Details of the ISO 27001:2013 Regulatory Compliance built-in initiative

The following article details how the Azure Policy Regulatory Compliance built-in initiative definition maps to compliance domains and controls in ISO 27001:2013. For more information about this compliance standard, see ISO 27001:2013. To understand Ownership, review the policy type and Shared responsibility in the cloud.

The following mappings are to the ISO 27001:2013 controls. Many of the controls are implemented with an Azure Policy initiative definition. To review the complete initiative definition, open Policy in the Azure portal and select the Definitions page. Then, find and select the ISO 27001:2013 Regulatory Compliance built-in initiative definition.

Important

Each control below is associated with one or more Azure Policy definitions. These policies may help you assess compliance with the control; however, there often is not a one-to-one or complete match between a control and one or more policies. As such, Compliant in Azure Policy refers only to the policy definitions themselves; this doesn't ensure you're fully compliant with all requirements of a control. In addition, the compliance standard includes controls that aren't addressed by any Azure Policy definitions at this time. Therefore, compliance in Azure Policy is only a partial view of your overall compliance status. The associations between compliance domains, controls, and Azure Policy definitions for this compliance standard may change over time. To view the change history, see the GitHub Commit History.

Cryptography

Policy on the use of cryptographic controls

ID: ISO 27001:2013 A.10.1.1 Ownership: Shared

Name (Azure portal)	Description	Effect(s)	Version (GitHub)
Add system-assigned managed identity to enable Guest Configuration assignments on virtual machines with no identities	This policy adds a system-assigned managed identity to virtual machines hosted in Azure that are supported by Guest Configuration but do not have any managed identities. A system-assigned managed identity is a prerequisite for all Guest Configuration assignments and must be added to machines before using any Guest Configuration policy definitions. For more information on Guest Configuration, visit https://aka.ms/gcpol.	modify	4.1.0
Add system-assigned managed identity to enable Guest Configuration assignments on VMs with a user-assigned identity	This policy adds a system-assigned managed identity to virtual machines hosted in Azure that are supported by Guest Configuration and have at least one user-assigned identity but do not have a system-assigned managed identity. A system-assigned managed identity is a prerequisite for all Guest Configuration assignments and must be added to machines before using any Guest Configuration policy definitions. For more information on Guest Configuration, visit https://aka.ms/gcpol.	modify	4.1.0
App Service apps should only be accessible over HTTPS	Use of HTTPS ensures server/service authentication and protects data in transit from network layer eavesdropping attacks.	Audit, Disabled, Deny	4.0.0
Audit Windows machines that do not store passwords using reversible encryption	Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if Windows machines that do not store passwords using reversible encryption	AuditIfNotExists, Disabled	2.0.0
Automation account variables should be encrypted	It is important to enable encryption of Automation account variable assets when storing sensitive data	Audit, Deny, Disabled	1.1.0
Define cryptographic use	CMA_0120 - Define cryptographic use	Manual, Disabled	1.1.0
Deploy the Windows Guest Configuration extension to enable Guest Configuration assignments on Windows VMs	This policy deploys the Windows Guest Configuration extension to Windows virtual machines hosted in Azure that are supported by Guest Configuration. The Windows Guest Configuration extension is a prerequisite for all Windows Guest Configuration assignments and must be deployed to machines before using any Windows Guest Configuration policy definition. For more information on Guest Configuration, visit https://aka.ms/gcpol.	deployIfNotExists	1.2.0
Document and distribute a privacy policy	CMA_0188 - Document and distribute a privacy policy	Manual, Disabled	1.1.0
Function apps should only be accessible over HTTPS	Use of HTTPS ensures server/service authentication and protects data in transit from network layer eavesdropping attacks.	Audit, Disabled, Deny	5.0.0
Implement privacy notice delivery methods	CMA_0324 - Implement privacy notice delivery methods	Manual, Disabled	1.1.0
Only secure connections to your Azure Cache for Redis should be enabled	Audit enabling of only connections via SSL to Azure Cache for Redis. Use of secure connections ensures authentication between the server and the service and protects data in transit from network layer attacks such as man-in-the-middle, eavesdropping, and session-hijacking	Audit, Deny, Disabled	1.0.0
Provide privacy notice	CMA_0414 - Provide privacy notice	Manual, Disabled	1.1.0
Restrict communications	CMA_0449 - Restrict communications	Manual, Disabled	1.1.0
Review and update system and communications protection policies and procedures	CMA_C1616 - Review and update system and communications protection policies and procedures	Manual, Disabled	1.1.0
Secure transfer to storage accounts should be enabled	Audit requirement of Secure transfer in your storage account. Secure transfer is an option that forces your storage account to accept requests only from secure connections (HTTPS). Use of HTTPS ensures authentication between the server and the service and protects data in transit from network layer attacks such as man-in-the-middle, eavesdropping, and session-hijacking	Audit, Deny, Disabled	2.0.0
Service Fabric clusters should have the ClusterProtectionLevel property set to EncryptAndSign	Service Fabric provides three levels of protection (None, Sign and EncryptAndSign) for node-to-node communication using a primary cluster certificate. Set the protection level to ensure that all node-to-node messages are encrypted and digitally signed	Audit, Deny, Disabled	1.1.0
Transparent Data Encryption on SQL databases should be enabled	Transparent data encryption should be enabled to protect data-at-rest and meet compliance requirements	AuditIfNotExists, Disabled	2.0.0

Key Management

ID: ISO 27001:2013 A.10.1.2 Ownership: Shared

Name (Azure portal)	Description	Effect(s)	Version (GitHub)
Define a physical key management process	CMA_0115 - Define a physical key management process	Manual, Disabled	1.1.0
Define cryptographic use	CMA_0120 - Define cryptographic use	Manual, Disabled	1.1.0
Define organizational requirements for cryptographic key management	CMA_0123 - Define organizational requirements for cryptographic key management	Manual, Disabled	1.1.0
Determine assertion requirements	CMA_0136 - Determine assertion requirements	Manual, Disabled	1.1.0
Document security strength requirements in acquisition contracts	CMA_0203 - Document security strength requirements in acquisition contracts	Manual, Disabled	1.1.0
Establish a password policy	CMA_0256 - Establish a password policy	Manual, Disabled	1.1.0
Identify actions allowed without authentication	CMA_0295 - Identify actions allowed without authentication	Manual, Disabled	1.1.0
Identify and authenticate non-organizational users	CMA_C1346 - Identify and authenticate non-organizational users	Manual, Disabled	1.1.0
Implement parameters for memorized secret verifiers	CMA_0321 - Implement parameters for memorized secret verifiers	Manual, Disabled	1.1.0
Issue public key certificates	CMA_0347 - Issue public key certificates	Manual, Disabled	1.1.0
Manage symmetric cryptographic keys	CMA_0367 - Manage symmetric cryptographic keys	Manual, Disabled	1.1.0
Protect passwords with encryption	CMA_0408 - Protect passwords with encryption	Manual, Disabled	1.1.0
Restrict access to private keys	CMA_0445 - Restrict access to private keys	Manual, Disabled	1.1.0
Review and update system and communications protection policies and procedures	CMA_C1616 - Review and update system and communications protection policies and procedures	Manual, Disabled	1.1.0
Terminate customer controlled account credentials	CMA_C1022 - Terminate customer controlled account credentials	Manual, Disabled	1.1.0

Physical And Environmental Security

Physical security perimeter

ID: ISO 27001:2013 A.11.1.1 Ownership: Shared

Name (Azure portal)	Description	Effect(s)	Version (GitHub)
Adopt biometric authentication mechanisms	CMA_0005 - Adopt biometric authentication mechanisms	Manual, Disabled	1.1.0
Control physical access	CMA_0081 - Control physical access	Manual, Disabled	1.1.0
Define a physical key management process	CMA_0115 - Define a physical key management process	Manual, Disabled	1.1.0
Establish and maintain an asset inventory	CMA_0266 - Establish and maintain an asset inventory	Manual, Disabled	1.1.0
Implement physical security for offices, working areas, and secure areas	CMA_0323 - Implement physical security for offices, working areas, and secure areas	Manual, Disabled	1.1.0
Install an alarm system	CMA_0338 - Install an alarm system	Manual, Disabled	1.1.0
Manage a secure surveillance camera system	CMA_0354 - Manage a secure surveillance camera system	Manual, Disabled	1.1.0
Review and update physical and environmental policies and procedures	CMA_C1446 - Review and update physical and environmental policies and procedures	Manual, Disabled	1.1.0

Physical entry controls

ID: ISO 27001:2013 A.11.1.2 Ownership: Shared

Name (Azure portal)	Description	Effect(s)	Version (GitHub)
Adopt biometric authentication mechanisms	CMA_0005 - Adopt biometric authentication mechanisms	Manual, Disabled	1.1.0
Control physical access	CMA_0081 - Control physical access	Manual, Disabled	1.1.0
Define a physical key management process	CMA_0115 - Define a physical key management process	Manual, Disabled	1.1.0
Designate personnel to supervise unauthorized maintenance activities	CMA_C1422 - Designate personnel to supervise unauthorized maintenance activities	Manual, Disabled	1.1.0
Establish and maintain an asset inventory	CMA_0266 - Establish and maintain an asset inventory	Manual, Disabled	1.1.0
Implement physical security for offices, working areas, and secure areas	CMA_0323 - Implement physical security for offices, working areas, and secure areas	Manual, Disabled	1.1.0
Maintain list of authorized remote maintenance personnel	CMA_C1420 - Maintain list of authorized remote maintenance personnel	Manual, Disabled	1.1.0
Manage maintenance personnel	CMA_C1421 - Manage maintenance personnel	Manual, Disabled	1.1.0
Manage the input, output, processing, and storage of data	CMA_0369 - Manage the input, output, processing, and storage of data	Manual, Disabled	1.1.0

Securing offices, rooms and facilities

ID: ISO 27001:2013 A.11.1.3 Ownership: Shared

Name (Azure portal)	Description	Effect(s)	Version (GitHub)
Adopt biometric authentication mechanisms	CMA_0005 - Adopt biometric authentication mechanisms	Manual, Disabled	1.1.0
Control physical access	CMA_0081 - Control physical access	Manual, Disabled	1.1.0
Define a physical key management process	CMA_0115 - Define a physical key management process	Manual, Disabled	1.1.0
Establish and maintain an asset inventory	CMA_0266 - Establish and maintain an asset inventory	Manual, Disabled	1.1.0
Implement physical security for offices, working areas, and secure areas	CMA_0323 - Implement physical security for offices, working areas, and secure areas	Manual, Disabled	1.1.0

Protecting against external and environmental threats

ID: ISO 27001:2013 A.11.1.4 Ownership: Shared

Name (Azure portal)	Description	Effect(s)	Version (GitHub)
Create separate alternate and primary storage sites	CMA_C1269 - Create separate alternate and primary storage sites	Manual, Disabled	1.1.0
Ensure alternate storage site safeguards are equivalent to primary site	CMA_C1268 - Ensure alternate storage site safeguards are equivalent to primary site	Manual, Disabled	1.1.0
Ensure information system fails in known state	CMA_C1662 - Ensure information system fails in known state	Manual, Disabled	1.1.0
Establish alternate storage site to store and retrieve backup information	CMA_C1267 - Establish alternate storage site to store and retrieve backup information	Manual, Disabled	1.1.0
Establish an alternate processing site	CMA_0262 - Establish an alternate processing site	Manual, Disabled	1.1.0
Identify and mitigate potential issues at alternate storage site	CMA_C1271 - Identify and mitigate potential issues at alternate storage site	Manual, Disabled	1.1.0
Implement physical security for offices, working areas, and secure areas	CMA_0323 - Implement physical security for offices, working areas, and secure areas	Manual, Disabled	1.1.0
Install an alarm system	CMA_0338 - Install an alarm system	Manual, Disabled	1.1.0
Plan for continuance of essential business functions	CMA_C1255 - Plan for continuance of essential business functions	Manual, Disabled	1.1.0

Working in secure areas

ID: ISO 27001:2013 A.11.1.5 Ownership: Shared

Name (Azure portal)	Description	Effect(s)	Version (GitHub)
Coordinate contingency plans with related plans	CMA_0086 - Coordinate contingency plans with related plans	Manual, Disabled	1.1.0
Review and update contingency planning policies and procedures	CMA_C1243 - Review and update contingency planning policies and procedures	Manual, Disabled	1.1.0
Review and update physical and environmental policies and procedures	CMA_C1446 - Review and update physical and environmental policies and procedures	Manual, Disabled	1.1.0

Delivering and loading areas

ID: ISO 27001:2013 A.11.1.6 Ownership: Shared

Name (Azure portal)	Description	Effect(s)	Version (GitHub)
Adopt biometric authentication mechanisms	CMA_0005 - Adopt biometric authentication mechanisms	Manual, Disabled	1.1.0
Define requirements for managing assets	CMA_0125 - Define requirements for managing assets	Manual, Disabled	1.1.0
Install an alarm system	CMA_0338 - Install an alarm system	Manual, Disabled	1.1.0
Manage a secure surveillance camera system	CMA_0354 - Manage a secure surveillance camera system	Manual, Disabled	1.1.0
Manage the transportation of assets	CMA_0370 - Manage the transportation of assets	Manual, Disabled	1.1.0

Equipment sitting and protection

ID: ISO 27001:2013 A.11.2.1 Ownership: Shared

Name (Azure portal)	Description	Effect(s)	Version (GitHub)
Implement physical security for offices, working areas, and secure areas	CMA_0323 - Implement physical security for offices, working areas, and secure areas	Manual, Disabled	1.1.0

Supporting utilities

ID: ISO 27001:2013 A.11.2.2 Ownership: Shared

Name (Azure portal)	Description	Effect(s)	Version (GitHub)
Employ automatic emergency lighting	CMA_0209 - Employ automatic emergency lighting	Manual, Disabled	1.1.0
Establish requirements for internet service providers	CMA_0278 - Establish requirements for internet service providers	Manual, Disabled	1.1.0
Implement physical security for offices, working areas, and secure areas	CMA_0323 - Implement physical security for offices, working areas, and secure areas	Manual, Disabled	1.1.0

Cabling security

ID: ISO 27001:2013 A.11.2.3 Ownership: Shared

Name (Azure portal)	Description	Effect(s)	Version (GitHub)
Adopt biometric authentication mechanisms	CMA_0005 - Adopt biometric authentication mechanisms	Manual, Disabled	1.1.0
Control physical access	CMA_0081 - Control physical access	Manual, Disabled	1.1.0
Implement physical security for offices, working areas, and secure areas	CMA_0323 - Implement physical security for offices, working areas, and secure areas	Manual, Disabled	1.1.0
Manage the input, output, processing, and storage of data	CMA_0369 - Manage the input, output, processing, and storage of data	Manual, Disabled	1.1.0

Equipment maintenance

ID: ISO 27001:2013 A.11.2.4 Ownership: Shared

Name (Azure portal)	Description	Effect(s)	Version (GitHub)
Automate remote maintenance activities	CMA_C1402 - Automate remote maintenance activities	Manual, Disabled	1.1.0
Control maintenance and repair activities	CMA_0080 - Control maintenance and repair activities	Manual, Disabled	1.1.0
Document personnel acceptance of privacy requirements	CMA_0193 - Document personnel acceptance of privacy requirements	Manual, Disabled	1.1.0
Employ a media sanitization mechanism	CMA_0208 - Employ a media sanitization mechanism	Manual, Disabled	1.1.0
Implement controls to secure all media	CMA_0314 - Implement controls to secure all media	Manual, Disabled	1.1.0
Manage nonlocal maintenance and diagnostic activities	CMA_0364 - Manage nonlocal maintenance and diagnostic activities	Manual, Disabled	1.1.0
Produce complete records of remote maintenance activities	CMA_C1403 - Produce complete records of remote maintenance activities	Manual, Disabled	1.1.0
Provide privacy training	CMA_0415 - Provide privacy training	Manual, Disabled	1.1.0
Provide timely maintenance support	CMA_C1425 - Provide timely maintenance support	Manual, Disabled	1.1.0

Removal of assets

ID: ISO 27001:2013 A.11.2.5 Ownership: Shared

Name (Azure portal)	Description	Effect(s)	Version (GitHub)
Control maintenance and repair activities	CMA_0080 - Control maintenance and repair activities	Manual, Disabled	1.1.0
Define requirements for managing assets	CMA_0125 - Define requirements for managing assets	Manual, Disabled	1.1.0
Employ a media sanitization mechanism	CMA_0208 - Employ a media sanitization mechanism	Manual, Disabled	1.1.0
Implement controls to secure all media	CMA_0314 - Implement controls to secure all media	Manual, Disabled	1.1.0
Manage nonlocal maintenance and diagnostic activities	CMA_0364 - Manage nonlocal maintenance and diagnostic activities	Manual, Disabled	1.1.0
Manage the transportation of assets	CMA_0370 - Manage the transportation of assets	Manual, Disabled	1.1.0

Security of equipment and assets off-premises

ID: ISO 27001:2013 A.11.2.6 Ownership: Shared

Name (Azure portal)	Description	Effect(s)	Version (GitHub)
Define mobile device requirements	CMA_0122 - Define mobile device requirements	Manual, Disabled	1.1.0
Ensure security safeguards not needed when the individuals return	CMA_C1183 - Ensure security safeguards not needed when the individuals return	Manual, Disabled	1.1.0
Establish terms and conditions for accessing resources	CMA_C1076 - Establish terms and conditions for accessing resources	Manual, Disabled	1.1.0
Establish terms and conditions for processing resources	CMA_C1077 - Establish terms and conditions for processing resources	Manual, Disabled	1.1.0
Implement controls to secure all media	CMA_0314 - Implement controls to secure all media	Manual, Disabled	1.1.0
Implement controls to secure alternate work sites	CMA_0315 - Implement controls to secure alternate work sites	Manual, Disabled	1.1.0
Manage the transportation of assets	CMA_0370 - Manage the transportation of assets	Manual, Disabled	1.1.0
Not allow for information systems to accompany with individuals	CMA_C1182 - Not allow for information systems to accompany with individuals	Manual, Disabled	1.1.0
Protect data in transit using encryption	CMA_0403 - Protect data in transit using encryption	Manual, Disabled	1.1.0
Verify security controls for external information systems	CMA_0541 - Verify security controls for external information systems	Manual, Disabled	1.1.0

Secure disposal or re-use of equipment

ID: ISO 27001:2013 A.11.2.7 Ownership: Shared

Name (Azure portal)	Description	Effect(s)	Version (GitHub)
Adhere to retention periods defined	CMA_0004 - Adhere to retention periods defined	Manual, Disabled	1.1.0
Employ a media sanitization mechanism	CMA_0208 - Employ a media sanitization mechanism	Manual, Disabled	1.1.0
Implement controls to secure all media	CMA_0314 - Implement controls to secure all media	Manual, Disabled	1.1.0
Perform disposition review	CMA_0391 - Perform disposition review	Manual, Disabled	1.1.0
Verify personal data is deleted at the end of processing	CMA_0540 - Verify personal data is deleted at the end of processing	Manual, Disabled	1.1.0

Unattended user equipment

ID: ISO 27001:2013 A.11.2.8 Ownership: Shared

Name (Azure portal)	Description	Effect(s)	Version (GitHub)
Provide privacy training	CMA_0415 - Provide privacy training	Manual, Disabled	1.1.0
Terminate user session automatically	CMA_C1054 - Terminate user session automatically	Manual, Disabled	1.1.0

Clear desk and clear screen policy

ID: ISO 27001:2013 A.11.2.9 Ownership: Shared

Name (Azure portal)	Description	Effect(s)	Version (GitHub)
Employ a media sanitization mechanism	CMA_0208 - Employ a media sanitization mechanism	Manual, Disabled	1.1.0
Implement controls to secure all media	CMA_0314 - Implement controls to secure all media	Manual, Disabled	1.1.0
Provide privacy training	CMA_0415 - Provide privacy training	Manual, Disabled	1.1.0

Operations Security

Documented operating procedures

ID: ISO 27001:2013 A.12.1.1 Ownership: Shared

Name (Azure portal)	Description	Effect(s)	Version (GitHub)
Develop access control policies and procedures	CMA_0144 - Develop access control policies and procedures	Manual, Disabled	1.1.0
Develop and establish a system security plan	CMA_0151 - Develop and establish a system security plan	Manual, Disabled	1.1.0
Develop audit and accountability policies and procedures	CMA_0154 - Develop audit and accountability policies and procedures	Manual, Disabled	1.1.0
Develop information security policies and procedures	CMA_0158 - Develop information security policies and procedures	Manual, Disabled	1.1.0
Distribute information system documentation	CMA_C1584 - Distribute information system documentation	Manual, Disabled	1.1.0
Document customer-defined actions	CMA_C1582 - Document customer-defined actions	Manual, Disabled	1.1.0
Document security and privacy training activities	CMA_0198 - Document security and privacy training activities	Manual, Disabled	1.1.0
Enforce mandatory and discretionary access control policies	CMA_0246 - Enforce mandatory and discretionary access control policies	Manual, Disabled	1.1.0
Establish security requirements for the manufacturing of connected devices	CMA_0279 - Establish security requirements for the manufacturing of connected devices	Manual, Disabled	1.1.0
Govern policies and procedures	CMA_0292 - Govern policies and procedures	Manual, Disabled	1.1.0
Implement security engineering principles of information systems	CMA_0325 - Implement security engineering principles of information systems	Manual, Disabled	1.1.0
Obtain Admin documentation	CMA_C1580 - Obtain Admin documentation	Manual, Disabled	1.1.0
Obtain user security function documentation	CMA_C1581 - Obtain user security function documentation	Manual, Disabled	1.1.0
Protect administrator and user documentation	CMA_C1583 - Protect administrator and user documentation	Manual, Disabled	1.1.0
Provide privacy training	CMA_0415 - Provide privacy training	Manual, Disabled	1.1.0
Review access control policies and procedures	CMA_0457 - Review access control policies and procedures	Manual, Disabled	1.1.0
Review and update configuration management policies and procedures	CMA_C1175 - Review and update configuration management policies and procedures	Manual, Disabled	1.1.0
Review and update contingency planning policies and procedures	CMA_C1243 - Review and update contingency planning policies and procedures	Manual, Disabled	1.1.0
Review and update identification and authentication policies and procedures	CMA_C1299 - Review and update identification and authentication policies and procedures	Manual, Disabled	1.1.0
Review and update incident response policies and procedures	CMA_C1352 - Review and update incident response policies and procedures	Manual, Disabled	1.1.0
Review and update information integrity policies and procedures	CMA_C1667 - Review and update information integrity policies and procedures	Manual, Disabled	1.1.0
Review and update media protection policies and procedures	CMA_C1427 - Review and update media protection policies and procedures	Manual, Disabled	1.1.0
Review and update personnel security policies and procedures	CMA_C1507 - Review and update personnel security policies and procedures	Manual, Disabled	1.1.0
Review and update physical and environmental policies and procedures	CMA_C1446 - Review and update physical and environmental policies and procedures	Manual, Disabled	1.1.0
Review and update planning policies and procedures	CMA_C1491 - Review and update planning policies and procedures	Manual, Disabled	1.1.0
Review and update risk assessment policies and procedures	CMA_C1537 - Review and update risk assessment policies and procedures	Manual, Disabled	1.1.0
Review and update system and communications protection policies and procedures	CMA_C1616 - Review and update system and communications protection policies and procedures	Manual, Disabled	1.1.0
Review and update system and services acquisition policies and procedures	CMA_C1560 - Review and update system and services acquisition policies and procedures	Manual, Disabled	1.1.0
Review and update system maintenance policies and procedures	CMA_C1395 - Review and update system maintenance policies and procedures	Manual, Disabled	1.1.0
Review security assessment and authorization policies and procedures	CMA_C1143 - Review security assessment and authorization policies and procedures	Manual, Disabled	1.1.0
Update information security policies	CMA_0518 - Update information security policies	Manual, Disabled	1.1.0

Change management

ID: ISO 27001:2013 A.12.1.2 Ownership: Shared

Name (Azure portal)	Description	Effect(s)	Version (GitHub)
Address coding vulnerabilities	CMA_0003 - Address coding vulnerabilities	Manual, Disabled	1.1.0
Automate approval request for proposed changes	CMA_C1192 - Automate approval request for proposed changes	Manual, Disabled	1.1.0
Automate implementation of approved change notifications	CMA_C1196 - Automate implementation of approved change notifications	Manual, Disabled	1.1.0
Automate process to document implemented changes	CMA_C1195 - Automate process to document implemented changes	Manual, Disabled	1.1.0
Automate process to highlight unreviewed change proposals	CMA_C1193 - Automate process to highlight unreviewed change proposals	Manual, Disabled	1.1.0
Automate process to prohibit implementation of unapproved changes	CMA_C1194 - Automate process to prohibit implementation of unapproved changes	Manual, Disabled	1.1.0
Automate proposed documented changes	CMA_C1191 - Automate proposed documented changes	Manual, Disabled	1.1.0
Conduct a security impact analysis	CMA_0057 - Conduct a security impact analysis	Manual, Disabled	1.1.0
Develop and document application security requirements	CMA_0148 - Develop and document application security requirements	Manual, Disabled	1.1.0
Develop and maintain a vulnerability management standard	CMA_0152 - Develop and maintain a vulnerability management standard	Manual, Disabled	1.1.0
Document the information system environment in acquisition contracts	CMA_0205 - Document the information system environment in acquisition contracts	Manual, Disabled	1.1.0
Enforce security configuration settings	CMA_0249 - Enforce security configuration settings	Manual, Disabled	1.1.0
Establish a risk management strategy	CMA_0258 - Establish a risk management strategy	Manual, Disabled	1.1.0
Establish a secure software development program	CMA_0259 - Establish a secure software development program	Manual, Disabled	1.1.0
Establish and document change control processes	CMA_0265 - Establish and document change control processes	Manual, Disabled	1.1.0
Establish configuration management requirements for developers	CMA_0270 - Establish configuration management requirements for developers	Manual, Disabled	1.1.0
Implement physical security for offices, working areas, and secure areas	CMA_0323 - Implement physical security for offices, working areas, and secure areas	Manual, Disabled	1.1.0
Install an alarm system	CMA_0338 - Install an alarm system	Manual, Disabled	1.1.0
Manage nonlocal maintenance and diagnostic activities	CMA_0364 - Manage nonlocal maintenance and diagnostic activities	Manual, Disabled	1.1.0
Perform a privacy impact assessment	CMA_0387 - Perform a privacy impact assessment	Manual, Disabled	1.1.0
Perform a risk assessment	CMA_0388 - Perform a risk assessment	Manual, Disabled	1.1.0
Perform audit for configuration change control	CMA_0390 - Perform audit for configuration change control	Manual, Disabled	1.1.0
Perform vulnerability scans	CMA_0393 - Perform vulnerability scans	Manual, Disabled	1.1.0
Remediate information system flaws	CMA_0427 - Remediate information system flaws	Manual, Disabled	1.1.0
Require developers to document approved changes and potential impact	CMA_C1597 - Require developers to document approved changes and potential impact	Manual, Disabled	1.1.0
Require developers to implement only approved changes	CMA_C1596 - Require developers to implement only approved changes	Manual, Disabled	1.1.0
Require developers to manage change integrity	CMA_C1595 - Require developers to manage change integrity	Manual, Disabled	1.1.0

Capacity management

ID: ISO 27001:2013 A.12.1.3 Ownership: Shared

Name (Azure portal)	Description	Effect(s)	Version (GitHub)
Conduct capacity planning	CMA_C1252 - Conduct capacity planning	Manual, Disabled	1.1.0
Govern and monitor audit processing activities	CMA_0289 - Govern and monitor audit processing activities	Manual, Disabled	1.1.0

Separation of development, testing and operational environments

ID: ISO 27001:2013 A.12.1.4 Ownership: Shared

Name (Azure portal)	Description	Effect(s)	Version (GitHub)
Conduct a security impact analysis	CMA_0057 - Conduct a security impact analysis	Manual, Disabled	1.1.0
Ensure there are no unencrypted static authenticators	CMA_C1340 - Ensure there are no unencrypted static authenticators	Manual, Disabled	1.1.0
Establish and document change control processes	CMA_0265 - Establish and document change control processes	Manual, Disabled	1.1.0
Establish configuration management requirements for developers	CMA_0270 - Establish configuration management requirements for developers	Manual, Disabled	1.1.0
Implement controls to protect PII	CMA_C1839 - Implement controls to protect PII	Manual, Disabled	1.1.0
Incorporate security and data privacy practices in research processing	CMA_0331 - Incorporate security and data privacy practices in research processing	Manual, Disabled	1.1.0
Perform a privacy impact assessment	CMA_0387 - Perform a privacy impact assessment	Manual, Disabled	1.1.0
Perform audit for configuration change control	CMA_0390 - Perform audit for configuration change control	Manual, Disabled	1.1.0
Perform vulnerability scans	CMA_0393 - Perform vulnerability scans	Manual, Disabled	1.1.0
Remediate information system flaws	CMA_0427 - Remediate information system flaws	Manual, Disabled	1.1.0

Controls against malware

ID: ISO 27001:2013 A.12.2.1 Ownership: Shared

Name (Azure portal)	Description	Effect(s)	Version (GitHub)
Block untrusted and unsigned processes that run from USB	CMA_0050 - Block untrusted and unsigned processes that run from USB	Manual, Disabled	1.1.0
Control maintenance and repair activities	CMA_0080 - Control maintenance and repair activities	Manual, Disabled	1.1.0
Manage gateways	CMA_0363 - Manage gateways	Manual, Disabled	1.1.0
Manage nonlocal maintenance and diagnostic activities	CMA_0364 - Manage nonlocal maintenance and diagnostic activities	Manual, Disabled	1.1.0
Perform a trend analysis on threats	CMA_0389 - Perform a trend analysis on threats	Manual, Disabled	1.1.0
Perform vulnerability scans	CMA_0393 - Perform vulnerability scans	Manual, Disabled	1.1.0
Provide periodic security awareness training	CMA_C1091 - Provide periodic security awareness training	Manual, Disabled	1.1.0
Provide security training for new users	CMA_0419 - Provide security training for new users	Manual, Disabled	1.1.0
Provide updated security awareness training	CMA_C1090 - Provide updated security awareness training	Manual, Disabled	1.1.0
Review malware detections report weekly	CMA_0475 - Review malware detections report weekly	Manual, Disabled	1.1.0
Review threat protection status weekly	CMA_0479 - Review threat protection status weekly	Manual, Disabled	1.1.0
Update antivirus definitions	CMA_0517 - Update antivirus definitions	Manual, Disabled	1.1.0

Information backup

ID: ISO 27001:2013 A.12.3.1 Ownership: Shared

Name (Azure portal)	Description	Effect(s)	Version (GitHub)
Adhere to retention periods defined	CMA_0004 - Adhere to retention periods defined	Manual, Disabled	1.1.0
Conduct backup of information system documentation	CMA_C1289 - Conduct backup of information system documentation	Manual, Disabled	1.1.0
Create separate alternate and primary storage sites	CMA_C1269 - Create separate alternate and primary storage sites	Manual, Disabled	1.1.0
Ensure information system fails in known state	CMA_C1662 - Ensure information system fails in known state	Manual, Disabled	1.1.0
Establish an alternate processing site	CMA_0262 - Establish an alternate processing site	Manual, Disabled	1.1.0
Establish backup policies and procedures	CMA_0268 - Establish backup policies and procedures	Manual, Disabled	1.1.0
Implement controls to secure all media	CMA_0314 - Implement controls to secure all media	Manual, Disabled	1.1.0
Implement transaction based recovery	CMA_C1296 - Implement transaction based recovery	Manual, Disabled	1.1.0
Perform disposition review	CMA_0391 - Perform disposition review	Manual, Disabled	1.1.0
Plan for continuance of essential business functions	CMA_C1255 - Plan for continuance of essential business functions	Manual, Disabled	1.1.0
Separately store backup information	CMA_C1293 - Separately store backup information	Manual, Disabled	1.1.0
Transfer backup information to an alternate storage site	CMA_C1294 - Transfer backup information to an alternate storage site	Manual, Disabled	1.1.0
Verify personal data is deleted at the end of processing	CMA_0540 - Verify personal data is deleted at the end of processing	Manual, Disabled	1.1.0

Event Logging

ID: ISO 27001:2013 A.12.4.1 Ownership: Shared

Name (Azure portal)	Description	Effect(s)	Version (GitHub)
[Preview]: Log Analytics Extension should be enabled for listed virtual machine images	Reports virtual machines as non-compliant if the virtual machine image is not in the list defined and the extension is not installed.	AuditIfNotExists, Disabled	2.0.1-preview
Adhere to retention periods defined	CMA_0004 - Adhere to retention periods defined	Manual, Disabled	1.1.0
Alert personnel of information spillage	CMA_0007 - Alert personnel of information spillage	Manual, Disabled	1.1.0
Audit diagnostic setting for selected resource types	Audit diagnostic setting for selected resource types. Be sure to select only resource types which support diagnostics settings.	AuditIfNotExists	2.0.1
Audit privileged functions	CMA_0019 - Audit privileged functions	Manual, Disabled	1.1.0
Audit user account status	CMA_0020 - Audit user account status	Manual, Disabled	1.1.0
Auditing on SQL server should be enabled	Auditing on your SQL Server should be enabled to track database activities across all databases on the server and save them in an audit log.	AuditIfNotExists, Disabled	2.0.0
Authorize, monitor, and control voip	CMA_0025 - Authorize, monitor, and control voip	Manual, Disabled	1.1.0
Automate account management	CMA_0026 - Automate account management	Manual, Disabled	1.1.0
Check for privacy and security compliance before establishing internal connections	CMA_0053 - Check for privacy and security compliance before establishing internal connections	Manual, Disabled	1.1.0
Conduct a full text analysis of logged privileged commands	CMA_0056 - Conduct a full text analysis of logged privileged commands	Manual, Disabled	1.1.0
Configure Azure Audit capabilities	CMA_C1108 - Configure Azure Audit capabilities	Manual, Disabled	1.1.1
Correlate audit records	CMA_0087 - Correlate audit records	Manual, Disabled	1.1.0
Dependency agent should be enabled for listed virtual machine images	Reports virtual machines as non-compliant if the virtual machine image is not in the list defined and the agent is not installed. The list of OS images is updated over time as support is updated.	AuditIfNotExists, Disabled	2.0.0
Dependency agent should be enabled in virtual machine scale sets for listed virtual machine images	Reports virtual machine scale sets as non-compliant if the virtual machine image is not in the list defined and the agent is not installed. The list of OS images is updated over time as support is updated.	AuditIfNotExists, Disabled	2.0.0
Determine auditable events	CMA_0137 - Determine auditable events	Manual, Disabled	1.1.0
Develop an incident response plan	CMA_0145 - Develop an incident response plan	Manual, Disabled	1.1.0
Discover any indicators of compromise	CMA_C1702 - Discover any indicators of compromise	Manual, Disabled	1.1.0
Document the legal basis for processing personal information	CMA_0206 - Document the legal basis for processing personal information	Manual, Disabled	1.1.0
Enforce and audit access restrictions	CMA_C1203 - Enforce and audit access restrictions	Manual, Disabled	1.1.0
Establish requirements for audit review and reporting	CMA_0277 - Establish requirements for audit review and reporting	Manual, Disabled	1.1.0
Implement methods for consumer requests	CMA_0319 - Implement methods for consumer requests	Manual, Disabled	1.1.0
Implement system boundary protection	CMA_0328 - Implement system boundary protection	Manual, Disabled	1.1.0
Integrate audit review, analysis, and reporting	CMA_0339 - Integrate audit review, analysis, and reporting	Manual, Disabled	1.1.0
Integrate cloud app security with a siem	CMA_0340 - Integrate cloud app security with a siem	Manual, Disabled	1.1.0
Log Analytics extension should be enabled in virtual machine scale sets for listed virtual machine images	Reports virtual machine scale sets as non-compliant if the virtual machine image is not in the list defined and the extension is not installed.	AuditIfNotExists, Disabled	2.0.1
Manage gateways	CMA_0363 - Manage gateways	Manual, Disabled	1.1.0
Manage system and admin accounts	CMA_0368 - Manage system and admin accounts	Manual, Disabled	1.1.0
Monitor access across the organization	CMA_0376 - Monitor access across the organization	Manual, Disabled	1.1.0
Monitor account activity	CMA_0377 - Monitor account activity	Manual, Disabled	1.1.0
Monitor privileged role assignment	CMA_0378 - Monitor privileged role assignment	Manual, Disabled	1.1.0
Notify when account is not needed	CMA_0383 - Notify when account is not needed	Manual, Disabled	1.1.0
Obtain legal opinion for monitoring system activities	CMA_C1688 - Obtain legal opinion for monitoring system activities	Manual, Disabled	1.1.0
Perform a trend analysis on threats	CMA_0389 - Perform a trend analysis on threats	Manual, Disabled	1.1.0
Provide monitoring information as needed	CMA_C1689 - Provide monitoring information as needed	Manual, Disabled	1.1.0
Publish access procedures in SORNs	CMA_C1848 - Publish access procedures in SORNs	Manual, Disabled	1.1.0
Publish rules and regulations accessing Privacy Act records	CMA_C1847 - Publish rules and regulations accessing Privacy Act records	Manual, Disabled	1.1.0
Restrict access to privileged accounts	CMA_0446 - Restrict access to privileged accounts	Manual, Disabled	1.1.0
Retain security policies and procedures	CMA_0454 - Retain security policies and procedures	Manual, Disabled	1.1.0
Retain terminated user data	CMA_0455 - Retain terminated user data	Manual, Disabled	1.1.0
Review account provisioning logs	CMA_0460 - Review account provisioning logs	Manual, Disabled	1.1.0
Review administrator assignments weekly	CMA_0461 - Review administrator assignments weekly	Manual, Disabled	1.1.0
Review and update the events defined in AU-02	CMA_C1106 - Review and update the events defined in AU-02	Manual, Disabled	1.1.0
Review audit data	CMA_0466 - Review audit data	Manual, Disabled	1.1.0
Review changes for any unauthorized changes	CMA_C1204 - Review changes for any unauthorized changes	Manual, Disabled	1.1.0
Review cloud identity report overview	CMA_0468 - Review cloud identity report overview	Manual, Disabled	1.1.0
Review controlled folder access events	CMA_0471 - Review controlled folder access events	Manual, Disabled	1.1.0
Review file and folder activity	CMA_0473 - Review file and folder activity	Manual, Disabled	1.1.0
Review role group changes weekly	CMA_0476 - Review role group changes weekly	Manual, Disabled	1.1.0
Revoke privileged roles as appropriate	CMA_0483 - Revoke privileged roles as appropriate	Manual, Disabled	1.1.0
Route traffic through managed network access points	CMA_0484 - Route traffic through managed network access points	Manual, Disabled	1.1.0
Set automated notifications for new and trending cloud applications in your organization	CMA_0495 - Set automated notifications for new and trending cloud applications in your organization	Manual, Disabled	1.1.0
Use privileged identity management	CMA_0533 - Use privileged identity management	Manual, Disabled	1.1.0

Protection of log information

ID: ISO 27001:2013 A.12.4.2 Ownership: Shared

Name (Azure portal)	Description	Effect(s)	Version (GitHub)
Adhere to retention periods defined	CMA_0004 - Adhere to retention periods defined	Manual, Disabled	1.1.0
Define the duties of processors	CMA_0127 - Define the duties of processors	Manual, Disabled	1.1.0
Enable dual or joint authorization	CMA_0226 - Enable dual or joint authorization	Manual, Disabled	1.1.0
Perform disposition review	CMA_0391 - Perform disposition review	Manual, Disabled	1.1.0
Protect audit information	CMA_0401 - Protect audit information	Manual, Disabled	1.1.0
Record disclosures of PII to third parties	CMA_0422 - Record disclosures of PII to third parties	Manual, Disabled	1.1.0
Train staff on PII sharing and its consequences	CMA_C1871 - Train staff on PII sharing and its consequences	Manual, Disabled	1.1.0
Verify personal data is deleted at the end of processing	CMA_0540 - Verify personal data is deleted at the end of processing	Manual, Disabled	1.1.0

Administrator and operator logs

ID: ISO 27001:2013 A.12.4.3 Ownership: Shared

Name (Azure portal)	Description	Effect(s)	Version (GitHub)
[Preview]: Log Analytics Extension should be enabled for listed virtual machine images	Reports virtual machines as non-compliant if the virtual machine image is not in the list defined and the extension is not installed.	AuditIfNotExists, Disabled	2.0.1-preview
Audit diagnostic setting for selected resource types	Audit diagnostic setting for selected resource types. Be sure to select only resource types which support diagnostics settings.	AuditIfNotExists	2.0.1
Audit privileged functions	CMA_0019 - Audit privileged functions	Manual, Disabled	1.1.0
Audit user account status	CMA_0020 - Audit user account status	Manual, Disabled	1.1.0
Auditing on SQL server should be enabled	Auditing on your SQL Server should be enabled to track database activities across all databases on the server and save them in an audit log.	AuditIfNotExists, Disabled	2.0.0
Authorize, monitor, and control voip	CMA_0025 - Authorize, monitor, and control voip	Manual, Disabled	1.1.0
Automate account management	CMA_0026 - Automate account management	Manual, Disabled	1.1.0
Check for privacy and security compliance before establishing internal connections	CMA_0053 - Check for privacy and security compliance before establishing internal connections	Manual, Disabled	1.1.0
Conduct a full text analysis of logged privileged commands	CMA_0056 - Conduct a full text analysis of logged privileged commands	Manual, Disabled	1.1.0
Dependency agent should be enabled for listed virtual machine images	Reports virtual machines as non-compliant if the virtual machine image is not in the list defined and the agent is not installed. The list of OS images is updated over time as support is updated.	AuditIfNotExists, Disabled	2.0.0
Dependency agent should be enabled in virtual machine scale sets for listed virtual machine images	Reports virtual machine scale sets as non-compliant if the virtual machine image is not in the list defined and the agent is not installed. The list of OS images is updated over time as support is updated.	AuditIfNotExists, Disabled	2.0.0
Determine auditable events	CMA_0137 - Determine auditable events	Manual, Disabled	1.1.0
Enable dual or joint authorization	CMA_0226 - Enable dual or joint authorization	Manual, Disabled	1.1.0
Implement system boundary protection	CMA_0328 - Implement system boundary protection	Manual, Disabled	1.1.0
Log Analytics extension should be enabled in virtual machine scale sets for listed virtual machine images	Reports virtual machine scale sets as non-compliant if the virtual machine image is not in the list defined and the extension is not installed.	AuditIfNotExists, Disabled	2.0.1
Manage gateways	CMA_0363 - Manage gateways	Manual, Disabled	1.1.0
Manage system and admin accounts	CMA_0368 - Manage system and admin accounts	Manual, Disabled	1.1.0
Monitor access across the organization	CMA_0376 - Monitor access across the organization	Manual, Disabled	1.1.0
Monitor account activity	CMA_0377 - Monitor account activity	Manual, Disabled	1.1.0
Monitor privileged role assignment	CMA_0378 - Monitor privileged role assignment	Manual, Disabled	1.1.0
Notify when account is not needed	CMA_0383 - Notify when account is not needed	Manual, Disabled	1.1.0
Obtain legal opinion for monitoring system activities	CMA_C1688 - Obtain legal opinion for monitoring system activities	Manual, Disabled	1.1.0
Protect audit information	CMA_0401 - Protect audit information	Manual, Disabled	1.1.0
Provide monitoring information as needed	CMA_C1689 - Provide monitoring information as needed	Manual, Disabled	1.1.0
Restrict access to privileged accounts	CMA_0446 - Restrict access to privileged accounts	Manual, Disabled	1.1.0
Review audit data	CMA_0466 - Review audit data	Manual, Disabled	1.1.0
Revoke privileged roles as appropriate	CMA_0483 - Revoke privileged roles as appropriate	Manual, Disabled	1.1.0
Route traffic through managed network access points	CMA_0484 - Route traffic through managed network access points	Manual, Disabled	1.1.0
Use privileged identity management	CMA_0533 - Use privileged identity management	Manual, Disabled	1.1.0

Clock Synchronization

ID: ISO 27001:2013 A.12.4.4 Ownership: Shared

Name (Azure portal)	Description	Effect(s)	Version (GitHub)
[Preview]: Log Analytics Extension should be enabled for listed virtual machine images	Reports virtual machines as non-compliant if the virtual machine image is not in the list defined and the extension is not installed.	AuditIfNotExists, Disabled	2.0.1-preview
Audit diagnostic setting for selected resource types	Audit diagnostic setting for selected resource types. Be sure to select only resource types which support diagnostics settings.	AuditIfNotExists	2.0.1
Auditing on SQL server should be enabled	Auditing on your SQL Server should be enabled to track database activities across all databases on the server and save them in an audit log.	AuditIfNotExists, Disabled	2.0.0
Compile Audit records into system wide audit	CMA_C1140 - Compile Audit records into system wide audit	Manual, Disabled	1.1.0
Dependency agent should be enabled for listed virtual machine images	Reports virtual machines as non-compliant if the virtual machine image is not in the list defined and the agent is not installed. The list of OS images is updated over time as support is updated.	AuditIfNotExists, Disabled	2.0.0
Dependency agent should be enabled in virtual machine scale sets for listed virtual machine images	Reports virtual machine scale sets as non-compliant if the virtual machine image is not in the list defined and the agent is not installed. The list of OS images is updated over time as support is updated.	AuditIfNotExists, Disabled	2.0.0
Log Analytics extension should be enabled in virtual machine scale sets for listed virtual machine images	Reports virtual machine scale sets as non-compliant if the virtual machine image is not in the list defined and the extension is not installed.	AuditIfNotExists, Disabled	2.0.1
Use system clocks for audit records	CMA_0535 - Use system clocks for audit records	Manual, Disabled	1.1.0

Installation of software on operational systems

ID: ISO 27001:2013 A.12.5.1 Ownership: Shared

Name (Azure portal)	Description	Effect(s)	Version (GitHub)
Automate approval request for proposed changes	CMA_C1192 - Automate approval request for proposed changes	Manual, Disabled	1.1.0
Automate implementation of approved change notifications	CMA_C1196 - Automate implementation of approved change notifications	Manual, Disabled	1.1.0
Automate process to document implemented changes	CMA_C1195 - Automate process to document implemented changes	Manual, Disabled	1.1.0
Automate process to highlight unreviewed change proposals	CMA_C1193 - Automate process to highlight unreviewed change proposals	Manual, Disabled	1.1.0
Automate process to prohibit implementation of unapproved changes	CMA_C1194 - Automate process to prohibit implementation of unapproved changes	Manual, Disabled	1.1.0
Automate proposed documented changes	CMA_C1191 - Automate proposed documented changes	Manual, Disabled	1.1.0
Conduct a security impact analysis	CMA_0057 - Conduct a security impact analysis	Manual, Disabled	1.1.0
Develop and maintain a vulnerability management standard	CMA_0152 - Develop and maintain a vulnerability management standard	Manual, Disabled	1.1.0
Enforce security configuration settings	CMA_0249 - Enforce security configuration settings	Manual, Disabled	1.1.0
Establish a risk management strategy	CMA_0258 - Establish a risk management strategy	Manual, Disabled	1.1.0
Establish and document change control processes	CMA_0265 - Establish and document change control processes	Manual, Disabled	1.1.0
Establish configuration management requirements for developers	CMA_0270 - Establish configuration management requirements for developers	Manual, Disabled	1.1.0
Govern compliance of cloud service providers	CMA_0290 - Govern compliance of cloud service providers	Manual, Disabled	1.1.0
Perform a privacy impact assessment	CMA_0387 - Perform a privacy impact assessment	Manual, Disabled	1.1.0
Perform a risk assessment	CMA_0388 - Perform a risk assessment	Manual, Disabled	1.1.0
Perform audit for configuration change control	CMA_0390 - Perform audit for configuration change control	Manual, Disabled	1.1.0
Remediate information system flaws	CMA_0427 - Remediate information system flaws	Manual, Disabled	1.1.0
View and configure system diagnostic data	CMA_0544 - View and configure system diagnostic data	Manual, Disabled	1.1.0

Management of technical vulnerabilities

ID: ISO 27001:2013 A.12.6.1 Ownership: Shared

Name (Azure portal)	Description	Effect(s)	Version (GitHub)
A vulnerability assessment solution should be enabled on your virtual machines	Audits virtual machines to detect whether they are running a supported vulnerability assessment solution. A core component of every cyber risk and security program is the identification and analysis of vulnerabilities. Azure Security Center's standard pricing tier includes vulnerability scanning for your virtual machines at no extra cost. Additionally, Security Center can automatically deploy this tool for you.	AuditIfNotExists, Disabled	3.0.0
Conduct Risk Assessment	CMA_C1543 - Conduct Risk Assessment	Manual, Disabled	1.1.0
Conduct risk assessment and distribute its results	CMA_C1544 - Conduct risk assessment and distribute its results	Manual, Disabled	1.1.0
Conduct risk assessment and document its results	CMA_C1542 - Conduct risk assessment and document its results	Manual, Disabled	1.1.0
Incorporate flaw remediation into configuration management	CMA_C1671 - Incorporate flaw remediation into configuration management	Manual, Disabled	1.1.0
Perform a risk assessment	CMA_0388 - Perform a risk assessment	Manual, Disabled	1.1.0
Perform vulnerability scans	CMA_0393 - Perform vulnerability scans	Manual, Disabled	1.1.0
Remediate information system flaws	CMA_0427 - Remediate information system flaws	Manual, Disabled	1.1.0
Select additional testing for security control assessments	CMA_C1149 - Select additional testing for security control assessments	Manual, Disabled	1.1.0
SQL databases should have vulnerability findings resolved	Monitor vulnerability assessment scan results and recommendations for how to remediate database vulnerabilities.	AuditIfNotExists, Disabled	4.1.0
Vulnerabilities in security configuration on your machines should be remediated	Servers which do not satisfy the configured baseline will be monitored by Azure Security Center as recommendations	AuditIfNotExists, Disabled	3.1.0

Restrictions on software installation

ID: ISO 27001:2013 A.12.6.2 Ownership: Shared

Name (Azure portal)	Description	Effect(s)	Version (GitHub)
Automate approval request for proposed changes	CMA_C1192 - Automate approval request for proposed changes	Manual, Disabled	1.1.0
Automate implementation of approved change notifications	CMA_C1196 - Automate implementation of approved change notifications	Manual, Disabled	1.1.0
Automate process to document implemented changes	CMA_C1195 - Automate process to document implemented changes	Manual, Disabled	1.1.0
Automate process to highlight unreviewed change proposals	CMA_C1193 - Automate process to highlight unreviewed change proposals	Manual, Disabled	1.1.0
Automate process to prohibit implementation of unapproved changes	CMA_C1194 - Automate process to prohibit implementation of unapproved changes	Manual, Disabled	1.1.0
Automate proposed documented changes	CMA_C1191 - Automate proposed documented changes	Manual, Disabled	1.1.0
Conduct a security impact analysis	CMA_0057 - Conduct a security impact analysis	Manual, Disabled	1.1.0
Develop and maintain a vulnerability management standard	CMA_0152 - Develop and maintain a vulnerability management standard	Manual, Disabled	1.1.0
Enforce security configuration settings	CMA_0249 - Enforce security configuration settings	Manual, Disabled	1.1.0
Establish a risk management strategy	CMA_0258 - Establish a risk management strategy	Manual, Disabled	1.1.0
Establish and document change control processes	CMA_0265 - Establish and document change control processes	Manual, Disabled	1.1.0
Establish configuration management requirements for developers	CMA_0270 - Establish configuration management requirements for developers	Manual, Disabled	1.1.0
Govern compliance of cloud service providers	CMA_0290 - Govern compliance of cloud service providers	Manual, Disabled	1.1.0
Perform a privacy impact assessment	CMA_0387 - Perform a privacy impact assessment	Manual, Disabled	1.1.0
Perform a risk assessment	CMA_0388 - Perform a risk assessment	Manual, Disabled	1.1.0
Perform audit for configuration change control	CMA_0390 - Perform audit for configuration change control	Manual, Disabled	1.1.0
Remediate information system flaws	CMA_0427 - Remediate information system flaws	Manual, Disabled	1.1.0
View and configure system diagnostic data	CMA_0544 - View and configure system diagnostic data	Manual, Disabled	1.1.0

Information systems audit controls

ID: ISO 27001:2013 A.12.7.1 Ownership: Shared

Name (Azure portal)	Description	Effect(s)	Version (GitHub)
Employ independent team for penetration testing	CMA_C1171 - Employ independent team for penetration testing	Manual, Disabled	1.1.0

Communications Security

Network controls

ID: ISO 27001:2013 A.13.1.1 Ownership: Shared

Name (Azure portal)	Description	Effect(s)	Version (GitHub)
Adopt biometric authentication mechanisms	CMA_0005 - Adopt biometric authentication mechanisms	Manual, Disabled	1.1.0
All network ports should be restricted on network security groups associated to your virtual machine	Azure Security Center has identified some of your network security groups' inbound rules to be too permissive. Inbound rules should not allow access from 'Any' or 'Internet' ranges. This can potentially enable attackers to target your resources.	AuditIfNotExists, Disabled	3.0.0
Authorize access to security functions and information	CMA_0022 - Authorize access to security functions and information	Manual, Disabled	1.1.0
Authorize and manage access	CMA_0023 - Authorize and manage access	Manual, Disabled	1.1.0
Authorize remote access	CMA_0024 - Authorize remote access	Manual, Disabled	1.1.0
Configure workstations to check for digital certificates	CMA_0073 - Configure workstations to check for digital certificates	Manual, Disabled	1.1.0
Control information flow	CMA_0079 - Control information flow	Manual, Disabled	1.1.0
Document and implement wireless access guidelines	CMA_0190 - Document and implement wireless access guidelines	Manual, Disabled	1.1.0
Document mobility training	CMA_0191 - Document mobility training	Manual, Disabled	1.1.0
Document remote access guidelines	CMA_0196 - Document remote access guidelines	Manual, Disabled	1.1.0
Employ boundary protection to isolate information systems	CMA_C1639 - Employ boundary protection to isolate information systems	Manual, Disabled	1.1.0
Enforce logical access	CMA_0245 - Enforce logical access	Manual, Disabled	1.1.0
Enforce mandatory and discretionary access control policies	CMA_0246 - Enforce mandatory and discretionary access control policies	Manual, Disabled	1.1.0
Establish firewall and router configuration standards	CMA_0272 - Establish firewall and router configuration standards	Manual, Disabled	1.1.0
Establish network segmentation for card holder data environment	CMA_0273 - Establish network segmentation for card holder data environment	Manual, Disabled	1.1.0
Establish terms and conditions for accessing resources	CMA_C1076 - Establish terms and conditions for accessing resources	Manual, Disabled	1.1.0
Establish terms and conditions for processing resources	CMA_C1077 - Establish terms and conditions for processing resources	Manual, Disabled	1.1.0
Identify and authenticate network devices	CMA_0296 - Identify and authenticate network devices	Manual, Disabled	1.1.0
Identify and manage downstream information exchanges	CMA_0298 - Identify and manage downstream information exchanges	Manual, Disabled	1.1.0
Implement a fault tolerant name/address service	CMA_0305 - Implement a fault tolerant name/address service	Manual, Disabled	1.1.0
Implement controls to secure alternate work sites	CMA_0315 - Implement controls to secure alternate work sites	Manual, Disabled	1.1.0
Implement managed interface for each external service	CMA_C1626 - Implement managed interface for each external service	Manual, Disabled	1.1.0
Implement system boundary protection	CMA_0328 - Implement system boundary protection	Manual, Disabled	1.1.0
Monitor access across the organization	CMA_0376 - Monitor access across the organization	Manual, Disabled	1.1.0
Notify users of system logon or access	CMA_0382 - Notify users of system logon or access	Manual, Disabled	1.1.0
Prevent split tunneling for remote devices	CMA_C1632 - Prevent split tunneling for remote devices	Manual, Disabled	1.1.0
Produce, control and distribute asymmetric cryptographic keys	CMA_C1646 - Produce, control and distribute asymmetric cryptographic keys	Manual, Disabled	1.1.0
Protect data in transit using encryption	CMA_0403 - Protect data in transit using encryption	Manual, Disabled	1.1.0
Protect passwords with encryption	CMA_0408 - Protect passwords with encryption	Manual, Disabled	1.1.0
Protect wireless access	CMA_0411 - Protect wireless access	Manual, Disabled	1.1.0
Provide privacy training	CMA_0415 - Provide privacy training	Manual, Disabled	1.1.0
Provide secure name and address resolution services	CMA_0416 - Provide secure name and address resolution services	Manual, Disabled	1.1.0
Reauthenticate or terminate a user session	CMA_0421 - Reauthenticate or terminate a user session	Manual, Disabled	1.1.0
Require approval for account creation	CMA_0431 - Require approval for account creation	Manual, Disabled	1.1.0
Review user groups and applications with access to sensitive data	CMA_0481 - Review user groups and applications with access to sensitive data	Manual, Disabled	1.1.0
Secure the interface to external systems	CMA_0491 - Secure the interface to external systems	Manual, Disabled	1.1.0
Separate user and information system management functionality	CMA_0493 - Separate user and information system management functionality	Manual, Disabled	1.1.0
Storage accounts should restrict network access	Network access to storage accounts should be restricted. Configure network rules so only applications from allowed networks can access the storage account. To allow connections from specific internet or on-premises clients, access can be granted to traffic from specific Azure virtual networks or to public internet IP address ranges	Audit, Deny, Disabled	1.1.1
Use dedicated machines for administrative tasks	CMA_0527 - Use dedicated machines for administrative tasks	Manual, Disabled	1.1.0
Verify security controls for external information systems	CMA_0541 - Verify security controls for external information systems	Manual, Disabled	1.1.0

Security of network services

ID: ISO 27001:2013 A.13.1.2 Ownership: Shared

Name (Azure portal)	Description	Effect(s)	Version (GitHub)
Adopt biometric authentication mechanisms	CMA_0005 - Adopt biometric authentication mechanisms	Manual, Disabled	1.1.0
Control information flow	CMA_0079 - Control information flow	Manual, Disabled	1.1.0
Define and document government oversight	CMA_C1587 - Define and document government oversight	Manual, Disabled	1.1.0
Establish electronic signature and certificate requirements	CMA_0271 - Establish electronic signature and certificate requirements	Manual, Disabled	1.1.0
Establish firewall and router configuration standards	CMA_0272 - Establish firewall and router configuration standards	Manual, Disabled	1.1.0
Establish network segmentation for card holder data environment	CMA_0273 - Establish network segmentation for card holder data environment	Manual, Disabled	1.1.0
Identify and manage downstream information exchanges	CMA_0298 - Identify and manage downstream information exchanges	Manual, Disabled	1.1.0
Implement system boundary protection	CMA_0328 - Implement system boundary protection	Manual, Disabled	1.1.0
Prevent split tunneling for remote devices	CMA_C1632 - Prevent split tunneling for remote devices	Manual, Disabled	1.1.0
Require external service providers to comply with security requirements	CMA_C1586 - Require external service providers to comply with security requirements	Manual, Disabled	1.1.0
Require interconnection security agreements	CMA_C1151 - Require interconnection security agreements	Manual, Disabled	1.1.0
Review cloud service provider's compliance with policies and agreements	CMA_0469 - Review cloud service provider's compliance with policies and agreements	Manual, Disabled	1.1.0
Route traffic through managed network access points	CMA_0484 - Route traffic through managed network access points	Manual, Disabled	1.1.0
Secure the interface to external systems	CMA_0491 - Secure the interface to external systems	Manual, Disabled	1.1.0
Undergo independent security review	CMA_0515 - Undergo independent security review	Manual, Disabled	1.1.0
Update interconnection security agreements	CMA_0519 - Update interconnection security agreements	Manual, Disabled	1.1.0

Segregation of networks

ID: ISO 27001:2013 A.13.1.3 Ownership: Shared

Name (Azure portal)	Description	Effect(s)	Version (GitHub)
Authorize remote access	CMA_0024 - Authorize remote access	Manual, Disabled	1.1.0
Configure workstations to check for digital certificates	CMA_0073 - Configure workstations to check for digital certificates	Manual, Disabled	1.1.0
Control information flow	CMA_0079 - Control information flow	Manual, Disabled	1.1.0
Employ boundary protection to isolate information systems	CMA_C1639 - Employ boundary protection to isolate information systems	Manual, Disabled	1.1.0
Employ flow control mechanisms of encrypted information	CMA_0211 - Employ flow control mechanisms of encrypted information	Manual, Disabled	1.1.0
Establish firewall and router configuration standards	CMA_0272 - Establish firewall and router configuration standards	Manual, Disabled	1.1.0
Establish network segmentation for card holder data environment	CMA_0273 - Establish network segmentation for card holder data environment	Manual, Disabled	1.1.0
Identify and manage downstream information exchanges	CMA_0298 - Identify and manage downstream information exchanges	Manual, Disabled	1.1.0
Implement a fault tolerant name/address service	CMA_0305 - Implement a fault tolerant name/address service	Manual, Disabled	1.1.0
Implement managed interface for each external service	CMA_C1626 - Implement managed interface for each external service	Manual, Disabled	1.1.0
Implement system boundary protection	CMA_0328 - Implement system boundary protection	Manual, Disabled	1.1.0
Information flow control using security policy filters	CMA_C1029 - Information flow control using security policy filters	Manual, Disabled	1.1.0
Prevent split tunneling for remote devices	CMA_C1632 - Prevent split tunneling for remote devices	Manual, Disabled	1.1.0
Provide secure name and address resolution services	CMA_0416 - Provide secure name and address resolution services	Manual, Disabled	1.1.0
Secure the interface to external systems	CMA_0491 - Secure the interface to external systems	Manual, Disabled	1.1.0
Separate user and information system management functionality	CMA_0493 - Separate user and information system management functionality	Manual, Disabled	1.1.0
Use dedicated machines for administrative tasks	CMA_0527 - Use dedicated machines for administrative tasks	Manual, Disabled	1.1.0

Information transfer policies and procedures

ID: ISO 27001:2013 A.13.2.1 Ownership: Shared

Name (Azure portal)	Description	Effect(s)	Version (GitHub)
Authorize remote access	CMA_0024 - Authorize remote access	Manual, Disabled	1.1.0
Configure workstations to check for digital certificates	CMA_0073 - Configure workstations to check for digital certificates	Manual, Disabled	1.1.0
Control information flow	CMA_0079 - Control information flow	Manual, Disabled	1.1.0
Define mobile device requirements	CMA_0122 - Define mobile device requirements	Manual, Disabled	1.1.0
Document and implement wireless access guidelines	CMA_0190 - Document and implement wireless access guidelines	Manual, Disabled	1.1.0
Document mobility training	CMA_0191 - Document mobility training	Manual, Disabled	1.1.0
Document remote access guidelines	CMA_0196 - Document remote access guidelines	Manual, Disabled	1.1.0
Employ flow control mechanisms of encrypted information	CMA_0211 - Employ flow control mechanisms of encrypted information	Manual, Disabled	1.1.0
Establish firewall and router configuration standards	CMA_0272 - Establish firewall and router configuration standards	Manual, Disabled	1.1.0
Establish network segmentation for card holder data environment	CMA_0273 - Establish network segmentation for card holder data environment	Manual, Disabled	1.1.0
Establish terms and conditions for accessing resources	CMA_C1076 - Establish terms and conditions for accessing resources	Manual, Disabled	1.1.0
Establish terms and conditions for processing resources	CMA_C1077 - Establish terms and conditions for processing resources	Manual, Disabled	1.1.0
Explicitly notify use of collaborative computing devices	CMA_C1649 - Explicitly notify use of collaborative computing devices	Manual, Disabled	1.1.1
Identify and manage downstream information exchanges	CMA_0298 - Identify and manage downstream information exchanges	Manual, Disabled	1.1.0
Implement a fault tolerant name/address service	CMA_0305 - Implement a fault tolerant name/address service	Manual, Disabled	1.1.0
Implement controls to secure alternate work sites	CMA_0315 - Implement controls to secure alternate work sites	Manual, Disabled	1.1.0
Implement managed interface for each external service	CMA_C1626 - Implement managed interface for each external service	Manual, Disabled	1.1.0
Implement system boundary protection	CMA_0328 - Implement system boundary protection	Manual, Disabled	1.1.0
Information flow control using security policy filters	CMA_C1029 - Information flow control using security policy filters	Manual, Disabled	1.1.0
Only secure connections to your Azure Cache for Redis should be enabled	Audit enabling of only connections via SSL to Azure Cache for Redis. Use of secure connections ensures authentication between the server and the service and protects data in transit from network layer attacks such as man-in-the-middle, eavesdropping, and session-hijacking	Audit, Deny, Disabled	1.0.0
Produce, control and distribute asymmetric cryptographic keys	CMA_C1646 - Produce, control and distribute asymmetric cryptographic keys	Manual, Disabled	1.1.0
Prohibit remote activation of collaborative computing devices	CMA_C1648 - Prohibit remote activation of collaborative computing devices	Manual, Disabled	1.1.0
Protect data in transit using encryption	CMA_0403 - Protect data in transit using encryption	Manual, Disabled	1.1.0
Protect passwords with encryption	CMA_0408 - Protect passwords with encryption	Manual, Disabled	1.1.0
Protect wireless access	CMA_0411 - Protect wireless access	Manual, Disabled	1.1.0
Provide privacy training	CMA_0415 - Provide privacy training	Manual, Disabled	1.1.0
Provide secure name and address resolution services	CMA_0416 - Provide secure name and address resolution services	Manual, Disabled	1.1.0
Require interconnection security agreements	CMA_C1151 - Require interconnection security agreements	Manual, Disabled	1.1.0
Secure the interface to external systems	CMA_0491 - Secure the interface to external systems	Manual, Disabled	1.1.0
Secure transfer to storage accounts should be enabled	Audit requirement of Secure transfer in your storage account. Secure transfer is an option that forces your storage account to accept requests only from secure connections (HTTPS). Use of HTTPS ensures authentication between the server and the service and protects data in transit from network layer attacks such as man-in-the-middle, eavesdropping, and session-hijacking	Audit, Deny, Disabled	2.0.0
Update interconnection security agreements	CMA_0519 - Update interconnection security agreements	Manual, Disabled	1.1.0
Verify security controls for external information systems	CMA_0541 - Verify security controls for external information systems	Manual, Disabled	1.1.0

Agreements on information transfer

ID: ISO 27001:2013 A.13.2.2 Ownership: Shared

Name (Azure portal)	Description	Effect(s)	Version (GitHub)
Define and document government oversight	CMA_C1587 - Define and document government oversight	Manual, Disabled	1.1.0
Document personnel acceptance of privacy requirements	CMA_0193 - Document personnel acceptance of privacy requirements	Manual, Disabled	1.1.0
Identify external service providers	CMA_C1591 - Identify external service providers	Manual, Disabled	1.1.0
Implement privacy notice delivery methods	CMA_0324 - Implement privacy notice delivery methods	Manual, Disabled	1.1.0
Obtain consent prior to collection or processing of personal data	CMA_0385 - Obtain consent prior to collection or processing of personal data	Manual, Disabled	1.1.0
Provide privacy notice	CMA_0414 - Provide privacy notice	Manual, Disabled	1.1.0
Require external service providers to comply with security requirements	CMA_C1586 - Require external service providers to comply with security requirements	Manual, Disabled	1.1.0
Require interconnection security agreements	CMA_C1151 - Require interconnection security agreements	Manual, Disabled	1.1.0
Review cloud service provider's compliance with policies and agreements	CMA_0469 - Review cloud service provider's compliance with policies and agreements	Manual, Disabled	1.1.0
Undergo independent security review	CMA_0515 - Undergo independent security review	Manual, Disabled	1.1.0
Update interconnection security agreements	CMA_0519 - Update interconnection security agreements	Manual, Disabled	1.1.0

Electronic messaging

ID: ISO 27001:2013 A.13.2.3 Ownership: Shared

Name (Azure portal)	Description	Effect(s)	Version (GitHub)
Configure workstations to check for digital certificates	CMA_0073 - Configure workstations to check for digital certificates	Manual, Disabled	1.1.0
Control information flow	CMA_0079 - Control information flow	Manual, Disabled	1.1.0
Establish firewall and router configuration standards	CMA_0272 - Establish firewall and router configuration standards	Manual, Disabled	1.1.0
Establish network segmentation for card holder data environment	CMA_0273 - Establish network segmentation for card holder data environment	Manual, Disabled	1.1.0
Identify and manage downstream information exchanges	CMA_0298 - Identify and manage downstream information exchanges	Manual, Disabled	1.1.0
Implement a fault tolerant name/address service	CMA_0305 - Implement a fault tolerant name/address service	Manual, Disabled	1.1.0
Produce, control and distribute asymmetric cryptographic keys	CMA_C1646 - Produce, control and distribute asymmetric cryptographic keys	Manual, Disabled	1.1.0
Protect data in transit using encryption	CMA_0403 - Protect data in transit using encryption	Manual, Disabled	1.1.0
Protect passwords with encryption	CMA_0408 - Protect passwords with encryption	Manual, Disabled	1.1.0
Provide secure name and address resolution services	CMA_0416 - Provide secure name and address resolution services	Manual, Disabled	1.1.0

Confidentiality or non-disclosure agreements

ID: ISO 27001:2013 A.13.2.4 Ownership: Shared

Name (Azure portal)	Description	Effect(s)	Version (GitHub)
Develop acceptable use policies and procedures	CMA_0143 - Develop acceptable use policies and procedures	Manual, Disabled	1.1.0
Develop organization code of conduct policy	CMA_0159 - Develop organization code of conduct policy	Manual, Disabled	1.1.0
Develop security safeguards	CMA_0161 - Develop security safeguards	Manual, Disabled	1.1.0
Document organizational access agreements	CMA_0192 - Document organizational access agreements	Manual, Disabled	1.1.0
Document personnel acceptance of privacy requirements	CMA_0193 - Document personnel acceptance of privacy requirements	Manual, Disabled	1.1.0
Enforce rules of behavior and access agreements	CMA_0248 - Enforce rules of behavior and access agreements	Manual, Disabled	1.1.0
Ensure access agreements are signed or resigned timely	CMA_C1528 - Ensure access agreements are signed or resigned timely	Manual, Disabled	1.1.0
Prohibit unfair practices	CMA_0396 - Prohibit unfair practices	Manual, Disabled	1.1.0
Require users to sign access agreement	CMA_0440 - Require users to sign access agreement	Manual, Disabled	1.1.0
Review and sign revised rules of behavior	CMA_0465 - Review and sign revised rules of behavior	Manual, Disabled	1.1.0
Update information security policies	CMA_0518 - Update information security policies	Manual, Disabled	1.1.0
Update organizational access agreements	CMA_0520 - Update organizational access agreements	Manual, Disabled	1.1.0
Update rules of behavior and access agreements	CMA_0521 - Update rules of behavior and access agreements	Manual, Disabled	1.1.0
Update rules of behavior and access agreements every 3 years	CMA_0522 - Update rules of behavior and access agreements every 3 years	Manual, Disabled	1.1.0

System Acquisition, Development And Maintenance

Information security requirements analysis and specification

ID: ISO 27001:2013 A.14.1.1 Ownership: Shared

Name (Azure portal)	Description	Effect(s)	Version (GitHub)
Define information security roles and responsibilities	CMA_C1565 - Define information security roles and responsibilities	Manual, Disabled	1.1.0
Determine supplier contract obligations	CMA_0140 - Determine supplier contract obligations	Manual, Disabled	1.1.0
Develop a concept of operations (CONOPS)	CMA_0141 - Develop a concept of operations (CONOPS)	Manual, Disabled	1.1.0
Develop and establish a system security plan	CMA_0151 - Develop and establish a system security plan	Manual, Disabled	1.1.0
Develop information security policies and procedures	CMA_0158 - Develop information security policies and procedures	Manual, Disabled	1.1.0
Develop SSP that meets criteria	CMA_C1492 - Develop SSP that meets criteria	Manual, Disabled	1.1.0
Document acquisition contract acceptance criteria	CMA_0187 - Document acquisition contract acceptance criteria	Manual, Disabled	1.1.0
Document protection of personal data in acquisition contracts	CMA_0194 - Document protection of personal data in acquisition contracts	Manual, Disabled	1.1.0
Document protection of security information in acquisition contracts	CMA_0195 - Document protection of security information in acquisition contracts	Manual, Disabled	1.1.0
Document requirements for the use of shared data in contracts	CMA_0197 - Document requirements for the use of shared data in contracts	Manual, Disabled	1.1.0
Document security assurance requirements in acquisition contracts	CMA_0199 - Document security assurance requirements in acquisition contracts	Manual, Disabled	1.1.0
Document security documentation requirements in acquisition contract	CMA_0200 - Document security documentation requirements in acquisition contract	Manual, Disabled	1.1.0
Document security functional requirements in acquisition contracts	CMA_0201 - Document security functional requirements in acquisition contracts	Manual, Disabled	1.1.0
Document security strength requirements in acquisition contracts	CMA_0203 - Document security strength requirements in acquisition contracts	Manual, Disabled	1.1.0
Document the information system environment in acquisition contracts	CMA_0205 - Document the information system environment in acquisition contracts	Manual, Disabled	1.1.0
Document the protection of cardholder data in third party contracts	CMA_0207 - Document the protection of cardholder data in third party contracts	Manual, Disabled	1.1.0
Establish a privacy program	CMA_0257 - Establish a privacy program	Manual, Disabled	1.1.0
Establish security requirements for the manufacturing of connected devices	CMA_0279 - Establish security requirements for the manufacturing of connected devices	Manual, Disabled	1.1.0
Identify external service providers	CMA_C1591 - Identify external service providers	Manual, Disabled	1.1.0
Identify individuals with security roles and responsibilities	CMA_C1566 - Identify individuals with security roles and responsibilities	Manual, Disabled	1.1.1
Implement security engineering principles of information systems	CMA_0325 - Implement security engineering principles of information systems	Manual, Disabled	1.1.0
Integrate risk management process into SDLC	CMA_C1567 - Integrate risk management process into SDLC	Manual, Disabled	1.1.0
Review and update the information security architecture	CMA_C1504 - Review and update the information security architecture	Manual, Disabled	1.1.0
Review development process, standards and tools	CMA_C1610 - Review development process, standards and tools	Manual, Disabled	1.1.0

Securing application services on public networks

ID: ISO 27001:2013 A.14.1.2 Ownership: Shared

Name (Azure portal)	Description	Effect(s)	Version (GitHub)
Adopt biometric authentication mechanisms	CMA_0005 - Adopt biometric authentication mechanisms	Manual, Disabled	1.1.0
Authorize access to security functions and information	CMA_0022 - Authorize access to security functions and information	Manual, Disabled	1.1.0
Authorize and manage access	CMA_0023 - Authorize and manage access	Manual, Disabled	1.1.0
Authorize remote access	CMA_0024 - Authorize remote access	Manual, Disabled	1.1.0
Configure workstations to check for digital certificates	CMA_0073 - Configure workstations to check for digital certificates	Manual, Disabled	1.1.0
Control information flow	CMA_0079 - Control information flow	Manual, Disabled	1.1.0
Define cryptographic use	CMA_0120 - Define cryptographic use	Manual, Disabled	1.1.0
Document mobility training	CMA_0191 - Document mobility training	Manual, Disabled	1.1.0
Document remote access guidelines	CMA_0196 - Document remote access guidelines	Manual, Disabled	1.1.0
Employ flow control mechanisms of encrypted information	CMA_0211 - Employ flow control mechanisms of encrypted information	Manual, Disabled	1.1.0
Enforce logical access	CMA_0245 - Enforce logical access	Manual, Disabled	1.1.0
Enforce mandatory and discretionary access control policies	CMA_0246 - Enforce mandatory and discretionary access control policies	Manual, Disabled	1.1.0
Enforce user uniqueness	CMA_0250 - Enforce user uniqueness	Manual, Disabled	1.1.0
Establish firewall and router configuration standards	CMA_0272 - Establish firewall and router configuration standards	Manual, Disabled	1.1.0
Establish network segmentation for card holder data environment	CMA_0273 - Establish network segmentation for card holder data environment	Manual, Disabled	1.1.0
Identify and authenticate network devices	CMA_0296 - Identify and authenticate network devices	Manual, Disabled	1.1.0
Identify and authenticate non-organizational users	CMA_C1346 - Identify and authenticate non-organizational users	Manual, Disabled	1.1.0
Identify and manage downstream information exchanges	CMA_0298 - Identify and manage downstream information exchanges	Manual, Disabled	1.1.0
Implement a fault tolerant name/address service	CMA_0305 - Implement a fault tolerant name/address service	Manual, Disabled	1.1.0
Implement controls to secure all media	CMA_0314 - Implement controls to secure all media	Manual, Disabled	1.1.0
Implement controls to secure alternate work sites	CMA_0315 - Implement controls to secure alternate work sites	Manual, Disabled	1.1.0
Information flow control using security policy filters	CMA_C1029 - Information flow control using security policy filters	Manual, Disabled	1.1.0
Monitor access across the organization	CMA_0376 - Monitor access across the organization	Manual, Disabled	1.1.0
Notify users of system logon or access	CMA_0382 - Notify users of system logon or access	Manual, Disabled	1.1.0
Produce, control and distribute asymmetric cryptographic keys	CMA_C1646 - Produce, control and distribute asymmetric cryptographic keys	Manual, Disabled	1.1.0
Protect data in transit using encryption	CMA_0403 - Protect data in transit using encryption	Manual, Disabled	1.1.0
Protect passwords with encryption	CMA_0408 - Protect passwords with encryption	Manual, Disabled	1.1.0
Provide privacy training	CMA_0415 - Provide privacy training	Manual, Disabled	1.1.0
Provide secure name and address resolution services	CMA_0416 - Provide secure name and address resolution services	Manual, Disabled	1.1.0
Require approval for account creation	CMA_0431 - Require approval for account creation	Manual, Disabled	1.1.0
Review user groups and applications with access to sensitive data	CMA_0481 - Review user groups and applications with access to sensitive data	Manual, Disabled	1.1.0
Support personal verification credentials issued by legal authorities	CMA_0507 - Support personal verification credentials issued by legal authorities	Manual, Disabled	1.1.0

Protecting application services transactions

ID: ISO 27001:2013 A.14.1.3 Ownership: Shared

Name (Azure portal)	Description	Effect(s)	Version (GitHub)
Authorize access to security functions and information	CMA_0022 - Authorize access to security functions and information	Manual, Disabled	1.1.0
Authorize and manage access	CMA_0023 - Authorize and manage access	Manual, Disabled	1.1.0
Authorize remote access	CMA_0024 - Authorize remote access	Manual, Disabled	1.1.0
Configure workstations to check for digital certificates	CMA_0073 - Configure workstations to check for digital certificates	Manual, Disabled	1.1.0
Control information flow	CMA_0079 - Control information flow	Manual, Disabled	1.1.0
Define cryptographic use	CMA_0120 - Define cryptographic use	Manual, Disabled	1.1.0
Employ boundary protection to isolate information systems	CMA_C1639 - Employ boundary protection to isolate information systems	Manual, Disabled	1.1.0
Employ flow control mechanisms of encrypted information	CMA_0211 - Employ flow control mechanisms of encrypted information	Manual, Disabled	1.1.0
Enforce logical access	CMA_0245 - Enforce logical access	Manual, Disabled	1.1.0
Enforce mandatory and discretionary access control policies	CMA_0246 - Enforce mandatory and discretionary access control policies	Manual, Disabled	1.1.0
Enforce user uniqueness	CMA_0250 - Enforce user uniqueness	Manual, Disabled	1.1.0
Establish firewall and router configuration standards	CMA_0272 - Establish firewall and router configuration standards	Manual, Disabled	1.1.0
Establish network segmentation for card holder data environment	CMA_0273 - Establish network segmentation for card holder data environment	Manual, Disabled	1.1.0
Identify and authenticate non-organizational users	CMA_C1346 - Identify and authenticate non-organizational users	Manual, Disabled	1.1.0
Identify and manage downstream information exchanges	CMA_0298 - Identify and manage downstream information exchanges	Manual, Disabled	1.1.0
Implement a fault tolerant name/address service	CMA_0305 - Implement a fault tolerant name/address service	Manual, Disabled	1.1.0
Implement system boundary protection	CMA_0328 - Implement system boundary protection	Manual, Disabled	1.1.0
Information flow control using security policy filters	CMA_C1029 - Information flow control using security policy filters	Manual, Disabled	1.1.0
Prevent split tunneling for remote devices	CMA_C1632 - Prevent split tunneling for remote devices	Manual, Disabled	1.1.0
Produce, control and distribute asymmetric cryptographic keys	CMA_C1646 - Produce, control and distribute asymmetric cryptographic keys	Manual, Disabled	1.1.0
Protect data in transit using encryption	CMA_0403 - Protect data in transit using encryption	Manual, Disabled	1.1.0
Protect passwords with encryption	CMA_0408 - Protect passwords with encryption	Manual, Disabled	1.1.0
Provide secure name and address resolution services	CMA_0416 - Provide secure name and address resolution services	Manual, Disabled	1.1.0
Require approval for account creation	CMA_0431 - Require approval for account creation	Manual, Disabled	1.1.0
Review user groups and applications with access to sensitive data	CMA_0481 - Review user groups and applications with access to sensitive data	Manual, Disabled	1.1.0
Secure the interface to external systems	CMA_0491 - Secure the interface to external systems	Manual, Disabled	1.1.0
Separate user and information system management functionality	CMA_0493 - Separate user and information system management functionality	Manual, Disabled	1.1.0
Support personal verification credentials issued by legal authorities	CMA_0507 - Support personal verification credentials issued by legal authorities	Manual, Disabled	1.1.0
Use dedicated machines for administrative tasks	CMA_0527 - Use dedicated machines for administrative tasks	Manual, Disabled	1.1.0

Secure development policy

ID: ISO 27001:2013 A.14.2.1 Ownership: Shared

Name (Azure portal)	Description	Effect(s)	Version (GitHub)
Define information security roles and responsibilities	CMA_C1565 - Define information security roles and responsibilities	Manual, Disabled	1.1.0
Identify individuals with security roles and responsibilities	CMA_C1566 - Identify individuals with security roles and responsibilities	Manual, Disabled	1.1.1
Integrate risk management process into SDLC	CMA_C1567 - Integrate risk management process into SDLC	Manual, Disabled	1.1.0
Require developers to build security architecture	CMA_C1612 - Require developers to build security architecture	Manual, Disabled	1.1.0
Require developers to describe accurate security functionality	CMA_C1613 - Require developers to describe accurate security functionality	Manual, Disabled	1.1.0
Require developers to provide unified security protection approach	CMA_C1614 - Require developers to provide unified security protection approach	Manual, Disabled	1.1.0
Review development process, standards and tools	CMA_C1610 - Review development process, standards and tools	Manual, Disabled	1.1.0

System change control procedures

ID: ISO 27001:2013 A.14.2.2 Ownership: Shared

Name (Azure portal)	Description	Effect(s)	Version (GitHub)
Address coding vulnerabilities	CMA_0003 - Address coding vulnerabilities	Manual, Disabled	1.1.0
Automate approval request for proposed changes	CMA_C1192 - Automate approval request for proposed changes	Manual, Disabled	1.1.0
Automate implementation of approved change notifications	CMA_C1196 - Automate implementation of approved change notifications	Manual, Disabled	1.1.0
Automate process to document implemented changes	CMA_C1195 - Automate process to document implemented changes	Manual, Disabled	1.1.0
Automate process to highlight unreviewed change proposals	CMA_C1193 - Automate process to highlight unreviewed change proposals	Manual, Disabled	1.1.0
Automate process to prohibit implementation of unapproved changes	CMA_C1194 - Automate process to prohibit implementation of unapproved changes	Manual, Disabled	1.1.0
Automate proposed documented changes	CMA_C1191 - Automate proposed documented changes	Manual, Disabled	1.1.0
Conduct a security impact analysis	CMA_0057 - Conduct a security impact analysis	Manual, Disabled	1.1.0
Develop and document application security requirements	CMA_0148 - Develop and document application security requirements	Manual, Disabled	1.1.0
Develop and maintain a vulnerability management standard	CMA_0152 - Develop and maintain a vulnerability management standard	Manual, Disabled	1.1.0
Document the information system environment in acquisition contracts	CMA_0205 - Document the information system environment in acquisition contracts	Manual, Disabled	1.1.0
Enforce security configuration settings	CMA_0249 - Enforce security configuration settings	Manual, Disabled	1.1.0
Establish a risk management strategy	CMA_0258 - Establish a risk management strategy	Manual, Disabled	1.1.0
Establish a secure software development program	CMA_0259 - Establish a secure software development program	Manual, Disabled	1.1.0
Establish and document change control processes	CMA_0265 - Establish and document change control processes	Manual, Disabled	1.1.0
Establish configuration management requirements for developers	CMA_0270 - Establish configuration management requirements for developers	Manual, Disabled	1.1.0
Incorporate flaw remediation into configuration management	CMA_C1671 - Incorporate flaw remediation into configuration management	Manual, Disabled	1.1.0
Perform a privacy impact assessment	CMA_0387 - Perform a privacy impact assessment	Manual, Disabled	1.1.0
Perform a risk assessment	CMA_0388 - Perform a risk assessment	Manual, Disabled	1.1.0
Perform audit for configuration change control	CMA_0390 - Perform audit for configuration change control	Manual, Disabled	1.1.0
Perform vulnerability scans	CMA_0393 - Perform vulnerability scans	Manual, Disabled	1.1.0
Remediate information system flaws	CMA_0427 - Remediate information system flaws	Manual, Disabled	1.1.0
Require developers to document approved changes and potential impact	CMA_C1597 - Require developers to document approved changes and potential impact	Manual, Disabled	1.1.0
Require developers to implement only approved changes	CMA_C1596 - Require developers to implement only approved changes	Manual, Disabled	1.1.0
Require developers to manage change integrity	CMA_C1595 - Require developers to manage change integrity	Manual, Disabled	1.1.0

Technical review of applications after operating platform changes

ID: ISO 27001:2013 A.14.2.3 Ownership: Shared

Name (Azure portal)	Description	Effect(s)	Version (GitHub)
Automate approval request for proposed changes	CMA_C1192 - Automate approval request for proposed changes	Manual, Disabled	1.1.0
Automate implementation of approved change notifications	CMA_C1196 - Automate implementation of approved change notifications	Manual, Disabled	1.1.0
Automate process to document implemented changes	CMA_C1195 - Automate process to document implemented changes	Manual, Disabled	1.1.0
Automate process to highlight unreviewed change proposals	CMA_C1193 - Automate process to highlight unreviewed change proposals	Manual, Disabled	1.1.0
Automate process to prohibit implementation of unapproved changes	CMA_C1194 - Automate process to prohibit implementation of unapproved changes	Manual, Disabled	1.1.0
Automate proposed documented changes	CMA_C1191 - Automate proposed documented changes	Manual, Disabled	1.1.0
Conduct a security impact analysis	CMA_0057 - Conduct a security impact analysis	Manual, Disabled	1.1.0
Develop and maintain a vulnerability management standard	CMA_0152 - Develop and maintain a vulnerability management standard	Manual, Disabled	1.1.0
Enforce security configuration settings	CMA_0249 - Enforce security configuration settings	Manual, Disabled	1.1.0
Establish a risk management strategy	CMA_0258 - Establish a risk management strategy	Manual, Disabled	1.1.0
Establish and document change control processes	CMA_0265 - Establish and document change control processes	Manual, Disabled	1.1.0
Establish configuration management requirements for developers	CMA_0270 - Establish configuration management requirements for developers	Manual, Disabled	1.1.0
Incorporate flaw remediation into configuration management	CMA_C1671 - Incorporate flaw remediation into configuration management	Manual, Disabled	1.1.0
Perform a privacy impact assessment	CMA_0387 - Perform a privacy impact assessment	Manual, Disabled	1.1.0
Perform a risk assessment	CMA_0388 - Perform a risk assessment	Manual, Disabled	1.1.0
Perform audit for configuration change control	CMA_0390 - Perform audit for configuration change control	Manual, Disabled	1.1.0
Perform vulnerability scans	CMA_0393 - Perform vulnerability scans	Manual, Disabled	1.1.0
Remediate information system flaws	CMA_0427 - Remediate information system flaws	Manual, Disabled	1.1.0

Restrictions on changes to software packages

ID: ISO 27001:2013 A.14.2.4 Ownership: Shared

Name (Azure portal)	Description	Effect(s)	Version (GitHub)
Address coding vulnerabilities	CMA_0003 - Address coding vulnerabilities	Manual, Disabled	1.1.0
Automate approval request for proposed changes	CMA_C1192 - Automate approval request for proposed changes	Manual, Disabled	1.1.0
Automate implementation of approved change notifications	CMA_C1196 - Automate implementation of approved change notifications	Manual, Disabled	1.1.0
Automate process to document implemented changes	CMA_C1195 - Automate process to document implemented changes	Manual, Disabled	1.1.0
Automate process to highlight unreviewed change proposals	CMA_C1193 - Automate process to highlight unreviewed change proposals	Manual, Disabled	1.1.0
Automate process to prohibit implementation of unapproved changes	CMA_C1194 - Automate process to prohibit implementation of unapproved changes	Manual, Disabled	1.1.0
Automate proposed documented changes	CMA_C1191 - Automate proposed documented changes	Manual, Disabled	1.1.0
Conduct a security impact analysis	CMA_0057 - Conduct a security impact analysis	Manual, Disabled	1.1.0
Develop and document application security requirements	CMA_0148 - Develop and document application security requirements	Manual, Disabled	1.1.0
Develop and maintain a vulnerability management standard	CMA_0152 - Develop and maintain a vulnerability management standard	Manual, Disabled	1.1.0
Document the information system environment in acquisition contracts	CMA_0205 - Document the information system environment in acquisition contracts	Manual, Disabled	1.1.0
Enforce security configuration settings	CMA_0249 - Enforce security configuration settings	Manual, Disabled	1.1.0
Establish a risk management strategy	CMA_0258 - Establish a risk management strategy	Manual, Disabled	1.1.0
Establish a secure software development program	CMA_0259 - Establish a secure software development program	Manual, Disabled	1.1.0
Establish and document change control processes	CMA_0265 - Establish and document change control processes	Manual, Disabled	1.1.0
Establish configuration management requirements for developers	CMA_0270 - Establish configuration management requirements for developers	Manual, Disabled	1.1.0
Perform a privacy impact assessment	CMA_0387 - Perform a privacy impact assessment	Manual, Disabled	1.1.0
Perform a risk assessment	CMA_0388 - Perform a risk assessment	Manual, Disabled	1.1.0
Perform audit for configuration change control	CMA_0390 - Perform audit for configuration change control	Manual, Disabled	1.1.0
Perform vulnerability scans	CMA_0393 - Perform vulnerability scans	Manual, Disabled	1.1.0
Remediate information system flaws	CMA_0427 - Remediate information system flaws	Manual, Disabled	1.1.0
Require developers to document approved changes and potential impact	CMA_C1597 - Require developers to document approved changes and potential impact	Manual, Disabled	1.1.0
Require developers to implement only approved changes	CMA_C1596 - Require developers to implement only approved changes	Manual, Disabled	1.1.0
Require developers to manage change integrity	CMA_C1595 - Require developers to manage change integrity	Manual, Disabled	1.1.0

Secure system engineering principles

ID: ISO 27001:2013 A.14.2.5 Ownership: Shared

Name (Azure portal)	Description	Effect(s)	Version (GitHub)
Perform information input validation	CMA_C1723 - Perform information input validation	Manual, Disabled	1.1.0
Require developers to build security architecture	CMA_C1612 - Require developers to build security architecture	Manual, Disabled	1.1.0
Require developers to describe accurate security functionality	CMA_C1613 - Require developers to describe accurate security functionality	Manual, Disabled	1.1.0
Require developers to provide unified security protection approach	CMA_C1614 - Require developers to provide unified security protection approach	Manual, Disabled	1.1.0
Review development process, standards and tools	CMA_C1610 - Review development process, standards and tools	Manual, Disabled	1.1.0

Secure development environment

ID: ISO 27001:2013 A.14.2.6 Ownership: Shared

Name (Azure portal)	Description	Effect(s)	Version (GitHub)
Conduct a security impact analysis	CMA_0057 - Conduct a security impact analysis	Manual, Disabled	1.1.0
Define information security roles and responsibilities	CMA_C1565 - Define information security roles and responsibilities	Manual, Disabled	1.1.0
Establish and document change control processes	CMA_0265 - Establish and document change control processes	Manual, Disabled	1.1.0
Establish configuration management requirements for developers	CMA_0270 - Establish configuration management requirements for developers	Manual, Disabled	1.1.0
Identify individuals with security roles and responsibilities	CMA_C1566 - Identify individuals with security roles and responsibilities	Manual, Disabled	1.1.1
Integrate risk management process into SDLC	CMA_C1567 - Integrate risk management process into SDLC	Manual, Disabled	1.1.0
Perform a privacy impact assessment	CMA_0387 - Perform a privacy impact assessment	Manual, Disabled	1.1.0
Perform audit for configuration change control	CMA_0390 - Perform audit for configuration change control	Manual, Disabled	1.1.0
Perform vulnerability scans	CMA_0393 - Perform vulnerability scans	Manual, Disabled	1.1.0
Remediate information system flaws	CMA_0427 - Remediate information system flaws	Manual, Disabled	1.1.0

Outsourced development

ID: ISO 27001:2013 A.14.2.7 Ownership: Shared

Name (Azure portal)	Description	Effect(s)	Version (GitHub)
Address coding vulnerabilities	CMA_0003 - Address coding vulnerabilities	Manual, Disabled	1.1.0
Assess risk in third party relationships	CMA_0014 - Assess risk in third party relationships	Manual, Disabled	1.1.0
Conduct a security impact analysis	CMA_0057 - Conduct a security impact analysis	Manual, Disabled	1.1.0
Define requirements for supplying goods and services	CMA_0126 - Define requirements for supplying goods and services	Manual, Disabled	1.1.0
Determine supplier contract obligations	CMA_0140 - Determine supplier contract obligations	Manual, Disabled	1.1.0
Develop and document application security requirements	CMA_0148 - Develop and document application security requirements	Manual, Disabled	1.1.0
Document acquisition contract acceptance criteria	CMA_0187 - Document acquisition contract acceptance criteria	Manual, Disabled	1.1.0
Document protection of personal data in acquisition contracts	CMA_0194 - Document protection of personal data in acquisition contracts	Manual, Disabled	1.1.0
Document protection of security information in acquisition contracts	CMA_0195 - Document protection of security information in acquisition contracts	Manual, Disabled	1.1.0
Document requirements for the use of shared data in contracts	CMA_0197 - Document requirements for the use of shared data in contracts	Manual, Disabled	1.1.0
Document security assurance requirements in acquisition contracts	CMA_0199 - Document security assurance requirements in acquisition contracts	Manual, Disabled	1.1.0
Document security documentation requirements in acquisition contract	CMA_0200 - Document security documentation requirements in acquisition contract	Manual, Disabled	1.1.0
Document security functional requirements in acquisition contracts	CMA_0201 - Document security functional requirements in acquisition contracts	Manual, Disabled	1.1.0
Document security strength requirements in acquisition contracts	CMA_0203 - Document security strength requirements in acquisition contracts	Manual, Disabled	1.1.0
Document the information system environment in acquisition contracts	CMA_0205 - Document the information system environment in acquisition contracts	Manual, Disabled	1.1.0
Document the protection of cardholder data in third party contracts	CMA_0207 - Document the protection of cardholder data in third party contracts	Manual, Disabled	1.1.0
Establish a secure software development program	CMA_0259 - Establish a secure software development program	Manual, Disabled	1.1.0
Establish and document change control processes	CMA_0265 - Establish and document change control processes	Manual, Disabled	1.1.0
Establish configuration management requirements for developers	CMA_0270 - Establish configuration management requirements for developers	Manual, Disabled	1.1.0
Establish policies for supply chain risk management	CMA_0275 - Establish policies for supply chain risk management	Manual, Disabled	1.1.0
Perform a privacy impact assessment	CMA_0387 - Perform a privacy impact assessment	Manual, Disabled	1.1.0
Perform audit for configuration change control	CMA_0390 - Perform audit for configuration change control	Manual, Disabled	1.1.0
Perform vulnerability scans	CMA_0393 - Perform vulnerability scans	Manual, Disabled	1.1.0
Remediate information system flaws	CMA_0427 - Remediate information system flaws	Manual, Disabled	1.1.0
Require developers to document approved changes and potential impact	CMA_C1597 - Require developers to document approved changes and potential impact	Manual, Disabled	1.1.0
Require developers to implement only approved changes	CMA_C1596 - Require developers to implement only approved changes	Manual, Disabled	1.1.0
Require developers to manage change integrity	CMA_C1595 - Require developers to manage change integrity	Manual, Disabled	1.1.0
Require developers to produce evidence of security assessment plan execution	CMA_C1602 - Require developers to produce evidence of security assessment plan execution	Manual, Disabled	1.1.0

System security testing

ID: ISO 27001:2013 A.14.2.8 Ownership: Shared

Name (Azure portal)	Description	Effect(s)	Version (GitHub)
Assess Security Controls	CMA_C1145 - Assess Security Controls	Manual, Disabled	1.1.0
Deliver security assessment results	CMA_C1147 - Deliver security assessment results	Manual, Disabled	1.1.0
Develop security assessment plan	CMA_C1144 - Develop security assessment plan	Manual, Disabled	1.1.0
Ensure there are no unencrypted static authenticators	CMA_C1340 - Ensure there are no unencrypted static authenticators	Manual, Disabled	1.1.0
Perform vulnerability scans	CMA_0393 - Perform vulnerability scans	Manual, Disabled	1.1.0
Produce Security Assessment report	CMA_C1146 - Produce Security Assessment report	Manual, Disabled	1.1.0
Remediate information system flaws	CMA_0427 - Remediate information system flaws	Manual, Disabled	1.1.0
Require developers to produce evidence of security assessment plan execution	CMA_C1602 - Require developers to produce evidence of security assessment plan execution	Manual, Disabled	1.1.0

System acceptance testing

ID: ISO 27001:2013 A.14.2.9 Ownership: Shared

Name (Azure portal)	Description	Effect(s)	Version (GitHub)
Assign an authorizing official (AO)	CMA_C1158 - Assign an authorizing official (AO)	Manual, Disabled	1.1.0
Determine supplier contract obligations	CMA_0140 - Determine supplier contract obligations	Manual, Disabled	1.1.0
Document acquisition contract acceptance criteria	CMA_0187 - Document acquisition contract acceptance criteria	Manual, Disabled	1.1.0
Document protection of personal data in acquisition contracts	CMA_0194 - Document protection of personal data in acquisition contracts	Manual, Disabled	1.1.0
Document protection of security information in acquisition contracts	CMA_0195 - Document protection of security information in acquisition contracts	Manual, Disabled	1.1.0
Document requirements for the use of shared data in contracts	CMA_0197 - Document requirements for the use of shared data in contracts	Manual, Disabled	1.1.0
Document security assurance requirements in acquisition contracts	CMA_0199 - Document security assurance requirements in acquisition contracts	Manual, Disabled	1.1.0
Document security documentation requirements in acquisition contract	CMA_0200 - Document security documentation requirements in acquisition contract	Manual, Disabled	1.1.0
Document security functional requirements in acquisition contracts	CMA_0201 - Document security functional requirements in acquisition contracts	Manual, Disabled	1.1.0
Document security strength requirements in acquisition contracts	CMA_0203 - Document security strength requirements in acquisition contracts	Manual, Disabled	1.1.0
Document the information system environment in acquisition contracts	CMA_0205 - Document the information system environment in acquisition contracts	Manual, Disabled	1.1.0
Document the protection of cardholder data in third party contracts	CMA_0207 - Document the protection of cardholder data in third party contracts	Manual, Disabled	1.1.0
Ensure resources are authorized	CMA_C1159 - Ensure resources are authorized	Manual, Disabled	1.1.0
Ensure there are no unencrypted static authenticators	CMA_C1340 - Ensure there are no unencrypted static authenticators	Manual, Disabled	1.1.0

Protection of test data

ID: ISO 27001:2013 A.14.3.1 Ownership: Shared

Name (Azure portal)	Description	Effect(s)	Version (GitHub)
Adhere to retention periods defined	CMA_0004 - Adhere to retention periods defined	Manual, Disabled	1.1.0
Conduct a security impact analysis	CMA_0057 - Conduct a security impact analysis	Manual, Disabled	1.1.0
Ensure there are no unencrypted static authenticators	CMA_C1340 - Ensure there are no unencrypted static authenticators	Manual, Disabled	1.1.0
Establish and document change control processes	CMA_0265 - Establish and document change control processes	Manual, Disabled	1.1.0
Establish configuration management requirements for developers	CMA_0270 - Establish configuration management requirements for developers	Manual, Disabled	1.1.0
Perform a privacy impact assessment	CMA_0387 - Perform a privacy impact assessment	Manual, Disabled	1.1.0
Perform audit for configuration change control	CMA_0390 - Perform audit for configuration change control	Manual, Disabled	1.1.0
Perform disposition review	CMA_0391 - Perform disposition review	Manual, Disabled	1.1.0
Perform vulnerability scans	CMA_0393 - Perform vulnerability scans	Manual, Disabled	1.1.0
Remediate information system flaws	CMA_0427 - Remediate information system flaws	Manual, Disabled	1.1.0
Verify personal data is deleted at the end of processing	CMA_0540 - Verify personal data is deleted at the end of processing	Manual, Disabled	1.1.0

Supplier Relationships

Information security policy for supplier relationships

ID: ISO 27001:2013 A.15.1.1 Ownership: Shared

Name (Azure portal)	Description	Effect(s)	Version (GitHub)
Assess risk in third party relationships	CMA_0014 - Assess risk in third party relationships	Manual, Disabled	1.1.0
Define requirements for supplying goods and services	CMA_0126 - Define requirements for supplying goods and services	Manual, Disabled	1.1.0
Determine supplier contract obligations	CMA_0140 - Determine supplier contract obligations	Manual, Disabled	1.1.0
Establish policies for supply chain risk management	CMA_0275 - Establish policies for supply chain risk management	Manual, Disabled	1.1.0
Review and update personnel security policies and procedures	CMA_C1507 - Review and update personnel security policies and procedures	Manual, Disabled	1.1.0
Review and update system and services acquisition policies and procedures	CMA_C1560 - Review and update system and services acquisition policies and procedures	Manual, Disabled	1.1.0

Addressing security within supplier agreement

ID: ISO 27001:2013 A.15.1.2 Ownership: Shared

Name (Azure portal)	Description	Effect(s)	Version (GitHub)
Assess risk in third party relationships	CMA_0014 - Assess risk in third party relationships	Manual, Disabled	1.1.0
Check for privacy and security compliance before establishing internal connections	CMA_0053 - Check for privacy and security compliance before establishing internal connections	Manual, Disabled	1.1.0
Define requirements for supplying goods and services	CMA_0126 - Define requirements for supplying goods and services	Manual, Disabled	1.1.0
Determine supplier contract obligations	CMA_0140 - Determine supplier contract obligations	Manual, Disabled	1.1.0
Develop acceptable use policies and procedures	CMA_0143 - Develop acceptable use policies and procedures	Manual, Disabled	1.1.0
Develop organization code of conduct policy	CMA_0159 - Develop organization code of conduct policy	Manual, Disabled	1.1.0
Document acquisition contract acceptance criteria	CMA_0187 - Document acquisition contract acceptance criteria	Manual, Disabled	1.1.0
Document personnel acceptance of privacy requirements	CMA_0193 - Document personnel acceptance of privacy requirements	Manual, Disabled	1.1.0
Document protection of personal data in acquisition contracts	CMA_0194 - Document protection of personal data in acquisition contracts	Manual, Disabled	1.1.0
Document protection of security information in acquisition contracts	CMA_0195 - Document protection of security information in acquisition contracts	Manual, Disabled	1.1.0
Document requirements for the use of shared data in contracts	CMA_0197 - Document requirements for the use of shared data in contracts	Manual, Disabled	1.1.0
Document security assurance requirements in acquisition contracts	CMA_0199 - Document security assurance requirements in acquisition contracts	Manual, Disabled	1.1.0
Document security documentation requirements in acquisition contract	CMA_0200 - Document security documentation requirements in acquisition contract	Manual, Disabled	1.1.0
Document security functional requirements in acquisition contracts	CMA_0201 - Document security functional requirements in acquisition contracts	Manual, Disabled	1.1.0
Document security strength requirements in acquisition contracts	CMA_0203 - Document security strength requirements in acquisition contracts	Manual, Disabled	1.1.0
Document the information system environment in acquisition contracts	CMA_0205 - Document the information system environment in acquisition contracts	Manual, Disabled	1.1.0
Document the protection of cardholder data in third party contracts	CMA_0207 - Document the protection of cardholder data in third party contracts	Manual, Disabled	1.1.0
Enforce rules of behavior and access agreements	CMA_0248 - Enforce rules of behavior and access agreements	Manual, Disabled	1.1.0
Establish policies for supply chain risk management	CMA_0275 - Establish policies for supply chain risk management	Manual, Disabled	1.1.0
Identify external service providers	CMA_C1591 - Identify external service providers	Manual, Disabled	1.1.0
Prohibit unfair practices	CMA_0396 - Prohibit unfair practices	Manual, Disabled	1.1.0
Review and sign revised rules of behavior	CMA_0465 - Review and sign revised rules of behavior	Manual, Disabled	1.1.0
Update rules of behavior and access agreements	CMA_0521 - Update rules of behavior and access agreements	Manual, Disabled	1.1.0
Update rules of behavior and access agreements every 3 years	CMA_0522 - Update rules of behavior and access agreements every 3 years	Manual, Disabled	1.1.0

Information and communication technology supply chain

ID: ISO 27001:2013 A.15.1.3 Ownership: Shared

Name (Azure portal)	Description	Effect(s)	Version (GitHub)
Assess risk in third party relationships	CMA_0014 - Assess risk in third party relationships	Manual, Disabled	1.1.0
Define requirements for supplying goods and services	CMA_0126 - Define requirements for supplying goods and services	Manual, Disabled	1.1.0
Determine supplier contract obligations	CMA_0140 - Determine supplier contract obligations	Manual, Disabled	1.1.0
Establish policies for supply chain risk management	CMA_0275 - Establish policies for supply chain risk management	Manual, Disabled	1.1.0

Monitoring and review of supplier services

ID: ISO 27001:2013 A.15.2.1 Ownership: Shared

Name (Azure portal)	Description	Effect(s)	Version (GitHub)
Define and document government oversight	CMA_C1587 - Define and document government oversight	Manual, Disabled	1.1.0
Require external service providers to comply with security requirements	CMA_C1586 - Require external service providers to comply with security requirements	Manual, Disabled	1.1.0
Review cloud service provider's compliance with policies and agreements	CMA_0469 - Review cloud service provider's compliance with policies and agreements	Manual, Disabled	1.1.0
Undergo independent security review	CMA_0515 - Undergo independent security review	Manual, Disabled	1.1.0

Managing changes to supplier services

ID: ISO 27001:2013 A.15.2.2 Ownership: Shared

Name (Azure portal)	Description	Effect(s)	Version (GitHub)
Define and document government oversight	CMA_C1587 - Define and document government oversight	Manual, Disabled	1.1.0
Determine supplier contract obligations	CMA_0140 - Determine supplier contract obligations	Manual, Disabled	1.1.0
Document acquisition contract acceptance criteria	CMA_0187 - Document acquisition contract acceptance criteria	Manual, Disabled	1.1.0
Document protection of personal data in acquisition contracts	CMA_0194 - Document protection of personal data in acquisition contracts	Manual, Disabled	1.1.0
Document protection of security information in acquisition contracts	CMA_0195 - Document protection of security information in acquisition contracts	Manual, Disabled	1.1.0
Document requirements for the use of shared data in contracts	CMA_0197 - Document requirements for the use of shared data in contracts	Manual, Disabled	1.1.0
Document security assurance requirements in acquisition contracts	CMA_0199 - Document security assurance requirements in acquisition contracts	Manual, Disabled	1.1.0
Document security documentation requirements in acquisition contract	CMA_0200 - Document security documentation requirements in acquisition contract	Manual, Disabled	1.1.0
Document security functional requirements in acquisition contracts	CMA_0201 - Document security functional requirements in acquisition contracts	Manual, Disabled	1.1.0
Document security strength requirements in acquisition contracts	CMA_0203 - Document security strength requirements in acquisition contracts	Manual, Disabled	1.1.0
Document the information system environment in acquisition contracts	CMA_0205 - Document the information system environment in acquisition contracts	Manual, Disabled	1.1.0
Document the protection of cardholder data in third party contracts	CMA_0207 - Document the protection of cardholder data in third party contracts	Manual, Disabled	1.1.0
Require external service providers to comply with security requirements	CMA_C1586 - Require external service providers to comply with security requirements	Manual, Disabled	1.1.0
Review cloud service provider's compliance with policies and agreements	CMA_0469 - Review cloud service provider's compliance with policies and agreements	Manual, Disabled	1.1.0
Undergo independent security review	CMA_0515 - Undergo independent security review	Manual, Disabled	1.1.0

Information Security Incident Management

Responsibilities and procedures

ID: ISO 27001:2013 A.16.1.1 Ownership: Shared

Name (Azure portal)	Description	Effect(s)	Version (GitHub)
Assess information security events	CMA_0013 - Assess information security events	Manual, Disabled	1.1.0
Develop an incident response plan	CMA_0145 - Develop an incident response plan	Manual, Disabled	1.1.0
Implement incident handling	CMA_0318 - Implement incident handling	Manual, Disabled	1.1.0
Maintain data breach records	CMA_0351 - Maintain data breach records	Manual, Disabled	1.1.0
Maintain incident response plan	CMA_0352 - Maintain incident response plan	Manual, Disabled	1.1.0
Protect incident response plan	CMA_0405 - Protect incident response plan	Manual, Disabled	1.1.0
Review and update incident response policies and procedures	CMA_C1352 - Review and update incident response policies and procedures	Manual, Disabled	1.1.0

Reporting information security events

ID: ISO 27001:2013 A.16.1.2 Ownership: Shared

Name (Azure portal)	Description	Effect(s)	Version (GitHub)
Correlate audit records	CMA_0087 - Correlate audit records	Manual, Disabled	1.1.0
Document security operations	CMA_0202 - Document security operations	Manual, Disabled	1.1.0
Establish requirements for audit review and reporting	CMA_0277 - Establish requirements for audit review and reporting	Manual, Disabled	1.1.0
Implement incident handling	CMA_0318 - Implement incident handling	Manual, Disabled	1.1.0
Integrate audit review, analysis, and reporting	CMA_0339 - Integrate audit review, analysis, and reporting	Manual, Disabled	1.1.0
Integrate cloud app security with a siem	CMA_0340 - Integrate cloud app security with a siem	Manual, Disabled	1.1.0
Report atypical behavior of user accounts	CMA_C1025 - Report atypical behavior of user accounts	Manual, Disabled	1.1.0
Review account provisioning logs	CMA_0460 - Review account provisioning logs	Manual, Disabled	1.1.0
Review administrator assignments weekly	CMA_0461 - Review administrator assignments weekly	Manual, Disabled	1.1.0
Review audit data	CMA_0466 - Review audit data	Manual, Disabled	1.1.0
Review cloud identity report overview	CMA_0468 - Review cloud identity report overview	Manual, Disabled	1.1.0
Review controlled folder access events	CMA_0471 - Review controlled folder access events	Manual, Disabled	1.1.0
Review file and folder activity	CMA_0473 - Review file and folder activity	Manual, Disabled	1.1.0
Review role group changes weekly	CMA_0476 - Review role group changes weekly	Manual, Disabled	1.1.0

Reporting information security weaknesses

ID: ISO 27001:2013 A.16.1.3 Ownership: Shared

Name (Azure portal)	Description	Effect(s)	Version (GitHub)
Document security operations	CMA_0202 - Document security operations	Manual, Disabled	1.1.0
Incorporate flaw remediation into configuration management	CMA_C1671 - Incorporate flaw remediation into configuration management	Manual, Disabled	1.1.0
Remediate information system flaws	CMA_0427 - Remediate information system flaws	Manual, Disabled	1.1.0
Report atypical behavior of user accounts	CMA_C1025 - Report atypical behavior of user accounts	Manual, Disabled	1.1.0

Assessment of and decision on information security events

ID: ISO 27001:2013 A.16.1.4 Ownership: Shared

Name (Azure portal)	Description	Effect(s)	Version (GitHub)
Assess information security events	CMA_0013 - Assess information security events	Manual, Disabled	1.1.0
Coordinate contingency plans with related plans	CMA_0086 - Coordinate contingency plans with related plans	Manual, Disabled	1.1.0
Correlate audit records	CMA_0087 - Correlate audit records	Manual, Disabled	1.1.0
Develop an incident response plan	CMA_0145 - Develop an incident response plan	Manual, Disabled	1.1.0
Develop security safeguards	CMA_0161 - Develop security safeguards	Manual, Disabled	1.1.0
Enable network protection	CMA_0238 - Enable network protection	Manual, Disabled	1.1.0
Eradicate contaminated information	CMA_0253 - Eradicate contaminated information	Manual, Disabled	1.1.0
Establish requirements for audit review and reporting	CMA_0277 - Establish requirements for audit review and reporting	Manual, Disabled	1.1.0
Execute actions in response to information spills	CMA_0281 - Execute actions in response to information spills	Manual, Disabled	1.1.0
Implement incident handling	CMA_0318 - Implement incident handling	Manual, Disabled	1.1.0
Integrate audit review, analysis, and reporting	CMA_0339 - Integrate audit review, analysis, and reporting	Manual, Disabled	1.1.0
Integrate cloud app security with a siem	CMA_0340 - Integrate cloud app security with a siem	Manual, Disabled	1.1.0
Maintain incident response plan	CMA_0352 - Maintain incident response plan	Manual, Disabled	1.1.0
Perform a trend analysis on threats	CMA_0389 - Perform a trend analysis on threats	Manual, Disabled	1.1.0
Report atypical behavior of user accounts	CMA_C1025 - Report atypical behavior of user accounts	Manual, Disabled	1.1.0
Review account provisioning logs	CMA_0460 - Review account provisioning logs	Manual, Disabled	1.1.0
Review administrator assignments weekly	CMA_0461 - Review administrator assignments weekly	Manual, Disabled	1.1.0
Review audit data	CMA_0466 - Review audit data	Manual, Disabled	1.1.0
Review cloud identity report overview	CMA_0468 - Review cloud identity report overview	Manual, Disabled	1.1.0
Review controlled folder access events	CMA_0471 - Review controlled folder access events	Manual, Disabled	1.1.0
Review file and folder activity	CMA_0473 - Review file and folder activity	Manual, Disabled	1.1.0
Review role group changes weekly	CMA_0476 - Review role group changes weekly	Manual, Disabled	1.1.0
View and investigate restricted users	CMA_0545 - View and investigate restricted users	Manual, Disabled	1.1.0

Response to information security incidents

ID: ISO 27001:2013 A.16.1.5 Ownership: Shared

Name (Azure portal)	Description	Effect(s)	Version (GitHub)
Assess information security events	CMA_0013 - Assess information security events	Manual, Disabled	1.1.0
Coordinate contingency plans with related plans	CMA_0086 - Coordinate contingency plans with related plans	Manual, Disabled	1.1.0
Develop an incident response plan	CMA_0145 - Develop an incident response plan	Manual, Disabled	1.1.0
Develop security safeguards	CMA_0161 - Develop security safeguards	Manual, Disabled	1.1.0
Enable network protection	CMA_0238 - Enable network protection	Manual, Disabled	1.1.0
Eradicate contaminated information	CMA_0253 - Eradicate contaminated information	Manual, Disabled	1.1.0
Execute actions in response to information spills	CMA_0281 - Execute actions in response to information spills	Manual, Disabled	1.1.0
Implement incident handling	CMA_0318 - Implement incident handling	Manual, Disabled	1.1.0
Maintain incident response plan	CMA_0352 - Maintain incident response plan	Manual, Disabled	1.1.0
Perform a trend analysis on threats	CMA_0389 - Perform a trend analysis on threats	Manual, Disabled	1.1.0
Report atypical behavior of user accounts	CMA_C1025 - Report atypical behavior of user accounts	Manual, Disabled	1.1.0
View and investigate restricted users	CMA_0545 - View and investigate restricted users	Manual, Disabled	1.1.0

Learning from information security incidents

ID: ISO 27001:2013 A.16.1.6 Ownership: Shared

Name (Azure portal)	Description	Effect(s)	Version (GitHub)
Assess information security events	CMA_0013 - Assess information security events	Manual, Disabled	1.1.0
Coordinate contingency plans with related plans	CMA_0086 - Coordinate contingency plans with related plans	Manual, Disabled	1.1.0
Develop an incident response plan	CMA_0145 - Develop an incident response plan	Manual, Disabled	1.1.0
Develop security safeguards	CMA_0161 - Develop security safeguards	Manual, Disabled	1.1.0
Discover any indicators of compromise	CMA_C1702 - Discover any indicators of compromise	Manual, Disabled	1.1.0
Enable network protection	CMA_0238 - Enable network protection	Manual, Disabled	1.1.0
Eradicate contaminated information	CMA_0253 - Eradicate contaminated information	Manual, Disabled	1.1.0
Execute actions in response to information spills	CMA_0281 - Execute actions in response to information spills	Manual, Disabled	1.1.0
Implement incident handling	CMA_0318 - Implement incident handling	Manual, Disabled	1.1.0
Maintain incident response plan	CMA_0352 - Maintain incident response plan	Manual, Disabled	1.1.0
Perform a trend analysis on threats	CMA_0389 - Perform a trend analysis on threats	Manual, Disabled	1.1.0
Report atypical behavior of user accounts	CMA_C1025 - Report atypical behavior of user accounts	Manual, Disabled	1.1.0
View and investigate restricted users	CMA_0545 - View and investigate restricted users	Manual, Disabled	1.1.0

Collection of evidence

ID: ISO 27001:2013 A.16.1.7 Ownership: Shared

Name (Azure portal)	Description	Effect(s)	Version (GitHub)
Adhere to retention periods defined	CMA_0004 - Adhere to retention periods defined	Manual, Disabled	1.1.0
Check for privacy and security compliance before establishing internal connections	CMA_0053 - Check for privacy and security compliance before establishing internal connections	Manual, Disabled	1.1.0
Determine auditable events	CMA_0137 - Determine auditable events	Manual, Disabled	1.1.0
Implement incident handling	CMA_0318 - Implement incident handling	Manual, Disabled	1.1.0
Report atypical behavior of user accounts	CMA_C1025 - Report atypical behavior of user accounts	Manual, Disabled	1.1.0
Retain security policies and procedures	CMA_0454 - Retain security policies and procedures	Manual, Disabled	1.1.0
Retain terminated user data	CMA_0455 - Retain terminated user data	Manual, Disabled	1.1.0

Information Security Aspects Of Business Continuity Management

Planning information security continuity

ID: ISO 27001:2013 A.17.1.1 Ownership: Shared

Name (Azure portal)	Description	Effect(s)	Version (GitHub)
Communicate contingency plan changes	CMA_C1249 - Communicate contingency plan changes	Manual, Disabled	1.1.0
Coordinate contingency plans with related plans	CMA_0086 - Coordinate contingency plans with related plans	Manual, Disabled	1.1.0
Develop and document a business continuity and disaster recovery plan	CMA_0146 - Develop and document a business continuity and disaster recovery plan	Manual, Disabled	1.1.0
Develop contingency plan	CMA_C1244 - Develop contingency plan	Manual, Disabled	1.1.0
Develop contingency planning policies and procedures	CMA_0156 - Develop contingency planning policies and procedures	Manual, Disabled	1.1.0
Distribute policies and procedures	CMA_0185 - Distribute policies and procedures	Manual, Disabled	1.1.0
Plan for resumption of essential business functions	CMA_C1253 - Plan for resumption of essential business functions	Manual, Disabled	1.1.0
Resume all mission and business functions	CMA_C1254 - Resume all mission and business functions	Manual, Disabled	1.1.0
Review and update contingency planning policies and procedures	CMA_C1243 - Review and update contingency planning policies and procedures	Manual, Disabled	1.1.0
Review contingency plan	CMA_C1247 - Review contingency plan	Manual, Disabled	1.1.0
Update contingency plan	CMA_C1248 - Update contingency plan	Manual, Disabled	1.1.0

Implementing information security continuity

ID: ISO 27001:2013 A.17.1.2 Ownership: Shared

Name (Azure portal)	Description	Effect(s)	Version (GitHub)
Communicate contingency plan changes	CMA_C1249 - Communicate contingency plan changes	Manual, Disabled	1.1.0
Conduct backup of information system documentation	CMA_C1289 - Conduct backup of information system documentation	Manual, Disabled	1.1.0
Coordinate contingency plans with related plans	CMA_0086 - Coordinate contingency plans with related plans	Manual, Disabled	1.1.0
Create separate alternate and primary storage sites	CMA_C1269 - Create separate alternate and primary storage sites	Manual, Disabled	1.1.0
Develop contingency plan	CMA_C1244 - Develop contingency plan	Manual, Disabled	1.1.0
Ensure alternate storage site safeguards are equivalent to primary site	CMA_C1268 - Ensure alternate storage site safeguards are equivalent to primary site	Manual, Disabled	1.1.0
Ensure information system fails in known state	CMA_C1662 - Ensure information system fails in known state	Manual, Disabled	1.1.0
Establish alternate storage site to store and retrieve backup information	CMA_C1267 - Establish alternate storage site to store and retrieve backup information	Manual, Disabled	1.1.0
Establish an alternate processing site	CMA_0262 - Establish an alternate processing site	Manual, Disabled	1.1.0
Establish backup policies and procedures	CMA_0268 - Establish backup policies and procedures	Manual, Disabled	1.1.0
Establish requirements for internet service providers	CMA_0278 - Establish requirements for internet service providers	Manual, Disabled	1.1.0
Identify and mitigate potential issues at alternate storage site	CMA_C1271 - Identify and mitigate potential issues at alternate storage site	Manual, Disabled	1.1.0
Implement controls to secure all media	CMA_0314 - Implement controls to secure all media	Manual, Disabled	1.1.0
Implement transaction based recovery	CMA_C1296 - Implement transaction based recovery	Manual, Disabled	1.1.0
Plan for continuance of essential business functions	CMA_C1255 - Plan for continuance of essential business functions	Manual, Disabled	1.1.0
Plan for resumption of essential business functions	CMA_C1253 - Plan for resumption of essential business functions	Manual, Disabled	1.1.0
Recover and reconstitute resources after any disruption	CMA_C1295 - Recover and reconstitute resources after any disruption	Manual, Disabled	1.1.1
Resume all mission and business functions	CMA_C1254 - Resume all mission and business functions	Manual, Disabled	1.1.0

Verify, review and evaluate information security continuity

ID: ISO 27001:2013 A.17.1.3 Ownership: Shared

Name (Azure portal)	Description	Effect(s)	Version (GitHub)
Initiate contingency plan testing corrective actions	CMA_C1263 - Initiate contingency plan testing corrective actions	Manual, Disabled	1.1.0
Review the results of contingency plan testing	CMA_C1262 - Review the results of contingency plan testing	Manual, Disabled	1.1.0
Test the business continuity and disaster recovery plan	CMA_0509 - Test the business continuity and disaster recovery plan	Manual, Disabled	1.1.0

Availability of information processing facilities

ID: ISO 27001:2013 A.17.2.1 Ownership: Shared

Name (Azure portal)	Description	Effect(s)	Version (GitHub)
Communicate contingency plan changes	CMA_C1249 - Communicate contingency plan changes	Manual, Disabled	1.1.0
Coordinate contingency plans with related plans	CMA_0086 - Coordinate contingency plans with related plans	Manual, Disabled	1.1.0
Create separate alternate and primary storage sites	CMA_C1269 - Create separate alternate and primary storage sites	Manual, Disabled	1.1.0
Develop and document a business continuity and disaster recovery plan	CMA_0146 - Develop and document a business continuity and disaster recovery plan	Manual, Disabled	1.1.0
Develop contingency plan	CMA_C1244 - Develop contingency plan	Manual, Disabled	1.1.0
Develop contingency planning policies and procedures	CMA_0156 - Develop contingency planning policies and procedures	Manual, Disabled	1.1.0
Distribute policies and procedures	CMA_0185 - Distribute policies and procedures	Manual, Disabled	1.1.0
Ensure alternate storage site safeguards are equivalent to primary site	CMA_C1268 - Ensure alternate storage site safeguards are equivalent to primary site	Manual, Disabled	1.1.0
Ensure information system fails in known state	CMA_C1662 - Ensure information system fails in known state	Manual, Disabled	1.1.0
Establish alternate storage site to store and retrieve backup information	CMA_C1267 - Establish alternate storage site to store and retrieve backup information	Manual, Disabled	1.1.0
Establish an alternate processing site	CMA_0262 - Establish an alternate processing site	Manual, Disabled	1.1.0
Identify and mitigate potential issues at alternate storage site	CMA_C1271 - Identify and mitigate potential issues at alternate storage site	Manual, Disabled	1.1.0
Plan for continuance of essential business functions	CMA_C1255 - Plan for continuance of essential business functions	Manual, Disabled	1.1.0
Plan for resumption of essential business functions	CMA_C1253 - Plan for resumption of essential business functions	Manual, Disabled	1.1.0
Resume all mission and business functions	CMA_C1254 - Resume all mission and business functions	Manual, Disabled	1.1.0
Review contingency plan	CMA_C1247 - Review contingency plan	Manual, Disabled	1.1.0
Update contingency plan	CMA_C1248 - Update contingency plan	Manual, Disabled	1.1.0

Compliance

Identification applicable legislation and contractual requirements

ID: ISO 27001:2013 A.18.1.1 Ownership: Shared

Name (Azure portal)	Description	Effect(s)	Version (GitHub)
Develop access control policies and procedures	CMA_0144 - Develop access control policies and procedures	Manual, Disabled	1.1.0
Develop and establish a system security plan	CMA_0151 - Develop and establish a system security plan	Manual, Disabled	1.1.0
Develop audit and accountability policies and procedures	CMA_0154 - Develop audit and accountability policies and procedures	Manual, Disabled	1.1.0
Develop information security policies and procedures	CMA_0158 - Develop information security policies and procedures	Manual, Disabled	1.1.0
Document security and privacy training activities	CMA_0198 - Document security and privacy training activities	Manual, Disabled	1.1.0
Enforce mandatory and discretionary access control policies	CMA_0246 - Enforce mandatory and discretionary access control policies	Manual, Disabled	1.1.0
Establish a privacy program	CMA_0257 - Establish a privacy program	Manual, Disabled	1.1.0
Establish a risk management strategy	CMA_0258 - Establish a risk management strategy	Manual, Disabled	1.1.0
Establish an information security program	CMA_0263 - Establish an information security program	Manual, Disabled	1.1.0
Establish security requirements for the manufacturing of connected devices	CMA_0279 - Establish security requirements for the manufacturing of connected devices	Manual, Disabled	1.1.0
Govern policies and procedures	CMA_0292 - Govern policies and procedures	Manual, Disabled	1.1.0
Implement security engineering principles of information systems	CMA_0325 - Implement security engineering principles of information systems	Manual, Disabled	1.1.0
Protect the information security program plan	CMA_C1732 - Protect the information security program plan	Manual, Disabled	1.1.0
Review access control policies and procedures	CMA_0457 - Review access control policies and procedures	Manual, Disabled	1.1.0
Review and update configuration management policies and procedures	CMA_C1175 - Review and update configuration management policies and procedures	Manual, Disabled	1.1.0
Review and update contingency planning policies and procedures	CMA_C1243 - Review and update contingency planning policies and procedures	Manual, Disabled	1.1.0
Review and update identification and authentication policies and procedures	CMA_C1299 - Review and update identification and authentication policies and procedures	Manual, Disabled	1.1.0
Review and update incident response policies and procedures	CMA_C1352 - Review and update incident response policies and procedures	Manual, Disabled	1.1.0
Review and update information integrity policies and procedures	CMA_C1667 - Review and update information integrity policies and procedures	Manual, Disabled	1.1.0
Review and update media protection policies and procedures	CMA_C1427 - Review and update media protection policies and procedures	Manual, Disabled	1.1.0
Review and update personnel security policies and procedures	CMA_C1507 - Review and update personnel security policies and procedures	Manual, Disabled	1.1.0
Review and update physical and environmental policies and procedures	CMA_C1446 - Review and update physical and environmental policies and procedures	Manual, Disabled	1.1.0
Review and update planning policies and procedures	CMA_C1491 - Review and update planning policies and procedures	Manual, Disabled	1.1.0
Review and update risk assessment policies and procedures	CMA_C1537 - Review and update risk assessment policies and procedures	Manual, Disabled	1.1.0
Review and update system and communications protection policies and procedures	CMA_C1616 - Review and update system and communications protection policies and procedures	Manual, Disabled	1.1.0
Review and update system and services acquisition policies and procedures	CMA_C1560 - Review and update system and services acquisition policies and procedures	Manual, Disabled	1.1.0
Review and update system maintenance policies and procedures	CMA_C1395 - Review and update system maintenance policies and procedures	Manual, Disabled	1.1.0
Review security assessment and authorization policies and procedures	CMA_C1143 - Review security assessment and authorization policies and procedures	Manual, Disabled	1.1.0
Update information security policies	CMA_0518 - Update information security policies	Manual, Disabled	1.1.0
Update privacy plan, policies, and procedures	CMA_C1807 - Update privacy plan, policies, and procedures	Manual, Disabled	1.1.0

Intellectual property rights

ID: ISO 27001:2013 A.18.1.2 Ownership: Shared

Name (Azure portal)	Description	Effect(s)	Version (GitHub)
Require compliance with intellectual property rights	CMA_0432 - Require compliance with intellectual property rights	Manual, Disabled	1.1.0
Track software license usage	CMA_C1235 - Track software license usage	Manual, Disabled	1.1.0

Protection of records

ID: ISO 27001:2013 A.18.1.3 Ownership: Shared

Name (Azure portal)	Description	Effect(s)	Version (GitHub)
Authorize access to security functions and information	CMA_0022 - Authorize access to security functions and information	Manual, Disabled	1.1.0
Authorize and manage access	CMA_0023 - Authorize and manage access	Manual, Disabled	1.1.0
Conduct backup of information system documentation	CMA_C1289 - Conduct backup of information system documentation	Manual, Disabled	1.1.0
Control physical access	CMA_0081 - Control physical access	Manual, Disabled	1.1.0
Enable dual or joint authorization	CMA_0226 - Enable dual or joint authorization	Manual, Disabled	1.1.0
Enforce logical access	CMA_0245 - Enforce logical access	Manual, Disabled	1.1.0
Ensure information system fails in known state	CMA_C1662 - Ensure information system fails in known state	Manual, Disabled	1.1.0
Establish backup policies and procedures	CMA_0268 - Establish backup policies and procedures	Manual, Disabled	1.1.0
Implement controls to secure all media	CMA_0314 - Implement controls to secure all media	Manual, Disabled	1.1.0
Implement transaction based recovery	CMA_C1296 - Implement transaction based recovery	Manual, Disabled	1.1.0
Manage the input, output, processing, and storage of data	CMA_0369 - Manage the input, output, processing, and storage of data	Manual, Disabled	1.1.0
Protect audit information	CMA_0401 - Protect audit information	Manual, Disabled	1.1.0
Require approval for account creation	CMA_0431 - Require approval for account creation	Manual, Disabled	1.1.0
Review label activity and analytics	CMA_0474 - Review label activity and analytics	Manual, Disabled	1.1.0
Review user groups and applications with access to sensitive data	CMA_0481 - Review user groups and applications with access to sensitive data	Manual, Disabled	1.1.0

Privacy and protection of personally identifiable information

ID: ISO 27001:2013 A.18.1.4 Ownership: Shared

Name (Azure portal)	Description	Effect(s)	Version (GitHub)
Control physical access	CMA_0081 - Control physical access	Manual, Disabled	1.1.0
Establish a privacy program	CMA_0257 - Establish a privacy program	Manual, Disabled	1.1.0
Establish an information security program	CMA_0263 - Establish an information security program	Manual, Disabled	1.1.0
Manage compliance activities	CMA_0358 - Manage compliance activities	Manual, Disabled	1.1.0
Manage the input, output, processing, and storage of data	CMA_0369 - Manage the input, output, processing, and storage of data	Manual, Disabled	1.1.0
Review label activity and analytics	CMA_0474 - Review label activity and analytics	Manual, Disabled	1.1.0

Regulation of cryptographic controls

ID: ISO 27001:2013 A.18.1.5 Ownership: Shared

Name (Azure portal)	Description	Effect(s)	Version (GitHub)
Authenticate to cryptographic module	CMA_0021 - Authenticate to cryptographic module	Manual, Disabled	1.1.0
Define cryptographic use	CMA_0120 - Define cryptographic use	Manual, Disabled	1.1.0

Independent review of information security

ID: ISO 27001:2013 A.18.2.1 Ownership: Shared

Name (Azure portal)	Description	Effect(s)	Version (GitHub)
Employ independent team for penetration testing	CMA_C1171 - Employ independent team for penetration testing	Manual, Disabled	1.1.0
Establish a risk management strategy	CMA_0258 - Establish a risk management strategy	Manual, Disabled	1.1.0

Compliance with security policies and standards

ID: ISO 27001:2013 A.18.2.2 Ownership: Shared

Name (Azure portal)	Description	Effect(s)	Version (GitHub)
Assess Security Controls	CMA_C1145 - Assess Security Controls	Manual, Disabled	1.1.0
Check for privacy and security compliance before establishing internal connections	CMA_0053 - Check for privacy and security compliance before establishing internal connections	Manual, Disabled	1.1.0
Configure detection whitelist	CMA_0068 - Configure detection whitelist	Manual, Disabled	1.1.0
Deliver security assessment results	CMA_C1147 - Deliver security assessment results	Manual, Disabled	1.1.0
Develop access control policies and procedures	CMA_0144 - Develop access control policies and procedures	Manual, Disabled	1.1.0
Develop and establish a system security plan	CMA_0151 - Develop and establish a system security plan	Manual, Disabled	1.1.0
Develop audit and accountability policies and procedures	CMA_0154 - Develop audit and accountability policies and procedures	Manual, Disabled	1.1.0
Develop information security policies and procedures	CMA_0158 - Develop information security policies and procedures	Manual, Disabled	1.1.0
Develop security assessment plan	CMA_C1144 - Develop security assessment plan	Manual, Disabled	1.1.0
Document security and privacy training activities	CMA_0198 - Document security and privacy training activities	Manual, Disabled	1.1.0
Establish a privacy program	CMA_0257 - Establish a privacy program	Manual, Disabled	1.1.0
Establish an information security program	CMA_0263 - Establish an information security program	Manual, Disabled	1.1.0
Establish security requirements for the manufacturing of connected devices	CMA_0279 - Establish security requirements for the manufacturing of connected devices	Manual, Disabled	1.1.0
Govern policies and procedures	CMA_0292 - Govern policies and procedures	Manual, Disabled	1.1.0
Implement security engineering principles of information systems	CMA_0325 - Implement security engineering principles of information systems	Manual, Disabled	1.1.0
Produce Security Assessment report	CMA_C1146 - Produce Security Assessment report	Manual, Disabled	1.1.0
Protect the information security program plan	CMA_C1732 - Protect the information security program plan	Manual, Disabled	1.1.0
Review access control policies and procedures	CMA_0457 - Review access control policies and procedures	Manual, Disabled	1.1.0
Review and update configuration management policies and procedures	CMA_C1175 - Review and update configuration management policies and procedures	Manual, Disabled	1.1.0
Review and update contingency planning policies and procedures	CMA_C1243 - Review and update contingency planning policies and procedures	Manual, Disabled	1.1.0
Review and update identification and authentication policies and procedures	CMA_C1299 - Review and update identification and authentication policies and procedures	Manual, Disabled	1.1.0
Review and update incident response policies and procedures	CMA_C1352 - Review and update incident response policies and procedures	Manual, Disabled	1.1.0
Review and update information integrity policies and procedures	CMA_C1667 - Review and update information integrity policies and procedures	Manual, Disabled	1.1.0
Review and update media protection policies and procedures	CMA_C1427 - Review and update media protection policies and procedures	Manual, Disabled	1.1.0
Review and update personnel security policies and procedures	CMA_C1507 - Review and update personnel security policies and procedures	Manual, Disabled	1.1.0
Review and update physical and environmental policies and procedures	CMA_C1446 - Review and update physical and environmental policies and procedures	Manual, Disabled	1.1.0
Review and update planning policies and procedures	CMA_C1491 - Review and update planning policies and procedures	Manual, Disabled	1.1.0
Review and update risk assessment policies and procedures	CMA_C1537 - Review and update risk assessment policies and procedures	Manual, Disabled	1.1.0
Review and update system and communications protection policies and procedures	CMA_C1616 - Review and update system and communications protection policies and procedures	Manual, Disabled	1.1.0
Review and update system and services acquisition policies and procedures	CMA_C1560 - Review and update system and services acquisition policies and procedures	Manual, Disabled	1.1.0
Review and update system maintenance policies and procedures	CMA_C1395 - Review and update system maintenance policies and procedures	Manual, Disabled	1.1.0
Review security assessment and authorization policies and procedures	CMA_C1143 - Review security assessment and authorization policies and procedures	Manual, Disabled	1.1.0
Turn on sensors for endpoint security solution	CMA_0514 - Turn on sensors for endpoint security solution	Manual, Disabled	1.1.0
Undergo independent security review	CMA_0515 - Undergo independent security review	Manual, Disabled	1.1.0
Update information security policies	CMA_0518 - Update information security policies	Manual, Disabled	1.1.0
Update privacy plan, policies, and procedures	CMA_C1807 - Update privacy plan, policies, and procedures	Manual, Disabled	1.1.0

Technical compliance review

ID: ISO 27001:2013 A.18.2.3 Ownership: Shared

Name (Azure portal)	Description	Effect(s)	Version (GitHub)
Assess Security Controls	CMA_C1145 - Assess Security Controls	Manual, Disabled	1.1.0
Deliver security assessment results	CMA_C1147 - Deliver security assessment results	Manual, Disabled	1.1.0
Develop security assessment plan	CMA_C1144 - Develop security assessment plan	Manual, Disabled	1.1.0
Employ independent team for penetration testing	CMA_C1171 - Employ independent team for penetration testing	Manual, Disabled	1.1.0
Produce Security Assessment report	CMA_C1146 - Produce Security Assessment report	Manual, Disabled	1.1.0

Information Security Policies

Policies for information security

ID: ISO 27001:2013 A.5.1.1 Ownership: Shared

Name (Azure portal)	Description	Effect(s)	Version (GitHub)
Determine supplier contract obligations	CMA_0140 - Determine supplier contract obligations	Manual, Disabled	1.1.0
Develop access control policies and procedures	CMA_0144 - Develop access control policies and procedures	Manual, Disabled	1.1.0
Develop and establish a system security plan	CMA_0151 - Develop and establish a system security plan	Manual, Disabled	1.1.0
Develop audit and accountability policies and procedures	CMA_0154 - Develop audit and accountability policies and procedures	Manual, Disabled	1.1.0
Develop information security policies and procedures	CMA_0158 - Develop information security policies and procedures	Manual, Disabled	1.1.0
Document acquisition contract acceptance criteria	CMA_0187 - Document acquisition contract acceptance criteria	Manual, Disabled	1.1.0
Document protection of personal data in acquisition contracts	CMA_0194 - Document protection of personal data in acquisition contracts	Manual, Disabled	1.1.0
Document protection of security information in acquisition contracts	CMA_0195 - Document protection of security information in acquisition contracts	Manual, Disabled	1.1.0
Document requirements for the use of shared data in contracts	CMA_0197 - Document requirements for the use of shared data in contracts	Manual, Disabled	1.1.0
Document security and privacy training activities	CMA_0198 - Document security and privacy training activities	Manual, Disabled	1.1.0
Document security assurance requirements in acquisition contracts	CMA_0199 - Document security assurance requirements in acquisition contracts	Manual, Disabled	1.1.0
Document security documentation requirements in acquisition contract	CMA_0200 - Document security documentation requirements in acquisition contract	Manual, Disabled	1.1.0
Document security functional requirements in acquisition contracts	CMA_0201 - Document security functional requirements in acquisition contracts	Manual, Disabled	1.1.0
Document security strength requirements in acquisition contracts	CMA_0203 - Document security strength requirements in acquisition contracts	Manual, Disabled	1.1.0
Document the information system environment in acquisition contracts	CMA_0205 - Document the information system environment in acquisition contracts	Manual, Disabled	1.1.0
Document the protection of cardholder data in third party contracts	CMA_0207 - Document the protection of cardholder data in third party contracts	Manual, Disabled	1.1.0
Enforce mandatory and discretionary access control policies	CMA_0246 - Enforce mandatory and discretionary access control policies	Manual, Disabled	1.1.0
Establish a privacy program	CMA_0257 - Establish a privacy program	Manual, Disabled	1.1.0
Establish an information security program	CMA_0263 - Establish an information security program	Manual, Disabled	1.1.0
Establish privacy requirements for contractors and service providers	CMA_C1810 - Establish privacy requirements for contractors and service providers	Manual, Disabled	1.1.0
Establish security requirements for the manufacturing of connected devices	CMA_0279 - Establish security requirements for the manufacturing of connected devices	Manual, Disabled	1.1.0
Govern policies and procedures	CMA_0292 - Govern policies and procedures	Manual, Disabled	1.1.0
Implement security engineering principles of information systems	CMA_0325 - Implement security engineering principles of information systems	Manual, Disabled	1.1.0
Manage compliance activities	CMA_0358 - Manage compliance activities	Manual, Disabled	1.1.0
Protect the information security program plan	CMA_C1732 - Protect the information security program plan	Manual, Disabled	1.1.0
Review access control policies and procedures	CMA_0457 - Review access control policies and procedures	Manual, Disabled	1.1.0
Review and update configuration management policies and procedures	CMA_C1175 - Review and update configuration management policies and procedures	Manual, Disabled	1.1.0
Review and update contingency planning policies and procedures	CMA_C1243 - Review and update contingency planning policies and procedures	Manual, Disabled	1.1.0
Review and update identification and authentication policies and procedures	CMA_C1299 - Review and update identification and authentication policies and procedures	Manual, Disabled	1.1.0
Review and update incident response policies and procedures	CMA_C1352 - Review and update incident response policies and procedures	Manual, Disabled	1.1.0
Review and update information integrity policies and procedures	CMA_C1667 - Review and update information integrity policies and procedures	Manual, Disabled	1.1.0
Review and update media protection policies and procedures	CMA_C1427 - Review and update media protection policies and procedures	Manual, Disabled	1.1.0
Review and update personnel security policies and procedures	CMA_C1507 - Review and update personnel security policies and procedures	Manual, Disabled	1.1.0
Review and update physical and environmental policies and procedures	CMA_C1446 - Review and update physical and environmental policies and procedures	Manual, Disabled	1.1.0
Review and update planning policies and procedures	CMA_C1491 - Review and update planning policies and procedures	Manual, Disabled	1.1.0
Review and update risk assessment policies and procedures	CMA_C1537 - Review and update risk assessment policies and procedures	Manual, Disabled	1.1.0
Review and update system and communications protection policies and procedures	CMA_C1616 - Review and update system and communications protection policies and procedures	Manual, Disabled	1.1.0
Review and update system and services acquisition policies and procedures	CMA_C1560 - Review and update system and services acquisition policies and procedures	Manual, Disabled	1.1.0
Review and update system maintenance policies and procedures	CMA_C1395 - Review and update system maintenance policies and procedures	Manual, Disabled	1.1.0
Review security assessment and authorization policies and procedures	CMA_C1143 - Review security assessment and authorization policies and procedures	Manual, Disabled	1.1.0
Update information security policies	CMA_0518 - Update information security policies	Manual, Disabled	1.1.0
Update privacy plan, policies, and procedures	CMA_C1807 - Update privacy plan, policies, and procedures	Manual, Disabled	1.1.0

Review of the policies for information security

ID: ISO 27001:2013 A.5.1.2 Ownership: Shared

Name (Azure portal)	Description	Effect(s)	Version (GitHub)
Develop access control policies and procedures	CMA_0144 - Develop access control policies and procedures	Manual, Disabled	1.1.0
Develop and establish a system security plan	CMA_0151 - Develop and establish a system security plan	Manual, Disabled	1.1.0
Develop audit and accountability policies and procedures	CMA_0154 - Develop audit and accountability policies and procedures	Manual, Disabled	1.1.0
Develop information security policies and procedures	CMA_0158 - Develop information security policies and procedures	Manual, Disabled	1.1.0
Document security and privacy training activities	CMA_0198 - Document security and privacy training activities	Manual, Disabled	1.1.0
Enforce mandatory and discretionary access control policies	CMA_0246 - Enforce mandatory and discretionary access control policies	Manual, Disabled	1.1.0
Establish a privacy program	CMA_0257 - Establish a privacy program	Manual, Disabled	1.1.0
Establish an information security program	CMA_0263 - Establish an information security program	Manual, Disabled	1.1.0
Establish security requirements for the manufacturing of connected devices	CMA_0279 - Establish security requirements for the manufacturing of connected devices	Manual, Disabled	1.1.0
Govern policies and procedures	CMA_0292 - Govern policies and procedures	Manual, Disabled	1.1.0
Implement security engineering principles of information systems	CMA_0325 - Implement security engineering principles of information systems	Manual, Disabled	1.1.0
Protect the information security program plan	CMA_C1732 - Protect the information security program plan	Manual, Disabled	1.1.0
Review access control policies and procedures	CMA_0457 - Review access control policies and procedures	Manual, Disabled	1.1.0
Review and update configuration management policies and procedures	CMA_C1175 - Review and update configuration management policies and procedures	Manual, Disabled	1.1.0
Review and update contingency planning policies and procedures	CMA_C1243 - Review and update contingency planning policies and procedures	Manual, Disabled	1.1.0
Review and update identification and authentication policies and procedures	CMA_C1299 - Review and update identification and authentication policies and procedures	Manual, Disabled	1.1.0
Review and update incident response policies and procedures	CMA_C1352 - Review and update incident response policies and procedures	Manual, Disabled	1.1.0
Review and update information integrity policies and procedures	CMA_C1667 - Review and update information integrity policies and procedures	Manual, Disabled	1.1.0
Review and update media protection policies and procedures	CMA_C1427 - Review and update media protection policies and procedures	Manual, Disabled	1.1.0
Review and update personnel security policies and procedures	CMA_C1507 - Review and update personnel security policies and procedures	Manual, Disabled	1.1.0
Review and update physical and environmental policies and procedures	CMA_C1446 - Review and update physical and environmental policies and procedures	Manual, Disabled	1.1.0
Review and update planning policies and procedures	CMA_C1491 - Review and update planning policies and procedures	Manual, Disabled	1.1.0
Review and update risk assessment policies and procedures	CMA_C1537 - Review and update risk assessment policies and procedures	Manual, Disabled	1.1.0
Review and update system and communications protection policies and procedures	CMA_C1616 - Review and update system and communications protection policies and procedures	Manual, Disabled	1.1.0
Review and update system and services acquisition policies and procedures	CMA_C1560 - Review and update system and services acquisition policies and procedures	Manual, Disabled	1.1.0
Review and update system maintenance policies and procedures	CMA_C1395 - Review and update system maintenance policies and procedures	Manual, Disabled	1.1.0
Review security assessment and authorization policies and procedures	CMA_C1143 - Review security assessment and authorization policies and procedures	Manual, Disabled	1.1.0
Update information security policies	CMA_0518 - Update information security policies	Manual, Disabled	1.1.0
Update privacy plan, policies, and procedures	CMA_C1807 - Update privacy plan, policies, and procedures	Manual, Disabled	1.1.0

Organization of Information Security

Information security roles and responsibilities

ID: ISO 27001:2013 A.6.1.1 Ownership: Shared

Name (Azure portal)	Description	Effect(s)	Version (GitHub)
Appoint a senior information security officer	CMA_C1733 - Appoint a senior information security officer	Manual, Disabled	1.1.0
Communicate contingency plan changes	CMA_C1249 - Communicate contingency plan changes	Manual, Disabled	1.1.0
Coordinate contingency plans with related plans	CMA_0086 - Coordinate contingency plans with related plans	Manual, Disabled	1.1.0
Create configuration plan protection	CMA_C1233 - Create configuration plan protection	Manual, Disabled	1.1.0
Define and document government oversight	CMA_C1587 - Define and document government oversight	Manual, Disabled	1.1.0
Define information security roles and responsibilities	CMA_C1565 - Define information security roles and responsibilities	Manual, Disabled	1.1.0
Designate individuals to fulfill specific roles and responsibilities	CMA_C1747 - Designate individuals to fulfill specific roles and responsibilities	Manual, Disabled	1.1.0
Determine supplier contract obligations	CMA_0140 - Determine supplier contract obligations	Manual, Disabled	1.1.0
Develop access control policies and procedures	CMA_0144 - Develop access control policies and procedures	Manual, Disabled	1.1.0
Develop and document a business continuity and disaster recovery plan	CMA_0146 - Develop and document a business continuity and disaster recovery plan	Manual, Disabled	1.1.0
Develop and establish a system security plan	CMA_0151 - Develop and establish a system security plan	Manual, Disabled	1.1.0
Develop and maintain baseline configurations	CMA_0153 - Develop and maintain baseline configurations	Manual, Disabled	1.1.0
Develop audit and accountability policies and procedures	CMA_0154 - Develop audit and accountability policies and procedures	Manual, Disabled	1.1.0
Develop configuration item identification plan	CMA_C1231 - Develop configuration item identification plan	Manual, Disabled	1.1.0
Develop configuration management plan	CMA_C1232 - Develop configuration management plan	Manual, Disabled	1.1.0
Develop contingency plan	CMA_C1244 - Develop contingency plan	Manual, Disabled	1.1.0
Develop contingency planning policies and procedures	CMA_0156 - Develop contingency planning policies and procedures	Manual, Disabled	1.1.0
Develop information security policies and procedures	CMA_0158 - Develop information security policies and procedures	Manual, Disabled	1.1.0
Distribute policies and procedures	CMA_0185 - Distribute policies and procedures	Manual, Disabled	1.1.0
Document acquisition contract acceptance criteria	CMA_0187 - Document acquisition contract acceptance criteria	Manual, Disabled	1.1.0
Document and implement privacy complaint procedures	CMA_0189 - Document and implement privacy complaint procedures	Manual, Disabled	1.1.0
Document protection of personal data in acquisition contracts	CMA_0194 - Document protection of personal data in acquisition contracts	Manual, Disabled	1.1.0
Document protection of security information in acquisition contracts	CMA_0195 - Document protection of security information in acquisition contracts	Manual, Disabled	1.1.0
Document requirements for the use of shared data in contracts	CMA_0197 - Document requirements for the use of shared data in contracts	Manual, Disabled	1.1.0
Document security and privacy training activities	CMA_0198 - Document security and privacy training activities	Manual, Disabled	1.1.0
Document security assurance requirements in acquisition contracts	CMA_0199 - Document security assurance requirements in acquisition contracts	Manual, Disabled	1.1.0
Document security documentation requirements in acquisition contract	CMA_0200 - Document security documentation requirements in acquisition contract	Manual, Disabled	1.1.0
Document security functional requirements in acquisition contracts	CMA_0201 - Document security functional requirements in acquisition contracts	Manual, Disabled	1.1.0
Document security strength requirements in acquisition contracts	CMA_0203 - Document security strength requirements in acquisition contracts	Manual, Disabled	1.1.0
Document the information system environment in acquisition contracts	CMA_0205 - Document the information system environment in acquisition contracts	Manual, Disabled	1.1.0
Document the protection of cardholder data in third party contracts	CMA_0207 - Document the protection of cardholder data in third party contracts	Manual, Disabled	1.1.0
Document third-party personnel security requirements	CMA_C1531 - Document third-party personnel security requirements	Manual, Disabled	1.1.0
Enforce mandatory and discretionary access control policies	CMA_0246 - Enforce mandatory and discretionary access control policies	Manual, Disabled	1.1.0
Ensure privacy program information is publicly available	CMA_C1867 - Ensure privacy program information is publicly available	Manual, Disabled	1.1.0
Establish a privacy program	CMA_0257 - Establish a privacy program	Manual, Disabled	1.1.0
Establish an information security program	CMA_0263 - Establish an information security program	Manual, Disabled	1.1.0
Establish and document a configuration management plan	CMA_0264 - Establish and document a configuration management plan	Manual, Disabled	1.1.0
Establish security requirements for the manufacturing of connected devices	CMA_0279 - Establish security requirements for the manufacturing of connected devices	Manual, Disabled	1.1.0
Establish third-party personnel security requirements	CMA_C1529 - Establish third-party personnel security requirements	Manual, Disabled	1.1.0
Govern policies and procedures	CMA_0292 - Govern policies and procedures	Manual, Disabled	1.1.0
Identify individuals with security roles and responsibilities	CMA_C1566 - Identify individuals with security roles and responsibilities	Manual, Disabled	1.1.1
Implement an automated configuration management tool	CMA_0311 - Implement an automated configuration management tool	Manual, Disabled	1.1.0
Implement security engineering principles of information systems	CMA_0325 - Implement security engineering principles of information systems	Manual, Disabled	1.1.0
Integrate risk management process into SDLC	CMA_C1567 - Integrate risk management process into SDLC	Manual, Disabled	1.1.0
Manage security state of information systems	CMA_C1746 - Manage security state of information systems	Manual, Disabled	1.1.0
Monitor third-party provider compliance	CMA_C1533 - Monitor third-party provider compliance	Manual, Disabled	1.1.0
Plan for resumption of essential business functions	CMA_C1253 - Plan for resumption of essential business functions	Manual, Disabled	1.1.0
Protect the information security program plan	CMA_C1732 - Protect the information security program plan	Manual, Disabled	1.1.0
Require external service providers to comply with security requirements	CMA_C1586 - Require external service providers to comply with security requirements	Manual, Disabled	1.1.0
Require notification of third-party personnel transfer or termination	CMA_C1532 - Require notification of third-party personnel transfer or termination	Manual, Disabled	1.1.0
Require third-party providers to comply with personnel security policies and procedures	CMA_C1530 - Require third-party providers to comply with personnel security policies and procedures	Manual, Disabled	1.1.0
Resume all mission and business functions	CMA_C1254 - Resume all mission and business functions	Manual, Disabled	1.1.0
Review access control policies and procedures	CMA_0457 - Review access control policies and procedures	Manual, Disabled	1.1.0
Review and update configuration management policies and procedures	CMA_C1175 - Review and update configuration management policies and procedures	Manual, Disabled	1.1.0
Review and update contingency planning policies and procedures	CMA_C1243 - Review and update contingency planning policies and procedures	Manual, Disabled	1.1.0
Review and update identification and authentication policies and procedures	CMA_C1299 - Review and update identification and authentication policies and procedures	Manual, Disabled	1.1.0
Review and update incident response policies and procedures	CMA_C1352 - Review and update incident response policies and procedures	Manual, Disabled	1.1.0
Review and update information integrity policies and procedures	CMA_C1667 - Review and update information integrity policies and procedures	Manual, Disabled	1.1.0
Review and update media protection policies and procedures	CMA_C1427 - Review and update media protection policies and procedures	Manual, Disabled	1.1.0
Review and update personnel security policies and procedures	CMA_C1507 - Review and update personnel security policies and procedures	Manual, Disabled	1.1.0
Review and update physical and environmental policies and procedures	CMA_C1446 - Review and update physical and environmental policies and procedures	Manual, Disabled	1.1.0
Review and update planning policies and procedures	CMA_C1491 - Review and update planning policies and procedures	Manual, Disabled	1.1.0
Review and update risk assessment policies and procedures	CMA_C1537 - Review and update risk assessment policies and procedures	Manual, Disabled	1.1.0
Review and update system and communications protection policies and procedures	CMA_C1616 - Review and update system and communications protection policies and procedures	Manual, Disabled	1.1.0
Review and update system and services acquisition policies and procedures	CMA_C1560 - Review and update system and services acquisition policies and procedures	Manual, Disabled	1.1.0
Review and update system maintenance policies and procedures	CMA_C1395 - Review and update system maintenance policies and procedures	Manual, Disabled	1.1.0
Review cloud service provider's compliance with policies and agreements	CMA_0469 - Review cloud service provider's compliance with policies and agreements	Manual, Disabled	1.1.0
Review contingency plan	CMA_C1247 - Review contingency plan	Manual, Disabled	1.1.0
Review security assessment and authorization policies and procedures	CMA_C1143 - Review security assessment and authorization policies and procedures	Manual, Disabled	1.1.0
Undergo independent security review	CMA_0515 - Undergo independent security review	Manual, Disabled	1.1.0
Update contingency plan	CMA_C1248 - Update contingency plan	Manual, Disabled	1.1.0
Update information security policies	CMA_0518 - Update information security policies	Manual, Disabled	1.1.0
Update privacy plan, policies, and procedures	CMA_C1807 - Update privacy plan, policies, and procedures	Manual, Disabled	1.1.0

Segregation of Duties

ID: ISO 27001:2013 A.6.1.2 Ownership: Shared

Name (Azure portal)	Description	Effect(s)	Version (GitHub)
A maximum of 3 owners should be designated for your subscription	It is recommended to designate up to 3 subscription owners in order to reduce the potential for breach by a compromised owner.	AuditIfNotExists, Disabled	3.0.0
Define access authorizations to support separation of duties	CMA_0116 - Define access authorizations to support separation of duties	Manual, Disabled	1.1.0
Document separation of duties	CMA_0204 - Document separation of duties	Manual, Disabled	1.1.0
Separate duties of individuals	CMA_0492 - Separate duties of individuals	Manual, Disabled	1.1.0
There should be more than one owner assigned to your subscription	It is recommended to designate more than one subscription owner in order to have administrator access redundancy.	AuditIfNotExists, Disabled	3.0.0

Contact with authorities

ID: ISO 27001:2013 A.6.1.3 Ownership: Shared

Name (Azure portal)	Description	Effect(s)	Version (GitHub)
Establish a privacy program	CMA_0257 - Establish a privacy program	Manual, Disabled	1.1.0
Manage contacts for authorities and special interest groups	CMA_0359 - Manage contacts for authorities and special interest groups	Manual, Disabled	1.1.0

Contact with special interest groups

ID: ISO 27001:2013 A.6.1.4 Ownership: Shared

Name (Azure portal)	Description	Effect(s)	Version (GitHub)
Disseminate security alerts to personnel	CMA_C1705 - Disseminate security alerts to personnel	Manual, Disabled	1.1.0
Establish a privacy program	CMA_0257 - Establish a privacy program	Manual, Disabled	1.1.0
Establish a threat intelligence program	CMA_0260 - Establish a threat intelligence program	Manual, Disabled	1.1.0
Generate internal security alerts	CMA_C1704 - Generate internal security alerts	Manual, Disabled	1.1.0
Implement security directives	CMA_C1706 - Implement security directives	Manual, Disabled	1.1.0
Manage contacts for authorities and special interest groups	CMA_0359 - Manage contacts for authorities and special interest groups	Manual, Disabled	1.1.0

Information security in project management

ID: ISO 27001:2013 A.6.1.5 Ownership: Shared

Name (Azure portal)	Description	Effect(s)	Version (GitHub)
Align business objectives and IT goals	CMA_0008 - Align business objectives and IT goals	Manual, Disabled	1.1.0
Allocate resources in determining information system requirements	CMA_C1561 - Allocate resources in determining information system requirements	Manual, Disabled	1.1.0
Define and document government oversight	CMA_C1587 - Define and document government oversight	Manual, Disabled	1.1.0
Define information security roles and responsibilities	CMA_C1565 - Define information security roles and responsibilities	Manual, Disabled	1.1.0
Determine supplier contract obligations	CMA_0140 - Determine supplier contract obligations	Manual, Disabled	1.1.0
Document acquisition contract acceptance criteria	CMA_0187 - Document acquisition contract acceptance criteria	Manual, Disabled	1.1.0
Document protection of personal data in acquisition contracts	CMA_0194 - Document protection of personal data in acquisition contracts	Manual, Disabled	1.1.0
Document protection of security information in acquisition contracts	CMA_0195 - Document protection of security information in acquisition contracts	Manual, Disabled	1.1.0
Document requirements for the use of shared data in contracts	CMA_0197 - Document requirements for the use of shared data in contracts	Manual, Disabled	1.1.0
Document security assurance requirements in acquisition contracts	CMA_0199 - Document security assurance requirements in acquisition contracts	Manual, Disabled	1.1.0
Document security documentation requirements in acquisition contract	CMA_0200 - Document security documentation requirements in acquisition contract	Manual, Disabled	1.1.0
Document security functional requirements in acquisition contracts	CMA_0201 - Document security functional requirements in acquisition contracts	Manual, Disabled	1.1.0
Document security strength requirements in acquisition contracts	CMA_0203 - Document security strength requirements in acquisition contracts	Manual, Disabled	1.1.0
Document the information system environment in acquisition contracts	CMA_0205 - Document the information system environment in acquisition contracts	Manual, Disabled	1.1.0
Document the protection of cardholder data in third party contracts	CMA_0207 - Document the protection of cardholder data in third party contracts	Manual, Disabled	1.1.0
Establish a discrete line item in budgeting documentation	CMA_C1563 - Establish a discrete line item in budgeting documentation	Manual, Disabled	1.1.0
Establish a privacy program	CMA_0257 - Establish a privacy program	Manual, Disabled	1.1.0
Govern the allocation of resources	CMA_0293 - Govern the allocation of resources	Manual, Disabled	1.1.0
Identify individuals with security roles and responsibilities	CMA_C1566 - Identify individuals with security roles and responsibilities	Manual, Disabled	1.1.1
Integrate risk management process into SDLC	CMA_C1567 - Integrate risk management process into SDLC	Manual, Disabled	1.1.0
Require external service providers to comply with security requirements	CMA_C1586 - Require external service providers to comply with security requirements	Manual, Disabled	1.1.0
Review cloud service provider's compliance with policies and agreements	CMA_0469 - Review cloud service provider's compliance with policies and agreements	Manual, Disabled	1.1.0
Review development process, standards and tools	CMA_C1610 - Review development process, standards and tools	Manual, Disabled	1.1.0
Secure commitment from leadership	CMA_0489 - Secure commitment from leadership	Manual, Disabled	1.1.0
Undergo independent security review	CMA_0515 - Undergo independent security review	Manual, Disabled	1.1.0

Mobile device policy

ID: ISO 27001:2013 A.6.2.1 Ownership: Shared

Name (Azure portal)	Description	Effect(s)	Version (GitHub)
Adopt biometric authentication mechanisms	CMA_0005 - Adopt biometric authentication mechanisms	Manual, Disabled	1.1.0
Authorize remote access	CMA_0024 - Authorize remote access	Manual, Disabled	1.1.0
Define mobile device requirements	CMA_0122 - Define mobile device requirements	Manual, Disabled	1.1.0
Document and implement wireless access guidelines	CMA_0190 - Document and implement wireless access guidelines	Manual, Disabled	1.1.0
Document mobility training	CMA_0191 - Document mobility training	Manual, Disabled	1.1.0
Document remote access guidelines	CMA_0196 - Document remote access guidelines	Manual, Disabled	1.1.0
Identify and authenticate network devices	CMA_0296 - Identify and authenticate network devices	Manual, Disabled	1.1.0
Implement controls to secure alternate work sites	CMA_0315 - Implement controls to secure alternate work sites	Manual, Disabled	1.1.0
Monitor access across the organization	CMA_0376 - Monitor access across the organization	Manual, Disabled	1.1.0
Notify users of system logon or access	CMA_0382 - Notify users of system logon or access	Manual, Disabled	1.1.0
Protect data in transit using encryption	CMA_0403 - Protect data in transit using encryption	Manual, Disabled	1.1.0
Protect wireless access	CMA_0411 - Protect wireless access	Manual, Disabled	1.1.0
Provide privacy training	CMA_0415 - Provide privacy training	Manual, Disabled	1.1.0

Teleworking

ID: ISO 27001:2013 A.6.2.2 Ownership: Shared

Name (Azure portal)	Description	Effect(s)	Version (GitHub)
Adopt biometric authentication mechanisms	CMA_0005 - Adopt biometric authentication mechanisms	Manual, Disabled	1.1.0
Authorize access to security functions and information	CMA_0022 - Authorize access to security functions and information	Manual, Disabled	1.1.0
Authorize and manage access	CMA_0023 - Authorize and manage access	Manual, Disabled	1.1.0
Authorize remote access	CMA_0024 - Authorize remote access	Manual, Disabled	1.1.0
Document mobility training	CMA_0191 - Document mobility training	Manual, Disabled	1.1.0
Document remote access guidelines	CMA_0196 - Document remote access guidelines	Manual, Disabled	1.1.0
Enforce logical access	CMA_0245 - Enforce logical access	Manual, Disabled	1.1.0
Enforce mandatory and discretionary access control policies	CMA_0246 - Enforce mandatory and discretionary access control policies	Manual, Disabled	1.1.0
Identify and authenticate network devices	CMA_0296 - Identify and authenticate network devices	Manual, Disabled	1.1.0
Implement controls to secure alternate work sites	CMA_0315 - Implement controls to secure alternate work sites	Manual, Disabled	1.1.0
Monitor access across the organization	CMA_0376 - Monitor access across the organization	Manual, Disabled	1.1.0
Notify users of system logon or access	CMA_0382 - Notify users of system logon or access	Manual, Disabled	1.1.0
Protect data in transit using encryption	CMA_0403 - Protect data in transit using encryption	Manual, Disabled	1.1.0
Provide privacy training	CMA_0415 - Provide privacy training	Manual, Disabled	1.1.0
Require approval for account creation	CMA_0431 - Require approval for account creation	Manual, Disabled	1.1.0
Review user groups and applications with access to sensitive data	CMA_0481 - Review user groups and applications with access to sensitive data	Manual, Disabled	1.1.0

Human Resources Security

Screening

ID: ISO 27001:2013 A.7.1.1 Ownership: Shared

Name (Azure portal)	Description	Effect(s)	Version (GitHub)
Clear personnel with access to classified information	CMA_0054 - Clear personnel with access to classified information	Manual, Disabled	1.1.0
Implement personnel screening	CMA_0322 - Implement personnel screening	Manual, Disabled	1.1.0
Rescreen individuals at a defined frequency	CMA_C1512 - Rescreen individuals at a defined frequency	Manual, Disabled	1.1.0

Terms and conditions of employment

ID: ISO 27001:2013 A.7.1.2 Ownership: Shared

Name (Azure portal)	Description	Effect(s)	Version (GitHub)
Determine supplier contract obligations	CMA_0140 - Determine supplier contract obligations	Manual, Disabled	1.1.0
Develop acceptable use policies and procedures	CMA_0143 - Develop acceptable use policies and procedures	Manual, Disabled	1.1.0
Develop security safeguards	CMA_0161 - Develop security safeguards	Manual, Disabled	1.1.0
Document acquisition contract acceptance criteria	CMA_0187 - Document acquisition contract acceptance criteria	Manual, Disabled	1.1.0
Document organizational access agreements	CMA_0192 - Document organizational access agreements	Manual, Disabled	1.1.0
Document personnel acceptance of privacy requirements	CMA_0193 - Document personnel acceptance of privacy requirements	Manual, Disabled	1.1.0
Document protection of personal data in acquisition contracts	CMA_0194 - Document protection of personal data in acquisition contracts	Manual, Disabled	1.1.0
Document protection of security information in acquisition contracts	CMA_0195 - Document protection of security information in acquisition contracts	Manual, Disabled	1.1.0
Document requirements for the use of shared data in contracts	CMA_0197 - Document requirements for the use of shared data in contracts	Manual, Disabled	1.1.0
Document security assurance requirements in acquisition contracts	CMA_0199 - Document security assurance requirements in acquisition contracts	Manual, Disabled	1.1.0
Document security documentation requirements in acquisition contract	CMA_0200 - Document security documentation requirements in acquisition contract	Manual, Disabled	1.1.0
Document security functional requirements in acquisition contracts	CMA_0201 - Document security functional requirements in acquisition contracts	Manual, Disabled	1.1.0
Document security strength requirements in acquisition contracts	CMA_0203 - Document security strength requirements in acquisition contracts	Manual, Disabled	1.1.0
Document the information system environment in acquisition contracts	CMA_0205 - Document the information system environment in acquisition contracts	Manual, Disabled	1.1.0
Document the protection of cardholder data in third party contracts	CMA_0207 - Document the protection of cardholder data in third party contracts	Manual, Disabled	1.1.0
Enforce rules of behavior and access agreements	CMA_0248 - Enforce rules of behavior and access agreements	Manual, Disabled	1.1.0
Ensure access agreements are signed or resigned timely	CMA_C1528 - Ensure access agreements are signed or resigned timely	Manual, Disabled	1.1.0
Ensure privacy program information is publicly available	CMA_C1867 - Ensure privacy program information is publicly available	Manual, Disabled	1.1.0
Establish a privacy program	CMA_0257 - Establish a privacy program	Manual, Disabled	1.1.0
Implement privacy notice delivery methods	CMA_0324 - Implement privacy notice delivery methods	Manual, Disabled	1.1.0
Obtain consent prior to collection or processing of personal data	CMA_0385 - Obtain consent prior to collection or processing of personal data	Manual, Disabled	1.1.0
Provide privacy notice	CMA_0414 - Provide privacy notice	Manual, Disabled	1.1.0
Require users to sign access agreement	CMA_0440 - Require users to sign access agreement	Manual, Disabled	1.1.0
Update organizational access agreements	CMA_0520 - Update organizational access agreements	Manual, Disabled	1.1.0

Management responsibilities

ID: ISO 27001:2013 A.7.2.1 Ownership: Shared

Name (Azure portal)	Description	Effect(s)	Version (GitHub)
Define and document government oversight	CMA_C1587 - Define and document government oversight	Manual, Disabled	1.1.0
Determine supplier contract obligations	CMA_0140 - Determine supplier contract obligations	Manual, Disabled	1.1.0
Develop acceptable use policies and procedures	CMA_0143 - Develop acceptable use policies and procedures	Manual, Disabled	1.1.0
Document acquisition contract acceptance criteria	CMA_0187 - Document acquisition contract acceptance criteria	Manual, Disabled	1.1.0
Document organizational access agreements	CMA_0192 - Document organizational access agreements	Manual, Disabled	1.1.0
Document protection of personal data in acquisition contracts	CMA_0194 - Document protection of personal data in acquisition contracts	Manual, Disabled	1.1.0
Document protection of security information in acquisition contracts	CMA_0195 - Document protection of security information in acquisition contracts	Manual, Disabled	1.1.0
Document requirements for the use of shared data in contracts	CMA_0197 - Document requirements for the use of shared data in contracts	Manual, Disabled	1.1.0
Document security assurance requirements in acquisition contracts	CMA_0199 - Document security assurance requirements in acquisition contracts	Manual, Disabled	1.1.0
Document security documentation requirements in acquisition contract	CMA_0200 - Document security documentation requirements in acquisition contract	Manual, Disabled	1.1.0
Document security functional requirements in acquisition contracts	CMA_0201 - Document security functional requirements in acquisition contracts	Manual, Disabled	1.1.0
Document security strength requirements in acquisition contracts	CMA_0203 - Document security strength requirements in acquisition contracts	Manual, Disabled	1.1.0
Document the information system environment in acquisition contracts	CMA_0205 - Document the information system environment in acquisition contracts	Manual, Disabled	1.1.0
Document the protection of cardholder data in third party contracts	CMA_0207 - Document the protection of cardholder data in third party contracts	Manual, Disabled	1.1.0
Document third-party personnel security requirements	CMA_C1531 - Document third-party personnel security requirements	Manual, Disabled	1.1.0
Enforce rules of behavior and access agreements	CMA_0248 - Enforce rules of behavior and access agreements	Manual, Disabled	1.1.0
Ensure access agreements are signed or resigned timely	CMA_C1528 - Ensure access agreements are signed or resigned timely	Manual, Disabled	1.1.0
Establish third-party personnel security requirements	CMA_C1529 - Establish third-party personnel security requirements	Manual, Disabled	1.1.0
Monitor third-party provider compliance	CMA_C1533 - Monitor third-party provider compliance	Manual, Disabled	1.1.0
Require external service providers to comply with security requirements	CMA_C1586 - Require external service providers to comply with security requirements	Manual, Disabled	1.1.0
Require notification of third-party personnel transfer or termination	CMA_C1532 - Require notification of third-party personnel transfer or termination	Manual, Disabled	1.1.0
Require third-party providers to comply with personnel security policies and procedures	CMA_C1530 - Require third-party providers to comply with personnel security policies and procedures	Manual, Disabled	1.1.0
Require users to sign access agreement	CMA_0440 - Require users to sign access agreement	Manual, Disabled	1.1.0
Review cloud service provider's compliance with policies and agreements	CMA_0469 - Review cloud service provider's compliance with policies and agreements	Manual, Disabled	1.1.0
Undergo independent security review	CMA_0515 - Undergo independent security review	Manual, Disabled	1.1.0
Update organizational access agreements	CMA_0520 - Update organizational access agreements	Manual, Disabled	1.1.0

Information security awareness, education and training

ID: ISO 27001:2013 A.7.2.2 Ownership: Shared

Name (Azure portal)	Description	Effect(s)	Version (GitHub)
Document security and privacy training activities	CMA_0198 - Document security and privacy training activities	Manual, Disabled	1.1.0
Employ automated training environment	CMA_C1357 - Employ automated training environment	Manual, Disabled	1.1.0
Establish information security workforce development and improvement program	CMA_C1752 - Establish information security workforce development and improvement program	Manual, Disabled	1.1.0
Monitor security and privacy training completion	CMA_0379 - Monitor security and privacy training completion	Manual, Disabled	1.1.0
Provide contingency training	CMA_0412 - Provide contingency training	Manual, Disabled	1.1.0
Provide information spillage training	CMA_0413 - Provide information spillage training	Manual, Disabled	1.1.0
Provide periodic role-based security training	CMA_C1095 - Provide periodic role-based security training	Manual, Disabled	1.1.0
Provide periodic security awareness training	CMA_C1091 - Provide periodic security awareness training	Manual, Disabled	1.1.0
Provide privacy training	CMA_0415 - Provide privacy training	Manual, Disabled	1.1.0
Provide role-based security training	CMA_C1094 - Provide role-based security training	Manual, Disabled	1.1.0
Provide security training before providing access	CMA_0418 - Provide security training before providing access	Manual, Disabled	1.1.0
Provide security training for new users	CMA_0419 - Provide security training for new users	Manual, Disabled	1.1.0
Provide updated security awareness training	CMA_C1090 - Provide updated security awareness training	Manual, Disabled	1.1.0
Retain training records	CMA_0456 - Retain training records	Manual, Disabled	1.1.0
Train personnel on disclosure of nonpublic information	CMA_C1084 - Train personnel on disclosure of nonpublic information	Manual, Disabled	1.1.0

Disciplinary process

ID: ISO 27001:2013 A.7.2.3 Ownership: Shared

Name (Azure portal)	Description	Effect(s)	Version (GitHub)
Implement formal sanctions process	CMA_0317 - Implement formal sanctions process	Manual, Disabled	1.1.0
Notify personnel upon sanctions	CMA_0380 - Notify personnel upon sanctions	Manual, Disabled	1.1.0

Termination or change of employment responsibilities

ID: ISO 27001:2013 A.7.3.1 Ownership: Shared

Name (Azure portal)	Description	Effect(s)	Version (GitHub)
Conduct exit interview upon termination	CMA_0058 - Conduct exit interview upon termination	Manual, Disabled	1.1.0
Disable authenticators upon termination	CMA_0169 - Disable authenticators upon termination	Manual, Disabled	1.1.0
Initiate transfer or reassignment actions	CMA_0333 - Initiate transfer or reassignment actions	Manual, Disabled	1.1.0
Modify access authorizations upon personnel transfer	CMA_0374 - Modify access authorizations upon personnel transfer	Manual, Disabled	1.1.0
Notify upon termination or transfer	CMA_0381 - Notify upon termination or transfer	Manual, Disabled	1.1.0
Protect against and prevent data theft from departing employees	CMA_0398 - Protect against and prevent data theft from departing employees	Manual, Disabled	1.1.0
Reevaluate access upon personnel transfer	CMA_0424 - Reevaluate access upon personnel transfer	Manual, Disabled	1.1.0
Retain terminated user data	CMA_0455 - Retain terminated user data	Manual, Disabled	1.1.0

Asset Management

Inventory of assets

ID: ISO 27001:2013 A.8.1.1 Ownership: Shared

Name (Azure portal)	Description	Effect(s)	Version (GitHub)
Create a data inventory	CMA_0096 - Create a data inventory	Manual, Disabled	1.1.0
Maintain records of processing of personal data	CMA_0353 - Maintain records of processing of personal data	Manual, Disabled	1.1.0

Ownership of assets

ID: ISO 27001:2013 A.8.1.2 Ownership: Shared

Name (Azure portal)	Description	Effect(s)	Version (GitHub)
Block untrusted and unsigned processes that run from USB	CMA_0050 - Block untrusted and unsigned processes that run from USB	Manual, Disabled	1.1.0
Control use of portable storage devices	CMA_0083 - Control use of portable storage devices	Manual, Disabled	1.1.0
Create a data inventory	CMA_0096 - Create a data inventory	Manual, Disabled	1.1.0
Establish and maintain an asset inventory	CMA_0266 - Establish and maintain an asset inventory	Manual, Disabled	1.1.0
Implement controls to secure all media	CMA_0314 - Implement controls to secure all media	Manual, Disabled	1.1.0
Maintain records of processing of personal data	CMA_0353 - Maintain records of processing of personal data	Manual, Disabled	1.1.0
Restrict media use	CMA_0450 - Restrict media use	Manual, Disabled	1.1.0

Acceptable use of assets

ID: ISO 27001:2013 A.8.1.3 Ownership: Shared

Name (Azure portal)	Description	Effect(s)	Version (GitHub)
Develop acceptable use policies and procedures	CMA_0143 - Develop acceptable use policies and procedures	Manual, Disabled	1.1.0
Enforce rules of behavior and access agreements	CMA_0248 - Enforce rules of behavior and access agreements	Manual, Disabled	1.1.0

Return of assets

ID: ISO 27001:2013 A.8.1.4 Ownership: Shared

Name (Azure portal)	Description	Effect(s)	Version (GitHub)
Conduct exit interview upon termination	CMA_0058 - Conduct exit interview upon termination	Manual, Disabled	1.1.0
Disable authenticators upon termination	CMA_0169 - Disable authenticators upon termination	Manual, Disabled	1.1.0
Initiate transfer or reassignment actions	CMA_0333 - Initiate transfer or reassignment actions	Manual, Disabled	1.1.0
Modify access authorizations upon personnel transfer	CMA_0374 - Modify access authorizations upon personnel transfer	Manual, Disabled	1.1.0
Notify upon termination or transfer	CMA_0381 - Notify upon termination or transfer	Manual, Disabled	1.1.0
Protect against and prevent data theft from departing employees	CMA_0398 - Protect against and prevent data theft from departing employees	Manual, Disabled	1.1.0
Reevaluate access upon personnel transfer	CMA_0424 - Reevaluate access upon personnel transfer	Manual, Disabled	1.1.0
Retain terminated user data	CMA_0455 - Retain terminated user data	Manual, Disabled	1.1.0

Classification of information

ID: ISO 27001:2013 A.8.2.1 Ownership: Shared

Name (Azure portal)	Description	Effect(s)	Version (GitHub)
Categorize information	CMA_0052 - Categorize information	Manual, Disabled	1.1.0
Develop business classification schemes	CMA_0155 - Develop business classification schemes	Manual, Disabled	1.1.0
Ensure security categorization is approved	CMA_C1540 - Ensure security categorization is approved	Manual, Disabled	1.1.0
Review label activity and analytics	CMA_0474 - Review label activity and analytics	Manual, Disabled	1.1.0
SQL databases should have vulnerability findings resolved	Monitor vulnerability assessment scan results and recommendations for how to remediate database vulnerabilities.	AuditIfNotExists, Disabled	4.1.0

Labelling of information

ID: ISO 27001:2013 A.8.2.2 Ownership: Shared

Name (Azure portal)	Description	Effect(s)	Version (GitHub)
Control physical access	CMA_0081 - Control physical access	Manual, Disabled	1.1.0
Implement controls to secure all media	CMA_0314 - Implement controls to secure all media	Manual, Disabled	1.1.0
Manage the input, output, processing, and storage of data	CMA_0369 - Manage the input, output, processing, and storage of data	Manual, Disabled	1.1.0
Review label activity and analytics	CMA_0474 - Review label activity and analytics	Manual, Disabled	1.1.0

Handling of assets

ID: ISO 27001:2013 A.8.2.3 Ownership: Shared

Name (Azure portal)	Description	Effect(s)	Version (GitHub)
Block untrusted and unsigned processes that run from USB	CMA_0050 - Block untrusted and unsigned processes that run from USB	Manual, Disabled	1.1.0
Configure workstations to check for digital certificates	CMA_0073 - Configure workstations to check for digital certificates	Manual, Disabled	1.1.0
Control information flow	CMA_0079 - Control information flow	Manual, Disabled	1.1.0
Control physical access	CMA_0081 - Control physical access	Manual, Disabled	1.1.0
Control use of portable storage devices	CMA_0083 - Control use of portable storage devices	Manual, Disabled	1.1.0
Define requirements for managing assets	CMA_0125 - Define requirements for managing assets	Manual, Disabled	1.1.0
Employ a media sanitization mechanism	CMA_0208 - Employ a media sanitization mechanism	Manual, Disabled	1.1.0
Establish a data leakage management procedure	CMA_0255 - Establish a data leakage management procedure	Manual, Disabled	1.1.0
Establish and document change control processes	CMA_0265 - Establish and document change control processes	Manual, Disabled	1.1.0
Establish configuration management requirements for developers	CMA_0270 - Establish configuration management requirements for developers	Manual, Disabled	1.1.0
Establish firewall and router configuration standards	CMA_0272 - Establish firewall and router configuration standards	Manual, Disabled	1.1.0
Establish network segmentation for card holder data environment	CMA_0273 - Establish network segmentation for card holder data environment	Manual, Disabled	1.1.0
Identify and manage downstream information exchanges	CMA_0298 - Identify and manage downstream information exchanges	Manual, Disabled	1.1.0
Implement a fault tolerant name/address service	CMA_0305 - Implement a fault tolerant name/address service	Manual, Disabled	1.1.0
Implement controls to secure all media	CMA_0314 - Implement controls to secure all media	Manual, Disabled	1.1.0
Implement physical security for offices, working areas, and secure areas	CMA_0323 - Implement physical security for offices, working areas, and secure areas	Manual, Disabled	1.1.0
Manage the input, output, processing, and storage of data	CMA_0369 - Manage the input, output, processing, and storage of data	Manual, Disabled	1.1.0
Manage the transportation of assets	CMA_0370 - Manage the transportation of assets	Manual, Disabled	1.1.0
Perform audit for configuration change control	CMA_0390 - Perform audit for configuration change control	Manual, Disabled	1.1.0
Produce, control and distribute asymmetric cryptographic keys	CMA_C1646 - Produce, control and distribute asymmetric cryptographic keys	Manual, Disabled	1.1.0
Protect data in transit using encryption	CMA_0403 - Protect data in transit using encryption	Manual, Disabled	1.1.0
Protect passwords with encryption	CMA_0408 - Protect passwords with encryption	Manual, Disabled	1.1.0
Protect special information	CMA_0409 - Protect special information	Manual, Disabled	1.1.0
Provide secure name and address resolution services	CMA_0416 - Provide secure name and address resolution services	Manual, Disabled	1.1.0
Restrict media use	CMA_0450 - Restrict media use	Manual, Disabled	1.1.0
Review label activity and analytics	CMA_0474 - Review label activity and analytics	Manual, Disabled	1.1.0

Management of removable media

ID: ISO 27001:2013 A.8.3.1 Ownership: Shared

Name (Azure portal)	Description	Effect(s)	Version (GitHub)
Block untrusted and unsigned processes that run from USB	CMA_0050 - Block untrusted and unsigned processes that run from USB	Manual, Disabled	1.1.0
Control use of portable storage devices	CMA_0083 - Control use of portable storage devices	Manual, Disabled	1.1.0
Employ a media sanitization mechanism	CMA_0208 - Employ a media sanitization mechanism	Manual, Disabled	1.1.0
Implement controls to secure all media	CMA_0314 - Implement controls to secure all media	Manual, Disabled	1.1.0
Manage the transportation of assets	CMA_0370 - Manage the transportation of assets	Manual, Disabled	1.1.0
Restrict media use	CMA_0450 - Restrict media use	Manual, Disabled	1.1.0

Disposal of media

ID: ISO 27001:2013 A.8.3.2 Ownership: Shared

Name (Azure portal)	Description	Effect(s)	Version (GitHub)
Employ a media sanitization mechanism	CMA_0208 - Employ a media sanitization mechanism	Manual, Disabled	1.1.0
Implement controls to secure all media	CMA_0314 - Implement controls to secure all media	Manual, Disabled	1.1.0

Physical media transfer

ID: ISO 27001:2013 A.8.3.3 Ownership: Shared

Name (Azure portal)	Description	Effect(s)	Version (GitHub)
Implement controls to secure all media	CMA_0314 - Implement controls to secure all media	Manual, Disabled	1.1.0
Manage the transportation of assets	CMA_0370 - Manage the transportation of assets	Manual, Disabled	1.1.0

Access Control

Access control policy

ID: ISO 27001:2013 A.9.1.1 Ownership: Shared

Name (Azure portal)	Description	Effect(s)	Version (GitHub)
Develop access control policies and procedures	CMA_0144 - Develop access control policies and procedures	Manual, Disabled	1.1.0
Enforce mandatory and discretionary access control policies	CMA_0246 - Enforce mandatory and discretionary access control policies	Manual, Disabled	1.1.0
Govern policies and procedures	CMA_0292 - Govern policies and procedures	Manual, Disabled	1.1.0
Review access control policies and procedures	CMA_0457 - Review access control policies and procedures	Manual, Disabled	1.1.0

Access to networks and network services

ID: ISO 27001:2013 A.9.1.2 Ownership: Shared

Name (Azure portal)	Description	Effect(s)	Version (GitHub)
Add system-assigned managed identity to enable Guest Configuration assignments on virtual machines with no identities	This policy adds a system-assigned managed identity to virtual machines hosted in Azure that are supported by Guest Configuration but do not have any managed identities. A system-assigned managed identity is a prerequisite for all Guest Configuration assignments and must be added to machines before using any Guest Configuration policy definitions. For more information on Guest Configuration, visit https://aka.ms/gcpol.	modify	4.1.0
Add system-assigned managed identity to enable Guest Configuration assignments on VMs with a user-assigned identity	This policy adds a system-assigned managed identity to virtual machines hosted in Azure that are supported by Guest Configuration and have at least one user-assigned identity but do not have a system-assigned managed identity. A system-assigned managed identity is a prerequisite for all Guest Configuration assignments and must be added to machines before using any Guest Configuration policy definitions. For more information on Guest Configuration, visit https://aka.ms/gcpol.	modify	4.1.0
Adopt biometric authentication mechanisms	CMA_0005 - Adopt biometric authentication mechanisms	Manual, Disabled	1.1.0
Audit Linux machines that allow remote connections from accounts without passwords	Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if Linux machines that allow remote connections from accounts without passwords	AuditIfNotExists, Disabled	3.1.0
Audit Linux machines that have accounts without passwords	Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if Linux machines that have accounts without passwords	AuditIfNotExists, Disabled	3.1.0
Audit VMs that do not use managed disks	This policy audits VMs that do not use managed disks	audit	1.0.0
Authorize access to security functions and information	CMA_0022 - Authorize access to security functions and information	Manual, Disabled	1.1.0
Authorize and manage access	CMA_0023 - Authorize and manage access	Manual, Disabled	1.1.0
Automate account management	CMA_0026 - Automate account management	Manual, Disabled	1.1.0
Deploy the Linux Guest Configuration extension to enable Guest Configuration assignments on Linux VMs	This policy deploys the Linux Guest Configuration extension to Linux virtual machines hosted in Azure that are supported by Guest Configuration. The Linux Guest Configuration extension is a prerequisite for all Linux Guest Configuration assignments and must be deployed to machines before using any Linux Guest Configuration policy definition. For more information on Guest Configuration, visit https://aka.ms/gcpol.	deployIfNotExists	3.1.0
Design an access control model	CMA_0129 - Design an access control model	Manual, Disabled	1.1.0
Employ least privilege access	CMA_0212 - Employ least privilege access	Manual, Disabled	1.1.0
Enable detection of network devices	CMA_0220 - Enable detection of network devices	Manual, Disabled	1.1.0
Enforce logical access	CMA_0245 - Enforce logical access	Manual, Disabled	1.1.0
Enforce mandatory and discretionary access control policies	CMA_0246 - Enforce mandatory and discretionary access control policies	Manual, Disabled	1.1.0
Enforce user uniqueness	CMA_0250 - Enforce user uniqueness	Manual, Disabled	1.1.0
Establish electronic signature and certificate requirements	CMA_0271 - Establish electronic signature and certificate requirements	Manual, Disabled	1.1.0
Identify actions allowed without authentication	CMA_0295 - Identify actions allowed without authentication	Manual, Disabled	1.1.0
Identify and authenticate non-organizational users	CMA_C1346 - Identify and authenticate non-organizational users	Manual, Disabled	1.1.0
Manage system and admin accounts	CMA_0368 - Manage system and admin accounts	Manual, Disabled	1.1.0
Monitor access across the organization	CMA_0376 - Monitor access across the organization	Manual, Disabled	1.1.0
Notify when account is not needed	CMA_0383 - Notify when account is not needed	Manual, Disabled	1.1.0
Require approval for account creation	CMA_0431 - Require approval for account creation	Manual, Disabled	1.1.0
Review user groups and applications with access to sensitive data	CMA_0481 - Review user groups and applications with access to sensitive data	Manual, Disabled	1.1.0
Route traffic through managed network access points	CMA_0484 - Route traffic through managed network access points	Manual, Disabled	1.1.0
Set automated notifications for new and trending cloud applications in your organization	CMA_0495 - Set automated notifications for new and trending cloud applications in your organization	Manual, Disabled	1.1.0
Storage accounts should be migrated to new Azure Resource Manager resources	Use new Azure Resource Manager for your storage accounts to provide security enhancements such as: stronger access control (RBAC), better auditing, Azure Resource Manager based deployment and governance, access to managed identities, access to key vault for secrets, Azure AD-based authentication and support for tags and resource groups for easier security management	Audit, Deny, Disabled	1.0.0
Support personal verification credentials issued by legal authorities	CMA_0507 - Support personal verification credentials issued by legal authorities	Manual, Disabled	1.1.0
Virtual machines should be migrated to new Azure Resource Manager resources	Use new Azure Resource Manager for your virtual machines to provide security enhancements such as: stronger access control (RBAC), better auditing, Azure Resource Manager based deployment and governance, access to managed identities, access to key vault for secrets, Azure AD-based authentication and support for tags and resource groups for easier security management	Audit, Deny, Disabled	1.0.0

User registration and de-registration

ID: ISO 27001:2013 A.9.2.1 Ownership: Shared

Name (Azure portal)	Description	Effect(s)	Version (GitHub)
Assign account managers	CMA_0015 - Assign account managers	Manual, Disabled	1.1.0
Assign system identifiers	CMA_0018 - Assign system identifiers	Manual, Disabled	1.1.0
Audit user account status	CMA_0020 - Audit user account status	Manual, Disabled	1.1.0
Define information system account types	CMA_0121 - Define information system account types	Manual, Disabled	1.1.0
Document access privileges	CMA_0186 - Document access privileges	Manual, Disabled	1.1.0
Enable detection of network devices	CMA_0220 - Enable detection of network devices	Manual, Disabled	1.1.0
Enforce user uniqueness	CMA_0250 - Enforce user uniqueness	Manual, Disabled	1.1.0
Establish authenticator types and processes	CMA_0267 - Establish authenticator types and processes	Manual, Disabled	1.1.0
Establish conditions for role membership	CMA_0269 - Establish conditions for role membership	Manual, Disabled	1.1.0
Establish procedures for initial authenticator distribution	CMA_0276 - Establish procedures for initial authenticator distribution	Manual, Disabled	1.1.0
Identify actions allowed without authentication	CMA_0295 - Identify actions allowed without authentication	Manual, Disabled	1.1.0
Identify and authenticate non-organizational users	CMA_C1346 - Identify and authenticate non-organizational users	Manual, Disabled	1.1.0
Implement training for protecting authenticators	CMA_0329 - Implement training for protecting authenticators	Manual, Disabled	1.1.0
Manage authenticator lifetime and reuse	CMA_0355 - Manage authenticator lifetime and reuse	Manual, Disabled	1.1.0
Manage Authenticators	CMA_C1321 - Manage Authenticators	Manual, Disabled	1.1.0
Notify Account Managers of customer controlled accounts	CMA_C1009 - Notify Account Managers of customer controlled accounts	Manual, Disabled	1.1.0
Prevent identifier reuse for the defined time period	CMA_C1314 - Prevent identifier reuse for the defined time period	Manual, Disabled	1.1.0
Refresh authenticators	CMA_0425 - Refresh authenticators	Manual, Disabled	1.1.0
Reissue authenticators for changed groups and accounts	CMA_0426 - Reissue authenticators for changed groups and accounts	Manual, Disabled	1.1.0
Require approval for account creation	CMA_0431 - Require approval for account creation	Manual, Disabled	1.1.0
Restrict access to privileged accounts	CMA_0446 - Restrict access to privileged accounts	Manual, Disabled	1.1.0
Review account provisioning logs	CMA_0460 - Review account provisioning logs	Manual, Disabled	1.1.0
Review and reevaluate privileges	CMA_C1207 - Review and reevaluate privileges	Manual, Disabled	1.1.0
Review user accounts	CMA_0480 - Review user accounts	Manual, Disabled	1.1.0
Set automated notifications for new and trending cloud applications in your organization	CMA_0495 - Set automated notifications for new and trending cloud applications in your organization	Manual, Disabled	1.1.0
Support personal verification credentials issued by legal authorities	CMA_0507 - Support personal verification credentials issued by legal authorities	Manual, Disabled	1.1.0
Verify identity before distributing authenticators	CMA_0538 - Verify identity before distributing authenticators	Manual, Disabled	1.1.0

User access provisioning

ID: ISO 27001:2013 A.9.2.2 Ownership: Shared

Name (Azure portal)	Description	Effect(s)	Version (GitHub)
Assign account managers	CMA_0015 - Assign account managers	Manual, Disabled	1.1.0
Audit user account status	CMA_0020 - Audit user account status	Manual, Disabled	1.1.0
Authorize access to security functions and information	CMA_0022 - Authorize access to security functions and information	Manual, Disabled	1.1.0
Authorize and manage access	CMA_0023 - Authorize and manage access	Manual, Disabled	1.1.0
Automate account management	CMA_0026 - Automate account management	Manual, Disabled	1.1.0
Define information system account types	CMA_0121 - Define information system account types	Manual, Disabled	1.1.0
Document access privileges	CMA_0186 - Document access privileges	Manual, Disabled	1.1.0
Enforce mandatory and discretionary access control policies	CMA_0246 - Enforce mandatory and discretionary access control policies	Manual, Disabled	1.1.0
Establish conditions for role membership	CMA_0269 - Establish conditions for role membership	Manual, Disabled	1.1.0
Limit privileges to make changes in production environment	CMA_C1206 - Limit privileges to make changes in production environment	Manual, Disabled	1.1.0
Manage system and admin accounts	CMA_0368 - Manage system and admin accounts	Manual, Disabled	1.1.0
Monitor access across the organization	CMA_0376 - Monitor access across the organization	Manual, Disabled	1.1.0
Notify Account Managers of customer controlled accounts	CMA_C1009 - Notify Account Managers of customer controlled accounts	Manual, Disabled	1.1.0
Notify when account is not needed	CMA_0383 - Notify when account is not needed	Manual, Disabled	1.1.0
Require approval for account creation	CMA_0431 - Require approval for account creation	Manual, Disabled	1.1.0
Restrict access to privileged accounts	CMA_0446 - Restrict access to privileged accounts	Manual, Disabled	1.1.0
Review account provisioning logs	CMA_0460 - Review account provisioning logs	Manual, Disabled	1.1.0
Review and reevaluate privileges	CMA_C1207 - Review and reevaluate privileges	Manual, Disabled	1.1.0
Review user accounts	CMA_0480 - Review user accounts	Manual, Disabled	1.1.0

Management of privileged access rights

ID: ISO 27001:2013 A.9.2.3 Ownership: Shared

Name (Azure portal)	Description	Effect(s)	Version (GitHub)
Accounts with owner permissions on Azure resources should be MFA enabled	Multi-Factor Authentication (MFA) should be enabled for all subscription accounts with owner permissions to prevent a breach of accounts or resources.	AuditIfNotExists, Disabled	1.0.0
Accounts with write permissions on Azure resources should be MFA enabled	Multi-Factor Authentication (MFA) should be enabled for all subscription accounts with write privileges to prevent a breach of accounts or resources.	AuditIfNotExists, Disabled	1.0.0
An Azure Active Directory administrator should be provisioned for SQL servers	Audit provisioning of an Azure Active Directory administrator for your SQL server to enable Azure AD authentication. Azure AD authentication enables simplified permission management and centralized identity management of database users and other Microsoft services	AuditIfNotExists, Disabled	1.0.0
Assign account managers	CMA_0015 - Assign account managers	Manual, Disabled	1.1.0
Audit privileged functions	CMA_0019 - Audit privileged functions	Manual, Disabled	1.1.0
Audit usage of custom RBAC roles	Audit built-in roles such as 'Owner, Contributer, Reader' instead of custom RBAC roles, which are error prone. Using custom roles is treated as an exception and requires a rigorous review and threat modeling	Audit, Disabled	1.0.1
Audit user account status	CMA_0020 - Audit user account status	Manual, Disabled	1.1.0
Authorize access to security functions and information	CMA_0022 - Authorize access to security functions and information	Manual, Disabled	1.1.0
Authorize and manage access	CMA_0023 - Authorize and manage access	Manual, Disabled	1.1.0
Automate account management	CMA_0026 - Automate account management	Manual, Disabled	1.1.0
Define information system account types	CMA_0121 - Define information system account types	Manual, Disabled	1.1.0
Design an access control model	CMA_0129 - Design an access control model	Manual, Disabled	1.1.0
Document access privileges	CMA_0186 - Document access privileges	Manual, Disabled	1.1.0
Employ least privilege access	CMA_0212 - Employ least privilege access	Manual, Disabled	1.1.0
Enforce mandatory and discretionary access control policies	CMA_0246 - Enforce mandatory and discretionary access control policies	Manual, Disabled	1.1.0
Establish and document change control processes	CMA_0265 - Establish and document change control processes	Manual, Disabled	1.1.0
Establish conditions for role membership	CMA_0269 - Establish conditions for role membership	Manual, Disabled	1.1.0
Guest accounts with owner permissions on Azure resources should be removed	External accounts with owner permissions should be removed from your subscription in order to prevent unmonitored access.	AuditIfNotExists, Disabled	1.0.0
Guest accounts with write permissions on Azure resources should be removed	External accounts with write privileges should be removed from your subscription in order to prevent unmonitored access.	AuditIfNotExists, Disabled	1.0.0
Limit privileges to make changes in production environment	CMA_C1206 - Limit privileges to make changes in production environment	Manual, Disabled	1.1.0
Manage system and admin accounts	CMA_0368 - Manage system and admin accounts	Manual, Disabled	1.1.0
Monitor access across the organization	CMA_0376 - Monitor access across the organization	Manual, Disabled	1.1.0
Monitor privileged role assignment	CMA_0378 - Monitor privileged role assignment	Manual, Disabled	1.1.0
Notify Account Managers of customer controlled accounts	CMA_C1009 - Notify Account Managers of customer controlled accounts	Manual, Disabled	1.1.0
Notify when account is not needed	CMA_0383 - Notify when account is not needed	Manual, Disabled	1.1.0
Require approval for account creation	CMA_0431 - Require approval for account creation	Manual, Disabled	1.1.0
Restrict access to privileged accounts	CMA_0446 - Restrict access to privileged accounts	Manual, Disabled	1.1.0
Review account provisioning logs	CMA_0460 - Review account provisioning logs	Manual, Disabled	1.1.0
Review and reevaluate privileges	CMA_C1207 - Review and reevaluate privileges	Manual, Disabled	1.1.0
Review user accounts	CMA_0480 - Review user accounts	Manual, Disabled	1.1.0
Revoke privileged roles as appropriate	CMA_0483 - Revoke privileged roles as appropriate	Manual, Disabled	1.1.0
Service Fabric clusters should only use Azure Active Directory for client authentication	Audit usage of client authentication only via Azure Active Directory in Service Fabric	Audit, Deny, Disabled	1.1.0
Use privileged identity management	CMA_0533 - Use privileged identity management	Manual, Disabled	1.1.0

Management of secret authentication information of users

ID: ISO 27001:2013 A.9.2.4 Ownership: Shared

Name (Azure portal)	Description	Effect(s)	Version (GitHub)
Accounts with owner permissions on Azure resources should be MFA enabled	Multi-Factor Authentication (MFA) should be enabled for all subscription accounts with owner permissions to prevent a breach of accounts or resources.	AuditIfNotExists, Disabled	1.0.0
Accounts with read permissions on Azure resources should be MFA enabled	Multi-Factor Authentication (MFA) should be enabled for all subscription accounts with read privileges to prevent a breach of accounts or resources.	AuditIfNotExists, Disabled	1.0.0
Accounts with write permissions on Azure resources should be MFA enabled	Multi-Factor Authentication (MFA) should be enabled for all subscription accounts with write privileges to prevent a breach of accounts or resources.	AuditIfNotExists, Disabled	1.0.0
Add system-assigned managed identity to enable Guest Configuration assignments on virtual machines with no identities	This policy adds a system-assigned managed identity to virtual machines hosted in Azure that are supported by Guest Configuration but do not have any managed identities. A system-assigned managed identity is a prerequisite for all Guest Configuration assignments and must be added to machines before using any Guest Configuration policy definitions. For more information on Guest Configuration, visit https://aka.ms/gcpol.	modify	4.1.0
Add system-assigned managed identity to enable Guest Configuration assignments on VMs with a user-assigned identity	This policy adds a system-assigned managed identity to virtual machines hosted in Azure that are supported by Guest Configuration and have at least one user-assigned identity but do not have a system-assigned managed identity. A system-assigned managed identity is a prerequisite for all Guest Configuration assignments and must be added to machines before using any Guest Configuration policy definitions. For more information on Guest Configuration, visit https://aka.ms/gcpol.	modify	4.1.0
Audit Linux machines that do not have the passwd file permissions set to 0644	Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if Linux machines that do not have the passwd file permissions set to 0644	AuditIfNotExists, Disabled	3.1.0
Deploy the Linux Guest Configuration extension to enable Guest Configuration assignments on Linux VMs	This policy deploys the Linux Guest Configuration extension to Linux virtual machines hosted in Azure that are supported by Guest Configuration. The Linux Guest Configuration extension is a prerequisite for all Linux Guest Configuration assignments and must be deployed to machines before using any Linux Guest Configuration policy definition. For more information on Guest Configuration, visit https://aka.ms/gcpol.	deployIfNotExists	3.1.0
Disable authenticators upon termination	CMA_0169 - Disable authenticators upon termination	Manual, Disabled	1.1.0
Document security strength requirements in acquisition contracts	CMA_0203 - Document security strength requirements in acquisition contracts	Manual, Disabled	1.1.0
Establish a password policy	CMA_0256 - Establish a password policy	Manual, Disabled	1.1.0
Establish authenticator types and processes	CMA_0267 - Establish authenticator types and processes	Manual, Disabled	1.1.0
Establish procedures for initial authenticator distribution	CMA_0276 - Establish procedures for initial authenticator distribution	Manual, Disabled	1.1.0
Implement parameters for memorized secret verifiers	CMA_0321 - Implement parameters for memorized secret verifiers	Manual, Disabled	1.1.0
Implement training for protecting authenticators	CMA_0329 - Implement training for protecting authenticators	Manual, Disabled	1.1.0
Manage authenticator lifetime and reuse	CMA_0355 - Manage authenticator lifetime and reuse	Manual, Disabled	1.1.0
Manage Authenticators	CMA_C1321 - Manage Authenticators	Manual, Disabled	1.1.0
Protect passwords with encryption	CMA_0408 - Protect passwords with encryption	Manual, Disabled	1.1.0
Refresh authenticators	CMA_0425 - Refresh authenticators	Manual, Disabled	1.1.0
Reissue authenticators for changed groups and accounts	CMA_0426 - Reissue authenticators for changed groups and accounts	Manual, Disabled	1.1.0
Revoke privileged roles as appropriate	CMA_0483 - Revoke privileged roles as appropriate	Manual, Disabled	1.1.0
Verify identity before distributing authenticators	CMA_0538 - Verify identity before distributing authenticators	Manual, Disabled	1.1.0

Review of user access rights

ID: ISO 27001:2013 A.9.2.5 Ownership: Shared

Name (Azure portal)	Description	Effect(s)	Version (GitHub)
Assign account managers	CMA_0015 - Assign account managers	Manual, Disabled	1.1.0
Audit user account status	CMA_0020 - Audit user account status	Manual, Disabled	1.1.0
Blocked accounts with owner permissions on Azure resources should be removed	Deprecated accounts with owner permissions should be removed from your subscription. Deprecated accounts are accounts that have been blocked from signing in.	AuditIfNotExists, Disabled	1.0.0
Blocked accounts with read and write permissions on Azure resources should be removed	Deprecated accounts should be removed from your subscriptions. Deprecated accounts are accounts that have been blocked from signing in.	AuditIfNotExists, Disabled	1.0.0
Define information system account types	CMA_0121 - Define information system account types	Manual, Disabled	1.1.0
Document access privileges	CMA_0186 - Document access privileges	Manual, Disabled	1.1.0
Establish conditions for role membership	CMA_0269 - Establish conditions for role membership	Manual, Disabled	1.1.0
Guest accounts with owner permissions on Azure resources should be removed	External accounts with owner permissions should be removed from your subscription in order to prevent unmonitored access.	AuditIfNotExists, Disabled	1.0.0
Guest accounts with write permissions on Azure resources should be removed	External accounts with write privileges should be removed from your subscription in order to prevent unmonitored access.	AuditIfNotExists, Disabled	1.0.0
Notify Account Managers of customer controlled accounts	CMA_C1009 - Notify Account Managers of customer controlled accounts	Manual, Disabled	1.1.0
Reassign or remove user privileges as needed	CMA_C1040 - Reassign or remove user privileges as needed	Manual, Disabled	1.1.0
Require approval for account creation	CMA_0431 - Require approval for account creation	Manual, Disabled	1.1.0
Restrict access to privileged accounts	CMA_0446 - Restrict access to privileged accounts	Manual, Disabled	1.1.0
Review account provisioning logs	CMA_0460 - Review account provisioning logs	Manual, Disabled	1.1.0
Review and reevaluate privileges	CMA_C1207 - Review and reevaluate privileges	Manual, Disabled	1.1.0
Review user accounts	CMA_0480 - Review user accounts	Manual, Disabled	1.1.0
Review user privileges	CMA_C1039 - Review user privileges	Manual, Disabled	1.1.0

Removal or adjustment of access rights

ID: ISO 27001:2013 A.9.2.6 Ownership: Shared

Name (Azure portal)	Description	Effect(s)	Version (GitHub)
Assign account managers	CMA_0015 - Assign account managers	Manual, Disabled	1.1.0
Audit user account status	CMA_0020 - Audit user account status	Manual, Disabled	1.1.0
Blocked accounts with owner permissions on Azure resources should be removed	Deprecated accounts with owner permissions should be removed from your subscription. Deprecated accounts are accounts that have been blocked from signing in.	AuditIfNotExists, Disabled	1.0.0
Blocked accounts with read and write permissions on Azure resources should be removed	Deprecated accounts should be removed from your subscriptions. Deprecated accounts are accounts that have been blocked from signing in.	AuditIfNotExists, Disabled	1.0.0
Define information system account types	CMA_0121 - Define information system account types	Manual, Disabled	1.1.0
Document access privileges	CMA_0186 - Document access privileges	Manual, Disabled	1.1.0
Establish conditions for role membership	CMA_0269 - Establish conditions for role membership	Manual, Disabled	1.1.0
Initiate transfer or reassignment actions	CMA_0333 - Initiate transfer or reassignment actions	Manual, Disabled	1.1.0
Modify access authorizations upon personnel transfer	CMA_0374 - Modify access authorizations upon personnel transfer	Manual, Disabled	1.1.0
Notify Account Managers of customer controlled accounts	CMA_C1009 - Notify Account Managers of customer controlled accounts	Manual, Disabled	1.1.0
Notify upon termination or transfer	CMA_0381 - Notify upon termination or transfer	Manual, Disabled	1.1.0
Reevaluate access upon personnel transfer	CMA_0424 - Reevaluate access upon personnel transfer	Manual, Disabled	1.1.0
Require approval for account creation	CMA_0431 - Require approval for account creation	Manual, Disabled	1.1.0
Restrict access to privileged accounts	CMA_0446 - Restrict access to privileged accounts	Manual, Disabled	1.1.0
Review account provisioning logs	CMA_0460 - Review account provisioning logs	Manual, Disabled	1.1.0
Review and reevaluate privileges	CMA_C1207 - Review and reevaluate privileges	Manual, Disabled	1.1.0
Review user accounts	CMA_0480 - Review user accounts	Manual, Disabled	1.1.0

Use of secret authentication information

ID: ISO 27001:2013 A.9.3.1 Ownership: Shared

Name (Azure portal)	Description	Effect(s)	Version (GitHub)
Disable authenticators upon termination	CMA_0169 - Disable authenticators upon termination	Manual, Disabled	1.1.0
Document security strength requirements in acquisition contracts	CMA_0203 - Document security strength requirements in acquisition contracts	Manual, Disabled	1.1.0
Establish a password policy	CMA_0256 - Establish a password policy	Manual, Disabled	1.1.0
Establish authenticator types and processes	CMA_0267 - Establish authenticator types and processes	Manual, Disabled	1.1.0
Establish procedures for initial authenticator distribution	CMA_0276 - Establish procedures for initial authenticator distribution	Manual, Disabled	1.1.0
Implement parameters for memorized secret verifiers	CMA_0321 - Implement parameters for memorized secret verifiers	Manual, Disabled	1.1.0
Implement training for protecting authenticators	CMA_0329 - Implement training for protecting authenticators	Manual, Disabled	1.1.0
Manage authenticator lifetime and reuse	CMA_0355 - Manage authenticator lifetime and reuse	Manual, Disabled	1.1.0
Manage Authenticators	CMA_C1321 - Manage Authenticators	Manual, Disabled	1.1.0
Protect passwords with encryption	CMA_0408 - Protect passwords with encryption	Manual, Disabled	1.1.0
Refresh authenticators	CMA_0425 - Refresh authenticators	Manual, Disabled	1.1.0
Reissue authenticators for changed groups and accounts	CMA_0426 - Reissue authenticators for changed groups and accounts	Manual, Disabled	1.1.0
Revoke privileged roles as appropriate	CMA_0483 - Revoke privileged roles as appropriate	Manual, Disabled	1.1.0
Terminate customer controlled account credentials	CMA_C1022 - Terminate customer controlled account credentials	Manual, Disabled	1.1.0
Verify identity before distributing authenticators	CMA_0538 - Verify identity before distributing authenticators	Manual, Disabled	1.1.0

Information access restriction

ID: ISO 27001:2013 A.9.4.1 Ownership: Shared

Name (Azure portal)	Description	Effect(s)	Version (GitHub)
Authorize access to security functions and information	CMA_0022 - Authorize access to security functions and information	Manual, Disabled	1.1.0
Authorize and manage access	CMA_0023 - Authorize and manage access	Manual, Disabled	1.1.0
Automate account management	CMA_0026 - Automate account management	Manual, Disabled	1.1.0
Enforce logical access	CMA_0245 - Enforce logical access	Manual, Disabled	1.1.0
Enforce mandatory and discretionary access control policies	CMA_0246 - Enforce mandatory and discretionary access control policies	Manual, Disabled	1.1.0
Limit privileges to make changes in production environment	CMA_C1206 - Limit privileges to make changes in production environment	Manual, Disabled	1.1.0
Manage system and admin accounts	CMA_0368 - Manage system and admin accounts	Manual, Disabled	1.1.0
Monitor access across the organization	CMA_0376 - Monitor access across the organization	Manual, Disabled	1.1.0
Notify when account is not needed	CMA_0383 - Notify when account is not needed	Manual, Disabled	1.1.0
Require approval for account creation	CMA_0431 - Require approval for account creation	Manual, Disabled	1.1.0
Review user groups and applications with access to sensitive data	CMA_0481 - Review user groups and applications with access to sensitive data	Manual, Disabled	1.1.0

Secure log-on procedures

ID: ISO 27001:2013 A.9.4.2 Ownership: Shared

Name (Azure portal)	Description	Effect(s)	Version (GitHub)
Accounts with owner permissions on Azure resources should be MFA enabled	Multi-Factor Authentication (MFA) should be enabled for all subscription accounts with owner permissions to prevent a breach of accounts or resources.	AuditIfNotExists, Disabled	1.0.0
Accounts with read permissions on Azure resources should be MFA enabled	Multi-Factor Authentication (MFA) should be enabled for all subscription accounts with read privileges to prevent a breach of accounts or resources.	AuditIfNotExists, Disabled	1.0.0
Accounts with write permissions on Azure resources should be MFA enabled	Multi-Factor Authentication (MFA) should be enabled for all subscription accounts with write privileges to prevent a breach of accounts or resources.	AuditIfNotExists, Disabled	1.0.0
Adopt biometric authentication mechanisms	CMA_0005 - Adopt biometric authentication mechanisms	Manual, Disabled	1.1.0
Enable detection of network devices	CMA_0220 - Enable detection of network devices	Manual, Disabled	1.1.0
Enforce a limit of consecutive failed login attempts	CMA_C1044 - Enforce a limit of consecutive failed login attempts	Manual, Disabled	1.1.0
Enforce user uniqueness	CMA_0250 - Enforce user uniqueness	Manual, Disabled	1.1.0
Establish electronic signature and certificate requirements	CMA_0271 - Establish electronic signature and certificate requirements	Manual, Disabled	1.1.0
Generate error messages	CMA_C1724 - Generate error messages	Manual, Disabled	1.1.0
Identify actions allowed without authentication	CMA_0295 - Identify actions allowed without authentication	Manual, Disabled	1.1.0
Identify and authenticate non-organizational users	CMA_C1346 - Identify and authenticate non-organizational users	Manual, Disabled	1.1.0
Obscure feedback information during authentication process	CMA_C1344 - Obscure feedback information during authentication process	Manual, Disabled	1.1.0
Reveal error messages	CMA_C1725 - Reveal error messages	Manual, Disabled	1.1.0
Route traffic through managed network access points	CMA_0484 - Route traffic through managed network access points	Manual, Disabled	1.1.0
Set automated notifications for new and trending cloud applications in your organization	CMA_0495 - Set automated notifications for new and trending cloud applications in your organization	Manual, Disabled	1.1.0
Support personal verification credentials issued by legal authorities	CMA_0507 - Support personal verification credentials issued by legal authorities	Manual, Disabled	1.1.0
Terminate user session automatically	CMA_C1054 - Terminate user session automatically	Manual, Disabled	1.1.0

Password management system

ID: ISO 27001:2013 A.9.4.3 Ownership: Shared

Name (Azure portal)	Description	Effect(s)	Version (GitHub)
Add system-assigned managed identity to enable Guest Configuration assignments on virtual machines with no identities	This policy adds a system-assigned managed identity to virtual machines hosted in Azure that are supported by Guest Configuration but do not have any managed identities. A system-assigned managed identity is a prerequisite for all Guest Configuration assignments and must be added to machines before using any Guest Configuration policy definitions. For more information on Guest Configuration, visit https://aka.ms/gcpol.	modify	4.1.0
Add system-assigned managed identity to enable Guest Configuration assignments on VMs with a user-assigned identity	This policy adds a system-assigned managed identity to virtual machines hosted in Azure that are supported by Guest Configuration and have at least one user-assigned identity but do not have a system-assigned managed identity. A system-assigned managed identity is a prerequisite for all Guest Configuration assignments and must be added to machines before using any Guest Configuration policy definitions. For more information on Guest Configuration, visit https://aka.ms/gcpol.	modify	4.1.0
Audit Windows machines that allow re-use of the passwords after the specified number of unique passwords	Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if Windows machines that allow re-use of the passwords after the specified number of unique passwords. Default value for unique passwords is 24	AuditIfNotExists, Disabled	2.1.0
Audit Windows machines that do not have the maximum password age set to specified number of days	Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if Windows machines that do not have the maximum password age set to specified number of days. Default value for maximum password age is 70 days	AuditIfNotExists, Disabled	2.1.0
Audit Windows machines that do not have the minimum password age set to specified number of days	Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if Windows machines that do not have the minimum password age set to specified number of days. Default value for minimum password age is 1 day	AuditIfNotExists, Disabled	2.1.0
Audit Windows machines that do not have the password complexity setting enabled	Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if Windows machines that do not have the password complexity setting enabled	AuditIfNotExists, Disabled	2.0.0
Audit Windows machines that do not restrict the minimum password length to specified number of characters	Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if Windows machines that do not restrict the minimum password length to specified number of characters. Default value for minimum password length is 14 characters	AuditIfNotExists, Disabled	2.1.0
Deploy the Windows Guest Configuration extension to enable Guest Configuration assignments on Windows VMs	This policy deploys the Windows Guest Configuration extension to Windows virtual machines hosted in Azure that are supported by Guest Configuration. The Windows Guest Configuration extension is a prerequisite for all Windows Guest Configuration assignments and must be deployed to machines before using any Windows Guest Configuration policy definition. For more information on Guest Configuration, visit https://aka.ms/gcpol.	deployIfNotExists	1.2.0
Disable authenticators upon termination	CMA_0169 - Disable authenticators upon termination	Manual, Disabled	1.1.0
Document security strength requirements in acquisition contracts	CMA_0203 - Document security strength requirements in acquisition contracts	Manual, Disabled	1.1.0
Establish a password policy	CMA_0256 - Establish a password policy	Manual, Disabled	1.1.0
Establish authenticator types and processes	CMA_0267 - Establish authenticator types and processes	Manual, Disabled	1.1.0
Establish procedures for initial authenticator distribution	CMA_0276 - Establish procedures for initial authenticator distribution	Manual, Disabled	1.1.0
Implement parameters for memorized secret verifiers	CMA_0321 - Implement parameters for memorized secret verifiers	Manual, Disabled	1.1.0
Implement training for protecting authenticators	CMA_0329 - Implement training for protecting authenticators	Manual, Disabled	1.1.0
Manage authenticator lifetime and reuse	CMA_0355 - Manage authenticator lifetime and reuse	Manual, Disabled	1.1.0
Manage Authenticators	CMA_C1321 - Manage Authenticators	Manual, Disabled	1.1.0
Protect passwords with encryption	CMA_0408 - Protect passwords with encryption	Manual, Disabled	1.1.0
Refresh authenticators	CMA_0425 - Refresh authenticators	Manual, Disabled	1.1.0
Reissue authenticators for changed groups and accounts	CMA_0426 - Reissue authenticators for changed groups and accounts	Manual, Disabled	1.1.0
Revoke privileged roles as appropriate	CMA_0483 - Revoke privileged roles as appropriate	Manual, Disabled	1.1.0
Verify identity before distributing authenticators	CMA_0538 - Verify identity before distributing authenticators	Manual, Disabled	1.1.0

Use of privileged utility programs

ID: ISO 27001:2013 A.9.4.4 Ownership: Shared

Name (Azure portal)	Description	Effect(s)	Version (GitHub)
Authorize access to security functions and information	CMA_0022 - Authorize access to security functions and information	Manual, Disabled	1.1.0
Authorize and manage access	CMA_0023 - Authorize and manage access	Manual, Disabled	1.1.0
Design an access control model	CMA_0129 - Design an access control model	Manual, Disabled	1.1.0
Employ least privilege access	CMA_0212 - Employ least privilege access	Manual, Disabled	1.1.0
Enforce logical access	CMA_0245 - Enforce logical access	Manual, Disabled	1.1.0
Enforce mandatory and discretionary access control policies	CMA_0246 - Enforce mandatory and discretionary access control policies	Manual, Disabled	1.1.0
Require approval for account creation	CMA_0431 - Require approval for account creation	Manual, Disabled	1.1.0
Restrict access to privileged accounts	CMA_0446 - Restrict access to privileged accounts	Manual, Disabled	1.1.0
Review user groups and applications with access to sensitive data	CMA_0481 - Review user groups and applications with access to sensitive data	Manual, Disabled	1.1.0

Access control to program source code

ID: ISO 27001:2013 A.9.4.5 Ownership: Shared

Name (Azure portal)	Description	Effect(s)	Version (GitHub)
Authorize access to security functions and information	CMA_0022 - Authorize access to security functions and information	Manual, Disabled	1.1.0
Authorize and manage access	CMA_0023 - Authorize and manage access	Manual, Disabled	1.1.0
Design an access control model	CMA_0129 - Design an access control model	Manual, Disabled	1.1.0
Employ least privilege access	CMA_0212 - Employ least privilege access	Manual, Disabled	1.1.0
Enforce logical access	CMA_0245 - Enforce logical access	Manual, Disabled	1.1.0
Enforce mandatory and discretionary access control policies	CMA_0246 - Enforce mandatory and discretionary access control policies	Manual, Disabled	1.1.0
Establish and document change control processes	CMA_0265 - Establish and document change control processes	Manual, Disabled	1.1.0
Limit privileges to make changes in production environment	CMA_C1206 - Limit privileges to make changes in production environment	Manual, Disabled	1.1.0
Require approval for account creation	CMA_0431 - Require approval for account creation	Manual, Disabled	1.1.0
Review user groups and applications with access to sensitive data	CMA_0481 - Review user groups and applications with access to sensitive data	Manual, Disabled	1.1.0

Improvement

Nonconformity and corrective action

ID: ISO 27001:2013 C.10.1.d Ownership: Shared

Name (Azure portal)	Description	Effect(s)	Version (GitHub)
Update POA&M items	CMA_C1157 - Update POA&M items	Manual, Disabled	1.1.0

Nonconformity and corrective action

ID: ISO 27001:2013 C.10.1.e Ownership: Shared

Name (Azure portal)	Description	Effect(s)	Version (GitHub)
Update POA&M items	CMA_C1157 - Update POA&M items	Manual, Disabled	1.1.0

Nonconformity and corrective action

ID: ISO 27001:2013 C.10.1.f Ownership: Shared

Name (Azure portal)	Description	Effect(s)	Version (GitHub)
Establish configuration management requirements for developers	CMA_0270 - Establish configuration management requirements for developers	Manual, Disabled	1.1.0
Perform audit for configuration change control	CMA_0390 - Perform audit for configuration change control	Manual, Disabled	1.1.0
Update POA&M items	CMA_C1157 - Update POA&M items	Manual, Disabled	1.1.0

Nonconformity and corrective action

ID: ISO 27001:2013 C.10.1.g Ownership: Shared

Name (Azure portal)	Description	Effect(s)	Version (GitHub)
Establish configuration management requirements for developers	CMA_0270 - Establish configuration management requirements for developers	Manual, Disabled	1.1.0
Perform audit for configuration change control	CMA_0390 - Perform audit for configuration change control	Manual, Disabled	1.1.0
Update POA&M items	CMA_C1157 - Update POA&M items	Manual, Disabled	1.1.0

Context of the organization

Determining the scope of the information security management system

ID: ISO 27001:2013 C.4.3.a Ownership: Shared

Name (Azure portal)	Description	Effect(s)	Version (GitHub)
Develop SSP that meets criteria	CMA_C1492 - Develop SSP that meets criteria	Manual, Disabled	1.1.0
Establish an information security program	CMA_0263 - Establish an information security program	Manual, Disabled	1.1.0
Update information security policies	CMA_0518 - Update information security policies	Manual, Disabled	1.1.0

Determining the scope of the information security management system

ID: ISO 27001:2013 C.4.3.b Ownership: Shared

Name (Azure portal)	Description	Effect(s)	Version (GitHub)
Develop SSP that meets criteria	CMA_C1492 - Develop SSP that meets criteria	Manual, Disabled	1.1.0
Establish an information security program	CMA_0263 - Establish an information security program	Manual, Disabled	1.1.0
Update information security policies	CMA_0518 - Update information security policies	Manual, Disabled	1.1.0

Determining the scope of the information security management system

ID: ISO 27001:2013 C.4.3.c Ownership: Shared

Name (Azure portal)	Description	Effect(s)	Version (GitHub)
Align business objectives and IT goals	CMA_0008 - Align business objectives and IT goals	Manual, Disabled	1.1.0
Determine supplier contract obligations	CMA_0140 - Determine supplier contract obligations	Manual, Disabled	1.1.0
Develop SSP that meets criteria	CMA_C1492 - Develop SSP that meets criteria	Manual, Disabled	1.1.0
Document acquisition contract acceptance criteria	CMA_0187 - Document acquisition contract acceptance criteria	Manual, Disabled	1.1.0
Document protection of personal data in acquisition contracts	CMA_0194 - Document protection of personal data in acquisition contracts	Manual, Disabled	1.1.0
Document protection of security information in acquisition contracts	CMA_0195 - Document protection of security information in acquisition contracts	Manual, Disabled	1.1.0
Document requirements for the use of shared data in contracts	CMA_0197 - Document requirements for the use of shared data in contracts	Manual, Disabled	1.1.0
Document security assurance requirements in acquisition contracts	CMA_0199 - Document security assurance requirements in acquisition contracts	Manual, Disabled	1.1.0
Document security documentation requirements in acquisition contract	CMA_0200 - Document security documentation requirements in acquisition contract	Manual, Disabled	1.1.0
Document security functional requirements in acquisition contracts	CMA_0201 - Document security functional requirements in acquisition contracts	Manual, Disabled	1.1.0
Document security strength requirements in acquisition contracts	CMA_0203 - Document security strength requirements in acquisition contracts	Manual, Disabled	1.1.0
Document the information system environment in acquisition contracts	CMA_0205 - Document the information system environment in acquisition contracts	Manual, Disabled	1.1.0
Document the protection of cardholder data in third party contracts	CMA_0207 - Document the protection of cardholder data in third party contracts	Manual, Disabled	1.1.0
Employ business case to record the resources required	CMA_C1735 - Employ business case to record the resources required	Manual, Disabled	1.1.0
Ensure capital planning and investment requests include necessary resources	CMA_C1734 - Ensure capital planning and investment requests include necessary resources	Manual, Disabled	1.1.0
Establish privacy requirements for contractors and service providers	CMA_C1810 - Establish privacy requirements for contractors and service providers	Manual, Disabled	1.1.0
Govern the allocation of resources	CMA_0293 - Govern the allocation of resources	Manual, Disabled	1.1.0
Secure commitment from leadership	CMA_0489 - Secure commitment from leadership	Manual, Disabled	1.1.0

Information security management system

ID: ISO 27001:2013 C.4.4 Ownership: Shared

Name (Azure portal)	Description	Effect(s)	Version (GitHub)
Develop access control policies and procedures	CMA_0144 - Develop access control policies and procedures	Manual, Disabled	1.1.0
Document security and privacy training activities	CMA_0198 - Document security and privacy training activities	Manual, Disabled	1.1.0
Establish a privacy program	CMA_0257 - Establish a privacy program	Manual, Disabled	1.1.0
Govern policies and procedures	CMA_0292 - Govern policies and procedures	Manual, Disabled	1.1.0
Update privacy plan, policies, and procedures	CMA_C1807 - Update privacy plan, policies, and procedures	Manual, Disabled	1.1.0

Leadership

Leadership and commitment

ID: ISO 27001:2013 C.5.1.a Ownership: Shared

Name (Azure portal)	Description	Effect(s)	Version (GitHub)
Appoint a senior information security officer	CMA_C1733 - Appoint a senior information security officer	Manual, Disabled	1.1.0
Develop access control policies and procedures	CMA_0144 - Develop access control policies and procedures	Manual, Disabled	1.1.0
Document security and privacy training activities	CMA_0198 - Document security and privacy training activities	Manual, Disabled	1.1.0
Establish a privacy program	CMA_0257 - Establish a privacy program	Manual, Disabled	1.1.0
Govern policies and procedures	CMA_0292 - Govern policies and procedures	Manual, Disabled	1.1.0
Update privacy plan, policies, and procedures	CMA_C1807 - Update privacy plan, policies, and procedures	Manual, Disabled	1.1.0

Leadership and commitment

ID: ISO 27001:2013 C.5.1.b Ownership: Shared

Name (Azure portal)	Description	Effect(s)	Version (GitHub)
Appoint a senior information security officer	CMA_C1733 - Appoint a senior information security officer	Manual, Disabled	1.1.0
Develop access control policies and procedures	CMA_0144 - Develop access control policies and procedures	Manual, Disabled	1.1.0
Develop audit and accountability policies and procedures	CMA_0154 - Develop audit and accountability policies and procedures	Manual, Disabled	1.1.0
Develop information security policies and procedures	CMA_0158 - Develop information security policies and procedures	Manual, Disabled	1.1.0
Document security and privacy training activities	CMA_0198 - Document security and privacy training activities	Manual, Disabled	1.1.0
Establish a privacy program	CMA_0257 - Establish a privacy program	Manual, Disabled	1.1.0
Establish an information security program	CMA_0263 - Establish an information security program	Manual, Disabled	1.1.0
Establish and document change control processes	CMA_0265 - Establish and document change control processes	Manual, Disabled	1.1.0
Establish configuration management requirements for developers	CMA_0270 - Establish configuration management requirements for developers	Manual, Disabled	1.1.0
Govern policies and procedures	CMA_0292 - Govern policies and procedures	Manual, Disabled	1.1.0
Perform audit for configuration change control	CMA_0390 - Perform audit for configuration change control	Manual, Disabled	1.1.0
Review access control policies and procedures	CMA_0457 - Review access control policies and procedures	Manual, Disabled	1.1.0
Review and update configuration management policies and procedures	CMA_C1175 - Review and update configuration management policies and procedures	Manual, Disabled	1.1.0
Review and update contingency planning policies and procedures	CMA_C1243 - Review and update contingency planning policies and procedures	Manual, Disabled	1.1.0
Review and update identification and authentication policies and procedures	CMA_C1299 - Review and update identification and authentication policies and procedures	Manual, Disabled	1.1.0
Review and update incident response policies and procedures	CMA_C1352 - Review and update incident response policies and procedures	Manual, Disabled	1.1.0
Review and update information integrity policies and procedures	CMA_C1667 - Review and update information integrity policies and procedures	Manual, Disabled	1.1.0
Review and update media protection policies and procedures	CMA_C1427 - Review and update media protection policies and procedures	Manual, Disabled	1.1.0
Review and update personnel security policies and procedures	CMA_C1507 - Review and update personnel security policies and procedures	Manual, Disabled	1.1.0
Review and update physical and environmental policies and procedures	CMA_C1446 - Review and update physical and environmental policies and procedures	Manual, Disabled	1.1.0
Review and update planning policies and procedures	CMA_C1491 - Review and update planning policies and procedures	Manual, Disabled	1.1.0
Review and update risk assessment policies and procedures	CMA_C1537 - Review and update risk assessment policies and procedures	Manual, Disabled	1.1.0
Review and update system and communications protection policies and procedures	CMA_C1616 - Review and update system and communications protection policies and procedures	Manual, Disabled	1.1.0
Review and update system and services acquisition policies and procedures	CMA_C1560 - Review and update system and services acquisition policies and procedures	Manual, Disabled	1.1.0
Review and update system maintenance policies and procedures	CMA_C1395 - Review and update system maintenance policies and procedures	Manual, Disabled	1.1.0
Review security assessment and authorization policies and procedures	CMA_C1143 - Review security assessment and authorization policies and procedures	Manual, Disabled	1.1.0
Update information security policies	CMA_0518 - Update information security policies	Manual, Disabled	1.1.0
Update privacy plan, policies, and procedures	CMA_C1807 - Update privacy plan, policies, and procedures	Manual, Disabled	1.1.0

Leadership and commitment

ID: ISO 27001:2013 C.5.1.c Ownership: Shared

Name (Azure portal)	Description	Effect(s)	Version (GitHub)
Align business objectives and IT goals	CMA_0008 - Align business objectives and IT goals	Manual, Disabled	1.1.0
Allocate resources in determining information system requirements	CMA_C1561 - Allocate resources in determining information system requirements	Manual, Disabled	1.1.0
Appoint a senior information security officer	CMA_C1733 - Appoint a senior information security officer	Manual, Disabled	1.1.0
Employ business case to record the resources required	CMA_C1735 - Employ business case to record the resources required	Manual, Disabled	1.1.0
Ensure capital planning and investment requests include necessary resources	CMA_C1734 - Ensure capital planning and investment requests include necessary resources	Manual, Disabled	1.1.0
Ensure privacy program information is publicly available	CMA_C1867 - Ensure privacy program information is publicly available	Manual, Disabled	1.1.0
Establish a discrete line item in budgeting documentation	CMA_C1563 - Establish a discrete line item in budgeting documentation	Manual, Disabled	1.1.0
Establish a privacy program	CMA_0257 - Establish a privacy program	Manual, Disabled	1.1.0
Govern the allocation of resources	CMA_0293 - Govern the allocation of resources	Manual, Disabled	1.1.0
Secure commitment from leadership	CMA_0489 - Secure commitment from leadership	Manual, Disabled	1.1.0

Leadership and commitment

ID: ISO 27001:2013 C.5.1.d Ownership: Shared

Name (Azure portal)	Description	Effect(s)	Version (GitHub)
Appoint a senior information security officer	CMA_C1733 - Appoint a senior information security officer	Manual, Disabled	1.1.0

Leadership and commitment

ID: ISO 27001:2013 C.5.1.e Ownership: Shared

Name (Azure portal)	Description	Effect(s)	Version (GitHub)
Appoint a senior information security officer	CMA_C1733 - Appoint a senior information security officer	Manual, Disabled	1.1.0
Define performance metrics	CMA_0124 - Define performance metrics	Manual, Disabled	1.1.0
Establish an information security program	CMA_0263 - Establish an information security program	Manual, Disabled	1.1.0

Leadership and commitment

ID: ISO 27001:2013 C.5.1.f Ownership: Shared

Name (Azure portal)	Description	Effect(s)	Version (GitHub)
Align business objectives and IT goals	CMA_0008 - Align business objectives and IT goals	Manual, Disabled	1.1.0
Allocate resources in determining information system requirements	CMA_C1561 - Allocate resources in determining information system requirements	Manual, Disabled	1.1.0
Appoint a senior information security officer	CMA_C1733 - Appoint a senior information security officer	Manual, Disabled	1.1.0
Employ business case to record the resources required	CMA_C1735 - Employ business case to record the resources required	Manual, Disabled	1.1.0
Ensure capital planning and investment requests include necessary resources	CMA_C1734 - Ensure capital planning and investment requests include necessary resources	Manual, Disabled	1.1.0
Establish a discrete line item in budgeting documentation	CMA_C1563 - Establish a discrete line item in budgeting documentation	Manual, Disabled	1.1.0
Establish a privacy program	CMA_0257 - Establish a privacy program	Manual, Disabled	1.1.0
Govern the allocation of resources	CMA_0293 - Govern the allocation of resources	Manual, Disabled	1.1.0
Secure commitment from leadership	CMA_0489 - Secure commitment from leadership	Manual, Disabled	1.1.0

Leadership and commitment

ID: ISO 27001:2013 C.5.1.g Ownership: Shared

Name (Azure portal)	Description	Effect(s)	Version (GitHub)
Appoint a senior information security officer	CMA_C1733 - Appoint a senior information security officer	Manual, Disabled	1.1.0
Define performance metrics	CMA_0124 - Define performance metrics	Manual, Disabled	1.1.0
Establish an information security program	CMA_0263 - Establish an information security program	Manual, Disabled	1.1.0

Leadership and commitment

ID: ISO 27001:2013 C.5.1.h Ownership: Shared

Name (Azure portal)	Description	Effect(s)	Version (GitHub)
Appoint a senior information security officer	CMA_C1733 - Appoint a senior information security officer	Manual, Disabled	1.1.0

Policy

ID: ISO 27001:2013 C.5.2.a Ownership: Shared

Name (Azure portal)	Description	Effect(s)	Version (GitHub)
Develop access control policies and procedures	CMA_0144 - Develop access control policies and procedures	Manual, Disabled	1.1.0
Document security and privacy training activities	CMA_0198 - Document security and privacy training activities	Manual, Disabled	1.1.0
Govern policies and procedures	CMA_0292 - Govern policies and procedures	Manual, Disabled	1.1.0
Update privacy plan, policies, and procedures	CMA_C1807 - Update privacy plan, policies, and procedures	Manual, Disabled	1.1.0

Policy

ID: ISO 27001:2013 C.5.2.b Ownership: Shared

Name (Azure portal)	Description	Effect(s)	Version (GitHub)
Develop access control policies and procedures	CMA_0144 - Develop access control policies and procedures	Manual, Disabled	1.1.0
Document security and privacy training activities	CMA_0198 - Document security and privacy training activities	Manual, Disabled	1.1.0
Govern policies and procedures	CMA_0292 - Govern policies and procedures	Manual, Disabled	1.1.0
Update privacy plan, policies, and procedures	CMA_C1807 - Update privacy plan, policies, and procedures	Manual, Disabled	1.1.0

Policy

ID: ISO 27001:2013 C.5.2.c Ownership: Shared

Name (Azure portal)	Description	Effect(s)	Version (GitHub)
Develop access control policies and procedures	CMA_0144 - Develop access control policies and procedures	Manual, Disabled	1.1.0
Develop audit and accountability policies and procedures	CMA_0154 - Develop audit and accountability policies and procedures	Manual, Disabled	1.1.0
Develop information security policies and procedures	CMA_0158 - Develop information security policies and procedures	Manual, Disabled	1.1.0
Document security and privacy training activities	CMA_0198 - Document security and privacy training activities	Manual, Disabled	1.1.0
Establish an information security program	CMA_0263 - Establish an information security program	Manual, Disabled	1.1.0
Govern policies and procedures	CMA_0292 - Govern policies and procedures	Manual, Disabled	1.1.0
Review access control policies and procedures	CMA_0457 - Review access control policies and procedures	Manual, Disabled	1.1.0
Review and update configuration management policies and procedures	CMA_C1175 - Review and update configuration management policies and procedures	Manual, Disabled	1.1.0
Review and update contingency planning policies and procedures	CMA_C1243 - Review and update contingency planning policies and procedures	Manual, Disabled	1.1.0
Review and update identification and authentication policies and procedures	CMA_C1299 - Review and update identification and authentication policies and procedures	Manual, Disabled	1.1.0
Review and update incident response policies and procedures	CMA_C1352 - Review and update incident response policies and procedures	Manual, Disabled	1.1.0
Review and update information integrity policies and procedures	CMA_C1667 - Review and update information integrity policies and procedures	Manual, Disabled	1.1.0
Review and update media protection policies and procedures	CMA_C1427 - Review and update media protection policies and procedures	Manual, Disabled	1.1.0
Review and update personnel security policies and procedures	CMA_C1507 - Review and update personnel security policies and procedures	Manual, Disabled	1.1.0
Review and update physical and environmental policies and procedures	CMA_C1446 - Review and update physical and environmental policies and procedures	Manual, Disabled	1.1.0
Review and update planning policies and procedures	CMA_C1491 - Review and update planning policies and procedures	Manual, Disabled	1.1.0
Review and update risk assessment policies and procedures	CMA_C1537 - Review and update risk assessment policies and procedures	Manual, Disabled	1.1.0
Review and update system and communications protection policies and procedures	CMA_C1616 - Review and update system and communications protection policies and procedures	Manual, Disabled	1.1.0
Review and update system and services acquisition policies and procedures	CMA_C1560 - Review and update system and services acquisition policies and procedures	Manual, Disabled	1.1.0
Review and update system maintenance policies and procedures	CMA_C1395 - Review and update system maintenance policies and procedures	Manual, Disabled	1.1.0
Review security assessment and authorization policies and procedures	CMA_C1143 - Review security assessment and authorization policies and procedures	Manual, Disabled	1.1.0
Update information security policies	CMA_0518 - Update information security policies	Manual, Disabled	1.1.0
Update privacy plan, policies, and procedures	CMA_C1807 - Update privacy plan, policies, and procedures	Manual, Disabled	1.1.0

Policy

ID: ISO 27001:2013 C.5.2.d Ownership: Shared

Name (Azure portal)	Description	Effect(s)	Version (GitHub)
Develop access control policies and procedures	CMA_0144 - Develop access control policies and procedures	Manual, Disabled	1.1.0
Develop audit and accountability policies and procedures	CMA_0154 - Develop audit and accountability policies and procedures	Manual, Disabled	1.1.0
Develop information security policies and procedures	CMA_0158 - Develop information security policies and procedures	Manual, Disabled	1.1.0
Document security and privacy training activities	CMA_0198 - Document security and privacy training activities	Manual, Disabled	1.1.0
Establish an information security program	CMA_0263 - Establish an information security program	Manual, Disabled	1.1.0
Govern policies and procedures	CMA_0292 - Govern policies and procedures	Manual, Disabled	1.1.0
Review access control policies and procedures	CMA_0457 - Review access control policies and procedures	Manual, Disabled	1.1.0
Review and update configuration management policies and procedures	CMA_C1175 - Review and update configuration management policies and procedures	Manual, Disabled	1.1.0
Review and update contingency planning policies and procedures	CMA_C1243 - Review and update contingency planning policies and procedures	Manual, Disabled	1.1.0
Review and update identification and authentication policies and procedures	CMA_C1299 - Review and update identification and authentication policies and procedures	Manual, Disabled	1.1.0
Review and update incident response policies and procedures	CMA_C1352 - Review and update incident response policies and procedures	Manual, Disabled	1.1.0
Review and update information integrity policies and procedures	CMA_C1667 - Review and update information integrity policies and procedures	Manual, Disabled	1.1.0
Review and update media protection policies and procedures	CMA_C1427 - Review and update media protection policies and procedures	Manual, Disabled	1.1.0
Review and update personnel security policies and procedures	CMA_C1507 - Review and update personnel security policies and procedures	Manual, Disabled	1.1.0
Review and update physical and environmental policies and procedures	CMA_C1446 - Review and update physical and environmental policies and procedures	Manual, Disabled	1.1.0
Review and update planning policies and procedures	CMA_C1491 - Review and update planning policies and procedures	Manual, Disabled	1.1.0
Review and update risk assessment policies and procedures	CMA_C1537 - Review and update risk assessment policies and procedures	Manual, Disabled	1.1.0
Review and update system and communications protection policies and procedures	CMA_C1616 - Review and update system and communications protection policies and procedures	Manual, Disabled	1.1.0
Review and update system and services acquisition policies and procedures	CMA_C1560 - Review and update system and services acquisition policies and procedures	Manual, Disabled	1.1.0
Review and update system maintenance policies and procedures	CMA_C1395 - Review and update system maintenance policies and procedures	Manual, Disabled	1.1.0
Review security assessment and authorization policies and procedures	CMA_C1143 - Review security assessment and authorization policies and procedures	Manual, Disabled	1.1.0
Update information security policies	CMA_0518 - Update information security policies	Manual, Disabled	1.1.0
Update privacy plan, policies, and procedures	CMA_C1807 - Update privacy plan, policies, and procedures	Manual, Disabled	1.1.0

Policy

ID: ISO 27001:2013 C.5.2.e Ownership: Shared

Name (Azure portal)	Description	Effect(s)	Version (GitHub)
Develop access control policies and procedures	CMA_0144 - Develop access control policies and procedures	Manual, Disabled	1.1.0
Document security and privacy training activities	CMA_0198 - Document security and privacy training activities	Manual, Disabled	1.1.0
Govern policies and procedures	CMA_0292 - Govern policies and procedures	Manual, Disabled	1.1.0
Update privacy plan, policies, and procedures	CMA_C1807 - Update privacy plan, policies, and procedures	Manual, Disabled	1.1.0

Policy

ID: ISO 27001:2013 C.5.2.f Ownership: Shared

Name (Azure portal)	Description	Effect(s)	Version (GitHub)
Develop access control policies and procedures	CMA_0144 - Develop access control policies and procedures	Manual, Disabled	1.1.0
Document security and privacy training activities	CMA_0198 - Document security and privacy training activities	Manual, Disabled	1.1.0
Govern policies and procedures	CMA_0292 - Govern policies and procedures	Manual, Disabled	1.1.0
Update privacy plan, policies, and procedures	CMA_C1807 - Update privacy plan, policies, and procedures	Manual, Disabled	1.1.0

Policy

ID: ISO 27001:2013 C.5.2.g Ownership: Shared

Name (Azure portal)	Description	Effect(s)	Version (GitHub)
Update privacy plan, policies, and procedures	CMA_C1807 - Update privacy plan, policies, and procedures	Manual, Disabled	1.1.0

Organizational roles, responsibilities and authorities

ID: ISO 27001:2013 C.5.3.b Ownership: Shared

Name (Azure portal)	Description	Effect(s)	Version (GitHub)
Define performance metrics	CMA_0124 - Define performance metrics	Manual, Disabled	1.1.0
Establish an information security program	CMA_0263 - Establish an information security program	Manual, Disabled	1.1.0

Planning

General

ID: ISO 27001:2013 C.6.1.1.a Ownership: Shared

Name (Azure portal)	Description	Effect(s)	Version (GitHub)
Develop POA&M	CMA_C1156 - Develop POA&M	Manual, Disabled	1.1.0
Establish a risk management strategy	CMA_0258 - Establish a risk management strategy	Manual, Disabled	1.1.0
Implement the risk management strategy	CMA_C1744 - Implement the risk management strategy	Manual, Disabled	1.1.0

General

ID: ISO 27001:2013 C.6.1.1.b Ownership: Shared

Name (Azure portal)	Description	Effect(s)	Version (GitHub)
Develop POA&M	CMA_C1156 - Develop POA&M	Manual, Disabled	1.1.0
Establish a risk management strategy	CMA_0258 - Establish a risk management strategy	Manual, Disabled	1.1.0
Implement the risk management strategy	CMA_C1744 - Implement the risk management strategy	Manual, Disabled	1.1.0

General

ID: ISO 27001:2013 C.6.1.1.c Ownership: Shared

Name (Azure portal)	Description	Effect(s)	Version (GitHub)
Develop POA&M	CMA_C1156 - Develop POA&M	Manual, Disabled	1.1.0
Establish a risk management strategy	CMA_0258 - Establish a risk management strategy	Manual, Disabled	1.1.0
Implement the risk management strategy	CMA_C1744 - Implement the risk management strategy	Manual, Disabled	1.1.0

General

ID: ISO 27001:2013 C.6.1.1.d Ownership: Shared

Name (Azure portal)	Description	Effect(s)	Version (GitHub)
Develop POA&M	CMA_C1156 - Develop POA&M	Manual, Disabled	1.1.0
Establish a risk management strategy	CMA_0258 - Establish a risk management strategy	Manual, Disabled	1.1.0
Implement the risk management strategy	CMA_C1744 - Implement the risk management strategy	Manual, Disabled	1.1.0

General

ID: ISO 27001:2013 C.6.1.1.e.1 Ownership: Shared

Name (Azure portal)	Description	Effect(s)	Version (GitHub)
Develop POA&M	CMA_C1156 - Develop POA&M	Manual, Disabled	1.1.0
Establish a risk management strategy	CMA_0258 - Establish a risk management strategy	Manual, Disabled	1.1.0
Implement the risk management strategy	CMA_C1744 - Implement the risk management strategy	Manual, Disabled	1.1.0

General

ID: ISO 27001:2013 C.6.1.1.e.2 Ownership: Shared

Name (Azure portal)	Description	Effect(s)	Version (GitHub)
Establish a risk management strategy	CMA_0258 - Establish a risk management strategy	Manual, Disabled	1.1.0
Implement the risk management strategy	CMA_C1744 - Implement the risk management strategy	Manual, Disabled	1.1.0
Update POA&M items	CMA_C1157 - Update POA&M items	Manual, Disabled	1.1.0

Information security risk assessment

ID: ISO 27001:2013 C.6.1.2.a.1 Ownership: Shared

Name (Azure portal)	Description	Effect(s)	Version (GitHub)
Establish a risk management strategy	CMA_0258 - Establish a risk management strategy	Manual, Disabled	1.1.0
Implement the risk management strategy	CMA_C1744 - Implement the risk management strategy	Manual, Disabled	1.1.0

Information security risk assessment

ID: ISO 27001:2013 C.6.1.2.a.2 Ownership: Shared

Name (Azure portal)	Description	Effect(s)	Version (GitHub)
Establish a risk management strategy	CMA_0258 - Establish a risk management strategy	Manual, Disabled	1.1.0
Implement the risk management strategy	CMA_C1744 - Implement the risk management strategy	Manual, Disabled	1.1.0

Information security risk assessment

ID: ISO 27001:2013 C.6.1.2.b Ownership: Shared

Name (Azure portal)	Description	Effect(s)	Version (GitHub)
Implement the risk management strategy	CMA_C1744 - Implement the risk management strategy	Manual, Disabled	1.1.0

Information security risk assessment

ID: ISO 27001:2013 C.6.1.2.c.1 Ownership: Shared

Name (Azure portal)	Description	Effect(s)	Version (GitHub)
Implement the risk management strategy	CMA_C1744 - Implement the risk management strategy	Manual, Disabled	1.1.0
Perform a risk assessment	CMA_0388 - Perform a risk assessment	Manual, Disabled	1.1.0

Information security risk assessment

ID: ISO 27001:2013 C.6.1.2.c.2 Ownership: Shared

Name (Azure portal)	Description	Effect(s)	Version (GitHub)
Implement the risk management strategy	CMA_C1744 - Implement the risk management strategy	Manual, Disabled	1.1.0
Perform a risk assessment	CMA_0388 - Perform a risk assessment	Manual, Disabled	1.1.0

Information security risk assessment

ID: ISO 27001:2013 C.6.1.2.d.1 Ownership: Shared

Name (Azure portal)	Description	Effect(s)	Version (GitHub)
Implement the risk management strategy	CMA_C1744 - Implement the risk management strategy	Manual, Disabled	1.1.0
Perform a risk assessment	CMA_0388 - Perform a risk assessment	Manual, Disabled	1.1.0

Information security risk assessment

ID: ISO 27001:2013 C.6.1.2.d.2 Ownership: Shared

Name (Azure portal)	Description	Effect(s)	Version (GitHub)
Implement the risk management strategy	CMA_C1744 - Implement the risk management strategy	Manual, Disabled	1.1.0
Perform a risk assessment	CMA_0388 - Perform a risk assessment	Manual, Disabled	1.1.0

Information security risk assessment

ID: ISO 27001:2013 C.6.1.2.d.3 Ownership: Shared

Name (Azure portal)	Description	Effect(s)	Version (GitHub)
Implement the risk management strategy	CMA_C1744 - Implement the risk management strategy	Manual, Disabled	1.1.0
Perform a risk assessment	CMA_0388 - Perform a risk assessment	Manual, Disabled	1.1.0

Information security risk assessment

ID: ISO 27001:2013 C.6.1.2.e.1 Ownership: Shared

Name (Azure portal)	Description	Effect(s)	Version (GitHub)
Implement the risk management strategy	CMA_C1744 - Implement the risk management strategy	Manual, Disabled	1.1.0
Perform a risk assessment	CMA_0388 - Perform a risk assessment	Manual, Disabled	1.1.0

Information security risk assessment

ID: ISO 27001:2013 C.6.1.2.e.2 Ownership: Shared

Name (Azure portal)	Description	Effect(s)	Version (GitHub)
Implement the risk management strategy	CMA_C1744 - Implement the risk management strategy	Manual, Disabled	1.1.0
Perform a risk assessment	CMA_0388 - Perform a risk assessment	Manual, Disabled	1.1.0

Information security risk treatment

ID: ISO 27001:2013 C.6.1.3.a Ownership: Shared

Name (Azure portal)	Description	Effect(s)	Version (GitHub)
Develop POA&M	CMA_C1156 - Develop POA&M	Manual, Disabled	1.1.0

Information security risk treatment

ID: ISO 27001:2013 C.6.1.3.b Ownership: Shared

Name (Azure portal)	Description	Effect(s)	Version (GitHub)
Develop POA&M	CMA_C1156 - Develop POA&M	Manual, Disabled	1.1.0

Information security risk treatment

ID: ISO 27001:2013 C.6.1.3.c Ownership: Shared

Name (Azure portal)	Description	Effect(s)	Version (GitHub)
Develop POA&M	CMA_C1156 - Develop POA&M	Manual, Disabled	1.1.0

Information security risk treatment

ID: ISO 27001:2013 C.6.1.3.d Ownership: Shared

Name (Azure portal)	Description	Effect(s)	Version (GitHub)
Develop SSP that meets criteria	CMA_C1492 - Develop SSP that meets criteria	Manual, Disabled	1.1.0

Information security risk treatment

ID: ISO 27001:2013 C.6.1.3.e Ownership: Shared

Name (Azure portal)	Description	Effect(s)	Version (GitHub)
Develop POA&M	CMA_C1156 - Develop POA&M	Manual, Disabled	1.1.0

Information security risk treatment

ID: ISO 27001:2013 C.6.1.3.f Ownership: Shared

Name (Azure portal)	Description	Effect(s)	Version (GitHub)
Develop POA&M	CMA_C1156 - Develop POA&M	Manual, Disabled	1.1.0

Information security objectives and planning to achieve them

ID: ISO 27001:2013 C.6.2.e Ownership: Shared

Name (Azure portal)	Description	Effect(s)	Version (GitHub)
Establish an information security program	CMA_0263 - Establish an information security program	Manual, Disabled	1.1.0
Update information security policies	CMA_0518 - Update information security policies	Manual, Disabled	1.1.0

Support

Resources

ID: ISO 27001:2013 C.7.1 Ownership: Shared

Name (Azure portal)	Description	Effect(s)	Version (GitHub)
Align business objectives and IT goals	CMA_0008 - Align business objectives and IT goals	Manual, Disabled	1.1.0
Allocate resources in determining information system requirements	CMA_C1561 - Allocate resources in determining information system requirements	Manual, Disabled	1.1.0
Employ business case to record the resources required	CMA_C1735 - Employ business case to record the resources required	Manual, Disabled	1.1.0
Ensure capital planning and investment requests include necessary resources	CMA_C1734 - Ensure capital planning and investment requests include necessary resources	Manual, Disabled	1.1.0
Establish a discrete line item in budgeting documentation	CMA_C1563 - Establish a discrete line item in budgeting documentation	Manual, Disabled	1.1.0
Govern the allocation of resources	CMA_0293 - Govern the allocation of resources	Manual, Disabled	1.1.0
Secure commitment from leadership	CMA_0489 - Secure commitment from leadership	Manual, Disabled	1.1.0

Competence

ID: ISO 27001:2013 C.7.2.a Ownership: Shared

Name (Azure portal)	Description	Effect(s)	Version (GitHub)
Document personnel acceptance of privacy requirements	CMA_0193 - Document personnel acceptance of privacy requirements	Manual, Disabled	1.1.0
Monitor security and privacy training completion	CMA_0379 - Monitor security and privacy training completion	Manual, Disabled	1.1.0
Provide privacy training	CMA_0415 - Provide privacy training	Manual, Disabled	1.1.0

Competence

ID: ISO 27001:2013 C.7.2.b Ownership: Shared

Name (Azure portal)	Description	Effect(s)	Version (GitHub)
Monitor security and privacy training completion	CMA_0379 - Monitor security and privacy training completion	Manual, Disabled	1.1.0

Competence

ID: ISO 27001:2013 C.7.2.c Ownership: Shared

Name (Azure portal)	Description	Effect(s)	Version (GitHub)
Monitor security and privacy training completion	CMA_0379 - Monitor security and privacy training completion	Manual, Disabled	1.1.0

Competence

ID: ISO 27001:2013 C.7.2.d Ownership: Shared

Name (Azure portal)	Description	Effect(s)	Version (GitHub)
Retain training records	CMA_0456 - Retain training records	Manual, Disabled	1.1.0

Awareness

ID: ISO 27001:2013 C.7.3.a Ownership: Shared

Name (Azure portal)	Description	Effect(s)	Version (GitHub)
Develop acceptable use policies and procedures	CMA_0143 - Develop acceptable use policies and procedures	Manual, Disabled	1.1.0
Enforce rules of behavior and access agreements	CMA_0248 - Enforce rules of behavior and access agreements	Manual, Disabled	1.1.0
Provide privacy training	CMA_0415 - Provide privacy training	Manual, Disabled	1.1.0

Awareness

ID: ISO 27001:2013 C.7.3.b Ownership: Shared

Name (Azure portal)	Description	Effect(s)	Version (GitHub)
Develop acceptable use policies and procedures	CMA_0143 - Develop acceptable use policies and procedures	Manual, Disabled	1.1.0
Enforce rules of behavior and access agreements	CMA_0248 - Enforce rules of behavior and access agreements	Manual, Disabled	1.1.0
Provide privacy training	CMA_0415 - Provide privacy training	Manual, Disabled	1.1.0

Awareness

ID: ISO 27001:2013 C.7.3.c Ownership: Shared

Name (Azure portal)	Description	Effect(s)	Version (GitHub)
Develop acceptable use policies and procedures	CMA_0143 - Develop acceptable use policies and procedures	Manual, Disabled	1.1.0
Enforce rules of behavior and access agreements	CMA_0248 - Enforce rules of behavior and access agreements	Manual, Disabled	1.1.0
Provide privacy training	CMA_0415 - Provide privacy training	Manual, Disabled	1.1.0

Communication

ID: ISO 27001:2013 C.7.4.a Ownership: Shared

Name (Azure portal)	Description	Effect(s)	Version (GitHub)
Designate authorized personnel to post publicly accessible information	CMA_C1083 - Designate authorized personnel to post publicly accessible information	Manual, Disabled	1.1.0
Develop and establish a system security plan	CMA_0151 - Develop and establish a system security plan	Manual, Disabled	1.1.0
Establish security requirements for the manufacturing of connected devices	CMA_0279 - Establish security requirements for the manufacturing of connected devices	Manual, Disabled	1.1.0
Implement security engineering principles of information systems	CMA_0325 - Implement security engineering principles of information systems	Manual, Disabled	1.1.0

Communication

ID: ISO 27001:2013 C.7.4.b Ownership: Shared

Name (Azure portal)	Description	Effect(s)	Version (GitHub)
Designate authorized personnel to post publicly accessible information	CMA_C1083 - Designate authorized personnel to post publicly accessible information	Manual, Disabled	1.1.0
Develop and establish a system security plan	CMA_0151 - Develop and establish a system security plan	Manual, Disabled	1.1.0
Establish security requirements for the manufacturing of connected devices	CMA_0279 - Establish security requirements for the manufacturing of connected devices	Manual, Disabled	1.1.0
Implement security engineering principles of information systems	CMA_0325 - Implement security engineering principles of information systems	Manual, Disabled	1.1.0

Communication

ID: ISO 27001:2013 C.7.4.c Ownership: Shared

Name (Azure portal)	Description	Effect(s)	Version (GitHub)
Designate authorized personnel to post publicly accessible information	CMA_C1083 - Designate authorized personnel to post publicly accessible information	Manual, Disabled	1.1.0
Develop and establish a system security plan	CMA_0151 - Develop and establish a system security plan	Manual, Disabled	1.1.0
Establish security requirements for the manufacturing of connected devices	CMA_0279 - Establish security requirements for the manufacturing of connected devices	Manual, Disabled	1.1.0
Implement security engineering principles of information systems	CMA_0325 - Implement security engineering principles of information systems	Manual, Disabled	1.1.0

Communication

ID: ISO 27001:2013 C.7.4.d Ownership: Shared

Name (Azure portal)	Description	Effect(s)	Version (GitHub)
Designate authorized personnel to post publicly accessible information	CMA_C1083 - Designate authorized personnel to post publicly accessible information	Manual, Disabled	1.1.0
Develop and establish a system security plan	CMA_0151 - Develop and establish a system security plan	Manual, Disabled	1.1.0
Establish security requirements for the manufacturing of connected devices	CMA_0279 - Establish security requirements for the manufacturing of connected devices	Manual, Disabled	1.1.0
Implement security engineering principles of information systems	CMA_0325 - Implement security engineering principles of information systems	Manual, Disabled	1.1.0

Communication

ID: ISO 27001:2013 C.7.4.e Ownership: Shared

Name (Azure portal)	Description	Effect(s)	Version (GitHub)
Designate authorized personnel to post publicly accessible information	CMA_C1083 - Designate authorized personnel to post publicly accessible information	Manual, Disabled	1.1.0
Develop and establish a system security plan	CMA_0151 - Develop and establish a system security plan	Manual, Disabled	1.1.0
Establish security requirements for the manufacturing of connected devices	CMA_0279 - Establish security requirements for the manufacturing of connected devices	Manual, Disabled	1.1.0
Implement security engineering principles of information systems	CMA_0325 - Implement security engineering principles of information systems	Manual, Disabled	1.1.0

Creating and updating

ID: ISO 27001:2013 C.7.5.2.c Ownership: Shared

Name (Azure portal)	Description	Effect(s)	Version (GitHub)
Develop SSP that meets criteria	CMA_C1492 - Develop SSP that meets criteria	Manual, Disabled	1.1.0

Control of documented information

ID: ISO 27001:2013 C.7.5.3.a Ownership: Shared

Name (Azure portal)	Description	Effect(s)	Version (GitHub)
Review and update planning policies and procedures	CMA_C1491 - Review and update planning policies and procedures	Manual, Disabled	1.1.0

Control of documented information

ID: ISO 27001:2013 C.7.5.3.b Ownership: Shared

Name (Azure portal)	Description	Effect(s)	Version (GitHub)
Develop and establish a system security plan	CMA_0151 - Develop and establish a system security plan	Manual, Disabled	1.1.0
Establish security requirements for the manufacturing of connected devices	CMA_0279 - Establish security requirements for the manufacturing of connected devices	Manual, Disabled	1.1.0
Implement security engineering principles of information systems	CMA_0325 - Implement security engineering principles of information systems	Manual, Disabled	1.1.0

Control of documented information

ID: ISO 27001:2013 C.7.5.3.c Ownership: Shared

Name (Azure portal)	Description	Effect(s)	Version (GitHub)
Review and update planning policies and procedures	CMA_C1491 - Review and update planning policies and procedures	Manual, Disabled	1.1.0

Control of documented information

ID: ISO 27001:2013 C.7.5.3.d Ownership: Shared

Name (Azure portal)	Description	Effect(s)	Version (GitHub)
Develop and establish a system security plan	CMA_0151 - Develop and establish a system security plan	Manual, Disabled	1.1.0
Establish security requirements for the manufacturing of connected devices	CMA_0279 - Establish security requirements for the manufacturing of connected devices	Manual, Disabled	1.1.0
Implement security engineering principles of information systems	CMA_0325 - Implement security engineering principles of information systems	Manual, Disabled	1.1.0

Control of documented information

ID: ISO 27001:2013 C.7.5.3.e Ownership: Shared

Name (Azure portal)	Description	Effect(s)	Version (GitHub)
Develop and establish a system security plan	CMA_0151 - Develop and establish a system security plan	Manual, Disabled	1.1.0
Establish security requirements for the manufacturing of connected devices	CMA_0279 - Establish security requirements for the manufacturing of connected devices	Manual, Disabled	1.1.0
Implement security engineering principles of information systems	CMA_0325 - Implement security engineering principles of information systems	Manual, Disabled	1.1.0

Control of documented information

ID: ISO 27001:2013 C.7.5.3.f Ownership: Shared

Name (Azure portal)	Description	Effect(s)	Version (GitHub)
Develop and establish a system security plan	CMA_0151 - Develop and establish a system security plan	Manual, Disabled	1.1.0
Establish and document change control processes	CMA_0265 - Establish and document change control processes	Manual, Disabled	1.1.0
Establish configuration management requirements for developers	CMA_0270 - Establish configuration management requirements for developers	Manual, Disabled	1.1.0
Establish security requirements for the manufacturing of connected devices	CMA_0279 - Establish security requirements for the manufacturing of connected devices	Manual, Disabled	1.1.0
Implement security engineering principles of information systems	CMA_0325 - Implement security engineering principles of information systems	Manual, Disabled	1.1.0
Perform audit for configuration change control	CMA_0390 - Perform audit for configuration change control	Manual, Disabled	1.1.0
Review and update planning policies and procedures	CMA_C1491 - Review and update planning policies and procedures	Manual, Disabled	1.1.0

Operation

Operational planning and control

ID: ISO 27001:2013 C.8.1 Ownership: Shared

Name (Azure portal)	Description	Effect(s)	Version (GitHub)
Automate approval request for proposed changes	CMA_C1192 - Automate approval request for proposed changes	Manual, Disabled	1.1.0
Automate implementation of approved change notifications	CMA_C1196 - Automate implementation of approved change notifications	Manual, Disabled	1.1.0
Automate process to document implemented changes	CMA_C1195 - Automate process to document implemented changes	Manual, Disabled	1.1.0
Automate process to highlight unreviewed change proposals	CMA_C1193 - Automate process to highlight unreviewed change proposals	Manual, Disabled	1.1.0
Automate process to prohibit implementation of unapproved changes	CMA_C1194 - Automate process to prohibit implementation of unapproved changes	Manual, Disabled	1.1.0
Automate proposed documented changes	CMA_C1191 - Automate proposed documented changes	Manual, Disabled	1.1.0
Conduct a security impact analysis	CMA_0057 - Conduct a security impact analysis	Manual, Disabled	1.1.0
Develop and maintain a vulnerability management standard	CMA_0152 - Develop and maintain a vulnerability management standard	Manual, Disabled	1.1.0
Develop POA&M	CMA_C1156 - Develop POA&M	Manual, Disabled	1.1.0
Enforce security configuration settings	CMA_0249 - Enforce security configuration settings	Manual, Disabled	1.1.0
Establish and document change control processes	CMA_0265 - Establish and document change control processes	Manual, Disabled	1.1.0
Establish configuration management requirements for developers	CMA_0270 - Establish configuration management requirements for developers	Manual, Disabled	1.1.0
Perform a privacy impact assessment	CMA_0387 - Perform a privacy impact assessment	Manual, Disabled	1.1.0
Perform a risk assessment	CMA_0388 - Perform a risk assessment	Manual, Disabled	1.1.0
Perform audit for configuration change control	CMA_0390 - Perform audit for configuration change control	Manual, Disabled	1.1.0
Remediate information system flaws	CMA_0427 - Remediate information system flaws	Manual, Disabled	1.1.0
Require developers to document approved changes and potential impact	CMA_C1597 - Require developers to document approved changes and potential impact	Manual, Disabled	1.1.0
Require developers to implement only approved changes	CMA_C1596 - Require developers to implement only approved changes	Manual, Disabled	1.1.0
Require developers to manage change integrity	CMA_C1595 - Require developers to manage change integrity	Manual, Disabled	1.1.0
Require external service providers to comply with security requirements	CMA_C1586 - Require external service providers to comply with security requirements	Manual, Disabled	1.1.0
Update POA&M items	CMA_C1157 - Update POA&M items	Manual, Disabled	1.1.0

Information security risk assessment

ID: ISO 27001:2013 C.8.2 Ownership: Shared

Name (Azure portal)	Description	Effect(s)	Version (GitHub)
Conduct risk assessment and document its results	CMA_C1542 - Conduct risk assessment and document its results	Manual, Disabled	1.1.0
Perform a risk assessment	CMA_0388 - Perform a risk assessment	Manual, Disabled	1.1.0
Review and update risk assessment policies and procedures	CMA_C1537 - Review and update risk assessment policies and procedures	Manual, Disabled	1.1.0

Information security risk treatment

ID: ISO 27001:2013 C.8.3 Ownership: Shared

Name (Azure portal)	Description	Effect(s)	Version (GitHub)
Develop POA&M	CMA_C1156 - Develop POA&M	Manual, Disabled	1.1.0
Implement system boundary protection	CMA_0328 - Implement system boundary protection	Manual, Disabled	1.1.0
Secure the interface to external systems	CMA_0491 - Secure the interface to external systems	Manual, Disabled	1.1.0
Update POA&M items	CMA_C1157 - Update POA&M items	Manual, Disabled	1.1.0

Performance Evaluation

Monitoring, measurement, analysis and evaluation

ID: ISO 27001:2013 C.9.1.a Ownership: Shared

Name (Azure portal)	Description	Effect(s)	Version (GitHub)
Configure detection whitelist	CMA_0068 - Configure detection whitelist	Manual, Disabled	1.1.0
Turn on sensors for endpoint security solution	CMA_0514 - Turn on sensors for endpoint security solution	Manual, Disabled	1.1.0
Undergo independent security review	CMA_0515 - Undergo independent security review	Manual, Disabled	1.1.0

Monitoring, measurement, analysis and evaluation

ID: ISO 27001:2013 C.9.1.b Ownership: Shared

Name (Azure portal)	Description	Effect(s)	Version (GitHub)
Configure detection whitelist	CMA_0068 - Configure detection whitelist	Manual, Disabled	1.1.0
Turn on sensors for endpoint security solution	CMA_0514 - Turn on sensors for endpoint security solution	Manual, Disabled	1.1.0
Undergo independent security review	CMA_0515 - Undergo independent security review	Manual, Disabled	1.1.0

Monitoring, measurement, analysis and evaluation

ID: ISO 27001:2013 C.9.1.c Ownership: Shared

Name (Azure portal)	Description	Effect(s)	Version (GitHub)
Configure detection whitelist	CMA_0068 - Configure detection whitelist	Manual, Disabled	1.1.0
Turn on sensors for endpoint security solution	CMA_0514 - Turn on sensors for endpoint security solution	Manual, Disabled	1.1.0
Undergo independent security review	CMA_0515 - Undergo independent security review	Manual, Disabled	1.1.0

Monitoring, measurement, analysis and evaluation

ID: ISO 27001:2013 C.9.1.d Ownership: Shared

Name (Azure portal)	Description	Effect(s)	Version (GitHub)
Configure detection whitelist	CMA_0068 - Configure detection whitelist	Manual, Disabled	1.1.0
Turn on sensors for endpoint security solution	CMA_0514 - Turn on sensors for endpoint security solution	Manual, Disabled	1.1.0
Undergo independent security review	CMA_0515 - Undergo independent security review	Manual, Disabled	1.1.0

Monitoring, measurement, analysis and evaluation

ID: ISO 27001:2013 C.9.1.e Ownership: Shared

Name (Azure portal)	Description	Effect(s)	Version (GitHub)
Configure detection whitelist	CMA_0068 - Configure detection whitelist	Manual, Disabled	1.1.0
Turn on sensors for endpoint security solution	CMA_0514 - Turn on sensors for endpoint security solution	Manual, Disabled	1.1.0
Undergo independent security review	CMA_0515 - Undergo independent security review	Manual, Disabled	1.1.0

Monitoring, measurement, analysis and evaluation

ID: ISO 27001:2013 C.9.1.f Ownership: Shared

Name (Azure portal)	Description	Effect(s)	Version (GitHub)
Configure detection whitelist	CMA_0068 - Configure detection whitelist	Manual, Disabled	1.1.0
Turn on sensors for endpoint security solution	CMA_0514 - Turn on sensors for endpoint security solution	Manual, Disabled	1.1.0
Undergo independent security review	CMA_0515 - Undergo independent security review	Manual, Disabled	1.1.0

Internal audit

ID: ISO 27001:2013 C.9.2.a.1 Ownership: Shared

Name (Azure portal)	Description	Effect(s)	Version (GitHub)
Develop security assessment plan	CMA_C1144 - Develop security assessment plan	Manual, Disabled	1.1.0

Internal audit

ID: ISO 27001:2013 C.9.2.a.2 Ownership: Shared

Name (Azure portal)	Description	Effect(s)	Version (GitHub)
Develop security assessment plan	CMA_C1144 - Develop security assessment plan	Manual, Disabled	1.1.0

Internal audit

ID: ISO 27001:2013 C.9.2.b Ownership: Shared

Name (Azure portal)	Description	Effect(s)	Version (GitHub)
Develop security assessment plan	CMA_C1144 - Develop security assessment plan	Manual, Disabled	1.1.0

Internal audit

ID: ISO 27001:2013 C.9.2.c Ownership: Shared

Name (Azure portal)	Description	Effect(s)	Version (GitHub)
Assess Security Controls	CMA_C1145 - Assess Security Controls	Manual, Disabled	1.1.0
Develop security assessment plan	CMA_C1144 - Develop security assessment plan	Manual, Disabled	1.1.0

Internal audit

ID: ISO 27001:2013 C.9.2.d Ownership: Shared

Name (Azure portal)	Description	Effect(s)	Version (GitHub)
Develop security assessment plan	CMA_C1144 - Develop security assessment plan	Manual, Disabled	1.1.0

Internal audit

ID: ISO 27001:2013 C.9.2.e Ownership: Shared

Name (Azure portal)	Description	Effect(s)	Version (GitHub)
Adjust level of audit review, analysis, and reporting	CMA_C1123 - Adjust level of audit review, analysis, and reporting	Manual, Disabled	1.1.0
Develop audit and accountability policies and procedures	CMA_0154 - Develop audit and accountability policies and procedures	Manual, Disabled	1.1.0
Develop information security policies and procedures	CMA_0158 - Develop information security policies and procedures	Manual, Disabled	1.1.0
Employ independent assessors to conduct security control assessments	CMA_C1148 - Employ independent assessors to conduct security control assessments	Manual, Disabled	1.1.0
Update information security policies	CMA_0518 - Update information security policies	Manual, Disabled	1.1.0

Internal audit

ID: ISO 27001:2013 C.9.2.f Ownership: Shared

Name (Azure portal)	Description	Effect(s)	Version (GitHub)
Deliver security assessment results	CMA_C1147 - Deliver security assessment results	Manual, Disabled	1.1.0

Internal audit

ID: ISO 27001:2013 C.9.2.g Ownership: Shared

Name (Azure portal)	Description	Effect(s)	Version (GitHub)
Adhere to retention periods defined	CMA_0004 - Adhere to retention periods defined	Manual, Disabled	1.1.0
Retain security policies and procedures	CMA_0454 - Retain security policies and procedures	Manual, Disabled	1.1.0
Retain terminated user data	CMA_0455 - Retain terminated user data	Manual, Disabled	1.1.0

Management review

ID: ISO 27001:2013 C.9.3.a Ownership: Shared

Name (Azure portal)	Description	Effect(s)	Version (GitHub)
Assess Security Controls	CMA_C1145 - Assess Security Controls	Manual, Disabled	1.1.0
Conduct Risk Assessment	CMA_C1543 - Conduct Risk Assessment	Manual, Disabled	1.1.0
Develop POA&M	CMA_C1156 - Develop POA&M	Manual, Disabled	1.1.0
Implement plans of action and milestones for security program process	CMA_C1737 - Implement plans of action and milestones for security program process	Manual, Disabled	1.1.0
Update POA&M items	CMA_C1157 - Update POA&M items	Manual, Disabled	1.1.0

Management review

ID: ISO 27001:2013 C.9.3.b Ownership: Shared

Name (Azure portal)	Description	Effect(s)	Version (GitHub)
Assess Security Controls	CMA_C1145 - Assess Security Controls	Manual, Disabled	1.1.0
Conduct Risk Assessment	CMA_C1543 - Conduct Risk Assessment	Manual, Disabled	1.1.0
Develop POA&M	CMA_C1156 - Develop POA&M	Manual, Disabled	1.1.0
Update POA&M items	CMA_C1157 - Update POA&M items	Manual, Disabled	1.1.0

Management review

ID: ISO 27001:2013 C.9.3.c.1 Ownership: Shared

Name (Azure portal)	Description	Effect(s)	Version (GitHub)
Assess Security Controls	CMA_C1145 - Assess Security Controls	Manual, Disabled	1.1.0
Conduct Risk Assessment	CMA_C1543 - Conduct Risk Assessment	Manual, Disabled	1.1.0
Define performance metrics	CMA_0124 - Define performance metrics	Manual, Disabled	1.1.0
Develop POA&M	CMA_C1156 - Develop POA&M	Manual, Disabled	1.1.0
Establish an information security program	CMA_0263 - Establish an information security program	Manual, Disabled	1.1.0
Update POA&M items	CMA_C1157 - Update POA&M items	Manual, Disabled	1.1.0

Management review

ID: ISO 27001:2013 C.9.3.c.2 Ownership: Shared

Name (Azure portal)	Description	Effect(s)	Version (GitHub)
Assess Security Controls	CMA_C1145 - Assess Security Controls	Manual, Disabled	1.1.0
Conduct Risk Assessment	CMA_C1543 - Conduct Risk Assessment	Manual, Disabled	1.1.0
Develop POA&M	CMA_C1156 - Develop POA&M	Manual, Disabled	1.1.0
Update POA&M items	CMA_C1157 - Update POA&M items	Manual, Disabled	1.1.0

Management review

ID: ISO 27001:2013 C.9.3.c.3 Ownership: Shared

Name (Azure portal)	Description	Effect(s)	Version (GitHub)
Assess Security Controls	CMA_C1145 - Assess Security Controls	Manual, Disabled	1.1.0
Conduct Risk Assessment	CMA_C1543 - Conduct Risk Assessment	Manual, Disabled	1.1.0
Define performance metrics	CMA_0124 - Define performance metrics	Manual, Disabled	1.1.0
Update POA&M items	CMA_C1157 - Update POA&M items	Manual, Disabled	1.1.0

Management review

ID: ISO 27001:2013 C.9.3.c.4 Ownership: Shared

Name (Azure portal)	Description	Effect(s)	Version (GitHub)
Assess Security Controls	CMA_C1145 - Assess Security Controls	Manual, Disabled	1.1.0
Conduct Risk Assessment	CMA_C1543 - Conduct Risk Assessment	Manual, Disabled	1.1.0
Define performance metrics	CMA_0124 - Define performance metrics	Manual, Disabled	1.1.0
Update POA&M items	CMA_C1157 - Update POA&M items	Manual, Disabled	1.1.0

Management review

ID: ISO 27001:2013 C.9.3.d Ownership: Shared

Name (Azure portal)	Description	Effect(s)	Version (GitHub)
Assess Security Controls	CMA_C1145 - Assess Security Controls	Manual, Disabled	1.1.0
Conduct Risk Assessment	CMA_C1543 - Conduct Risk Assessment	Manual, Disabled	1.1.0
Update POA&M items	CMA_C1157 - Update POA&M items	Manual, Disabled	1.1.0

Management review

ID: ISO 27001:2013 C.9.3.e Ownership: Shared

Name (Azure portal)	Description	Effect(s)	Version (GitHub)
Assess Security Controls	CMA_C1145 - Assess Security Controls	Manual, Disabled	1.1.0
Conduct Risk Assessment	CMA_C1543 - Conduct Risk Assessment	Manual, Disabled	1.1.0
Update POA&M items	CMA_C1157 - Update POA&M items	Manual, Disabled	1.1.0

Management review

ID: ISO 27001:2013 C.9.3.f Ownership: Shared

Name (Azure portal)	Description	Effect(s)	Version (GitHub)
Assess Security Controls	CMA_C1145 - Assess Security Controls	Manual, Disabled	1.1.0
Conduct Risk Assessment	CMA_C1543 - Conduct Risk Assessment	Manual, Disabled	1.1.0
Update POA&M items	CMA_C1157 - Update POA&M items	Manual, Disabled	1.1.0

Next steps

Additional articles about Azure Policy:

• Regulatory Compliance overview.
• See the initiative definition structure.
• Review other examples at Azure Policy samples.
• Review Understanding policy effects.
• Learn how to remediate non-compliant resources.