Details of the ISO 27001:2013 Regulatory Compliance built-in initiative

The following article details how the Azure Policy Regulatory Compliance built-in initiative definition maps to compliance domains and controls in ISO 27001:2013. For more information about this compliance standard, see ISO 27001:2013. To understand Ownership, see Azure Policy policy definition and Shared responsibility in the cloud.

The following mappings are to the ISO 27001:2013 controls, grouped by compliance domain. Many of the controls are implemented with an Azure Policy initiative definition. To review the complete initiative definition, open Policy in the Azure portal and select the Definitions page. Then, find and select the ISO 27001:2013 Regulatory Compliance built-in initiative definition.

This built-in initiative is deployed as part of the ISO 27001:2013 blueprint sample.

Important

Each control below is associated with one or more Azure Policy definitions. These policies may help you assess compliance with the control; however, there often is not a one-to-one or complete match between a control and one or more policies. As such, Compliant in Azure Policy refers only to the policy definitions themselves; this doesn't ensure you're fully compliant with all requirements of a control. In addition, the compliance standard includes controls that aren't addressed by any Azure Policy definitions at this time. Therefore, compliance in Azure Policy is only a partial view of your overall compliance status. The associations between compliance domains, controls, and Azure Policy definitions for this compliance standard may change over time. To view the change history, see the GitHub Commit History.

Cryptography

Policy on the use of cryptographic controls

ID: ISO 27001:2013 A.10.1.1 Ownership: Shared

| Name (Azure portal) | Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Add system-assigned managed identity to enable Guest Configuration assignments on virtual machines with no identities | This policy adds a system-assigned managed identity to virtual machines hosted in Azure that are supported by Guest Configuration but do not have any managed identities. A system-assigned managed identity is a prerequisite for all Guest Configuration assignments and must be added to machines before using any Guest Configuration policy definitions. For more information on Guest Configuration, visit https://aka.ms/gcpol. | modify | 4.0.0 |
| Add system-assigned managed identity to enable Guest Configuration assignments on VMs with a user-assigned identity | This policy adds a system-assigned managed identity to virtual machines hosted in Azure that are supported by Guest Configuration and have at least one user-assigned identity but do not have a system-assigned managed identity. A system-assigned managed identity is a prerequisite for all Guest Configuration assignments and must be added to machines before using any Guest Configuration policy definitions. For more information on Guest Configuration, visit https://aka.ms/gcpol. | modify | 4.0.0 |
| App Service apps should only be accessible over HTTPS | Use of HTTPS ensures server/service authentication and protects data in transit from network layer eavesdropping attacks. | Audit, Disabled, Deny | 4.0.0 |
| Audit Windows machines that do not store passwords using reversible encryption | Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if they store passwords using reversible encryption. | AuditIfNotExists, Disabled | 2.0.0 |
| Automation account variables should be encrypted | It is important to enable encryption of Automation account variable assets when storing sensitive data. | Audit, Deny, Disabled | 1.1.0 |
| Define cryptographic use | CMA_0120 - Define cryptographic use | Manual, Disabled | 1.1.0 |
| Deploy the Windows Guest Configuration extension to enable Guest Configuration assignments on Windows VMs | This policy deploys the Windows Guest Configuration extension to Windows virtual machines hosted in Azure that are supported by Guest Configuration. The Windows Guest Configuration extension is a prerequisite for all Windows Guest Configuration assignments and must be deployed to machines before using any Windows Guest Configuration policy definition. For more information on Guest Configuration, visit https://aka.ms/gcpol. | deployIfNotExists | 1.2.0 |
| Document and distribute a privacy policy | CMA_0188 - Document and distribute a privacy policy | Manual, Disabled | 1.1.0 |
| Function apps should only be accessible over HTTPS | Use of HTTPS ensures server/service authentication and protects data in transit from network layer eavesdropping attacks. | Audit, Disabled, Deny | 5.0.0 |
| Implement privacy notice delivery methods | CMA_0324 - Implement privacy notice delivery methods | Manual, Disabled | 1.1.0 |
| Only secure connections to your Azure Cache for Redis should be enabled | Audit enabling of only connections via SSL to Azure Cache for Redis. Use of secure connections ensures authentication between the server and the service and protects data in transit from network layer attacks such as man-in-the-middle, eavesdropping, and session-hijacking. | Audit, Deny, Disabled | 1.0.0 |
| Provide privacy notice | CMA_0414 - Provide privacy notice | Manual, Disabled | 1.1.0 |
| Restrict communications | CMA_0449 - Restrict communications | Manual, Disabled | 1.1.0 |
| Review and update system and communications protection policies and procedures | CMA_C1616 - Review and update system and communications protection policies and procedures | Manual, Disabled | 1.1.0 |
| Secure transfer to storage accounts should be enabled | Audit requirement of Secure transfer in your storage account. Secure transfer is an option that forces your storage account to accept requests only from secure connections (HTTPS). Use of HTTPS ensures authentication between the server and the service and protects data in transit from network layer attacks such as man-in-the-middle, eavesdropping, and session-hijacking. | Audit, Deny, Disabled | 2.0.0 |
| Service Fabric clusters should have the ClusterProtectionLevel property set to EncryptAndSign | Service Fabric provides three levels of protection (None, Sign and EncryptAndSign) for node-to-node communication using a primary cluster certificate. Set the protection level to ensure that all node-to-node messages are encrypted and digitally signed. | Audit, Deny, Disabled | 1.1.0 |
| Transparent Data Encryption on SQL databases should be enabled | Transparent data encryption should be enabled to protect data-at-rest and meet compliance requirements. | AuditIfNotExists, Disabled | 2.0.0 |
| Virtual machines should encrypt temp disks, caches, and data flows between Compute and Storage resources | By default, a virtual machine's OS and data disks are encrypted-at-rest using platform-managed keys. Temp disks, data caches and data flowing between compute and storage aren't encrypted. Disregard this recommendation if: 1. using encryption-at-host, or 2. server-side encryption on Managed Disks meets your security requirements. Learn more in: Server-side encryption of Azure Disk Storage: https://aka.ms/disksse, Different disk encryption offerings: https://aka.ms/diskencryptioncomparison | AuditIfNotExists, Disabled | 2.0.3 |
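The non-Manual policies in the A.10.1.1 table each evaluate one resource property (HTTPS only, secure transfer, SSL-only Redis, ClusterProtectionLevel, TDE state). The following Python script is an added example, not part of the built-in initiative or of Azure Policy, that re-implements those checks against resource snapshots in the shape `az resource show` returns, so you can dry-run them before assigning the initiative with a Deny effect. The property names (`supportsHttpsTrafficOnly`, `httpsOnly`, `enableNonSslPort`, the `Security` fabric setting, the TDE child resource `state`) are the Azure resource properties the built-ins are assumed to reference; confirm them against the definition JSON on GitHub. The sample resources are constructed for the example.

```python
"""Offline dry-run of the technical A.10.1.1 policies (added example, not Azure Policy)."""
from typing import Callable

# Constructed resource snapshots (id, type, properties), shaped like `az resource show` output.
SAMPLE_RESOURCES = [
    {"id": "/sub/rg/st-good", "type": "Microsoft.Storage/storageAccounts",
     "properties": {"supportsHttpsTrafficOnly": True}},
    {"id": "/sub/rg/st-bad", "type": "Microsoft.Storage/storageAccounts",
     "properties": {"supportsHttpsTrafficOnly": False}},
    {"id": "/sub/rg/app-bad", "type": "Microsoft.Web/sites",
     "properties": {"httpsOnly": False}},
    {"id": "/sub/rg/redis-good", "type": "Microsoft.Cache/Redis",
     "properties": {"enableNonSslPort": False}},
    {"id": "/sub/rg/sf-bad", "type": "Microsoft.ServiceFabric/clusters",
     "properties": {"fabricSettings": [{"name": "Security", "parameters": [
         {"name": "ClusterProtectionLevel", "value": "Sign"}]}]}},
    # TDE state is a child resource of the database, as `az sql db tde show` reports it.
    {"id": "/sub/rg/db/tde", "type": "Microsoft.Sql/servers/databases/transparentDataEncryption",
     "properties": {"state": "Disabled"}},
]


def _props(resource: dict) -> dict:
    return resource.get("properties") or {}


def check_storage_secure_transfer(r: dict) -> bool:
    # Secure transfer required: only HTTPS requests are accepted.
    return _props(r).get("supportsHttpsTrafficOnly") is True


def check_app_service_https_only(r: dict) -> bool:
    # Covers both App Service apps and Function apps (same resource type).
    return _props(r).get("httpsOnly") is True


def check_redis_ssl_only(r: dict) -> bool:
    # Compliant only when the plaintext (non-SSL) port is disabled.
    return _props(r).get("enableNonSslPort") is False


def check_service_fabric_protection(r: dict) -> bool:
    # ClusterProtectionLevel lives under the "Security" fabric setting (assumed path).
    for setting in _props(r).get("fabricSettings") or []:
        if setting.get("name") != "Security":
            continue
        for param in setting.get("parameters") or []:
            if param.get("name") == "ClusterProtectionLevel":
                return param.get("value") == "EncryptAndSign"
    return False  # property absent: treat as non-compliant, as the built-in does


def check_sql_tde(r: dict) -> bool:
    return str(_props(r).get("state", "")).lower() == "enabled"


# Resource type (lower-cased; ARM types are case-insensitive) -> (policy name, check).
CHECKS: dict[str, tuple[str, Callable[[dict], bool]]] = {
    "microsoft.storage/storageaccounts":
        ("Secure transfer to storage accounts should be enabled", check_storage_secure_transfer),
    "microsoft.web/sites":
        ("App Service apps should only be accessible over HTTPS", check_app_service_https_only),
    "microsoft.cache/redis":
        ("Only secure connections to your Azure Cache for Redis should be enabled", check_redis_ssl_only),
    "microsoft.servicefabric/clusters":
        ("Service Fabric clusters should have the ClusterProtectionLevel property set to EncryptAndSign",
         check_service_fabric_protection),
    "microsoft.sql/servers/databases/transparentdataencryption":
        ("Transparent Data Encryption on SQL databases should be enabled", check_sql_tde),
}


def evaluate(resources: list) -> list:
    """One finding per resource whose type is covered by a check; other types are skipped."""
    findings = []
    for r in resources:
        entry = CHECKS.get(str(r.get("type", "")).lower())
        if entry is None:
            continue
        policy, check = entry
        findings.append({"id": r["id"], "policy": policy, "compliant": check(r)})
    return findings


def noncompliant_ids(resources: list) -> list:
    """Sorted ids that a Deny assignment of these policies would have blocked."""
    return sorted(f["id"] for f in evaluate(resources) if not f["compliant"])


if __name__ == "__main__":
    for f in evaluate(SAMPLE_RESOURCES):
        print("PASS" if f["compliant"] else "FAIL", f["id"], "-", f["policy"])
```

The script mirrors the Important note above: a PASS here only means the single property the policy inspects has the expected value, not that the A.10.1.1 control as a whole is satisfied.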

Key Management

ID: ISO 27001:2013 A.10.1.2 Ownership: Shared

| Name (Azure portal) | Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Define a physical key management process | CMA_0115 - Define a physical key management process | Manual, Disabled | 1.1.0 |
| Define cryptographic use | CMA_0120 - Define cryptographic use | Manual, Disabled | 1.1.0 |
| Define organizational requirements for cryptographic key management | CMA_0123 - Define organizational requirements for cryptographic key management | Manual, Disabled | 1.1.0 |
| Determine assertion requirements | CMA_0136 - Determine assertion requirements | Manual, Disabled | 1.1.0 |
| Document security strength requirements in acquisition contracts | CMA_0203 - Document security strength requirements in acquisition contracts | Manual, Disabled | 1.1.0 |
| Establish a password policy | CMA_0256 - Establish a password policy | Manual, Disabled | 1.1.0 |
| Identify actions allowed without authentication | CMA_0295 - Identify actions allowed without authentication | Manual, Disabled | 1.1.0 |
| Identify and authenticate non-organizational users | CMA_C1346 - Identify and authenticate non-organizational users | Manual, Disabled | 1.1.0 |
| Implement parameters for memorized secret verifiers | CMA_0321 - Implement parameters for memorized secret verifiers | Manual, Disabled | 1.1.0 |
| Issue public key certificates | CMA_0347 - Issue public key certificates | Manual, Disabled | 1.1.0 |
| Manage symmetric cryptographic keys | CMA_0367 - Manage symmetric cryptographic keys | Manual, Disabled | 1.1.0 |
| Protect passwords with encryption | CMA_0408 - Protect passwords with encryption | Manual, Disabled | 1.1.0 |
| Restrict access to private keys | CMA_0445 - Restrict access to private keys | Manual, Disabled | 1.1.0 |
| Review and update system and communications protection policies and procedures | CMA_C1616 - Review and update system and communications protection policies and procedures | Manual, Disabled | 1.1.0 |
| Terminate customer controlled account credentials | CMA_C1022 - Terminate customer controlled account credentials | Manual, Disabled | 1.1.0 |

Physical And Environmental Security

Physical security perimeter

ID: ISO 27001:2013 A.11.1.1 Ownership: Shared

| Name (Azure portal) | Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Adopt biometric authentication mechanisms | CMA_0005 - Adopt biometric authentication mechanisms | Manual, Disabled | 1.1.0 |
| Control physical access | CMA_0081 - Control physical access | Manual, Disabled | 1.1.0 |
| Define a physical key management process | CMA_0115 - Define a physical key management process | Manual, Disabled | 1.1.0 |
| Establish and maintain an asset inventory | CMA_0266 - Establish and maintain an asset inventory | Manual, Disabled | 1.1.0 |
| Implement physical security for offices, working areas, and secure areas | CMA_0323 - Implement physical security for offices, working areas, and secure areas | Manual, Disabled | 1.1.0 |
| Install an alarm system | CMA_0338 - Install an alarm system | Manual, Disabled | 1.1.0 |
| Manage a secure surveillance camera system | CMA_0354 - Manage a secure surveillance camera system | Manual, Disabled | 1.1.0 |
| Review and update physical and environmental policies and procedures | CMA_C1446 - Review and update physical and environmental policies and procedures | Manual, Disabled | 1.1.0 |

Physical entry controls

ID: ISO 27001:2013 A.11.1.2 Ownership: Shared

| Name (Azure portal) | Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Adopt biometric authentication mechanisms | CMA_0005 - Adopt biometric authentication mechanisms | Manual, Disabled | 1.1.0 |
| Control physical access | CMA_0081 - Control physical access | Manual, Disabled | 1.1.0 |
| Define a physical key management process | CMA_0115 - Define a physical key management process | Manual, Disabled | 1.1.0 |
| Designate personnel to supervise unauthorized maintenance activities | CMA_C1422 - Designate personnel to supervise unauthorized maintenance activities | Manual, Disabled | 1.1.0 |
| Establish and maintain an asset inventory | CMA_0266 - Establish and maintain an asset inventory | Manual, Disabled | 1.1.0 |
| Implement physical security for offices, working areas, and secure areas | CMA_0323 - Implement physical security for offices, working areas, and secure areas | Manual, Disabled | 1.1.0 |
| Maintain list of authorized remote maintenance personnel | CMA_C1420 - Maintain list of authorized remote maintenance personnel | Manual, Disabled | 1.1.0 |
| Manage maintenance personnel | CMA_C1421 - Manage maintenance personnel | Manual, Disabled | 1.1.0 |
| Manage the input, output, processing, and storage of data | CMA_0369 - Manage the input, output, processing, and storage of data | Manual, Disabled | 1.1.0 |

Securing offices, rooms and facilities

ID: ISO 27001:2013 A.11.1.3 Ownership: Shared

| Name (Azure portal) | Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Adopt biometric authentication mechanisms | CMA_0005 - Adopt biometric authentication mechanisms | Manual, Disabled | 1.1.0 |
| Control physical access | CMA_0081 - Control physical access | Manual, Disabled | 1.1.0 |
| Define a physical key management process | CMA_0115 - Define a physical key management process | Manual, Disabled | 1.1.0 |
| Establish and maintain an asset inventory | CMA_0266 - Establish and maintain an asset inventory | Manual, Disabled | 1.1.0 |
| Implement physical security for offices, working areas, and secure areas | CMA_0323 - Implement physical security for offices, working areas, and secure areas | Manual, Disabled | 1.1.0 |

Protecting against external and environmental threats

ID: ISO 27001:2013 A.11.1.4 Ownership: Shared

| Name (Azure portal) | Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Create separate alternate and primary storage sites | CMA_C1269 - Create separate alternate and primary storage sites | Manual, Disabled | 1.1.0 |
| Ensure alternate storage site safeguards are equivalent to primary site | CMA_C1268 - Ensure alternate storage site safeguards are equivalent to primary site | Manual, Disabled | 1.1.0 |
| Ensure information system fails in known state | CMA_C1662 - Ensure information system fails in known state | Manual, Disabled | 1.1.0 |
| Establish alternate storage site to store and retrieve backup information | CMA_C1267 - Establish alternate storage site to store and retrieve backup information | Manual, Disabled | 1.1.0 |
| Establish an alternate processing site | CMA_0262 - Establish an alternate processing site | Manual, Disabled | 1.1.0 |
| Identify and mitigate potential issues at alternate storage site | CMA_C1271 - Identify and mitigate potential issues at alternate storage site | Manual, Disabled | 1.1.0 |
| Implement physical security for offices, working areas, and secure areas | CMA_0323 - Implement physical security for offices, working areas, and secure areas | Manual, Disabled | 1.1.0 |
| Install an alarm system | CMA_0338 - Install an alarm system | Manual, Disabled | 1.1.0 |
| Plan for continuance of essential business functions | CMA_C1255 - Plan for continuance of essential business functions | Manual, Disabled | 1.1.0 |

Working in secure areas

ID: ISO 27001:2013 A.11.1.5 Ownership: Shared

| Name (Azure portal) | Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Coordinate contingency plans with related plans | CMA_0086 - Coordinate contingency plans with related plans | Manual, Disabled | 1.1.0 |
| Review and update contingency planning policies and procedures | CMA_C1243 - Review and update contingency planning policies and procedures | Manual, Disabled | 1.1.0 |
| Review and update physical and environmental policies and procedures | CMA_C1446 - Review and update physical and environmental policies and procedures | Manual, Disabled | 1.1.0 |

Delivering and loading areas

ID: ISO 27001:2013 A.11.1.6 Ownership: Shared

| Name (Azure portal) | Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Adopt biometric authentication mechanisms | CMA_0005 - Adopt biometric authentication mechanisms | Manual, Disabled | 1.1.0 |
| Define requirements for managing assets | CMA_0125 - Define requirements for managing assets | Manual, Disabled | 1.1.0 |
| Install an alarm system | CMA_0338 - Install an alarm system | Manual, Disabled | 1.1.0 |
| Manage a secure surveillance camera system | CMA_0354 - Manage a secure surveillance camera system | Manual, Disabled | 1.1.0 |
| Manage the transportation of assets | CMA_0370 - Manage the transportation of assets | Manual, Disabled | 1.1.0 |

Equipment siting and protection

ID: ISO 27001:2013 A.11.2.1 Ownership: Shared

| Name (Azure portal) | Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Implement physical security for offices, working areas, and secure areas | CMA_0323 - Implement physical security for offices, working areas, and secure areas | Manual, Disabled | 1.1.0 |

Supporting utilities

ID: ISO 27001:2013 A.11.2.2 Ownership: Shared

| Name (Azure portal) | Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Employ automatic emergency lighting | CMA_0209 - Employ automatic emergency lighting | Manual, Disabled | 1.1.0 |
| Establish requirements for internet service providers | CMA_0278 - Establish requirements for internet service providers | Manual, Disabled | 1.1.0 |
| Implement physical security for offices, working areas, and secure areas | CMA_0323 - Implement physical security for offices, working areas, and secure areas | Manual, Disabled | 1.1.0 |

Cabling security

ID: ISO 27001:2013 A.11.2.3 Ownership: Shared

| Name (Azure portal) | Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Adopt biometric authentication mechanisms | CMA_0005 - Adopt biometric authentication mechanisms | Manual, Disabled | 1.1.0 |
| Control physical access | CMA_0081 - Control physical access | Manual, Disabled | 1.1.0 |
| Implement physical security for offices, working areas, and secure areas | CMA_0323 - Implement physical security for offices, working areas, and secure areas | Manual, Disabled | 1.1.0 |
| Manage the input, output, processing, and storage of data | CMA_0369 - Manage the input, output, processing, and storage of data | Manual, Disabled | 1.1.0 |

Equipment maintenance

ID: ISO 27001:2013 A.11.2.4 Ownership: Shared

| Name (Azure portal) | Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Automate remote maintenance activities | CMA_C1402 - Automate remote maintenance activities | Manual, Disabled | 1.1.0 |
| Control maintenance and repair activities | CMA_0080 - Control maintenance and repair activities | Manual, Disabled | 1.1.0 |
| Document personnel acceptance of privacy requirements | CMA_0193 - Document personnel acceptance of privacy requirements | Manual, Disabled | 1.1.0 |
| Employ a media sanitization mechanism | CMA_0208 - Employ a media sanitization mechanism | Manual, Disabled | 1.1.0 |
| Implement controls to secure all media | CMA_0314 - Implement controls to secure all media | Manual, Disabled | 1.1.0 |
| Manage nonlocal maintenance and diagnostic activities | CMA_0364 - Manage nonlocal maintenance and diagnostic activities | Manual, Disabled | 1.1.0 |
| Produce complete records of remote maintenance activities | CMA_C1403 - Produce complete records of remote maintenance activities | Manual, Disabled | 1.1.0 |
| Provide privacy training | CMA_0415 - Provide privacy training | Manual, Disabled | 1.1.0 |
| Provide timely maintenance support | CMA_C1425 - Provide timely maintenance support | Manual, Disabled | 1.1.0 |

Removal of assets

ID: ISO 27001:2013 A.11.2.5 Ownership: Shared

| Name (Azure portal) | Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Control maintenance and repair activities | CMA_0080 - Control maintenance and repair activities | Manual, Disabled | 1.1.0 |
| Define requirements for managing assets | CMA_0125 - Define requirements for managing assets | Manual, Disabled | 1.1.0 |
| Employ a media sanitization mechanism | CMA_0208 - Employ a media sanitization mechanism | Manual, Disabled | 1.1.0 |
| Implement controls to secure all media | CMA_0314 - Implement controls to secure all media | Manual, Disabled | 1.1.0 |
| Manage nonlocal maintenance and diagnostic activities | CMA_0364 - Manage nonlocal maintenance and diagnostic activities | Manual, Disabled | 1.1.0 |
| Manage the transportation of assets | CMA_0370 - Manage the transportation of assets | Manual, Disabled | 1.1.0 |

Security of equipment and assets off-premises

ID: ISO 27001:2013 A.11.2.6 Ownership: Shared

| Name (Azure portal) | Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Define mobile device requirements | CMA_0122 - Define mobile device requirements | Manual, Disabled | 1.1.0 |
| Ensure security safeguards not needed when the individuals return | CMA_C1183 - Ensure security safeguards not needed when the individuals return | Manual, Disabled | 1.1.0 |
| Establish terms and conditions for accessing resources | CMA_C1076 - Establish terms and conditions for accessing resources | Manual, Disabled | 1.1.0 |
| Establish terms and conditions for processing resources | CMA_C1077 - Establish terms and conditions for processing resources | Manual, Disabled | 1.1.0 |
| Implement controls to secure all media | CMA_0314 - Implement controls to secure all media | Manual, Disabled | 1.1.0 |
| Implement controls to secure alternate work sites | CMA_0315 - Implement controls to secure alternate work sites | Manual, Disabled | 1.1.0 |
| Manage the transportation of assets | CMA_0370 - Manage the transportation of assets | Manual, Disabled | 1.1.0 |
| Not allow for information systems to accompany with individuals | CMA_C1182 - Not allow for information systems to accompany with individuals | Manual, Disabled | 1.1.0 |
| Protect data in transit using encryption | CMA_0403 - Protect data in transit using encryption | Manual, Disabled | 1.1.0 |
| Verify security controls for external information systems | CMA_0541 - Verify security controls for external information systems | Manual, Disabled | 1.1.0 |

Secure disposal or re-use of equipment

ID: ISO 27001:2013 A.11.2.7 Ownership: Shared

| Name (Azure portal) | Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Adhere to retention periods defined | CMA_0004 - Adhere to retention periods defined | Manual, Disabled | 1.1.0 |
| Employ a media sanitization mechanism | CMA_0208 - Employ a media sanitization mechanism | Manual, Disabled | 1.1.0 |
| Implement controls to secure all media | CMA_0314 - Implement controls to secure all media | Manual, Disabled | 1.1.0 |
| Perform disposition review | CMA_0391 - Perform disposition review | Manual, Disabled | 1.1.0 |
| Verify personal data is deleted at the end of processing | CMA_0540 - Verify personal data is deleted at the end of processing | Manual, Disabled | 1.1.0 |

Unattended user equipment

ID: ISO 27001:2013 A.11.2.8 Ownership: Shared

| Name (Azure portal) | Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Provide privacy training | CMA_0415 - Provide privacy training | Manual, Disabled | 1.1.0 |
| Terminate user session automatically | CMA_C1054 - Terminate user session automatically | Manual, Disabled | 1.1.0 |

Clear desk and clear screen policy

ID: ISO 27001:2013 A.11.2.9 Ownership: Shared

| Name (Azure portal) | Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Employ a media sanitization mechanism | CMA_0208 - Employ a media sanitization mechanism | Manual, Disabled | 1.1.0 |
| Implement controls to secure all media | CMA_0314 - Implement controls to secure all media | Manual, Disabled | 1.1.0 |
| Provide privacy training | CMA_0415 - Provide privacy training | Manual, Disabled | 1.1.0 |

Operations Security

Documented operating procedures

ID: ISO 27001:2013 A.12.1.1 Ownership: Shared

| Name (Azure portal) | Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Develop access control policies and procedures | CMA_0144 - Develop access control policies and procedures | Manual, Disabled | 1.1.0 |
| Develop and establish a system security plan | CMA_0151 - Develop and establish a system security plan | Manual, Disabled | 1.1.0 |
| Develop audit and accountability policies and procedures | CMA_0154 - Develop audit and accountability policies and procedures | Manual, Disabled | 1.1.0 |
| Develop information security policies and procedures | CMA_0158 - Develop information security policies and procedures | Manual, Disabled | 1.1.0 |
| Distribute information system documentation | CMA_C1584 - Distribute information system documentation | Manual, Disabled | 1.1.0 |
| Document customer-defined actions | CMA_C1582 - Document customer-defined actions | Manual, Disabled | 1.1.0 |
| Document security and privacy training activities | CMA_0198 - Document security and privacy training activities | Manual, Disabled | 1.1.0 |
| Enforce mandatory and discretionary access control policies | CMA_0246 - Enforce mandatory and discretionary access control policies | Manual, Disabled | 1.1.0 |
| Establish security requirements for the manufacturing of connected devices | CMA_0279 - Establish security requirements for the manufacturing of connected devices | Manual, Disabled | 1.1.0 |
| Govern policies and procedures | CMA_0292 - Govern policies and procedures | Manual, Disabled | 1.1.0 |
| Implement security engineering principles of information systems | CMA_0325 - Implement security engineering principles of information systems | Manual, Disabled | 1.1.0 |
| Obtain Admin documentation | CMA_C1580 - Obtain Admin documentation | Manual, Disabled | 1.1.0 |
| Obtain user security function documentation | CMA_C1581 - Obtain user security function documentation | Manual, Disabled | 1.1.0 |
| Protect administrator and user documentation | CMA_C1583 - Protect administrator and user documentation | Manual, Disabled | 1.1.0 |
| Provide privacy training | CMA_0415 - Provide privacy training | Manual, Disabled | 1.1.0 |
| Review access control policies and procedures | CMA_0457 - Review access control policies and procedures | Manual, Disabled | 1.1.0 |
| Review and update configuration management policies and procedures | CMA_C1175 - Review and update configuration management policies and procedures | Manual, Disabled | 1.1.0 |
| Review and update contingency planning policies and procedures | CMA_C1243 - Review and update contingency planning policies and procedures | Manual, Disabled | 1.1.0 |
| Review and update identification and authentication policies and procedures | CMA_C1299 - Review and update identification and authentication policies and procedures | Manual, Disabled | 1.1.0 |
| Review and update incident response policies and procedures | CMA_C1352 - Review and update incident response policies and procedures | Manual, Disabled | 1.1.0 |
| Review and update information integrity policies and procedures | CMA_C1667 - Review and update information integrity policies and procedures | Manual, Disabled | 1.1.0 |
| Review and update media protection policies and procedures | CMA_C1427 - Review and update media protection policies and procedures | Manual, Disabled | 1.1.0 |
| Review and update personnel security policies and procedures | CMA_C1507 - Review and update personnel security policies and procedures | Manual, Disabled | 1.1.0 |
| Review and update physical and environmental policies and procedures | CMA_C1446 - Review and update physical and environmental policies and procedures | Manual, Disabled | 1.1.0 |
| Review and update planning policies and procedures | CMA_C1491 - Review and update planning policies and procedures | Manual, Disabled | 1.1.0 |
| Review and update risk assessment policies and procedures | CMA_C1537 - Review and update risk assessment policies and procedures | Manual, Disabled | 1.1.0 |
| Review and update system and communications protection policies and procedures | CMA_C1616 - Review and update system and communications protection policies and procedures | Manual, Disabled | 1.1.0 |
| Review and update system and services acquisition policies and procedures | CMA_C1560 - Review and update system and services acquisition policies and procedures | Manual, Disabled | 1.1.0 |
| Review and update system maintenance policies and procedures | CMA_C1395 - Review and update system maintenance policies and procedures | Manual, Disabled | 1.1.0 |
| Review security assessment and authorization policies and procedures | CMA_C1143 - Review security assessment and authorization policies and procedures | Manual, Disabled | 1.1.0 |
| Update information security policies | CMA_0518 - Update information security policies | Manual, Disabled | 1.1.0 |

Change management

ID: ISO 27001:2013 A.12.1.2 Ownership: Shared

| Name (Azure portal) | Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Address coding vulnerabilities | CMA_0003 - Address coding vulnerabilities | Manual, Disabled | 1.1.0 |
| Automate approval request for proposed changes | CMA_C1192 - Automate approval request for proposed changes | Manual, Disabled | 1.1.0 |
| Automate implementation of approved change notifications | CMA_C1196 - Automate implementation of approved change notifications | Manual, Disabled | 1.1.0 |
| Automate process to document implemented changes | CMA_C1195 - Automate process to document implemented changes | Manual, Disabled | 1.1.0 |
| Automate process to highlight unreviewed change proposals | CMA_C1193 - Automate process to highlight unreviewed change proposals | Manual, Disabled | 1.1.0 |
| Automate process to prohibit implementation of unapproved changes | CMA_C1194 - Automate process to prohibit implementation of unapproved changes | Manual, Disabled | 1.1.0 |
| Automate proposed documented changes | CMA_C1191 - Automate proposed documented changes | Manual, Disabled | 1.1.0 |
| Conduct a security impact analysis | CMA_0057 - Conduct a security impact analysis | Manual, Disabled | 1.1.0 |
| Develop and document application security requirements | CMA_0148 - Develop and document application security requirements | Manual, Disabled | 1.1.0 |
| Develop and maintain a vulnerability management standard | CMA_0152 - Develop and maintain a vulnerability management standard | Manual, Disabled | 1.1.0 |
| Document the information system environment in acquisition contracts | CMA_0205 - Document the information system environment in acquisition contracts | Manual, Disabled | 1.1.0 |
| Enforce security configuration settings | CMA_0249 - Enforce security configuration settings | Manual, Disabled | 1.1.0 |
| Establish a risk management strategy | CMA_0258 - Establish a risk management strategy | Manual, Disabled | 1.1.0 |
| Establish a secure software development program | CMA_0259 - Establish a secure software development program | Manual, Disabled | 1.1.0 |
| Establish and document change control processes | CMA_0265 - Establish and document change control processes | Manual, Disabled | 1.1.0 |
| Establish configuration management requirements for developers | CMA_0270 - Establish configuration management requirements for developers | Manual, Disabled | 1.1.0 |
| Implement physical security for offices, working areas, and secure areas | CMA_0323 - Implement physical security for offices, working areas, and secure areas | Manual, Disabled | 1.1.0 |
| Install an alarm system | CMA_0338 - Install an alarm system | Manual, Disabled | 1.1.0 |
| Manage nonlocal maintenance and diagnostic activities | CMA_0364 - Manage nonlocal maintenance and diagnostic activities | Manual, Disabled | 1.1.0 |
| Perform a privacy impact assessment | CMA_0387 - Perform a privacy impact assessment | Manual, Disabled | 1.1.0 |
| Perform a risk assessment | CMA_0388 - Perform a risk assessment | Manual, Disabled | 1.1.0 |
| Perform audit for configuration change control | CMA_0390 - Perform audit for configuration change control | Manual, Disabled | 1.1.0 |
| Perform vulnerability scans | CMA_0393 - Perform vulnerability scans | Manual, Disabled | 1.1.0 |
| Remediate information system flaws | CMA_0427 - Remediate information system flaws | Manual, Disabled | 1.1.0 |
| Require developers to document approved changes and potential impact | CMA_C1597 - Require developers to document approved changes and potential impact | Manual, Disabled | 1.1.0 |
| Require developers to implement only approved changes | CMA_C1596 - Require developers to implement only approved changes | Manual, Disabled | 1.1.0 |
| Require developers to manage change integrity | CMA_C1595 - Require developers to manage change integrity | Manual, Disabled | 1.1.0 |

Capacity management

ID: ISO 27001:2013 A.12.1.3 Ownership: Shared

| Name (Azure portal) | Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Conduct capacity planning | CMA_C1252 - Conduct capacity planning | Manual, Disabled | 1.1.0 |
| Govern and monitor audit processing activities | CMA_0289 - Govern and monitor audit processing activities | Manual, Disabled | 1.1.0 |

Separation of development, testing and operational environments

ID: ISO 27001:2013 A.12.1.4 Ownership: Shared

| Name (Azure portal) | Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Conduct a security impact analysis | CMA_0057 - Conduct a security impact analysis | Manual, Disabled | 1.1.0 |
| Ensure there are no unencrypted static authenticators | CMA_C1340 - Ensure there are no unencrypted static authenticators | Manual, Disabled | 1.1.0 |
| Establish and document change control processes | CMA_0265 - Establish and document change control processes | Manual, Disabled | 1.1.0 |
| Establish configuration management requirements for developers | CMA_0270 - Establish configuration management requirements for developers | Manual, Disabled | 1.1.0 |
| Implement controls to protect PII | CMA_C1839 - Implement controls to protect PII | Manual, Disabled | 1.1.0 |
| Incorporate security and data privacy practices in research processing | CMA_0331 - Incorporate security and data privacy practices in research processing | Manual, Disabled | 1.1.0 |
| Perform a privacy impact assessment | CMA_0387 - Perform a privacy impact assessment | Manual, Disabled | 1.1.0 |
| Perform audit for configuration change control | CMA_0390 - Perform audit for configuration change control | Manual, Disabled | 1.1.0 |
| Perform vulnerability scans | CMA_0393 - Perform vulnerability scans | Manual, Disabled | 1.1.0 |
| Remediate information system flaws | CMA_0427 - Remediate information system flaws | Manual, Disabled | 1.1.0 |

Controls against malware

ID: ISO 27001:2013 A.12.2.1 Ownership: Shared

| Name (Azure portal) | Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Block untrusted and unsigned processes that run from USB | CMA_0050 - Block untrusted and unsigned processes that run from USB | Manual, Disabled | 1.1.0 |
| Control maintenance and repair activities | CMA_0080 - Control maintenance and repair activities | Manual, Disabled | 1.1.0 |
| Manage gateways | CMA_0363 - Manage gateways | Manual, Disabled | 1.1.0 |
| Manage nonlocal maintenance and diagnostic activities | CMA_0364 - Manage nonlocal maintenance and diagnostic activities | Manual, Disabled | 1.1.0 |
| Perform a trend analysis on threats | CMA_0389 - Perform a trend analysis on threats | Manual, Disabled | 1.1.0 |
| Perform vulnerability scans | CMA_0393 - Perform vulnerability scans | Manual, Disabled | 1.1.0 |
| Provide periodic security awareness training | CMA_C1091 - Provide periodic security awareness training | Manual, Disabled | 1.1.0 |
| Provide security training for new users | CMA_0419 - Provide security training for new users | Manual, Disabled | 1.1.0 |
| Provide updated security awareness training | CMA_C1090 - Provide updated security awareness training | Manual, Disabled | 1.1.0 |
| Review malware detections report weekly | CMA_0475 - Review malware detections report weekly | Manual, Disabled | 1.1.0 |
| Review threat protection status weekly | CMA_0479 - Review threat protection status weekly | Manual, Disabled | 1.1.0 |
| Update antivirus definitions | CMA_0517 - Update antivirus definitions | Manual, Disabled | 1.1.0 |

Information backup

ID: ISO 27001:2013 A.12.3.1 Ownership: Shared

| Name (Azure portal) | Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Adhere to retention periods defined | CMA_0004 - Adhere to retention periods defined | Manual, Disabled | 1.1.0 |
| Conduct backup of information system documentation | CMA_C1289 - Conduct backup of information system documentation | Manual, Disabled | 1.1.0 |
| Create separate alternate and primary storage sites | CMA_C1269 - Create separate alternate and primary storage sites | Manual, Disabled | 1.1.0 |
| Ensure information system fails in known state | CMA_C1662 - Ensure information system fails in known state | Manual, Disabled | 1.1.0 |
| Establish an alternate processing site | CMA_0262 - Establish an alternate processing site | Manual, Disabled | 1.1.0 |
| Establish backup policies and procedures | CMA_0268 - Establish backup policies and procedures | Manual, Disabled | 1.1.0 |
| Implement controls to secure all media | CMA_0314 - Implement controls to secure all media | Manual, Disabled | 1.1.0 |
| Implement transaction based recovery | CMA_C1296 - Implement transaction based recovery | Manual, Disabled | 1.1.0 |
| Perform disposition review | CMA_0391 - Perform disposition review | Manual, Disabled | 1.1.0 |
| Plan for continuance of essential business functions | CMA_C1255 - Plan for continuance of essential business functions | Manual, Disabled | 1.1.0 |
| Separately store backup information | CMA_C1293 - Separately store backup information | Manual, Disabled | 1.1.0 |
| Transfer backup information to an alternate storage site | CMA_C1294 - Transfer backup information to an alternate storage site | Manual, Disabled | 1.1.0 |
| Verify personal data is deleted at the end of processing | CMA_0540 - Verify personal data is deleted at the end of processing | Manual, Disabled | 1.1.0 |

Event Logging

ID: ISO 27001:2013 A.12.4.1 Ownership: Shared

| Name (Azure portal) | Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| [Preview]: Log Analytics Extension should be enabled for listed virtual machine images | Reports virtual machines as non-compliant if the virtual machine image is not in the list defined and the extension is not installed. | AuditIfNotExists, Disabled | 2.0.1-preview |
| Adhere to retention periods defined | CMA_0004 - Adhere to retention periods defined | Manual, Disabled | 1.1.0 |
| Alert personnel of information spillage | CMA_0007 - Alert personnel of information spillage | Manual, Disabled | 1.1.0 |
| Audit diagnostic setting for selected resource types | Audit diagnostic setting for selected resource types. Be sure to select only resource types which support diagnostics settings. | AuditIfNotExists | 2.0.1 |
| Audit privileged functions | CMA_0019 - Audit privileged functions | Manual, Disabled | 1.1.0 |
| Audit user account status | CMA_0020 - Audit user account status | Manual, Disabled | 1.1.0 |
| Auditing on SQL server should be enabled | Auditing on your SQL Server should be enabled to track database activities across all databases on the server and save them in an audit log. | AuditIfNotExists, Disabled | 2.0.0 |
| Authorize, monitor, and control voip | CMA_0025 - Authorize, monitor, and control voip | Manual, Disabled | 1.1.0 |
| Automate account management | CMA_0026 - Automate account management | Manual, Disabled | 1.1.0 |
| Check for privacy and security compliance before establishing internal connections | CMA_0053 - Check for privacy and security compliance before establishing internal connections | Manual, Disabled | 1.1.0 |
| Conduct a full text analysis of logged privileged commands | CMA_0056 - Conduct a full text analysis of logged privileged commands | Manual, Disabled | 1.1.0 |
| Configure Azure Audit capabilities | CMA_C1108 - Configure Azure Audit capabilities | Manual, Disabled | 1.1.1 |
| Correlate audit records | CMA_0087 - Correlate audit records | Manual, Disabled | 1.1.0 |
| Dependency agent should be enabled for listed virtual machine images | Reports virtual machines as non-compliant if the virtual machine image is not in the list defined and the agent is not installed. The list of OS images is updated over time as support is updated. | AuditIfNotExists, Disabled | 2.0.0 |
| Dependency agent should be enabled in virtual machine scale sets for listed virtual machine images | Reports virtual machine scale sets as non-compliant if the virtual machine image is not in the list defined and the agent is not installed. The list of OS images is updated over time as support is updated. | AuditIfNotExists, Disabled | 2.0.0 |
| Determine auditable events | CMA_0137 - Determine auditable events | Manual, Disabled | 1.1.0 |
| Develop an incident response plan | CMA_0145 - Develop an incident response plan | Manual, Disabled | 1.1.0 |
| Discover any indicators of compromise | CMA_C1702 - Discover any indicators of compromise | Manual, Disabled | 1.1.0 |
| Document the legal basis for processing personal information | CMA_0206 - Document the legal basis for processing personal information | Manual, Disabled | 1.1.0 |
| Enforce and audit access restrictions | CMA_C1203 - Enforce and audit access restrictions | Manual, Disabled | 1.1.0 |
| Establish requirements for audit review and reporting | CMA_0277 - Establish requirements for audit review and reporting | Manual, Disabled | 1.1.0 |
| Implement methods for consumer requests | CMA_0319 - Implement methods for consumer requests | Manual, Disabled | 1.1.0 |
| Implement system boundary protection | CMA_0328 - Implement system boundary protection | Manual, Disabled | 1.1.0 |
| Integrate audit review, analysis, and reporting | CMA_0339 - Integrate audit review, analysis, and reporting | Manual, Disabled | 1.1.0 |
| Integrate cloud app security with a siem | CMA_0340 - Integrate cloud app security with a siem | Manual, Disabled | 1.1.0 |
| Log Analytics extension should be enabled in virtual machine scale sets for listed virtual machine images | Reports virtual machine scale sets as non-compliant if the virtual machine image is not in the list defined and the extension is not installed. | AuditIfNotExists, Disabled | 2.0.1 |
| Manage gateways | CMA_0363 - Manage gateways | Manual, Disabled | 1.1.0 |
| Manage system and admin accounts | CMA_0368 - Manage system and admin accounts | Manual, Disabled | 1.1.0 |
| Monitor access across the organization | CMA_0376 - Monitor access across the organization | Manual, Disabled | 1.1.0 |
| Monitor account activity | CMA_0377 - Monitor account activity | Manual, Disabled | 1.1.0 |
| Monitor privileged role assignment | CMA_0378 - Monitor privileged role assignment | Manual, Disabled | 1.1.0 |
| Notify when account is not needed | CMA_0383 - Notify when account is not needed | Manual, Disabled | 1.1.0 |
| Obtain legal opinion for monitoring system activities | CMA_C1688 - Obtain legal opinion for monitoring system activities | Manual, Disabled | 1.1.0 |
| Perform a trend analysis on threats | CMA_0389 - Perform a trend analysis on threats | Manual, Disabled | 1.1.0 |
| Provide monitoring information as needed | CMA_C1689 - Provide monitoring information as needed | Manual, Disabled | 1.1.0 |
| Publish access procedures in SORNs | CMA_C1848 - Publish access procedures in SORNs | Manual, Disabled | 1.1.0 |
| Publish rules and regulations accessing Privacy Act records | CMA_C1847 - Publish rules and regulations accessing Privacy Act records | Manual, Disabled | 1.1.0 |
| Restrict access to privileged accounts | CMA_0446 - Restrict access to privileged accounts | Manual, Disabled | 1.1.0 |
| Retain security policies and procedures | CMA_0454 - Retain security policies and procedures | Manual, Disabled | 1.1.0 |
| Retain terminated user data | CMA_0455 - Retain terminated user data | Manual, Disabled | 1.1.0 |
| Review account provisioning logs | CMA_0460 - Review account provisioning logs | Manual, Disabled | 1.1.0 |
| Review administrator assignments weekly | CMA_0461 - Review administrator assignments weekly | Manual, Disabled | 1.1.0 |
| Review and update the events defined in AU-02 | CMA_C1106 - Review and update the events defined in AU-02 | Manual, Disabled | 1.1.0 |
| Review audit data | CMA_0466 - Review audit data | Manual, Disabled | 1.1.0 |
| Review changes for any unauthorized changes | CMA_C1204 - Review changes for any unauthorized changes | Manual, Disabled | 1.1.0 |
| Review cloud identity report overview | CMA_0468 - Review cloud identity report overview | Manual, Disabled | 1.1.0 |
| Review controlled folder access events | CMA_0471 - Review controlled folder access events | Manual, Disabled | 1.1.0 |
| Review file and folder activity | CMA_0473 - Review file and folder activity | Manual, Disabled | 1.1.0 |
| Review role group changes weekly | CMA_0476 - Review role group changes weekly | Manual, Disabled | 1.1.0 |
| Revoke privileged roles as appropriate | CMA_0483 - Revoke privileged roles as appropriate | Manual, Disabled | 1.1.0 |
| Route traffic through managed network access points | CMA_0484 - Route traffic through managed network access points | Manual, Disabled | 1.1.0 |
| Set automated notifications for new and trending cloud applications in your organization | CMA_0495 - Set automated notifications for new and trending cloud applications in your organization | Manual, Disabled | 1.1.0 |
| Use privileged identity management | CMA_0533 - Use privileged identity management | Manual, Disabled | 1.1.0 |

Protection of log information

ID: ISO 27001:2013 A.12.4.2 Ownership: Shared

| Name (Azure portal) | Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Adhere to retention periods defined | CMA_0004 - Adhere to retention periods defined | Manual, Disabled | 1.1.0 |
| Define the duties of processors | CMA_0127 - Define the duties of processors | Manual, Disabled | 1.1.0 |
| Enable dual or joint authorization | CMA_0226 - Enable dual or joint authorization | Manual, Disabled | 1.1.0 |
| Perform disposition review | CMA_0391 - Perform disposition review | Manual, Disabled | 1.1.0 |
| Protect audit information | CMA_0401 - Protect audit information | Manual, Disabled | 1.1.0 |
| Record disclosures of PII to third parties | CMA_0422 - Record disclosures of PII to third parties | Manual, Disabled | 1.1.0 |
| Train staff on PII sharing and its consequences | CMA_C1871 - Train staff on PII sharing and its consequences | Manual, Disabled | 1.1.0 |
| Verify personal data is deleted at the end of processing | CMA_0540 - Verify personal data is deleted at the end of processing | Manual, Disabled | 1.1.0 |

Administrator and operator logs

ID: ISO 27001:2013 A.12.4.3 Ownership: Shared

| Name (Azure portal) | Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| [Preview]: Log Analytics Extension should be enabled for listed virtual machine images | Reports virtual machines as non-compliant if the virtual machine image is not in the list defined and the extension is not installed. | AuditIfNotExists, Disabled | 2.0.1-preview |
| Audit diagnostic setting for selected resource types | Audit diagnostic setting for selected resource types. Be sure to select only resource types which support diagnostics settings. | AuditIfNotExists | 2.0.1 |
| Audit privileged functions | CMA_0019 - Audit privileged functions | Manual, Disabled | 1.1.0 |
| Audit user account status | CMA_0020 - Audit user account status | Manual, Disabled | 1.1.0 |
| Auditing on SQL server should be enabled | Auditing on your SQL Server should be enabled to track database activities across all databases on the server and save them in an audit log. | AuditIfNotExists, Disabled | 2.0.0 |
| Authorize, monitor, and control voip | CMA_0025 - Authorize, monitor, and control voip | Manual, Disabled | 1.1.0 |
| Automate account management | CMA_0026 - Automate account management | Manual, Disabled | 1.1.0 |
| Check for privacy and security compliance before establishing internal connections | CMA_0053 - Check for privacy and security compliance before establishing internal connections | Manual, Disabled | 1.1.0 |
| Conduct a full text analysis of logged privileged commands | CMA_0056 - Conduct a full text analysis of logged privileged commands | Manual, Disabled | 1.1.0 |
| Dependency agent should be enabled for listed virtual machine images | Reports virtual machines as non-compliant if the virtual machine image is not in the list defined and the agent is not installed. The list of OS images is updated over time as support is updated. | AuditIfNotExists, Disabled | 2.0.0 |
| Dependency agent should be enabled in virtual machine scale sets for listed virtual machine images | Reports virtual machine scale sets as non-compliant if the virtual machine image is not in the list defined and the agent is not installed. The list of OS images is updated over time as support is updated. | AuditIfNotExists, Disabled | 2.0.0 |
| Determine auditable events | CMA_0137 - Determine auditable events | Manual, Disabled | 1.1.0 |
| Enable dual or joint authorization | CMA_0226 - Enable dual or joint authorization | Manual, Disabled | 1.1.0 |
| Implement system boundary protection | CMA_0328 - Implement system boundary protection | Manual, Disabled | 1.1.0 |
| Log Analytics extension should be enabled in virtual machine scale sets for listed virtual machine images | Reports virtual machine scale sets as non-compliant if the virtual machine image is not in the list defined and the extension is not installed. | AuditIfNotExists, Disabled | 2.0.1 |
| Manage gateways | CMA_0363 - Manage gateways | Manual, Disabled | 1.1.0 |
| Manage system and admin accounts | CMA_0368 - Manage system and admin accounts | Manual, Disabled | 1.1.0 |
| Monitor access across the organization | CMA_0376 - Monitor access across the organization | Manual, Disabled | 1.1.0 |
| Monitor account activity | CMA_0377 - Monitor account activity | Manual, Disabled | 1.1.0 |
| Monitor privileged role assignment | CMA_0378 - Monitor privileged role assignment | Manual, Disabled | 1.1.0 |
| Notify when account is not needed | CMA_0383 - Notify when account is not needed | Manual, Disabled | 1.1.0 |
| Obtain legal opinion for monitoring system activities | CMA_C1688 - Obtain legal opinion for monitoring system activities | Manual, Disabled | 1.1.0 |
| Protect audit information | CMA_0401 - Protect audit information | Manual, Disabled | 1.1.0 |
| Provide monitoring information as needed | CMA_C1689 - Provide monitoring information as needed | Manual, Disabled | 1.1.0 |
| Restrict access to privileged accounts | CMA_0446 - Restrict access to privileged accounts | Manual, Disabled | 1.1.0 |
| Review audit data | CMA_0466 - Review audit data | Manual, Disabled | 1.1.0 |
| Revoke privileged roles as appropriate | CMA_0483 - Revoke privileged roles as appropriate | Manual, Disabled | 1.1.0 |
| Route traffic through managed network access points | CMA_0484 - Route traffic through managed network access points | Manual, Disabled | 1.1.0 |
| Use privileged identity management | CMA_0533 - Use privileged identity management | Manual, Disabled | 1.1.0 |

Clock Synchronization

ID: ISO 27001:2013 A.12.4.4 Ownership: Shared

| Name (Azure portal) | Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| [Preview]: Log Analytics Extension should be enabled for listed virtual machine images | Reports virtual machines as non-compliant if the virtual machine image is not in the list defined and the extension is not installed. | AuditIfNotExists, Disabled | 2.0.1-preview |
| Audit diagnostic setting for selected resource types | Audit diagnostic setting for selected resource types. Be sure to select only resource types which support diagnostics settings. | AuditIfNotExists | 2.0.1 |
| Auditing on SQL server should be enabled | Auditing on your SQL Server should be enabled to track database activities across all databases on the server and save them in an audit log. | AuditIfNotExists, Disabled | 2.0.0 |
| Compile Audit records into system wide audit | CMA_C1140 - Compile Audit records into system wide audit | Manual, Disabled | 1.1.0 |
| Dependency agent should be enabled for listed virtual machine images | Reports virtual machines as non-compliant if the virtual machine image is not in the list defined and the agent is not installed. The list of OS images is updated over time as support is updated. | AuditIfNotExists, Disabled | 2.0.0 |
| Dependency agent should be enabled in virtual machine scale sets for listed virtual machine images | Reports virtual machine scale sets as non-compliant if the virtual machine image is not in the list defined and the agent is not installed. The list of OS images is updated over time as support is updated. | AuditIfNotExists, Disabled | 2.0.0 |
| Log Analytics extension should be enabled in virtual machine scale sets for listed virtual machine images | Reports virtual machine scale sets as non-compliant if the virtual machine image is not in the list defined and the extension is not installed. | AuditIfNotExists, Disabled | 2.0.1 |
| Use system clocks for audit records | CMA_0535 - Use system clocks for audit records | Manual, Disabled | 1.1.0 |

Installation of software on operational systems

ID: ISO 27001:2013 A.12.5.1 Ownership: Shared

| Name (Azure portal) | Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Adaptive application controls for defining safe applications should be enabled on your machines | Enable application controls to define the list of known-safe applications running on your machines, and alert you when other applications run. This helps harden your machines against malware. To simplify the process of configuring and maintaining your rules, Security Center uses machine learning to analyze the applications running on each machine and suggest the list of known-safe applications. | AuditIfNotExists, Disabled | 3.0.0 |
| Automate approval request for proposed changes | CMA_C1192 - Automate approval request for proposed changes | Manual, Disabled | 1.1.0 |
| Automate implementation of approved change notifications | CMA_C1196 - Automate implementation of approved change notifications | Manual, Disabled | 1.1.0 |
| Automate process to document implemented changes | CMA_C1195 - Automate process to document implemented changes | Manual, Disabled | 1.1.0 |
| Automate process to highlight unreviewed change proposals | CMA_C1193 - Automate process to highlight unreviewed change proposals | Manual, Disabled | 1.1.0 |
| Automate process to prohibit implementation of unapproved changes | CMA_C1194 - Automate process to prohibit implementation of unapproved changes | Manual, Disabled | 1.1.0 |
| Automate proposed documented changes | CMA_C1191 - Automate proposed documented changes | Manual, Disabled | 1.1.0 |
| Conduct a security impact analysis | CMA_0057 - Conduct a security impact analysis | Manual, Disabled | 1.1.0 |
| Develop and maintain a vulnerability management standard | CMA_0152 - Develop and maintain a vulnerability management standard | Manual, Disabled | 1.1.0 |
| Enforce security configuration settings | CMA_0249 - Enforce security configuration settings | Manual, Disabled | 1.1.0 |
| Establish a risk management strategy | CMA_0258 - Establish a risk management strategy | Manual, Disabled | 1.1.0 |
| Establish and document change control processes | CMA_0265 - Establish and document change control processes | Manual, Disabled | 1.1.0 |
| Establish configuration management requirements for developers | CMA_0270 - Establish configuration management requirements for developers | Manual, Disabled | 1.1.0 |
| Govern compliance of cloud service providers | CMA_0290 - Govern compliance of cloud service providers | Manual, Disabled | 1.1.0 |
| Perform a privacy impact assessment | CMA_0387 - Perform a privacy impact assessment | Manual, Disabled | 1.1.0 |
| Perform a risk assessment | CMA_0388 - Perform a risk assessment | Manual, Disabled | 1.1.0 |
| Perform audit for configuration change control | CMA_0390 - Perform audit for configuration change control | Manual, Disabled | 1.1.0 |
| Remediate information system flaws | CMA_0427 - Remediate information system flaws | Manual, Disabled | 1.1.0 |
| View and configure system diagnostic data | CMA_0544 - View and configure system diagnostic data | Manual, Disabled | 1.1.0 |

Management of technical vulnerabilities

ID: ISO 27001:2013 A.12.6.1 Ownership: Shared

| Name (Azure portal) | Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| A vulnerability assessment solution should be enabled on your virtual machines | Audits virtual machines to detect whether they are running a supported vulnerability assessment solution. A core component of every cyber risk and security program is the identification and analysis of vulnerabilities. Azure Security Center's standard pricing tier includes vulnerability scanning for your virtual machines at no extra cost. Additionally, Security Center can automatically deploy this tool for you. | AuditIfNotExists, Disabled | 3.0.0 |
| Conduct Risk Assessment | CMA_C1543 - Conduct Risk Assessment | Manual, Disabled | 1.1.0 |
| Conduct risk assessment and distribute its results | CMA_C1544 - Conduct risk assessment and distribute its results | Manual, Disabled | 1.1.0 |
| Conduct risk assessment and document its results | CMA_C1542 - Conduct risk assessment and document its results | Manual, Disabled | 1.1.0 |
| Incorporate flaw remediation into configuration management | CMA_C1671 - Incorporate flaw remediation into configuration management | Manual, Disabled | 1.1.0 |
| Monitor missing Endpoint Protection in Azure Security Center | Servers without an installed Endpoint Protection agent will be monitored by Azure Security Center as recommendations | AuditIfNotExists, Disabled | 3.0.0 |
| Perform a risk assessment | CMA_0388 - Perform a risk assessment | Manual, Disabled | 1.1.0 |
| Perform vulnerability scans | CMA_0393 - Perform vulnerability scans | Manual, Disabled | 1.1.0 |
| Remediate information system flaws | CMA_0427 - Remediate information system flaws | Manual, Disabled | 1.1.0 |
| Select additional testing for security control assessments | CMA_C1149 - Select additional testing for security control assessments | Manual, Disabled | 1.1.0 |
| SQL databases should have vulnerability findings resolved | Monitor vulnerability assessment scan results and recommendations for how to remediate database vulnerabilities. | AuditIfNotExists, Disabled | 4.0.0 |
| System updates should be installed on your machines | Missing security system updates on your servers will be monitored by Azure Security Center as recommendations | AuditIfNotExists, Disabled | 4.0.0 |
| Vulnerabilities in security configuration on your machines should be remediated | Servers which do not satisfy the configured baseline will be monitored by Azure Security Center as recommendations | AuditIfNotExists, Disabled | 3.0.0 |

Restrictions on software installation

ID: ISO 27001:2013 A.12.6.2 Ownership: Shared

| Name (Azure portal) | Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Adaptive application controls for defining safe applications should be enabled on your machines | Enable application controls to define the list of known-safe applications running on your machines, and alert you when other applications run. This helps harden your machines against malware. To simplify the process of configuring and maintaining your rules, Security Center uses machine learning to analyze the applications running on each machine and suggest the list of known-safe applications. | AuditIfNotExists, Disabled | 3.0.0 |
| Automate approval request for proposed changes | CMA_C1192 - Automate approval request for proposed changes | Manual, Disabled | 1.1.0 |
| Automate implementation of approved change notifications | CMA_C1196 - Automate implementation of approved change notifications | Manual, Disabled | 1.1.0 |
| Automate process to document implemented changes | CMA_C1195 - Automate process to document implemented changes | Manual, Disabled | 1.1.0 |
| Automate process to highlight unreviewed change proposals | CMA_C1193 - Automate process to highlight unreviewed change proposals | Manual, Disabled | 1.1.0 |
| Automate process to prohibit implementation of unapproved changes | CMA_C1194 - Automate process to prohibit implementation of unapproved changes | Manual, Disabled | 1.1.0 |
| Automate proposed documented changes | CMA_C1191 - Automate proposed documented changes | Manual, Disabled | 1.1.0 |
| Conduct a security impact analysis | CMA_0057 - Conduct a security impact analysis | Manual, Disabled | 1.1.0 |
| Develop and maintain a vulnerability management standard | CMA_0152 - Develop and maintain a vulnerability management standard | Manual, Disabled | 1.1.0 |
| Enforce security configuration settings | CMA_0249 - Enforce security configuration settings | Manual, Disabled | 1.1.0 |
| Establish a risk management strategy | CMA_0258 - Establish a risk management strategy | Manual, Disabled | 1.1.0 |
| Establish and document change control processes | CMA_0265 - Establish and document change control processes | Manual, Disabled | 1.1.0 |
| Establish configuration management requirements for developers | CMA_0270 - Establish configuration management requirements for developers | Manual, Disabled | 1.1.0 |
| Govern compliance of cloud service providers | CMA_0290 - Govern compliance of cloud service providers | Manual, Disabled | 1.1.0 |
| Perform a privacy impact assessment | CMA_0387 - Perform a privacy impact assessment | Manual, Disabled | 1.1.0 |
| Perform a risk assessment | CMA_0388 - Perform a risk assessment | Manual, Disabled | 1.1.0 |
| Perform audit for configuration change control | CMA_0390 - Perform audit for configuration change control | Manual, Disabled | 1.1.0 |
| Remediate information system flaws | CMA_0427 - Remediate information system flaws | Manual, Disabled | 1.1.0 |
| View and configure system diagnostic data | CMA_0544 - View and configure system diagnostic data | Manual, Disabled | 1.1.0 |

Information systems audit controls

ID: ISO 27001:2013 A.12.7.1 Ownership: Shared

| Name (Azure portal) | Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Employ independent team for penetration testing | CMA_C1171 - Employ independent team for penetration testing | Manual, Disabled | 1.1.0 |

Communications Security

Network controls

ID: ISO 27001:2013 A.13.1.1 Ownership: Shared

| Name (Azure portal) | Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Adopt biometric authentication mechanisms | CMA_0005 - Adopt biometric authentication mechanisms | Manual, Disabled | 1.1.0 |
| All network ports should be restricted on network security groups associated to your virtual machine | Azure Security Center has identified some of your network security groups' inbound rules to be too permissive. Inbound rules should not allow access from 'Any' or 'Internet' ranges. This can potentially enable attackers to target your resources. | AuditIfNotExists, Disabled | 3.0.0 |
| Authorize access to security functions and information | CMA_0022 - Authorize access to security functions and information | Manual, Disabled | 1.1.0 |
| Authorize and manage access | CMA_0023 - Authorize and manage access | Manual, Disabled | 1.1.0 |
| Authorize remote access | CMA_0024 - Authorize remote access | Manual, Disabled | 1.1.0 |
| Configure workstations to check for digital certificates | CMA_0073 - Configure workstations to check for digital certificates | Manual, Disabled | 1.1.0 |
| Control information flow | CMA_0079 - Control information flow | Manual, Disabled | 1.1.0 |
| Document and implement wireless access guidelines | CMA_0190 - Document and implement wireless access guidelines | Manual, Disabled | 1.1.0 |
| Document mobility training | CMA_0191 - Document mobility training | Manual, Disabled | 1.1.0 |
| Document remote access guidelines | CMA_0196 - Document remote access guidelines | Manual, Disabled | 1.1.0 |
| Employ boundary protection to isolate information systems | CMA_C1639 - Employ boundary protection to isolate information systems | Manual, Disabled | 1.1.0 |
| Enforce logical access | CMA_0245 - Enforce logical access | Manual, Disabled | 1.1.0 |
| Enforce mandatory and discretionary access control policies | CMA_0246 - Enforce mandatory and discretionary access control policies | Manual, Disabled | 1.1.0 |
| Establish firewall and router configuration standards | CMA_0272 - Establish firewall and router configuration standards | Manual, Disabled | 1.1.0 |
| Establish network segmentation for card holder data environment | CMA_0273 - Establish network segmentation for card holder data environment | Manual, Disabled | 1.1.0 |
| Establish terms and conditions for accessing resources | CMA_C1076 - Establish terms and conditions for accessing resources | Manual, Disabled | 1.1.0 |
| Establish terms and conditions for processing resources | CMA_C1077 - Establish terms and conditions for processing resources | Manual, Disabled | 1.1.0 |
| Identify and authenticate network devices | CMA_0296 - Identify and authenticate network devices | Manual, Disabled | 1.1.0 |
| Identify and manage downstream information exchanges | CMA_0298 - Identify and manage downstream information exchanges | Manual, Disabled | 1.1.0 |
| Implement a fault tolerant name/address service | CMA_0305 - Implement a fault tolerant name/address service | Manual, Disabled | 1.1.0 |
| Implement controls to secure alternate work sites | CMA_0315 - Implement controls to secure alternate work sites | Manual, Disabled | 1.1.0 |
| Implement managed interface for each external service | CMA_C1626 - Implement managed interface for each external service | Manual, Disabled | 1.1.0 |
| Implement system boundary protection | CMA_0328 - Implement system boundary protection | Manual, Disabled | 1.1.0 |
| Monitor access across the organization | CMA_0376 - Monitor access across the organization | Manual, Disabled | 1.1.0 |
| Notify users of system logon or access | CMA_0382 - Notify users of system logon or access | Manual, Disabled | 1.1.0 |
| Prevent split tunneling for remote devices | CMA_C1632 - Prevent split tunneling for remote devices | Manual, Disabled | 1.1.0 |
| Produce, control and distribute asymmetric cryptographic keys | CMA_C1646 - Produce, control and distribute asymmetric cryptographic keys | Manual, Disabled | 1.1.0 |
| Protect data in transit using encryption | CMA_0403 - Protect data in transit using encryption | Manual, Disabled | 1.1.0 |
| Protect passwords with encryption | CMA_0408 - Protect passwords with encryption | Manual, Disabled | 1.1.0 |
| Protect wireless access | CMA_0411 - Protect wireless access | Manual, Disabled | 1.1.0 |
| Provide privacy training | CMA_0415 - Provide privacy training | Manual, Disabled | 1.1.0 |
| Provide secure name and address resolution services | CMA_0416 - Provide secure name and address resolution services | Manual, Disabled | 1.1.0 |
| Reauthenticate or terminate a user session | CMA_0421 - Reauthenticate or terminate a user session | Manual, Disabled | 1.1.0 |
| Require approval for account creation | CMA_0431 - Require approval for account creation | Manual, Disabled | 1.1.0 |
| Review user groups and applications with access to sensitive data | CMA_0481 - Review user groups and applications with access to sensitive data | Manual, Disabled | 1.1.0 |
| Secure the interface to external systems | CMA_0491 - Secure the interface to external systems | Manual, Disabled | 1.1.0 |
| Separate user and information system management functionality | CMA_0493 - Separate user and information system management functionality | Manual, Disabled | 1.1.0 |
| Storage accounts should restrict network access | Network access to storage accounts should be restricted. Configure network rules so only applications from allowed networks can access the storage account. To allow connections from specific internet or on-premises clients, access can be granted to traffic from specific Azure virtual networks or to public internet IP address ranges. | Audit, Deny, Disabled | 1.1.1 |
| Use dedicated machines for administrative tasks | CMA_0527 - Use dedicated machines for administrative tasks | Manual, Disabled | 1.1.0 |
| Verify security controls for external information systems | CMA_0541 - Verify security controls for external information systems | Manual, Disabled | 1.1.0 |

Security of network services

ID: ISO 27001:2013 A.13.1.2 Ownership: Shared

| Name (Azure portal) | Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Adopt biometric authentication mechanisms | CMA_0005 - Adopt biometric authentication mechanisms | Manual, Disabled | 1.1.0 |
| Control information flow | CMA_0079 - Control information flow | Manual, Disabled | 1.1.0 |
| Define and document government oversight | CMA_C1587 - Define and document government oversight | Manual, Disabled | 1.1.0 |
| Establish electronic signature and certificate requirements | CMA_0271 - Establish electronic signature and certificate requirements | Manual, Disabled | 1.1.0 |
| Establish firewall and router configuration standards | CMA_0272 - Establish firewall and router configuration standards | Manual, Disabled | 1.1.0 |
| Establish network segmentation for card holder data environment | CMA_0273 - Establish network segmentation for card holder data environment | Manual, Disabled | 1.1.0 |
| Identify and manage downstream information exchanges | CMA_0298 - Identify and manage downstream information exchanges | Manual, Disabled | 1.1.0 |
| Implement system boundary protection | CMA_0328 - Implement system boundary protection | Manual, Disabled | 1.1.0 |
| Prevent split tunneling for remote devices | CMA_C1632 - Prevent split tunneling for remote devices | Manual, Disabled | 1.1.0 |
| Require external service providers to comply with security requirements | CMA_C1586 - Require external service providers to comply with security requirements | Manual, Disabled | 1.1.0 |
| Require interconnection security agreements | CMA_C1151 - Require interconnection security agreements | Manual, Disabled | 1.1.0 |
| Review cloud service provider's compliance with policies and agreements | CMA_0469 - Review cloud service provider's compliance with policies and agreements | Manual, Disabled | 1.1.0 |
| Route traffic through managed network access points | CMA_0484 - Route traffic through managed network access points | Manual, Disabled | 1.1.0 |
| Secure the interface to external systems | CMA_0491 - Secure the interface to external systems | Manual, Disabled | 1.1.0 |
| Undergo independent security review | CMA_0515 - Undergo independent security review | Manual, Disabled | 1.1.0 |
| Update interconnection security agreements | CMA_0519 - Update interconnection security agreements | Manual, Disabled | 1.1.0 |

Segregation of networks

ID: ISO 27001:2013 A.13.1.3 Ownership: Shared

| Name (Azure portal) | Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Authorize remote access | CMA_0024 - Authorize remote access | Manual, Disabled | 1.1.0 |
| Configure workstations to check for digital certificates | CMA_0073 - Configure workstations to check for digital certificates | Manual, Disabled | 1.1.0 |
| Control information flow | CMA_0079 - Control information flow | Manual, Disabled | 1.1.0 |
| Employ boundary protection to isolate information systems | CMA_C1639 - Employ boundary protection to isolate information systems | Manual, Disabled | 1.1.0 |
| Employ flow control mechanisms of encrypted information | CMA_0211 - Employ flow control mechanisms of encrypted information | Manual, Disabled | 1.1.0 |
| Establish firewall and router configuration standards | CMA_0272 - Establish firewall and router configuration standards | Manual, Disabled | 1.1.0 |
| Establish network segmentation for card holder data environment | CMA_0273 - Establish network segmentation for card holder data environment | Manual, Disabled | 1.1.0 |
| Identify and manage downstream information exchanges | CMA_0298 - Identify and manage downstream information exchanges | Manual, Disabled | 1.1.0 |
| Implement a fault tolerant name/address service | CMA_0305 - Implement a fault tolerant name/address service | Manual, Disabled | 1.1.0 |
| Implement managed interface for each external service | CMA_C1626 - Implement managed interface for each external service | Manual, Disabled | 1.1.0 |
| Implement system boundary protection | CMA_0328 - Implement system boundary protection | Manual, Disabled | 1.1.0 |
| Information flow control using security policy filters | CMA_C1029 - Information flow control using security policy filters | Manual, Disabled | 1.1.0 |
| Prevent split tunneling for remote devices | CMA_C1632 - Prevent split tunneling for remote devices | Manual, Disabled | 1.1.0 |
| Provide secure name and address resolution services | CMA_0416 - Provide secure name and address resolution services | Manual, Disabled | 1.1.0 |
| Secure the interface to external systems | CMA_0491 - Secure the interface to external systems | Manual, Disabled | 1.1.0 |
| Separate user and information system management functionality | CMA_0493 - Separate user and information system management functionality | Manual, Disabled | 1.1.0 |
| Use dedicated machines for administrative tasks | CMA_0527 - Use dedicated machines for administrative tasks | Manual, Disabled | 1.1.0 |

Information transfer policies and procedures

ID: ISO 27001:2013 A.13.2.1 Ownership: Shared

| Name (Azure portal) | Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Authorize remote access | CMA_0024 - Authorize remote access | Manual, Disabled | 1.1.0 |
| Configure workstations to check for digital certificates | CMA_0073 - Configure workstations to check for digital certificates | Manual, Disabled | 1.1.0 |
| Control information flow | CMA_0079 - Control information flow | Manual, Disabled | 1.1.0 |
| Define mobile device requirements | CMA_0122 - Define mobile device requirements | Manual, Disabled | 1.1.0 |
| Document and implement wireless access guidelines | CMA_0190 - Document and implement wireless access guidelines | Manual, Disabled | 1.1.0 |
| Document mobility training | CMA_0191 - Document mobility training | Manual, Disabled | 1.1.0 |
| Document remote access guidelines | CMA_0196 - Document remote access guidelines | Manual, Disabled | 1.1.0 |
| Employ flow control mechanisms of encrypted information | CMA_0211 - Employ flow control mechanisms of encrypted information | Manual, Disabled | 1.1.0 |
| Establish firewall and router configuration standards | CMA_0272 - Establish firewall and router configuration standards | Manual, Disabled | 1.1.0 |
| Establish network segmentation for card holder data environment | CMA_0273 - Establish network segmentation for card holder data environment | Manual, Disabled | 1.1.0 |
| Establish terms and conditions for accessing resources | CMA_C1076 - Establish terms and conditions for accessing resources | Manual, Disabled | 1.1.0 |
| Establish terms and conditions for processing resources | CMA_C1077 - Establish terms and conditions for processing resources | Manual, Disabled | 1.1.0 |
| Explicitly notify use of collaborative computing devices | CMA_C1649 - Explicitly notify use of collaborative computing devices | Manual, Disabled | 1.1.1 |
| Identify and manage downstream information exchanges | CMA_0298 - Identify and manage downstream information exchanges | Manual, Disabled | 1.1.0 |
| Implement a fault tolerant name/address service | CMA_0305 - Implement a fault tolerant name/address service | Manual, Disabled | 1.1.0 |
| Implement controls to secure alternate work sites | CMA_0315 - Implement controls to secure alternate work sites | Manual, Disabled | 1.1.0 |
| Implement managed interface for each external service | CMA_C1626 - Implement managed interface for each external service | Manual, Disabled | 1.1.0 |
| Implement system boundary protection | CMA_0328 - Implement system boundary protection | Manual, Disabled | 1.1.0 |
| Information flow control using security policy filters | CMA_C1029 - Information flow control using security policy filters | Manual, Disabled | 1.1.0 |
| Only secure connections to your Azure Cache for Redis should be enabled | Audit enabling of only connections via SSL to Azure Cache for Redis. Use of secure connections ensures authentication between the server and the service and protects data in transit from network layer attacks such as man-in-the-middle, eavesdropping, and session-hijacking | Audit, Deny, Disabled | 1.0.0 |
| Produce, control and distribute asymmetric cryptographic keys | CMA_C1646 - Produce, control and distribute asymmetric cryptographic keys | Manual, Disabled | 1.1.0 |
| Prohibit remote activation of collaborative computing devices | CMA_C1648 - Prohibit remote activation of collaborative computing devices | Manual, Disabled | 1.1.0 |
| Protect data in transit using encryption | CMA_0403 - Protect data in transit using encryption | Manual, Disabled | 1.1.0 |
| Protect passwords with encryption | CMA_0408 - Protect passwords with encryption | Manual, Disabled | 1.1.0 |
| Protect wireless access | CMA_0411 - Protect wireless access | Manual, Disabled | 1.1.0 |
| Provide privacy training | CMA_0415 - Provide privacy training | Manual, Disabled | 1.1.0 |
| Provide secure name and address resolution services | CMA_0416 - Provide secure name and address resolution services | Manual, Disabled | 1.1.0 |
| Require interconnection security agreements | CMA_C1151 - Require interconnection security agreements | Manual, Disabled | 1.1.0 |
| Secure the interface to external systems | CMA_0491 - Secure the interface to external systems | Manual, Disabled | 1.1.0 |
| Secure transfer to storage accounts should be enabled | Audit requirement of Secure transfer in your storage account. Secure transfer is an option that forces your storage account to accept requests only from secure connections (HTTPS). Use of HTTPS ensures authentication between the server and the service and protects data in transit from network layer attacks such as man-in-the-middle, eavesdropping, and session-hijacking | Audit, Deny, Disabled | 2.0.0 |
| Update interconnection security agreements | CMA_0519 - Update interconnection security agreements | Manual, Disabled | 1.1.0 |
| Verify security controls for external information systems | CMA_0541 - Verify security controls for external information systems | Manual, Disabled | 1.1.0 |

Agreements on information transfer

ID: ISO 27001:2013 A.13.2.2 Ownership: Shared

| Name (Azure portal) | Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Define and document government oversight | CMA_C1587 - Define and document government oversight | Manual, Disabled | 1.1.0 |
| Document personnel acceptance of privacy requirements | CMA_0193 - Document personnel acceptance of privacy requirements | Manual, Disabled | 1.1.0 |
| Identify external service providers | CMA_C1591 - Identify external service providers | Manual, Disabled | 1.1.0 |
| Implement privacy notice delivery methods | CMA_0324 - Implement privacy notice delivery methods | Manual, Disabled | 1.1.0 |
| Obtain consent prior to collection or processing of personal data | CMA_0385 - Obtain consent prior to collection or processing of personal data | Manual, Disabled | 1.1.0 |
| Provide privacy notice | CMA_0414 - Provide privacy notice | Manual, Disabled | 1.1.0 |
| Require external service providers to comply with security requirements | CMA_C1586 - Require external service providers to comply with security requirements | Manual, Disabled | 1.1.0 |
| Require interconnection security agreements | CMA_C1151 - Require interconnection security agreements | Manual, Disabled | 1.1.0 |
| Review cloud service provider's compliance with policies and agreements | CMA_0469 - Review cloud service provider's compliance with policies and agreements | Manual, Disabled | 1.1.0 |
| Undergo independent security review | CMA_0515 - Undergo independent security review | Manual, Disabled | 1.1.0 |
| Update interconnection security agreements | CMA_0519 - Update interconnection security agreements | Manual, Disabled | 1.1.0 |

Electronic messaging

ID: ISO 27001:2013 A.13.2.3 Ownership: Shared

| Name (Azure portal) | Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Configure workstations to check for digital certificates | CMA_0073 - Configure workstations to check for digital certificates | Manual, Disabled | 1.1.0 |
| Control information flow | CMA_0079 - Control information flow | Manual, Disabled | 1.1.0 |
| Establish firewall and router configuration standards | CMA_0272 - Establish firewall and router configuration standards | Manual, Disabled | 1.1.0 |
| Establish network segmentation for card holder data environment | CMA_0273 - Establish network segmentation for card holder data environment | Manual, Disabled | 1.1.0 |
| Identify and manage downstream information exchanges | CMA_0298 - Identify and manage downstream information exchanges | Manual, Disabled | 1.1.0 |
| Implement a fault tolerant name/address service | CMA_0305 - Implement a fault tolerant name/address service | Manual, Disabled | 1.1.0 |
| Produce, control and distribute asymmetric cryptographic keys | CMA_C1646 - Produce, control and distribute asymmetric cryptographic keys | Manual, Disabled | 1.1.0 |
| Protect data in transit using encryption | CMA_0403 - Protect data in transit using encryption | Manual, Disabled | 1.1.0 |
| Protect passwords with encryption | CMA_0408 - Protect passwords with encryption | Manual, Disabled | 1.1.0 |
| Provide secure name and address resolution services | CMA_0416 - Provide secure name and address resolution services | Manual, Disabled | 1.1.0 |

Confidentiality or non-disclosure agreements

ID: ISO 27001:2013 A.13.2.4 Ownership: Shared

| Name (Azure portal) | Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Develop acceptable use policies and procedures | CMA_0143 - Develop acceptable use policies and procedures | Manual, Disabled | 1.1.0 |
| Develop organization code of conduct policy | CMA_0159 - Develop organization code of conduct policy | Manual, Disabled | 1.1.0 |
| Develop security safeguards | CMA_0161 - Develop security safeguards | Manual, Disabled | 1.1.0 |
| Document organizational access agreements | CMA_0192 - Document organizational access agreements | Manual, Disabled | 1.1.0 |
| Document personnel acceptance of privacy requirements | CMA_0193 - Document personnel acceptance of privacy requirements | Manual, Disabled | 1.1.0 |
| Enforce rules of behavior and access agreements | CMA_0248 - Enforce rules of behavior and access agreements | Manual, Disabled | 1.1.0 |
| Ensure access agreements are signed or resigned timely | CMA_C1528 - Ensure access agreements are signed or resigned timely | Manual, Disabled | 1.1.0 |
| Prohibit unfair practices | CMA_0396 - Prohibit unfair practices | Manual, Disabled | 1.1.0 |
| Require users to sign access agreement | CMA_0440 - Require users to sign access agreement | Manual, Disabled | 1.1.0 |
| Review and sign revised rules of behavior | CMA_0465 - Review and sign revised rules of behavior | Manual, Disabled | 1.1.0 |
| Update information security policies | CMA_0518 - Update information security policies | Manual, Disabled | 1.1.0 |
| Update organizational access agreements | CMA_0520 - Update organizational access agreements | Manual, Disabled | 1.1.0 |
| Update rules of behavior and access agreements | CMA_0521 - Update rules of behavior and access agreements | Manual, Disabled | 1.1.0 |
| Update rules of behavior and access agreements every 3 years | CMA_0522 - Update rules of behavior and access agreements every 3 years | Manual, Disabled | 1.1.0 |

System Acquisition, Development And Maintenance

Information security requirements analysis and specification

ID: ISO 27001:2013 A.14.1.1 Ownership: Shared

| Name (Azure portal) | Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Define information security roles and responsibilities | CMA_C1565 - Define information security roles and responsibilities | Manual, Disabled | 1.1.0 |
| Determine supplier contract obligations | CMA_0140 - Determine supplier contract obligations | Manual, Disabled | 1.1.0 |
| Develop a concept of operations (CONOPS) | CMA_0141 - Develop a concept of operations (CONOPS) | Manual, Disabled | 1.1.0 |
| Develop and establish a system security plan | CMA_0151 - Develop and establish a system security plan | Manual, Disabled | 1.1.0 |
| Develop information security policies and procedures | CMA_0158 - Develop information security policies and procedures | Manual, Disabled | 1.1.0 |
| Develop SSP that meets criteria | CMA_C1492 - Develop SSP that meets criteria | Manual, Disabled | 1.1.0 |
| Document acquisition contract acceptance criteria | CMA_0187 - Document acquisition contract acceptance criteria | Manual, Disabled | 1.1.0 |
| Document protection of personal data in acquisition contracts | CMA_0194 - Document protection of personal data in acquisition contracts | Manual, Disabled | 1.1.0 |
| Document protection of security information in acquisition contracts | CMA_0195 - Document protection of security information in acquisition contracts | Manual, Disabled | 1.1.0 |
| Document requirements for the use of shared data in contracts | CMA_0197 - Document requirements for the use of shared data in contracts | Manual, Disabled | 1.1.0 |
| Document security assurance requirements in acquisition contracts | CMA_0199 - Document security assurance requirements in acquisition contracts | Manual, Disabled | 1.1.0 |
| Document security documentation requirements in acquisition contract | CMA_0200 - Document security documentation requirements in acquisition contract | Manual, Disabled | 1.1.0 |
| Document security functional requirements in acquisition contracts | CMA_0201 - Document security functional requirements in acquisition contracts | Manual, Disabled | 1.1.0 |
| Document security strength requirements in acquisition contracts | CMA_0203 - Document security strength requirements in acquisition contracts | Manual, Disabled | 1.1.0 |
| Document the information system environment in acquisition contracts | CMA_0205 - Document the information system environment in acquisition contracts | Manual, Disabled | 1.1.0 |
| Document the protection of cardholder data in third party contracts | CMA_0207 - Document the protection of cardholder data in third party contracts | Manual, Disabled | 1.1.0 |
| Establish a privacy program | CMA_0257 - Establish a privacy program | Manual, Disabled | 1.1.0 |
| Establish security requirements for the manufacturing of connected devices | CMA_0279 - Establish security requirements for the manufacturing of connected devices | Manual, Disabled | 1.1.0 |
| Identify external service providers | CMA_C1591 - Identify external service providers | Manual, Disabled | 1.1.0 |
| Identify individuals with security roles and responsibilities | CMA_C1566 - Identify individuals with security roles and responsibilities | Manual, Disabled | 1.1.1 |
| Implement security engineering principles of information systems | CMA_0325 - Implement security engineering principles of information systems | Manual, Disabled | 1.1.0 |
| Integrate risk management process into SDLC | CMA_C1567 - Integrate risk management process into SDLC | Manual, Disabled | 1.1.0 |
| Review and update the information security architecture | CMA_C1504 - Review and update the information security architecture | Manual, Disabled | 1.1.0 |
| Review development process, standards and tools | CMA_C1610 - Review development process, standards and tools | Manual, Disabled | 1.1.0 |

Securing application services on public networks

ID: ISO 27001:2013 A.14.1.2 Ownership: Shared

| Name (Azure portal) | Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Adopt biometric authentication mechanisms | CMA_0005 - Adopt biometric authentication mechanisms | Manual, Disabled | 1.1.0 |
| Authorize access to security functions and information | CMA_0022 - Authorize access to security functions and information | Manual, Disabled | 1.1.0 |
| Authorize and manage access | CMA_0023 - Authorize and manage access | Manual, Disabled | 1.1.0 |
| Authorize remote access | CMA_0024 - Authorize remote access | Manual, Disabled | 1.1.0 |
| Configure workstations to check for digital certificates | CMA_0073 - Configure workstations to check for digital certificates | Manual, Disabled | 1.1.0 |
| Control information flow | CMA_0079 - Control information flow | Manual, Disabled | 1.1.0 |
| Define cryptographic use | CMA_0120 - Define cryptographic use | Manual, Disabled | 1.1.0 |
| Document mobility training | CMA_0191 - Document mobility training | Manual, Disabled | 1.1.0 |
| Document remote access guidelines | CMA_0196 - Document remote access guidelines | Manual, Disabled | 1.1.0 |
| Employ flow control mechanisms of encrypted information | CMA_0211 - Employ flow control mechanisms of encrypted information | Manual, Disabled | 1.1.0 |
| Enforce logical access | CMA_0245 - Enforce logical access | Manual, Disabled | 1.1.0 |
| Enforce mandatory and discretionary access control policies | CMA_0246 - Enforce mandatory and discretionary access control policies | Manual, Disabled | 1.1.0 |
| Enforce user uniqueness | CMA_0250 - Enforce user uniqueness | Manual, Disabled | 1.1.0 |
| Establish firewall and router configuration standards | CMA_0272 - Establish firewall and router configuration standards | Manual, Disabled | 1.1.0 |
| Establish network segmentation for card holder data environment | CMA_0273 - Establish network segmentation for card holder data environment | Manual, Disabled | 1.1.0 |
| Identify and authenticate network devices | CMA_0296 - Identify and authenticate network devices | Manual, Disabled | 1.1.0 |
| Identify and authenticate non-organizational users | CMA_C1346 - Identify and authenticate non-organizational users | Manual, Disabled | 1.1.0 |
| Identify and manage downstream information exchanges | CMA_0298 - Identify and manage downstream information exchanges | Manual, Disabled | 1.1.0 |
| Implement a fault tolerant name/address service | CMA_0305 - Implement a fault tolerant name/address service | Manual, Disabled | 1.1.0 |
| Implement controls to secure all media | CMA_0314 - Implement controls to secure all media | Manual, Disabled | 1.1.0 |
| Implement controls to secure alternate work sites | CMA_0315 - Implement controls to secure alternate work sites | Manual, Disabled | 1.1.0 |
| Information flow control using security policy filters | CMA_C1029 - Information flow control using security policy filters | Manual, Disabled | 1.1.0 |
| Monitor access across the organization | CMA_0376 - Monitor access across the organization | Manual, Disabled | 1.1.0 |
| Notify users of system logon or access | CMA_0382 - Notify users of system logon or access | Manual, Disabled | 1.1.0 |
| Produce, control and distribute asymmetric cryptographic keys | CMA_C1646 - Produce, control and distribute asymmetric cryptographic keys | Manual, Disabled | 1.1.0 |
| Protect data in transit using encryption | CMA_0403 - Protect data in transit using encryption | Manual, Disabled | 1.1.0 |
| Protect passwords with encryption | CMA_0408 - Protect passwords with encryption | Manual, Disabled | 1.1.0 |
| Provide privacy training | CMA_0415 - Provide privacy training | Manual, Disabled | 1.1.0 |
| Provide secure name and address resolution services | CMA_0416 - Provide secure name and address resolution services | Manual, Disabled | 1.1.0 |
| Require approval for account creation | CMA_0431 - Require approval for account creation | Manual, Disabled | 1.1.0 |
| Review user groups and applications with access to sensitive data | CMA_0481 - Review user groups and applications with access to sensitive data | Manual, Disabled | 1.1.0 |
| Support personal verification credentials issued by legal authorities | CMA_0507 - Support personal verification credentials issued by legal authorities | Manual, Disabled | 1.1.0 |

Protecting application services transactions

ID: ISO 27001:2013 A.14.1.3 Ownership: Shared

| Name (Azure portal) | Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Authorize access to security functions and information | CMA_0022 - Authorize access to security functions and information | Manual, Disabled | 1.1.0 |
| Authorize and manage access | CMA_0023 - Authorize and manage access | Manual, Disabled | 1.1.0 |
| Authorize remote access | CMA_0024 - Authorize remote access | Manual, Disabled | 1.1.0 |
| Configure workstations to check for digital certificates | CMA_0073 - Configure workstations to check for digital certificates | Manual, Disabled | 1.1.0 |
| Control information flow | CMA_0079 - Control information flow | Manual, Disabled | 1.1.0 |
| Define cryptographic use | CMA_0120 - Define cryptographic use | Manual, Disabled | 1.1.0 |
| Employ boundary protection to isolate information systems | CMA_C1639 - Employ boundary protection to isolate information systems | Manual, Disabled | 1.1.0 |
| Employ flow control mechanisms of encrypted information | CMA_0211 - Employ flow control mechanisms of encrypted information | Manual, Disabled | 1.1.0 |
| Enforce logical access | CMA_0245 - Enforce logical access | Manual, Disabled | 1.1.0 |
| Enforce mandatory and discretionary access control policies | CMA_0246 - Enforce mandatory and discretionary access control policies | Manual, Disabled | 1.1.0 |
| Enforce user uniqueness | CMA_0250 - Enforce user uniqueness | Manual, Disabled | 1.1.0 |
| Establish firewall and router configuration standards | CMA_0272 - Establish firewall and router configuration standards | Manual, Disabled | 1.1.0 |
| Establish network segmentation for card holder data environment | CMA_0273 - Establish network segmentation for card holder data environment | Manual, Disabled | 1.1.0 |
| Identify and authenticate non-organizational users | CMA_C1346 - Identify and authenticate non-organizational users | Manual, Disabled | 1.1.0 |
| Identify and manage downstream information exchanges | CMA_0298 - Identify and manage downstream information exchanges | Manual, Disabled | 1.1.0 |
| Implement a fault tolerant name/address service | CMA_0305 - Implement a fault tolerant name/address service | Manual, Disabled | 1.1.0 |
| Implement system boundary protection | CMA_0328 - Implement system boundary protection | Manual, Disabled | 1.1.0 |
| Information flow control using security policy filters | CMA_C1029 - Information flow control using security policy filters | Manual, Disabled | 1.1.0 |
| Prevent split tunneling for remote devices | CMA_C1632 - Prevent split tunneling for remote devices | Manual, Disabled | 1.1.0 |
| Produce, control and distribute asymmetric cryptographic keys | CMA_C1646 - Produce, control and distribute asymmetric cryptographic keys | Manual, Disabled | 1.1.0 |
| Protect data in transit using encryption | CMA_0403 - Protect data in transit using encryption | Manual, Disabled | 1.1.0 |
| Protect passwords with encryption | CMA_0408 - Protect passwords with encryption | Manual, Disabled | 1.1.0 |
| Provide secure name and address resolution services | CMA_0416 - Provide secure name and address resolution services | Manual, Disabled | 1.1.0 |
| Require approval for account creation | CMA_0431 - Require approval for account creation | Manual, Disabled | 1.1.0 |
| Review user groups and applications with access to sensitive data | CMA_0481 - Review user groups and applications with access to sensitive data | Manual, Disabled | 1.1.0 |
| Secure the interface to external systems | CMA_0491 - Secure the interface to external systems | Manual, Disabled | 1.1.0 |
| Separate user and information system management functionality | CMA_0493 - Separate user and information system management functionality | Manual, Disabled | 1.1.0 |
| Support personal verification credentials issued by legal authorities | CMA_0507 - Support personal verification credentials issued by legal authorities | Manual, Disabled | 1.1.0 |
| Use dedicated machines for administrative tasks | CMA_0527 - Use dedicated machines for administrative tasks | Manual, Disabled | 1.1.0 |

Secure development policy

ID: ISO 27001:2013 A.14.2.1 Ownership: Shared

| Name (Azure portal) | Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Define information security roles and responsibilities | CMA_C1565 - Define information security roles and responsibilities | Manual, Disabled | 1.1.0 |
| Identify individuals with security roles and responsibilities | CMA_C1566 - Identify individuals with security roles and responsibilities | Manual, Disabled | 1.1.1 |
| Integrate risk management process into SDLC | CMA_C1567 - Integrate risk management process into SDLC | Manual, Disabled | 1.1.0 |
| Require developers to build security architecture | CMA_C1612 - Require developers to build security architecture | Manual, Disabled | 1.1.0 |
| Require developers to describe accurate security functionality | CMA_C1613 - Require developers to describe accurate security functionality | Manual, Disabled | 1.1.0 |
| Require developers to provide unified security protection approach | CMA_C1614 - Require developers to provide unified security protection approach | Manual, Disabled | 1.1.0 |
| Review development process, standards and tools | CMA_C1610 - Review development process, standards and tools | Manual, Disabled | 1.1.0 |

System change control procedures

ID: ISO 27001:2013 A.14.2.2 Ownership: Shared

| Name (Azure portal) | Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Address coding vulnerabilities | CMA_0003 - Address coding vulnerabilities | Manual, Disabled | 1.1.0 |
| Automate approval request for proposed changes | CMA_C1192 - Automate approval request for proposed changes | Manual, Disabled | 1.1.0 |
| Automate implementation of approved change notifications | CMA_C1196 - Automate implementation of approved change notifications | Manual, Disabled | 1.1.0 |
| Automate process to document implemented changes | CMA_C1195 - Automate process to document implemented changes | Manual, Disabled | 1.1.0 |
| Automate process to highlight unreviewed change proposals | CMA_C1193 - Automate process to highlight unreviewed change proposals | Manual, Disabled | 1.1.0 |
| Automate process to prohibit implementation of unapproved changes | CMA_C1194 - Automate process to prohibit implementation of unapproved changes | Manual, Disabled | 1.1.0 |
| Automate proposed documented changes | CMA_C1191 - Automate proposed documented changes | Manual, Disabled | 1.1.0 |
| Conduct a security impact analysis | CMA_0057 - Conduct a security impact analysis | Manual, Disabled | 1.1.0 |
| Develop and document application security requirements | CMA_0148 - Develop and document application security requirements | Manual, Disabled | 1.1.0 |
| Develop and maintain a vulnerability management standard | CMA_0152 - Develop and maintain a vulnerability management standard | Manual, Disabled | 1.1.0 |
| Document the information system environment in acquisition contracts | CMA_0205 - Document the information system environment in acquisition contracts | Manual, Disabled | 1.1.0 |
| Enforce security configuration settings | CMA_0249 - Enforce security configuration settings | Manual, Disabled | 1.1.0 |
| Establish a risk management strategy | CMA_0258 - Establish a risk management strategy | Manual, Disabled | 1.1.0 |
| Establish a secure software development program | CMA_0259 - Establish a secure software development program | Manual, Disabled | 1.1.0 |
| Establish and document change control processes | CMA_0265 - Establish and document change control processes | Manual, Disabled | 1.1.0 |
| Establish configuration management requirements for developers | CMA_0270 - Establish configuration management requirements for developers | Manual, Disabled | 1.1.0 |
| Incorporate flaw remediation into configuration management | CMA_C1671 - Incorporate flaw remediation into configuration management | Manual, Disabled | 1.1.0 |
| Perform a privacy impact assessment | CMA_0387 - Perform a privacy impact assessment | Manual, Disabled | 1.1.0 |
| Perform a risk assessment | CMA_0388 - Perform a risk assessment | Manual, Disabled | 1.1.0 |
| Perform audit for configuration change control | CMA_0390 - Perform audit for configuration change control | Manual, Disabled | 1.1.0 |
| Perform vulnerability scans | CMA_0393 - Perform vulnerability scans | Manual, Disabled | 1.1.0 |
| Remediate information system flaws | CMA_0427 - Remediate information system flaws | Manual, Disabled | 1.1.0 |
| Require developers to document approved changes and potential impact | CMA_C1597 - Require developers to document approved changes and potential impact | Manual, Disabled | 1.1.0 |
| Require developers to implement only approved changes | CMA_C1596 - Require developers to implement only approved changes | Manual, Disabled | 1.1.0 |
| Require developers to manage change integrity | CMA_C1595 - Require developers to manage change integrity | Manual, Disabled | 1.1.0 |

Technical review of applications after operating platform changes

ID: ISO 27001:2013 A.14.2.3 Ownership: Shared

| Name (Azure portal) | Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Automate approval request for proposed changes | CMA_C1192 - Automate approval request for proposed changes | Manual, Disabled | 1.1.0 |
| Automate implementation of approved change notifications | CMA_C1196 - Automate implementation of approved change notifications | Manual, Disabled | 1.1.0 |
| Automate process to document implemented changes | CMA_C1195 - Automate process to document implemented changes | Manual, Disabled | 1.1.0 |
| Automate process to highlight unreviewed change proposals | CMA_C1193 - Automate process to highlight unreviewed change proposals | Manual, Disabled | 1.1.0 |
| Automate process to prohibit implementation of unapproved changes | CMA_C1194 - Automate process to prohibit implementation of unapproved changes | Manual, Disabled | 1.1.0 |
| Automate proposed documented changes | CMA_C1191 - Automate proposed documented changes | Manual, Disabled | 1.1.0 |
| Conduct a security impact analysis | CMA_0057 - Conduct a security impact analysis | Manual, Disabled | 1.1.0 |
| Develop and maintain a vulnerability management standard | CMA_0152 - Develop and maintain a vulnerability management standard | Manual, Disabled | 1.1.0 |
| Enforce security configuration settings | CMA_0249 - Enforce security configuration settings | Manual, Disabled | 1.1.0 |
| Establish a risk management strategy | CMA_0258 - Establish a risk management strategy | Manual, Disabled | 1.1.0 |
| Establish and document change control processes | CMA_0265 - Establish and document change control processes | Manual, Disabled | 1.1.0 |
| Establish configuration management requirements for developers | CMA_0270 - Establish configuration management requirements for developers | Manual, Disabled | 1.1.0 |
| Incorporate flaw remediation into configuration management | CMA_C1671 - Incorporate flaw remediation into configuration management | Manual, Disabled | 1.1.0 |
| Perform a privacy impact assessment | CMA_0387 - Perform a privacy impact assessment | Manual, Disabled | 1.1.0 |
| Perform a risk assessment | CMA_0388 - Perform a risk assessment | Manual, Disabled | 1.1.0 |
| Perform audit for configuration change control | CMA_0390 - Perform audit for configuration change control | Manual, Disabled | 1.1.0 |
| Perform vulnerability scans | CMA_0393 - Perform vulnerability scans | Manual, Disabled | 1.1.0 |
| Remediate information system flaws | CMA_0427 - Remediate information system flaws | Manual, Disabled | 1.1.0 |

Restrictions on changes to software packages

ID: ISO 27001:2013 A.14.2.4 Ownership: Shared

Name (Azure portal) | Description | Effect(s) | Version (GitHub)
Address coding vulnerabilities CMA_0003 - Address coding vulnerabilities Manual, Disabled 1.1.0
Automate approval request for proposed changes CMA_C1192 - Automate approval request for proposed changes Manual, Disabled 1.1.0
Automate implementation of approved change notifications CMA_C1196 - Automate implementation of approved change notifications Manual, Disabled 1.1.0
Automate process to document implemented changes CMA_C1195 - Automate process to document implemented changes Manual, Disabled 1.1.0
Automate process to highlight unreviewed change proposals CMA_C1193 - Automate process to highlight unreviewed change proposals Manual, Disabled 1.1.0
Automate process to prohibit implementation of unapproved changes CMA_C1194 - Automate process to prohibit implementation of unapproved changes Manual, Disabled 1.1.0
Automate proposed documented changes CMA_C1191 - Automate proposed documented changes Manual, Disabled 1.1.0
Conduct a security impact analysis CMA_0057 - Conduct a security impact analysis Manual, Disabled 1.1.0
Develop and document application security requirements CMA_0148 - Develop and document application security requirements Manual, Disabled 1.1.0
Develop and maintain a vulnerability management standard CMA_0152 - Develop and maintain a vulnerability management standard Manual, Disabled 1.1.0
Document the information system environment in acquisition contracts CMA_0205 - Document the information system environment in acquisition contracts Manual, Disabled 1.1.0
Enforce security configuration settings CMA_0249 - Enforce security configuration settings Manual, Disabled 1.1.0
Establish a risk management strategy CMA_0258 - Establish a risk management strategy Manual, Disabled 1.1.0
Establish a secure software development program CMA_0259 - Establish a secure software development program Manual, Disabled 1.1.0
Establish and document change control processes CMA_0265 - Establish and document change control processes Manual, Disabled 1.1.0
Establish configuration management requirements for developers CMA_0270 - Establish configuration management requirements for developers Manual, Disabled 1.1.0
Perform a privacy impact assessment CMA_0387 - Perform a privacy impact assessment Manual, Disabled 1.1.0
Perform a risk assessment CMA_0388 - Perform a risk assessment Manual, Disabled 1.1.0
Perform audit for configuration change control CMA_0390 - Perform audit for configuration change control Manual, Disabled 1.1.0
Perform vulnerability scans CMA_0393 - Perform vulnerability scans Manual, Disabled 1.1.0
Remediate information system flaws CMA_0427 - Remediate information system flaws Manual, Disabled 1.1.0
Require developers to document approved changes and potential impact CMA_C1597 - Require developers to document approved changes and potential impact Manual, Disabled 1.1.0
Require developers to implement only approved changes CMA_C1596 - Require developers to implement only approved changes Manual, Disabled 1.1.0
Require developers to manage change integrity CMA_C1595 - Require developers to manage change integrity Manual, Disabled 1.1.0

Secure system engineering principles

ID: ISO 27001:2013 A.14.2.5 Ownership: Shared

Name (Azure portal) | Description | Effect(s) | Version (GitHub)
Perform information input validation CMA_C1723 - Perform information input validation Manual, Disabled 1.1.0
Require developers to build security architecture CMA_C1612 - Require developers to build security architecture Manual, Disabled 1.1.0
Require developers to describe accurate security functionality CMA_C1613 - Require developers to describe accurate security functionality Manual, Disabled 1.1.0
Require developers to provide unified security protection approach CMA_C1614 - Require developers to provide unified security protection approach Manual, Disabled 1.1.0
Review development process, standards and tools CMA_C1610 - Review development process, standards and tools Manual, Disabled 1.1.0

Secure development environment

ID: ISO 27001:2013 A.14.2.6 Ownership: Shared

Name (Azure portal) | Description | Effect(s) | Version (GitHub)
Conduct a security impact analysis CMA_0057 - Conduct a security impact analysis Manual, Disabled 1.1.0
Define information security roles and responsibilities CMA_C1565 - Define information security roles and responsibilities Manual, Disabled 1.1.0
Establish and document change control processes CMA_0265 - Establish and document change control processes Manual, Disabled 1.1.0
Establish configuration management requirements for developers CMA_0270 - Establish configuration management requirements for developers Manual, Disabled 1.1.0
Identify individuals with security roles and responsibilities CMA_C1566 - Identify individuals with security roles and responsibilities Manual, Disabled 1.1.1
Integrate risk management process into SDLC CMA_C1567 - Integrate risk management process into SDLC Manual, Disabled 1.1.0
Perform a privacy impact assessment CMA_0387 - Perform a privacy impact assessment Manual, Disabled 1.1.0
Perform audit for configuration change control CMA_0390 - Perform audit for configuration change control Manual, Disabled 1.1.0
Perform vulnerability scans CMA_0393 - Perform vulnerability scans Manual, Disabled 1.1.0
Remediate information system flaws CMA_0427 - Remediate information system flaws Manual, Disabled 1.1.0

Outsourced development

ID: ISO 27001:2013 A.14.2.7 Ownership: Shared

Name (Azure portal) | Description | Effect(s) | Version (GitHub)
Address coding vulnerabilities CMA_0003 - Address coding vulnerabilities Manual, Disabled 1.1.0
Assess risk in third party relationships CMA_0014 - Assess risk in third party relationships Manual, Disabled 1.1.0
Conduct a security impact analysis CMA_0057 - Conduct a security impact analysis Manual, Disabled 1.1.0
Define requirements for supplying goods and services CMA_0126 - Define requirements for supplying goods and services Manual, Disabled 1.1.0
Determine supplier contract obligations CMA_0140 - Determine supplier contract obligations Manual, Disabled 1.1.0
Develop and document application security requirements CMA_0148 - Develop and document application security requirements Manual, Disabled 1.1.0
Document acquisition contract acceptance criteria CMA_0187 - Document acquisition contract acceptance criteria Manual, Disabled 1.1.0
Document protection of personal data in acquisition contracts CMA_0194 - Document protection of personal data in acquisition contracts Manual, Disabled 1.1.0
Document protection of security information in acquisition contracts CMA_0195 - Document protection of security information in acquisition contracts Manual, Disabled 1.1.0
Document requirements for the use of shared data in contracts CMA_0197 - Document requirements for the use of shared data in contracts Manual, Disabled 1.1.0
Document security assurance requirements in acquisition contracts CMA_0199 - Document security assurance requirements in acquisition contracts Manual, Disabled 1.1.0
Document security documentation requirements in acquisition contract CMA_0200 - Document security documentation requirements in acquisition contract Manual, Disabled 1.1.0
Document security functional requirements in acquisition contracts CMA_0201 - Document security functional requirements in acquisition contracts Manual, Disabled 1.1.0
Document security strength requirements in acquisition contracts CMA_0203 - Document security strength requirements in acquisition contracts Manual, Disabled 1.1.0
Document the information system environment in acquisition contracts CMA_0205 - Document the information system environment in acquisition contracts Manual, Disabled 1.1.0
Document the protection of cardholder data in third party contracts CMA_0207 - Document the protection of cardholder data in third party contracts Manual, Disabled 1.1.0
Establish a secure software development program CMA_0259 - Establish a secure software development program Manual, Disabled 1.1.0
Establish and document change control processes CMA_0265 - Establish and document change control processes Manual, Disabled 1.1.0
Establish configuration management requirements for developers CMA_0270 - Establish configuration management requirements for developers Manual, Disabled 1.1.0
Establish policies for supply chain risk management CMA_0275 - Establish policies for supply chain risk management Manual, Disabled 1.1.0
Perform a privacy impact assessment CMA_0387 - Perform a privacy impact assessment Manual, Disabled 1.1.0
Perform audit for configuration change control CMA_0390 - Perform audit for configuration change control Manual, Disabled 1.1.0
Perform vulnerability scans CMA_0393 - Perform vulnerability scans Manual, Disabled 1.1.0
Remediate information system flaws CMA_0427 - Remediate information system flaws Manual, Disabled 1.1.0
Require developers to document approved changes and potential impact CMA_C1597 - Require developers to document approved changes and potential impact Manual, Disabled 1.1.0
Require developers to implement only approved changes CMA_C1596 - Require developers to implement only approved changes Manual, Disabled 1.1.0
Require developers to manage change integrity CMA_C1595 - Require developers to manage change integrity Manual, Disabled 1.1.0
Require developers to produce evidence of security assessment plan execution CMA_C1602 - Require developers to produce evidence of security assessment plan execution Manual, Disabled 1.1.0

System security testing

ID: ISO 27001:2013 A.14.2.8 Ownership: Shared

Name (Azure portal) | Description | Effect(s) | Version (GitHub)
Assess Security Controls CMA_C1145 - Assess Security Controls Manual, Disabled 1.1.0
Deliver security assessment results CMA_C1147 - Deliver security assessment results Manual, Disabled 1.1.0
Develop security assessment plan CMA_C1144 - Develop security assessment plan Manual, Disabled 1.1.0
Ensure there are no unencrypted static authenticators CMA_C1340 - Ensure there are no unencrypted static authenticators Manual, Disabled 1.1.0
Perform vulnerability scans CMA_0393 - Perform vulnerability scans Manual, Disabled 1.1.0
Produce Security Assessment report CMA_C1146 - Produce Security Assessment report Manual, Disabled 1.1.0
Remediate information system flaws CMA_0427 - Remediate information system flaws Manual, Disabled 1.1.0
Require developers to produce evidence of security assessment plan execution CMA_C1602 - Require developers to produce evidence of security assessment plan execution Manual, Disabled 1.1.0

System acceptance testing

ID: ISO 27001:2013 A.14.2.9 Ownership: Shared

Name (Azure portal) | Description | Effect(s) | Version (GitHub)
Assign an authorizing official (AO) CMA_C1158 - Assign an authorizing official (AO) Manual, Disabled 1.1.0
Determine supplier contract obligations CMA_0140 - Determine supplier contract obligations Manual, Disabled 1.1.0
Document acquisition contract acceptance criteria CMA_0187 - Document acquisition contract acceptance criteria Manual, Disabled 1.1.0
Document protection of personal data in acquisition contracts CMA_0194 - Document protection of personal data in acquisition contracts Manual, Disabled 1.1.0
Document protection of security information in acquisition contracts CMA_0195 - Document protection of security information in acquisition contracts Manual, Disabled 1.1.0
Document requirements for the use of shared data in contracts CMA_0197 - Document requirements for the use of shared data in contracts Manual, Disabled 1.1.0
Document security assurance requirements in acquisition contracts CMA_0199 - Document security assurance requirements in acquisition contracts Manual, Disabled 1.1.0
Document security documentation requirements in acquisition contract CMA_0200 - Document security documentation requirements in acquisition contract Manual, Disabled 1.1.0
Document security functional requirements in acquisition contracts CMA_0201 - Document security functional requirements in acquisition contracts Manual, Disabled 1.1.0
Document security strength requirements in acquisition contracts CMA_0203 - Document security strength requirements in acquisition contracts Manual, Disabled 1.1.0
Document the information system environment in acquisition contracts CMA_0205 - Document the information system environment in acquisition contracts Manual, Disabled 1.1.0
Document the protection of cardholder data in third party contracts CMA_0207 - Document the protection of cardholder data in third party contracts Manual, Disabled 1.1.0
Ensure resources are authorized CMA_C1159 - Ensure resources are authorized Manual, Disabled 1.1.0
Ensure there are no unencrypted static authenticators CMA_C1340 - Ensure there are no unencrypted static authenticators Manual, Disabled 1.1.0

Protection of test data

ID: ISO 27001:2013 A.14.3.1 Ownership: Shared

Name (Azure portal) | Description | Effect(s) | Version (GitHub)
Adhere to retention periods defined CMA_0004 - Adhere to retention periods defined Manual, Disabled 1.1.0
Conduct a security impact analysis CMA_0057 - Conduct a security impact analysis Manual, Disabled 1.1.0
Ensure there are no unencrypted static authenticators CMA_C1340 - Ensure there are no unencrypted static authenticators Manual, Disabled 1.1.0
Establish and document change control processes CMA_0265 - Establish and document change control processes Manual, Disabled 1.1.0
Establish configuration management requirements for developers CMA_0270 - Establish configuration management requirements for developers Manual, Disabled 1.1.0
Perform a privacy impact assessment CMA_0387 - Perform a privacy impact assessment Manual, Disabled 1.1.0
Perform audit for configuration change control CMA_0390 - Perform audit for configuration change control Manual, Disabled 1.1.0
Perform disposition review CMA_0391 - Perform disposition review Manual, Disabled 1.1.0
Perform vulnerability scans CMA_0393 - Perform vulnerability scans Manual, Disabled 1.1.0
Remediate information system flaws CMA_0427 - Remediate information system flaws Manual, Disabled 1.1.0
Verify personal data is deleted at the end of processing CMA_0540 - Verify personal data is deleted at the end of processing Manual, Disabled 1.1.0

Supplier Relationships

Information security policy for supplier relationships

ID: ISO 27001:2013 A.15.1.1 Ownership: Shared

Name (Azure portal) | Description | Effect(s) | Version (GitHub)
Assess risk in third party relationships CMA_0014 - Assess risk in third party relationships Manual, Disabled 1.1.0
Define requirements for supplying goods and services CMA_0126 - Define requirements for supplying goods and services Manual, Disabled 1.1.0
Determine supplier contract obligations CMA_0140 - Determine supplier contract obligations Manual, Disabled 1.1.0
Establish policies for supply chain risk management CMA_0275 - Establish policies for supply chain risk management Manual, Disabled 1.1.0
Review and update personnel security policies and procedures CMA_C1507 - Review and update personnel security policies and procedures Manual, Disabled 1.1.0
Review and update system and services acquisition policies and procedures CMA_C1560 - Review and update system and services acquisition policies and procedures Manual, Disabled 1.1.0

Addressing security within supplier agreement

ID: ISO 27001:2013 A.15.1.2 Ownership: Shared

Name (Azure portal) | Description | Effect(s) | Version (GitHub)
Assess risk in third party relationships CMA_0014 - Assess risk in third party relationships Manual, Disabled 1.1.0
Check for privacy and security compliance before establishing internal connections CMA_0053 - Check for privacy and security compliance before establishing internal connections Manual, Disabled 1.1.0
Define requirements for supplying goods and services CMA_0126 - Define requirements for supplying goods and services Manual, Disabled 1.1.0
Determine supplier contract obligations CMA_0140 - Determine supplier contract obligations Manual, Disabled 1.1.0
Develop acceptable use policies and procedures CMA_0143 - Develop acceptable use policies and procedures Manual, Disabled 1.1.0
Develop organization code of conduct policy CMA_0159 - Develop organization code of conduct policy Manual, Disabled 1.1.0
Document acquisition contract acceptance criteria CMA_0187 - Document acquisition contract acceptance criteria Manual, Disabled 1.1.0
Document personnel acceptance of privacy requirements CMA_0193 - Document personnel acceptance of privacy requirements Manual, Disabled 1.1.0
Document protection of personal data in acquisition contracts CMA_0194 - Document protection of personal data in acquisition contracts Manual, Disabled 1.1.0
Document protection of security information in acquisition contracts CMA_0195 - Document protection of security information in acquisition contracts Manual, Disabled 1.1.0
Document requirements for the use of shared data in contracts CMA_0197 - Document requirements for the use of shared data in contracts Manual, Disabled 1.1.0
Document security assurance requirements in acquisition contracts CMA_0199 - Document security assurance requirements in acquisition contracts Manual, Disabled 1.1.0
Document security documentation requirements in acquisition contract CMA_0200 - Document security documentation requirements in acquisition contract Manual, Disabled 1.1.0
Document security functional requirements in acquisition contracts CMA_0201 - Document security functional requirements in acquisition contracts Manual, Disabled 1.1.0
Document security strength requirements in acquisition contracts CMA_0203 - Document security strength requirements in acquisition contracts Manual, Disabled 1.1.0
Document the information system environment in acquisition contracts CMA_0205 - Document the information system environment in acquisition contracts Manual, Disabled 1.1.0
Document the protection of cardholder data in third party contracts CMA_0207 - Document the protection of cardholder data in third party contracts Manual, Disabled 1.1.0
Enforce rules of behavior and access agreements CMA_0248 - Enforce rules of behavior and access agreements Manual, Disabled 1.1.0
Establish policies for supply chain risk management CMA_0275 - Establish policies for supply chain risk management Manual, Disabled 1.1.0
Identify external service providers CMA_C1591 - Identify external service providers Manual, Disabled 1.1.0
Prohibit unfair practices CMA_0396 - Prohibit unfair practices Manual, Disabled 1.1.0
Review and sign revised rules of behavior CMA_0465 - Review and sign revised rules of behavior Manual, Disabled 1.1.0
Update rules of behavior and access agreements CMA_0521 - Update rules of behavior and access agreements Manual, Disabled 1.1.0
Update rules of behavior and access agreements every 3 years CMA_0522 - Update rules of behavior and access agreements every 3 years Manual, Disabled 1.1.0

Information and communication technology supply chain

ID: ISO 27001:2013 A.15.1.3 Ownership: Shared

Name (Azure portal) | Description | Effect(s) | Version (GitHub)
Assess risk in third party relationships CMA_0014 - Assess risk in third party relationships Manual, Disabled 1.1.0
Define requirements for supplying goods and services CMA_0126 - Define requirements for supplying goods and services Manual, Disabled 1.1.0
Determine supplier contract obligations CMA_0140 - Determine supplier contract obligations Manual, Disabled 1.1.0
Establish policies for supply chain risk management CMA_0275 - Establish policies for supply chain risk management Manual, Disabled 1.1.0

Monitoring and review of supplier services

ID: ISO 27001:2013 A.15.2.1 Ownership: Shared

Name (Azure portal) | Description | Effect(s) | Version (GitHub)
Define and document government oversight CMA_C1587 - Define and document government oversight Manual, Disabled 1.1.0
Require external service providers to comply with security requirements CMA_C1586 - Require external service providers to comply with security requirements Manual, Disabled 1.1.0
Review cloud service provider's compliance with policies and agreements CMA_0469 - Review cloud service provider's compliance with policies and agreements Manual, Disabled 1.1.0
Undergo independent security review CMA_0515 - Undergo independent security review Manual, Disabled 1.1.0

Managing changes to supplier services

ID: ISO 27001:2013 A.15.2.2 Ownership: Shared

Name (Azure portal) | Description | Effect(s) | Version (GitHub)
Define and document government oversight CMA_C1587 - Define and document government oversight Manual, Disabled 1.1.0
Determine supplier contract obligations CMA_0140 - Determine supplier contract obligations Manual, Disabled 1.1.0
Document acquisition contract acceptance criteria CMA_0187 - Document acquisition contract acceptance criteria Manual, Disabled 1.1.0
Document protection of personal data in acquisition contracts CMA_0194 - Document protection of personal data in acquisition contracts Manual, Disabled 1.1.0
Document protection of security information in acquisition contracts CMA_0195 - Document protection of security information in acquisition contracts Manual, Disabled 1.1.0
Document requirements for the use of shared data in contracts CMA_0197 - Document requirements for the use of shared data in contracts Manual, Disabled 1.1.0
Document security assurance requirements in acquisition contracts CMA_0199 - Document security assurance requirements in acquisition contracts Manual, Disabled 1.1.0
Document security documentation requirements in acquisition contract CMA_0200 - Document security documentation requirements in acquisition contract Manual, Disabled 1.1.0
Document security functional requirements in acquisition contracts CMA_0201 - Document security functional requirements in acquisition contracts Manual, Disabled 1.1.0
Document security strength requirements in acquisition contracts CMA_0203 - Document security strength requirements in acquisition contracts Manual, Disabled 1.1.0
Document the information system environment in acquisition contracts CMA_0205 - Document the information system environment in acquisition contracts Manual, Disabled 1.1.0
Document the protection of cardholder data in third party contracts CMA_0207 - Document the protection of cardholder data in third party contracts Manual, Disabled 1.1.0
Require external service providers to comply with security requirements CMA_C1586 - Require external service providers to comply with security requirements Manual, Disabled 1.1.0
Review cloud service provider's compliance with policies and agreements CMA_0469 - Review cloud service provider's compliance with policies and agreements Manual, Disabled 1.1.0
Undergo independent security review CMA_0515 - Undergo independent security review Manual, Disabled 1.1.0

Information Security Incident Management

Responsibilities and procedures

ID: ISO 27001:2013 A.16.1.1 Ownership: Shared

Name (Azure portal) | Description | Effect(s) | Version (GitHub)
Assess information security events CMA_0013 - Assess information security events Manual, Disabled 1.1.0
Develop an incident response plan CMA_0145 - Develop an incident response plan Manual, Disabled 1.1.0
Implement incident handling CMA_0318 - Implement incident handling Manual, Disabled 1.1.0
Maintain data breach records CMA_0351 - Maintain data breach records Manual, Disabled 1.1.0
Maintain incident response plan CMA_0352 - Maintain incident response plan Manual, Disabled 1.1.0
Protect incident response plan CMA_0405 - Protect incident response plan Manual, Disabled 1.1.0
Review and update incident response policies and procedures CMA_C1352 - Review and update incident response policies and procedures Manual, Disabled 1.1.0

Reporting information security events

ID: ISO 27001:2013 A.16.1.2 Ownership: Shared

Name (Azure portal) | Description | Effect(s) | Version (GitHub)
Correlate audit records CMA_0087 - Correlate audit records Manual, Disabled 1.1.0
Document security operations CMA_0202 - Document security operations Manual, Disabled 1.1.0
Establish requirements for audit review and reporting CMA_0277 - Establish requirements for audit review and reporting Manual, Disabled 1.1.0
Implement incident handling CMA_0318 - Implement incident handling Manual, Disabled 1.1.0
Integrate audit review, analysis, and reporting CMA_0339 - Integrate audit review, analysis, and reporting Manual, Disabled 1.1.0
Integrate cloud app security with a siem CMA_0340 - Integrate cloud app security with a siem Manual, Disabled 1.1.0
Report atypical behavior of user accounts CMA_C1025 - Report atypical behavior of user accounts Manual, Disabled 1.1.0
Review account provisioning logs CMA_0460 - Review account provisioning logs Manual, Disabled 1.1.0
Review administrator assignments weekly CMA_0461 - Review administrator assignments weekly Manual, Disabled 1.1.0
Review audit data CMA_0466 - Review audit data Manual, Disabled 1.1.0
Review cloud identity report overview CMA_0468 - Review cloud identity report overview Manual, Disabled 1.1.0
Review controlled folder access events CMA_0471 - Review controlled folder access events Manual, Disabled 1.1.0
Review file and folder activity CMA_0473 - Review file and folder activity Manual, Disabled 1.1.0
Review role group changes weekly CMA_0476 - Review role group changes weekly Manual, Disabled 1.1.0

Reporting information security weaknesses

ID: ISO 27001:2013 A.16.1.3 Ownership: Shared

Name (Azure portal) | Description | Effect(s) | Version (GitHub)
Document security operations CMA_0202 - Document security operations Manual, Disabled 1.1.0
Incorporate flaw remediation into configuration management CMA_C1671 - Incorporate flaw remediation into configuration management Manual, Disabled 1.1.0
Remediate information system flaws CMA_0427 - Remediate information system flaws Manual, Disabled 1.1.0
Report atypical behavior of user accounts CMA_C1025 - Report atypical behavior of user accounts Manual, Disabled 1.1.0

Assessment of and decision on information security events

ID: ISO 27001:2013 A.16.1.4 Ownership: Shared

Name (Azure portal) | Description | Effect(s) | Version (GitHub)
Assess information security events CMA_0013 - Assess information security events Manual, Disabled 1.1.0
Coordinate contingency plans with related plans CMA_0086 - Coordinate contingency plans with related plans Manual, Disabled 1.1.0
Correlate audit records CMA_0087 - Correlate audit records Manual, Disabled 1.1.0
Develop an incident response plan CMA_0145 - Develop an incident response plan Manual, Disabled 1.1.0
Develop security safeguards CMA_0161 - Develop security safeguards Manual, Disabled 1.1.0
Enable network protection CMA_0238 - Enable network protection Manual, Disabled 1.1.0
Eradicate contaminated information CMA_0253 - Eradicate contaminated information Manual, Disabled 1.1.0
Establish requirements for audit review and reporting CMA_0277 - Establish requirements for audit review and reporting Manual, Disabled 1.1.0
Execute actions in response to information spills CMA_0281 - Execute actions in response to information spills Manual, Disabled 1.1.0
Implement incident handling CMA_0318 - Implement incident handling Manual, Disabled 1.1.0
Integrate audit review, analysis, and reporting CMA_0339 - Integrate audit review, analysis, and reporting Manual, Disabled 1.1.0
Integrate cloud app security with a siem CMA_0340 - Integrate cloud app security with a siem Manual, Disabled 1.1.0
Maintain incident response plan CMA_0352 - Maintain incident response plan Manual, Disabled 1.1.0
Perform a trend analysis on threats CMA_0389 - Perform a trend analysis on threats Manual, Disabled 1.1.0
Report atypical behavior of user accounts CMA_C1025 - Report atypical behavior of user accounts Manual, Disabled 1.1.0
Review account provisioning logs CMA_0460 - Review account provisioning logs Manual, Disabled 1.1.0
Review administrator assignments weekly CMA_0461 - Review administrator assignments weekly Manual, Disabled 1.1.0
Review audit data CMA_0466 - Review audit data Manual, Disabled 1.1.0
Review cloud identity report overview CMA_0468 - Review cloud identity report overview Manual, Disabled 1.1.0
Review controlled folder access events CMA_0471 - Review controlled folder access events Manual, Disabled 1.1.0
Review file and folder activity CMA_0473 - Review file and folder activity Manual, Disabled 1.1.0
Review role group changes weekly CMA_0476 - Review role group changes weekly Manual, Disabled 1.1.0
View and investigate restricted users CMA_0545 - View and investigate restricted users Manual, Disabled 1.1.0

Response to information security incidents

ID: ISO 27001:2013 A.16.1.5 Ownership: Shared

Name (Azure portal) | Description | Effect(s) | Version (GitHub)
Assess information security events CMA_0013 - Assess information security events Manual, Disabled 1.1.0
Coordinate contingency plans with related plans CMA_0086 - Coordinate contingency plans with related plans Manual, Disabled 1.1.0
Develop an incident response plan CMA_0145 - Develop an incident response plan Manual, Disabled 1.1.0
Develop security safeguards CMA_0161 - Develop security safeguards Manual, Disabled 1.1.0
Enable network protection CMA_0238 - Enable network protection Manual, Disabled 1.1.0
Eradicate contaminated information CMA_0253 - Eradicate contaminated information Manual, Disabled 1.1.0
Execute actions in response to information spills CMA_0281 - Execute actions in response to information spills Manual, Disabled 1.1.0
Implement incident handling CMA_0318 - Implement incident handling Manual, Disabled 1.1.0
Maintain incident response plan CMA_0352 - Maintain incident response plan Manual, Disabled 1.1.0
Perform a trend analysis on threats CMA_0389 - Perform a trend analysis on threats Manual, Disabled 1.1.0
Report atypical behavior of user accounts CMA_C1025 - Report atypical behavior of user accounts Manual, Disabled 1.1.0
View and investigate restricted users CMA_0545 - View and investigate restricted users Manual, Disabled 1.1.0

Learning from information security incidents

ID: ISO 27001:2013 A.16.1.6 Ownership: Shared

Name (Azure portal) | Description | Effect(s) | Version (GitHub)
Assess information security events CMA_0013 - Assess information security events Manual, Disabled 1.1.0
Coordinate contingency plans with related plans CMA_0086 - Coordinate contingency plans with related plans Manual, Disabled 1.1.0
Develop an incident response plan CMA_0145 - Develop an incident response plan Manual, Disabled 1.1.0
Develop security safeguards CMA_0161 - Develop security safeguards Manual, Disabled 1.1.0
Discover any indicators of compromise CMA_C1702 - Discover any indicators of compromise Manual, Disabled 1.1.0
Enable network protection CMA_0238 - Enable network protection Manual, Disabled 1.1.0
Eradicate contaminated information CMA_0253 - Eradicate contaminated information Manual, Disabled 1.1.0
Execute actions in response to information spills CMA_0281 - Execute actions in response to information spills Manual, Disabled 1.1.0
Implement incident handling CMA_0318 - Implement incident handling Manual, Disabled 1.1.0
Maintain incident response plan CMA_0352 - Maintain incident response plan Manual, Disabled 1.1.0
Perform a trend analysis on threats CMA_0389 - Perform a trend analysis on threats Manual, Disabled 1.1.0
Report atypical behavior of user accounts CMA_C1025 - Report atypical behavior of user accounts Manual, Disabled 1.1.0
View and investigate restricted users CMA_0545 - View and investigate restricted users Manual, Disabled 1.1.0

Collection of evidence

ID: ISO 27001:2013 A.16.1.7 Ownership: Shared

Name (Azure portal) | Description | Effect(s) | Version (GitHub)
Adhere to retention periods defined CMA_0004 - Adhere to retention periods defined Manual, Disabled 1.1.0
Check for privacy and security compliance before establishing internal connections CMA_0053 - Check for privacy and security compliance before establishing internal connections Manual, Disabled 1.1.0
Determine auditable events CMA_0137 - Determine auditable events Manual, Disabled 1.1.0
Implement incident handling CMA_0318 - Implement incident handling Manual, Disabled 1.1.0
Report atypical behavior of user accounts CMA_C1025 - Report atypical behavior of user accounts Manual, Disabled 1.1.0
Retain security policies and procedures CMA_0454 - Retain security policies and procedures Manual, Disabled 1.1.0
Retain terminated user data CMA_0455 - Retain terminated user data Manual, Disabled 1.1.0

Information Security Aspects Of Business Continuity Management

Planning information security continuity

ID: ISO 27001:2013 A.17.1.1 Ownership: Shared

Name (Azure portal) Description Effect(s) Version (GitHub)
Communicate contingency plan changes CMA_C1249 - Communicate contingency plan changes Manual, Disabled 1.1.0
Coordinate contingency plans with related plans CMA_0086 - Coordinate contingency plans with related plans Manual, Disabled 1.1.0
Develop and document a business continuity and disaster recovery plan CMA_0146 - Develop and document a business continuity and disaster recovery plan Manual, Disabled 1.1.0
Develop contingency plan CMA_C1244 - Develop contingency plan Manual, Disabled 1.1.0
Develop contingency planning policies and procedures CMA_0156 - Develop contingency planning policies and procedures Manual, Disabled 1.1.0
Distribute policies and procedures CMA_0185 - Distribute policies and procedures Manual, Disabled 1.1.0
Plan for resumption of essential business functions CMA_C1253 - Plan for resumption of essential business functions Manual, Disabled 1.1.0
Resume all mission and business functions CMA_C1254 - Resume all mission and business functions Manual, Disabled 1.1.0
Review and update contingency planning policies and procedures CMA_C1243 - Review and update contingency planning policies and procedures Manual, Disabled 1.1.0
Review contingency plan CMA_C1247 - Review contingency plan Manual, Disabled 1.1.0
Update contingency plan CMA_C1248 - Update contingency plan Manual, Disabled 1.1.0

Implementing information security continuity

ID: ISO 27001:2013 A.17.1.2 Ownership: Shared

Name (Azure portal) Description Effect(s) Version (GitHub)
Communicate contingency plan changes CMA_C1249 - Communicate contingency plan changes Manual, Disabled 1.1.0
Conduct backup of information system documentation CMA_C1289 - Conduct backup of information system documentation Manual, Disabled 1.1.0
Coordinate contingency plans with related plans CMA_0086 - Coordinate contingency plans with related plans Manual, Disabled 1.1.0
Create separate alternate and primary storage sites CMA_C1269 - Create separate alternate and primary storage sites Manual, Disabled 1.1.0
Develop contingency plan CMA_C1244 - Develop contingency plan Manual, Disabled 1.1.0
Ensure alternate storage site safeguards are equivalent to primary site CMA_C1268 - Ensure alternate storage site safeguards are equivalent to primary site Manual, Disabled 1.1.0
Ensure information system fails in known state CMA_C1662 - Ensure information system fails in known state Manual, Disabled 1.1.0
Establish alternate storage site to store and retrieve backup information CMA_C1267 - Establish alternate storage site to store and retrieve backup information Manual, Disabled 1.1.0
Establish an alternate processing site CMA_0262 - Establish an alternate processing site Manual, Disabled 1.1.0
Establish backup policies and procedures CMA_0268 - Establish backup policies and procedures Manual, Disabled 1.1.0
Establish requirements for internet service providers CMA_0278 - Establish requirements for internet service providers Manual, Disabled 1.1.0
Identify and mitigate potential issues at alternate storage site CMA_C1271 - Identify and mitigate potential issues at alternate storage site Manual, Disabled 1.1.0
Implement controls to secure all media CMA_0314 - Implement controls to secure all media Manual, Disabled 1.1.0
Implement transaction based recovery CMA_C1296 - Implement transaction based recovery Manual, Disabled 1.1.0
Plan for continuance of essential business functions CMA_C1255 - Plan for continuance of essential business functions Manual, Disabled 1.1.0
Plan for resumption of essential business functions CMA_C1253 - Plan for resumption of essential business functions Manual, Disabled 1.1.0
Recover and reconstitute resources after any disruption CMA_C1295 - Recover and reconstitute resources after any disruption Manual, Disabled 1.1.1
Resume all mission and business functions CMA_C1254 - Resume all mission and business functions Manual, Disabled 1.1.0

Verify, review and evaluate information security continuity

ID: ISO 27001:2013 A.17.1.3 Ownership: Shared

Name (Azure portal) Description Effect(s) Version (GitHub)
Initiate contingency plan testing corrective actions CMA_C1263 - Initiate contingency plan testing corrective actions Manual, Disabled 1.1.0
Review the results of contingency plan testing CMA_C1262 - Review the results of contingency plan testing Manual, Disabled 1.1.0
Test the business continuity and disaster recovery plan CMA_0509 - Test the business continuity and disaster recovery plan Manual, Disabled 1.1.0

Availability of information processing facilities

ID: ISO 27001:2013 A.17.2.1 Ownership: Shared

Name (Azure portal) Description Effect(s) Version (GitHub)
Communicate contingency plan changes CMA_C1249 - Communicate contingency plan changes Manual, Disabled 1.1.0
Coordinate contingency plans with related plans CMA_0086 - Coordinate contingency plans with related plans Manual, Disabled 1.1.0
Create separate alternate and primary storage sites CMA_C1269 - Create separate alternate and primary storage sites Manual, Disabled 1.1.0
Develop and document a business continuity and disaster recovery plan CMA_0146 - Develop and document a business continuity and disaster recovery plan Manual, Disabled 1.1.0
Develop contingency plan CMA_C1244 - Develop contingency plan Manual, Disabled 1.1.0
Develop contingency planning policies and procedures CMA_0156 - Develop contingency planning policies and procedures Manual, Disabled 1.1.0
Distribute policies and procedures CMA_0185 - Distribute policies and procedures Manual, Disabled 1.1.0
Ensure alternate storage site safeguards are equivalent to primary site CMA_C1268 - Ensure alternate storage site safeguards are equivalent to primary site Manual, Disabled 1.1.0
Ensure information system fails in known state CMA_C1662 - Ensure information system fails in known state Manual, Disabled 1.1.0
Establish alternate storage site to store and retrieve backup information CMA_C1267 - Establish alternate storage site to store and retrieve backup information Manual, Disabled 1.1.0
Establish an alternate processing site CMA_0262 - Establish an alternate processing site Manual, Disabled 1.1.0
Identify and mitigate potential issues at alternate storage site CMA_C1271 - Identify and mitigate potential issues at alternate storage site Manual, Disabled 1.1.0
Plan for continuance of essential business functions CMA_C1255 - Plan for continuance of essential business functions Manual, Disabled 1.1.0
Plan for resumption of essential business functions CMA_C1253 - Plan for resumption of essential business functions Manual, Disabled 1.1.0
Resume all mission and business functions CMA_C1254 - Resume all mission and business functions Manual, Disabled 1.1.0
Review contingency plan CMA_C1247 - Review contingency plan Manual, Disabled 1.1.0
Update contingency plan CMA_C1248 - Update contingency plan Manual, Disabled 1.1.0

Compliance

Identification of applicable legislation and contractual requirements

ID: ISO 27001:2013 A.18.1.1 Ownership: Shared

Name (Azure portal) Description Effect(s) Version (GitHub)
Develop access control policies and procedures CMA_0144 - Develop access control policies and procedures Manual, Disabled 1.1.0
Develop and establish a system security plan CMA_0151 - Develop and establish a system security plan Manual, Disabled 1.1.0
Develop audit and accountability policies and procedures CMA_0154 - Develop audit and accountability policies and procedures Manual, Disabled 1.1.0
Develop information security policies and procedures CMA_0158 - Develop information security policies and procedures Manual, Disabled 1.1.0
Document security and privacy training activities CMA_0198 - Document security and privacy training activities Manual, Disabled 1.1.0
Enforce mandatory and discretionary access control policies CMA_0246 - Enforce mandatory and discretionary access control policies Manual, Disabled 1.1.0
Establish a privacy program CMA_0257 - Establish a privacy program Manual, Disabled 1.1.0
Establish a risk management strategy CMA_0258 - Establish a risk management strategy Manual, Disabled 1.1.0
Establish an information security program CMA_0263 - Establish an information security program Manual, Disabled 1.1.0
Establish security requirements for the manufacturing of connected devices CMA_0279 - Establish security requirements for the manufacturing of connected devices Manual, Disabled 1.1.0
Govern policies and procedures CMA_0292 - Govern policies and procedures Manual, Disabled 1.1.0
Implement security engineering principles of information systems CMA_0325 - Implement security engineering principles of information systems Manual, Disabled 1.1.0
Protect the information security program plan CMA_C1732 - Protect the information security program plan Manual, Disabled 1.1.0
Review access control policies and procedures CMA_0457 - Review access control policies and procedures Manual, Disabled 1.1.0
Review and update configuration management policies and procedures CMA_C1175 - Review and update configuration management policies and procedures Manual, Disabled 1.1.0
Review and update contingency planning policies and procedures CMA_C1243 - Review and update contingency planning policies and procedures Manual, Disabled 1.1.0
Review and update identification and authentication policies and procedures CMA_C1299 - Review and update identification and authentication policies and procedures Manual, Disabled 1.1.0
Review and update incident response policies and procedures CMA_C1352 - Review and update incident response policies and procedures Manual, Disabled 1.1.0
Review and update information integrity policies and procedures CMA_C1667 - Review and update information integrity policies and procedures Manual, Disabled 1.1.0
Review and update media protection policies and procedures CMA_C1427 - Review and update media protection policies and procedures Manual, Disabled 1.1.0
Review and update personnel security policies and procedures CMA_C1507 - Review and update personnel security policies and procedures Manual, Disabled 1.1.0
Review and update physical and environmental policies and procedures CMA_C1446 - Review and update physical and environmental policies and procedures Manual, Disabled 1.1.0
Review and update planning policies and procedures CMA_C1491 - Review and update planning policies and procedures Manual, Disabled 1.1.0
Review and update risk assessment policies and procedures CMA_C1537 - Review and update risk assessment policies and procedures Manual, Disabled 1.1.0
Review and update system and communications protection policies and procedures CMA_C1616 - Review and update system and communications protection policies and procedures Manual, Disabled 1.1.0
Review and update system and services acquisition policies and procedures CMA_C1560 - Review and update system and services acquisition policies and procedures Manual, Disabled 1.1.0
Review and update system maintenance policies and procedures CMA_C1395 - Review and update system maintenance policies and procedures Manual, Disabled 1.1.0
Review security assessment and authorization policies and procedures CMA_C1143 - Review security assessment and authorization policies and procedures Manual, Disabled 1.1.0
Update information security policies CMA_0518 - Update information security policies Manual, Disabled 1.1.0
Update privacy plan, policies, and procedures CMA_C1807 - Update privacy plan, policies, and procedures Manual, Disabled 1.1.0

Intellectual property rights

ID: ISO 27001:2013 A.18.1.2 Ownership: Shared

Name (Azure portal) Description Effect(s) Version (GitHub)
Require compliance with intellectual property rights CMA_0432 - Require compliance with intellectual property rights Manual, Disabled 1.1.0
Track software license usage CMA_C1235 - Track software license usage Manual, Disabled 1.1.0

Protection of records

ID: ISO 27001:2013 A.18.1.3 Ownership: Shared

Name (Azure portal) Description Effect(s) Version (GitHub)
Authorize access to security functions and information CMA_0022 - Authorize access to security functions and information Manual, Disabled 1.1.0
Authorize and manage access CMA_0023 - Authorize and manage access Manual, Disabled 1.1.0
Conduct backup of information system documentation CMA_C1289 - Conduct backup of information system documentation Manual, Disabled 1.1.0
Control physical access CMA_0081 - Control physical access Manual, Disabled 1.1.0
Enable dual or joint authorization CMA_0226 - Enable dual or joint authorization Manual, Disabled 1.1.0
Enforce logical access CMA_0245 - Enforce logical access Manual, Disabled 1.1.0
Ensure information system fails in known state CMA_C1662 - Ensure information system fails in known state Manual, Disabled 1.1.0
Establish backup policies and procedures CMA_0268 - Establish backup policies and procedures Manual, Disabled 1.1.0
Implement controls to secure all media CMA_0314 - Implement controls to secure all media Manual, Disabled 1.1.0
Implement transaction based recovery CMA_C1296 - Implement transaction based recovery Manual, Disabled 1.1.0
Manage the input, output, processing, and storage of data CMA_0369 - Manage the input, output, processing, and storage of data Manual, Disabled 1.1.0
Protect audit information CMA_0401 - Protect audit information Manual, Disabled 1.1.0
Require approval for account creation CMA_0431 - Require approval for account creation Manual, Disabled 1.1.0
Review label activity and analytics CMA_0474 - Review label activity and analytics Manual, Disabled 1.1.0
Review user groups and applications with access to sensitive data CMA_0481 - Review user groups and applications with access to sensitive data Manual, Disabled 1.1.0

Privacy and protection of personally identifiable information

ID: ISO 27001:2013 A.18.1.4 Ownership: Shared

Name (Azure portal) Description Effect(s) Version (GitHub)
Control physical access CMA_0081 - Control physical access Manual, Disabled 1.1.0
Establish a privacy program CMA_0257 - Establish a privacy program Manual, Disabled 1.1.0
Establish an information security program CMA_0263 - Establish an information security program Manual, Disabled 1.1.0
Manage compliance activities CMA_0358 - Manage compliance activities Manual, Disabled 1.1.0
Manage the input, output, processing, and storage of data CMA_0369 - Manage the input, output, processing, and storage of data Manual, Disabled 1.1.0
Review label activity and analytics CMA_0474 - Review label activity and analytics Manual, Disabled 1.1.0

Regulation of cryptographic controls

ID: ISO 27001:2013 A.18.1.5 Ownership: Shared

Name (Azure portal) Description Effect(s) Version (GitHub)
Authenticate to cryptographic module CMA_0021 - Authenticate to cryptographic module Manual, Disabled 1.1.0
Define cryptographic use CMA_0120 - Define cryptographic use Manual, Disabled 1.1.0

Independent review of information security

ID: ISO 27001:2013 A.18.2.1 Ownership: Shared

Name (Azure portal) Description Effect(s) Version (GitHub)
Employ independent team for penetration testing CMA_C1171 - Employ independent team for penetration testing Manual, Disabled 1.1.0
Establish a risk management strategy CMA_0258 - Establish a risk management strategy Manual, Disabled 1.1.0

Compliance with security policies and standards

ID: ISO 27001:2013 A.18.2.2 Ownership: Shared

Name (Azure portal) Description Effect(s) Version (GitHub)
Assess Security Controls CMA_C1145 - Assess Security Controls Manual, Disabled 1.1.0
Check for privacy and security compliance before establishing internal connections CMA_0053 - Check for privacy and security compliance before establishing internal connections Manual, Disabled 1.1.0
Configure detection whitelist CMA_0068 - Configure detection whitelist Manual, Disabled 1.1.0
Deliver security assessment results CMA_C1147 - Deliver security assessment results Manual, Disabled 1.1.0
Develop access control policies and procedures CMA_0144 - Develop access control policies and procedures Manual, Disabled 1.1.0
Develop and establish a system security plan CMA_0151 - Develop and establish a system security plan Manual, Disabled 1.1.0
Develop audit and accountability policies and procedures CMA_0154 - Develop audit and accountability policies and procedures Manual, Disabled 1.1.0
Develop information security policies and procedures CMA_0158 - Develop information security policies and procedures Manual, Disabled 1.1.0
Develop security assessment plan CMA_C1144 - Develop security assessment plan Manual, Disabled 1.1.0
Document security and privacy training activities CMA_0198 - Document security and privacy training activities Manual, Disabled 1.1.0
Establish a privacy program CMA_0257 - Establish a privacy program Manual, Disabled 1.1.0
Establish an information security program CMA_0263 - Establish an information security program Manual, Disabled 1.1.0
Establish security requirements for the manufacturing of connected devices CMA_0279 - Establish security requirements for the manufacturing of connected devices Manual, Disabled 1.1.0
Govern policies and procedures CMA_0292 - Govern policies and procedures Manual, Disabled 1.1.0
Implement security engineering principles of information systems CMA_0325 - Implement security engineering principles of information systems Manual, Disabled 1.1.0
Produce Security Assessment report CMA_C1146 - Produce Security Assessment report Manual, Disabled 1.1.0
Protect the information security program plan CMA_C1732 - Protect the information security program plan Manual, Disabled 1.1.0
Review access control policies and procedures CMA_0457 - Review access control policies and procedures Manual, Disabled 1.1.0
Review and update configuration management policies and procedures CMA_C1175 - Review and update configuration management policies and procedures Manual, Disabled 1.1.0
Review and update contingency planning policies and procedures CMA_C1243 - Review and update contingency planning policies and procedures Manual, Disabled 1.1.0
Review and update identification and authentication policies and procedures CMA_C1299 - Review and update identification and authentication policies and procedures Manual, Disabled 1.1.0
Review and update incident response policies and procedures CMA_C1352 - Review and update incident response policies and procedures Manual, Disabled 1.1.0
Review and update information integrity policies and procedures CMA_C1667 - Review and update information integrity policies and procedures Manual, Disabled 1.1.0
Review and update media protection policies and procedures CMA_C1427 - Review and update media protection policies and procedures Manual, Disabled 1.1.0
Review and update personnel security policies and procedures CMA_C1507 - Review and update personnel security policies and procedures Manual, Disabled 1.1.0
Review and update physical and environmental policies and procedures CMA_C1446 - Review and update physical and environmental policies and procedures Manual, Disabled 1.1.0
Review and update planning policies and procedures CMA_C1491 - Review and update planning policies and procedures Manual, Disabled 1.1.0
Review and update risk assessment policies and procedures CMA_C1537 - Review and update risk assessment policies and procedures Manual, Disabled 1.1.0
Review and update system and communications protection policies and procedures CMA_C1616 - Review and update system and communications protection policies and procedures Manual, Disabled 1.1.0
Review and update system and services acquisition policies and procedures CMA_C1560 - Review and update system and services acquisition policies and procedures Manual, Disabled 1.1.0
Review and update system maintenance policies and procedures CMA_C1395 - Review and update system maintenance policies and procedures Manual, Disabled 1.1.0
Review security assessment and authorization policies and procedures CMA_C1143 - Review security assessment and authorization policies and procedures Manual, Disabled 1.1.0
Turn on sensors for endpoint security solution CMA_0514 - Turn on sensors for endpoint security solution Manual, Disabled 1.1.0
Undergo independent security review CMA_0515 - Undergo independent security review Manual, Disabled 1.1.0
Update information security policies CMA_0518 - Update information security policies Manual, Disabled 1.1.0
Update privacy plan, policies, and procedures CMA_C1807 - Update privacy plan, policies, and procedures Manual, Disabled 1.1.0

Technical compliance review

ID: ISO 27001:2013 A.18.2.3 Ownership: Shared

Name (Azure portal) Description Effect(s) Version (GitHub)
Assess Security Controls CMA_C1145 - Assess Security Controls Manual, Disabled 1.1.0
Deliver security assessment results CMA_C1147 - Deliver security assessment results Manual, Disabled 1.1.0
Develop security assessment plan CMA_C1144 - Develop security assessment plan Manual, Disabled 1.1.0
Employ independent team for penetration testing CMA_C1171 - Employ independent team for penetration testing Manual, Disabled 1.1.0
Produce Security Assessment report CMA_C1146 - Produce Security Assessment report Manual, Disabled 1.1.0

Information Security Policies

Policies for information security

ID: ISO 27001:2013 A.5.1.1 Ownership: Shared

Name (Azure portal) Description Effect(s) Version (GitHub)
Determine supplier contract obligations CMA_0140 - Determine supplier contract obligations Manual, Disabled 1.1.0
Develop access control policies and procedures CMA_0144 - Develop access control policies and procedures Manual, Disabled 1.1.0
Develop and establish a system security plan CMA_0151 - Develop and establish a system security plan Manual, Disabled 1.1.0
Develop audit and accountability policies and procedures CMA_0154 - Develop audit and accountability policies and procedures Manual, Disabled 1.1.0
Develop information security policies and procedures CMA_0158 - Develop information security policies and procedures Manual, Disabled 1.1.0
Document acquisition contract acceptance criteria CMA_0187 - Document acquisition contract acceptance criteria Manual, Disabled 1.1.0
Document protection of personal data in acquisition contracts CMA_0194 - Document protection of personal data in acquisition contracts Manual, Disabled 1.1.0
Document protection of security information in acquisition contracts CMA_0195 - Document protection of security information in acquisition contracts Manual, Disabled 1.1.0
Document requirements for the use of shared data in contracts CMA_0197 - Document requirements for the use of shared data in contracts Manual, Disabled 1.1.0
Document security and privacy training activities CMA_0198 - Document security and privacy training activities Manual, Disabled 1.1.0
Document security assurance requirements in acquisition contracts CMA_0199 - Document security assurance requirements in acquisition contracts Manual, Disabled 1.1.0
Document security documentation requirements in acquisition contract CMA_0200 - Document security documentation requirements in acquisition contract Manual, Disabled 1.1.0
Document security functional requirements in acquisition contracts CMA_0201 - Document security functional requirements in acquisition contracts Manual, Disabled 1.1.0
Document security strength requirements in acquisition contracts CMA_0203 - Document security strength requirements in acquisition contracts Manual, Disabled 1.1.0
Document the information system environment in acquisition contracts CMA_0205 - Document the information system environment in acquisition contracts Manual, Disabled 1.1.0
Document the protection of cardholder data in third party contracts CMA_0207 - Document the protection of cardholder data in third party contracts Manual, Disabled 1.1.0
Enforce mandatory and discretionary access control policies CMA_0246 - Enforce mandatory and discretionary access control policies Manual, Disabled 1.1.0
Establish a privacy program CMA_0257 - Establish a privacy program Manual, Disabled 1.1.0
Establish an information security program CMA_0263 - Establish an information security program Manual, Disabled 1.1.0
Establish privacy requirements for contractors and service providers CMA_C1810 - Establish privacy requirements for contractors and service providers Manual, Disabled 1.1.0
Establish security requirements for the manufacturing of connected devices CMA_0279 - Establish security requirements for the manufacturing of connected devices Manual, Disabled 1.1.0
Govern policies and procedures CMA_0292 - Govern policies and procedures Manual, Disabled 1.1.0
Implement security engineering principles of information systems CMA_0325 - Implement security engineering principles of information systems Manual, Disabled 1.1.0
Manage compliance activities CMA_0358 - Manage compliance activities Manual, Disabled 1.1.0
Protect the information security program plan CMA_C1732 - Protect the information security program plan Manual, Disabled 1.1.0
Review access control policies and procedures CMA_0457 - Review access control policies and procedures Manual, Disabled 1.1.0
Review and update configuration management policies and procedures CMA_C1175 - Review and update configuration management policies and procedures Manual, Disabled 1.1.0
Review and update contingency planning policies and procedures CMA_C1243 - Review and update contingency planning policies and procedures Manual, Disabled 1.1.0
Review and update identification and authentication policies and procedures CMA_C1299 - Review and update identification and authentication policies and procedures Manual, Disabled 1.1.0
Review and update incident response policies and procedures CMA_C1352 - Review and update incident response policies and procedures Manual, Disabled 1.1.0
Review and update information integrity policies and procedures CMA_C1667 - Review and update information integrity policies and procedures Manual, Disabled 1.1.0
Review and update media protection policies and procedures CMA_C1427 - Review and update media protection policies and procedures Manual, Disabled 1.1.0
Review and update personnel security policies and procedures CMA_C1507 - Review and update personnel security policies and procedures Manual, Disabled 1.1.0
Review and update physical and environmental policies and procedures CMA_C1446 - Review and update physical and environmental policies and procedures Manual, Disabled 1.1.0
Review and update planning policies and procedures CMA_C1491 - Review and update planning policies and procedures Manual, Disabled 1.1.0
Review and update risk assessment policies and procedures CMA_C1537 - Review and update risk assessment policies and procedures Manual, Disabled 1.1.0
Review and update system and communications protection policies and procedures CMA_C1616 - Review and update system and communications protection policies and procedures Manual, Disabled 1.1.0
Review and update system and services acquisition policies and procedures CMA_C1560 - Review and update system and services acquisition policies and procedures Manual, Disabled 1.1.0
Review and update system maintenance policies and procedures CMA_C1395 - Review and update system maintenance policies and procedures Manual, Disabled 1.1.0
Review security assessment and authorization policies and procedures CMA_C1143 - Review security assessment and authorization policies and procedures Manual, Disabled 1.1.0
Update information security policies CMA_0518 - Update information security policies Manual, Disabled 1.1.0
Update privacy plan, policies, and procedures CMA_C1807 - Update privacy plan, policies, and procedures Manual, Disabled 1.1.0

Review of the policies for information security

ID: ISO 27001:2013 A.5.1.2 Ownership: Shared

Name (Azure portal) Description Effect(s) Version (GitHub)
Develop access control policies and procedures CMA_0144 - Develop access control policies and procedures Manual, Disabled 1.1.0
Develop and establish a system security plan CMA_0151 - Develop and establish a system security plan Manual, Disabled 1.1.0
Develop audit and accountability policies and procedures CMA_0154 - Develop audit and accountability policies and procedures Manual, Disabled 1.1.0
Develop information security policies and procedures CMA_0158 - Develop information security policies and procedures Manual, Disabled 1.1.0
Document security and privacy training activities CMA_0198 - Document security and privacy training activities Manual, Disabled 1.1.0
Enforce mandatory and discretionary access control policies CMA_0246 - Enforce mandatory and discretionary access control policies Manual, Disabled 1.1.0
Establish a privacy program CMA_0257 - Establish a privacy program Manual, Disabled 1.1.0
Establish an information security program CMA_0263 - Establish an information security program Manual, Disabled 1.1.0
Establish security requirements for the manufacturing of connected devices CMA_0279 - Establish security requirements for the manufacturing of connected devices Manual, Disabled 1.1.0
Govern policies and procedures CMA_0292 - Govern policies and procedures Manual, Disabled 1.1.0
Implement security engineering principles of information systems CMA_0325 - Implement security engineering principles of information systems Manual, Disabled 1.1.0
Protect the information security program plan | CMA_C1732 - Protect the information security program plan | Manual, Disabled | 1.1.0
Review access control policies and procedures | CMA_0457 - Review access control policies and procedures | Manual, Disabled | 1.1.0
Review and update configuration management policies and procedures | CMA_C1175 - Review and update configuration management policies and procedures | Manual, Disabled | 1.1.0
Review and update contingency planning policies and procedures | CMA_C1243 - Review and update contingency planning policies and procedures | Manual, Disabled | 1.1.0
Review and update identification and authentication policies and procedures | CMA_C1299 - Review and update identification and authentication policies and procedures | Manual, Disabled | 1.1.0
Review and update incident response policies and procedures | CMA_C1352 - Review and update incident response policies and procedures | Manual, Disabled | 1.1.0
Review and update information integrity policies and procedures | CMA_C1667 - Review and update information integrity policies and procedures | Manual, Disabled | 1.1.0
Review and update media protection policies and procedures | CMA_C1427 - Review and update media protection policies and procedures | Manual, Disabled | 1.1.0
Review and update personnel security policies and procedures | CMA_C1507 - Review and update personnel security policies and procedures | Manual, Disabled | 1.1.0
Review and update physical and environmental policies and procedures | CMA_C1446 - Review and update physical and environmental policies and procedures | Manual, Disabled | 1.1.0
Review and update planning policies and procedures | CMA_C1491 - Review and update planning policies and procedures | Manual, Disabled | 1.1.0
Review and update risk assessment policies and procedures | CMA_C1537 - Review and update risk assessment policies and procedures | Manual, Disabled | 1.1.0
Review and update system and communications protection policies and procedures | CMA_C1616 - Review and update system and communications protection policies and procedures | Manual, Disabled | 1.1.0
Review and update system and services acquisition policies and procedures | CMA_C1560 - Review and update system and services acquisition policies and procedures | Manual, Disabled | 1.1.0
Review and update system maintenance policies and procedures | CMA_C1395 - Review and update system maintenance policies and procedures | Manual, Disabled | 1.1.0
Review security assessment and authorization policies and procedures | CMA_C1143 - Review security assessment and authorization policies and procedures | Manual, Disabled | 1.1.0
Update information security policies | CMA_0518 - Update information security policies | Manual, Disabled | 1.1.0
Update privacy plan, policies, and procedures | CMA_C1807 - Update privacy plan, policies, and procedures | Manual, Disabled | 1.1.0

Organization of Information Security

Information security roles and responsibilities

ID: ISO 27001:2013 A.6.1.1 Ownership: Shared

Name (Azure portal) | Description | Effect(s) | Version (GitHub)
Appoint a senior information security officer | CMA_C1733 - Appoint a senior information security officer | Manual, Disabled | 1.1.0
Communicate contingency plan changes | CMA_C1249 - Communicate contingency plan changes | Manual, Disabled | 1.1.0
Coordinate contingency plans with related plans | CMA_0086 - Coordinate contingency plans with related plans | Manual, Disabled | 1.1.0
Create configuration plan protection | CMA_C1233 - Create configuration plan protection | Manual, Disabled | 1.1.0
Define and document government oversight | CMA_C1587 - Define and document government oversight | Manual, Disabled | 1.1.0
Define information security roles and responsibilities | CMA_C1565 - Define information security roles and responsibilities | Manual, Disabled | 1.1.0
Designate individuals to fulfill specific roles and responsibilities | CMA_C1747 - Designate individuals to fulfill specific roles and responsibilities | Manual, Disabled | 1.1.0
Determine supplier contract obligations | CMA_0140 - Determine supplier contract obligations | Manual, Disabled | 1.1.0
Develop access control policies and procedures | CMA_0144 - Develop access control policies and procedures | Manual, Disabled | 1.1.0
Develop and document a business continuity and disaster recovery plan | CMA_0146 - Develop and document a business continuity and disaster recovery plan | Manual, Disabled | 1.1.0
Develop and establish a system security plan | CMA_0151 - Develop and establish a system security plan | Manual, Disabled | 1.1.0
Develop and maintain baseline configurations | CMA_0153 - Develop and maintain baseline configurations | Manual, Disabled | 1.1.0
Develop audit and accountability policies and procedures | CMA_0154 - Develop audit and accountability policies and procedures | Manual, Disabled | 1.1.0
Develop configuration item identification plan | CMA_C1231 - Develop configuration item identification plan | Manual, Disabled | 1.1.0
Develop configuration management plan | CMA_C1232 - Develop configuration management plan | Manual, Disabled | 1.1.0
Develop contingency plan | CMA_C1244 - Develop contingency plan | Manual, Disabled | 1.1.0
Develop contingency planning policies and procedures | CMA_0156 - Develop contingency planning policies and procedures | Manual, Disabled | 1.1.0
Develop information security policies and procedures | CMA_0158 - Develop information security policies and procedures | Manual, Disabled | 1.1.0
Distribute policies and procedures | CMA_0185 - Distribute policies and procedures | Manual, Disabled | 1.1.0
Document acquisition contract acceptance criteria | CMA_0187 - Document acquisition contract acceptance criteria | Manual, Disabled | 1.1.0
Document and implement privacy complaint procedures | CMA_0189 - Document and implement privacy complaint procedures | Manual, Disabled | 1.1.0
Document protection of personal data in acquisition contracts | CMA_0194 - Document protection of personal data in acquisition contracts | Manual, Disabled | 1.1.0
Document protection of security information in acquisition contracts | CMA_0195 - Document protection of security information in acquisition contracts | Manual, Disabled | 1.1.0
Document requirements for the use of shared data in contracts | CMA_0197 - Document requirements for the use of shared data in contracts | Manual, Disabled | 1.1.0
Document security and privacy training activities | CMA_0198 - Document security and privacy training activities | Manual, Disabled | 1.1.0
Document security assurance requirements in acquisition contracts | CMA_0199 - Document security assurance requirements in acquisition contracts | Manual, Disabled | 1.1.0
Document security documentation requirements in acquisition contract | CMA_0200 - Document security documentation requirements in acquisition contract | Manual, Disabled | 1.1.0
Document security functional requirements in acquisition contracts | CMA_0201 - Document security functional requirements in acquisition contracts | Manual, Disabled | 1.1.0
Document security strength requirements in acquisition contracts | CMA_0203 - Document security strength requirements in acquisition contracts | Manual, Disabled | 1.1.0
Document the information system environment in acquisition contracts | CMA_0205 - Document the information system environment in acquisition contracts | Manual, Disabled | 1.1.0
Document the protection of cardholder data in third party contracts | CMA_0207 - Document the protection of cardholder data in third party contracts | Manual, Disabled | 1.1.0
Document third-party personnel security requirements | CMA_C1531 - Document third-party personnel security requirements | Manual, Disabled | 1.1.0
Enforce mandatory and discretionary access control policies | CMA_0246 - Enforce mandatory and discretionary access control policies | Manual, Disabled | 1.1.0
Ensure privacy program information is publicly available | CMA_C1867 - Ensure privacy program information is publicly available | Manual, Disabled | 1.1.0
Establish a privacy program | CMA_0257 - Establish a privacy program | Manual, Disabled | 1.1.0
Establish an information security program | CMA_0263 - Establish an information security program | Manual, Disabled | 1.1.0
Establish and document a configuration management plan | CMA_0264 - Establish and document a configuration management plan | Manual, Disabled | 1.1.0
Establish security requirements for the manufacturing of connected devices | CMA_0279 - Establish security requirements for the manufacturing of connected devices | Manual, Disabled | 1.1.0
Establish third-party personnel security requirements | CMA_C1529 - Establish third-party personnel security requirements | Manual, Disabled | 1.1.0
Govern policies and procedures | CMA_0292 - Govern policies and procedures | Manual, Disabled | 1.1.0
Identify individuals with security roles and responsibilities | CMA_C1566 - Identify individuals with security roles and responsibilities | Manual, Disabled | 1.1.1
Implement an automated configuration management tool | CMA_0311 - Implement an automated configuration management tool | Manual, Disabled | 1.1.0
Implement security engineering principles of information systems | CMA_0325 - Implement security engineering principles of information systems | Manual, Disabled | 1.1.0
Integrate risk management process into SDLC | CMA_C1567 - Integrate risk management process into SDLC | Manual, Disabled | 1.1.0
Manage security state of information systems | CMA_C1746 - Manage security state of information systems | Manual, Disabled | 1.1.0
Monitor third-party provider compliance | CMA_C1533 - Monitor third-party provider compliance | Manual, Disabled | 1.1.0
Plan for resumption of essential business functions | CMA_C1253 - Plan for resumption of essential business functions | Manual, Disabled | 1.1.0
Protect the information security program plan | CMA_C1732 - Protect the information security program plan | Manual, Disabled | 1.1.0
Require external service providers to comply with security requirements | CMA_C1586 - Require external service providers to comply with security requirements | Manual, Disabled | 1.1.0
Require notification of third-party personnel transfer or termination | CMA_C1532 - Require notification of third-party personnel transfer or termination | Manual, Disabled | 1.1.0
Require third-party providers to comply with personnel security policies and procedures | CMA_C1530 - Require third-party providers to comply with personnel security policies and procedures | Manual, Disabled | 1.1.0
Resume all mission and business functions | CMA_C1254 - Resume all mission and business functions | Manual, Disabled | 1.1.0
Review access control policies and procedures | CMA_0457 - Review access control policies and procedures | Manual, Disabled | 1.1.0
Review and update configuration management policies and procedures | CMA_C1175 - Review and update configuration management policies and procedures | Manual, Disabled | 1.1.0
Review and update contingency planning policies and procedures | CMA_C1243 - Review and update contingency planning policies and procedures | Manual, Disabled | 1.1.0
Review and update identification and authentication policies and procedures | CMA_C1299 - Review and update identification and authentication policies and procedures | Manual, Disabled | 1.1.0
Review and update incident response policies and procedures | CMA_C1352 - Review and update incident response policies and procedures | Manual, Disabled | 1.1.0
Review and update information integrity policies and procedures | CMA_C1667 - Review and update information integrity policies and procedures | Manual, Disabled | 1.1.0
Review and update media protection policies and procedures | CMA_C1427 - Review and update media protection policies and procedures | Manual, Disabled | 1.1.0
Review and update personnel security policies and procedures | CMA_C1507 - Review and update personnel security policies and procedures | Manual, Disabled | 1.1.0
Review and update physical and environmental policies and procedures | CMA_C1446 - Review and update physical and environmental policies and procedures | Manual, Disabled | 1.1.0
Review and update planning policies and procedures | CMA_C1491 - Review and update planning policies and procedures | Manual, Disabled | 1.1.0
Review and update risk assessment policies and procedures | CMA_C1537 - Review and update risk assessment policies and procedures | Manual, Disabled | 1.1.0
Review and update system and communications protection policies and procedures | CMA_C1616 - Review and update system and communications protection policies and procedures | Manual, Disabled | 1.1.0
Review and update system and services acquisition policies and procedures | CMA_C1560 - Review and update system and services acquisition policies and procedures | Manual, Disabled | 1.1.0
Review and update system maintenance policies and procedures | CMA_C1395 - Review and update system maintenance policies and procedures | Manual, Disabled | 1.1.0
Review cloud service provider's compliance with policies and agreements | CMA_0469 - Review cloud service provider's compliance with policies and agreements | Manual, Disabled | 1.1.0
Review contingency plan | CMA_C1247 - Review contingency plan | Manual, Disabled | 1.1.0
Review security assessment and authorization policies and procedures | CMA_C1143 - Review security assessment and authorization policies and procedures | Manual, Disabled | 1.1.0
Undergo independent security review | CMA_0515 - Undergo independent security review | Manual, Disabled | 1.1.0
Update contingency plan | CMA_C1248 - Update contingency plan | Manual, Disabled | 1.1.0
Update information security policies | CMA_0518 - Update information security policies | Manual, Disabled | 1.1.0
Update privacy plan, policies, and procedures | CMA_C1807 - Update privacy plan, policies, and procedures | Manual, Disabled | 1.1.0

Segregation of Duties

ID: ISO 27001:2013 A.6.1.2 Ownership: Shared

Name (Azure portal) | Description | Effect(s) | Version (GitHub)
A maximum of 3 owners should be designated for your subscription | It is recommended to designate up to 3 subscription owners in order to reduce the potential for breach by a compromised owner. | AuditIfNotExists, Disabled | 3.0.0
Define access authorizations to support separation of duties | CMA_0116 - Define access authorizations to support separation of duties | Manual, Disabled | 1.1.0
Document separation of duties | CMA_0204 - Document separation of duties | Manual, Disabled | 1.1.0
Separate duties of individuals | CMA_0492 - Separate duties of individuals | Manual, Disabled | 1.1.0
There should be more than one owner assigned to your subscription | It is recommended to designate more than one subscription owner in order to have administrator access redundancy. | AuditIfNotExists, Disabled | 3.0.0

Contact with authorities

ID: ISO 27001:2013 A.6.1.3 Ownership: Shared

Name (Azure portal) | Description | Effect(s) | Version (GitHub)
Establish a privacy program | CMA_0257 - Establish a privacy program | Manual, Disabled | 1.1.0
Manage contacts for authorities and special interest groups | CMA_0359 - Manage contacts for authorities and special interest groups | Manual, Disabled | 1.1.0

Contact with special interest groups

ID: ISO 27001:2013 A.6.1.4 Ownership: Shared

Name (Azure portal) | Description | Effect(s) | Version (GitHub)
Disseminate security alerts to personnel | CMA_C1705 - Disseminate security alerts to personnel | Manual, Disabled | 1.1.0
Establish a privacy program | CMA_0257 - Establish a privacy program | Manual, Disabled | 1.1.0
Establish a threat intelligence program | CMA_0260 - Establish a threat intelligence program | Manual, Disabled | 1.1.0
Generate internal security alerts | CMA_C1704 - Generate internal security alerts | Manual, Disabled | 1.1.0
Implement security directives | CMA_C1706 - Implement security directives | Manual, Disabled | 1.1.0
Manage contacts for authorities and special interest groups | CMA_0359 - Manage contacts for authorities and special interest groups | Manual, Disabled | 1.1.0

Information security in project management

ID: ISO 27001:2013 A.6.1.5 Ownership: Shared

Name (Azure portal) | Description | Effect(s) | Version (GitHub)
Align business objectives and IT goals | CMA_0008 - Align business objectives and IT goals | Manual, Disabled | 1.1.0
Allocate resources in determining information system requirements | CMA_C1561 - Allocate resources in determining information system requirements | Manual, Disabled | 1.1.0
Define and document government oversight | CMA_C1587 - Define and document government oversight | Manual, Disabled | 1.1.0
Define information security roles and responsibilities | CMA_C1565 - Define information security roles and responsibilities | Manual, Disabled | 1.1.0
Determine supplier contract obligations | CMA_0140 - Determine supplier contract obligations | Manual, Disabled | 1.1.0
Document acquisition contract acceptance criteria | CMA_0187 - Document acquisition contract acceptance criteria | Manual, Disabled | 1.1.0
Document protection of personal data in acquisition contracts | CMA_0194 - Document protection of personal data in acquisition contracts | Manual, Disabled | 1.1.0
Document protection of security information in acquisition contracts | CMA_0195 - Document protection of security information in acquisition contracts | Manual, Disabled | 1.1.0
Document requirements for the use of shared data in contracts | CMA_0197 - Document requirements for the use of shared data in contracts | Manual, Disabled | 1.1.0
Document security assurance requirements in acquisition contracts | CMA_0199 - Document security assurance requirements in acquisition contracts | Manual, Disabled | 1.1.0
Document security documentation requirements in acquisition contract | CMA_0200 - Document security documentation requirements in acquisition contract | Manual, Disabled | 1.1.0
Document security functional requirements in acquisition contracts | CMA_0201 - Document security functional requirements in acquisition contracts | Manual, Disabled | 1.1.0
Document security strength requirements in acquisition contracts | CMA_0203 - Document security strength requirements in acquisition contracts | Manual, Disabled | 1.1.0
Document the information system environment in acquisition contracts | CMA_0205 - Document the information system environment in acquisition contracts | Manual, Disabled | 1.1.0
Document the protection of cardholder data in third party contracts | CMA_0207 - Document the protection of cardholder data in third party contracts | Manual, Disabled | 1.1.0
Establish a discrete line item in budgeting documentation | CMA_C1563 - Establish a discrete line item in budgeting documentation | Manual, Disabled | 1.1.0
Establish a privacy program | CMA_0257 - Establish a privacy program | Manual, Disabled | 1.1.0
Govern the allocation of resources | CMA_0293 - Govern the allocation of resources | Manual, Disabled | 1.1.0
Identify individuals with security roles and responsibilities | CMA_C1566 - Identify individuals with security roles and responsibilities | Manual, Disabled | 1.1.1
Integrate risk management process into SDLC | CMA_C1567 - Integrate risk management process into SDLC | Manual, Disabled | 1.1.0
Require external service providers to comply with security requirements | CMA_C1586 - Require external service providers to comply with security requirements | Manual, Disabled | 1.1.0
Review cloud service provider's compliance with policies and agreements | CMA_0469 - Review cloud service provider's compliance with policies and agreements | Manual, Disabled | 1.1.0
Review development process, standards and tools | CMA_C1610 - Review development process, standards and tools | Manual, Disabled | 1.1.0
Secure commitment from leadership | CMA_0489 - Secure commitment from leadership | Manual, Disabled | 1.1.0
Undergo independent security review | CMA_0515 - Undergo independent security review | Manual, Disabled | 1.1.0

Mobile device policy

ID: ISO 27001:2013 A.6.2.1 Ownership: Shared

Name (Azure portal) | Description | Effect(s) | Version (GitHub)
Adopt biometric authentication mechanisms | CMA_0005 - Adopt biometric authentication mechanisms | Manual, Disabled | 1.1.0
Authorize remote access | CMA_0024 - Authorize remote access | Manual, Disabled | 1.1.0
Define mobile device requirements | CMA_0122 - Define mobile device requirements | Manual, Disabled | 1.1.0
Document and implement wireless access guidelines | CMA_0190 - Document and implement wireless access guidelines | Manual, Disabled | 1.1.0
Document mobility training | CMA_0191 - Document mobility training | Manual, Disabled | 1.1.0
Document remote access guidelines | CMA_0196 - Document remote access guidelines | Manual, Disabled | 1.1.0
Identify and authenticate network devices | CMA_0296 - Identify and authenticate network devices | Manual, Disabled | 1.1.0
Implement controls to secure alternate work sites | CMA_0315 - Implement controls to secure alternate work sites | Manual, Disabled | 1.1.0
Monitor access across the organization | CMA_0376 - Monitor access across the organization | Manual, Disabled | 1.1.0
Notify users of system logon or access | CMA_0382 - Notify users of system logon or access | Manual, Disabled | 1.1.0
Protect data in transit using encryption | CMA_0403 - Protect data in transit using encryption | Manual, Disabled | 1.1.0
Protect wireless access | CMA_0411 - Protect wireless access | Manual, Disabled | 1.1.0
Provide privacy training | CMA_0415 - Provide privacy training | Manual, Disabled | 1.1.0

Teleworking

ID: ISO 27001:2013 A.6.2.2 Ownership: Shared

Name (Azure portal) | Description | Effect(s) | Version (GitHub)
Adopt biometric authentication mechanisms | CMA_0005 - Adopt biometric authentication mechanisms | Manual, Disabled | 1.1.0
Authorize access to security functions and information | CMA_0022 - Authorize access to security functions and information | Manual, Disabled | 1.1.0
Authorize and manage access | CMA_0023 - Authorize and manage access | Manual, Disabled | 1.1.0
Authorize remote access | CMA_0024 - Authorize remote access | Manual, Disabled | 1.1.0
Document mobility training | CMA_0191 - Document mobility training | Manual, Disabled | 1.1.0
Document remote access guidelines | CMA_0196 - Document remote access guidelines | Manual, Disabled | 1.1.0
Enforce logical access | CMA_0245 - Enforce logical access | Manual, Disabled | 1.1.0
Enforce mandatory and discretionary access control policies | CMA_0246 - Enforce mandatory and discretionary access control policies | Manual, Disabled | 1.1.0
Identify and authenticate network devices | CMA_0296 - Identify and authenticate network devices | Manual, Disabled | 1.1.0
Implement controls to secure alternate work sites | CMA_0315 - Implement controls to secure alternate work sites | Manual, Disabled | 1.1.0
Monitor access across the organization | CMA_0376 - Monitor access across the organization | Manual, Disabled | 1.1.0
Notify users of system logon or access | CMA_0382 - Notify users of system logon or access | Manual, Disabled | 1.1.0
Protect data in transit using encryption | CMA_0403 - Protect data in transit using encryption | Manual, Disabled | 1.1.0
Provide privacy training | CMA_0415 - Provide privacy training | Manual, Disabled | 1.1.0
Require approval for account creation | CMA_0431 - Require approval for account creation | Manual, Disabled | 1.1.0
Review user groups and applications with access to sensitive data | CMA_0481 - Review user groups and applications with access to sensitive data | Manual, Disabled | 1.1.0

Human Resources Security

Screening

ID: ISO 27001:2013 A.7.1.1 Ownership: Shared

Name (Azure portal) | Description | Effect(s) | Version (GitHub)
Clear personnel with access to classified information | CMA_0054 - Clear personnel with access to classified information | Manual, Disabled | 1.1.0
Implement personnel screening | CMA_0322 - Implement personnel screening | Manual, Disabled | 1.1.0
Rescreen individuals at a defined frequency | CMA_C1512 - Rescreen individuals at a defined frequency | Manual, Disabled | 1.1.0

Terms and conditions of employment

ID: ISO 27001:2013 A.7.1.2 Ownership: Shared

Name (Azure portal) | Description | Effect(s) | Version (GitHub)
Determine supplier contract obligations | CMA_0140 - Determine supplier contract obligations | Manual, Disabled | 1.1.0
Develop acceptable use policies and procedures | CMA_0143 - Develop acceptable use policies and procedures | Manual, Disabled | 1.1.0
Develop security safeguards | CMA_0161 - Develop security safeguards | Manual, Disabled | 1.1.0
Document acquisition contract acceptance criteria | CMA_0187 - Document acquisition contract acceptance criteria | Manual, Disabled | 1.1.0
Document organizational access agreements | CMA_0192 - Document organizational access agreements | Manual, Disabled | 1.1.0
Document personnel acceptance of privacy requirements | CMA_0193 - Document personnel acceptance of privacy requirements | Manual, Disabled | 1.1.0
Document protection of personal data in acquisition contracts | CMA_0194 - Document protection of personal data in acquisition contracts | Manual, Disabled | 1.1.0
Document protection of security information in acquisition contracts | CMA_0195 - Document protection of security information in acquisition contracts | Manual, Disabled | 1.1.0
Document requirements for the use of shared data in contracts | CMA_0197 - Document requirements for the use of shared data in contracts | Manual, Disabled | 1.1.0
Document security assurance requirements in acquisition contracts | CMA_0199 - Document security assurance requirements in acquisition contracts | Manual, Disabled | 1.1.0
Document security documentation requirements in acquisition contract | CMA_0200 - Document security documentation requirements in acquisition contract | Manual, Disabled | 1.1.0
Document security functional requirements in acquisition contracts | CMA_0201 - Document security functional requirements in acquisition contracts | Manual, Disabled | 1.1.0
Document security strength requirements in acquisition contracts | CMA_0203 - Document security strength requirements in acquisition contracts | Manual, Disabled | 1.1.0
Document the information system environment in acquisition contracts | CMA_0205 - Document the information system environment in acquisition contracts | Manual, Disabled | 1.1.0
Document the protection of cardholder data in third party contracts | CMA_0207 - Document the protection of cardholder data in third party contracts | Manual, Disabled | 1.1.0
Enforce rules of behavior and access agreements | CMA_0248 - Enforce rules of behavior and access agreements | Manual, Disabled | 1.1.0
Ensure access agreements are signed or resigned timely | CMA_C1528 - Ensure access agreements are signed or resigned timely | Manual, Disabled | 1.1.0
Ensure privacy program information is publicly available | CMA_C1867 - Ensure privacy program information is publicly available | Manual, Disabled | 1.1.0
Establish a privacy program | CMA_0257 - Establish a privacy program | Manual, Disabled | 1.1.0
Implement privacy notice delivery methods | CMA_0324 - Implement privacy notice delivery methods | Manual, Disabled | 1.1.0
Obtain consent prior to collection or processing of personal data | CMA_0385 - Obtain consent prior to collection or processing of personal data | Manual, Disabled | 1.1.0
Provide privacy notice | CMA_0414 - Provide privacy notice | Manual, Disabled | 1.1.0
Require users to sign access agreement | CMA_0440 - Require users to sign access agreement | Manual, Disabled | 1.1.0
Update organizational access agreements | CMA_0520 - Update organizational access agreements | Manual, Disabled | 1.1.0

Management responsibilities

ID: ISO 27001:2013 A.7.2.1 Ownership: Shared

Name (Azure portal) | Description | Effect(s) | Version (GitHub)
Define and document government oversight | CMA_C1587 - Define and document government oversight | Manual, Disabled | 1.1.0
Determine supplier contract obligations | CMA_0140 - Determine supplier contract obligations | Manual, Disabled | 1.1.0
Develop acceptable use policies and procedures | CMA_0143 - Develop acceptable use policies and procedures | Manual, Disabled | 1.1.0
Document acquisition contract acceptance criteria | CMA_0187 - Document acquisition contract acceptance criteria | Manual, Disabled | 1.1.0
Document organizational access agreements | CMA_0192 - Document organizational access agreements | Manual, Disabled | 1.1.0
Document protection of personal data in acquisition contracts | CMA_0194 - Document protection of personal data in acquisition contracts | Manual, Disabled | 1.1.0
Document protection of security information in acquisition contracts | CMA_0195 - Document protection of security information in acquisition contracts | Manual, Disabled | 1.1.0
Document requirements for the use of shared data in contracts | CMA_0197 - Document requirements for the use of shared data in contracts | Manual, Disabled | 1.1.0
Document security assurance requirements in acquisition contracts | CMA_0199 - Document security assurance requirements in acquisition contracts | Manual, Disabled | 1.1.0
Document security documentation requirements in acquisition contract | CMA_0200 - Document security documentation requirements in acquisition contract | Manual, Disabled | 1.1.0
Document security functional requirements in acquisition contracts | CMA_0201 - Document security functional requirements in acquisition contracts | Manual, Disabled | 1.1.0
Document security strength requirements in acquisition contracts | CMA_0203 - Document security strength requirements in acquisition contracts | Manual, Disabled | 1.1.0
Document the information system environment in acquisition contracts | CMA_0205 - Document the information system environment in acquisition contracts | Manual, Disabled | 1.1.0
Document the protection of cardholder data in third party contracts | CMA_0207 - Document the protection of cardholder data in third party contracts | Manual, Disabled | 1.1.0
Document third-party personnel security requirements | CMA_C1531 - Document third-party personnel security requirements | Manual, Disabled | 1.1.0
Enforce rules of behavior and access agreements | CMA_0248 - Enforce rules of behavior and access agreements | Manual, Disabled | 1.1.0
Ensure access agreements are signed or resigned timely | CMA_C1528 - Ensure access agreements are signed or resigned timely | Manual, Disabled | 1.1.0
Establish third-party personnel security requirements | CMA_C1529 - Establish third-party personnel security requirements | Manual, Disabled | 1.1.0
Monitor third-party provider compliance | CMA_C1533 - Monitor third-party provider compliance | Manual, Disabled | 1.1.0
Require external service providers to comply with security requirements | CMA_C1586 - Require external service providers to comply with security requirements | Manual, Disabled | 1.1.0
Require notification of third-party personnel transfer or termination | CMA_C1532 - Require notification of third-party personnel transfer or termination | Manual, Disabled | 1.1.0
Require third-party providers to comply with personnel security policies and procedures | CMA_C1530 - Require third-party providers to comply with personnel security policies and procedures | Manual, Disabled | 1.1.0
Require users to sign access agreement | CMA_0440 - Require users to sign access agreement | Manual, Disabled | 1.1.0
Review cloud service provider's compliance with policies and agreements | CMA_0469 - Review cloud service provider's compliance with policies and agreements | Manual, Disabled | 1.1.0
Undergo independent security review | CMA_0515 - Undergo independent security review | Manual, Disabled | 1.1.0
Update organizational access agreements | CMA_0520 - Update organizational access agreements | Manual, Disabled | 1.1.0

Information security awareness, education and training

ID: ISO 27001:2013 A.7.2.2 Ownership: Shared

Name (Azure portal) | Description | Effect(s) | Version (GitHub)
Document security and privacy training activities | CMA_0198 - Document security and privacy training activities | Manual, Disabled | 1.1.0
Employ automated training environment | CMA_C1357 - Employ automated training environment | Manual, Disabled | 1.1.0
Establish information security workforce development and improvement program | CMA_C1752 - Establish information security workforce development and improvement program | Manual, Disabled | 1.1.0
Monitor security and privacy training completion | CMA_0379 - Monitor security and privacy training completion | Manual, Disabled | 1.1.0
Provide contingency training | CMA_0412 - Provide contingency training | Manual, Disabled | 1.1.0
Provide information spillage training | CMA_0413 - Provide information spillage training | Manual, Disabled | 1.1.0
Provide periodic role-based security training | CMA_C1095 - Provide periodic role-based security training | Manual, Disabled | 1.1.0
Provide periodic security awareness training | CMA_C1091 - Provide periodic security awareness training | Manual, Disabled | 1.1.0
Provide privacy training | CMA_0415 - Provide privacy training | Manual, Disabled | 1.1.0
Provide role-based security training | CMA_C1094 - Provide role-based security training | Manual, Disabled | 1.1.0
Provide security training before providing access | CMA_0418 - Provide security training before providing access | Manual, Disabled | 1.1.0
Provide security training for new users | CMA_0419 - Provide security training for new users | Manual, Disabled | 1.1.0
Provide updated security awareness training | CMA_C1090 - Provide updated security awareness training | Manual, Disabled | 1.1.0
Retain training records | CMA_0456 - Retain training records | Manual, Disabled | 1.1.0
Train personnel on disclosure of nonpublic information | CMA_C1084 - Train personnel on disclosure of nonpublic information | Manual, Disabled | 1.1.0

Disciplinary process

ID: ISO 27001:2013 A.7.2.3 Ownership: Shared

Name (Azure portal) | Description | Effect(s) | Version (GitHub)
Implement formal sanctions process | CMA_0317 - Implement formal sanctions process | Manual, Disabled | 1.1.0
Notify personnel upon sanctions | CMA_0380 - Notify personnel upon sanctions | Manual, Disabled | 1.1.0

Termination or change of employment responsibilities

ID: ISO 27001:2013 A.7.3.1 Ownership: Shared

Name (Azure portal) | Description | Effect(s) | Version (GitHub)
Conduct exit interview upon termination | CMA_0058 - Conduct exit interview upon termination | Manual, Disabled | 1.1.0
Disable authenticators upon termination | CMA_0169 - Disable authenticators upon termination | Manual, Disabled | 1.1.0
Initiate transfer or reassignment actions | CMA_0333 - Initiate transfer or reassignment actions | Manual, Disabled | 1.1.0
Modify access authorizations upon personnel transfer | CMA_0374 - Modify access authorizations upon personnel transfer | Manual, Disabled | 1.1.0
Notify upon termination or transfer | CMA_0381 - Notify upon termination or transfer | Manual, Disabled | 1.1.0
Protect against and prevent data theft from departing employees | CMA_0398 - Protect against and prevent data theft from departing employees | Manual, Disabled | 1.1.0
Reevaluate access upon personnel transfer | CMA_0424 - Reevaluate access upon personnel transfer | Manual, Disabled | 1.1.0
Retain terminated user data | CMA_0455 - Retain terminated user data | Manual, Disabled | 1.1.0

Asset Management

Inventory of assets

ID: ISO 27001:2013 A.8.1.1 Ownership: Shared

Name (Azure portal) | Description | Effect(s) | Version (GitHub)
--- | --- | --- | ---
Create a data inventory | CMA_0096 - Create a data inventory | Manual, Disabled | 1.1.0
Maintain records of processing of personal data | CMA_0353 - Maintain records of processing of personal data | Manual, Disabled | 1.1.0

Ownership of assets

ID: ISO 27001:2013 A.8.1.2 Ownership: Shared

Name (Azure portal) | Description | Effect(s) | Version (GitHub)
--- | --- | --- | ---
Block untrusted and unsigned processes that run from USB | CMA_0050 - Block untrusted and unsigned processes that run from USB | Manual, Disabled | 1.1.0
Control use of portable storage devices | CMA_0083 - Control use of portable storage devices | Manual, Disabled | 1.1.0
Create a data inventory | CMA_0096 - Create a data inventory | Manual, Disabled | 1.1.0
Establish and maintain an asset inventory | CMA_0266 - Establish and maintain an asset inventory | Manual, Disabled | 1.1.0
Implement controls to secure all media | CMA_0314 - Implement controls to secure all media | Manual, Disabled | 1.1.0
Maintain records of processing of personal data | CMA_0353 - Maintain records of processing of personal data | Manual, Disabled | 1.1.0
Restrict media use | CMA_0450 - Restrict media use | Manual, Disabled | 1.1.0

Acceptable use of assets

ID: ISO 27001:2013 A.8.1.3 Ownership: Shared

Name (Azure portal) | Description | Effect(s) | Version (GitHub)
--- | --- | --- | ---
Develop acceptable use policies and procedures | CMA_0143 - Develop acceptable use policies and procedures | Manual, Disabled | 1.1.0
Enforce rules of behavior and access agreements | CMA_0248 - Enforce rules of behavior and access agreements | Manual, Disabled | 1.1.0

Return of assets

ID: ISO 27001:2013 A.8.1.4 Ownership: Shared

Name (Azure portal) | Description | Effect(s) | Version (GitHub)
--- | --- | --- | ---
Conduct exit interview upon termination | CMA_0058 - Conduct exit interview upon termination | Manual, Disabled | 1.1.0
Disable authenticators upon termination | CMA_0169 - Disable authenticators upon termination | Manual, Disabled | 1.1.0
Initiate transfer or reassignment actions | CMA_0333 - Initiate transfer or reassignment actions | Manual, Disabled | 1.1.0
Modify access authorizations upon personnel transfer | CMA_0374 - Modify access authorizations upon personnel transfer | Manual, Disabled | 1.1.0
Notify upon termination or transfer | CMA_0381 - Notify upon termination or transfer | Manual, Disabled | 1.1.0
Protect against and prevent data theft from departing employees | CMA_0398 - Protect against and prevent data theft from departing employees | Manual, Disabled | 1.1.0
Reevaluate access upon personnel transfer | CMA_0424 - Reevaluate access upon personnel transfer | Manual, Disabled | 1.1.0
Retain terminated user data | CMA_0455 - Retain terminated user data | Manual, Disabled | 1.1.0

Classification of information

ID: ISO 27001:2013 A.8.2.1 Ownership: Shared

Name (Azure portal) | Description | Effect(s) | Version (GitHub)
--- | --- | --- | ---
Categorize information | CMA_0052 - Categorize information | Manual, Disabled | 1.1.0
Develop business classification schemes | CMA_0155 - Develop business classification schemes | Manual, Disabled | 1.1.0
Ensure security categorization is approved | CMA_C1540 - Ensure security categorization is approved | Manual, Disabled | 1.1.0
Review label activity and analytics | CMA_0474 - Review label activity and analytics | Manual, Disabled | 1.1.0
SQL databases should have vulnerability findings resolved | Monitor vulnerability assessment scan results and recommendations for how to remediate database vulnerabilities. | AuditIfNotExists, Disabled | 4.0.0

Labelling of information

ID: ISO 27001:2013 A.8.2.2 Ownership: Shared

Name (Azure portal) | Description | Effect(s) | Version (GitHub)
--- | --- | --- | ---
Control physical access | CMA_0081 - Control physical access | Manual, Disabled | 1.1.0
Implement controls to secure all media | CMA_0314 - Implement controls to secure all media | Manual, Disabled | 1.1.0
Manage the input, output, processing, and storage of data | CMA_0369 - Manage the input, output, processing, and storage of data | Manual, Disabled | 1.1.0
Review label activity and analytics | CMA_0474 - Review label activity and analytics | Manual, Disabled | 1.1.0

Handling of assets

ID: ISO 27001:2013 A.8.2.3 Ownership: Shared

Name (Azure portal) | Description | Effect(s) | Version (GitHub)
--- | --- | --- | ---
Block untrusted and unsigned processes that run from USB | CMA_0050 - Block untrusted and unsigned processes that run from USB | Manual, Disabled | 1.1.0
Configure workstations to check for digital certificates | CMA_0073 - Configure workstations to check for digital certificates | Manual, Disabled | 1.1.0
Control information flow | CMA_0079 - Control information flow | Manual, Disabled | 1.1.0
Control physical access | CMA_0081 - Control physical access | Manual, Disabled | 1.1.0
Control use of portable storage devices | CMA_0083 - Control use of portable storage devices | Manual, Disabled | 1.1.0
Define requirements for managing assets | CMA_0125 - Define requirements for managing assets | Manual, Disabled | 1.1.0
Employ a media sanitization mechanism | CMA_0208 - Employ a media sanitization mechanism | Manual, Disabled | 1.1.0
Establish a data leakage management procedure | CMA_0255 - Establish a data leakage management procedure | Manual, Disabled | 1.1.0
Establish and document change control processes | CMA_0265 - Establish and document change control processes | Manual, Disabled | 1.1.0
Establish configuration management requirements for developers | CMA_0270 - Establish configuration management requirements for developers | Manual, Disabled | 1.1.0
Establish firewall and router configuration standards | CMA_0272 - Establish firewall and router configuration standards | Manual, Disabled | 1.1.0
Establish network segmentation for card holder data environment | CMA_0273 - Establish network segmentation for card holder data environment | Manual, Disabled | 1.1.0
Identify and manage downstream information exchanges | CMA_0298 - Identify and manage downstream information exchanges | Manual, Disabled | 1.1.0
Implement a fault tolerant name/address service | CMA_0305 - Implement a fault tolerant name/address service | Manual, Disabled | 1.1.0
Implement controls to secure all media | CMA_0314 - Implement controls to secure all media | Manual, Disabled | 1.1.0
Implement physical security for offices, working areas, and secure areas | CMA_0323 - Implement physical security for offices, working areas, and secure areas | Manual, Disabled | 1.1.0
Manage the input, output, processing, and storage of data | CMA_0369 - Manage the input, output, processing, and storage of data | Manual, Disabled | 1.1.0
Manage the transportation of assets | CMA_0370 - Manage the transportation of assets | Manual, Disabled | 1.1.0
Perform audit for configuration change control | CMA_0390 - Perform audit for configuration change control | Manual, Disabled | 1.1.0
Produce, control and distribute asymmetric cryptographic keys | CMA_C1646 - Produce, control and distribute asymmetric cryptographic keys | Manual, Disabled | 1.1.0
Protect data in transit using encryption | CMA_0403 - Protect data in transit using encryption | Manual, Disabled | 1.1.0
Protect passwords with encryption | CMA_0408 - Protect passwords with encryption | Manual, Disabled | 1.1.0
Protect special information | CMA_0409 - Protect special information | Manual, Disabled | 1.1.0
Provide secure name and address resolution services | CMA_0416 - Provide secure name and address resolution services | Manual, Disabled | 1.1.0
Restrict media use | CMA_0450 - Restrict media use | Manual, Disabled | 1.1.0
Review label activity and analytics | CMA_0474 - Review label activity and analytics | Manual, Disabled | 1.1.0

Management of removable media

ID: ISO 27001:2013 A.8.3.1 Ownership: Shared

Name (Azure portal) | Description | Effect(s) | Version (GitHub)
--- | --- | --- | ---
Block untrusted and unsigned processes that run from USB | CMA_0050 - Block untrusted and unsigned processes that run from USB | Manual, Disabled | 1.1.0
Control use of portable storage devices | CMA_0083 - Control use of portable storage devices | Manual, Disabled | 1.1.0
Employ a media sanitization mechanism | CMA_0208 - Employ a media sanitization mechanism | Manual, Disabled | 1.1.0
Implement controls to secure all media | CMA_0314 - Implement controls to secure all media | Manual, Disabled | 1.1.0
Manage the transportation of assets | CMA_0370 - Manage the transportation of assets | Manual, Disabled | 1.1.0
Restrict media use | CMA_0450 - Restrict media use | Manual, Disabled | 1.1.0

Disposal of media

ID: ISO 27001:2013 A.8.3.2 Ownership: Shared

Name (Azure portal) | Description | Effect(s) | Version (GitHub)
--- | --- | --- | ---
Employ a media sanitization mechanism | CMA_0208 - Employ a media sanitization mechanism | Manual, Disabled | 1.1.0
Implement controls to secure all media | CMA_0314 - Implement controls to secure all media | Manual, Disabled | 1.1.0

Physical media transfer

ID: ISO 27001:2013 A.8.3.3 Ownership: Shared

Name (Azure portal) | Description | Effect(s) | Version (GitHub)
--- | --- | --- | ---
Implement controls to secure all media | CMA_0314 - Implement controls to secure all media | Manual, Disabled | 1.1.0
Manage the transportation of assets | CMA_0370 - Manage the transportation of assets | Manual, Disabled | 1.1.0

Access Control

Access control policy

ID: ISO 27001:2013 A.9.1.1 Ownership: Shared

Name (Azure portal) | Description | Effect(s) | Version (GitHub)
--- | --- | --- | ---
Develop access control policies and procedures | CMA_0144 - Develop access control policies and procedures | Manual, Disabled | 1.1.0
Enforce mandatory and discretionary access control policies | CMA_0246 - Enforce mandatory and discretionary access control policies | Manual, Disabled | 1.1.0
Govern policies and procedures | CMA_0292 - Govern policies and procedures | Manual, Disabled | 1.1.0
Review access control policies and procedures | CMA_0457 - Review access control policies and procedures | Manual, Disabled | 1.1.0

Access to networks and network services

ID: ISO 27001:2013 A.9.1.2 Ownership: Shared

Name (Azure portal) | Description | Effect(s) | Version (GitHub)
--- | --- | --- | ---
Add system-assigned managed identity to enable Guest Configuration assignments on virtual machines with no identities | This policy adds a system-assigned managed identity to virtual machines hosted in Azure that are supported by Guest Configuration but do not have any managed identities. A system-assigned managed identity is a prerequisite for all Guest Configuration assignments and must be added to machines before using any Guest Configuration policy definitions. For more information on Guest Configuration, visit https://aka.ms/gcpol. | modify | 4.0.0
Add system-assigned managed identity to enable Guest Configuration assignments on VMs with a user-assigned identity | This policy adds a system-assigned managed identity to virtual machines hosted in Azure that are supported by Guest Configuration and have at least one user-assigned identity but do not have a system-assigned managed identity. A system-assigned managed identity is a prerequisite for all Guest Configuration assignments and must be added to machines before using any Guest Configuration policy definitions. For more information on Guest Configuration, visit https://aka.ms/gcpol. | modify | 4.0.0
Adopt biometric authentication mechanisms | CMA_0005 - Adopt biometric authentication mechanisms | Manual, Disabled | 1.1.0
Audit Linux machines that allow remote connections from accounts without passwords | Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Linux machines are non-compliant if they allow remote connections from accounts without passwords. | AuditIfNotExists, Disabled | 3.0.0
Audit Linux machines that have accounts without passwords | Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Linux machines are non-compliant if they have accounts without passwords. | AuditIfNotExists, Disabled | 3.0.0
Audit VMs that do not use managed disks | This policy audits VMs that do not use managed disks. | audit | 1.0.0
Authorize access to security functions and information | CMA_0022 - Authorize access to security functions and information | Manual, Disabled | 1.1.0
Authorize and manage access | CMA_0023 - Authorize and manage access | Manual, Disabled | 1.1.0
Automate account management | CMA_0026 - Automate account management | Manual, Disabled | 1.1.0
Deploy the Linux Guest Configuration extension to enable Guest Configuration assignments on Linux VMs | This policy deploys the Linux Guest Configuration extension to Linux virtual machines hosted in Azure that are supported by Guest Configuration. The Linux Guest Configuration extension is a prerequisite for all Linux Guest Configuration assignments and must be deployed to machines before using any Linux Guest Configuration policy definition. For more information on Guest Configuration, visit https://aka.ms/gcpol. | deployIfNotExists | 3.0.0
Design an access control model | CMA_0129 - Design an access control model | Manual, Disabled | 1.1.0
Employ least privilege access | CMA_0212 - Employ least privilege access | Manual, Disabled | 1.1.0
Enable detection of network devices | CMA_0220 - Enable detection of network devices | Manual, Disabled | 1.1.0
Enforce logical access | CMA_0245 - Enforce logical access | Manual, Disabled | 1.1.0
Enforce mandatory and discretionary access control policies | CMA_0246 - Enforce mandatory and discretionary access control policies | Manual, Disabled | 1.1.0
Enforce user uniqueness | CMA_0250 - Enforce user uniqueness | Manual, Disabled | 1.1.0
Establish electronic signature and certificate requirements | CMA_0271 - Establish electronic signature and certificate requirements | Manual, Disabled | 1.1.0
Identify actions allowed without authentication | CMA_0295 - Identify actions allowed without authentication | Manual, Disabled | 1.1.0
Identify and authenticate non-organizational users | CMA_C1346 - Identify and authenticate non-organizational users | Manual, Disabled | 1.1.0
Manage system and admin accounts | CMA_0368 - Manage system and admin accounts | Manual, Disabled | 1.1.0
Monitor access across the organization | CMA_0376 - Monitor access across the organization | Manual, Disabled | 1.1.0
Notify when account is not needed | CMA_0383 - Notify when account is not needed | Manual, Disabled | 1.1.0
Require approval for account creation | CMA_0431 - Require approval for account creation | Manual, Disabled | 1.1.0
Review user groups and applications with access to sensitive data | CMA_0481 - Review user groups and applications with access to sensitive data | Manual, Disabled | 1.1.0
Route traffic through managed network access points | CMA_0484 - Route traffic through managed network access points | Manual, Disabled | 1.1.0
Set automated notifications for new and trending cloud applications in your organization | CMA_0495 - Set automated notifications for new and trending cloud applications in your organization | Manual, Disabled | 1.1.0
Storage accounts should be migrated to new Azure Resource Manager resources | Use new Azure Resource Manager for your storage accounts to provide security enhancements such as: stronger access control (RBAC), better auditing, Azure Resource Manager based deployment and governance, access to managed identities, access to key vault for secrets, Azure AD-based authentication, and support for tags and resource groups for easier security management. | Audit, Deny, Disabled | 1.0.0
Support personal verification credentials issued by legal authorities | CMA_0507 - Support personal verification credentials issued by legal authorities | Manual, Disabled | 1.1.0
Virtual machines should be migrated to new Azure Resource Manager resources | Use new Azure Resource Manager for your virtual machines to provide security enhancements such as: stronger access control (RBAC), better auditing, Azure Resource Manager based deployment and governance, access to managed identities, access to key vault for secrets, Azure AD-based authentication, and support for tags and resource groups for easier security management. | Audit, Deny, Disabled | 1.0.0

User registration and de-registration

ID: ISO 27001:2013 A.9.2.1 Ownership: Shared

Name (Azure portal) | Description | Effect(s) | Version (GitHub)
--- | --- | --- | ---
Assign account managers | CMA_0015 - Assign account managers | Manual, Disabled | 1.1.0
Assign system identifiers | CMA_0018 - Assign system identifiers | Manual, Disabled | 1.1.0
Audit user account status | CMA_0020 - Audit user account status | Manual, Disabled | 1.1.0
Define information system account types | CMA_0121 - Define information system account types | Manual, Disabled | 1.1.0
Document access privileges | CMA_0186 - Document access privileges | Manual, Disabled | 1.1.0
Enable detection of network devices | CMA_0220 - Enable detection of network devices | Manual, Disabled | 1.1.0
Enforce user uniqueness | CMA_0250 - Enforce user uniqueness | Manual, Disabled | 1.1.0
Establish authenticator types and processes | CMA_0267 - Establish authenticator types and processes | Manual, Disabled | 1.1.0
Establish conditions for role membership | CMA_0269 - Establish conditions for role membership | Manual, Disabled | 1.1.0
Establish procedures for initial authenticator distribution | CMA_0276 - Establish procedures for initial authenticator distribution | Manual, Disabled | 1.1.0
Identify actions allowed without authentication | CMA_0295 - Identify actions allowed without authentication | Manual, Disabled | 1.1.0
Identify and authenticate non-organizational users | CMA_C1346 - Identify and authenticate non-organizational users | Manual, Disabled | 1.1.0
Implement training for protecting authenticators | CMA_0329 - Implement training for protecting authenticators | Manual, Disabled | 1.1.0
Manage authenticator lifetime and reuse | CMA_0355 - Manage authenticator lifetime and reuse | Manual, Disabled | 1.1.0
Manage Authenticators | CMA_C1321 - Manage Authenticators | Manual, Disabled | 1.1.0
Notify Account Managers of customer controlled accounts | CMA_C1009 - Notify Account Managers of customer controlled accounts | Manual, Disabled | 1.1.0
Prevent identifier reuse for the defined time period | CMA_C1314 - Prevent identifier reuse for the defined time period | Manual, Disabled | 1.1.0
Refresh authenticators | CMA_0425 - Refresh authenticators | Manual, Disabled | 1.1.0
Reissue authenticators for changed groups and accounts | CMA_0426 - Reissue authenticators for changed groups and accounts | Manual, Disabled | 1.1.0
Require approval for account creation | CMA_0431 - Require approval for account creation | Manual, Disabled | 1.1.0
Restrict access to privileged accounts | CMA_0446 - Restrict access to privileged accounts | Manual, Disabled | 1.1.0
Review account provisioning logs | CMA_0460 - Review account provisioning logs | Manual, Disabled | 1.1.0
Review and reevaluate privileges | CMA_C1207 - Review and reevaluate privileges | Manual, Disabled | 1.1.0
Review user accounts | CMA_0480 - Review user accounts | Manual, Disabled | 1.1.0
Set automated notifications for new and trending cloud applications in your organization | CMA_0495 - Set automated notifications for new and trending cloud applications in your organization | Manual, Disabled | 1.1.0
Support personal verification credentials issued by legal authorities | CMA_0507 - Support personal verification credentials issued by legal authorities | Manual, Disabled | 1.1.0
Verify identity before distributing authenticators | CMA_0538 - Verify identity before distributing authenticators | Manual, Disabled | 1.1.0

User access provisioning

ID: ISO 27001:2013 A.9.2.2 Ownership: Shared

Name (Azure portal) | Description | Effect(s) | Version (GitHub)
--- | --- | --- | ---
Assign account managers | CMA_0015 - Assign account managers | Manual, Disabled | 1.1.0
Audit user account status | CMA_0020 - Audit user account status | Manual, Disabled | 1.1.0
Authorize access to security functions and information | CMA_0022 - Authorize access to security functions and information | Manual, Disabled | 1.1.0
Authorize and manage access | CMA_0023 - Authorize and manage access | Manual, Disabled | 1.1.0
Automate account management | CMA_0026 - Automate account management | Manual, Disabled | 1.1.0
Define information system account types | CMA_0121 - Define information system account types | Manual, Disabled | 1.1.0
Document access privileges | CMA_0186 - Document access privileges | Manual, Disabled | 1.1.0
Enforce mandatory and discretionary access control policies | CMA_0246 - Enforce mandatory and discretionary access control policies | Manual, Disabled | 1.1.0
Establish conditions for role membership | CMA_0269 - Establish conditions for role membership | Manual, Disabled | 1.1.0
Limit privileges to make changes in production environment | CMA_C1206 - Limit privileges to make changes in production environment | Manual, Disabled | 1.1.0
Manage system and admin accounts | CMA_0368 - Manage system and admin accounts | Manual, Disabled | 1.1.0
Monitor access across the organization | CMA_0376 - Monitor access across the organization | Manual, Disabled | 1.1.0
Notify Account Managers of customer controlled accounts | CMA_C1009 - Notify Account Managers of customer controlled accounts | Manual, Disabled | 1.1.0
Notify when account is not needed | CMA_0383 - Notify when account is not needed | Manual, Disabled | 1.1.0
Require approval for account creation | CMA_0431 - Require approval for account creation | Manual, Disabled | 1.1.0
Restrict access to privileged accounts | CMA_0446 - Restrict access to privileged accounts | Manual, Disabled | 1.1.0
Review account provisioning logs | CMA_0460 - Review account provisioning logs | Manual, Disabled | 1.1.0
Review and reevaluate privileges | CMA_C1207 - Review and reevaluate privileges | Manual, Disabled | 1.1.0
Review user accounts | CMA_0480 - Review user accounts | Manual, Disabled | 1.1.0

Management of privileged access rights

ID: ISO 27001:2013 A.9.2.3 Ownership: Shared

Name (Azure portal) | Description | Effect(s) | Version (GitHub)
--- | --- | --- | ---
An Azure Active Directory administrator should be provisioned for SQL servers | Audit provisioning of an Azure Active Directory administrator for your SQL server to enable Azure AD authentication. Azure AD authentication enables simplified permission management and centralized identity management of database users and other Microsoft services. | AuditIfNotExists, Disabled | 1.0.0
Assign account managers | CMA_0015 - Assign account managers | Manual, Disabled | 1.1.0
Audit privileged functions | CMA_0019 - Audit privileged functions | Manual, Disabled | 1.1.0
Audit usage of custom RBAC rules | Audit built-in roles such as 'Owner, Contributor, Reader' instead of custom RBAC roles, which are error-prone. Using custom roles is treated as an exception and requires a rigorous review and threat modeling. | Audit, Disabled | 1.0.0
Audit user account status | CMA_0020 - Audit user account status | Manual, Disabled | 1.1.0
Authorize access to security functions and information | CMA_0022 - Authorize access to security functions and information | Manual, Disabled | 1.1.0
Authorize and manage access | CMA_0023 - Authorize and manage access | Manual, Disabled | 1.1.0
Automate account management | CMA_0026 - Automate account management | Manual, Disabled | 1.1.0
Define information system account types | CMA_0121 - Define information system account types | Manual, Disabled | 1.1.0
Design an access control model | CMA_0129 - Design an access control model | Manual, Disabled | 1.1.0
Document access privileges | CMA_0186 - Document access privileges | Manual, Disabled | 1.1.0
Employ least privilege access | CMA_0212 - Employ least privilege access | Manual, Disabled | 1.1.0
Enforce mandatory and discretionary access control policies | CMA_0246 - Enforce mandatory and discretionary access control policies | Manual, Disabled | 1.1.0
Establish and document change control processes | CMA_0265 - Establish and document change control processes | Manual, Disabled | 1.1.0
Establish conditions for role membership | CMA_0269 - Establish conditions for role membership | Manual, Disabled | 1.1.0
External accounts with owner permissions should be removed from your subscription | External accounts with owner permissions should be removed from your subscription in order to prevent unmonitored access. | AuditIfNotExists, Disabled | 3.0.0
External accounts with write permissions should be removed from your subscription | External accounts with write privileges should be removed from your subscription in order to prevent unmonitored access. | AuditIfNotExists, Disabled | 3.0.0
Limit privileges to make changes in production environment | CMA_C1206 - Limit privileges to make changes in production environment | Manual, Disabled | 1.1.0
Manage system and admin accounts | CMA_0368 - Manage system and admin accounts | Manual, Disabled | 1.1.0
MFA should be enabled for accounts with write permissions on your subscription | Multi-Factor Authentication (MFA) should be enabled for all subscription accounts with write privileges to prevent a breach of accounts or resources. | AuditIfNotExists, Disabled | 3.0.1
MFA should be enabled on accounts with owner permissions on your subscription | Multi-Factor Authentication (MFA) should be enabled for all subscription accounts with owner permissions to prevent a breach of accounts or resources. | AuditIfNotExists, Disabled | 3.0.0
Monitor access across the organization | CMA_0376 - Monitor access across the organization | Manual, Disabled | 1.1.0
Monitor privileged role assignment | CMA_0378 - Monitor privileged role assignment | Manual, Disabled | 1.1.0
Notify Account Managers of customer controlled accounts | CMA_C1009 - Notify Account Managers of customer controlled accounts | Manual, Disabled | 1.1.0
Notify when account is not needed | CMA_0383 - Notify when account is not needed | Manual, Disabled | 1.1.0
Require approval for account creation | CMA_0431 - Require approval for account creation | Manual, Disabled | 1.1.0
Restrict access to privileged accounts | CMA_0446 - Restrict access to privileged accounts | Manual, Disabled | 1.1.0
Review account provisioning logs | CMA_0460 - Review account provisioning logs | Manual, Disabled | 1.1.0
Review and reevaluate privileges | CMA_C1207 - Review and reevaluate privileges | Manual, Disabled | 1.1.0
Review user accounts | CMA_0480 - Review user accounts | Manual, Disabled | 1.1.0
Revoke privileged roles as appropriate | CMA_0483 - Revoke privileged roles as appropriate | Manual, Disabled | 1.1.0
Service Fabric clusters should only use Azure Active Directory for client authentication | Audit usage of client authentication only via Azure Active Directory in Service Fabric. | Audit, Deny, Disabled | 1.1.0
Use privileged identity management | CMA_0533 - Use privileged identity management | Manual, Disabled | 1.1.0

Management of secret authentication information of users

ID: ISO 27001:2013 A.9.2.4 Ownership: Shared

Name (Azure portal) | Description | Effect(s) | Version (GitHub)
--- | --- | --- | ---
Add system-assigned managed identity to enable Guest Configuration assignments on virtual machines with no identities | This policy adds a system-assigned managed identity to virtual machines hosted in Azure that are supported by Guest Configuration but do not have any managed identities. A system-assigned managed identity is a prerequisite for all Guest Configuration assignments and must be added to machines before using any Guest Configuration policy definitions. For more information on Guest Configuration, visit https://aka.ms/gcpol. | modify | 4.0.0
Add system-assigned managed identity to enable Guest Configuration assignments on VMs with a user-assigned identity | This policy adds a system-assigned managed identity to virtual machines hosted in Azure that are supported by Guest Configuration and have at least one user-assigned identity but do not have a system-assigned managed identity. A system-assigned managed identity is a prerequisite for all Guest Configuration assignments and must be added to machines before using any Guest Configuration policy definitions. For more information on Guest Configuration, visit https://aka.ms/gcpol. | modify | 4.0.0
Audit Linux machines that do not have the passwd file permissions set to 0644 | Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Linux machines are non-compliant if the passwd file permissions are not set to 0644. | AuditIfNotExists, Disabled | 3.0.0
Deploy the Linux Guest Configuration extension to enable Guest Configuration assignments on Linux VMs | This policy deploys the Linux Guest Configuration extension to Linux virtual machines hosted in Azure that are supported by Guest Configuration. The Linux Guest Configuration extension is a prerequisite for all Linux Guest Configuration assignments and must be deployed to machines before using any Linux Guest Configuration policy definition. For more information on Guest Configuration, visit https://aka.ms/gcpol. | deployIfNotExists | 3.0.0
Disable authenticators upon termination | CMA_0169 - Disable authenticators upon termination | Manual, Disabled | 1.1.0
Document security strength requirements in acquisition contracts | CMA_0203 - Document security strength requirements in acquisition contracts | Manual, Disabled | 1.1.0
Establish a password policy | CMA_0256 - Establish a password policy | Manual, Disabled | 1.1.0
Establish authenticator types and processes | CMA_0267 - Establish authenticator types and processes | Manual, Disabled | 1.1.0
Establish procedures for initial authenticator distribution | CMA_0276 - Establish procedures for initial authenticator distribution | Manual, Disabled | 1.1.0
Implement parameters for memorized secret verifiers | CMA_0321 - Implement parameters for memorized secret verifiers | Manual, Disabled | 1.1.0
Implement training for protecting authenticators | CMA_0329 - Implement training for protecting authenticators | Manual, Disabled | 1.1.0
Manage authenticator lifetime and reuse | CMA_0355 - Manage authenticator lifetime and reuse | Manual, Disabled | 1.1.0
Manage Authenticators | CMA_C1321 - Manage Authenticators | Manual, Disabled | 1.1.0
MFA should be enabled for accounts with write permissions on your subscription | Multi-Factor Authentication (MFA) should be enabled for all subscription accounts with write privileges to prevent a breach of accounts or resources. | AuditIfNotExists, Disabled | 3.0.1
MFA should be enabled on accounts with owner permissions on your subscription | Multi-Factor Authentication (MFA) should be enabled for all subscription accounts with owner permissions to prevent a breach of accounts or resources. | AuditIfNotExists, Disabled | 3.0.0
MFA should be enabled on accounts with read permissions on your subscription | Multi-Factor Authentication (MFA) should be enabled for all subscription accounts with read privileges to prevent a breach of accounts or resources. | AuditIfNotExists, Disabled | 3.0.0
Protect passwords with encryption | CMA_0408 - Protect passwords with encryption | Manual, Disabled | 1.1.0
Refresh authenticators | CMA_0425 - Refresh authenticators | Manual, Disabled | 1.1.0
Reissue authenticators for changed groups and accounts | CMA_0426 - Reissue authenticators for changed groups and accounts | Manual, Disabled | 1.1.0
Revoke privileged roles as appropriate | CMA_0483 - Revoke privileged roles as appropriate | Manual, Disabled | 1.1.0
Verify identity before distributing authenticators | CMA_0538 - Verify identity before distributing authenticators | Manual, Disabled | 1.1.0

Review of user access rights

ID: ISO 27001:2013 A.9.2.5 Ownership: Shared

Name (Azure portal) | Description | Effect(s) | Version (GitHub)
--- | --- | --- | ---
Assign account managers | CMA_0015 - Assign account managers | Manual, Disabled | 1.1.0
Audit user account status | CMA_0020 - Audit user account status | Manual, Disabled | 1.1.0
Define information system account types | CMA_0121 - Define information system account types | Manual, Disabled | 1.1.0
Deprecated accounts should be removed from your subscription | Deprecated accounts should be removed from your subscriptions. Deprecated accounts are accounts that have been blocked from signing in. | AuditIfNotExists, Disabled | 3.0.0
Deprecated accounts with owner permissions should be removed from your subscription | Deprecated accounts with owner permissions should be removed from your subscription. Deprecated accounts are accounts that have been blocked from signing in. | AuditIfNotExists, Disabled | 3.0.0
Document access privileges | CMA_0186 - Document access privileges | Manual, Disabled | 1.1.0
Establish conditions for role membership | CMA_0269 - Establish conditions for role membership | Manual, Disabled | 1.1.0
External accounts with owner permissions should be removed from your subscription | External accounts with owner permissions should be removed from your subscription in order to prevent unmonitored access. | AuditIfNotExists, Disabled | 3.0.0
External accounts with write permissions should be removed from your subscription | External accounts with write privileges should be removed from your subscription in order to prevent unmonitored access. | AuditIfNotExists, Disabled | 3.0.0
Notify Account Managers of customer controlled accounts | CMA_C1009 - Notify Account Managers of customer controlled accounts | Manual, Disabled | 1.1.0
Reassign or remove user privileges as needed | CMA_C1040 - Reassign or remove user privileges as needed | Manual, Disabled | 1.1.0
Require approval for account creation | CMA_0431 - Require approval for account creation | Manual, Disabled | 1.1.0
Restrict access to privileged accounts | CMA_0446 - Restrict access to privileged accounts | Manual, Disabled | 1.1.0
Review account provisioning logs | CMA_0460 - Review account provisioning logs | Manual, Disabled | 1.1.0
Review and reevaluate privileges | CMA_C1207 - Review and reevaluate privileges | Manual, Disabled | 1.1.0
Review user accounts | CMA_0480 - Review user accounts | Manual, Disabled | 1.1.0
Review user privileges | CMA_C1039 - Review user privileges | Manual, Disabled | 1.1.0

Removal or adjustment of access rights

ID: ISO 27001:2013 A.9.2.6 Ownership: Shared

| Name (Azure portal) | Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Assign account managers | CMA_0015 - Assign account managers | Manual, Disabled | 1.1.0 |
| Audit user account status | CMA_0020 - Audit user account status | Manual, Disabled | 1.1.0 |
| Define information system account types | CMA_0121 - Define information system account types | Manual, Disabled | 1.1.0 |
| Deprecated accounts should be removed from your subscription | Deprecated accounts should be removed from your subscriptions. Deprecated accounts are accounts that have been blocked from signing in. | AuditIfNotExists, Disabled | 3.0.0 |
| Deprecated accounts with owner permissions should be removed from your subscription | Deprecated accounts with owner permissions should be removed from your subscription. Deprecated accounts are accounts that have been blocked from signing in. | AuditIfNotExists, Disabled | 3.0.0 |
| Document access privileges | CMA_0186 - Document access privileges | Manual, Disabled | 1.1.0 |
| Establish conditions for role membership | CMA_0269 - Establish conditions for role membership | Manual, Disabled | 1.1.0 |
| Initiate transfer or reassignment actions | CMA_0333 - Initiate transfer or reassignment actions | Manual, Disabled | 1.1.0 |
| Modify access authorizations upon personnel transfer | CMA_0374 - Modify access authorizations upon personnel transfer | Manual, Disabled | 1.1.0 |
| Notify Account Managers of customer controlled accounts | CMA_C1009 - Notify Account Managers of customer controlled accounts | Manual, Disabled | 1.1.0 |
| Notify upon termination or transfer | CMA_0381 - Notify upon termination or transfer | Manual, Disabled | 1.1.0 |
| Reevaluate access upon personnel transfer | CMA_0424 - Reevaluate access upon personnel transfer | Manual, Disabled | 1.1.0 |
| Require approval for account creation | CMA_0431 - Require approval for account creation | Manual, Disabled | 1.1.0 |
| Restrict access to privileged accounts | CMA_0446 - Restrict access to privileged accounts | Manual, Disabled | 1.1.0 |
| Review account provisioning logs | CMA_0460 - Review account provisioning logs | Manual, Disabled | 1.1.0 |
| Review and reevaluate privileges | CMA_C1207 - Review and reevaluate privileges | Manual, Disabled | 1.1.0 |
| Review user accounts | CMA_0480 - Review user accounts | Manual, Disabled | 1.1.0 |

Use of secret authentication information

ID: ISO 27001:2013 A.9.3.1 Ownership: Shared

| Name (Azure portal) | Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Disable authenticators upon termination | CMA_0169 - Disable authenticators upon termination | Manual, Disabled | 1.1.0 |
| Document security strength requirements in acquisition contracts | CMA_0203 - Document security strength requirements in acquisition contracts | Manual, Disabled | 1.1.0 |
| Establish a password policy | CMA_0256 - Establish a password policy | Manual, Disabled | 1.1.0 |
| Establish authenticator types and processes | CMA_0267 - Establish authenticator types and processes | Manual, Disabled | 1.1.0 |
| Establish procedures for initial authenticator distribution | CMA_0276 - Establish procedures for initial authenticator distribution | Manual, Disabled | 1.1.0 |
| Implement parameters for memorized secret verifiers | CMA_0321 - Implement parameters for memorized secret verifiers | Manual, Disabled | 1.1.0 |
| Implement training for protecting authenticators | CMA_0329 - Implement training for protecting authenticators | Manual, Disabled | 1.1.0 |
| Manage authenticator lifetime and reuse | CMA_0355 - Manage authenticator lifetime and reuse | Manual, Disabled | 1.1.0 |
| Manage Authenticators | CMA_C1321 - Manage Authenticators | Manual, Disabled | 1.1.0 |
| Protect passwords with encryption | CMA_0408 - Protect passwords with encryption | Manual, Disabled | 1.1.0 |
| Refresh authenticators | CMA_0425 - Refresh authenticators | Manual, Disabled | 1.1.0 |
| Reissue authenticators for changed groups and accounts | CMA_0426 - Reissue authenticators for changed groups and accounts | Manual, Disabled | 1.1.0 |
| Revoke privileged roles as appropriate | CMA_0483 - Revoke privileged roles as appropriate | Manual, Disabled | 1.1.0 |
| Terminate customer controlled account credentials | CMA_C1022 - Terminate customer controlled account credentials | Manual, Disabled | 1.1.0 |
| Verify identity before distributing authenticators | CMA_0538 - Verify identity before distributing authenticators | Manual, Disabled | 1.1.0 |

Information access restriction

ID: ISO 27001:2013 A.9.4.1 Ownership: Shared

| Name (Azure portal) | Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Authorize access to security functions and information | CMA_0022 - Authorize access to security functions and information | Manual, Disabled | 1.1.0 |
| Authorize and manage access | CMA_0023 - Authorize and manage access | Manual, Disabled | 1.1.0 |
| Automate account management | CMA_0026 - Automate account management | Manual, Disabled | 1.1.0 |
| Enforce logical access | CMA_0245 - Enforce logical access | Manual, Disabled | 1.1.0 |
| Enforce mandatory and discretionary access control policies | CMA_0246 - Enforce mandatory and discretionary access control policies | Manual, Disabled | 1.1.0 |
| Limit privileges to make changes in production environment | CMA_C1206 - Limit privileges to make changes in production environment | Manual, Disabled | 1.1.0 |
| Manage system and admin accounts | CMA_0368 - Manage system and admin accounts | Manual, Disabled | 1.1.0 |
| Monitor access across the organization | CMA_0376 - Monitor access across the organization | Manual, Disabled | 1.1.0 |
| Notify when account is not needed | CMA_0383 - Notify when account is not needed | Manual, Disabled | 1.1.0 |
| Require approval for account creation | CMA_0431 - Require approval for account creation | Manual, Disabled | 1.1.0 |
| Review user groups and applications with access to sensitive data | CMA_0481 - Review user groups and applications with access to sensitive data | Manual, Disabled | 1.1.0 |

Secure log-on procedures

ID: ISO 27001:2013 A.9.4.2 Ownership: Shared

| Name (Azure portal) | Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Adopt biometric authentication mechanisms | CMA_0005 - Adopt biometric authentication mechanisms | Manual, Disabled | 1.1.0 |
| Enable detection of network devices | CMA_0220 - Enable detection of network devices | Manual, Disabled | 1.1.0 |
| Enforce a limit of consecutive failed login attempts | CMA_C1044 - Enforce a limit of consecutive failed login attempts | Manual, Disabled | 1.1.0 |
| Enforce user uniqueness | CMA_0250 - Enforce user uniqueness | Manual, Disabled | 1.1.0 |
| Establish electronic signature and certificate requirements | CMA_0271 - Establish electronic signature and certificate requirements | Manual, Disabled | 1.1.0 |
| Generate error messages | CMA_C1724 - Generate error messages | Manual, Disabled | 1.1.0 |
| Identify actions allowed without authentication | CMA_0295 - Identify actions allowed without authentication | Manual, Disabled | 1.1.0 |
| Identify and authenticate non-organizational users | CMA_C1346 - Identify and authenticate non-organizational users | Manual, Disabled | 1.1.0 |
| MFA should be enabled for accounts with write permissions on your subscription | Multi-Factor Authentication (MFA) should be enabled for all subscription accounts with write privileges to prevent a breach of accounts or resources. | AuditIfNotExists, Disabled | 3.0.1 |
| MFA should be enabled on accounts with owner permissions on your subscription | Multi-Factor Authentication (MFA) should be enabled for all subscription accounts with owner permissions to prevent a breach of accounts or resources. | AuditIfNotExists, Disabled | 3.0.0 |
| MFA should be enabled on accounts with read permissions on your subscription | Multi-Factor Authentication (MFA) should be enabled for all subscription accounts with read privileges to prevent a breach of accounts or resources. | AuditIfNotExists, Disabled | 3.0.0 |
| Obscure feedback information during authentication process | CMA_C1344 - Obscure feedback information during authentication process | Manual, Disabled | 1.1.0 |
| Reveal error messages | CMA_C1725 - Reveal error messages | Manual, Disabled | 1.1.0 |
| Route traffic through managed network access points | CMA_0484 - Route traffic through managed network access points | Manual, Disabled | 1.1.0 |
| Set automated notifications for new and trending cloud applications in your organization | CMA_0495 - Set automated notifications for new and trending cloud applications in your organization | Manual, Disabled | 1.1.0 |
| Support personal verification credentials issued by legal authorities | CMA_0507 - Support personal verification credentials issued by legal authorities | Manual, Disabled | 1.1.0 |
| Terminate user session automatically | CMA_C1054 - Terminate user session automatically | Manual, Disabled | 1.1.0 |

Password management system

ID: ISO 27001:2013 A.9.4.3 Ownership: Shared

| Name (Azure portal) | Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Add system-assigned managed identity to enable Guest Configuration assignments on virtual machines with no identities | This policy adds a system-assigned managed identity to virtual machines hosted in Azure that are supported by Guest Configuration but do not have any managed identities. A system-assigned managed identity is a prerequisite for all Guest Configuration assignments and must be added to machines before using any Guest Configuration policy definitions. For more information on Guest Configuration, visit https://aka.ms/gcpol. | modify | 4.0.0 |
| Add system-assigned managed identity to enable Guest Configuration assignments on VMs with a user-assigned identity | This policy adds a system-assigned managed identity to virtual machines hosted in Azure that are supported by Guest Configuration and have at least one user-assigned identity but do not have a system-assigned managed identity. A system-assigned managed identity is a prerequisite for all Guest Configuration assignments and must be added to machines before using any Guest Configuration policy definitions. For more information on Guest Configuration, visit https://aka.ms/gcpol. | modify | 4.0.0 |
| Audit Windows machines that allow re-use of the previous 24 passwords | Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if Windows machines that allow re-use of the previous 24 passwords | AuditIfNotExists, Disabled | 2.0.0 |
| Audit Windows machines that do not have a maximum password age of 70 days | Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if Windows machines that do not have a maximum password age of 70 days | AuditIfNotExists, Disabled | 2.0.0 |
| Audit Windows machines that do not have a minimum password age of 1 day | Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if Windows machines that do not have a minimum password age of 1 day | AuditIfNotExists, Disabled | 2.0.0 |
| Audit Windows machines that do not have the password complexity setting enabled | Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if Windows machines that do not have the password complexity setting enabled | AuditIfNotExists, Disabled | 2.0.0 |
| Audit Windows machines that do not restrict the minimum password length to 14 characters | Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if Windows machines that do not restrict the minimum password length to 14 characters | AuditIfNotExists, Disabled | 2.0.0 |
| Deploy the Windows Guest Configuration extension to enable Guest Configuration assignments on Windows VMs | This policy deploys the Windows Guest Configuration extension to Windows virtual machines hosted in Azure that are supported by Guest Configuration. The Windows Guest Configuration extension is a prerequisite for all Windows Guest Configuration assignments and must be deployed to machines before using any Windows Guest Configuration policy definition. For more information on Guest Configuration, visit https://aka.ms/gcpol. | deployIfNotExists | 1.2.0 |
| Disable authenticators upon termination | CMA_0169 - Disable authenticators upon termination | Manual, Disabled | 1.1.0 |
| Document security strength requirements in acquisition contracts | CMA_0203 - Document security strength requirements in acquisition contracts | Manual, Disabled | 1.1.0 |
| Establish a password policy | CMA_0256 - Establish a password policy | Manual, Disabled | 1.1.0 |
| Establish authenticator types and processes | CMA_0267 - Establish authenticator types and processes | Manual, Disabled | 1.1.0 |
| Establish procedures for initial authenticator distribution | CMA_0276 - Establish procedures for initial authenticator distribution | Manual, Disabled | 1.1.0 |
| Implement parameters for memorized secret verifiers | CMA_0321 - Implement parameters for memorized secret verifiers | Manual, Disabled | 1.1.0 |
| Implement training for protecting authenticators | CMA_0329 - Implement training for protecting authenticators | Manual, Disabled | 1.1.0 |
| Manage authenticator lifetime and reuse | CMA_0355 - Manage authenticator lifetime and reuse | Manual, Disabled | 1.1.0 |
| Manage Authenticators | CMA_C1321 - Manage Authenticators | Manual, Disabled | 1.1.0 |
| Protect passwords with encryption | CMA_0408 - Protect passwords with encryption | Manual, Disabled | 1.1.0 |
| Refresh authenticators | CMA_0425 - Refresh authenticators | Manual, Disabled | 1.1.0 |
| Reissue authenticators for changed groups and accounts | CMA_0426 - Reissue authenticators for changed groups and accounts | Manual, Disabled | 1.1.0 |
| Revoke privileged roles as appropriate | CMA_0483 - Revoke privileged roles as appropriate | Manual, Disabled | 1.1.0 |
| Verify identity before distributing authenticators | CMA_0538 - Verify identity before distributing authenticators | Manual, Disabled | 1.1.0 |

Use of privileged utility programs

ID: ISO 27001:2013 A.9.4.4 Ownership: Shared

| Name (Azure portal) | Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Authorize access to security functions and information | CMA_0022 - Authorize access to security functions and information | Manual, Disabled | 1.1.0 |
| Authorize and manage access | CMA_0023 - Authorize and manage access | Manual, Disabled | 1.1.0 |
| Design an access control model | CMA_0129 - Design an access control model | Manual, Disabled | 1.1.0 |
| Employ least privilege access | CMA_0212 - Employ least privilege access | Manual, Disabled | 1.1.0 |
| Enforce logical access | CMA_0245 - Enforce logical access | Manual, Disabled | 1.1.0 |
| Enforce mandatory and discretionary access control policies | CMA_0246 - Enforce mandatory and discretionary access control policies | Manual, Disabled | 1.1.0 |
| Require approval for account creation | CMA_0431 - Require approval for account creation | Manual, Disabled | 1.1.0 |
| Restrict access to privileged accounts | CMA_0446 - Restrict access to privileged accounts | Manual, Disabled | 1.1.0 |
| Review user groups and applications with access to sensitive data | CMA_0481 - Review user groups and applications with access to sensitive data | Manual, Disabled | 1.1.0 |

Access control to program source code

ID: ISO 27001:2013 A.9.4.5 Ownership: Shared

| Name (Azure portal) | Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Authorize access to security functions and information | CMA_0022 - Authorize access to security functions and information | Manual, Disabled | 1.1.0 |
| Authorize and manage access | CMA_0023 - Authorize and manage access | Manual, Disabled | 1.1.0 |
| Design an access control model | CMA_0129 - Design an access control model | Manual, Disabled | 1.1.0 |
| Employ least privilege access | CMA_0212 - Employ least privilege access | Manual, Disabled | 1.1.0 |
| Enforce logical access | CMA_0245 - Enforce logical access | Manual, Disabled | 1.1.0 |
| Enforce mandatory and discretionary access control policies | CMA_0246 - Enforce mandatory and discretionary access control policies | Manual, Disabled | 1.1.0 |
| Establish and document change control processes | CMA_0265 - Establish and document change control processes | Manual, Disabled | 1.1.0 |
| Limit privileges to make changes in production environment | CMA_C1206 - Limit privileges to make changes in production environment | Manual, Disabled | 1.1.0 |
| Require approval for account creation | CMA_0431 - Require approval for account creation | Manual, Disabled | 1.1.0 |
| Review user groups and applications with access to sensitive data | CMA_0481 - Review user groups and applications with access to sensitive data | Manual, Disabled | 1.1.0 |

Improvement

Nonconformity and corrective action

ID: ISO 27001:2013 C.10.1.d Ownership: Shared

| Name (Azure portal) | Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Update POA&M items | CMA_C1157 - Update POA&M items | Manual, Disabled | 1.1.0 |

Nonconformity and corrective action

ID: ISO 27001:2013 C.10.1.e Ownership: Shared

| Name (Azure portal) | Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Update POA&M items | CMA_C1157 - Update POA&M items | Manual, Disabled | 1.1.0 |

Nonconformity and corrective action

ID: ISO 27001:2013 C.10.1.f Ownership: Shared

| Name (Azure portal) | Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Establish configuration management requirements for developers | CMA_0270 - Establish configuration management requirements for developers | Manual, Disabled | 1.1.0 |
| Perform audit for configuration change control | CMA_0390 - Perform audit for configuration change control | Manual, Disabled | 1.1.0 |
| Update POA&M items | CMA_C1157 - Update POA&M items | Manual, Disabled | 1.1.0 |

Nonconformity and corrective action

ID: ISO 27001:2013 C.10.1.g Ownership: Shared

| Name (Azure portal) | Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Establish configuration management requirements for developers | CMA_0270 - Establish configuration management requirements for developers | Manual, Disabled | 1.1.0 |
| Perform audit for configuration change control | CMA_0390 - Perform audit for configuration change control | Manual, Disabled | 1.1.0 |
| Update POA&M items | CMA_C1157 - Update POA&M items | Manual, Disabled | 1.1.0 |

Context of the organization

Determining the scope of the information security management system

ID: ISO 27001:2013 C.4.3.a Ownership: Shared

| Name (Azure portal) | Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Develop SSP that meets criteria | CMA_C1492 - Develop SSP that meets criteria | Manual, Disabled | 1.1.0 |
| Establish an information security program | CMA_0263 - Establish an information security program | Manual, Disabled | 1.1.0 |
| Update information security policies | CMA_0518 - Update information security policies | Manual, Disabled | 1.1.0 |

Determining the scope of the information security management system

ID: ISO 27001:2013 C.4.3.b Ownership: Shared

| Name (Azure portal) | Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Develop SSP that meets criteria | CMA_C1492 - Develop SSP that meets criteria | Manual, Disabled | 1.1.0 |
| Establish an information security program | CMA_0263 - Establish an information security program | Manual, Disabled | 1.1.0 |
| Update information security policies | CMA_0518 - Update information security policies | Manual, Disabled | 1.1.0 |

Determining the scope of the information security management system

ID: ISO 27001:2013 C.4.3.c Ownership: Shared

| Name (Azure portal) | Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Align business objectives and IT goals | CMA_0008 - Align business objectives and IT goals | Manual, Disabled | 1.1.0 |
| Determine supplier contract obligations | CMA_0140 - Determine supplier contract obligations | Manual, Disabled | 1.1.0 |
| Develop SSP that meets criteria | CMA_C1492 - Develop SSP that meets criteria | Manual, Disabled | 1.1.0 |
| Document acquisition contract acceptance criteria | CMA_0187 - Document acquisition contract acceptance criteria | Manual, Disabled | 1.1.0 |
| Document protection of personal data in acquisition contracts | CMA_0194 - Document protection of personal data in acquisition contracts | Manual, Disabled | 1.1.0 |
| Document protection of security information in acquisition contracts | CMA_0195 - Document protection of security information in acquisition contracts | Manual, Disabled | 1.1.0 |
| Document requirements for the use of shared data in contracts | CMA_0197 - Document requirements for the use of shared data in contracts | Manual, Disabled | 1.1.0 |
| Document security assurance requirements in acquisition contracts | CMA_0199 - Document security assurance requirements in acquisition contracts | Manual, Disabled | 1.1.0 |
| Document security documentation requirements in acquisition contract | CMA_0200 - Document security documentation requirements in acquisition contract | Manual, Disabled | 1.1.0 |
| Document security functional requirements in acquisition contracts | CMA_0201 - Document security functional requirements in acquisition contracts | Manual, Disabled | 1.1.0 |
| Document security strength requirements in acquisition contracts | CMA_0203 - Document security strength requirements in acquisition contracts | Manual, Disabled | 1.1.0 |
| Document the information system environment in acquisition contracts | CMA_0205 - Document the information system environment in acquisition contracts | Manual, Disabled | 1.1.0 |
| Document the protection of cardholder data in third party contracts | CMA_0207 - Document the protection of cardholder data in third party contracts | Manual, Disabled | 1.1.0 |
| Employ business case to record the resources required | CMA_C1735 - Employ business case to record the resources required | Manual, Disabled | 1.1.0 |
| Ensure capital planning and investment requests include necessary resources | CMA_C1734 - Ensure capital planning and investment requests include necessary resources | Manual, Disabled | 1.1.0 |
| Establish privacy requirements for contractors and service providers | CMA_C1810 - Establish privacy requirements for contractors and service providers | Manual, Disabled | 1.1.0 |
| Govern the allocation of resources | CMA_0293 - Govern the allocation of resources | Manual, Disabled | 1.1.0 |
| Secure commitment from leadership | CMA_0489 - Secure commitment from leadership | Manual, Disabled | 1.1.0 |

Information security management system

ID: ISO 27001:2013 C.4.4 Ownership: Shared

| Name (Azure portal) | Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Develop access control policies and procedures | CMA_0144 - Develop access control policies and procedures | Manual, Disabled | 1.1.0 |
| Document security and privacy training activities | CMA_0198 - Document security and privacy training activities | Manual, Disabled | 1.1.0 |
| Establish a privacy program | CMA_0257 - Establish a privacy program | Manual, Disabled | 1.1.0 |
| Govern policies and procedures | CMA_0292 - Govern policies and procedures | Manual, Disabled | 1.1.0 |
| Update privacy plan, policies, and procedures | CMA_C1807 - Update privacy plan, policies, and procedures | Manual, Disabled | 1.1.0 |

Leadership

Leadership and commitment

ID: ISO 27001:2013 C.5.1.a Ownership: Shared

| Name (Azure portal) | Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Appoint a senior information security officer | CMA_C1733 - Appoint a senior information security officer | Manual, Disabled | 1.1.0 |
| Develop access control policies and procedures | CMA_0144 - Develop access control policies and procedures | Manual, Disabled | 1.1.0 |
| Document security and privacy training activities | CMA_0198 - Document security and privacy training activities | Manual, Disabled | 1.1.0 |
| Establish a privacy program | CMA_0257 - Establish a privacy program | Manual, Disabled | 1.1.0 |
| Govern policies and procedures | CMA_0292 - Govern policies and procedures | Manual, Disabled | 1.1.0 |
| Update privacy plan, policies, and procedures | CMA_C1807 - Update privacy plan, policies, and procedures | Manual, Disabled | 1.1.0 |

Leadership and commitment

ID: ISO 27001:2013 C.5.1.b Ownership: Shared

| Name (Azure portal) | Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Appoint a senior information security officer | CMA_C1733 - Appoint a senior information security officer | Manual, Disabled | 1.1.0 |
| Develop access control policies and procedures | CMA_0144 - Develop access control policies and procedures | Manual, Disabled | 1.1.0 |
| Develop audit and accountability policies and procedures | CMA_0154 - Develop audit and accountability policies and procedures | Manual, Disabled | 1.1.0 |
| Develop information security policies and procedures | CMA_0158 - Develop information security policies and procedures | Manual, Disabled | 1.1.0 |
| Document security and privacy training activities | CMA_0198 - Document security and privacy training activities | Manual, Disabled | 1.1.0 |
| Establish a privacy program | CMA_0257 - Establish a privacy program | Manual, Disabled | 1.1.0 |
| Establish an information security program | CMA_0263 - Establish an information security program | Manual, Disabled | 1.1.0 |
| Establish and document change control processes | CMA_0265 - Establish and document change control processes | Manual, Disabled | 1.1.0 |
| Establish configuration management requirements for developers | CMA_0270 - Establish configuration management requirements for developers | Manual, Disabled | 1.1.0 |
| Govern policies and procedures | CMA_0292 - Govern policies and procedures | Manual, Disabled | 1.1.0 |
| Perform audit for configuration change control | CMA_0390 - Perform audit for configuration change control | Manual, Disabled | 1.1.0 |
| Review access control policies and procedures | CMA_0457 - Review access control policies and procedures | Manual, Disabled | 1.1.0 |
| Review and update configuration management policies and procedures | CMA_C1175 - Review and update configuration management policies and procedures | Manual, Disabled | 1.1.0 |
| Review and update contingency planning policies and procedures | CMA_C1243 - Review and update contingency planning policies and procedures | Manual, Disabled | 1.1.0 |
| Review and update identification and authentication policies and procedures | CMA_C1299 - Review and update identification and authentication policies and procedures | Manual, Disabled | 1.1.0 |
| Review and update incident response policies and procedures | CMA_C1352 - Review and update incident response policies and procedures | Manual, Disabled | 1.1.0 |
| Review and update information integrity policies and procedures | CMA_C1667 - Review and update information integrity policies and procedures | Manual, Disabled | 1.1.0 |
| Review and update media protection policies and procedures | CMA_C1427 - Review and update media protection policies and procedures | Manual, Disabled | 1.1.0 |
| Review and update personnel security policies and procedures | CMA_C1507 - Review and update personnel security policies and procedures | Manual, Disabled | 1.1.0 |
| Review and update physical and environmental policies and procedures | CMA_C1446 - Review and update physical and environmental policies and procedures | Manual, Disabled | 1.1.0 |
| Review and update planning policies and procedures | CMA_C1491 - Review and update planning policies and procedures | Manual, Disabled | 1.1.0 |
| Review and update risk assessment policies and procedures | CMA_C1537 - Review and update risk assessment policies and procedures | Manual, Disabled | 1.1.0 |
| Review and update system and communications protection policies and procedures | CMA_C1616 - Review and update system and communications protection policies and procedures | Manual, Disabled | 1.1.0 |
| Review and update system and services acquisition policies and procedures | CMA_C1560 - Review and update system and services acquisition policies and procedures | Manual, Disabled | 1.1.0 |
| Review and update system maintenance policies and procedures | CMA_C1395 - Review and update system maintenance policies and procedures | Manual, Disabled | 1.1.0 |
| Review security assessment and authorization policies and procedures | CMA_C1143 - Review security assessment and authorization policies and procedures | Manual, Disabled | 1.1.0 |
| Update information security policies | CMA_0518 - Update information security policies | Manual, Disabled | 1.1.0 |
| Update privacy plan, policies, and procedures | CMA_C1807 - Update privacy plan, policies, and procedures | Manual, Disabled | 1.1.0 |

Leadership and commitment

ID: ISO 27001:2013 C.5.1.c Ownership: Shared

| Name (Azure portal) | Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Align business objectives and IT goals | CMA_0008 - Align business objectives and IT goals | Manual, Disabled | 1.1.0 |
| Allocate resources in determining information system requirements | CMA_C1561 - Allocate resources in determining information system requirements | Manual, Disabled | 1.1.0 |
| Appoint a senior information security officer | CMA_C1733 - Appoint a senior information security officer | Manual, Disabled | 1.1.0 |
| Employ business case to record the resources required | CMA_C1735 - Employ business case to record the resources required | Manual, Disabled | 1.1.0 |
| Ensure capital planning and investment requests include necessary resources | CMA_C1734 - Ensure capital planning and investment requests include necessary resources | Manual, Disabled | 1.1.0 |
| Ensure privacy program information is publicly available | CMA_C1867 - Ensure privacy program information is publicly available | Manual, Disabled | 1.1.0 |
| Establish a discrete line item in budgeting documentation | CMA_C1563 - Establish a discrete line item in budgeting documentation | Manual, Disabled | 1.1.0 |
| Establish a privacy program | CMA_0257 - Establish a privacy program | Manual, Disabled | 1.1.0 |
| Govern the allocation of resources | CMA_0293 - Govern the allocation of resources | Manual, Disabled | 1.1.0 |
| Secure commitment from leadership | CMA_0489 - Secure commitment from leadership | Manual, Disabled | 1.1.0 |

Leadership and commitment

ID: ISO 27001:2013 C.5.1.d Ownership: Shared

| Name (Azure portal) | Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Appoint a senior information security officer | CMA_C1733 - Appoint a senior information security officer | Manual, Disabled | 1.1.0 |

Leadership and commitment

ID: ISO 27001:2013 C.5.1.e Ownership: Shared

| Name (Azure portal) | Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Appoint a senior information security officer | CMA_C1733 - Appoint a senior information security officer | Manual, Disabled | 1.1.0 |
| Define performance metrics | CMA_0124 - Define performance metrics | Manual, Disabled | 1.1.0 |
| Establish an information security program | CMA_0263 - Establish an information security program | Manual, Disabled | 1.1.0 |

Leadership and commitment

ID: ISO 27001:2013 C.5.1.f Ownership: Shared

| Name (Azure portal) | Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Align business objectives and IT goals | CMA_0008 - Align business objectives and IT goals | Manual, Disabled | 1.1.0 |
| Allocate resources in determining information system requirements | CMA_C1561 - Allocate resources in determining information system requirements | Manual, Disabled | 1.1.0 |
| Appoint a senior information security officer | CMA_C1733 - Appoint a senior information security officer | Manual, Disabled | |