Edit

Share via


ISM Controls and multifactor authentication Maturity Levels

This table outlines the ISM controls related to multifactor authentication.

ISM control Sep 2024 Maturity Level Control Measure
ISM-0109 3 Event logs from workstations are analyzed in a timely manner to detect cyber security events. Out of scope for this guide.
ISM-0123 2, 3 Cyber security incidents are reported to the Chief Information Security Officer, or one of their delegates, as soon as possible after they occur or are discovered. Out of scope for this guide.
ISM-0140 2, 3 Cyber security incidents are reported to ASD as soon as possible after they occur or are discovered. Out of scope for this guide.
ISM-0974 2, 3 Multifactor authentication is used to authenticate unprivileged users of systems. Create conditional access policy requiring multifactor authentication.
ISM-1173 2, 3 Multifactor authentication is used to authenticate privileged users of systems. Create conditional access policy requiring multifactor authentication.
ISM-1228 2, 3 Cyber security events are analyzed in a timely manner to identify cyber security incidents. Out of scope for this guide.
ISM-1401 1, 2, 3 Multifactor authentication uses either: something users have and something users know, or something users have that be unlocked with something users know or are. Create conditional access policy requiring multifactor authentication.
ISM-1504 1, 2, 3 Multifactor authentication is used to authenticate users to their organization’s online services that process, store, or communicate their organization’s sensitive data. Create conditional access policy requiring multifactor authentication.
ISM-1505 3 Multifactor authentication is used to authenticate users of data repositories. Create conditional access policy requiring multifactor authentication.
ISM-1679 1, 2, 3 Multifactor authentication is used to authenticate users to third-party online services that process, store, or communicate their organization’s sensitive data. Create conditional access policy requiring multifactor authentication.
ISM-1680 1, 2, 3 Multifactor authentication (where available) is used to authenticate users to third-party online services that process, store, or communicate their organization’s nonsensitive data. Create conditional access policy requiring multifactor authentication.
ISM-1681 1, 2, 3 Multifactor authentication is used to authenticate customers to online customer services that process, store, or communicate sensitive customer data. Nonorganizational users (External ID for customers) are outside of the scope of this document. Microsoft Entra ID supports organizational users, which include employees and guest identities (B2B users)
ISM-1682 2, 3 Multifactor authentication used for authenticating users of systems is phishing-resistant. Create conditional access policy requiring multifactor authentication and requiring a phishing resistant authentication strength.
ISM-1683 2, 3 Successful and unsuccessful multifactor authentication events are centrally logged. Verify authentication events are being logged in the Microsoft Entra sign-in logs.
ISM-1815 2, 3 Event logs are protected from unauthorized modification and deletion. Access controls in place to prevent authorized updates.
ISM-1819 2, 3 Following the identification of a cyber security incident, the cyber security incident response plan is enacted. Out of scope for this guide.
ISM-1872 2, 3 Multifactor authentication used for authenticating users of online services is phishing-resistant. Create conditional access policy requiring multifactor authentication and requiring a phishing resistant authentication strength.
ISM-1873 2 Multifactor authentication used for authenticating customers of online customer services provides a phishing-resistant option. Nonorganizational users (External ID for customers) are outside of the scope of this document. Microsoft Entra ID supports organizational users, which include employees and guest identities (B2B users)
ISM-1874 3 Multifactor authentication used for authenticating customers of online customer services is phishing-resistant. Nonorganizational users (External ID for customers) are outside of the scope of this document. Microsoft Entra ID supports organizational users, which include employees and guest identities (B2B users)
ISM-1892 1, 2, 3 Multifactor authentication is used to authenticate users to their organization’s online customer services that process, store, or communicate their organization’s sensitive customer data. Create conditional access policy requiring multifactor authentication.
ISM-1893 1, 2, 3 Multifactor authentication is used to authenticate users to third-party online customer services that process, store, or communicate their organization’s sensitive customer data. Create conditional access policy requiring multifactor authentication.
ISM-1894 3 Multifactor authentication used for authenticating users of data repositories is phishing-resistant. Create conditional access policy requiring multifactor authentication and requiring a phishing resistant authentication strength.
ISM-1906 2, 3 Event logs from internet-facing servers are analyzed in a timely manner to detect cyber security events. Out of scope for this guide.
ISM-1907 3 Event logs from non-internet-facing servers are analyzed in a timely manner to detect cyber security events. Out of scope for this guide.

The rest of this guide shows how you can configure Microsoft Entra Conditional Access policies to enforce multifactor authentication for the required maturity level.