration settings | Manual, Disabled | 1.1.0 |
| Establish a risk management strategy | CMA_0258 - Establish a risk management strategy | Manual, Disabled | 1.1.0 |
| Establish a secure software development program | CMA_0259 - Establish a secure software development program | Manual, Disabled | 1.1.0 |
| Establish and document change control processes | CMA_0265 - Establish and document change control processes | Manual, Disabled | 1.1.0 |
| Establish configuration management requirements for developers | CMA_0270 - Establish configuration management requirements for developers | Manual, Disabled | 1.1.0 |
| Perform a privacy impact assessment | CMA_0387 - Perform a privacy impact assessment | Manual, Disabled | 1.1.0 |
| Perform a risk assessment | CMA_0388 - Perform a risk assessment | Manual, Disabled | 1.1.0 |
| Perform audit for configuration change control | CMA_0390 - Perform audit for configuration change control | Manual, Disabled | 1.1.0 |
| Perform vulnerability scans | CMA_0393 - Perform vulnerability scans | Manual, Disabled | 1.1.0 |
| Remediate information system flaws | CMA_0427 - Remediate information system flaws | Manual, Disabled | 1.1.0 |
| Require developers to document approved changes and potential impact | CMA_C1597 - Require developers to document approved changes and potential impact | Manual, Disabled | 1.1.0 |
| Require developers to implement only approved changes | CMA_C1596 - Require developers to implement only approved changes | Manual, Disabled | 1.1.0 |
| Require developers to manage change integrity | CMA_C1595 - Require developers to manage change integrity | Manual, Disabled | 1.1.0 |
Secure system engineering principles
ID : ISO 27001:2013 A.14.2.5
Ownership : Shared
Secure development environment
ID : ISO 27001:2013 A.14.2.6
Ownership : Shared
| Name (Azure portal) | Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Conduct a security impact analysis | CMA_0057 - Conduct a security impact analysis | Manual, Disabled | 1.1.0 |
| Define information security roles and responsibilities | CMA_C1565 - Define information security roles and responsibilities | Manual, Disabled | 1.1.0 |
| Establish and document change control processes | CMA_0265 - Establish and document change control processes | Manual, Disabled | 1.1.0 |
| Establish configuration management requirements for developers | CMA_0270 - Establish configuration management requirements for developers | Manual, Disabled | 1.1.0 |
| Identify individuals with security roles and responsibilities | CMA_C1566 - Identify individuals with security roles and responsibilities | Manual, Disabled | 1.1.1 |
| Integrate risk management process into SDLC | CMA_C1567 - Integrate risk management process into SDLC | Manual, Disabled | 1.1.0 |
| Perform a privacy impact assessment | CMA_0387 - Perform a privacy impact assessment | Manual, Disabled | 1.1.0 |
| Perform audit for configuration change control | CMA_0390 - Perform audit for configuration change control | Manual, Disabled | 1.1.0 |
| Perform vulnerability scans | CMA_0393 - Perform vulnerability scans | Manual, Disabled | 1.1.0 |
| Remediate information system flaws | CMA_0427 - Remediate information system flaws | Manual, Disabled | 1.1.0 |
ID : ISO 27001:2013 A.14.2.7
Ownership : Shared
| Name (Azure portal) | Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Address coding vulnerabilities | CMA_0003 - Address coding vulnerabilities | Manual, Disabled | 1.1.0 |
| Assess risk in third party relationships | CMA_0014 - Assess risk in third party relationships | Manual, Disabled | 1.1.0 |
| Conduct a security impact analysis | CMA_0057 - Conduct a security impact analysis | Manual, Disabled | 1.1.0 |
| Define requirements for supplying goods and services | CMA_0126 - Define requirements for supplying goods and services | Manual, Disabled | 1.1.0 |
| Determine supplier contract obligations | CMA_0140 - Determine supplier contract obligations | Manual, Disabled | 1.1.0 |
| Develop and document application security requirements | CMA_0148 - Develop and document application security requirements | Manual, Disabled | 1.1.0 |
| Document acquisition contract acceptance criteria | CMA_0187 - Document acquisition contract acceptance criteria | Manual, Disabled | 1.1.0 |
| Document protection of personal data in acquisition contracts | CMA_0194 - Document protection of personal data in acquisition contracts | Manual, Disabled | 1.1.0 |
| Document protection of security information in acquisition contracts | CMA_0195 - Document protection of security information in acquisition contracts | Manual, Disabled | 1.1.0 |
| Document requirements for the use of shared data in contracts | CMA_0197 - Document requirements for the use of shared data in contracts | Manual, Disabled | 1.1.0 |
| Document security assurance requirements in acquisition contracts | CMA_0199 - Document security assurance requirements in acquisition contracts | Manual, Disabled | 1.1.0 |
| Document security documentation requirements in acquisition contract | CMA_0200 - Document security documentation requirements in acquisition contract | Manual, Disabled | 1.1.0 |
| Document security functional requirements in acquisition contracts | CMA_0201 - Document security functional requirements in acquisition contracts | Manual, Disabled | 1.1.0 |
| Document security strength requirements in acquisition contracts | CMA_0203 - Document security strength requirements in acquisition contracts | Manual, Disabled | 1.1.0 |
| Document the information system environment in acquisition contracts | CMA_0205 - Document the information system environment in acquisition contracts | Manual, Disabled | 1.1.0 |
| Document the protection of cardholder data in third party contracts | CMA_0207 - Document the protection of cardholder data in third party contracts | Manual, Disabled | 1.1.0 |
| Establish a secure software development program | CMA_0259 - Establish a secure software development program | Manual, Disabled | 1.1.0 |
| Establish and document change control processes | CMA_0265 - Establish and document change control processes | Manual, Disabled | 1.1.0 |
| Establish configuration management requirements for developers | CMA_0270 - Establish configuration management requirements for developers | Manual, Disabled | 1.1.0 |
| Establish policies for supply chain risk management | CMA_0275 - Establish policies for supply chain risk management | Manual, Disabled | 1.1.0 |
| Perform a privacy impact assessment | CMA_0387 - Perform a privacy impact assessment | Manual, Disabled | 1.1.0 |
| Perform audit for configuration change control | CMA_0390 - Perform audit for configuration change control | Manual, Disabled | 1.1.0 |
| Perform vulnerability scans | CMA_0393 - Perform vulnerability scans | Manual, Disabled | 1.1.0 |
| Remediate information system flaws | CMA_0427 - Remediate information system flaws | Manual, Disabled | 1.1.0 |
| Require developers to document approved changes and potential impact | CMA_C1597 - Require developers to document approved changes and potential impact | Manual, Disabled | 1.1.0 |
| Require developers to implement only approved changes | CMA_C1596 - Require developers to implement only approved changes | Manual, Disabled | 1.1.0 |
| Require developers to manage change integrity | CMA_C1595 - Require developers to manage change integrity | Manual, Disabled | 1.1.0 |
| Require developers to produce evidence of security assessment plan execution | CMA_C1602 - Require developers to produce evidence of security assessment plan execution | Manual, Disabled | 1.1.0 |
ID : ISO 27001:2013 A.14.2.8
Ownership : Shared
System acceptance testing
ID : ISO 27001:2013 A.14.2.9
Ownership : Shared
| Name (Azure portal) | Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Assign an authorizing official (AO) | CMA_C1158 - Assign an authorizing official (AO) | Manual, Disabled | 1.1.0 |
| Determine supplier contract obligations | CMA_0140 - Determine supplier contract obligations | Manual, Disabled | 1.1.0 |
| Document acquisition contract acceptance criteria | CMA_0187 - Document acquisition contract acceptance criteria | Manual, Disabled | 1.1.0 |
| Document protection of personal data in acquisition contracts | CMA_0194 - Document protection of personal data in acquisition contracts | Manual, Disabled | 1.1.0 |
| Document protection of security information in acquisition contracts | CMA_0195 - Document protection of security information in acquisition contracts | Manual, Disabled | 1.1.0 |
| Document requirements for the use of shared data in contracts | CMA_0197 - Document requirements for the use of shared data in contracts | Manual, Disabled | 1.1.0 |
| Document security assurance requirements in acquisition contracts | CMA_0199 - Document security assurance requirements in acquisition contracts | Manual, Disabled | 1.1.0 |
| Document security documentation requirements in acquisition contract | CMA_0200 - Document security documentation requirements in acquisition contract | Manual, Disabled | 1.1.0 |
| Document security functional requirements in acquisition contracts | CMA_0201 - Document security functional requirements in acquisition contracts | Manual, Disabled | 1.1.0 |
| Document security strength requirements in acquisition contracts | CMA_0203 - Document security strength requirements in acquisition contracts | Manual, Disabled | 1.1.0 |
| Document the information system environment in acquisition contracts | CMA_0205 - Document the information system environment in acquisition contracts | Manual, Disabled | 1.1.0 |
| Document the protection of cardholder data in third party contracts | CMA_0207 - Document the protection of cardholder data in third party contracts | Manual, Disabled | 1.1.0 |
| Ensure resources are authorized | CMA_C1159 - Ensure resources are authorized | Manual, Disabled | 1.1.0 |
| Ensure there are no unencrypted static authenticators | CMA_C1340 - Ensure there are no unencrypted static authenticators | Manual, Disabled | 1.1.0 |
ID : ISO 27001:2013 A.14.3.1
Ownership : Shared
| Name (Azure portal) | Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Adhere to retention periods defined | CMA_0004 - Adhere to retention periods defined | Manual, Disabled | 1.1.0 |
| Conduct a security impact analysis | CMA_0057 - Conduct a security impact analysis | Manual, Disabled | 1.1.0 |
| Ensure there are no unencrypted static authenticators | CMA_C1340 - Ensure there are no unencrypted static authenticators | Manual, Disabled | 1.1.0 |
| Establish and document change control processes | CMA_0265 - Establish and document change control processes | Manual, Disabled | 1.1.0 |
| Establish configuration management requirements for developers | CMA_0270 - Establish configuration management requirements for developers | Manual, Disabled | 1.1.0 |
| Perform a privacy impact assessment | CMA_0387 - Perform a privacy impact assessment | Manual, Disabled | 1.1.0 |
| Perform audit for configuration change control | CMA_0390 - Perform audit for configuration change control | Manual, Disabled | 1.1.0 |
| Perform disposition review | CMA_0391 - Perform disposition review | Manual, Disabled | 1.1.0 |
| Perform vulnerability scans | CMA_0393 - Perform vulnerability scans | Manual, Disabled | 1.1.0 |
| Remediate information system flaws | CMA_0427 - Remediate information system flaws | Manual, Disabled | 1.1.0 |
| Verify personal data is deleted at the end of processing | CMA_0540 - Verify personal data is deleted at the end of processing | Manual, Disabled | 1.1.0 |
ID: ISO 27001:2013 A.15.1.1
Ownership: Shared
Addressing security within supplier agreement
ID: ISO 27001:2013 A.15.1.2
Ownership: Shared

| Name (Azure portal) | Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Assess risk in third party relationships | CMA_0014 - Assess risk in third party relationships | Manual, Disabled | 1.1.0 |
| Check for privacy and security compliance before establishing internal connections | CMA_0053 - Check for privacy and security compliance before establishing internal connections | Manual, Disabled | 1.1.0 |
| Define requirements for supplying goods and services | CMA_0126 - Define requirements for supplying goods and services | Manual, Disabled | 1.1.0 |
| Determine supplier contract obligations | CMA_0140 - Determine supplier contract obligations | Manual, Disabled | 1.1.0 |
| Develop acceptable use policies and procedures | CMA_0143 - Develop acceptable use policies and procedures | Manual, Disabled | 1.1.0 |
| Develop organization code of conduct policy | CMA_0159 - Develop organization code of conduct policy | Manual, Disabled | 1.1.0 |
| Document acquisition contract acceptance criteria | CMA_0187 - Document acquisition contract acceptance criteria | Manual, Disabled | 1.1.0 |
| Document personnel acceptance of privacy requirements | CMA_0193 - Document personnel acceptance of privacy requirements | Manual, Disabled | 1.1.0 |
| Document protection of personal data in acquisition contracts | CMA_0194 - Document protection of personal data in acquisition contracts | Manual, Disabled | 1.1.0 |
| Document protection of security information in acquisition contracts | CMA_0195 - Document protection of security information in acquisition contracts | Manual, Disabled | 1.1.0 |
| Document requirements for the use of shared data in contracts | CMA_0197 - Document requirements for the use of shared data in contracts | Manual, Disabled | 1.1.0 |
| Document security assurance requirements in acquisition contracts | CMA_0199 - Document security assurance requirements in acquisition contracts | Manual, Disabled | 1.1.0 |
| Document security documentation requirements in acquisition contract | CMA_0200 - Document security documentation requirements in acquisition contract | Manual, Disabled | 1.1.0 |
| Document security functional requirements in acquisition contracts | CMA_0201 - Document security functional requirements in acquisition contracts | Manual, Disabled | 1.1.0 |
| Document security strength requirements in acquisition contracts | CMA_0203 - Document security strength requirements in acquisition contracts | Manual, Disabled | 1.1.0 |
| Document the information system environment in acquisition contracts | CMA_0205 - Document the information system environment in acquisition contracts | Manual, Disabled | 1.1.0 |
| Document the protection of cardholder data in third party contracts | CMA_0207 - Document the protection of cardholder data in third party contracts | Manual, Disabled | 1.1.0 |
| Enforce rules of behavior and access agreements | CMA_0248 - Enforce rules of behavior and access agreements | Manual, Disabled | 1.1.0 |
| Establish policies for supply chain risk management | CMA_0275 - Establish policies for supply chain risk management | Manual, Disabled | 1.1.0 |
| Identify external service providers | CMA_C1591 - Identify external service providers | Manual, Disabled | 1.1.0 |
| Prohibit unfair practices | CMA_0396 - Prohibit unfair practices | Manual, Disabled | 1.1.0 |
| Review and sign revised rules of behavior | CMA_0465 - Review and sign revised rules of behavior | Manual, Disabled | 1.1.0 |
| Update rules of behavior and access agreements | CMA_0521 - Update rules of behavior and access agreements | Manual, Disabled | 1.1.0 |
| Update rules of behavior and access agreements every 3 years | CMA_0522 - Update rules of behavior and access agreements every 3 years | Manual, Disabled | 1.1.0 |
ID: ISO 27001:2013 A.15.1.3
Ownership: Shared
Monitoring and review of supplier services
ID: ISO 27001:2013 A.15.2.1
Ownership: Shared
Managing changes to supplier services
ID: ISO 27001:2013 A.15.2.2
Ownership: Shared

| Name (Azure portal) | Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Define and document government oversight | CMA_C1587 - Define and document government oversight | Manual, Disabled | 1.1.0 |
| Determine supplier contract obligations | CMA_0140 - Determine supplier contract obligations | Manual, Disabled | 1.1.0 |
| Document acquisition contract acceptance criteria | CMA_0187 - Document acquisition contract acceptance criteria | Manual, Disabled | 1.1.0 |
| Document protection of personal data in acquisition contracts | CMA_0194 - Document protection of personal data in acquisition contracts | Manual, Disabled | 1.1.0 |
| Document protection of security information in acquisition contracts | CMA_0195 - Document protection of security information in acquisition contracts | Manual, Disabled | 1.1.0 |
| Document requirements for the use of shared data in contracts | CMA_0197 - Document requirements for the use of shared data in contracts | Manual, Disabled | 1.1.0 |
| Document security assurance requirements in acquisition contracts | CMA_0199 - Document security assurance requirements in acquisition contracts | Manual, Disabled | 1.1.0 |
| Document security documentation requirements in acquisition contract | CMA_0200 - Document security documentation requirements in acquisition contract | Manual, Disabled | 1.1.0 |
| Document security functional requirements in acquisition contracts | CMA_0201 - Document security functional requirements in acquisition contracts | Manual, Disabled | 1.1.0 |
| Document security strength requirements in acquisition contracts | CMA_0203 - Document security strength requirements in acquisition contracts | Manual, Disabled | 1.1.0 |
| Document the information system environment in acquisition contracts | CMA_0205 - Document the information system environment in acquisition contracts | Manual, Disabled | 1.1.0 |
| Document the protection of cardholder data in third party contracts | CMA_0207 - Document the protection of cardholder data in third party contracts | Manual, Disabled | 1.1.0 |
| Require external service providers to comply with security requirements | CMA_C1586 - Require external service providers to comply with security requirements | Manual, Disabled | 1.1.0 |
| Review cloud service provider's compliance with policies and agreements | CMA_0469 - Review cloud service provider's compliance with policies and agreements | Manual, Disabled | 1.1.0 |
| Undergo independent security review | CMA_0515 - Undergo independent security review | Manual, Disabled | 1.1.0 |
Responsibilities and procedures
ID: ISO 27001:2013 A.16.1.1
Ownership: Shared
ID: ISO 27001:2013 A.16.1.2
Ownership: Shared

| Name (Azure portal) | Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Correlate audit records | CMA_0087 - Correlate audit records | Manual, Disabled | 1.1.0 |
| Document security operations | CMA_0202 - Document security operations | Manual, Disabled | 1.1.0 |
| Establish requirements for audit review and reporting | CMA_0277 - Establish requirements for audit review and reporting | Manual, Disabled | 1.1.0 |
| Implement incident handling | CMA_0318 - Implement incident handling | Manual, Disabled | 1.1.0 |
| Integrate audit review, analysis, and reporting | CMA_0339 - Integrate audit review, analysis, and reporting | Manual, Disabled | 1.1.0 |
| Integrate cloud app security with a siem | CMA_0340 - Integrate cloud app security with a siem | Manual, Disabled | 1.1.0 |
| Report atypical behavior of user accounts | CMA_C1025 - Report atypical behavior of user accounts | Manual, Disabled | 1.1.0 |
| Review account provisioning logs | CMA_0460 - Review account provisioning logs | Manual, Disabled | 1.1.0 |
| Review administrator assignments weekly | CMA_0461 - Review administrator assignments weekly | Manual, Disabled | 1.1.0 |
| Review audit data | CMA_0466 - Review audit data | Manual, Disabled | 1.1.0 |
| Review cloud identity report overview | CMA_0468 - Review cloud identity report overview | Manual, Disabled | 1.1.0 |
| Review controlled folder access events | CMA_0471 - Review controlled folder access events | Manual, Disabled | 1.1.0 |
| Review file and folder activity | CMA_0473 - Review file and folder activity | Manual, Disabled | 1.1.0 |
| Review role group changes weekly | CMA_0476 - Review role group changes weekly | Manual, Disabled | 1.1.0 |
ID: ISO 27001:2013 A.16.1.3
Ownership: Shared
ID: ISO 27001:2013 A.16.1.4
Ownership: Shared

| Name (Azure portal) | Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Assess information security events | CMA_0013 - Assess information security events | Manual, Disabled | 1.1.0 |
| Coordinate contingency plans with related plans | CMA_0086 - Coordinate contingency plans with related plans | Manual, Disabled | 1.1.0 |
| Correlate audit records | CMA_0087 - Correlate audit records | Manual, Disabled | 1.1.0 |
| Develop an incident response plan | CMA_0145 - Develop an incident response plan | Manual, Disabled | 1.1.0 |
| Develop security safeguards | CMA_0161 - Develop security safeguards | Manual, Disabled | 1.1.0 |
| Enable network protection | CMA_0238 - Enable network protection | Manual, Disabled | 1.1.0 |
| Eradicate contaminated information | CMA_0253 - Eradicate contaminated information | Manual, Disabled | 1.1.0 |
| Establish requirements for audit review and reporting | CMA_0277 - Establish requirements for audit review and reporting | Manual, Disabled | 1.1.0 |
| Execute actions in response to information spills | CMA_0281 - Execute actions in response to information spills | Manual, Disabled | 1.1.0 |
| Implement incident handling | CMA_0318 - Implement incident handling | Manual, Disabled | 1.1.0 |
| Integrate audit review, analysis, and reporting | CMA_0339 - Integrate audit review, analysis, and reporting | Manual, Disabled | 1.1.0 |
| Integrate cloud app security with a siem | CMA_0340 - Integrate cloud app security with a siem | Manual, Disabled | 1.1.0 |
| Maintain incident response plan | CMA_0352 - Maintain incident response plan | Manual, Disabled | 1.1.0 |
| Perform a trend analysis on threats | CMA_0389 - Perform a trend analysis on threats | Manual, Disabled | 1.1.0 |
| Report atypical behavior of user accounts | CMA_C1025 - Report atypical behavior of user accounts | Manual, Disabled | 1.1.0 |
| Review account provisioning logs | CMA_0460 - Review account provisioning logs | Manual, Disabled | 1.1.0 |
| Review administrator assignments weekly | CMA_0461 - Review administrator assignments weekly | Manual, Disabled | 1.1.0 |
| Review audit data | CMA_0466 - Review audit data | Manual, Disabled | 1.1.0 |
| Review cloud identity report overview | CMA_0468 - Review cloud identity report overview | Manual, Disabled | 1.1.0 |
| Review controlled folder access events | CMA_0471 - Review controlled folder access events | Manual, Disabled | 1.1.0 |
| Review file and folder activity | CMA_0473 - Review file and folder activity | Manual, Disabled | 1.1.0 |
| Review role group changes weekly | CMA_0476 - Review role group changes weekly | Manual, Disabled | 1.1.0 |
| View and investigate restricted users | CMA_0545 - View and investigate restricted users | Manual, Disabled | 1.1.0 |
ID: ISO 27001:2013 A.16.1.5
Ownership: Shared

| Name (Azure portal) | Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Assess information security events | CMA_0013 - Assess information security events | Manual, Disabled | 1.1.0 |
| Coordinate contingency plans with related plans | CMA_0086 - Coordinate contingency plans with related plans | Manual, Disabled | 1.1.0 |
| Develop an incident response plan | CMA_0145 - Develop an incident response plan | Manual, Disabled | 1.1.0 |
| Develop security safeguards | CMA_0161 - Develop security safeguards | Manual, Disabled | 1.1.0 |
| Enable network protection | CMA_0238 - Enable network protection | Manual, Disabled | 1.1.0 |
| Eradicate contaminated information | CMA_0253 - Eradicate contaminated information | Manual, Disabled | 1.1.0 |
| Execute actions in response to information spills | CMA_0281 - Execute actions in response to information spills | Manual, Disabled | 1.1.0 |
| Implement incident handling | CMA_0318 - Implement incident handling | Manual, Disabled | 1.1.0 |
| Maintain incident response plan | CMA_0352 - Maintain incident response plan | Manual, Disabled | 1.1.0 |
| Perform a trend analysis on threats | CMA_0389 - Perform a trend analysis on threats | Manual, Disabled | 1.1.0 |
| Report atypical behavior of user accounts | CMA_C1025 - Report atypical behavior of user accounts | Manual, Disabled | 1.1.0 |
| View and investigate restricted users | CMA_0545 - View and investigate restricted users | Manual, Disabled | 1.1.0 |
ID: ISO 27001:2013 A.16.1.6
Ownership: Shared

| Name (Azure portal) | Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Assess information security events | CMA_0013 - Assess information security events | Manual, Disabled | 1.1.0 |
| Coordinate contingency plans with related plans | CMA_0086 - Coordinate contingency plans with related plans | Manual, Disabled | 1.1.0 |
| Develop an incident response plan | CMA_0145 - Develop an incident response plan | Manual, Disabled | 1.1.0 |
| Develop security safeguards | CMA_0161 - Develop security safeguards | Manual, Disabled | 1.1.0 |
| Discover any indicators of compromise | CMA_C1702 - Discover any indicators of compromise | Manual, Disabled | 1.1.0 |
| Enable network protection | CMA_0238 - Enable network protection | Manual, Disabled | 1.1.0 |
| Eradicate contaminated information | CMA_0253 - Eradicate contaminated information | Manual, Disabled | 1.1.0 |
| Execute actions in response to information spills | CMA_0281 - Execute actions in response to information spills | Manual, Disabled | 1.1.0 |
| Implement incident handling | CMA_0318 - Implement incident handling | Manual, Disabled | 1.1.0 |
| Maintain incident response plan | CMA_0352 - Maintain incident response plan | Manual, Disabled | 1.1.0 |
| Perform a trend analysis on threats | CMA_0389 - Perform a trend analysis on threats | Manual, Disabled | 1.1.0 |
| Report atypical behavior of user accounts | CMA_C1025 - Report atypical behavior of user accounts | Manual, Disabled | 1.1.0 |
| View and investigate restricted users | CMA_0545 - View and investigate restricted users | Manual, Disabled | 1.1.0 |
ID: ISO 27001:2013 A.16.1.7
Ownership: Shared
ID: ISO 27001:2013 A.17.1.1
Ownership: Shared

| Name (Azure portal) | Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Communicate contingency plan changes | CMA_C1249 - Communicate contingency plan changes | Manual, Disabled | 1.1.0 |
| Coordinate contingency plans with related plans | CMA_0086 - Coordinate contingency plans with related plans | Manual, Disabled | 1.1.0 |
| Develop and document a business continuity and disaster recovery plan | CMA_0146 - Develop and document a business continuity and disaster recovery plan | Manual, Disabled | 1.1.0 |
| Develop contingency plan | CMA_C1244 - Develop contingency plan | Manual, Disabled | 1.1.0 |
| Develop contingency planning policies and procedures | CMA_0156 - Develop contingency planning policies and procedures | Manual, Disabled | 1.1.0 |
| Distribute policies and procedures | CMA_0185 - Distribute policies and procedures | Manual, Disabled | 1.1.0 |
| Plan for resumption of essential business functions | CMA_C1253 - Plan for resumption of essential business functions | Manual, Disabled | 1.1.0 |
| Resume all mission and business functions | CMA_C1254 - Resume all mission and business functions | Manual, Disabled | 1.1.0 |
| Review and update contingency planning policies and procedures | CMA_C1243 - Review and update contingency planning policies and procedures | Manual, Disabled | 1.1.0 |
| Review contingency plan | CMA_C1247 - Review contingency plan | Manual, Disabled | 1.1.0 |
| Update contingency plan | CMA_C1248 - Update contingency plan | Manual, Disabled | 1.1.0 |
ID: ISO 27001:2013 A.17.1.2
Ownership: Shared

| Name (Azure portal) | Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Communicate contingency plan changes | CMA_C1249 - Communicate contingency plan changes | Manual, Disabled | 1.1.0 |
| Conduct backup of information system documentation | CMA_C1289 - Conduct backup of information system documentation | Manual, Disabled | 1.1.0 |
| Coordinate contingency plans with related plans | CMA_0086 - Coordinate contingency plans with related plans | Manual, Disabled | 1.1.0 |
| Create separate alternate and primary storage sites | CMA_C1269 - Create separate alternate and primary storage sites | Manual, Disabled | 1.1.0 |
| Develop contingency plan | CMA_C1244 - Develop contingency plan | Manual, Disabled | 1.1.0 |
| Ensure alternate storage site safeguards are equivalent to primary site | CMA_C1268 - Ensure alternate storage site safeguards are equivalent to primary site | Manual, Disabled | 1.1.0 |
| Ensure information system fails in known state | CMA_C1662 - Ensure information system fails in known state | Manual, Disabled | 1.1.0 |
| Establish alternate storage site to store and retrieve backup information | CMA_C1267 - Establish alternate storage site to store and retrieve backup information | Manual, Disabled | 1.1.0 |
| Establish an alternate processing site | CMA_0262 - Establish an alternate processing site | Manual, Disabled | 1.1.0 |
| Establish backup policies and procedures | CMA_0268 - Establish backup policies and procedures | Manual, Disabled | 1.1.0 |
| Establish requirements for internet service providers | CMA_0278 - Establish requirements for internet service providers | Manual, Disabled | 1.1.0 |
| Identify and mitigate potential issues at alternate storage site | CMA_C1271 - Identify and mitigate potential issues at alternate storage site | Manual, Disabled | 1.1.0 |
| Implement controls to secure all media | CMA_0314 - Implement controls to secure all media | Manual, Disabled | 1.1.0 |
| Implement transaction based recovery | CMA_C1296 - Implement transaction based recovery | Manual, Disabled | 1.1.0 |
| Plan for continuance of essential business functions | CMA_C1255 - Plan for continuance of essential business functions | Manual, Disabled | 1.1.0 |
| Plan for resumption of essential business functions | CMA_C1253 - Plan for resumption of essential business functions | Manual, Disabled | 1.1.0 |
| Recover and reconstitute resources after any disruption | CMA_C1295 - Recover and reconstitute resources after any disruption | Manual, Disabled | 1.1.1 |
| Resume all mission and business functions | CMA_C1254 - Resume all mission and business functions | Manual, Disabled | 1.1.0 |
ID: ISO 27001:2013 A.17.1.3
Ownership: Shared
ID: ISO 27001:2013 A.17.2.1
Ownership: Shared

| Name (Azure portal) | Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Communicate contingency plan changes | CMA_C1249 - Communicate contingency plan changes | Manual, Disabled | 1.1.0 |
| Coordinate contingency plans with related plans | CMA_0086 - Coordinate contingency plans with related plans | Manual, Disabled | 1.1.0 |
| Create separate alternate and primary storage sites | CMA_C1269 - Create separate alternate and primary storage sites | Manual, Disabled | 1.1.0 |
| Develop and document a business continuity and disaster recovery plan | CMA_0146 - Develop and document a business continuity and disaster recovery plan | Manual, Disabled | 1.1.0 |
| Develop contingency plan | CMA_C1244 - Develop contingency plan | Manual, Disabled | 1.1.0 |
| Develop contingency planning policies and procedures | CMA_0156 - Develop contingency planning policies and procedures | Manual, Disabled | 1.1.0 |
| Distribute policies and procedures | CMA_0185 - Distribute policies and procedures | Manual, Disabled | 1.1.0 |
| Ensure alternate storage site safeguards are equivalent to primary site | CMA_C1268 - Ensure alternate storage site safeguards are equivalent to primary site | Manual, Disabled | 1.1.0 |
| Ensure information system fails in known state | CMA_C1662 - Ensure information system fails in known state | Manual, Disabled | 1.1.0 |
| Establish alternate storage site to store and retrieve backup information | CMA_C1267 - Establish alternate storage site to store and retrieve backup information | Manual, Disabled | 1.1.0 |
| Establish an alternate processing site | CMA_0262 - Establish an alternate processing site | Manual, Disabled | 1.1.0 |
| Identify and mitigate potential issues at alternate storage site | CMA_C1271 - Identify and mitigate potential issues at alternate storage site | Manual, Disabled | 1.1.0 |
| Plan for continuance of essential business functions | CMA_C1255 - Plan for continuance of essential business functions | Manual, Disabled | 1.1.0 |
| Plan for resumption of essential business functions | CMA_C1253 - Plan for resumption of essential business functions | Manual, Disabled | 1.1.0 |
| Resume all mission and business functions | CMA_C1254 - Resume all mission and business functions | Manual, Disabled | 1.1.0 |
| Review contingency plan | CMA_C1247 - Review contingency plan | Manual, Disabled | 1.1.0 |
| Update contingency plan | CMA_C1248 - Update contingency plan | Manual, Disabled | 1.1.0 |
Identification of applicable legislation and contractual requirements
ID: ISO 27001:2013 A.18.1.1
Ownership: Shared

| Name (Azure portal) | Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Develop access control policies and procedures | CMA_0144 - Develop access control policies and procedures | Manual, Disabled | 1.1.0 |
| Develop and establish a system security plan | CMA_0151 - Develop and establish a system security plan | Manual, Disabled | 1.1.0 |
| Develop audit and accountability policies and procedures | CMA_0154 - Develop audit and accountability policies and procedures | Manual, Disabled | 1.1.0 |
| Develop information security policies and procedures | CMA_0158 - Develop information security policies and procedures | Manual, Disabled | 1.1.0 |
| Document security and privacy training activities | CMA_0198 - Document security and privacy training activities | Manual, Disabled | 1.1.0 |
| Enforce mandatory and discretionary access control policies | CMA_0246 - Enforce mandatory and discretionary access control policies | Manual, Disabled | 1.1.0 |
| Establish a privacy program | CMA_0257 - Establish a privacy program | Manual, Disabled | 1.1.0 |
| Establish a risk management strategy | CMA_0258 - Establish a risk management strategy | Manual, Disabled | 1.1.0 |
| Establish an information security program | CMA_0263 - Establish an information security program | Manual, Disabled | 1.1.0 |
| Establish security requirements for the manufacturing of connected devices | CMA_0279 - Establish security requirements for the manufacturing of connected devices | Manual, Disabled | 1.1.0 |
| Govern policies and procedures | CMA_0292 - Govern policies and procedures | Manual, Disabled | 1.1.0 |
| Implement security engineering principles of information systems | CMA_0325 - Implement security engineering principles of information systems | Manual, Disabled | 1.1.0 |
| Protect the information security program plan | CMA_C1732 - Protect the information security program plan | Manual, Disabled | 1.1.0 |
| Review access control policies and procedures | CMA_0457 - Review access control policies and procedures | Manual, Disabled | 1.1.0 |
| Review and update configuration management policies and procedures | CMA_C1175 - Review and update configuration management policies and procedures | Manual, Disabled | 1.1.0 |
| Review and update contingency planning policies and procedures | CMA_C1243 - Review and update contingency planning policies and procedures | Manual, Disabled | 1.1.0 |
| Review and update identification and authentication policies and procedures | CMA_C1299 - Review and update identification and authentication policies and procedures | Manual, Disabled | 1.1.0 |
| Review and update incident response policies and procedures | CMA_C1352 - Review and update incident response policies and procedures | Manual, Disabled | 1.1.0 |
| Review and update information integrity policies and procedures | CMA_C1667 - Review and update information integrity policies and procedures | Manual, Disabled | 1.1.0 |
| Review and update media protection policies and procedures | CMA_C1427 - Review and update media protection policies and procedures | Manual, Disabled | 1.1.0 |
| Review and update personnel security policies and procedures | CMA_C1507 - Review and update personnel security policies and procedures | Manual, Disabled | 1.1.0 |
| Review and update physical and environmental policies and procedures | CMA_C1446 - Review and update physical and environmental policies and procedures | Manual, Disabled | 1.1.0 |
| Review and update planning policies and procedures | CMA_C1491 - Review and update planning policies and procedures | Manual, Disabled | 1.1.0 |
| Review and update risk assessment policies and procedures | CMA_C1537 - Review and update risk assessment policies and procedures | Manual, Disabled | 1.1.0 |
| Review and update system and communications protection policies and procedures | CMA_C1616 - Review and update system and communications protection policies and procedures | Manual, Disabled | 1.1.0 |
| Review and update system and services acquisition policies and procedures | CMA_C1560 - Review and update system and services acquisition policies and procedures | Manual, Disabled | 1.1.0 |
| Review and update system maintenance policies and procedures | CMA_C1395 - Review and update system maintenance policies and procedures | Manual, Disabled | 1.1.0 |
| Review security assessment and authorization policies and procedures | CMA_C1143 - Review security assessment and authorization policies and procedures | Manual, Disabled | 1.1.0 |
| Update information security policies | CMA_0518 - Update information security policies | Manual, Disabled | 1.1.0 |
| Update privacy plan, policies, and procedures | CMA_C1807 - Update privacy plan, policies, and procedures | Manual, Disabled | 1.1.0 |
Intellectual property rights
ID: ISO 27001:2013 A.18.1.2
Ownership: Shared
ID: ISO 27001:2013 A.18.1.3
Ownership: Shared

| Name (Azure portal) | Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Authorize access to security functions and information | CMA_0022 - Authorize access to security functions and information | Manual, Disabled | 1.1.0 |
| Authorize and manage access | CMA_0023 - Authorize and manage access | Manual, Disabled | 1.1.0 |
| Conduct backup of information system documentation | CMA_C1289 - Conduct backup of information system documentation | Manual, Disabled | 1.1.0 |
| Control physical access | CMA_0081 - Control physical access | Manual, Disabled | 1.1.0 |
| Enable dual or joint authorization | CMA_0226 - Enable dual or joint authorization | Manual, Disabled | 1.1.0 |
| Enforce logical access | CMA_0245 - Enforce logical access | Manual, Disabled | 1.1.0 |
| Ensure information system fails in known state | CMA_C1662 - Ensure information system fails in known state | Manual, Disabled | 1.1.0 |
| Establish backup policies and procedures | CMA_0268 - Establish backup policies and procedures | Manual, Disabled | 1.1.0 |
| Implement controls to secure all media | CMA_0314 - Implement controls to secure all media | Manual, Disabled | 1.1.0 |
| Implement transaction based recovery | CMA_C1296 - Implement transaction based recovery | Manual, Disabled | 1.1.0 |
| Manage the input, output, processing, and storage of data | CMA_0369 - Manage the input, output, processing, and storage of data | Manual, Disabled | 1.1.0 |
| Protect audit information | CMA_0401 - Protect audit information | Manual, Disabled | 1.1.0 |
| Require approval for account creation | CMA_0431 - Require approval for account creation | Manual, Disabled | 1.1.0 |
| Review label activity and analytics | CMA_0474 - Review label activity and analytics | Manual, Disabled | 1.1.0 |
| Review user groups and applications with access to sensitive data | CMA_0481 - Review user groups and applications with access to sensitive data | Manual, Disabled | 1.1.0 |
ID: ISO 27001:2013 A.18.1.4
Ownership: Shared

| Name (Azure portal) | Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Control physical access | CMA_0081 - Control physical access | Manual, Disabled | 1.1.0 |
| Establish a privacy program | CMA_0257 - Establish a privacy program | Manual, Disabled | 1.1.0 |
| Establish an information security program | CMA_0263 - Establish an information security program | Manual, Disabled | 1.1.0 |
| Manage compliance activities | CMA_0358 - Manage compliance activities | Manual, Disabled | 1.1.0 |
| Manage the input, output, processing, and storage of data | CMA_0369 - Manage the input, output, processing, and storage of data | Manual, Disabled | 1.1.0 |
| Review label activity and analytics | CMA_0474 - Review label activity and analytics | Manual, Disabled | 1.1.0 |
Regulation of cryptographic controls
ID: ISO 27001:2013 A.18.1.5
Ownership: Shared
ID: ISO 27001:2013 A.18.2.1
Ownership: Shared
Compliance with security policies and standards
ID: ISO 27001:2013 A.18.2.2
Ownership: Shared

| Name (Azure portal) | Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Assess Security Controls | CMA_C1145 - Assess Security Controls | Manual, Disabled | 1.1.0 |
| Check for privacy and security compliance before establishing internal connections | CMA_0053 - Check for privacy and security compliance before establishing internal connections | Manual, Disabled | 1.1.0 |
| Configure detection whitelist | CMA_0068 - Configure detection whitelist | Manual, Disabled | 1.1.0 |
| Deliver security assessment results | CMA_C1147 - Deliver security assessment results | Manual, Disabled | 1.1.0 |
| Develop access control policies and procedures | CMA_0144 - Develop access control policies and procedures | Manual, Disabled | 1.1.0 |
| Develop and establish a system security plan | CMA_0151 - Develop and establish a system security plan | Manual, Disabled | 1.1.0 |
| Develop audit and accountability policies and procedures | CMA_0154 - Develop audit and accountability policies and procedures | Manual, Disabled | 1.1.0 |
| Develop information security policies and procedures | CMA_0158 - Develop information security policies and procedures | Manual, Disabled | 1.1.0 |
| Develop security assessment plan | CMA_C1144 - Develop security assessment plan | Manual, Disabled | 1.1.0 |
| Document security and privacy training activities | CMA_0198 - Document security and privacy training activities | Manual, Disabled | 1.1.0 |
| Establish a privacy program | CMA_0257 - Establish a privacy program | Manual, Disabled | 1.1.0 |
| Establish an information security program | CMA_0263 - Establish an information security program | Manual, Disabled | 1.1.0 |
| Establish security requirements for the manufacturing of connected devices | CMA_0279 - Establish security requirements for the manufacturing of connected devices | Manual, Disabled | 1.1.0 |
| Govern policies and procedures | CMA_0292 - Govern policies and procedures | Manual, Disabled | 1.1.0 |
| Implement security engineering principles of information systems | CMA_0325 - Implement security engineering principles of information systems | Manual, Disabled | 1.1.0 |
| Produce Security Assessment report | CMA_C1146 - Produce Security Assessment report | Manual, Disabled | 1.1.0 |
| Protect the information security program plan | CMA_C1732 - Protect the information security program plan | Manual, Disabled | 1.1.0 |
| Review access control policies and procedures | CMA_0457 - Review access control policies and procedures | Manual, Disabled | 1.1.0 |
| Review and update configuration management policies and procedures | CMA_C1175 - Review and update configuration management policies and procedures | Manual, Disabled | 1.1.0 |
| Review and update contingency planning policies and procedures | CMA_C1243 - Review and update contingency planning policies and procedures | Manual, Disabled | 1.1.0 |
| Review and update identification and authentication policies and procedures | CMA_C1299 - Review and update identification and authentication policies and procedures | Manual, Disabled | 1.1.0 |
| Review and update incident response policies and procedures | CMA_C1352 - Review and update incident response policies and procedures | Manual, Disabled | 1.1.0 |
| Review and update information integrity policies and procedures | CMA_C1667 - Review and update information integrity policies and procedures | Manual, Disabled | 1.1.0 |
| Review and update media protection policies and procedures | CMA_C1427 - Review and update media protection policies and procedures | Manual, Disabled | 1.1.0 |
| Review and update personnel security policies and procedures | CMA_C1507 - Review and update personnel security policies and procedures | Manual, Disabled | 1.1.0 |
| Review and update physical and environmental policies and procedures | CMA_C1446 - Review and update physical and environmental policies and procedures | Manual, Disabled | 1.1.0 |
| Review and update planning policies and procedures | CMA_C1491 - Review and update planning policies and procedures | Manual, Disabled | 1.1.0 |
| Review and update risk assessment policies and procedures | CMA_C1537 - Review and update risk assessment policies and procedures | Manual, Disabled | 1.1.0 |
| Review and update system and communications protection policies and procedures | CMA_C1616 - Review and update system and communications protection policies and procedures | Manual, Disabled | 1.1.0 |
| Review and update system and services acquisition policies and procedures | CMA_C1560 - Review and update system and services acquisition policies and procedures | Manual, Disabled | 1.1.0 |
| Review and update system maintenance policies and procedures | CMA_C1395 - Review and update system maintenance policies and procedures | Manual, Disabled | 1.1.0 |
| Review security assessment and authorization policies and procedures | CMA_C1143 - Review security assessment and authorization policies and procedures | Manual, Disabled | 1.1.0 |
| Turn on sensors for endpoint security solution | CMA_0514 - Turn on sensors for endpoint security solution | Manual, Disabled | 1.1.0 |
| Undergo independent security review | CMA_0515 - Undergo independent security review | Manual, Disabled | 1.1.0 |
| Update information security policies | CMA_0518 - Update information security policies | Manual, Disabled | 1.1.0 |
| Update privacy plan, policies, and procedures | CMA_C1807 - Update privacy plan, policies, and procedures | Manual, Disabled | 1.1.0 |
Technical compliance review
ID: ISO 27001:2013 A.18.2.3
Ownership: Shared
ID: ISO 27001:2013 A.5.1.1
Ownership: Shared

| Name (Azure portal) | Description | Effect(s) | Version (GitHub) |
| --- | --- | --- | --- |
| Determine supplier contract obligations | CMA_0140 - Determine supplier contract obligations | Manual, Disabled | 1.1.0 |
| Develop access control policies and procedures | CMA_0144 - Develop access control policies and procedures | Manual, Disabled | 1.1.0 |
| Develop and establish a system security plan | CMA_0151 - Develop and establish a system security plan | Manual, Disabled | 1.1.0 |
| Develop audit and accountability policies and procedures | CMA_0154 - Develop audit and accountability policies and procedures | Manual, Disabled | 1.1.0 |
| Develop information security policies and procedures | CMA_0158 - Develop information security policies and procedures | Manual, Disabled | 1.1.0 |
| Document acquisition contract acceptance criteria | CMA_0187 - Document acquisition contract acceptance criteria | Manual, Disabled | 1.1.0 |
| Document protection of personal data in acquisition contracts | CMA_0194 - Document protection of personal data in acquisition contracts | Manual, Disabled | 1.1.0 |
| Document protection of security information in acquisition contracts | CMA_0195 - Document protection of security information in acquisition contracts | Manual, Disabled | 1.1.0 |
| Document requirements for the use of shared data in contracts | CMA_0197 - Document requirements for the use of shared data in contracts | Manual, Disabled | 1.1.0 |
| Document security and privacy training activities | CMA_0198 - Document security and privacy training activities | Manual, Disabled | 1.1.0 |
| Document security assurance requirements in acquisition contracts | CMA_0199 - Document security assurance requirements in acquisition contracts | Manual, Disabled | 1.1.0 |
| Document security documentation requirements in acquisition contract | CMA_0200 - Document security documentation requirements in acquisition contract | Manual, Disabled | 1.1.0 |
| Document security functional requirements in acquisition contracts | CMA_0201 - Document security functional requirements in acquisition contracts | Manual, Disabled | 1.1.0 |
| Document security strength requirements in acquisition contracts | CMA_0203 - Document security strength requirements in acquisition contracts | Manual, Disabled | 1.1.0 |
| Document the information system environment in acquisition contracts | CMA_0205 - Document the information system environment in acquisition contracts | Manual, Disabled | 1.1.0 |
| Document the protection of cardholder data in third party contracts | CMA_0207 - Document the protection of cardholder data in third party contracts | Manual, Disabled | 1.1.0 |
| Enforce mandatory and discretionary access control policies | CMA_0246 - Enforce mandatory and discretionary access control policies | Manual, Disabled | 1.1.0 |
| Establish a privacy program | CMA_0257 - Establish a privacy program | Manual, Disabled | 1.1.0 |
| Establish an information security program | CMA_0263 - Establish an information security program | Manual, Disabled | 1.1.0 |
| Establish privacy requirements for contractors and service providers | CMA_C1810 - Establish privacy requirements for contractors and service providers | Manual, Disabled | 1.1.0 |
| Establish security requirements for the manufacturing of connected devices | CMA_0279 - Establish security requirements for the manufacturing of connected devices | Manual, Disabled | 1.1.0 |
| Govern policies and procedures | CMA_0292 - Govern policies and procedures | Manual, Disabled | 1.1.0 |
| Implement security engineering principles of information systems | CMA_0325 - Implement security engineering principles of information systems | Manual, Disabled | 1.1.0 |
| Manage compliance activities | CMA_0358 - Manage compliance activities | Manual, Disabled | 1.1.0 |
| Protect the information security program plan | CMA_C1732 - Protect the information security program plan | Manual, Disabled | 1.1.0 |
| Review access control policies and procedures | CMA_0457 - Review access control policies and procedures | Manual, Disabled | 1.1.0 |
| Review and update configuration management policies and procedures | CMA_C1175 - Review and update configuration management policies and procedures | Manual, Disabled | 1.1.0 |
| Review and update contingency planning policies and procedures | CMA_C1243 - Review and update contingency planning policies and procedures | Manual, Disabled | 1.1.0 |
| Review and update identification and authentication policies and procedures | CMA_C1299 - Review and update identification and authentication policies and procedures | Manual, Disabled | 1.1.0 |
| Review and update incident response policies and procedures | CMA_C1352 - Review and update incident response policies and procedures | Manual, Disabled | 1.1.0 |
| Review and update information integrity policies and procedures | CMA_C1667 - Review and update information integrity policies and procedures | Manual, Disabled | 1.1.0 |
| Review and update media protection policies and procedures | CMA_C1427 - Review and update media protection policies and procedures | Manual, Disabled | 1.1.0 |
| Review and update personnel security policies and procedures | CMA_C1507 - Review and update personnel security policies and procedures | Manual, Disabled | 1.1.0 |
| Review and update physical and environmental policies and procedures | CMA_C1446 - Review and update physical and environmental policies and procedures | Manual, Disabled | 1.1.0 |
| Review and update planning policies and procedures | CMA_C1491 - Review and update planning policies and procedures | Manual, Disabled | 1.1.0 |
| Review and update risk assessment policies and procedures | CMA_C1537 - Review and update risk assessment policies and procedures | Manual, Disabled | 1.1.0 |
| Review and update system and communications protection policies and procedures | CMA_C1616 - Review and update system and communications protection policies and procedures | Manual, Disabled | 1.1.0 |
| Review and update system and services acquisition policies and procedures | CMA_C1560 - Review and update system and services acquisition policies and procedures | Manual, Disabled | 1.1.0 |
| Review and update system maintenance policies and procedures | CMA_C1395 - Review and update system maintenance policies and procedures | Manual, Disabled | 1.1.0 |
| Review security assessment and authorization policies and procedures | CMA_C1143 - Review security assessment and authorization policies and procedures | Manual, Disabled | 1.1.0 |
| Update information security policies | CMA_0518 - Update information security policies | Manual, Disabled | 1.1.0 |
| Update privacy plan, policies, and procedures | CMA_C1807 - Update privacy plan, policies, and procedures | Manual, Disabled | 1.1.0 |
ID: ISO 27001:2013 A.5.1.2
Ownership: Shared

| Name (Azure portal) | Description | Effect(s) | Version (GitHub) |
| --- | --- | --- | --- |
| Develop access control policies and procedures | CMA_0144 - Develop access control policies and procedures | Manual, Disabled | 1.1.0 |
| Develop and establish a system security plan | CMA_0151 - Develop and establish a system security plan | Manual, Disabled | 1.1.0 |
| Develop audit and accountability policies and procedures | CMA_0154 - Develop audit and accountability policies and procedures | Manual, Disabled | 1.1.0 |
| Develop information security policies and procedures | CMA_0158 - Develop information security policies and procedures | Manual, Disabled | 1.1.0 |
| Document security and privacy training activities | CMA_0198 - Document security and privacy training activities | Manual, Disabled | 1.1.0 |
| Enforce mandatory and discretionary access control policies | CMA_0246 - Enforce mandatory and discretionary access control policies | Manual, Disabled | 1.1.0 |
| Establish a privacy program | CMA_0257 - Establish a privacy program | Manual, Disabled | 1.1.0 |
| Establish an information security program | CMA_0263 - Establish an information security program | Manual, Disabled | 1.1.0 |
| Establish security requirements for the manufacturing of connected devices | CMA_0279 - Establish security requirements for the manufacturing of connected devices | Manual, Disabled | 1.1.0 |
| Govern policies and procedures | CMA_0292 - Govern policies and procedures | Manual, Disabled | 1.1.0 |
| Implement security engineering principles of information systems | CMA_0325 - Implement security engineering principles of information systems | Manual, Disabled | 1.1.0 |
| Protect the information security program plan | CMA_C1732 - Protect the information security program plan | Manual, Disabled | 1.1.0 |
| Review access control policies and procedures | CMA_0457 - Review access control policies and procedures | Manual, Disabled | 1.1.0 |
| Review and update configuration management policies and procedures | CMA_C1175 - Review and update configuration management policies and procedures | Manual, Disabled | 1.1.0 |
| Review and update contingency planning policies and procedures | CMA_C1243 - Review and update contingency planning policies and procedures | Manual, Disabled | 1.1.0 |
| Review and update identification and authentication policies and procedures | CMA_C1299 - Review and update identification and authentication policies and procedures | Manual, Disabled | 1.1.0 |
| Review and update incident response policies and procedures | CMA_C1352 - Review and update incident response policies and procedures | Manual, Disabled | 1.1.0 |
| Review and update information integrity policies and procedures | CMA_C1667 - Review and update information integrity policies and procedures | Manual, Disabled | 1.1.0 |
| Review and update media protection policies and procedures | CMA_C1427 - Review and update media protection policies and procedures | Manual, Disabled | 1.1.0 |
| Review and update personnel security policies and procedures | CMA_C1507 - Review and update personnel security policies and procedures | Manual, Disabled | 1.1.0 |
| Review and update physical and environmental policies and procedures | CMA_C1446 - Review and update physical and environmental policies and procedures | Manual, Disabled | 1.1.0 |
| Review and update planning policies and procedures | CMA_C1491 - Review and update planning policies and procedures | Manual, Disabled | 1.1.0 |
| Review and update risk assessment policies and procedures | CMA_C1537 - Review and update risk assessment policies and procedures | Manual, Disabled | 1.1.0 |
| Review and update system and communications protection policies and procedures | CMA_C1616 - Review and update system and communications protection policies and procedures | Manual, Disabled | 1.1.0 |
| Review and update system and services acquisition policies and procedures | CMA_C1560 - Review and update system and services acquisition policies and procedures | Manual, Disabled | 1.1.0 |
| Review and update system maintenance policies and procedures | CMA_C1395 - Review and update system maintenance policies and procedures | Manual, Disabled | 1.1.0 |
| Review security assessment and authorization policies and procedures | CMA_C1143 - Review security assessment and authorization policies and procedures | Manual, Disabled | 1.1.0 |
| Update information security policies | CMA_0518 - Update information security policies | Manual, Disabled | 1.1.0 |
| Update privacy plan, policies, and procedures | CMA_C1807 - Update privacy plan, policies, and procedures | Manual, Disabled | 1.1.0 |
ID: ISO 27001:2013 A.6.1.1
Ownership: Shared

| Name (Azure portal) | Description | Effect(s) | Version (GitHub) |
| --- | --- | --- | --- |
| Appoint a senior information security officer | CMA_C1733 - Appoint a senior information security officer | Manual, Disabled | 1.1.0 |
| Communicate contingency plan changes | CMA_C1249 - Communicate contingency plan changes | Manual, Disabled | 1.1.0 |
| Coordinate contingency plans with related plans | CMA_0086 - Coordinate contingency plans with related plans | Manual, Disabled | 1.1.0 |
| Create configuration plan protection | CMA_C1233 - Create configuration plan protection | Manual, Disabled | 1.1.0 |
| Define and document government oversight | CMA_C1587 - Define and document government oversight | Manual, Disabled | 1.1.0 |
| Define information security roles and responsibilities | CMA_C1565 - Define information security roles and responsibilities | Manual, Disabled | 1.1.0 |
| Designate individuals to fulfill specific roles and responsibilities | CMA_C1747 - Designate individuals to fulfill specific roles and responsibilities | Manual, Disabled | 1.1.0 |
| Determine supplier contract obligations | CMA_0140 - Determine supplier contract obligations | Manual, Disabled | 1.1.0 |
| Develop access control policies and procedures | CMA_0144 - Develop access control policies and procedures | Manual, Disabled | 1.1.0 |
| Develop and document a business continuity and disaster recovery plan | CMA_0146 - Develop and document a business continuity and disaster recovery plan | Manual, Disabled | 1.1.0 |
| Develop and establish a system security plan | CMA_0151 - Develop and establish a system security plan | Manual, Disabled | 1.1.0 |
| Develop and maintain baseline configurations | CMA_0153 - Develop and maintain baseline configurations | Manual, Disabled | 1.1.0 |
| Develop audit and accountability policies and procedures | CMA_0154 - Develop audit and accountability policies and procedures | Manual, Disabled | 1.1.0 |
| Develop configuration item identification plan | CMA_C1231 - Develop configuration item identification plan | Manual, Disabled | 1.1.0 |
| Develop configuration management plan | CMA_C1232 - Develop configuration management plan | Manual, Disabled | 1.1.0 |
| Develop contingency plan | CMA_C1244 - Develop contingency plan | Manual, Disabled | 1.1.0 |
| Develop contingency planning policies and procedures | CMA_0156 - Develop contingency planning policies and procedures | Manual, Disabled | 1.1.0 |
| Develop information security policies and procedures | CMA_0158 - Develop information security policies and procedures | Manual, Disabled | 1.1.0 |
| Distribute policies and procedures | CMA_0185 - Distribute policies and procedures | Manual, Disabled | 1.1.0 |
| Document acquisition contract acceptance criteria | CMA_0187 - Document acquisition contract acceptance criteria | Manual, Disabled | 1.1.0 |
| Document and implement privacy complaint procedures | CMA_0189 - Document and implement privacy complaint procedures | Manual, Disabled | 1.1.0 |
| Document protection of personal data in acquisition contracts | CMA_0194 - Document protection of personal data in acquisition contracts | Manual, Disabled | 1.1.0 |
| Document protection of security information in acquisition contracts | CMA_0195 - Document protection of security information in acquisition contracts | Manual, Disabled | 1.1.0 |
| Document requirements for the use of shared data in contracts | CMA_0197 - Document requirements for the use of shared data in contracts | Manual, Disabled | 1.1.0 |
| Document security and privacy training activities | CMA_0198 - Document security and privacy training activities | Manual, Disabled | 1.1.0 |
| Document security assurance requirements in acquisition contracts | CMA_0199 - Document security assurance requirements in acquisition contracts | Manual, Disabled | 1.1.0 |
| Document security documentation requirements in acquisition contract | CMA_0200 - Document security documentation requirements in acquisition contract | Manual, Disabled | 1.1.0 |
| Document security functional requirements in acquisition contracts | CMA_0201 - Document security functional requirements in acquisition contracts | Manual, Disabled | 1.1.0 |
| Document security strength requirements in acquisition contracts | CMA_0203 - Document security strength requirements in acquisition contracts | Manual, Disabled | 1.1.0 |
| Document the information system environment in acquisition contracts | CMA_0205 - Document the information system environment in acquisition contracts | Manual, Disabled | 1.1.0 |
| Document the protection of cardholder data in third party contracts | CMA_0207 - Document the protection of cardholder data in third party contracts | Manual, Disabled | 1.1.0 |
| Document third-party personnel security requirements | CMA_C1531 - Document third-party personnel security requirements | Manual, Disabled | 1.1.0 |
| Enforce mandatory and discretionary access control policies | CMA_0246 - Enforce mandatory and discretionary access control policies | Manual, Disabled | 1.1.0 |
| Ensure privacy program information is publicly available | CMA_C1867 - Ensure privacy program information is publicly available | Manual, Disabled | 1.1.0 |
| Establish a privacy program | CMA_0257 - Establish a privacy program | Manual, Disabled | 1.1.0 |
| Establish an information security program | CMA_0263 - Establish an information security program | Manual, Disabled | 1.1.0 |
| Establish and document a configuration management plan | CMA_0264 - Establish and document a configuration management plan | Manual, Disabled | 1.1.0 |
| Establish security requirements for the manufacturing of connected devices | CMA_0279 - Establish security requirements for the manufacturing of connected devices | Manual, Disabled | 1.1.0 |
| Establish third-party personnel security requirements | CMA_C1529 - Establish third-party personnel security requirements | Manual, Disabled | 1.1.0 |
| Govern policies and procedures | CMA_0292 - Govern policies and procedures | Manual, Disabled | 1.1.0 |
| Identify individuals with security roles and responsibilities | CMA_C1566 - Identify individuals with security roles and responsibilities | Manual, Disabled | 1.1.1 |
| Implement an automated configuration management tool | CMA_0311 - Implement an automated configuration management tool | Manual, Disabled | 1.1.0 |
| Implement security engineering principles of information systems | CMA_0325 - Implement security engineering principles of information systems | Manual, Disabled | 1.1.0 |
| Integrate risk management process into SDLC | CMA_C1567 - Integrate risk management process into SDLC | Manual, Disabled | 1.1.0 |
| Manage security state of information systems | CMA_C1746 - Manage security state of information systems | Manual, Disabled | 1.1.0 |
| Monitor third-party provider compliance | CMA_C1533 - Monitor third-party provider compliance | Manual, Disabled | 1.1.0 |
| Plan for resumption of essential business functions | CMA_C1253 - Plan for resumption of essential business functions | Manual, Disabled | 1.1.0 |
| Protect the information security program plan | CMA_C1732 - Protect the information security program plan | Manual, Disabled | 1.1.0 |
| Require external service providers to comply with security requirements | CMA_C1586 - Require external service providers to comply with security requirements | Manual, Disabled | 1.1.0 |
| Require notification of third-party personnel transfer or termination | CMA_C1532 - Require notification of third-party personnel transfer or termination | Manual, Disabled | 1.1.0 |
| Require third-party providers to comply with personnel security policies and procedures | CMA_C1530 - Require third-party providers to comply with personnel security policies and procedures | Manual, Disabled | 1.1.0 |
| Resume all mission and business functions | CMA_C1254 - Resume all mission and business functions | Manual, Disabled | 1.1.0 |
| Review access control policies and procedures | CMA_0457 - Review access control policies and procedures | Manual, Disabled | 1.1.0 |
| Review and update configuration management policies and procedures | CMA_C1175 - Review and update configuration management policies and procedures | Manual, Disabled | 1.1.0 |
| Review and update contingency planning policies and procedures | CMA_C1243 - Review and update contingency planning policies and procedures | Manual, Disabled | 1.1.0 |
| Review and update identification and authentication policies and procedures | CMA_C1299 - Review and update identification and authentication policies and procedures | Manual, Disabled | 1.1.0 |
| Review and update incident response policies and procedures | CMA_C1352 - Review and update incident response policies and procedures | Manual, Disabled | 1.1.0 |
| Review and update information integrity policies and procedures | CMA_C1667 - Review and update information integrity policies and procedures | Manual, Disabled | 1.1.0 |
| Review and update media protection policies and procedures | CMA_C1427 - Review and update media protection policies and procedures | Manual, Disabled | 1.1.0 |
| Review and update personnel security policies and procedures | CMA_C1507 - Review and update personnel security policies and procedures | Manual, Disabled | 1.1.0 |
| Review and update physical and environmental policies and procedures | CMA_C1446 - Review and update physical and environmental policies and procedures | Manual, Disabled | 1.1.0 |
| Review and update planning policies and procedures | CMA_C1491 - Review and update planning policies and procedures | Manual, Disabled | 1.1.0 |
| Review and update risk assessment policies and procedures | CMA_C1537 - Review and update risk assessment policies and procedures | Manual, Disabled | 1.1.0 |
| Review and update system and communications protection policies and procedures | CMA_C1616 - Review and update system and communications protection policies and procedures | Manual, Disabled | 1.1.0 |
| Review and update system and services acquisition policies and procedures | CMA_C1560 - Review and update system and services acquisition policies and procedures | Manual, Disabled | 1.1.0 |
| Review and update system maintenance policies and procedures | CMA_C1395 - Review and update system maintenance policies and procedures | Manual, Disabled | 1.1.0 |
| Review cloud service provider's compliance with policies and agreements | CMA_0469 - Review cloud service provider's compliance with policies and agreements | Manual, Disabled | 1.1.0 |
| Review contingency plan | CMA_C1247 - Review contingency plan | Manual, Disabled | 1.1.0 |
| Review security assessment and authorization policies and procedures | CMA_C1143 - Review security assessment and authorization policies and procedures | Manual, Disabled | 1.1.0 |
| Undergo independent security review | CMA_0515 - Undergo independent security review | Manual, Disabled | 1.1.0 |
| Update contingency plan | CMA_C1248 - Update contingency plan | Manual, Disabled | 1.1.0 |
| Update information security policies | CMA_0518 - Update information security policies | Manual, Disabled | 1.1.0 |
| Update privacy plan, policies, and procedures | CMA_C1807 - Update privacy plan, policies, and procedures | Manual, Disabled | 1.1.0 |
ID: ISO 27001:2013 A.6.1.2
Ownership: Shared
ID: ISO 27001:2013 A.6.1.3
Ownership: Shared
ID: ISO 27001:2013 A.6.1.4
Ownership: Shared
ID: ISO 27001:2013 A.6.1.5
Ownership: Shared

| Name (Azure portal) | Description | Effect(s) | Version (GitHub) |
| --- | --- | --- | --- |
| Align business objectives and IT goals | CMA_0008 - Align business objectives and IT goals | Manual, Disabled | 1.1.0 |
| Allocate resources in determining information system requirements | CMA_C1561 - Allocate resources in determining information system requirements | Manual, Disabled | 1.1.0 |
| Define and document government oversight | CMA_C1587 - Define and document government oversight | Manual, Disabled | 1.1.0 |
| Define information security roles and responsibilities | CMA_C1565 - Define information security roles and responsibilities | Manual, Disabled | 1.1.0 |
| Determine supplier contract obligations | CMA_0140 - Determine supplier contract obligations | Manual, Disabled | 1.1.0 |
| Document acquisition contract acceptance criteria | CMA_0187 - Document acquisition contract acceptance criteria | Manual, Disabled | 1.1.0 |
| Document protection of personal data in acquisition contracts | CMA_0194 - Document protection of personal data in acquisition contracts | Manual, Disabled | 1.1.0 |
| Document protection of security information in acquisition contracts | CMA_0195 - Document protection of security information in acquisition contracts | Manual, Disabled | 1.1.0 |
| Document requirements for the use of shared data in contracts | CMA_0197 - Document requirements for the use of shared data in contracts | Manual, Disabled | 1.1.0 |
| Document security assurance requirements in acquisition contracts | CMA_0199 - Document security assurance requirements in acquisition contracts | Manual, Disabled | 1.1.0 |
| Document security documentation requirements in acquisition contract | CMA_0200 - Document security documentation requirements in acquisition contract | Manual, Disabled | 1.1.0 |
| Document security functional requirements in acquisition contracts | CMA_0201 - Document security functional requirements in acquisition contracts | Manual, Disabled | 1.1.0 |
| Document security strength requirements in acquisition contracts | CMA_0203 - Document security strength requirements in acquisition contracts | Manual, Disabled | 1.1.0 |
| Document the information system environment in acquisition contracts | CMA_0205 - Document the information system environment in acquisition contracts | Manual, Disabled | 1.1.0 |
| Document the protection of cardholder data in third party contracts | CMA_0207 - Document the protection of cardholder data in third party contracts | Manual, Disabled | 1.1.0 |
| Establish a discrete line item in budgeting documentation | CMA_C1563 - Establish a discrete line item in budgeting documentation | Manual, Disabled | 1.1.0 |
| Establish a privacy program | CMA_0257 - Establish a privacy program | Manual, Disabled | 1.1.0 |
| Govern the allocation of resources | CMA_0293 - Govern the allocation of resources | Manual, Disabled | 1.1.0 |
| Identify individuals with security roles and responsibilities | CMA_C1566 - Identify individuals with security roles and responsibilities | Manual, Disabled | 1.1.1 |
| Integrate risk management process into SDLC | CMA_C1567 - Integrate risk management process into SDLC | Manual, Disabled | 1.1.0 |
| Require external service providers to comply with security requirements | CMA_C1586 - Require external service providers to comply with security requirements | Manual, Disabled | 1.1.0 |
| Review cloud service provider's compliance with policies and agreements | CMA_0469 - Review cloud service provider's compliance with policies and agreements | Manual, Disabled | 1.1.0 |
| Review development process, standards and tools | CMA_C1610 - Review development process, standards and tools | Manual, Disabled | 1.1.0 |
| Secure commitment from leadership | CMA_0489 - Secure commitment from leadership | Manual, Disabled | 1.1.0 |
| Undergo independent security review | CMA_0515 - Undergo independent security review | Manual, Disabled | 1.1.0 |
ID: ISO 27001:2013 A.6.2.1
Ownership: Shared

| Name (Azure portal) | Description | Effect(s) | Version (GitHub) |
| --- | --- | --- | --- |
| Adopt biometric authentication mechanisms | CMA_0005 - Adopt biometric authentication mechanisms | Manual, Disabled | 1.1.0 |
| Authorize remote access | CMA_0024 - Authorize remote access | Manual, Disabled | 1.1.0 |
| Define mobile device requirements | CMA_0122 - Define mobile device requirements | Manual, Disabled | 1.1.0 |
| Document and implement wireless access guidelines | CMA_0190 - Document and implement wireless access guidelines | Manual, Disabled | 1.1.0 |
| Document mobility training | CMA_0191 - Document mobility training | Manual, Disabled | 1.1.0 |
| Document remote access guidelines | CMA_0196 - Document remote access guidelines | Manual, Disabled | 1.1.0 |
| Identify and authenticate network devices | CMA_0296 - Identify and authenticate network devices | Manual, Disabled | 1.1.0 |
| Implement controls to secure alternate work sites | CMA_0315 - Implement controls to secure alternate work sites | Manual, Disabled | 1.1.0 |
| Monitor access across the organization | CMA_0376 - Monitor access across the organization | Manual, Disabled | 1.1.0 |
| Notify users of system logon or access | CMA_0382 - Notify users of system logon or access | Manual, Disabled | 1.1.0 |
| Protect data in transit using encryption | CMA_0403 - Protect data in transit using encryption | Manual, Disabled | 1.1.0 |
| Protect wireless access | CMA_0411 - Protect wireless access | Manual, Disabled | 1.1.0 |
| Provide privacy training | CMA_0415 - Provide privacy training | Manual, Disabled | 1.1.0 |
ID: ISO 27001:2013 A.6.2.2
Ownership: Shared

| Name (Azure portal) | Description | Effect(s) | Version (GitHub) |
| --- | --- | --- | --- |
| Adopt biometric authentication mechanisms | CMA_0005 - Adopt biometric authentication mechanisms | Manual, Disabled | 1.1.0 |
| Authorize access to security functions and information | CMA_0022 - Authorize access to security functions and information | Manual, Disabled | 1.1.0 |
| Authorize and manage access | CMA_0023 - Authorize and manage access | Manual, Disabled | 1.1.0 |
| Authorize remote access | CMA_0024 - Authorize remote access | Manual, Disabled | 1.1.0 |
| Document mobility training | CMA_0191 - Document mobility training | Manual, Disabled | 1.1.0 |
| Document remote access guidelines | CMA_0196 - Document remote access guidelines | Manual, Disabled | 1.1.0 |
| Enforce logical access | CMA_0245 - Enforce logical access | Manual, Disabled | 1.1.0 |
| Enforce mandatory and discretionary access control policies | CMA_0246 - Enforce mandatory and discretionary access control policies | Manual, Disabled | 1.1.0 |
| Identify and authenticate network devices | CMA_0296 - Identify and authenticate network devices | Manual, Disabled | 1.1.0 |
| Implement controls to secure alternate work sites | CMA_0315 - Implement controls to secure alternate work sites | Manual, Disabled | 1.1.0 |
| Monitor access across the organization | CMA_0376 - Monitor access across the organization | Manual, Disabled | 1.1.0 |
| Notify users of system logon or access | CMA_0382 - Notify users of system logon or access | Manual, Disabled | 1.1.0 |
| Protect data in transit using encryption | CMA_0403 - Protect data in transit using encryption | Manual, Disabled | 1.1.0 |
| Provide privacy training | CMA_0415 - Provide privacy training | Manual, Disabled | 1.1.0 |
| Require approval for account creation | CMA_0431 - Require approval for account creation | Manual, Disabled | 1.1.0 |
| Review user groups and applications with access to sensitive data | CMA_0481 - Review user groups and applications with access to sensitive data | Manual, Disabled | 1.1.0 |
ID: ISO 27001:2013 A.7.1.1
Ownership: Shared
Terms and conditions of employment
ID: ISO 27001:2013 A.7.1.2
Ownership: Shared

| Name (Azure portal) | Description | Effect(s) | Version (GitHub) |
| --- | --- | --- | --- |
| Determine supplier contract obligations | CMA_0140 - Determine supplier contract obligations | Manual, Disabled | 1.1.0 |
| Develop acceptable use policies and procedures | CMA_0143 - Develop acceptable use policies and procedures | Manual, Disabled | 1.1.0 |
| Develop security safeguards | CMA_0161 - Develop security safeguards | Manual, Disabled | 1.1.0 |
| Document acquisition contract acceptance criteria | CMA_0187 - Document acquisition contract acceptance criteria | Manual, Disabled | 1.1.0 |
| Document organizational access agreements | CMA_0192 - Document organizational access agreements | Manual, Disabled | 1.1.0 |
| Document personnel acceptance of privacy requirements | CMA_0193 - Document personnel acceptance of privacy requirements | Manual, Disabled | 1.1.0 |
| Document protection of personal data in acquisition contracts | CMA_0194 - Document protection of personal data in acquisition contracts | Manual, Disabled | 1.1.0 |
| Document protection of security information in acquisition contracts | CMA_0195 - Document protection of security information in acquisition contracts | Manual, Disabled | 1.1.0 |
| Document requirements for the use of shared data in contracts | CMA_0197 - Document requirements for the use of shared data in contracts | Manual, Disabled | 1.1.0 |
| Document security assurance requirements in acquisition contracts | CMA_0199 - Document security assurance requirements in acquisition contracts | Manual, Disabled | 1.1.0 |
| Document security documentation requirements in acquisition contract | CMA_0200 - Document security documentation requirements in acquisition contract | Manual, Disabled | 1.1.0 |
| Document security functional requirements in acquisition contracts | CMA_0201 - Document security functional requirements in acquisition contracts | Manual, Disabled | 1.1.0 |
| Document security strength requirements in acquisition contracts | CMA_0203 - Document security strength requirements in acquisition contracts | Manual, Disabled | 1.1.0 |
| Document the information system environment in acquisition contracts | CMA_0205 - Document the information system environment in acquisition contracts | Manual, Disabled | 1.1.0 |
| Document the protection of cardholder data in third party contracts | CMA_0207 - Document the protection of cardholder data in third party contracts | Manual, Disabled | 1.1.0 |
| Enforce rules of behavior and access agreements | CMA_0248 - Enforce rules of behavior and access agreements | Manual, Disabled | 1.1.0 |
| Ensure access agreements are signed or resigned timely | CMA_C1528 - Ensure access agreements are signed or resigned timely | Manual, Disabled | 1.1.0 |
| Ensure privacy program information is publicly available | CMA_C1867 - Ensure privacy program information is publicly available | Manual, Disabled | 1.1.0 |
| Establish a privacy program | CMA_0257 - Establish a privacy program | Manual, Disabled | 1.1.0 |
| Implement privacy notice delivery methods | CMA_0324 - Implement privacy notice delivery methods | Manual, Disabled | 1.1.0 |
| Obtain consent prior to collection or processing of personal data | CMA_0385 - Obtain consent prior to collection or processing of personal data | Manual, Disabled | 1.1.0 |
| Provide privacy notice | CMA_0414 - Provide privacy notice | Manual, Disabled | 1.1.0 |
| Require users to sign access agreement | CMA_0440 - Require users to sign access agreement | Manual, Disabled | 1.1.0 |
| Update organizational access agreements | CMA_0520 - Update organizational access agreements | Manual, Disabled | 1.1.0 |
Management responsibilities
ID : ISO 27001:2013 A.7.2.1
Ownership : Shared
Name (Azure portal)
Description
Effect(s)
Version (GitHub)
Define and document government oversight
CMA_C1587 - Define and document government oversight
Manual, Disabled
1.1.0
Determine supplier contract obligations
CMA_0140 - Determine supplier contract obligations
Manual, Disabled
1.1.0
Develop acceptable use policies and procedures
CMA_0143 - Develop acceptable use policies and procedures
Manual, Disabled
1.1.0
Document acquisition contract acceptance criteria
CMA_0187 - Document acquisition contract acceptance criteria
Manual, Disabled
1.1.0
Document organizational access agreements
CMA_0192 - Document organizational access agreements
Manual, Disabled
1.1.0
Document protection of personal data in acquisition contracts
CMA_0194 - Document protection of personal data in acquisition contracts
Manual, Disabled
1.1.0
Document protection of security information in acquisition contracts
CMA_0195 - Document protection of security information in acquisition contracts
Manual, Disabled
1.1.0
Document requirements for the use of shared data in contracts
CMA_0197 - Document requirements for the use of shared data in contracts
Manual, Disabled
1.1.0
Document security assurance requirements in acquisition contracts
CMA_0199 - Document security assurance requirements in acquisition contracts
Manual, Disabled
1.1.0
Document security documentation requirements in acquisition contract
CMA_0200 - Document security documentation requirements in acquisition contract
Manual, Disabled
1.1.0
Document security functional requirements in acquisition contracts
CMA_0201 - Document security functional requirements in acquisition contracts
Manual, Disabled
1.1.0
Document security strength requirements in acquisition contracts
CMA_0203 - Document security strength requirements in acquisition contracts
Manual, Disabled
1.1.0
Document the information system environment in acquisition contracts
CMA_0205 - Document the information system environment in acquisition contracts
Manual, Disabled
1.1.0
Document the protection of cardholder data in third party contracts
CMA_0207 - Document the protection of cardholder data in third party contracts
Manual, Disabled
1.1.0
Document third-party personnel security requirements
CMA_C1531 - Document third-party personnel security requirements
Manual, Disabled
1.1.0
Enforce rules of behavior and access agreements
CMA_0248 - Enforce rules of behavior and access agreements
Manual, Disabled
1.1.0
Ensure access agreements are signed or resigned timely
CMA_C1528 - Ensure access agreements are signed or resigned timely
Manual, Disabled
1.1.0
Establish third-party personnel security requirements
CMA_C1529 - Establish third-party personnel security requirements
Manual, Disabled
1.1.0
Monitor third-party provider compliance
CMA_C1533 - Monitor third-party provider compliance
Manual, Disabled
1.1.0
Require external service providers to comply with security requirements
CMA_C1586 - Require external service providers to comply with security requirements
Manual, Disabled
1.1.0
Require notification of third-party personnel transfer or termination
CMA_C1532 - Require notification of third-party personnel transfer or termination
Manual, Disabled
1.1.0
Require third-party providers to comply with personnel security policies and procedures
CMA_C1530 - Require third-party providers to comply with personnel security policies and procedures
Manual, Disabled
1.1.0
Require users to sign access agreement
CMA_0440 - Require users to sign access agreement
Manual, Disabled
1.1.0
Review cloud service provider's compliance with policies and agreements
CMA_0469 - Review cloud service provider's compliance with policies and agreements
Manual, Disabled
1.1.0
Undergo independent security review
CMA_0515 - Undergo independent security review
Manual, Disabled
1.1.0
Update organizational access agreements
CMA_0520 - Update organizational access agreements
Manual, Disabled
1.1.0
Information security awareness, education and training
ID : ISO 27001:2013 A.7.2.2
Ownership : Shared
Name (Azure portal)
Description
Effect(s)
Version (GitHub)
Document security and privacy training activities
CMA_0198 - Document security and privacy training activities
Manual, Disabled
1.1.0
Employ automated training environment
CMA_C1357 - Employ automated training environment
Manual, Disabled
1.1.0
Establish information security workforce development and improvement program
CMA_C1752 - Establish information security workforce development and improvement program
Manual, Disabled
1.1.0
Monitor security and privacy training completion
CMA_0379 - Monitor security and privacy training completion
Manual, Disabled
1.1.0
Provide contingency training
CMA_0412 - Provide contingency training
Manual, Disabled
1.1.0
Provide information spillage training
CMA_0413 - Provide information spillage training
Manual, Disabled
1.1.0
Provide periodic role-based security training
CMA_C1095 - Provide periodic role-based security training
Manual, Disabled
1.1.0
Provide periodic security awareness training
CMA_C1091 - Provide periodic security awareness training
Manual, Disabled
1.1.0
Provide privacy training
CMA_0415 - Provide privacy training
Manual, Disabled
1.1.0
Provide role-based security training
CMA_C1094 - Provide role-based security training
Manual, Disabled
1.1.0
Provide security training before providing access
CMA_0418 - Provide security training before providing access
Manual, Disabled
1.1.0
Provide security training for new users
CMA_0419 - Provide security training for new users
Manual, Disabled
1.1.0
Provide updated security awareness training
CMA_C1090 - Provide updated security awareness training
Manual, Disabled
1.1.0
Retain training records
CMA_0456 - Retain training records
Manual, Disabled
1.1.0
Train personnel on disclosure of nonpublic information
CMA_C1084 - Train personnel on disclosure of nonpublic information
Manual, Disabled
1.1.0
Disciplinary process
ID : ISO 27001:2013 A.7.2.3
Ownership : Shared
Termination or change of employment responsibilities
ID : ISO 27001:2013 A.7.3.1
Ownership : Shared
Inventory of assets
ID : ISO 27001:2013 A.8.1.1
Ownership : Shared
Ownership of assets
ID : ISO 27001:2013 A.8.1.2
Ownership : Shared
Acceptable use of assets
ID : ISO 27001:2013 A.8.1.3
Ownership : Shared
Return of assets
ID : ISO 27001:2013 A.8.1.4
Ownership : Shared
Classification of information
ID : ISO 27001:2013 A.8.2.1
Ownership : Shared
Labelling of information
ID : ISO 27001:2013 A.8.2.2
Ownership : Shared
Name (Azure portal)
Description
Effect(s)
Version (GitHub)
Control physical access
CMA_0081 - Control physical access
Manual, Disabled
1.1.0
Implement controls to secure all media
CMA_0314 - Implement controls to secure all media
Manual, Disabled
1.1.0
Manage the input, output, processing, and storage of data
CMA_0369 - Manage the input, output, processing, and storage of data
Manual, Disabled
1.1.0
Review label activity and analytics
CMA_0474 - Review label activity and analytics
Manual, Disabled
1.1.0
Handling of assets
ID : ISO 27001:2013 A.8.2.3
Ownership : Shared
Name (Azure portal)
Description
Effect(s)
Version (GitHub)
Block untrusted and unsigned processes that run from USB
CMA_0050 - Block untrusted and unsigned processes that run from USB
Manual, Disabled
1.1.0
Configure workstations to check for digital certificates
CMA_0073 - Configure workstations to check for digital certificates
Manual, Disabled
1.1.0
Control information flow
CMA_0079 - Control information flow
Manual, Disabled
1.1.0
Control physical access
CMA_0081 - Control physical access
Manual, Disabled
1.1.0
Control use of portable storage devices
CMA_0083 - Control use of portable storage devices
Manual, Disabled
1.1.0
Define requirements for managing assets
CMA_0125 - Define requirements for managing assets
Manual, Disabled
1.1.0
Employ a media sanitization mechanism
CMA_0208 - Employ a media sanitization mechanism
Manual, Disabled
1.1.0
Establish a data leakage management procedure
CMA_0255 - Establish a data leakage management procedure
Manual, Disabled
1.1.0
Establish and document change control processes
CMA_0265 - Establish and document change control processes
Manual, Disabled
1.1.0
Establish configuration management requirements for developers
CMA_0270 - Establish configuration management requirements for developers
Manual, Disabled
1.1.0
Establish firewall and router configuration standards
CMA_0272 - Establish firewall and router configuration standards
Manual, Disabled
1.1.0
Establish network segmentation for card holder data environment
CMA_0273 - Establish network segmentation for card holder data environment
Manual, Disabled
1.1.0
Identify and manage downstream information exchanges
CMA_0298 - Identify and manage downstream information exchanges
Manual, Disabled
1.1.0
Implement a fault tolerant name/address service
CMA_0305 - Implement a fault tolerant name/address service
Manual, Disabled
1.1.0
Implement controls to secure all media
CMA_0314 - Implement controls to secure all media
Manual, Disabled
1.1.0
Implement physical security for offices, working areas, and secure areas
CMA_0323 - Implement physical security for offices, working areas, and secure areas
Manual, Disabled
1.1.0
Manage the input, output, processing, and storage of data
CMA_0369 - Manage the input, output, processing, and storage of data
Manual, Disabled
1.1.0
Manage the transportation of assets
CMA_0370 - Manage the transportation of assets
Manual, Disabled
1.1.0
Perform audit for configuration change control
CMA_0390 - Perform audit for configuration change control
Manual, Disabled
1.1.0
Produce, control and distribute asymmetric cryptographic keys
CMA_C1646 - Produce, control and distribute asymmetric cryptographic keys
Manual, Disabled
1.1.0
Protect data in transit using encryption
CMA_0403 - Protect data in transit using encryption
Manual, Disabled
1.1.0
Protect passwords with encryption
CMA_0408 - Protect passwords with encryption
Manual, Disabled
1.1.0
Protect special information
CMA_0409 - Protect special information
Manual, Disabled
1.1.0
Provide secure name and address resolution services
CMA_0416 - Provide secure name and address resolution services
Manual, Disabled
1.1.0
Restrict media use
CMA_0450 - Restrict media use
Manual, Disabled
1.1.0
Review label activity and analytics
CMA_0474 - Review label activity and analytics
Manual, Disabled
1.1.0
Management of removable media
ID : ISO 27001:2013 A.8.3.1
Ownership : Shared
Disposal of media
ID : ISO 27001:2013 A.8.3.2
Ownership : Shared
Physical media transfer
ID : ISO 27001:2013 A.8.3.3
Ownership : Shared
Access control policy
ID : ISO 27001:2013 A.9.1.1
Ownership : Shared
Access to networks and network services
ID : ISO 27001:2013 A.9.1.2
Ownership : Shared
Name (Azure portal)
Description
Effect(s)
Version (GitHub)
Add system-assigned managed identity to enable Guest Configuration assignments on virtual machines with no identities
This policy adds a system-assigned managed identity to virtual machines hosted in Azure that are supported by Guest Configuration but do not have any managed identities. A system-assigned managed identity is a prerequisite for all Guest Configuration assignments and must be added to machines before using any Guest Configuration policy definitions. For more information on Guest Configuration, visit https://aka.ms/gcpol.
modify
4.1.0
Add system-assigned managed identity to enable Guest Configuration assignments on VMs with a user-assigned identity
This policy adds a system-assigned managed identity to virtual machines hosted in Azure that are supported by Guest Configuration and have at least one user-assigned identity but do not have a system-assigned managed identity. A system-assigned managed identity is a prerequisite for all Guest Configuration assignments and must be added to machines before using any Guest Configuration policy definitions. For more information on Guest Configuration, visit https://aka.ms/gcpol.
modify
4.1.0
Adopt biometric authentication mechanisms
CMA_0005 - Adopt biometric authentication mechanisms
Manual, Disabled
1.1.0
Audit Linux machines that allow remote connections from accounts without passwords
Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if they allow remote connections from accounts without passwords.
AuditIfNotExists, Disabled
3.1.0
Audit Linux machines that have accounts without passwords
Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if they have accounts without passwords.
AuditIfNotExists, Disabled
3.1.0
Audit VMs that do not use managed disks
This policy audits VMs that do not use managed disks
audit
1.0.0
Authorize access to security functions and information
CMA_0022 - Authorize access to security functions and information
Manual, Disabled
1.1.0
Authorize and manage access
CMA_0023 - Authorize and manage access
Manual, Disabled
1.1.0
Automate account management
CMA_0026 - Automate account management
Manual, Disabled
1.1.0
Deploy the Linux Guest Configuration extension to enable Guest Configuration assignments on Linux VMs
This policy deploys the Linux Guest Configuration extension to Linux virtual machines hosted in Azure that are supported by Guest Configuration. The Linux Guest Configuration extension is a prerequisite for all Linux Guest Configuration assignments and must be deployed to machines before using any Linux Guest Configuration policy definition. For more information on Guest Configuration, visit https://aka.ms/gcpol.
deployIfNotExists
3.1.0
Design an access control model
CMA_0129 - Design an access control model
Manual, Disabled
1.1.0
Employ least privilege access
CMA_0212 - Employ least privilege access
Manual, Disabled
1.1.0
Enable detection of network devices
CMA_0220 - Enable detection of network devices
Manual, Disabled
1.1.0
Enforce logical access
CMA_0245 - Enforce logical access
Manual, Disabled
1.1.0
Enforce mandatory and discretionary access control policies
CMA_0246 - Enforce mandatory and discretionary access control policies
Manual, Disabled
1.1.0
Enforce user uniqueness
CMA_0250 - Enforce user uniqueness
Manual, Disabled
1.1.0
Establish electronic signature and certificate requirements
CMA_0271 - Establish electronic signature and certificate requirements
Manual, Disabled
1.1.0
Identify actions allowed without authentication
CMA_0295 - Identify actions allowed without authentication
Manual, Disabled
1.1.0
Identify and authenticate non-organizational users
CMA_C1346 - Identify and authenticate non-organizational users
Manual, Disabled
1.1.0
Manage system and admin accounts
CMA_0368 - Manage system and admin accounts
Manual, Disabled
1.1.0
Monitor access across the organization
CMA_0376 - Monitor access across the organization
Manual, Disabled
1.1.0
Notify when account is not needed
CMA_0383 - Notify when account is not needed
Manual, Disabled
1.1.0
Require approval for account creation
CMA_0431 - Require approval for account creation
Manual, Disabled
1.1.0
Review user groups and applications with access to sensitive data
CMA_0481 - Review user groups and applications with access to sensitive data
Manual, Disabled
1.1.0
Route traffic through managed network access points
CMA_0484 - Route traffic through managed network access points
Manual, Disabled
1.1.0
Set automated notifications for new and trending cloud applications in your organization
CMA_0495 - Set automated notifications for new and trending cloud applications in your organization
Manual, Disabled
1.1.0
Storage accounts should be migrated to new Azure Resource Manager resources
Use new Azure Resource Manager for your storage accounts to provide security enhancements such as: stronger access control (RBAC), better auditing, Azure Resource Manager based deployment and governance, access to managed identities, access to key vault for secrets, Azure AD-based authentication and support for tags and resource groups for easier security management
Audit, Deny, Disabled
1.0.0
Support personal verification credentials issued by legal authorities
CMA_0507 - Support personal verification credentials issued by legal authorities
Manual, Disabled
1.1.0
Virtual machines should be migrated to new Azure Resource Manager resources
Use new Azure Resource Manager for your virtual machines to provide security enhancements such as: stronger access control (RBAC), better auditing, Azure Resource Manager based deployment and governance, access to managed identities, access to key vault for secrets, Azure AD-based authentication and support for tags and resource groups for easier security management
Audit, Deny, Disabled
1.0.0
User registration and de-registration
ID : ISO 27001:2013 A.9.2.1
Ownership : Shared
Name (Azure portal)
Description
Effect(s)
Version (GitHub)
Assign account managers
CMA_0015 - Assign account managers
Manual, Disabled
1.1.0
Assign system identifiers
CMA_0018 - Assign system identifiers
Manual, Disabled
1.1.0
Audit user account status
CMA_0020 - Audit user account status
Manual, Disabled
1.1.0
Define information system account types
CMA_0121 - Define information system account types
Manual, Disabled
1.1.0
Document access privileges
CMA_0186 - Document access privileges
Manual, Disabled
1.1.0
Enable detection of network devices
CMA_0220 - Enable detection of network devices
Manual, Disabled
1.1.0
Enforce user uniqueness
CMA_0250 - Enforce user uniqueness
Manual, Disabled
1.1.0
Establish authenticator types and processes
CMA_0267 - Establish authenticator types and processes
Manual, Disabled
1.1.0
Establish conditions for role membership
CMA_0269 - Establish conditions for role membership
Manual, Disabled
1.1.0
Establish procedures for initial authenticator distribution
CMA_0276 - Establish procedures for initial authenticator distribution
Manual, Disabled
1.1.0
Identify actions allowed without authentication
CMA_0295 - Identify actions allowed without authentication
Manual, Disabled
1.1.0
Identify and authenticate non-organizational users
CMA_C1346 - Identify and authenticate non-organizational users
Manual, Disabled
1.1.0
Implement training for protecting authenticators
CMA_0329 - Implement training for protecting authenticators
Manual, Disabled
1.1.0
Manage authenticator lifetime and reuse
CMA_0355 - Manage authenticator lifetime and reuse
Manual, Disabled
1.1.0
Manage Authenticators
CMA_C1321 - Manage Authenticators
Manual, Disabled
1.1.0
Notify Account Managers of customer controlled accounts
CMA_C1009 - Notify Account Managers of customer controlled accounts
Manual, Disabled
1.1.0
Prevent identifier reuse for the defined time period
CMA_C1314 - Prevent identifier reuse for the defined time period
Manual, Disabled
1.1.0
Refresh authenticators
CMA_0425 - Refresh authenticators
Manual, Disabled
1.1.0
Reissue authenticators for changed groups and accounts
CMA_0426 - Reissue authenticators for changed groups and accounts
Manual, Disabled
1.1.0
Require approval for account creation
CMA_0431 - Require approval for account creation
Manual, Disabled
1.1.0
Restrict access to privileged accounts
CMA_0446 - Restrict access to privileged accounts
Manual, Disabled
1.1.0
Review account provisioning logs
CMA_0460 - Review account provisioning logs
Manual, Disabled
1.1.0
Review and reevaluate privileges
CMA_C1207 - Review and reevaluate privileges
Manual, Disabled
1.1.0
Review user accounts
CMA_0480 - Review user accounts
Manual, Disabled
1.1.0
Set automated notifications for new and trending cloud applications in your organization
CMA_0495 - Set automated notifications for new and trending cloud applications in your organization
Manual, Disabled
1.1.0
Support personal verification credentials issued by legal authorities
CMA_0507 - Support personal verification credentials issued by legal authorities
Manual, Disabled
1.1.0
Verify identity before distributing authenticators
CMA_0538 - Verify identity before distributing authenticators
Manual, Disabled
1.1.0
User access provisioning
ID : ISO 27001:2013 A.9.2.2
Ownership : Shared
Name (Azure portal)
Description
Effect(s)
Version (GitHub)
Assign account managers
CMA_0015 - Assign account managers
Manual, Disabled
1.1.0
Audit user account status
CMA_0020 - Audit user account status
Manual, Disabled
1.1.0
Authorize access to security functions and information
CMA_0022 - Authorize access to security functions and information
Manual, Disabled
1.1.0
Authorize and manage access
CMA_0023 - Authorize and manage access
Manual, Disabled
1.1.0
Automate account management
CMA_0026 - Automate account management
Manual, Disabled
1.1.0
Define information system account types
CMA_0121 - Define information system account types
Manual, Disabled
1.1.0
Document access privileges
CMA_0186 - Document access privileges
Manual, Disabled
1.1.0
Enforce mandatory and discretionary access control policies
CMA_0246 - Enforce mandatory and discretionary access control policies
Manual, Disabled
1.1.0
Establish conditions for role membership
CMA_0269 - Establish conditions for role membership
Manual, Disabled
1.1.0
Limit privileges to make changes in production environment
CMA_C1206 - Limit privileges to make changes in production environment
Manual, Disabled
1.1.0
Manage system and admin accounts
CMA_0368 - Manage system and admin accounts
Manual, Disabled
1.1.0
Monitor access across the organization
CMA_0376 - Monitor access across the organization
Manual, Disabled
1.1.0
Notify Account Managers of customer controlled accounts
CMA_C1009 - Notify Account Managers of customer controlled accounts
Manual, Disabled
1.1.0
Notify when account is not needed
CMA_0383 - Notify when account is not needed
Manual, Disabled
1.1.0
Require approval for account creation
CMA_0431 - Require approval for account creation
Manual, Disabled
1.1.0
Restrict access to privileged accounts
CMA_0446 - Restrict access to privileged accounts
Manual, Disabled
1.1.0
Review account provisioning logs
CMA_0460 - Review account provisioning logs
Manual, Disabled
1.1.0
Review and reevaluate privileges
CMA_C1207 - Review and reevaluate privileges
Manual, Disabled
1.1.0
Review user accounts
CMA_0480 - Review user accounts
Manual, Disabled
1.1.0
Management of privileged access rights
ID : ISO 27001:2013 A.9.2.3
Ownership : Shared
Name (Azure portal)
Description
Effect(s)
Version (GitHub)
Accounts with owner permissions on Azure resources should be MFA enabled
Multi-Factor Authentication (MFA) should be enabled for all subscription accounts with owner permissions to prevent a breach of accounts or resources.
AuditIfNotExists, Disabled
1.0.0
Accounts with write permissions on Azure resources should be MFA enabled
Multi-Factor Authentication (MFA) should be enabled for all subscription accounts with write privileges to prevent a breach of accounts or resources.
AuditIfNotExists, Disabled
1.0.0
An Azure Active Directory administrator should be provisioned for SQL servers
Audit provisioning of an Azure Active Directory administrator for your SQL server to enable Azure AD authentication. Azure AD authentication enables simplified permission management and centralized identity management of database users and other Microsoft services
AuditIfNotExists, Disabled
1.0.0
Assign account managers
CMA_0015 - Assign account managers
Manual, Disabled
1.1.0
Audit privileged functions
CMA_0019 - Audit privileged functions
Manual, Disabled
1.1.0
Audit usage of custom RBAC roles
Audits the use of custom RBAC roles. Prefer built-in roles such as Owner, Contributor and Reader, since custom role definitions are error prone; using a custom role is treated as an exception and requires a rigorous review and threat modeling.
Audit, Disabled
1.0.1
Audit user account status
CMA_0020 - Audit user account status
Manual, Disabled
1.1.0
Authorize access to security functions and information
CMA_0022 - Authorize access to security functions and information
Manual, Disabled
1.1.0
Authorize and manage access
CMA_0023 - Authorize and manage access
Manual, Disabled
1.1.0
Automate account management
CMA_0026 - Automate account management
Manual, Disabled
1.1.0
Define information system account types
CMA_0121 - Define information system account types
Manual, Disabled
1.1.0
Design an access control model
CMA_0129 - Design an access control model
Manual, Disabled
1.1.0
Document access privileges
CMA_0186 - Document access privileges
Manual, Disabled
1.1.0
Employ least privilege access
CMA_0212 - Employ least privilege access
Manual, Disabled
1.1.0
Enforce mandatory and discretionary access control policies
CMA_0246 - Enforce mandatory and discretionary access control policies
Manual, Disabled
1.1.0
Establish and document change control processes
CMA_0265 - Establish and document change control processes
Manual, Disabled
1.1.0
Establish conditions for role membership
CMA_0269 - Establish conditions for role membership
Manual, Disabled
1.1.0
Guest accounts with owner permissions on Azure resources should be removed
External accounts with owner permissions should be removed from your subscription in order to prevent unmonitored access.
AuditIfNotExists, Disabled
1.0.0
Guest accounts with write permissions on Azure resources should be removed
External accounts with write privileges should be removed from your subscription in order to prevent unmonitored access.
AuditIfNotExists, Disabled
1.0.0
Limit privileges to make changes in production environment
CMA_C1206 - Limit privileges to make changes in production environment
Manual, Disabled
1.1.0
Manage system and admin accounts
CMA_0368 - Manage system and admin accounts
Manual, Disabled
1.1.0
Monitor access across the organization
CMA_0376 - Monitor access across the organization
Manual, Disabled
1.1.0
Monitor privileged role assignment
CMA_0378 - Monitor privileged role assignment
Manual, Disabled
1.1.0
Notify Account Managers of customer controlled accounts
CMA_C1009 - Notify Account Managers of customer controlled accounts
Manual, Disabled
1.1.0
Notify when account is not needed
CMA_0383 - Notify when account is not needed
Manual, Disabled
1.1.0
Require approval for account creation
CMA_0431 - Require approval for account creation
Manual, Disabled
1.1.0
Restrict access to privileged accounts
CMA_0446 - Restrict access to privileged accounts
Manual, Disabled
1.1.0
Review account provisioning logs
CMA_0460 - Review account provisioning logs
Manual, Disabled
1.1.0
Review and reevaluate privileges
CMA_C1207 - Review and reevaluate privileges
Manual, Disabled
1.1.0
Review user accounts
CMA_0480 - Review user accounts
Manual, Disabled
1.1.0
Revoke privileged roles as appropriate
CMA_0483 - Revoke privileged roles as appropriate
Manual, Disabled
1.1.0
Service Fabric clusters should only use Azure Active Directory for client authentication
Audit usage of client authentication only via Azure Active Directory in Service Fabric
Audit, Deny, Disabled
1.1.0
Use privileged identity management
CMA_0533 - Use privileged identity management
Manual, Disabled
1.1.0
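The AuditIfNotExists definitions in this table (MFA for accounts with owner or write permissions, guest accounts with owner or write permissions) and the custom-role audit evaluate the role assignments in a subscription; the CMA_* rows with a Manual effect only record an attestation and evaluate no resource. The following is an added example, not Azure Policy's own evaluation logic, that reproduces the same triage offline over constructed data: role assignments shaped like `az role assignment list` output, a constructed directory view of each user (guest or member, sign-in blocked or not, MFA registered or not, assumed to come from an authentication-methods registration report), and one hypothetical custom role named `Custom Ops Role`. The permission classes (Owner; any role with a non-read action counts as write; everything else as read), the finding names, and the extra read-permission and blocked-account checks that mirror the A.9.2.4 and A.9.2.5 policies are this example's assumptions, not the exact rules the built-in definitions apply.

```python
# Offline triage of Azure RBAC role assignments against the account policies
# listed above. All data below is constructed for the example; none of it was
# exported from a tenant, and the rules are an interpretation of the policy names.

# Constructed role definitions: a subset of the built-ins plus one hypothetical
# custom role. In a tenant these come from `az role definition list`.
ROLE_DEFINITIONS = {
    "Owner": {"custom": False, "actions": ["*"]},
    "Contributor": {"custom": False, "actions": ["*"]},
    "Reader": {"custom": False, "actions": ["*/read"]},
    "Custom Ops Role": {
        "custom": True,
        "actions": ["Microsoft.Compute/virtualMachines/read",
                    "Microsoft.Compute/virtualMachines/restart/action"],
    },
}

# Constructed role assignments, shaped like `az role assignment list` output.
SAMPLE_ASSIGNMENTS = [
    {"principalName": "alice@contoso.example", "principalType": "User",
     "roleDefinitionName": "Owner", "scope": "/subscriptions/sub-1"},
    {"principalName": "bob_partner.example#EXT#@contoso.example", "principalType": "User",
     "roleDefinitionName": "Owner", "scope": "/subscriptions/sub-1"},
    {"principalName": "carol@contoso.example", "principalType": "User",
     "roleDefinitionName": "Reader", "scope": "/subscriptions/sub-1"},
    {"principalName": "dave@contoso.example", "principalType": "User",
     "roleDefinitionName": "Custom Ops Role", "scope": "/subscriptions/sub-1/resourceGroups/rg-ops"},
    {"principalName": "erin@contoso.example", "principalType": "User",
     "roleDefinitionName": "Reader", "scope": "/subscriptions/sub-1"},
    {"principalName": "deploy-sp", "principalType": "ServicePrincipal",
     "roleDefinitionName": "Contributor", "scope": "/subscriptions/sub-1"},
]

# Constructed directory view of the user principals. "erin" is deliberately
# absent to model a role assignment left behind after the user was deleted.
SAMPLE_DIRECTORY = {
    "alice@contoso.example": {"userType": "Member", "accountEnabled": True, "mfaRegistered": True},
    "bob_partner.example#EXT#@contoso.example": {"userType": "Guest", "accountEnabled": True, "mfaRegistered": False},
    "carol@contoso.example": {"userType": "Member", "accountEnabled": False, "mfaRegistered": True},
    "dave@contoso.example": {"userType": "Member", "accountEnabled": True, "mfaRegistered": False},
}


def role_class(role_name):
    """Map a role to the permission class the policy names distinguish (assumption):
    'owner' for Owner, 'write' for any role granting a non-read action, else 'read'."""
    if role_name == "Owner":
        return "owner"
    actions = ROLE_DEFINITIONS.get(role_name, {}).get("actions", [])
    if any(not action.endswith("/read") for action in actions):
        return "write"
    return "read"


def triage(assignments, directory):
    """Return sorted (finding, principal, role) tuples for every assignment that
    one of the listed policies would flag. Service principals are only checked
    for custom-role use, since guest/blocked/MFA status applies to user accounts."""
    findings = set()
    for assignment in assignments:
        name = assignment["principalName"]
        role = assignment["roleDefinitionName"]
        cls = role_class(role)
        if ROLE_DEFINITIONS.get(role, {}).get("custom"):
            findings.add(("custom-role", name, role))           # Audit usage of custom RBAC roles
        if assignment["principalType"] != "User":
            continue
        user = directory.get(name)
        if user is None:
            findings.add(("orphaned-assignment", name, role))   # principal no longer exists
            continue
        if user["userType"] == "Guest" and cls in ("owner", "write"):
            findings.add((f"guest-{cls}", name, role))          # Guest accounts with owner/write permissions
        if not user["accountEnabled"]:
            blocked = "blocked-owner" if cls == "owner" else "blocked-read-write"
            findings.add((blocked, name, role))                 # Blocked accounts should be removed
        if not user["mfaRegistered"]:
            findings.add((f"no-mfa-{cls}", name, role))         # Accounts with ... permissions should be MFA enabled
    return sorted(findings)


if __name__ == "__main__":
    for finding in triage(SAMPLE_ASSIGNMENTS, SAMPLE_DIRECTORY):
        print(*finding, sep="\t")
```

To run this against a real subscription, replace the three constructed inputs with the JSON from `az role assignment list --all --include-inherited` and `az role definition list`, plus a directory export that carries user type, account status and MFA registration; inherited assignments from management groups must be included or owner-level findings will be missed.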
Management of secret authentication information of users
ID : ISO 27001:2013 A.9.2.4
Ownership : Shared
Name (Azure portal)
Description
Effect(s)
Version (GitHub)
Accounts with owner permissions on Azure resources should be MFA enabled
Multi-Factor Authentication (MFA) should be enabled for all subscription accounts with owner permissions to prevent a breach of accounts or resources.
AuditIfNotExists, Disabled
1.0.0
Accounts with read permissions on Azure resources should be MFA enabled
Multi-Factor Authentication (MFA) should be enabled for all subscription accounts with read privileges to prevent a breach of accounts or resources.
AuditIfNotExists, Disabled
1.0.0
Accounts with write permissions on Azure resources should be MFA enabled
Multi-Factor Authentication (MFA) should be enabled for all subscription accounts with write privileges to prevent a breach of accounts or resources.
AuditIfNotExists, Disabled
1.0.0
Add system-assigned managed identity to enable Guest Configuration assignments on virtual machines with no identities
This policy adds a system-assigned managed identity to virtual machines hosted in Azure that are supported by Guest Configuration but do not have any managed identities. A system-assigned managed identity is a prerequisite for all Guest Configuration assignments and must be added to machines before using any Guest Configuration policy definitions. For more information on Guest Configuration, visit https://aka.ms/gcpol.
modify
4.1.0
Add system-assigned managed identity to enable Guest Configuration assignments on VMs with a user-assigned identity
This policy adds a system-assigned managed identity to virtual machines hosted in Azure that are supported by Guest Configuration and have at least one user-assigned identity but do not have a system-assigned managed identity. A system-assigned managed identity is a prerequisite for all Guest Configuration assignments and must be added to machines before using any Guest Configuration policy definitions. For more information on Guest Configuration, visit https://aka.ms/gcpol.
modify
4.1.0
Audit Linux machines that do not have the passwd file permissions set to 0644
Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if the permissions on the passwd file are not set to 0644.
AuditIfNotExists, Disabled
3.1.0
Deploy the Linux Guest Configuration extension to enable Guest Configuration assignments on Linux VMs
This policy deploys the Linux Guest Configuration extension to Linux virtual machines hosted in Azure that are supported by Guest Configuration. The Linux Guest Configuration extension is a prerequisite for all Linux Guest Configuration assignments and must be deployed to machines before using any Linux Guest Configuration policy definition. For more information on Guest Configuration, visit https://aka.ms/gcpol.
deployIfNotExists
3.1.0
Disable authenticators upon termination
CMA_0169 - Disable authenticators upon termination
Manual, Disabled
1.1.0
Document security strength requirements in acquisition contracts
CMA_0203 - Document security strength requirements in acquisition contracts
Manual, Disabled
1.1.0
Establish a password policy
CMA_0256 - Establish a password policy
Manual, Disabled
1.1.0
Establish authenticator types and processes
CMA_0267 - Establish authenticator types and processes
Manual, Disabled
1.1.0
Establish procedures for initial authenticator distribution
CMA_0276 - Establish procedures for initial authenticator distribution
Manual, Disabled
1.1.0
Implement parameters for memorized secret verifiers
CMA_0321 - Implement parameters for memorized secret verifiers
Manual, Disabled
1.1.0
Implement training for protecting authenticators
CMA_0329 - Implement training for protecting authenticators
Manual, Disabled
1.1.0
Manage authenticator lifetime and reuse
CMA_0355 - Manage authenticator lifetime and reuse
Manual, Disabled
1.1.0
Manage Authenticators
CMA_C1321 - Manage Authenticators
Manual, Disabled
1.1.0
Protect passwords with encryption
CMA_0408 - Protect passwords with encryption
Manual, Disabled
1.1.0
Refresh authenticators
CMA_0425 - Refresh authenticators
Manual, Disabled
1.1.0
Reissue authenticators for changed groups and accounts
CMA_0426 - Reissue authenticators for changed groups and accounts
Manual, Disabled
1.1.0
Revoke privileged roles as appropriate
CMA_0483 - Revoke privileged roles as appropriate
Manual, Disabled
1.1.0
Verify identity before distributing authenticators
CMA_0538 - Verify identity before distributing authenticators
Manual, Disabled
1.1.0
Review of user access rights
ID : ISO 27001:2013 A.9.2.5
Ownership : Shared

| Name (Azure portal) | Description | Effect(s) | Version (GitHub) |
| --- | --- | --- | --- |
| Assign account managers | CMA_0015 - Assign account managers | Manual, Disabled | 1.1.0 |
| Audit user account status | CMA_0020 - Audit user account status | Manual, Disabled | 1.1.0 |
| Blocked accounts with owner permissions on Azure resources should be removed | Deprecated accounts with owner permissions should be removed from your subscription. Deprecated accounts are accounts that have been blocked from signing in. | AuditIfNotExists, Disabled | 1.0.0 |
| Blocked accounts with read and write permissions on Azure resources should be removed | Deprecated accounts should be removed from your subscriptions. Deprecated accounts are accounts that have been blocked from signing in. | AuditIfNotExists, Disabled | 1.0.0 |
| Define information system account types | CMA_0121 - Define information system account types | Manual, Disabled | 1.1.0 |
| Document access privileges | CMA_0186 - Document access privileges | Manual, Disabled | 1.1.0 |
| Establish conditions for role membership | CMA_0269 - Establish conditions for role membership | Manual, Disabled | 1.1.0 |
| Guest accounts with owner permissions on Azure resources should be removed | External accounts with owner permissions should be removed from your subscription in order to prevent unmonitored access. | AuditIfNotExists, Disabled | 1.0.0 |
| Guest accounts with write permissions on Azure resources should be removed | External accounts with write privileges should be removed from your subscription in order to prevent unmonitored access. | AuditIfNotExists, Disabled | 1.0.0 |
| Notify Account Managers of customer controlled accounts | CMA_C1009 - Notify Account Managers of customer controlled accounts | Manual, Disabled | 1.1.0 |
| Reassign or remove user privileges as needed | CMA_C1040 - Reassign or remove user privileges as needed | Manual, Disabled | 1.1.0 |
| Require approval for account creation | CMA_0431 - Require approval for account creation | Manual, Disabled | 1.1.0 |
| Restrict access to privileged accounts | CMA_0446 - Restrict access to privileged accounts | Manual, Disabled | 1.1.0 |
| Review account provisioning logs | CMA_0460 - Review account provisioning logs | Manual, Disabled | 1.1.0 |
| Review and reevaluate privileges | CMA_C1207 - Review and reevaluate privileges | Manual, Disabled | 1.1.0 |
| Review user accounts | CMA_0480 - Review user accounts | Manual, Disabled | 1.1.0 |
| Review user privileges | CMA_C1039 - Review user privileges | Manual, Disabled | 1.1.0 |
Removal or adjustment of access rights
ID : ISO 27001:2013 A.9.2.6
Ownership : Shared

| Name (Azure portal) | Description | Effect(s) | Version (GitHub) |
| --- | --- | --- | --- |
| Assign account managers | CMA_0015 - Assign account managers | Manual, Disabled | 1.1.0 |
| Audit user account status | CMA_0020 - Audit user account status | Manual, Disabled | 1.1.0 |
| Blocked accounts with owner permissions on Azure resources should be removed | Deprecated accounts with owner permissions should be removed from your subscription. Deprecated accounts are accounts that have been blocked from signing in. | AuditIfNotExists, Disabled | 1.0.0 |
| Blocked accounts with read and write permissions on Azure resources should be removed | Deprecated accounts should be removed from your subscriptions. Deprecated accounts are accounts that have been blocked from signing in. | AuditIfNotExists, Disabled | 1.0.0 |
| Define information system account types | CMA_0121 - Define information system account types | Manual, Disabled | 1.1.0 |
| Document access privileges | CMA_0186 - Document access privileges | Manual, Disabled | 1.1.0 |
| Establish conditions for role membership | CMA_0269 - Establish conditions for role membership | Manual, Disabled | 1.1.0 |
| Initiate transfer or reassignment actions | CMA_0333 - Initiate transfer or reassignment actions | Manual, Disabled | 1.1.0 |
| Modify access authorizations upon personnel transfer | CMA_0374 - Modify access authorizations upon personnel transfer | Manual, Disabled | 1.1.0 |
| Notify Account Managers of customer controlled accounts | CMA_C1009 - Notify Account Managers of customer controlled accounts | Manual, Disabled | 1.1.0 |
| Notify upon termination or transfer | CMA_0381 - Notify upon termination or transfer | Manual, Disabled | 1.1.0 |
| Reevaluate access upon personnel transfer | CMA_0424 - Reevaluate access upon personnel transfer | Manual, Disabled | 1.1.0 |
| Require approval for account creation | CMA_0431 - Require approval for account creation | Manual, Disabled | 1.1.0 |
| Restrict access to privileged accounts | CMA_0446 - Restrict access to privileged accounts | Manual, Disabled | 1.1.0 |
| Review account provisioning logs | CMA_0460 - Review account provisioning logs | Manual, Disabled | 1.1.0 |
| Review and reevaluate privileges | CMA_C1207 - Review and reevaluate privileges | Manual, Disabled | 1.1.0 |
| Review user accounts | CMA_0480 - Review user accounts | Manual, Disabled | 1.1.0 |
ID : ISO 27001:2013 A.9.3.1
Ownership : Shared

| Name (Azure portal) | Description | Effect(s) | Version (GitHub) |
| --- | --- | --- | --- |
| Disable authenticators upon termination | CMA_0169 - Disable authenticators upon termination | Manual, Disabled | 1.1.0 |
| Document security strength requirements in acquisition contracts | CMA_0203 - Document security strength requirements in acquisition contracts | Manual, Disabled | 1.1.0 |
| Establish a password policy | CMA_0256 - Establish a password policy | Manual, Disabled | 1.1.0 |
| Establish authenticator types and processes | CMA_0267 - Establish authenticator types and processes | Manual, Disabled | 1.1.0 |
| Establish procedures for initial authenticator distribution | CMA_0276 - Establish procedures for initial authenticator distribution | Manual, Disabled | 1.1.0 |
| Implement parameters for memorized secret verifiers | CMA_0321 - Implement parameters for memorized secret verifiers | Manual, Disabled | 1.1.0 |
| Implement training for protecting authenticators | CMA_0329 - Implement training for protecting authenticators | Manual, Disabled | 1.1.0 |
| Manage authenticator lifetime and reuse | CMA_0355 - Manage authenticator lifetime and reuse | Manual, Disabled | 1.1.0 |
| Manage Authenticators | CMA_C1321 - Manage Authenticators | Manual, Disabled | 1.1.0 |
| Protect passwords with encryption | CMA_0408 - Protect passwords with encryption | Manual, Disabled | 1.1.0 |
| Refresh authenticators | CMA_0425 - Refresh authenticators | Manual, Disabled | 1.1.0 |
| Reissue authenticators for changed groups and accounts | CMA_0426 - Reissue authenticators for changed groups and accounts | Manual, Disabled | 1.1.0 |
| Revoke privileged roles as appropriate | CMA_0483 - Revoke privileged roles as appropriate | Manual, Disabled | 1.1.0 |
| Terminate customer controlled account credentials | CMA_C1022 - Terminate customer controlled account credentials | Manual, Disabled | 1.1.0 |
| Verify identity before distributing authenticators | CMA_0538 - Verify identity before distributing authenticators | Manual, Disabled | 1.1.0 |
ID : ISO 27001:2013 A.9.4.1
Ownership : Shared

| Name (Azure portal) | Description | Effect(s) | Version (GitHub) |
| --- | --- | --- | --- |
| Authorize access to security functions and information | CMA_0022 - Authorize access to security functions and information | Manual, Disabled | 1.1.0 |
| Authorize and manage access | CMA_0023 - Authorize and manage access | Manual, Disabled | 1.1.0 |
| Automate account management | CMA_0026 - Automate account management | Manual, Disabled | 1.1.0 |
| Enforce logical access | CMA_0245 - Enforce logical access | Manual, Disabled | 1.1.0 |
| Enforce mandatory and discretionary access control policies | CMA_0246 - Enforce mandatory and discretionary access control policies | Manual, Disabled | 1.1.0 |
| Limit privileges to make changes in production environment | CMA_C1206 - Limit privileges to make changes in production environment | Manual, Disabled | 1.1.0 |
| Manage system and admin accounts | CMA_0368 - Manage system and admin accounts | Manual, Disabled | 1.1.0 |
| Monitor access across the organization | CMA_0376 - Monitor access across the organization | Manual, Disabled | 1.1.0 |
| Notify when account is not needed | CMA_0383 - Notify when account is not needed | Manual, Disabled | 1.1.0 |
| Require approval for account creation | CMA_0431 - Require approval for account creation | Manual, Disabled | 1.1.0 |
| Review user groups and applications with access to sensitive data | CMA_0481 - Review user groups and applications with access to sensitive data | Manual, Disabled | 1.1.0 |
ID : ISO 27001:2013 A.9.4.2
Ownership : Shared

| Name (Azure portal) | Description | Effect(s) | Version (GitHub) |
| --- | --- | --- | --- |
| Accounts with owner permissions on Azure resources should be MFA enabled | Multi-Factor Authentication (MFA) should be enabled for all subscription accounts with owner permissions to prevent a breach of accounts or resources. | AuditIfNotExists, Disabled | 1.0.0 |
| Accounts with read permissions on Azure resources should be MFA enabled | Multi-Factor Authentication (MFA) should be enabled for all subscription accounts with read privileges to prevent a breach of accounts or resources. | AuditIfNotExists, Disabled | 1.0.0 |
| Accounts with write permissions on Azure resources should be MFA enabled | Multi-Factor Authentication (MFA) should be enabled for all subscription accounts with write privileges to prevent a breach of accounts or resources. | AuditIfNotExists, Disabled | 1.0.0 |
| Adopt biometric authentication mechanisms | CMA_0005 - Adopt biometric authentication mechanisms | Manual, Disabled | 1.1.0 |
| Enable detection of network devices | CMA_0220 - Enable detection of network devices | Manual, Disabled | 1.1.0 |
| Enforce a limit of consecutive failed login attempts | CMA_C1044 - Enforce a limit of consecutive failed login attempts | Manual, Disabled | 1.1.0 |
| Enforce user uniqueness | CMA_0250 - Enforce user uniqueness | Manual, Disabled | 1.1.0 |
| Establish electronic signature and certificate requirements | CMA_0271 - Establish electronic signature and certificate requirements | Manual, Disabled | 1.1.0 |
| Generate error messages | CMA_C1724 - Generate error messages | Manual, Disabled | 1.1.0 |
| Identify actions allowed without authentication | CMA_0295 - Identify actions allowed without authentication | Manual, Disabled | 1.1.0 |
| Identify and authenticate non-organizational users | CMA_C1346 - Identify and authenticate non-organizational users | Manual, Disabled | 1.1.0 |
| Obscure feedback information during authentication process | CMA_C1344 - Obscure feedback information during authentication process | Manual, Disabled | 1.1.0 |
| Reveal error messages | CMA_C1725 - Reveal error messages | Manual, Disabled | 1.1.0 |
| Route traffic through managed network access points | CMA_0484 - Route traffic through managed network access points | Manual, Disabled | 1.1.0 |
| Set automated notifications for new and trending cloud applications in your organization | CMA_0495 - Set automated notifications for new and trending cloud applications in your organization | Manual, Disabled | 1.1.0 |
| Support personal verification credentials issued by legal authorities | CMA_0507 - Support personal verification credentials issued by legal authorities | Manual, Disabled | 1.1.0 |
| Terminate user session automatically | CMA_C1054 - Terminate user session automatically | Manual, Disabled | 1.1.0 |
Password management system
ID : ISO 27001:2013 A.9.4.3
Ownership : Shared

| Name (Azure portal) | Description | Effect(s) | Version (GitHub) |
| --- | --- | --- | --- |
| Add system-assigned managed identity to enable Guest Configuration assignments on virtual machines with no identities | This policy adds a system-assigned managed identity to virtual machines hosted in Azure that are supported by Guest Configuration but do not have any managed identities. A system-assigned managed identity is a prerequisite for all Guest Configuration assignments and must be added to machines before using any Guest Configuration policy definitions. For more information on Guest Configuration, visit https://aka.ms/gcpol. | modify | 4.1.0 |
| Add system-assigned managed identity to enable Guest Configuration assignments on VMs with a user-assigned identity | This policy adds a system-assigned managed identity to virtual machines hosted in Azure that are supported by Guest Configuration and have at least one user-assigned identity but do not have a system-assigned managed identity. A system-assigned managed identity is a prerequisite for all Guest Configuration assignments and must be added to machines before using any Guest Configuration policy definitions. For more information on Guest Configuration, visit https://aka.ms/gcpol. | modify | 4.1.0 |
| Audit Windows machines that allow re-use of the passwords after the specified number of unique passwords | Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Windows machines are non-compliant if they allow a password to be re-used before the specified number of unique passwords has been used. The default number of unique passwords is 24. | AuditIfNotExists, Disabled | 2.1.0 |
| Audit Windows machines that do not have the maximum password age set to specified number of days | Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Windows machines are non-compliant if the maximum password age is not set to the specified number of days. The default maximum password age is 70 days. | AuditIfNotExists, Disabled | 2.1.0 |
| Audit Windows machines that do not have the minimum password age set to specified number of days | Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Windows machines are non-compliant if the minimum password age is not set to the specified number of days. The default minimum password age is 1 day. | AuditIfNotExists, Disabled | 2.1.0 |
| Audit Windows machines that do not have the password complexity setting enabled | Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Windows machines are non-compliant if the password complexity setting is not enabled. | AuditIfNotExists, Disabled | 2.0.0 |
| Audit Windows machines that do not restrict the minimum password length to specified number of characters | Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Windows machines are non-compliant if the minimum password length is not restricted to the specified number of characters. The default minimum password length is 14 characters. | AuditIfNotExists, Disabled | 2.1.0 |
| Deploy the Windows Guest Configuration extension to enable Guest Configuration assignments on Windows VMs | This policy deploys the Windows Guest Configuration extension to Windows virtual machines hosted in Azure that are supported by Guest Configuration. The Windows Guest Configuration extension is a prerequisite for all Windows Guest Configuration assignments and must be deployed to machines before using any Windows Guest Configuration policy definition. For more information on Guest Configuration, visit https://aka.ms/gcpol. | deployIfNotExists | 1.2.0 |
| Disable authenticators upon termination | CMA_0169 - Disable authenticators upon termination | Manual, Disabled | 1.1.0 |
| Document security strength requirements in acquisition contracts | CMA_0203 - Document security strength requirements in acquisition contracts | Manual, Disabled | 1.1.0 |
| Establish a password policy | CMA_0256 - Establish a password policy | Manual, Disabled | 1.1.0 |
| Establish authenticator types and processes | CMA_0267 - Establish authenticator types and processes | Manual, Disabled | 1.1.0 |
| Establish procedures for initial authenticator distribution | CMA_0276 - Establish procedures for initial authenticator distribution | Manual, Disabled | 1.1.0 |
| Implement parameters for memorized secret verifiers | CMA_0321 - Implement parameters for memorized secret verifiers | Manual, Disabled | 1.1.0 |
| Implement training for protecting authenticators | CMA_0329 - Implement training for protecting authenticators | Manual, Disabled | 1.1.0 |
| Manage authenticator lifetime and reuse | CMA_0355 - Manage authenticator lifetime and reuse | Manual, Disabled | 1.1.0 |
| Manage Authenticators | CMA_C1321 - Manage Authenticators | Manual, Disabled | 1.1.0 |
| Protect passwords with encryption | CMA_0408 - Protect passwords with encryption | Manual, Disabled | 1.1.0 |
| Refresh authenticators | CMA_0425 - Refresh authenticators | Manual, Disabled | 1.1.0 |
| Reissue authenticators for changed groups and accounts | CMA_0426 - Reissue authenticators for changed groups and accounts | Manual, Disabled | 1.1.0 |
| Revoke privileged roles as appropriate | CMA_0483 - Revoke privileged roles as appropriate | Manual, Disabled | 1.1.0 |
| Verify identity before distributing authenticators | CMA_0538 - Verify identity before distributing authenticators | Manual, Disabled | 1.1.0 |
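The five Windows password-policy audits in the A.9.4.3 table and the "passwd file permissions set to 0644" audit in the earlier Linux table each reduce to a comparison of a machine setting against a stated default. The Python below is an added example, not code from this page or from Azure's Guest Configuration implementation: it re-creates those comparisons offline so a practitioner can pre-check a machine (or a fleet's exported settings) before the policy assignment evaluates it. The secedit export and the file modes are constructed sample inputs, the function names `parse_system_access`, `check_windows_password_policy`, `check_passwd_mode` and `audit_passwd_file` are this example's own, and reading "set to N" as history >= N, 1 <= maximum age <= N, minimum age >= N and length >= N is an assumption; the page does not state the exact comparison the real audits apply.

```python
"""Offline re-check of the Windows password-policy audits (A.9.4.3) and the
Linux passwd-file-mode audit listed on this page.

Added example, not page or Azure code.  Inputs below are constructed samples;
thresholds are the defaults the policy descriptions quote.  The comparison
direction for "set to N" is this example's assumption.
"""
from __future__ import annotations

import configparser
import os
import stat

# Defaults quoted by the A.9.4.3 policy descriptions.
WINDOWS_DEFAULTS = {
    "PasswordHistorySize": 24,    # unique passwords before re-use
    "MaximumPasswordAge": 70,     # days
    "MinimumPasswordAge": 1,      # days
    "PasswordComplexity": 1,      # 1 = complexity enabled
    "MinimumPasswordLength": 14,  # characters
}

# Constructed sample of what `secedit /export /cfg <file>` writes (the real
# file is UTF-16; decode it before passing it in).  Maximum age and minimum
# length are deliberately weak so the check has something to flag.
SAMPLE_SECEDIT_EXPORT = """\
[Unicode]
Unicode=yes
[System Access]
MinimumPasswordAge = 1
MaximumPasswordAge = 90
MinimumPasswordLength = 8
PasswordComplexity = 1
PasswordHistorySize = 24
[Version]
signature="$CHICAGO$"
Revision=1
"""


def parse_system_access(export_text: str) -> dict[str, int]:
    """Return the [System Access] settings of a secedit export as integers."""
    parser = configparser.ConfigParser(interpolation=None)
    parser.optionxform = str  # keep the exported key names' case
    parser.read_string(export_text)
    return {key: int(value) for key, value in parser["System Access"].items()}


def check_windows_password_policy(export_text: str,
                                  expected: dict[str, int] = WINDOWS_DEFAULTS) -> list[str]:
    """One finding per failed setting, in the order of the A.9.4.3 audits.

    An empty list means the machine would pass all five password policies.
    Pass `expected` with the assignment's parameter values if the defaults
    were overridden.
    """
    s = parse_system_access(export_text)
    findings: list[str] = []

    history = s.get("PasswordHistorySize", 0)
    if history < expected["PasswordHistorySize"]:
        findings.append(f"password history {history} < {expected['PasswordHistorySize']}")

    # secedit exports -1 when passwords never expire; that fails the audit too.
    max_age = s.get("MaximumPasswordAge", -1)
    if not 1 <= max_age <= expected["MaximumPasswordAge"]:
        findings.append(f"maximum password age {max_age} not in 1..{expected['MaximumPasswordAge']} days")

    min_age = s.get("MinimumPasswordAge", 0)
    if min_age < expected["MinimumPasswordAge"]:
        findings.append(f"minimum password age {min_age} < {expected['MinimumPasswordAge']} day(s)")

    if s.get("PasswordComplexity", 0) != expected["PasswordComplexity"]:
        findings.append("password complexity not enabled")

    length = s.get("MinimumPasswordLength", 0)
    if length < expected["MinimumPasswordLength"]:
        findings.append(f"minimum password length {length} < {expected['MinimumPasswordLength']}")
    return findings


def check_passwd_mode(st_mode: int) -> list[str]:
    """Compare a stat() st_mode against the 0644 the Linux passwd audit expects."""
    perm = stat.S_IMODE(st_mode)
    return [] if perm == 0o644 else [f"passwd mode {perm:04o} != 0644"]


def audit_passwd_file(path: str = "/etc/passwd") -> list[str]:
    """Run the passwd-mode check against a real file (Linux hosts only)."""
    return check_passwd_mode(os.stat(path).st_mode)


if __name__ == "__main__":
    for finding in check_windows_password_policy(SAMPLE_SECEDIT_EXPORT):
        print("non-compliant:", finding)
    for finding in check_passwd_mode(0o100666):  # constructed world-writable mode
        print("non-compliant:", finding)
```

On a Windows host, `secedit /export /cfg <file>` produces the input for `check_windows_password_policy`; on Linux, `audit_passwd_file()` reads the live file. These checks only tell you whether the machine would pass the listed audits; the Guest Configuration prerequisites (managed identity and extension) still have to be in place for Azure Policy to report it.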
Use of privileged utility programs
ID : ISO 27001:2013 A.9.4.4
Ownership : Shared
Access control to program source code
ID : ISO 27001:2013 A.9.4.5
Ownership : Shared

| Name (Azure portal) | Description | Effect(s) | Version (GitHub) |
| --- | --- | --- | --- |
| Authorize access to security functions and information | CMA_0022 - Authorize access to security functions and information | Manual, Disabled | 1.1.0 |
| Authorize and manage access | CMA_0023 - Authorize and manage access | Manual, Disabled | 1.1.0 |
| Design an access control model | CMA_0129 - Design an access control model | Manual, Disabled | 1.1.0 |
| Employ least privilege access | CMA_0212 - Employ least privilege access | Manual, Disabled | 1.1.0 |
| Enforce logical access | CMA_0245 - Enforce logical access | Manual, Disabled | 1.1.0 |
| Enforce mandatory and discretionary access control policies | CMA_0246 - Enforce mandatory and discretionary access control policies | Manual, Disabled | 1.1.0 |
| Establish and document change control processes | CMA_0265 - Establish and document change control processes | Manual, Disabled | 1.1.0 |
| Limit privileges to make changes in production environment | CMA_C1206 - Limit privileges to make changes in production environment | Manual, Disabled | 1.1.0 |
| Require approval for account creation | CMA_0431 - Require approval for account creation | Manual, Disabled | 1.1.0 |
| Review user groups and applications with access to sensitive data | CMA_0481 - Review user groups and applications with access to sensitive data | Manual, Disabled | 1.1.0 |
ID : ISO 27001:2013 C.10.1.d
Ownership : Shared

| Name (Azure portal) | Description | Effect(s) | Version (GitHub) |
| --- | --- | --- | --- |
| Update POA&M items | CMA_C1157 - Update POA&M items | Manual, Disabled | 1.1.0 |
ID : ISO 27001:2013 C.10.1.e
Ownership : Shared

| Name (Azure portal) | Description | Effect(s) | Version (GitHub) |
| --- | --- | --- | --- |
| Update POA&M items | CMA_C1157 - Update POA&M items | Manual, Disabled | 1.1.0 |
ID : ISO 27001:2013 C.10.1.f
Ownership : Shared
ID : ISO 27001:2013 C.10.1.g
Ownership : Shared
Context of the organization
ID : ISO 27001:2013 C.4.3.a
Ownership : Shared
ID : ISO 27001:2013 C.4.3.b
Ownership : Shared
ID : ISO 27001:2013 C.4.3.c
Ownership : Shared

| Name (Azure portal) | Description | Effect(s) | Version (GitHub) |
| --- | --- | --- | --- |
| Align business objectives and IT goals | CMA_0008 - Align business objectives and IT goals | Manual, Disabled | 1.1.0 |
| Determine supplier contract obligations | CMA_0140 - Determine supplier contract obligations | Manual, Disabled | 1.1.0 |
| Develop SSP that meets criteria | CMA_C1492 - Develop SSP that meets criteria | Manual, Disabled | 1.1.0 |
| Document acquisition contract acceptance criteria | CMA_0187 - Document acquisition contract acceptance criteria | Manual, Disabled | 1.1.0 |
| Document protection of personal data in acquisition contracts | CMA_0194 - Document protection of personal data in acquisition contracts | Manual, Disabled | 1.1.0 |
| Document protection of security information in acquisition contracts | CMA_0195 - Document protection of security information in acquisition contracts | Manual, Disabled | 1.1.0 |
| Document requirements for the use of shared data in contracts | CMA_0197 - Document requirements for the use of shared data in contracts | Manual, Disabled | 1.1.0 |
| Document security assurance requirements in acquisition contracts | CMA_0199 - Document security assurance requirements in acquisition contracts | Manual, Disabled | 1.1.0 |
| Document security documentation requirements in acquisition contract | CMA_0200 - Document security documentation requirements in acquisition contract | Manual, Disabled | 1.1.0 |
| Document security functional requirements in acquisition contracts | CMA_0201 - Document security functional requirements in acquisition contracts | Manual, Disabled | 1.1.0 |
| Document security strength requirements in acquisition contracts | CMA_0203 - Document security strength requirements in acquisition contracts | Manual, Disabled | 1.1.0 |
| Document the information system environment in acquisition contracts | CMA_0205 - Document the information system environment in acquisition contracts | Manual, Disabled | 1.1.0 |
| Document the protection of cardholder data in third party contracts | CMA_0207 - Document the protection of cardholder data in third party contracts | Manual, Disabled | 1.1.0 |
| Employ business case to record the resources required | CMA_C1735 - Employ business case to record the resources required | Manual, Disabled | 1.1.0 |
| Ensure capital planning and investment requests include necessary resources | CMA_C1734 - Ensure capital planning and investment requests include necessary resources | Manual, Disabled | 1.1.0 |
| Establish privacy requirements for contractors and service providers | CMA_C1810 - Establish privacy requirements for contractors and service providers | Manual, Disabled | 1.1.0 |
| Govern the allocation of resources | CMA_0293 - Govern the allocation of resources | Manual, Disabled | 1.1.0 |
| Secure commitment from leadership | CMA_0489 - Secure commitment from leadership | Manual, Disabled | 1.1.0 |
ID : ISO 27001:2013 C.4.4
Ownership : Shared
Leadership and commitment
ID : ISO 27001:2013 C.5.1.a
Ownership : Shared

| Name (Azure portal) | Description | Effect(s) | Version (GitHub) |
| --- | --- | --- | --- |
| Appoint a senior information security officer | CMA_C1733 - Appoint a senior information security officer | Manual, Disabled | 1.1.0 |
| Develop access control policies and procedures | CMA_0144 - Develop access control policies and procedures | Manual, Disabled | 1.1.0 |
| Document security and privacy training activities | CMA_0198 - Document security and privacy training activities | Manual, Disabled | 1.1.0 |
| Establish a privacy program | CMA_0257 - Establish a privacy program | Manual, Disabled | 1.1.0 |
| Govern policies and procedures | CMA_0292 - Govern policies and procedures | Manual, Disabled | 1.1.0 |
| Update privacy plan, policies, and procedures | CMA_C1807 - Update privacy plan, policies, and procedures | Manual, Disabled | 1.1.0 |
Leadership and commitment
ID : ISO 27001:2013 C.5.1.b
Ownership : Shared

| Name (Azure portal) | Description | Effect(s) | Version (GitHub) |
| --- | --- | --- | --- |
| Appoint a senior information security officer | CMA_C1733 - Appoint a senior information security officer | Manual, Disabled | 1.1.0 |
| Develop access control policies and procedures | CMA_0144 - Develop access control policies and procedures | Manual, Disabled | 1.1.0 |
| Develop audit and accountability policies and procedures | CMA_0154 - Develop audit and accountability policies and procedures | Manual, Disabled | 1.1.0 |
| Develop information security policies and procedures | CMA_0158 - Develop information security policies and procedures | Manual, Disabled | 1.1.0 |
| Document security and privacy training activities | CMA_0198 - Document security and privacy training activities | Manual, Disabled | 1.1.0 |
| Establish a privacy program | CMA_0257 - Establish a privacy program | Manual, Disabled | 1.1.0 |
| Establish an information security program | CMA_0263 - Establish an information security program | Manual, Disabled | 1.1.0 |
| Establish and document change control processes | CMA_0265 - Establish and document change control processes | Manual, Disabled | 1.1.0 |
| Establish configuration management requirements for developers | CMA_0270 - Establish configuration management requirements for developers | Manual, Disabled | 1.1.0 |
| Govern policies and procedures | CMA_0292 - Govern policies and procedures | Manual, Disabled | 1.1.0 |
| Perform audit for configuration change control | CMA_0390 - Perform audit for configuration change control | Manual, Disabled | 1.1.0 |
| Review access control policies and procedures | CMA_0457 - Review access control policies and procedures | Manual, Disabled | 1.1.0 |
| Review and update configuration management policies and procedures | CMA_C1175 - Review and update configuration management policies and procedures | Manual, Disabled | 1.1.0 |
| Review and update contingency planning policies and procedures | CMA_C1243 - Review and update contingency planning policies and procedures | Manual, Disabled | 1.1.0 |
| Review and update identification and authentication policies and procedures | CMA_C1299 - Review and update identification and authentication policies and procedures | Manual, Disabled | 1.1.0 |
| Review and update incident response policies and procedures | CMA_C1352 - Review and update incident response policies and procedures | Manual, Disabled | 1.1.0 |
| Review and update information integrity policies and procedures | CMA_C1667 - Review and update information integrity policies and procedures | Manual, Disabled | 1.1.0 |
| Review and update media protection policies and procedures | CMA_C1427 - Review and update media protection policies and procedures | Manual, Disabled | 1.1.0 |
| Review and update personnel security policies and procedures | CMA_C1507 - Review and update personnel security policies and procedures | Manual, Disabled | 1.1.0 |
| Review and update physical and environmental policies and procedures | CMA_C1446 - Review and update physical and environmental policies and procedures | Manual, Disabled | 1.1.0 |
| Review and update planning policies and procedures | CMA_C1491 - Review and update planning policies and procedures | Manual, Disabled | 1.1.0 |
| Review and update risk assessment policies and procedures | CMA_C1537 - Review and update risk assessment policies and procedures | Manual, Disabled | 1.1.0 |
| Review and update system and communications protection policies and procedures | CMA_C1616 - Review and update system and communications protection policies and procedures | Manual, Disabled | 1.1.0 |
| Review and update system and services acquisition policies and procedures | CMA_C1560 - Review and update system and services acquisition policies and procedures | Manual, Disabled | 1.1.0 |
| Review and update system maintenance policies and procedures | CMA_C1395 - Review and update system maintenance policies and procedures | Manual, Disabled | 1.1.0 |
| Review security assessment and authorization policies and procedures | CMA_C1143 - Review security assessment and authorization policies and procedures | Manual, Disabled | 1.1.0 |
| Update information security policies | CMA_0518 - Update information security policies | Manual, Disabled | 1.1.0 |
| Update privacy plan, policies, and procedures | CMA_C1807 - Update privacy plan, policies, and procedures | Manual, Disabled | 1.1.0 |
Leadership and commitment
ID : ISO 27001:2013 C.5.1.c
Ownership : Shared

| Name (Azure portal) | Description | Effect(s) | Version (GitHub) |
| --- | --- | --- | --- |
| Align business objectives and IT goals | CMA_0008 - Align business objectives and IT goals | Manual, Disabled | 1.1.0 |
| Allocate resources in determining information system requirements | CMA_C1561 - Allocate resources in determining information system requirements | Manual, Disabled | 1.1.0 |
| Appoint a senior information security officer | CMA_C1733 - Appoint a senior information security officer | Manual, Disabled | 1.1.0 |
| Employ business case to record the resources required | CMA_C1735 - Employ business case to record the resources required | Manual, Disabled | 1.1.0 |
| Ensure capital planning and investment requests include necessary resources | CMA_C1734 - Ensure capital planning and investment requests include necessary resources | Manual, Disabled | 1.1.0 |
| Ensure privacy program information is publicly available | CMA_C1867 - Ensure privacy program information is publicly available | Manual, Disabled | 1.1.0 |
| Establish a discrete line item in budgeting documentation | CMA_C1563 - Establish a discrete line item in budgeting documentation | Manual, Disabled | 1.1.0 |
| Establish a privacy program | CMA_0257 - Establish a privacy program | Manual, Disabled | 1.1.0 |
| Govern the allocation of resources | CMA_0293 - Govern the allocation of resources | Manual, Disabled | 1.1.0 |
| Secure commitment from leadership | CMA_0489 - Secure commitment from leadership | Manual, Disabled | 1.1.0 |
Leadership and commitment
ID : ISO 27001:2013 C.5.1.d
Ownership : Shared
Leadership and commitment
ID : ISO 27001:2013 C.5.1.e
Ownership : Shared
Leadership and commitment
ID : ISO 27001:2013 C.5.1.f
Ownership : Shared
Leadership and commitment
ID : ISO 27001:2013 C.5.1.g
Ownership : Shared
Leadership and commitment
ID : ISO 27001:2013 C.5.1.h
Ownership : Shared
ID : ISO 27001:2013 C.5.2.a
Ownership : Shared
ID : ISO 27001:2013 C.5.2.b
Ownership : Shared
ID : ISO 27001:2013 C.5.2.c
Ownership : Shared

| Name (Azure portal) | Description | Effect(s) | Version (GitHub) |
| --- | --- | --- | --- |
| Develop access control policies and procedures | CMA_0144 - Develop access control policies and procedures | Manual, Disabled | 1.1.0 |
| Develop audit and accountability policies and procedures | CMA_0154 - Develop audit and accountability policies and procedures | Manual, Disabled | 1.1.0 |
| Develop information security policies and procedures | CMA_0158 - Develop information security policies and procedures | Manual, Disabled | 1.1.0 |
| Document security and privacy training activities | CMA_0198 - Document security and privacy training activities | Manual, Disabled | 1.1.0 |
| Establish an information security program | CMA_0263 - Establish an information security program | Manual, Disabled | 1.1.0 |
| Govern policies and procedures | CMA_0292 - Govern policies and procedures | Manual, Disabled | 1.1.0 |
| Review access control policies and procedures | CMA_0457 - Review access control policies and procedures | Manual, Disabled | 1.1.0 |
| Review and update configuration management policies and procedures | CMA_C1175 - Review and update configuration management policies and procedures | Manual, Disabled | 1.1.0 |
| Review and update contingency planning policies and procedures | CMA_C1243 - Review and update contingency planning policies and procedures | Manual, Disabled | 1.1.0 |
| Review and update identification and authentication policies and procedures | CMA_C1299 - Review and update identification and authentication policies and procedures | Manual, Disabled | 1.1.0 |
| Review and update incident response policies and procedures | CMA_C1352 - Review and update incident response policies and procedures | Manual, Disabled | 1.1.0 |
| Review and update information integrity policies and procedures | CMA_C1667 - Review and update information integrity policies and procedures | Manual, Disabled | 1.1.0 |
| Review and update media protection policies and procedures | CMA_C1427 - Review and update media protection policies and procedures | Manual, Disabled | 1.1.0 |
| Review and update personnel security policies and procedures | CMA_C1507 - Review and update personnel security policies and procedures | Manual, Disabled | 1.1.0 |
| Review and update physical and environmental policies and procedures | CMA_C1446 - Review and update physical and environmental policies and procedures | Manual, Disabled | 1.1.0 |
| Review and update planning policies and procedures | CMA_C1491 - Review and update planning policies and procedures | Manual, Disabled | 1.1.0 |
| Review and update risk assessment policies and procedures | CMA_C1537 - Review and update risk assessment policies and procedures | Manual, Disabled | 1.1.0 |
| Review and update system and communications protection policies and procedures | CMA_C1616 - Review and update system and communications protection policies and procedures | Manual, Disabled | 1.1.0 |
| Review and update system and services acquisition policies and procedures | CMA_C1560 - Review and update system and services acquisition policies and procedures | Manual, Disabled | 1.1.0 |
| Review and update system maintenance policies and procedures | CMA_C1395 - Review and update system maintenance policies and procedures | Manual, Disabled | 1.1.0 |
| Review security assessment and authorization policies and procedures | CMA_C1143 - Review security assessment and authorization policies and procedures | Manual, Disabled | 1.1.0 |
| Update information security policies | CMA_0518 - Update information security policies | Manual, Disabled | 1.1.0 |
| Update privacy plan, policies, and procedures | CMA_C1807 - Update privacy plan, policies, and procedures | Manual, Disabled | 1.1.0 |
ID: ISO 27001:2013 C.5.2.d
Ownership: Shared

| Name (Azure portal) | Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Develop access control policies and procedures | CMA_0144 - Develop access control policies and procedures | Manual, Disabled | 1.1.0 |
| Develop audit and accountability policies and procedures | CMA_0154 - Develop audit and accountability policies and procedures | Manual, Disabled | 1.1.0 |
| Develop information security policies and procedures | CMA_0158 - Develop information security policies and procedures | Manual, Disabled | 1.1.0 |
| Document security and privacy training activities | CMA_0198 - Document security and privacy training activities | Manual, Disabled | 1.1.0 |
| Establish an information security program | CMA_0263 - Establish an information security program | Manual, Disabled | 1.1.0 |
| Govern policies and procedures | CMA_0292 - Govern policies and procedures | Manual, Disabled | 1.1.0 |
| Review access control policies and procedures | CMA_0457 - Review access control policies and procedures | Manual, Disabled | 1.1.0 |
| Review and update configuration management policies and procedures | CMA_C1175 - Review and update configuration management policies and procedures | Manual, Disabled | 1.1.0 |
| Review and update contingency planning policies and procedures | CMA_C1243 - Review and update contingency planning policies and procedures | Manual, Disabled | 1.1.0 |
| Review and update identification and authentication policies and procedures | CMA_C1299 - Review and update identification and authentication policies and procedures | Manual, Disabled | 1.1.0 |
| Review and update incident response policies and procedures | CMA_C1352 - Review and update incident response policies and procedures | Manual, Disabled | 1.1.0 |
| Review and update information integrity policies and procedures | CMA_C1667 - Review and update information integrity policies and procedures | Manual, Disabled | 1.1.0 |
| Review and update media protection policies and procedures | CMA_C1427 - Review and update media protection policies and procedures | Manual, Disabled | 1.1.0 |
| Review and update personnel security policies and procedures | CMA_C1507 - Review and update personnel security policies and procedures | Manual, Disabled | 1.1.0 |
| Review and update physical and environmental policies and procedures | CMA_C1446 - Review and update physical and environmental policies and procedures | Manual, Disabled | 1.1.0 |
| Review and update planning policies and procedures | CMA_C1491 - Review and update planning policies and procedures | Manual, Disabled | 1.1.0 |
| Review and update risk assessment policies and procedures | CMA_C1537 - Review and update risk assessment policies and procedures | Manual, Disabled | 1.1.0 |
| Review and update system and communications protection policies and procedures | CMA_C1616 - Review and update system and communications protection policies and procedures | Manual, Disabled | 1.1.0 |
| Review and update system and services acquisition policies and procedures | CMA_C1560 - Review and update system and services acquisition policies and procedures | Manual, Disabled | 1.1.0 |
| Review and update system maintenance policies and procedures | CMA_C1395 - Review and update system maintenance policies and procedures | Manual, Disabled | 1.1.0 |
| Review security assessment and authorization policies and procedures | CMA_C1143 - Review security assessment and authorization policies and procedures | Manual, Disabled | 1.1.0 |
| Update information security policies | CMA_0518 - Update information security policies | Manual, Disabled | 1.1.0 |
| Update privacy plan, policies, and procedures | CMA_C1807 - Update privacy plan, policies, and procedures | Manual, Disabled | 1.1.0 |
ID: ISO 27001:2013 C.5.2.e
Ownership: Shared

ID: ISO 27001:2013 C.5.2.f
Ownership: Shared

ID: ISO 27001:2013 C.5.2.g
Ownership: Shared

Organizational roles, responsibilities and authorities
ID: ISO 27001:2013 C.5.3.b
Ownership: Shared

ID: ISO 27001:2013 C.6.1.1.a
Ownership: Shared

ID: ISO 27001:2013 C.6.1.1.b
Ownership: Shared

ID: ISO 27001:2013 C.6.1.1.c
Ownership: Shared

ID: ISO 27001:2013 C.6.1.1.d
Ownership: Shared

ID: ISO 27001:2013 C.6.1.1.e.1
Ownership: Shared

ID: ISO 27001:2013 C.6.1.1.e.2
Ownership: Shared

ID: ISO 27001:2013 C.6.1.2.a.1
Ownership: Shared

ID: ISO 27001:2013 C.6.1.2.a.2
Ownership: Shared

ID: ISO 27001:2013 C.6.1.2.b
Ownership: Shared

ID: ISO 27001:2013 C.6.1.2.c.1
Ownership: Shared

ID: ISO 27001:2013 C.6.1.2.c.2
Ownership: Shared

ID: ISO 27001:2013 C.6.1.2.d.1
Ownership: Shared

ID: ISO 27001:2013 C.6.1.2.d.2
Ownership: Shared

ID: ISO 27001:2013 C.6.1.2.d.3
Ownership: Shared

ID: ISO 27001:2013 C.6.1.2.e.1
Ownership: Shared

ID: ISO 27001:2013 C.6.1.2.e.2
Ownership: Shared

ID: ISO 27001:2013 C.6.1.3.a
Ownership: Shared

| Name (Azure portal) | Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Develop POA&M | CMA_C1156 - Develop POA&M | Manual, Disabled | 1.1.0 |

ID: ISO 27001:2013 C.6.1.3.b
Ownership: Shared

| Name (Azure portal) | Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Develop POA&M | CMA_C1156 - Develop POA&M | Manual, Disabled | 1.1.0 |

ID: ISO 27001:2013 C.6.1.3.c
Ownership: Shared

| Name (Azure portal) | Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Develop POA&M | CMA_C1156 - Develop POA&M | Manual, Disabled | 1.1.0 |

ID: ISO 27001:2013 C.6.1.3.d
Ownership: Shared

ID: ISO 27001:2013 C.6.1.3.e
Ownership: Shared

| Name (Azure portal) | Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Develop POA&M | CMA_C1156 - Develop POA&M | Manual, Disabled | 1.1.0 |

ID: ISO 27001:2013 C.6.1.3.f
Ownership: Shared

| Name (Azure portal) | Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Develop POA&M | CMA_C1156 - Develop POA&M | Manual, Disabled | 1.1.0 |
ID: ISO 27001:2013 C.6.2.e
Ownership: Shared

ID: ISO 27001:2013 C.7.1
Ownership: Shared

ID: ISO 27001:2013 C.7.2.a
Ownership: Shared

ID: ISO 27001:2013 C.7.2.b
Ownership: Shared

ID: ISO 27001:2013 C.7.2.c
Ownership: Shared

ID: ISO 27001:2013 C.7.2.d
Ownership: Shared

ID: ISO 27001:2013 C.7.3.a
Ownership: Shared

ID: ISO 27001:2013 C.7.3.b
Ownership: Shared

ID: ISO 27001:2013 C.7.3.c
Ownership: Shared

ID: ISO 27001:2013 C.7.4.a
Ownership: Shared

ID: ISO 27001:2013 C.7.4.b
Ownership: Shared

ID: ISO 27001:2013 C.7.4.c
Ownership: Shared

ID: ISO 27001:2013 C.7.4.d
Ownership: Shared

ID: ISO 27001:2013 C.7.4.e
Ownership: Shared

ID: ISO 27001:2013 C.7.5.2.c
Ownership: Shared

ID: ISO 27001:2013 C.7.5.3.a
Ownership: Shared

ID: ISO 27001:2013 C.7.5.3.b
Ownership: Shared

ID: ISO 27001:2013 C.7.5.3.c
Ownership: Shared

ID: ISO 27001:2013 C.7.5.3.d
Ownership: Shared

ID: ISO 27001:2013 C.7.5.3.e
Ownership: Shared

ID: ISO 27001:2013 C.7.5.3.f
Ownership: Shared
Operational planning and control
ID: ISO 27001:2013 C.8.1
Ownership: Shared

| Name (Azure portal) | Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Automate approval request for proposed changes | CMA_C1192 - Automate approval request for proposed changes | Manual, Disabled | 1.1.0 |
| Automate implementation of approved change notifications | CMA_C1196 - Automate implementation of approved change notifications | Manual, Disabled | 1.1.0 |
| Automate process to document implemented changes | CMA_C1195 - Automate process to document implemented changes | Manual, Disabled | 1.1.0 |
| Automate process to highlight unreviewed change proposals | CMA_C1193 - Automate process to highlight unreviewed change proposals | Manual, Disabled | 1.1.0 |
| Automate process to prohibit implementation of unapproved changes | CMA_C1194 - Automate process to prohibit implementation of unapproved changes | Manual, Disabled | 1.1.0 |
| Automate proposed documented changes | CMA_C1191 - Automate proposed documented changes | Manual, Disabled | 1.1.0 |
| Conduct a security impact analysis | CMA_0057 - Conduct a security impact analysis | Manual, Disabled | 1.1.0 |
| Develop and maintain a vulnerability management standard | CMA_0152 - Develop and maintain a vulnerability management standard | Manual, Disabled | 1.1.0 |
| Develop POA&M | CMA_C1156 - Develop POA&M | Manual, Disabled | 1.1.0 |
| Enforce security configuration settings | CMA_0249 - Enforce security configuration settings | Manual, Disabled | 1.1.0 |
| Establish and document change control processes | CMA_0265 - Establish and document change control processes | Manual, Disabled | 1.1.0 |
| Establish configuration management requirements for developers | CMA_0270 - Establish configuration management requirements for developers | Manual, Disabled | 1.1.0 |
| Perform a privacy impact assessment | CMA_0387 - Perform a privacy impact assessment | Manual, Disabled | 1.1.0 |
| Perform a risk assessment | CMA_0388 - Perform a risk assessment | Manual, Disabled | 1.1.0 |
| Perform audit for configuration change control | CMA_0390 - Perform audit for configuration change control | Manual, Disabled | 1.1.0 |
| Remediate information system flaws | CMA_0427 - Remediate information system flaws | Manual, Disabled | 1.1.0 |
| Require developers to document approved changes and potential impact | CMA_C1597 - Require developers to document approved changes and potential impact | Manual, Disabled | 1.1.0 |
| Require developers to implement only approved changes | CMA_C1596 - Require developers to implement only approved changes | Manual, Disabled | 1.1.0 |
| Require developers to manage change integrity | CMA_C1595 - Require developers to manage change integrity | Manual, Disabled | 1.1.0 |
| Require external service providers to comply with security requirements | CMA_C1586 - Require external service providers to comply with security requirements | Manual, Disabled | 1.1.0 |
| Update POA&M items | CMA_C1157 - Update POA&M items | Manual, Disabled | 1.1.0 |
ID: ISO 27001:2013 C.8.2
Ownership: Shared

ID: ISO 27001:2013 C.8.3
Ownership: Shared

Monitoring, measurement, analysis and evaluation
ID: ISO 27001:2013 C.9.1.a
Ownership: Shared

Monitoring, measurement, analysis and evaluation
ID: ISO 27001:2013 C.9.1.b
Ownership: Shared

Monitoring, measurement, analysis and evaluation
ID: ISO 27001:2013 C.9.1.c
Ownership: Shared

Monitoring, measurement, analysis and evaluation
ID: ISO 27001:2013 C.9.1.d
Ownership: Shared

Monitoring, measurement, analysis and evaluation
ID: ISO 27001:2013 C.9.1.e
Ownership: Shared

Monitoring, measurement, analysis and evaluation
ID: ISO 27001:2013 C.9.1.f
Ownership: Shared

ID: ISO 27001:2013 C.9.2.a.1
Ownership: Shared

ID: ISO 27001:2013 C.9.2.a.2
Ownership: Shared

ID: ISO 27001:2013 C.9.2.b
Ownership: Shared

ID: ISO 27001:2013 C.9.2.c
Ownership: Shared

ID: ISO 27001:2013 C.9.2.d
Ownership: Shared

ID: ISO 27001:2013 C.9.2.e
Ownership: Shared

ID: ISO 27001:2013 C.9.2.f
Ownership: Shared

ID: ISO 27001:2013 C.9.2.g
Ownership: Shared

ID: ISO 27001:2013 C.9.3.a
Ownership: Shared

ID: ISO 27001:2013 C.9.3.b
Ownership: Shared

ID: ISO 27001:2013 C.9.3.c.1
Ownership: Shared

ID: ISO 27001:2013 C.9.3.c.2
Ownership: Shared

ID: ISO 27001:2013 C.9.3.c.3
Ownership: Shared

ID: ISO 27001:2013 C.9.3.c.4
Ownership: Shared

ID: ISO 27001:2013 C.9.3.d
Ownership: Shared

ID: ISO 27001:2013 C.9.3.e
Ownership: Shared

ID: ISO 27001:2013 C.9.3.f
Ownership: Shared
Additional articles about Azure Policy: