Details of the ISO 27001:2013 Regulatory Compliance built-in initiative
The following article details how the Azure Policy Regulatory Compliance built-in initiative definition maps to compliance domains and controls in ISO 27001:2013. For more information about this compliance standard, see ISO 27001:2013. To understand Ownership, see Azure Policy policy definition and Shared responsibility in the cloud.
The following mappings are to the ISO 27001:2013 controls. Many of the controls are implemented with an Azure Policy initiative definition. To review the complete initiative definition, open Policy in the Azure portal and select the Definitions page. Then, find and select the ISO 27001:2013 Regulatory Compliance built-in initiative definition.
Important
Each control below is associated with one or more Azure Policy definitions. These policies may help you assess compliance with the control; however, there often is not a one-to-one or complete match between a control and one or more policies. As such, Compliant in Azure Policy refers only to the policy definitions themselves; this doesn't ensure you're fully compliant with all requirements of a control. In addition, the compliance standard includes controls that aren't addressed by any Azure Policy definitions at this time. Therefore, compliance in Azure Policy is only a partial view of your overall compliance status. The associations between compliance domains, controls, and Azure Policy definitions for this compliance standard may change over time. To view the change history, see the GitHub Commit History.
Cryptography
Policy on the use of cryptographic controls
ID: ISO 27001:2013 A.10.1.1 Ownership: Shared
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Add system-assigned managed identity to enable Guest Configuration assignments on virtual machines with no identities | This policy adds a system-assigned managed identity to virtual machines hosted in Azure that are supported by Guest Configuration but do not have any managed identities. A system-assigned managed identity is a prerequisite for all Guest Configuration assignments and must be added to machines before using any Guest Configuration policy definitions. For more information on Guest Configuration, visit https://aka.ms/gcpol. | modify | 4.1.0 |
| Add system-assigned managed identity to enable Guest Configuration assignments on VMs with a user-assigned identity | This policy adds a system-assigned managed identity to virtual machines hosted in Azure that are supported by Guest Configuration and have at least one user-assigned identity but do not have a system-assigned managed identity. A system-assigned managed identity is a prerequisite for all Guest Configuration assignments and must be added to machines before using any Guest Configuration policy definitions. For more information on Guest Configuration, visit https://aka.ms/gcpol. | modify | 4.1.0 |
| App Service apps should only be accessible over HTTPS | Use of HTTPS ensures server/service authentication and protects data in transit from network layer eavesdropping attacks. | Audit, Disabled, Deny | 4.0.0 |
| Audit Windows machines that do not store passwords using reversible encryption | Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if Windows machines that do not store passwords using reversible encryption | AuditIfNotExists, Disabled | 2.0.0 |
| Automation account variables should be encrypted | It is important to enable encryption of Automation account variable assets when storing sensitive data | Audit, Deny, Disabled | 1.1.0 |
| Define cryptographic use | CMA_0120 - Define cryptographic use | Manual, Disabled | 1.1.0 |
| Deploy the Windows Guest Configuration extension to enable Guest Configuration assignments on Windows VMs | This policy deploys the Windows Guest Configuration extension to Windows virtual machines hosted in Azure that are supported by Guest Configuration. The Windows Guest Configuration extension is a prerequisite for all Windows Guest Configuration assignments and must be deployed to machines before using any Windows Guest Configuration policy definition. For more information on Guest Configuration, visit https://aka.ms/gcpol. | deployIfNotExists | 1.2.0 |
| Document and distribute a privacy policy | CMA_0188 - Document and distribute a privacy policy | Manual, Disabled | 1.1.0 |
| Function apps should only be accessible over HTTPS | Use of HTTPS ensures server/service authentication and protects data in transit from network layer eavesdropping attacks. | Audit, Disabled, Deny | 5.0.0 |
| Implement privacy notice delivery methods | CMA_0324 - Implement privacy notice delivery methods | Manual, Disabled | 1.1.0 |
| Only secure connections to your Azure Cache for Redis should be enabled | Audit enabling of only connections via SSL to Azure Cache for Redis. Use of secure connections ensures authentication between the server and the service and protects data in transit from network layer attacks such as man-in-the-middle, eavesdropping, and session-hijacking | Audit, Deny, Disabled | 1.0.0 |
| Provide privacy notice | CMA_0414 - Provide privacy notice | Manual, Disabled | 1.1.0 |
| Restrict communications | CMA_0449 - Restrict communications | Manual, Disabled | 1.1.0 |
| Review and update system and communications protection policies and procedures | CMA_C1616 - Review and update system and communications protection policies and procedures | Manual, Disabled | 1.1.0 |
| Secure transfer to storage accounts should be enabled | Audit requirement of Secure transfer in your storage account. Secure transfer is an option that forces your storage account to accept requests only from secure connections (HTTPS). Use of HTTPS ensures authentication between the server and the service and protects data in transit from network layer attacks such as man-in-the-middle, eavesdropping, and session-hijacking | Audit, Deny, Disabled | 2.0.0 |
| Service Fabric clusters should have the ClusterProtectionLevel property set to EncryptAndSign | Service Fabric provides three levels of protection (None, Sign and EncryptAndSign) for node-to-node communication using a primary cluster certificate. Set the protection level to ensure that all node-to-node messages are encrypted and digitally signed | Audit, Deny, Disabled | 1.1.0 |
| Transparent Data Encryption on SQL databases should be enabled | Transparent data encryption should be enabled to protect data-at-rest and meet compliance requirements | AuditIfNotExists, Disabled | 2.0.0 |
| Virtual machines should encrypt temp disks, caches, and data flows between Compute and Storage resources | By default, a virtual machine's OS and data disks are encrypted-at-rest using platform-managed keys. Temp disks, data caches and data flowing between compute and storage aren't encrypted. Disregard this recommendation if: 1. using encryption-at-host, or 2. server-side encryption on Managed Disks meets your security requirements. Learn more in: Server-side encryption of Azure Disk Storage: https://aka.ms/disksse, Different disk encryption offerings: https://aka.ms/diskencryptioncomparison | AuditIfNotExists, Disabled | 2.0.3 |
Key Management
ID: ISO 27001:2013 A.10.1.2 Ownership: Shared
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Define a physical key management process | CMA_0115 - Define a physical key management process | Manual, Disabled | 1.1.0 |
| Define cryptographic use | CMA_0120 - Define cryptographic use | Manual, Disabled | 1.1.0 |
| Define organizational requirements for cryptographic key management | CMA_0123 - Define organizational requirements for cryptographic key management | Manual, Disabled | 1.1.0 |
| Determine assertion requirements | CMA_0136 - Determine assertion requirements | Manual, Disabled | 1.1.0 |
| Document security strength requirements in acquisition contracts | CMA_0203 - Document security strength requirements in acquisition contracts | Manual, Disabled | 1.1.0 |
| Establish a password policy | CMA_0256 - Establish a password policy | Manual, Disabled | 1.1.0 |
| Identify actions allowed without authentication | CMA_0295 - Identify actions allowed without authentication | Manual, Disabled | 1.1.0 |
| Identify and authenticate non-organizational users | CMA_C1346 - Identify and authenticate non-organizational users | Manual, Disabled | 1.1.0 |
| Implement parameters for memorized secret verifiers | CMA_0321 - Implement parameters for memorized secret verifiers | Manual, Disabled | 1.1.0 |
| Issue public key certificates | CMA_0347 - Issue public key certificates | Manual, Disabled | 1.1.0 |
| Manage symmetric cryptographic keys | CMA_0367 - Manage symmetric cryptographic keys | Manual, Disabled | 1.1.0 |
| Protect passwords with encryption | CMA_0408 - Protect passwords with encryption | Manual, Disabled | 1.1.0 |
| Restrict access to private keys | CMA_0445 - Restrict access to private keys | Manual, Disabled | 1.1.0 |
| Review and update system and communications protection policies and procedures | CMA_C1616 - Review and update system and communications protection policies and procedures | Manual, Disabled | 1.1.0 |
| Terminate customer controlled account credentials | CMA_C1022 - Terminate customer controlled account credentials | Manual, Disabled | 1.1.0 |
Physical And Environmental Security
Physical security perimeter
ID: ISO 27001:2013 A.11.1.1 Ownership: Shared
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Adopt biometric authentication mechanisms | CMA_0005 - Adopt biometric authentication mechanisms | Manual, Disabled | 1.1.0 |
| Control physical access | CMA_0081 - Control physical access | Manual, Disabled | 1.1.0 |
| Define a physical key management process | CMA_0115 - Define a physical key management process | Manual, Disabled | 1.1.0 |
| Establish and maintain an asset inventory | CMA_0266 - Establish and maintain an asset inventory | Manual, Disabled | 1.1.0 |
| Implement physical security for offices, working areas, and secure areas | CMA_0323 - Implement physical security for offices, working areas, and secure areas | Manual, Disabled | 1.1.0 |
| Install an alarm system | CMA_0338 - Install an alarm system | Manual, Disabled | 1.1.0 |
| Manage a secure surveillance camera system | CMA_0354 - Manage a secure surveillance camera system | Manual, Disabled | 1.1.0 |
| Review and update physical and environmental policies and procedures | CMA_C1446 - Review and update physical and environmental policies and procedures | Manual, Disabled | 1.1.0 |
Physical entry controls
ID: ISO 27001:2013 A.11.1.2 Ownership: Shared
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Adopt biometric authentication mechanisms | CMA_0005 - Adopt biometric authentication mechanisms | Manual, Disabled | 1.1.0 |
| Control physical access | CMA_0081 - Control physical access | Manual, Disabled | 1.1.0 |
| Define a physical key management process | CMA_0115 - Define a physical key management process | Manual, Disabled | 1.1.0 |
| Designate personnel to supervise unauthorized maintenance activities | CMA_C1422 - Designate personnel to supervise unauthorized maintenance activities | Manual, Disabled | 1.1.0 |
| Establish and maintain an asset inventory | CMA_0266 - Establish and maintain an asset inventory | Manual, Disabled | 1.1.0 |
| Implement physical security for offices, working areas, and secure areas | CMA_0323 - Implement physical security for offices, working areas, and secure areas | Manual, Disabled | 1.1.0 |
| Maintain list of authorized remote maintenance personnel | CMA_C1420 - Maintain list of authorized remote maintenance personnel | Manual, Disabled | 1.1.0 |
| Manage maintenance personnel | CMA_C1421 - Manage maintenance personnel | Manual, Disabled | 1.1.0 |
| Manage the input, output, processing, and storage of data | CMA_0369 - Manage the input, output, processing, and storage of data | Manual, Disabled | 1.1.0 |
Securing offices, rooms and facilities
ID: ISO 27001:2013 A.11.1.3 Ownership: Shared
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Adopt biometric authentication mechanisms | CMA_0005 - Adopt biometric authentication mechanisms | Manual, Disabled | 1.1.0 |
| Control physical access | CMA_0081 - Control physical access | Manual, Disabled | 1.1.0 |
| Define a physical key management process | CMA_0115 - Define a physical key management process | Manual, Disabled | 1.1.0 |
| Establish and maintain an asset inventory | CMA_0266 - Establish and maintain an asset inventory | Manual, Disabled | 1.1.0 |
| Implement physical security for offices, working areas, and secure areas | CMA_0323 - Implement physical security for offices, working areas, and secure areas | Manual, Disabled | 1.1.0 |
Protecting against external and environmental threats
ID: ISO 27001:2013 A.11.1.4 Ownership: Shared
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Create separate alternate and primary storage sites | CMA_C1269 - Create separate alternate and primary storage sites | Manual, Disabled | 1.1.0 |
| Ensure alternate storage site safeguards are equivalent to primary site | CMA_C1268 - Ensure alternate storage site safeguards are equivalent to primary site | Manual, Disabled | 1.1.0 |
| Ensure information system fails in known state | CMA_C1662 - Ensure information system fails in known state | Manual, Disabled | 1.1.0 |
| Establish alternate storage site to store and retrieve backup information | CMA_C1267 - Establish alternate storage site to store and retrieve backup information | Manual, Disabled | 1.1.0 |
| Establish an alternate processing site | CMA_0262 - Establish an alternate processing site | Manual, Disabled | 1.1.0 |
| Identify and mitigate potential issues at alternate storage site | CMA_C1271 - Identify and mitigate potential issues at alternate storage site | Manual, Disabled | 1.1.0 |
| Implement physical security for offices, working areas, and secure areas | CMA_0323 - Implement physical security for offices, working areas, and secure areas | Manual, Disabled | 1.1.0 |
| Install an alarm system | CMA_0338 - Install an alarm system | Manual, Disabled | 1.1.0 |
| Plan for continuance of essential business functions | CMA_C1255 - Plan for continuance of essential business functions | Manual, Disabled | 1.1.0 |
Working in secure areas
ID: ISO 27001:2013 A.11.1.5 Ownership: Shared
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Coordinate contingency plans with related plans | CMA_0086 - Coordinate contingency plans with related plans | Manual, Disabled | 1.1.0 |
| Review and update contingency planning policies and procedures | CMA_C1243 - Review and update contingency planning policies and procedures | Manual, Disabled | 1.1.0 |
| Review and update physical and environmental policies and procedures | CMA_C1446 - Review and update physical and environmental policies and procedures | Manual, Disabled | 1.1.0 |
Delivering and loading areas
ID: ISO 27001:2013 A.11.1.6 Ownership: Shared
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Adopt biometric authentication mechanisms | CMA_0005 - Adopt biometric authentication mechanisms | Manual, Disabled | 1.1.0 |
| Define requirements for managing assets | CMA_0125 - Define requirements for managing assets | Manual, Disabled | 1.1.0 |
| Install an alarm system | CMA_0338 - Install an alarm system | Manual, Disabled | 1.1.0 |
| Manage a secure surveillance camera system | CMA_0354 - Manage a secure surveillance camera system | Manual, Disabled | 1.1.0 |
| Manage the transportation of assets | CMA_0370 - Manage the transportation of assets | Manual, Disabled | 1.1.0 |
Equipment sitting and protection
ID: ISO 27001:2013 A.11.2.1 Ownership: Shared
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Implement physical security for offices, working areas, and secure areas | CMA_0323 - Implement physical security for offices, working areas, and secure areas | Manual, Disabled | 1.1.0 |
Supporting utilities
ID: ISO 27001:2013 A.11.2.2 Ownership: Shared
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Employ automatic emergency lighting | CMA_0209 - Employ automatic emergency lighting | Manual, Disabled | 1.1.0 |
| Establish requirements for internet service providers | CMA_0278 - Establish requirements for internet service providers | Manual, Disabled | 1.1.0 |
| Implement physical security for offices, working areas, and secure areas | CMA_0323 - Implement physical security for offices, working areas, and secure areas | Manual, Disabled | 1.1.0 |
Cabling security
ID: ISO 27001:2013 A.11.2.3 Ownership: Shared
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Adopt biometric authentication mechanisms | CMA_0005 - Adopt biometric authentication mechanisms | Manual, Disabled | 1.1.0 |
| Control physical access | CMA_0081 - Control physical access | Manual, Disabled | 1.1.0 |
| Implement physical security for offices, working areas, and secure areas | CMA_0323 - Implement physical security for offices, working areas, and secure areas | Manual, Disabled | 1.1.0 |
| Manage the input, output, processing, and storage of data | CMA_0369 - Manage the input, output, processing, and storage of data | Manual, Disabled | 1.1.0 |
Equipment maintenance
ID: ISO 27001:2013 A.11.2.4 Ownership: Shared
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Automate remote maintenance activities | CMA_C1402 - Automate remote maintenance activities | Manual, Disabled | 1.1.0 |
| Control maintenance and repair activities | CMA_0080 - Control maintenance and repair activities | Manual, Disabled | 1.1.0 |
| Document personnel acceptance of privacy requirements | CMA_0193 - Document personnel acceptance of privacy requirements | Manual, Disabled | 1.1.0 |
| Employ a media sanitization mechanism | CMA_0208 - Employ a media sanitization mechanism | Manual, Disabled | 1.1.0 |
| Implement controls to secure all media | CMA_0314 - Implement controls to secure all media | Manual, Disabled | 1.1.0 |
| Manage nonlocal maintenance and diagnostic activities | CMA_0364 - Manage nonlocal maintenance and diagnostic activities | Manual, Disabled | 1.1.0 |
| Produce complete records of remote maintenance activities | CMA_C1403 - Produce complete records of remote maintenance activities | Manual, Disabled | 1.1.0 |
| Provide privacy training | CMA_0415 - Provide privacy training | Manual, Disabled | 1.1.0 |
| Provide timely maintenance support | CMA_C1425 - Provide timely maintenance support | Manual, Disabled | 1.1.0 |
Removal of assets
ID: ISO 27001:2013 A.11.2.5 Ownership: Shared
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Control maintenance and repair activities | CMA_0080 - Control maintenance and repair activities | Manual, Disabled | 1.1.0 |
| Define requirements for managing assets | CMA_0125 - Define requirements for managing assets | Manual, Disabled | 1.1.0 |
| Employ a media sanitization mechanism | CMA_0208 - Employ a media sanitization mechanism | Manual, Disabled | 1.1.0 |
| Implement controls to secure all media | CMA_0314 - Implement controls to secure all media | Manual, Disabled | 1.1.0 |
| Manage nonlocal maintenance and diagnostic activities | CMA_0364 - Manage nonlocal maintenance and diagnostic activities | Manual, Disabled | 1.1.0 |
| Manage the transportation of assets | CMA_0370 - Manage the transportation of assets | Manual, Disabled | 1.1.0 |
Security of equipment and assets off-premises
ID: ISO 27001:2013 A.11.2.6 Ownership: Shared
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Define mobile device requirements | CMA_0122 - Define mobile device requirements | Manual, Disabled | 1.1.0 |
| Ensure security safeguards not needed when the individuals return | CMA_C1183 - Ensure security safeguards not needed when the individuals return | Manual, Disabled | 1.1.0 |
| Establish terms and conditions for accessing resources | CMA_C1076 - Establish terms and conditions for accessing resources | Manual, Disabled | 1.1.0 |
| Establish terms and conditions for processing resources | CMA_C1077 - Establish terms and conditions for processing resources | Manual, Disabled | 1.1.0 |
| Implement controls to secure all media | CMA_0314 - Implement controls to secure all media | Manual, Disabled | 1.1.0 |
| Implement controls to secure alternate work sites | CMA_0315 - Implement controls to secure alternate work sites | Manual, Disabled | 1.1.0 |
| Manage the transportation of assets | CMA_0370 - Manage the transportation of assets | Manual, Disabled | 1.1.0 |
| Not allow for information systems to accompany with individuals | CMA_C1182 - Not allow for information systems to accompany with individuals | Manual, Disabled | 1.1.0 |
| Protect data in transit using encryption | CMA_0403 - Protect data in transit using encryption | Manual, Disabled | 1.1.0 |
| Verify security controls for external information systems | CMA_0541 - Verify security controls for external information systems | Manual, Disabled | 1.1.0 |
Secure disposal or re-use of equipment
ID: ISO 27001:2013 A.11.2.7 Ownership: Shared
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Adhere to retention periods defined | CMA_0004 - Adhere to retention periods defined | Manual, Disabled | 1.1.0 |
| Employ a media sanitization mechanism | CMA_0208 - Employ a media sanitization mechanism | Manual, Disabled | 1.1.0 |
| Implement controls to secure all media | CMA_0314 - Implement controls to secure all media | Manual, Disabled | 1.1.0 |
| Perform disposition review | CMA_0391 - Perform disposition review | Manual, Disabled | 1.1.0 |
| Verify personal data is deleted at the end of processing | CMA_0540 - Verify personal data is deleted at the end of processing | Manual, Disabled | 1.1.0 |
Unattended user equipment
ID: ISO 27001:2013 A.11.2.8 Ownership: Shared
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Provide privacy training | CMA_0415 - Provide privacy training | Manual, Disabled | 1.1.0 |
| Terminate user session automatically | CMA_C1054 - Terminate user session automatically | Manual, Disabled | 1.1.0 |
Clear desk and clear screen policy
ID: ISO 27001:2013 A.11.2.9 Ownership: Shared
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Employ a media sanitization mechanism | CMA_0208 - Employ a media sanitization mechanism | Manual, Disabled | 1.1.0 |
| Implement controls to secure all media | CMA_0314 - Implement controls to secure all media | Manual, Disabled | 1.1.0 |
| Provide privacy training | CMA_0415 - Provide privacy training | Manual, Disabled | 1.1.0 |
Operations Security
Documented operating procedures
ID: ISO 27001:2013 A.12.1.1 Ownership: Shared
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Develop access control policies and procedures | CMA_0144 - Develop access control policies and procedures | Manual, Disabled | 1.1.0 |
| Develop and establish a system security plan | CMA_0151 - Develop and establish a system security plan | Manual, Disabled | 1.1.0 |
| Develop audit and accountability policies and procedures | CMA_0154 - Develop audit and accountability policies and procedures | Manual, Disabled | 1.1.0 |
| Develop information security policies and procedures | CMA_0158 - Develop information security policies and procedures | Manual, Disabled | 1.1.0 |
| Distribute information system documentation | CMA_C1584 - Distribute information system documentation | Manual, Disabled | 1.1.0 |
| Document customer-defined actions | CMA_C1582 - Document customer-defined actions | Manual, Disabled | 1.1.0 |
| Document security and privacy training activities | CMA_0198 - Document security and privacy training activities | Manual, Disabled | 1.1.0 |
| Enforce mandatory and discretionary access control policies | CMA_0246 - Enforce mandatory and discretionary access control policies | Manual, Disabled | 1.1.0 |
| Establish security requirements for the manufacturing of connected devices | CMA_0279 - Establish security requirements for the manufacturing of connected devices | Manual, Disabled | 1.1.0 |
| Govern policies and procedures | CMA_0292 - Govern policies and procedures | Manual, Disabled | 1.1.0 |
| Implement security engineering principles of information systems | CMA_0325 - Implement security engineering principles of information systems | Manual, Disabled | 1.1.0 |
| Obtain Admin documentation | CMA_C1580 - Obtain Admin documentation | Manual, Disabled | 1.1.0 |
| Obtain user security function documentation | CMA_C1581 - Obtain user security function documentation | Manual, Disabled | 1.1.0 |
| Protect administrator and user documentation | CMA_C1583 - Protect administrator and user documentation | Manual, Disabled | 1.1.0 |
| Provide privacy training | CMA_0415 - Provide privacy training | Manual, Disabled | 1.1.0 |
| Review access control policies and procedures | CMA_0457 - Review access control policies and procedures | Manual, Disabled | 1.1.0 |
| Review and update configuration management policies and procedures | CMA_C1175 - Review and update configuration management policies and procedures | Manual, Disabled | 1.1.0 |
| Review and update contingency planning policies and procedures | CMA_C1243 - Review and update contingency planning policies and procedures | Manual, Disabled | 1.1.0 |
| Review and update identification and authentication policies and procedures | CMA_C1299 - Review and update identification and authentication policies and procedures | Manual, Disabled | 1.1.0 |
| Review and update incident response policies and procedures | CMA_C1352 - Review and update incident response policies and procedures | Manual, Disabled | 1.1.0 |
| Review and update information integrity policies and procedures | CMA_C1667 - Review and update information integrity policies and procedures | Manual, Disabled | 1.1.0 |
| Review and update media protection policies and procedures | CMA_C1427 - Review and update media protection policies and procedures | Manual, Disabled | 1.1.0 |
| Review and update personnel security policies and procedures | CMA_C1507 - Review and update personnel security policies and procedures | Manual, Disabled | 1.1.0 |
| Review and update physical and environmental policies and procedures | CMA_C1446 - Review and update physical and environmental policies and procedures | Manual, Disabled | 1.1.0 |
| Review and update planning policies and procedures | CMA_C1491 - Review and update planning policies and procedures | Manual, Disabled | 1.1.0 |
| Review and update risk assessment policies and procedures | CMA_C1537 - Review and update risk assessment policies and procedures | Manual, Disabled | 1.1.0 |
| Review and update system and communications protection policies and procedures | CMA_C1616 - Review and update system and communications protection policies and procedures | Manual, Disabled | 1.1.0 |
| Review and update system and services acquisition policies and procedures | CMA_C1560 - Review and update system and services acquisition policies and procedures | Manual, Disabled | 1.1.0 |
| Review and update system maintenance policies and procedures | CMA_C1395 - Review and update system maintenance policies and procedures | Manual, Disabled | 1.1.0 |
| Review security assessment and authorization policies and procedures | CMA_C1143 - Review security assessment and authorization policies and procedures | Manual, Disabled | 1.1.0 |
| Update information security policies | CMA_0518 - Update information security policies | Manual, Disabled | 1.1.0 |
Change management
ID: ISO 27001:2013 A.12.1.2 Ownership: Shared
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Address coding vulnerabilities | CMA_0003 - Address coding vulnerabilities | Manual, Disabled | 1.1.0 |
| Automate approval request for proposed changes | CMA_C1192 - Automate approval request for proposed changes | Manual, Disabled | 1.1.0 |
| Automate implementation of approved change notifications | CMA_C1196 - Automate implementation of approved change notifications | Manual, Disabled | 1.1.0 |
| Automate process to document implemented changes | CMA_C1195 - Automate process to document implemented changes | Manual, Disabled | 1.1.0 |
| Automate process to highlight unreviewed change proposals | CMA_C1193 - Automate process to highlight unreviewed change proposals | Manual, Disabled | 1.1.0 |
| Automate process to prohibit implementation of unapproved changes | CMA_C1194 - Automate process to prohibit implementation of unapproved changes | Manual, Disabled | 1.1.0 |
| Automate proposed documented changes | CMA_C1191 - Automate proposed documented changes | Manual, Disabled | 1.1.0 |
| Conduct a security impact analysis | CMA_0057 - Conduct a security impact analysis | Manual, Disabled | 1.1.0 |
| Develop and document application security requirements | CMA_0148 - Develop and document application security requirements | Manual, Disabled | 1.1.0 |
| Develop and maintain a vulnerability management standard | CMA_0152 - Develop and maintain a vulnerability management standard | Manual, Disabled | 1.1.0 |
| Document the information system environment in acquisition contracts | CMA_0205 - Document the information system environment in acquisition contracts | Manual, Disabled | 1.1.0 |
| Enforce security configuration settings | CMA_0249 - Enforce security configuration settings | Manual, Disabled | 1.1.0 |
| Establish a risk management strategy | CMA_0258 - Establish a risk management strategy | Manual, Disabled | 1.1.0 |
| Establish a secure software development program | CMA_0259 - Establish a secure software development program | Manual, Disabled | 1.1.0 |
| Establish and document change control processes | CMA_0265 - Establish and document change control processes | Manual, Disabled | 1.1.0 |
| Establish configuration management requirements for developers | CMA_0270 - Establish configuration management requirements for developers | Manual, Disabled | 1.1.0 |
| Implement physical security for offices, working areas, and secure areas | CMA_0323 - Implement physical security for offices, working areas, and secure areas | Manual, Disabled | 1.1.0 |
| Install an alarm system | CMA_0338 - Install an alarm system | Manual, Disabled | 1.1.0 |
| Manage nonlocal maintenance and diagnostic activities | CMA_0364 - Manage nonlocal maintenance and diagnostic activities | Manual, Disabled | 1.1.0 |
| Perform a privacy impact assessment | CMA_0387 - Perform a privacy impact assessment | Manual, Disabled | 1.1.0 |
| Perform a risk assessment | CMA_0388 - Perform a risk assessment | Manual, Disabled | 1.1.0 |
| Perform audit for configuration change control | CMA_0390 - Perform audit for configuration change control | Manual, Disabled | 1.1.0 |
| Perform vulnerability scans | CMA_0393 - Perform vulnerability scans | Manual, Disabled | 1.1.0 |
| Remediate information system flaws | CMA_0427 - Remediate information system flaws | Manual, Disabled | 1.1.0 |
| Require developers to document approved changes and potential impact | CMA_C1597 - Require developers to document approved changes and potential impact | Manual, Disabled | 1.1.0 |
| Require developers to implement only approved changes | CMA_C1596 - Require developers to implement only approved changes | Manual, Disabled | 1.1.0 |
| Require developers to manage change integrity | CMA_C1595 - Require developers to manage change integrity | Manual, Disabled | 1.1.0 |
Capacity management
ID: ISO 27001:2013 A.12.1.3 Ownership: Shared
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Conduct capacity planning | CMA_C1252 - Conduct capacity planning | Manual, Disabled | 1.1.0 |
| Govern and monitor audit processing activities | CMA_0289 - Govern and monitor audit processing activities | Manual, Disabled | 1.1.0 |
Separation of development, testing and operational environments
ID: ISO 27001:2013 A.12.1.4 Ownership: Shared
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Conduct a security impact analysis | CMA_0057 - Conduct a security impact analysis | Manual, Disabled | 1.1.0 |
| Ensure there are no unencrypted static authenticators | CMA_C1340 - Ensure there are no unencrypted static authenticators | Manual, Disabled | 1.1.0 |
| Establish and document change control processes | CMA_0265 - Establish and document change control processes | Manual, Disabled | 1.1.0 |
| Establish configuration management requirements for developers | CMA_0270 - Establish configuration management requirements for developers | Manual, Disabled | 1.1.0 |
| Implement controls to protect PII | CMA_C1839 - Implement controls to protect PII | Manual, Disabled | 1.1.0 |
| Incorporate security and data privacy practices in research processing | CMA_0331 - Incorporate security and data privacy practices in research processing | Manual, Disabled | 1.1.0 |
| Perform a privacy impact assessment | CMA_0387 - Perform a privacy impact assessment | Manual, Disabled | 1.1.0 |
| Perform audit for configuration change control | CMA_0390 - Perform audit for configuration change control | Manual, Disabled | 1.1.0 |
| Perform vulnerability scans | CMA_0393 - Perform vulnerability scans | Manual, Disabled | 1.1.0 |
| Remediate information system flaws | CMA_0427 - Remediate information system flaws | Manual, Disabled | 1.1.0 |
Controls against malware
ID: ISO 27001:2013 A.12.2.1 Ownership: Shared
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Block untrusted and unsigned processes that run from USB | CMA_0050 - Block untrusted and unsigned processes that run from USB | Manual, Disabled | 1.1.0 |
| Control maintenance and repair activities | CMA_0080 - Control maintenance and repair activities | Manual, Disabled | 1.1.0 |
| Manage gateways | CMA_0363 - Manage gateways | Manual, Disabled | 1.1.0 |
| Manage nonlocal maintenance and diagnostic activities | CMA_0364 - Manage nonlocal maintenance and diagnostic activities | Manual, Disabled | 1.1.0 |
| Perform a trend analysis on threats | CMA_0389 - Perform a trend analysis on threats | Manual, Disabled | 1.1.0 |
| Perform vulnerability scans | CMA_0393 - Perform vulnerability scans | Manual, Disabled | 1.1.0 |
| Provide periodic security awareness training | CMA_C1091 - Provide periodic security awareness training | Manual, Disabled | 1.1.0 |
| Provide security training for new users | CMA_0419 - Provide security training for new users | Manual, Disabled | 1.1.0 |
| Provide updated security awareness training | CMA_C1090 - Provide updated security awareness training | Manual, Disabled | 1.1.0 |
| Review malware detections report weekly | CMA_0475 - Review malware detections report weekly | Manual, Disabled | 1.1.0 |
| Review threat protection status weekly | CMA_0479 - Review threat protection status weekly | Manual, Disabled | 1.1.0 |
| Update antivirus definitions | CMA_0517 - Update antivirus definitions | Manual, Disabled | 1.1.0 |
Information backup
ID: ISO 27001:2013 A.12.3.1 Ownership: Shared
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Adhere to retention periods defined | CMA_0004 - Adhere to retention periods defined | Manual, Disabled | 1.1.0 |
| Conduct backup of information system documentation | CMA_C1289 - Conduct backup of information system documentation | Manual, Disabled | 1.1.0 |
| Create separate alternate and primary storage sites | CMA_C1269 - Create separate alternate and primary storage sites | Manual, Disabled | 1.1.0 |
| Ensure information system fails in known state | CMA_C1662 - Ensure information system fails in known state | Manual, Disabled | 1.1.0 |
| Establish an alternate processing site | CMA_0262 - Establish an alternate processing site | Manual, Disabled | 1.1.0 |
| Establish backup policies and procedures | CMA_0268 - Establish backup policies and procedures | Manual, Disabled | 1.1.0 |
| Implement controls to secure all media | CMA_0314 - Implement controls to secure all media | Manual, Disabled | 1.1.0 |
| Implement transaction based recovery | CMA_C1296 - Implement transaction based recovery | Manual, Disabled | 1.1.0 |
| Perform disposition review | CMA_0391 - Perform disposition review | Manual, Disabled | 1.1.0 |
| Plan for continuance of essential business functions | CMA_C1255 - Plan for continuance of essential business functions | Manual, Disabled | 1.1.0 |
| Separately store backup information | CMA_C1293 - Separately store backup information | Manual, Disabled | 1.1.0 |
| Transfer backup information to an alternate storage site | CMA_C1294 - Transfer backup information to an alternate storage site | Manual, Disabled | 1.1.0 |
| Verify personal data is deleted at the end of processing | CMA_0540 - Verify personal data is deleted at the end of processing | Manual, Disabled | 1.1.0 |
Event Logging
ID: ISO 27001:2013 A.12.4.1 Ownership: Shared
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| [Preview]: Log Analytics Extension should be enabled for listed virtual machine images | Reports virtual machines as non-compliant if the virtual machine image is not in the list defined and the extension is not installed. | AuditIfNotExists, Disabled | 2.0.1-preview |
| Adhere to retention periods defined | CMA_0004 - Adhere to retention periods defined | Manual, Disabled | 1.1.0 |
| Alert personnel of information spillage | CMA_0007 - Alert personnel of information spillage | Manual, Disabled | 1.1.0 |
| Audit diagnostic setting for selected resource types | Audit diagnostic setting for selected resource types. Be sure to select only resource types which support diagnostics settings. | AuditIfNotExists | 2.0.1 |
| Audit privileged functions | CMA_0019 - Audit privileged functions | Manual, Disabled | 1.1.0 |
| Audit user account status | CMA_0020 - Audit user account status | Manual, Disabled | 1.1.0 |
| Auditing on SQL server should be enabled | Auditing on your SQL Server should be enabled to track database activities across all databases on the server and save them in an audit log. | AuditIfNotExists, Disabled | 2.0.0 |
| Authorize, monitor, and control voip | CMA_0025 - Authorize, monitor, and control voip | Manual, Disabled | 1.1.0 |
| Automate account management | CMA_0026 - Automate account management | Manual, Disabled | 1.1.0 |
| Check for privacy and security compliance before establishing internal connections | CMA_0053 - Check for privacy and security compliance before establishing internal connections | Manual, Disabled | 1.1.0 |
| Conduct a full text analysis of logged privileged commands | CMA_0056 - Conduct a full text analysis of logged privileged commands | Manual, Disabled | 1.1.0 |
| Configure Azure Audit capabilities | CMA_C1108 - Configure Azure Audit capabilities | Manual, Disabled | 1.1.1 |
| Correlate audit records | CMA_0087 - Correlate audit records | Manual, Disabled | 1.1.0 |
| Dependency agent should be enabled for listed virtual machine images | Reports virtual machines as non-compliant if the virtual machine image is not in the list defined and the agent is not installed. The list of OS images is updated over time as support is updated. | AuditIfNotExists, Disabled | 2.0.0 |
| Dependency agent should be enabled in virtual machine scale sets for listed virtual machine images | Reports virtual machine scale sets as non-compliant if the virtual machine image is not in the list defined and the agent is not installed. The list of OS images is updated over time as support is updated. | AuditIfNotExists, Disabled | 2.0.0 |
| Determine auditable events | CMA_0137 - Determine auditable events | Manual, Disabled | 1.1.0 |
| Develop an incident response plan | CMA_0145 - Develop an incident response plan | Manual, Disabled | 1.1.0 |
| Discover any indicators of compromise | CMA_C1702 - Discover any indicators of compromise | Manual, Disabled | 1.1.0 |
| Document the legal basis for processing personal information | CMA_0206 - Document the legal basis for processing personal information | Manual, Disabled | 1.1.0 |
| Enforce and audit access restrictions | CMA_C1203 - Enforce and audit access restrictions | Manual, Disabled | 1.1.0 |
| Establish requirements for audit review and reporting | CMA_0277 - Establish requirements for audit review and reporting | Manual, Disabled | 1.1.0 |
| Implement methods for consumer requests | CMA_0319 - Implement methods for consumer requests | Manual, Disabled | 1.1.0 |
| Implement system boundary protection | CMA_0328 - Implement system boundary protection | Manual, Disabled | 1.1.0 |
| Integrate audit review, analysis, and reporting | CMA_0339 - Integrate audit review, analysis, and reporting | Manual, Disabled | 1.1.0 |
| Integrate cloud app security with a siem | CMA_0340 - Integrate cloud app security with a siem | Manual, Disabled | 1.1.0 |
| Log Analytics extension should be enabled in virtual machine scale sets for listed virtual machine images | Reports virtual machine scale sets as non-compliant if the virtual machine image is not in the list defined and the extension is not installed. | AuditIfNotExists, Disabled | 2.0.1 |
| Manage gateways | CMA_0363 - Manage gateways | Manual, Disabled | 1.1.0 |
| Manage system and admin accounts | CMA_0368 - Manage system and admin accounts | Manual, Disabled | 1.1.0 |
| Monitor access across the organization | CMA_0376 - Monitor access across the organization | Manual, Disabled | 1.1.0 |
| Monitor account activity | CMA_0377 - Monitor account activity | Manual, Disabled | 1.1.0 |
| Monitor privileged role assignment | CMA_0378 - Monitor privileged role assignment | Manual, Disabled | 1.1.0 |
| Notify when account is not needed | CMA_0383 - Notify when account is not needed | Manual, Disabled | 1.1.0 |
| Obtain legal opinion for monitoring system activities | CMA_C1688 - Obtain legal opinion for monitoring system activities | Manual, Disabled | 1.1.0 |
| Perform a trend analysis on threats | CMA_0389 - Perform a trend analysis on threats | Manual, Disabled | 1.1.0 |
| Provide monitoring information as needed | CMA_C1689 - Provide monitoring information as needed | Manual, Disabled | 1.1.0 |
| Publish access procedures in SORNs | CMA_C1848 - Publish access procedures in SORNs | Manual, Disabled | 1.1.0 |
| Publish rules and regulations accessing Privacy Act records | CMA_C1847 - Publish rules and regulations accessing Privacy Act records | Manual, Disabled | 1.1.0 |
| Restrict access to privileged accounts | CMA_0446 - Restrict access to privileged accounts | Manual, Disabled | 1.1.0 |
| Retain security policies and procedures | CMA_0454 - Retain security policies and procedures | Manual, Disabled | 1.1.0 |
| Retain terminated user data | CMA_0455 - Retain terminated user data | Manual, Disabled | 1.1.0 |
| Review account provisioning logs | CMA_0460 - Review account provisioning logs | Manual, Disabled | 1.1.0 |
| Review administrator assignments weekly | CMA_0461 - Review administrator assignments weekly | Manual, Disabled | 1.1.0 |
| Review and update the events defined in AU-02 | CMA_C1106 - Review and update the events defined in AU-02 | Manual, Disabled | 1.1.0 |
| Review audit data | CMA_0466 - Review audit data | Manual, Disabled | 1.1.0 |
| Review changes for any unauthorized changes | CMA_C1204 - Review changes for any unauthorized changes | Manual, Disabled | 1.1.0 |
| Review cloud identity report overview | CMA_0468 - Review cloud identity report overview | Manual, Disabled | 1.1.0 |
| Review controlled folder access events | CMA_0471 - Review controlled folder access events | Manual, Disabled | 1.1.0 |
| Review file and folder activity | CMA_0473 - Review file and folder activity | Manual, Disabled | 1.1.0 |
| Review role group changes weekly | CMA_0476 - Review role group changes weekly | Manual, Disabled | 1.1.0 |
| Revoke privileged roles as appropriate | CMA_0483 - Revoke privileged roles as appropriate | Manual, Disabled | 1.1.0 |
| Route traffic through managed network access points | CMA_0484 - Route traffic through managed network access points | Manual, Disabled | 1.1.0 |
| Set automated notifications for new and trending cloud applications in your organization | CMA_0495 - Set automated notifications for new and trending cloud applications in your organization | Manual, Disabled | 1.1.0 |
| Use privileged identity management | CMA_0533 - Use privileged identity management | Manual, Disabled | 1.1.0 |
Protection of log information
ID: ISO 27001:2013 A.12.4.2 Ownership: Shared
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Adhere to retention periods defined | CMA_0004 - Adhere to retention periods defined | Manual, Disabled | 1.1.0 |
| Define the duties of processors | CMA_0127 - Define the duties of processors | Manual, Disabled | 1.1.0 |
| Enable dual or joint authorization | CMA_0226 - Enable dual or joint authorization | Manual, Disabled | 1.1.0 |
| Perform disposition review | CMA_0391 - Perform disposition review | Manual, Disabled | 1.1.0 |
| Protect audit information | CMA_0401 - Protect audit information | Manual, Disabled | 1.1.0 |
| Record disclosures of PII to third parties | CMA_0422 - Record disclosures of PII to third parties | Manual, Disabled | 1.1.0 |
| Train staff on PII sharing and its consequences | CMA_C1871 - Train staff on PII sharing and its consequences | Manual, Disabled | 1.1.0 |
| Verify personal data is deleted at the end of processing | CMA_0540 - Verify personal data is deleted at the end of processing | Manual, Disabled | 1.1.0 |
Administrator and operator logs
ID: ISO 27001:2013 A.12.4.3 Ownership: Shared
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| [Preview]: Log Analytics Extension should be enabled for listed virtual machine images | Reports virtual machines as non-compliant if the virtual machine image is not in the list defined and the extension is not installed. | AuditIfNotExists, Disabled | 2.0.1-preview |
| Audit diagnostic setting for selected resource types | Audit diagnostic setting for selected resource types. Be sure to select only resource types which support diagnostics settings. | AuditIfNotExists | 2.0.1 |
| Audit privileged functions | CMA_0019 - Audit privileged functions | Manual, Disabled | 1.1.0 |
| Audit user account status | CMA_0020 - Audit user account status | Manual, Disabled | 1.1.0 |
| Auditing on SQL server should be enabled | Auditing on your SQL Server should be enabled to track database activities across all databases on the server and save them in an audit log. | AuditIfNotExists, Disabled | 2.0.0 |
| Authorize, monitor, and control voip | CMA_0025 - Authorize, monitor, and control voip | Manual, Disabled | 1.1.0 |
| Automate account management | CMA_0026 - Automate account management | Manual, Disabled | 1.1.0 |
| Check for privacy and security compliance before establishing internal connections | CMA_0053 - Check for privacy and security compliance before establishing internal connections | Manual, Disabled | 1.1.0 |
| Conduct a full text analysis of logged privileged commands | CMA_0056 - Conduct a full text analysis of logged privileged commands | Manual, Disabled | 1.1.0 |
| Dependency agent should be enabled for listed virtual machine images | Reports virtual machines as non-compliant if the virtual machine image is not in the list defined and the agent is not installed. The list of OS images is updated over time as support is updated. | AuditIfNotExists, Disabled | 2.0.0 |
| Dependency agent should be enabled in virtual machine scale sets for listed virtual machine images | Reports virtual machine scale sets as non-compliant if the virtual machine image is not in the list defined and the agent is not installed. The list of OS images is updated over time as support is updated. | AuditIfNotExists, Disabled | 2.0.0 |
| Determine auditable events | CMA_0137 - Determine auditable events | Manual, Disabled | 1.1.0 |
| Enable dual or joint authorization | CMA_0226 - Enable dual or joint authorization | Manual, Disabled | 1.1.0 |
| Implement system boundary protection | CMA_0328 - Implement system boundary protection | Manual, Disabled | 1.1.0 |
| Log Analytics extension should be enabled in virtual machine scale sets for listed virtual machine images | Reports virtual machine scale sets as non-compliant if the virtual machine image is not in the list defined and the extension is not installed. | AuditIfNotExists, Disabled | 2.0.1 |
| Manage gateways | CMA_0363 - Manage gateways | Manual, Disabled | 1.1.0 |
| Manage system and admin accounts | CMA_0368 - Manage system and admin accounts | Manual, Disabled | 1.1.0 |
| Monitor access across the organization | CMA_0376 - Monitor access across the organization | Manual, Disabled | 1.1.0 |
| Monitor account activity | CMA_0377 - Monitor account activity | Manual, Disabled | 1.1.0 |
| Monitor privileged role assignment | CMA_0378 - Monitor privileged role assignment | Manual, Disabled | 1.1.0 |
| Notify when account is not needed | CMA_0383 - Notify when account is not needed | Manual, Disabled | 1.1.0 |
| Obtain legal opinion for monitoring system activities | CMA_C1688 - Obtain legal opinion for monitoring system activities | Manual, Disabled | 1.1.0 |
| Protect audit information | CMA_0401 - Protect audit information | Manual, Disabled | 1.1.0 |
| Provide monitoring information as needed | CMA_C1689 - Provide monitoring information as needed | Manual, Disabled | 1.1.0 |
| Restrict access to privileged accounts | CMA_0446 - Restrict access to privileged accounts | Manual, Disabled | 1.1.0 |
| Review audit data | CMA_0466 - Review audit data | Manual, Disabled | 1.1.0 |
| Revoke privileged roles as appropriate | CMA_0483 - Revoke privileged roles as appropriate | Manual, Disabled | 1.1.0 |
| Route traffic through managed network access points | CMA_0484 - Route traffic through managed network access points | Manual, Disabled | 1.1.0 |
| Use privileged identity management | CMA_0533 - Use privileged identity management | Manual, Disabled | 1.1.0 |
Clock Synchronization
ID: ISO 27001:2013 A.12.4.4 Ownership: Shared
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| [Preview]: Log Analytics Extension should be enabled for listed virtual machine images | Reports virtual machines as non-compliant if the virtual machine image is not in the list defined and the extension is not installed. | AuditIfNotExists, Disabled | 2.0.1-preview |
| Audit diagnostic setting for selected resource types | Audit diagnostic setting for selected resource types. Be sure to select only resource types which support diagnostics settings. | AuditIfNotExists | 2.0.1 |
| Auditing on SQL server should be enabled | Auditing on your SQL Server should be enabled to track database activities across all databases on the server and save them in an audit log. | AuditIfNotExists, Disabled | 2.0.0 |
| Compile Audit records into system wide audit | CMA_C1140 - Compile Audit records into system wide audit | Manual, Disabled | 1.1.0 |
| Dependency agent should be enabled for listed virtual machine images | Reports virtual machines as non-compliant if the virtual machine image is not in the list defined and the agent is not installed. The list of OS images is updated over time as support is updated. | AuditIfNotExists, Disabled | 2.0.0 |
| Dependency agent should be enabled in virtual machine scale sets for listed virtual machine images | Reports virtual machine scale sets as non-compliant if the virtual machine image is not in the list defined and the agent is not installed. The list of OS images is updated over time as support is updated. | AuditIfNotExists, Disabled | 2.0.0 |
| Log Analytics extension should be enabled in virtual machine scale sets for listed virtual machine images | Reports virtual machine scale sets as non-compliant if the virtual machine image is not in the list defined and the extension is not installed. | AuditIfNotExists, Disabled | 2.0.1 |
| Use system clocks for audit records | CMA_0535 - Use system clocks for audit records | Manual, Disabled | 1.1.0 |
Installation of software on operational systems
ID: ISO 27001:2013 A.12.5.1 Ownership: Shared
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Adaptive application controls for defining safe applications should be enabled on your machines | Enable application controls to define the list of known-safe applications running on your machines, and alert you when other applications run. This helps harden your machines against malware. To simplify the process of configuring and maintaining your rules, Security Center uses machine learning to analyze the applications running on each machine and suggest the list of known-safe applications. | AuditIfNotExists, Disabled | 3.0.0 |
| Automate approval request for proposed changes | CMA_C1192 - Automate approval request for proposed changes | Manual, Disabled | 1.1.0 |
| Automate implementation of approved change notifications | CMA_C1196 - Automate implementation of approved change notifications | Manual, Disabled | 1.1.0 |
| Automate process to document implemented changes | CMA_C1195 - Automate process to document implemented changes | Manual, Disabled | 1.1.0 |
| Automate process to highlight unreviewed change proposals | CMA_C1193 - Automate process to highlight unreviewed change proposals | Manual, Disabled | 1.1.0 |
| Automate process to prohibit implementation of unapproved changes | CMA_C1194 - Automate process to prohibit implementation of unapproved changes | Manual, Disabled | 1.1.0 |
| Automate proposed documented changes | CMA_C1191 - Automate proposed documented changes | Manual, Disabled | 1.1.0 |
| Conduct a security impact analysis | CMA_0057 - Conduct a security impact analysis | Manual, Disabled | 1.1.0 |
| Develop and maintain a vulnerability management standard | CMA_0152 - Develop and maintain a vulnerability management standard | Manual, Disabled | 1.1.0 |
| Enforce security configuration settings | CMA_0249 - Enforce security configuration settings | Manual, Disabled | 1.1.0 |
| Establish a risk management strategy | CMA_0258 - Establish a risk management strategy | Manual, Disabled | 1.1.0 |
| Establish and document change control processes | CMA_0265 - Establish and document change control processes | Manual, Disabled | 1.1.0 |
| Establish configuration management requirements for developers | CMA_0270 - Establish configuration management requirements for developers | Manual, Disabled | 1.1.0 |
| Govern compliance of cloud service providers | CMA_0290 - Govern compliance of cloud service providers | Manual, Disabled | 1.1.0 |
| Perform a privacy impact assessment | CMA_0387 - Perform a privacy impact assessment | Manual, Disabled | 1.1.0 |
| Perform a risk assessment | CMA_0388 - Perform a risk assessment | Manual, Disabled | 1.1.0 |
| Perform audit for configuration change control | CMA_0390 - Perform audit for configuration change control | Manual, Disabled | 1.1.0 |
| Remediate information system flaws | CMA_0427 - Remediate information system flaws | Manual, Disabled | 1.1.0 |
| View and configure system diagnostic data | CMA_0544 - View and configure system diagnostic data | Manual, Disabled | 1.1.0 |
Management of technical vulnerabilities
ID: ISO 27001:2013 A.12.6.1 Ownership: Shared
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| A vulnerability assessment solution should be enabled on your virtual machines | Audits virtual machines to detect whether they are running a supported vulnerability assessment solution. A core component of every cyber risk and security program is the identification and analysis of vulnerabilities. Azure Security Center's standard pricing tier includes vulnerability scanning for your virtual machines at no extra cost. Additionally, Security Center can automatically deploy this tool for you. | AuditIfNotExists, Disabled | 3.0.0 |
| Conduct Risk Assessment | CMA_C1543 - Conduct Risk Assessment | Manual, Disabled | 1.1.0 |
| Conduct risk assessment and distribute its results | CMA_C1544 - Conduct risk assessment and distribute its results | Manual, Disabled | 1.1.0 |
| Conduct risk assessment and document its results | CMA_C1542 - Conduct risk assessment and document its results | Manual, Disabled | 1.1.0 |
| Incorporate flaw remediation into configuration management | CMA_C1671 - Incorporate flaw remediation into configuration management | Manual, Disabled | 1.1.0 |
| Monitor missing Endpoint Protection in Azure Security Center | Servers without an installed Endpoint Protection agent will be monitored by Azure Security Center as recommendations | AuditIfNotExists, Disabled | 3.0.0 |
| Perform a risk assessment | CMA_0388 - Perform a risk assessment | Manual, Disabled | 1.1.0 |
| Perform vulnerability scans | CMA_0393 - Perform vulnerability scans | Manual, Disabled | 1.1.0 |
| Remediate information system flaws | CMA_0427 - Remediate information system flaws | Manual, Disabled | 1.1.0 |
| Select additional testing for security control assessments | CMA_C1149 - Select additional testing for security control assessments | Manual, Disabled | 1.1.0 |
| SQL databases should have vulnerability findings resolved | Monitor vulnerability assessment scan results and recommendations for how to remediate database vulnerabilities. | AuditIfNotExists, Disabled | 4.1.0 |
| System updates should be installed on your machines | Missing security system updates on your servers will be monitored by Azure Security Center as recommendations | AuditIfNotExists, Disabled | 4.0.0 |
| Vulnerabilities in security configuration on your machines should be remediated | Servers which do not satisfy the configured baseline will be monitored by Azure Security Center as recommendations | AuditIfNotExists, Disabled | 3.1.0 |
Restrictions on software installation
ID: ISO 27001:2013 A.12.6.2 Ownership: Shared
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Adaptive application controls for defining safe applications should be enabled on your machines | Enable application controls to define the list of known-safe applications running on your machines, and alert you when other applications run. This helps harden your machines against malware. To simplify the process of configuring and maintaining your rules, Security Center uses machine learning to analyze the applications running on each machine and suggest the list of known-safe applications. | AuditIfNotExists, Disabled | 3.0.0 |
| Automate approval request for proposed changes | CMA_C1192 - Automate approval request for proposed changes | Manual, Disabled | 1.1.0 |
| Automate implementation of approved change notifications | CMA_C1196 - Automate implementation of approved change notifications | Manual, Disabled | 1.1.0 |
| Automate process to document implemented changes | CMA_C1195 - Automate process to document implemented changes | Manual, Disabled | 1.1.0 |
| Automate process to highlight unreviewed change proposals | CMA_C1193 - Automate process to highlight unreviewed change proposals | Manual, Disabled | 1.1.0 |
| Automate process to prohibit implementation of unapproved changes | CMA_C1194 - Automate process to prohibit implementation of unapproved changes | Manual, Disabled | 1.1.0 |
| Automate proposed documented changes | CMA_C1191 - Automate proposed documented changes | Manual, Disabled | 1.1.0 |
| Conduct a security impact analysis | CMA_0057 - Conduct a security impact analysis | Manual, Disabled | 1.1.0 |
| Develop and maintain a vulnerability management standard | CMA_0152 - Develop and maintain a vulnerability management standard | Manual, Disabled | 1.1.0 |
| Enforce security configuration settings | CMA_0249 - Enforce security configuration settings | Manual, Disabled | 1.1.0 |
| Establish a risk management strategy | CMA_0258 - Establish a risk management strategy | Manual, Disabled | 1.1.0 |
| Establish and document change control processes | CMA_0265 - Establish and document change control processes | Manual, Disabled | 1.1.0 |
| Establish configuration management requirements for developers | CMA_0270 - Establish configuration management requirements for developers | Manual, Disabled | 1.1.0 |
| Govern compliance of cloud service providers | CMA_0290 - Govern compliance of cloud service providers | Manual, Disabled | 1.1.0 |
| Perform a privacy impact assessment | CMA_0387 - Perform a privacy impact assessment | Manual, Disabled | 1.1.0 |
| Perform a risk assessment | CMA_0388 - Perform a risk assessment | Manual, Disabled | 1.1.0 |
| Perform audit for configuration change control | CMA_0390 - Perform audit for configuration change control | Manual, Disabled | 1.1.0 |
| Remediate information system flaws | CMA_0427 - Remediate information system flaws | Manual, Disabled | 1.1.0 |
| View and configure system diagnostic data | CMA_0544 - View and configure system diagnostic data | Manual, Disabled | 1.1.0 |
Information systems audit controls
ID: ISO 27001:2013 A.12.7.1 Ownership: Shared
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Employ independent team for penetration testing | CMA_C1171 - Employ independent team for penetration testing | Manual, Disabled | 1.1.0 |
Communications Security
Network controls
ID: ISO 27001:2013 A.13.1.1 Ownership: Shared
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Adopt biometric authentication mechanisms | CMA_0005 - Adopt biometric authentication mechanisms | Manual, Disabled | 1.1.0 |
| All network ports should be restricted on network security groups associated to your virtual machine | Azure Security Center has identified some of your network security groups' inbound rules to be too permissive. Inbound rules should not allow access from 'Any' or 'Internet' ranges. This can potentially enable attackers to target your resources. | AuditIfNotExists, Disabled | 3.0.0 |
| Authorize access to security functions and information | CMA_0022 - Authorize access to security functions and information | Manual, Disabled | 1.1.0 |
| Authorize and manage access | CMA_0023 - Authorize and manage access | Manual, Disabled | 1.1.0 |
| Authorize remote access | CMA_0024 - Authorize remote access | Manual, Disabled | 1.1.0 |
| Configure workstations to check for digital certificates | CMA_0073 - Configure workstations to check for digital certificates | Manual, Disabled | 1.1.0 |
| Control information flow | CMA_0079 - Control information flow | Manual, Disabled | 1.1.0 |
| Document and implement wireless access guidelines | CMA_0190 - Document and implement wireless access guidelines | Manual, Disabled | 1.1.0 |
| Document mobility training | CMA_0191 - Document mobility training | Manual, Disabled | 1.1.0 |
| Document remote access guidelines | CMA_0196 - Document remote access guidelines | Manual, Disabled | 1.1.0 |
| Employ boundary protection to isolate information systems | CMA_C1639 - Employ boundary protection to isolate information systems | Manual, Disabled | 1.1.0 |
| Enforce logical access | CMA_0245 - Enforce logical access | Manual, Disabled | 1.1.0 |
| Enforce mandatory and discretionary access control policies | CMA_0246 - Enforce mandatory and discretionary access control policies | Manual, Disabled | 1.1.0 |
| Establish firewall and router configuration standards | CMA_0272 - Establish firewall and router configuration standards | Manual, Disabled | 1.1.0 |
| Establish network segmentation for card holder data environment | CMA_0273 - Establish network segmentation for card holder data environment | Manual, Disabled | 1.1.0 |
| Establish terms and conditions for accessing resources | CMA_C1076 - Establish terms and conditions for accessing resources | Manual, Disabled | 1.1.0 |
| Establish terms and conditions for processing resources | CMA_C1077 - Establish terms and conditions for processing resources | Manual, Disabled | 1.1.0 |
| Identify and authenticate network devices | CMA_0296 - Identify and authenticate network devices | Manual, Disabled | 1.1.0 |
| Identify and manage downstream information exchanges | CMA_0298 - Identify and manage downstream information exchanges | Manual, Disabled | 1.1.0 |
| Implement a fault tolerant name/address service | CMA_0305 - Implement a fault tolerant name/address service | Manual, Disabled | 1.1.0 |
| Implement controls to secure alternate work sites | CMA_0315 - Implement controls to secure alternate work sites | Manual, Disabled | 1.1.0 |
| Implement managed interface for each external service | CMA_C1626 - Implement managed interface for each external service | Manual, Disabled | 1.1.0 |
| Implement system boundary protection | CMA_0328 - Implement system boundary protection | Manual, Disabled | 1.1.0 |
| Monitor access across the organization | CMA_0376 - Monitor access across the organization | Manual, Disabled | 1.1.0 |
| Notify users of system logon or access | CMA_0382 - Notify users of system logon or access | Manual, Disabled | 1.1.0 |
| Prevent split tunneling for remote devices | CMA_C1632 - Prevent split tunneling for remote devices | Manual, Disabled | 1.1.0 |
| Produce, control and distribute asymmetric cryptographic keys | CMA_C1646 - Produce, control and distribute asymmetric cryptographic keys | Manual, Disabled | 1.1.0 |
| Protect data in transit using encryption | CMA_0403 - Protect data in transit using encryption | Manual, Disabled | 1.1.0 |
| Protect passwords with encryption | CMA_0408 - Protect passwords with encryption | Manual, Disabled | 1.1.0 |
| Protect wireless access | CMA_0411 - Protect wireless access | Manual, Disabled | 1.1.0 |
| Provide privacy training | CMA_0415 - Provide privacy training | Manual, Disabled | 1.1.0 |
| Provide secure name and address resolution services | CMA_0416 - Provide secure name and address resolution services | Manual, Disabled | 1.1.0 |
| Reauthenticate or terminate a user session | CMA_0421 - Reauthenticate or terminate a user session | Manual, Disabled | 1.1.0 |
| Require approval for account creation | CMA_0431 - Require approval for account creation | Manual, Disabled | 1.1.0 |
| Review user groups and applications with access to sensitive data | CMA_0481 - Review user groups and applications with access to sensitive data | Manual, Disabled | 1.1.0 |
| Secure the interface to external systems | CMA_0491 - Secure the interface to external systems | Manual, Disabled | 1.1.0 |
| Separate user and information system management functionality | CMA_0493 - Separate user and information system management functionality | Manual, Disabled | 1.1.0 |
| Storage accounts should restrict network access | Network access to storage accounts should be restricted. Configure network rules so only applications from allowed networks can access the storage account. To allow connections from specific internet or on-premises clients, access can be granted to traffic from specific Azure virtual networks or to public internet IP address ranges | Audit, Deny, Disabled | 1.1.1 |
| Use dedicated machines for administrative tasks | CMA_0527 - Use dedicated machines for administrative tasks | Manual, Disabled | 1.1.0 |
| Verify security controls for external information systems | CMA_0541 - Verify security controls for external information systems | Manual, Disabled | 1.1.0 |
Security of network services
ID: ISO 27001:2013 A.13.1.2 Ownership: Shared
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Adopt biometric authentication mechanisms | CMA_0005 - Adopt biometric authentication mechanisms | Manual, Disabled | 1.1.0 |
| Control information flow | CMA_0079 - Control information flow | Manual, Disabled | 1.1.0 |
| Define and document government oversight | CMA_C1587 - Define and document government oversight | Manual, Disabled | 1.1.0 |
| Establish electronic signature and certificate requirements | CMA_0271 - Establish electronic signature and certificate requirements | Manual, Disabled | 1.1.0 |
| Establish firewall and router configuration standards | CMA_0272 - Establish firewall and router configuration standards | Manual, Disabled | 1.1.0 |
| Establish network segmentation for card holder data environment | CMA_0273 - Establish network segmentation for card holder data environment | Manual, Disabled | 1.1.0 |
| Identify and manage downstream information exchanges | CMA_0298 - Identify and manage downstream information exchanges | Manual, Disabled | 1.1.0 |
| Implement system boundary protection | CMA_0328 - Implement system boundary protection | Manual, Disabled | 1.1.0 |
| Prevent split tunneling for remote devices | CMA_C1632 - Prevent split tunneling for remote devices | Manual, Disabled | 1.1.0 |
| Require external service providers to comply with security requirements | CMA_C1586 - Require external service providers to comply with security requirements | Manual, Disabled | 1.1.0 |
| Require interconnection security agreements | CMA_C1151 - Require interconnection security agreements | Manual, Disabled | 1.1.0 |
| Review cloud service provider's compliance with policies and agreements | CMA_0469 - Review cloud service provider's compliance with policies and agreements | Manual, Disabled | 1.1.0 |
| Route traffic through managed network access points | CMA_0484 - Route traffic through managed network access points | Manual, Disabled | 1.1.0 |
| Secure the interface to external systems | CMA_0491 - Secure the interface to external systems | Manual, Disabled | 1.1.0 |
| Undergo independent security review | CMA_0515 - Undergo independent security review | Manual, Disabled | 1.1.0 |
| Update interconnection security agreements | CMA_0519 - Update interconnection security agreements | Manual, Disabled | 1.1.0 |
Segregation of networks
ID: ISO 27001:2013 A.13.1.3 Ownership: Shared
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Authorize remote access | CMA_0024 - Authorize remote access | Manual, Disabled | 1.1.0 |
| Configure workstations to check for digital certificates | CMA_0073 - Configure workstations to check for digital certificates | Manual, Disabled | 1.1.0 |
| Control information flow | CMA_0079 - Control information flow | Manual, Disabled | 1.1.0 |
| Employ boundary protection to isolate information systems | CMA_C1639 - Employ boundary protection to isolate information systems | Manual, Disabled | 1.1.0 |
| Employ flow control mechanisms of encrypted information | CMA_0211 - Employ flow control mechanisms of encrypted information | Manual, Disabled | 1.1.0 |
| Establish firewall and router configuration standards | CMA_0272 - Establish firewall and router configuration standards | Manual, Disabled | 1.1.0 |
| Establish network segmentation for card holder data environment | CMA_0273 - Establish network segmentation for card holder data environment | Manual, Disabled | 1.1.0 |
| Identify and manage downstream information exchanges | CMA_0298 - Identify and manage downstream information exchanges | Manual, Disabled | 1.1.0 |
| Implement a fault tolerant name/address service | CMA_0305 - Implement a fault tolerant name/address service | Manual, Disabled | 1.1.0 |
| Implement managed interface for each external service | CMA_C1626 - Implement managed interface for each external service | Manual, Disabled | 1.1.0 |
| Implement system boundary protection | CMA_0328 - Implement system boundary protection | Manual, Disabled | 1.1.0 |
| Information flow control using security policy filters | CMA_C1029 - Information flow control using security policy filters | Manual, Disabled | 1.1.0 |
| Prevent split tunneling for remote devices | CMA_C1632 - Prevent split tunneling for remote devices | Manual, Disabled | 1.1.0 |
| Provide secure name and address resolution services | CMA_0416 - Provide secure name and address resolution services | Manual, Disabled | 1.1.0 |
| Secure the interface to external systems | CMA_0491 - Secure the interface to external systems | Manual, Disabled | 1.1.0 |
| Separate user and information system management functionality | CMA_0493 - Separate user and information system management functionality | Manual, Disabled | 1.1.0 |
| Use dedicated machines for administrative tasks | CMA_0527 - Use dedicated machines for administrative tasks | Manual, Disabled | 1.1.0 |
Information transfer policies and procedures
ID: ISO 27001:2013 A.13.2.1 Ownership: Shared
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Authorize remote access | CMA_0024 - Authorize remote access | Manual, Disabled | 1.1.0 |
| Configure workstations to check for digital certificates | CMA_0073 - Configure workstations to check for digital certificates | Manual, Disabled | 1.1.0 |
| Control information flow | CMA_0079 - Control information flow | Manual, Disabled | 1.1.0 |
| Define mobile device requirements | CMA_0122 - Define mobile device requirements | Manual, Disabled | 1.1.0 |
| Document and implement wireless access guidelines | CMA_0190 - Document and implement wireless access guidelines | Manual, Disabled | 1.1.0 |
| Document mobility training | CMA_0191 - Document mobility training | Manual, Disabled | 1.1.0 |
| Document remote access guidelines | CMA_0196 - Document remote access guidelines | Manual, Disabled | 1.1.0 |
| Employ flow control mechanisms of encrypted information | CMA_0211 - Employ flow control mechanisms of encrypted information | Manual, Disabled | 1.1.0 |
| Establish firewall and router configuration standards | CMA_0272 - Establish firewall and router configuration standards | Manual, Disabled | 1.1.0 |
| Establish network segmentation for card holder data environment | CMA_0273 - Establish network segmentation for card holder data environment | Manual, Disabled | 1.1.0 |
| Establish terms and conditions for accessing resources | CMA_C1076 - Establish terms and conditions for accessing resources | Manual, Disabled | 1.1.0 |
| Establish terms and conditions for processing resources | CMA_C1077 - Establish terms and conditions for processing resources | Manual, Disabled | 1.1.0 |
| Explicitly notify use of collaborative computing devices | CMA_C1649 - Explicitly notify use of collaborative computing devices | Manual, Disabled | 1.1.1 |
| Identify and manage downstream information exchanges | CMA_0298 - Identify and manage downstream information exchanges | Manual, Disabled | 1.1.0 |
| Implement a fault tolerant name/address service | CMA_0305 - Implement a fault tolerant name/address service | Manual, Disabled | 1.1.0 |
| Implement controls to secure alternate work sites | CMA_0315 - Implement controls to secure alternate work sites | Manual, Disabled | 1.1.0 |
| Implement managed interface for each external service | CMA_C1626 - Implement managed interface for each external service | Manual, Disabled | 1.1.0 |
| Implement system boundary protection | CMA_0328 - Implement system boundary protection | Manual, Disabled | 1.1.0 |
| Information flow control using security policy filters | CMA_C1029 - Information flow control using security policy filters | Manual, Disabled | 1.1.0 |
| Only secure connections to your Azure Cache for Redis should be enabled | Audit enabling of only connections via SSL to Azure Cache for Redis. Use of secure connections ensures authentication between the server and the service and protects data in transit from network layer attacks such as man-in-the-middle, eavesdropping, and session-hijacking | Audit, Deny, Disabled | 1.0.0 |
| Produce, control and distribute asymmetric cryptographic keys | CMA_C1646 - Produce, control and distribute asymmetric cryptographic keys | Manual, Disabled | 1.1.0 |
| Prohibit remote activation of collaborative computing devices | CMA_C1648 - Prohibit remote activation of collaborative computing devices | Manual, Disabled | 1.1.0 |
| Protect data in transit using encryption | CMA_0403 - Protect data in transit using encryption | Manual, Disabled | 1.1.0 |
| Protect passwords with encryption | CMA_0408 - Protect passwords with encryption | Manual, Disabled | 1.1.0 |
| Protect wireless access | CMA_0411 - Protect wireless access | Manual, Disabled | 1.1.0 |
| Provide privacy training | CMA_0415 - Provide privacy training | Manual, Disabled | 1.1.0 |
| Provide secure name and address resolution services | CMA_0416 - Provide secure name and address resolution services | Manual, Disabled | 1.1.0 |
| Require interconnection security agreements | CMA_C1151 - Require interconnection security agreements | Manual, Disabled | 1.1.0 |
| Secure the interface to external systems | CMA_0491 - Secure the interface to external systems | Manual, Disabled | 1.1.0 |
| Secure transfer to storage accounts should be enabled | Audit requirement of Secure transfer in your storage account. Secure transfer is an option that forces your storage account to accept requests only from secure connections (HTTPS). Use of HTTPS ensures authentication between the server and the service and protects data in transit from network layer attacks such as man-in-the-middle, eavesdropping, and session-hijacking | Audit, Deny, Disabled | 2.0.0 |
| Update interconnection security agreements | CMA_0519 - Update interconnection security agreements | Manual, Disabled | 1.1.0 |
| Verify security controls for external information systems | CMA_0541 - Verify security controls for external information systems | Manual, Disabled | 1.1.0 |
Agreements on information transfer
ID: ISO 27001:2013 A.13.2.2 Ownership: Shared
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Define and document government oversight | CMA_C1587 - Define and document government oversight | Manual, Disabled | 1.1.0 |
| Document personnel acceptance of privacy requirements | CMA_0193 - Document personnel acceptance of privacy requirements | Manual, Disabled | 1.1.0 |
| Identify external service providers | CMA_C1591 - Identify external service providers | Manual, Disabled | 1.1.0 |
| Implement privacy notice delivery methods | CMA_0324 - Implement privacy notice delivery methods | Manual, Disabled | 1.1.0 |
| Obtain consent prior to collection or processing of personal data | CMA_0385 - Obtain consent prior to collection or processing of personal data | Manual, Disabled | 1.1.0 |
| Provide privacy notice | CMA_0414 - Provide privacy notice | Manual, Disabled | 1.1.0 |
| Require external service providers to comply with security requirements | CMA_C1586 - Require external service providers to comply with security requirements | Manual, Disabled | 1.1.0 |
| Require interconnection security agreements | CMA_C1151 - Require interconnection security agreements | Manual, Disabled | 1.1.0 |
| Review cloud service provider's compliance with policies and agreements | CMA_0469 - Review cloud service provider's compliance with policies and agreements | Manual, Disabled | 1.1.0 |
| Undergo independent security review | CMA_0515 - Undergo independent security review | Manual, Disabled | 1.1.0 |
| Update interconnection security agreements | CMA_0519 - Update interconnection security agreements | Manual, Disabled | 1.1.0 |
Electronic messaging
ID: ISO 27001:2013 A.13.2.3 Ownership: Shared
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Configure workstations to check for digital certificates | CMA_0073 - Configure workstations to check for digital certificates | Manual, Disabled | 1.1.0 |
| Control information flow | CMA_0079 - Control information flow | Manual, Disabled | 1.1.0 |
| Establish firewall and router configuration standards | CMA_0272 - Establish firewall and router configuration standards | Manual, Disabled | 1.1.0 |
| Establish network segmentation for card holder data environment | CMA_0273 - Establish network segmentation for card holder data environment | Manual, Disabled | 1.1.0 |
| Identify and manage downstream information exchanges | CMA_0298 - Identify and manage downstream information exchanges | Manual, Disabled | 1.1.0 |
| Implement a fault tolerant name/address service | CMA_0305 - Implement a fault tolerant name/address service | Manual, Disabled | 1.1.0 |
| Produce, control and distribute asymmetric cryptographic keys | CMA_C1646 - Produce, control and distribute asymmetric cryptographic keys | Manual, Disabled | 1.1.0 |
| Protect data in transit using encryption | CMA_0403 - Protect data in transit using encryption | Manual, Disabled | 1.1.0 |
| Protect passwords with encryption | CMA_0408 - Protect passwords with encryption | Manual, Disabled | 1.1.0 |
| Provide secure name and address resolution services | CMA_0416 - Provide secure name and address resolution services | Manual, Disabled | 1.1.0 |
Confidentiality or non-disclosure agreements
ID: ISO 27001:2013 A.13.2.4 Ownership: Shared
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Develop acceptable use policies and procedures | CMA_0143 - Develop acceptable use policies and procedures | Manual, Disabled | 1.1.0 |
| Develop organization code of conduct policy | CMA_0159 - Develop organization code of conduct policy | Manual, Disabled | 1.1.0 |
| Develop security safeguards | CMA_0161 - Develop security safeguards | Manual, Disabled | 1.1.0 |
| Document organizational access agreements | CMA_0192 - Document organizational access agreements | Manual, Disabled | 1.1.0 |
| Document personnel acceptance of privacy requirements | CMA_0193 - Document personnel acceptance of privacy requirements | Manual, Disabled | 1.1.0 |
| Enforce rules of behavior and access agreements | CMA_0248 - Enforce rules of behavior and access agreements | Manual, Disabled | 1.1.0 |
| Ensure access agreements are signed or resigned timely | CMA_C1528 - Ensure access agreements are signed or resigned timely | Manual, Disabled | 1.1.0 |
| Prohibit unfair practices | CMA_0396 - Prohibit unfair practices | Manual, Disabled | 1.1.0 |
| Require users to sign access agreement | CMA_0440 - Require users to sign access agreement | Manual, Disabled | 1.1.0 |
| Review and sign revised rules of behavior | CMA_0465 - Review and sign revised rules of behavior | Manual, Disabled | 1.1.0 |
| Update information security policies | CMA_0518 - Update information security policies | Manual, Disabled | 1.1.0 |
| Update organizational access agreements | CMA_0520 - Update organizational access agreements | Manual, Disabled | 1.1.0 |
| Update rules of behavior and access agreements | CMA_0521 - Update rules of behavior and access agreements | Manual, Disabled | 1.1.0 |
| Update rules of behavior and access agreements every 3 years | CMA_0522 - Update rules of behavior and access agreements every 3 years | Manual, Disabled | 1.1.0 |
System Acquisition, Development And Maintenance
Information security requirements analysis and specification
ID: ISO 27001:2013 A.14.1.1 Ownership: Shared
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Define information security roles and responsibilities | CMA_C1565 - Define information security roles and responsibilities | Manual, Disabled | 1.1.0 |
| Determine supplier contract obligations | CMA_0140 - Determine supplier contract obligations | Manual, Disabled | 1.1.0 |
| Develop a concept of operations (CONOPS) | CMA_0141 - Develop a concept of operations (CONOPS) | Manual, Disabled | 1.1.0 |
| Develop and establish a system security plan | CMA_0151 - Develop and establish a system security plan | Manual, Disabled | 1.1.0 |
| Develop information security policies and procedures | CMA_0158 - Develop information security policies and procedures | Manual, Disabled | 1.1.0 |
| Develop SSP that meets criteria | CMA_C1492 - Develop SSP that meets criteria | Manual, Disabled | 1.1.0 |
| Document acquisition contract acceptance criteria | CMA_0187 - Document acquisition contract acceptance criteria | Manual, Disabled | 1.1.0 |
| Document protection of personal data in acquisition contracts | CMA_0194 - Document protection of personal data in acquisition contracts | Manual, Disabled | 1.1.0 |
| Document protection of security information in acquisition contracts | CMA_0195 - Document protection of security information in acquisition contracts | Manual, Disabled | 1.1.0 |
| Document requirements for the use of shared data in contracts | CMA_0197 - Document requirements for the use of shared data in contracts | Manual, Disabled | 1.1.0 |
| Document security assurance requirements in acquisition contracts | CMA_0199 - Document security assurance requirements in acquisition contracts | Manual, Disabled | 1.1.0 |
| Document security documentation requirements in acquisition contract | CMA_0200 - Document security documentation requirements in acquisition contract | Manual, Disabled | 1.1.0 |
| Document security functional requirements in acquisition contracts | CMA_0201 - Document security functional requirements in acquisition contracts | Manual, Disabled | 1.1.0 |
| Document security strength requirements in acquisition contracts | CMA_0203 - Document security strength requirements in acquisition contracts | Manual, Disabled | 1.1.0 |
| Document the information system environment in acquisition contracts | CMA_0205 - Document the information system environment in acquisition contracts | Manual, Disabled | 1.1.0 |
| Document the protection of cardholder data in third party contracts | CMA_0207 - Document the protection of cardholder data in third party contracts | Manual, Disabled | 1.1.0 |
| Establish a privacy program | CMA_0257 - Establish a privacy program | Manual, Disabled | 1.1.0 |
| Establish security requirements for the manufacturing of connected devices | CMA_0279 - Establish security requirements for the manufacturing of connected devices | Manual, Disabled | 1.1.0 |
| Identify external service providers | CMA_C1591 - Identify external service providers | Manual, Disabled | 1.1.0 |
| Identify individuals with security roles and responsibilities | CMA_C1566 - Identify individuals with security roles and responsibilities | Manual, Disabled | 1.1.1 |
| Implement security engineering principles of information systems | CMA_0325 - Implement security engineering principles of information systems | Manual, Disabled | 1.1.0 |
| Integrate risk management process into SDLC | CMA_C1567 - Integrate risk management process into SDLC | Manual, Disabled | 1.1.0 |
| Review and update the information security architecture | CMA_C1504 - Review and update the information security architecture | Manual, Disabled | 1.1.0 |
| Review development process, standards and tools | CMA_C1610 - Review development process, standards and tools | Manual, Disabled | 1.1.0 |
Securing application services on public networks
ID: ISO 27001:2013 A.14.1.2 Ownership: Shared
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Adopt biometric authentication mechanisms | CMA_0005 - Adopt biometric authentication mechanisms | Manual, Disabled | 1.1.0 |
| Authorize access to security functions and information | CMA_0022 - Authorize access to security functions and information | Manual, Disabled | 1.1.0 |
| Authorize and manage access | CMA_0023 - Authorize and manage access | Manual, Disabled | 1.1.0 |
| Authorize remote access | CMA_0024 - Authorize remote access | Manual, Disabled | 1.1.0 |
| Configure workstations to check for digital certificates | CMA_0073 - Configure workstations to check for digital certificates | Manual, Disabled | 1.1.0 |
| Control information flow | CMA_0079 - Control information flow | Manual, Disabled | 1.1.0 |
| Define cryptographic use | CMA_0120 - Define cryptographic use | Manual, Disabled | 1.1.0 |
| Document mobility training | CMA_0191 - Document mobility training | Manual, Disabled | 1.1.0 |
| Document remote access guidelines | CMA_0196 - Document remote access guidelines | Manual, Disabled | 1.1.0 |
| Employ flow control mechanisms of encrypted information | CMA_0211 - Employ flow control mechanisms of encrypted information | Manual, Disabled | 1.1.0 |
| Enforce logical access | CMA_0245 - Enforce logical access | Manual, Disabled | 1.1.0 |
| Enforce mandatory and discretionary access control policies | CMA_0246 - Enforce mandatory and discretionary access control policies | Manual, Disabled | 1.1.0 |
| Enforce user uniqueness | CMA_0250 - Enforce user uniqueness | Manual, Disabled | 1.1.0 |
| Establish firewall and router configuration standards | CMA_0272 - Establish firewall and router configuration standards | Manual, Disabled | 1.1.0 |
| Establish network segmentation for card holder data environment | CMA_0273 - Establish network segmentation for card holder data environment | Manual, Disabled | 1.1.0 |
| Identify and authenticate network devices | CMA_0296 - Identify and authenticate network devices | Manual, Disabled | 1.1.0 |
| Identify and authenticate non-organizational users | CMA_C1346 - Identify and authenticate non-organizational users | Manual, Disabled | 1.1.0 |
| Identify and manage downstream information exchanges | CMA_0298 - Identify and manage downstream information exchanges | Manual, Disabled | 1.1.0 |
| Implement a fault tolerant name/address service | CMA_0305 - Implement a fault tolerant name/address service | Manual, Disabled | 1.1.0 |
| Implement controls to secure all media | CMA_0314 - Implement controls to secure all media | Manual, Disabled | 1.1.0 |
| Implement controls to secure alternate work sites | CMA_0315 - Implement controls to secure alternate work sites | Manual, Disabled | 1.1.0 |
| Information flow control using security policy filters | CMA_C1029 - Information flow control using security policy filters | Manual, Disabled | 1.1.0 |
| Monitor access across the organization | CMA_0376 - Monitor access across the organization | Manual, Disabled | 1.1.0 |
| Notify users of system logon or access | CMA_0382 - Notify users of system logon or access | Manual, Disabled | 1.1.0 |
| Produce, control and distribute asymmetric cryptographic keys | CMA_C1646 - Produce, control and distribute asymmetric cryptographic keys | Manual, Disabled | 1.1.0 |
| Protect data in transit using encryption | CMA_0403 - Protect data in transit using encryption | Manual, Disabled | 1.1.0 |
| Protect passwords with encryption | CMA_0408 - Protect passwords with encryption | Manual, Disabled | 1.1.0 |
| Provide privacy training | CMA_0415 - Provide privacy training | Manual, Disabled | 1.1.0 |
| Provide secure name and address resolution services | CMA_0416 - Provide secure name and address resolution services | Manual, Disabled | 1.1.0 |
| Require approval for account creation | CMA_0431 - Require approval for account creation | Manual, Disabled | 1.1.0 |
| Review user groups and applications with access to sensitive data | CMA_0481 - Review user groups and applications with access to sensitive data | Manual, Disabled | 1.1.0 |
| Support personal verification credentials issued by legal authorities | CMA_0507 - Support personal verification credentials issued by legal authorities | Manual, Disabled | 1.1.0 |
Protecting application services transactions
ID: ISO 27001:2013 A.14.1.3 Ownership: Shared
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Authorize access to security functions and information | CMA_0022 - Authorize access to security functions and information | Manual, Disabled | 1.1.0 |
| Authorize and manage access | CMA_0023 - Authorize and manage access | Manual, Disabled | 1.1.0 |
| Authorize remote access | CMA_0024 - Authorize remote access | Manual, Disabled | 1.1.0 |
| Configure workstations to check for digital certificates | CMA_0073 - Configure workstations to check for digital certificates | Manual, Disabled | 1.1.0 |
| Control information flow | CMA_0079 - Control information flow | Manual, Disabled | 1.1.0 |
| Define cryptographic use | CMA_0120 - Define cryptographic use | Manual, Disabled | 1.1.0 |
| Employ boundary protection to isolate information systems | CMA_C1639 - Employ boundary protection to isolate information systems | Manual, Disabled | 1.1.0 |
| Employ flow control mechanisms of encrypted information | CMA_0211 - Employ flow control mechanisms of encrypted information | Manual, Disabled | 1.1.0 |
| Enforce logical access | CMA_0245 - Enforce logical access | Manual, Disabled | 1.1.0 |
| Enforce mandatory and discretionary access control policies | CMA_0246 - Enforce mandatory and discretionary access control policies | Manual, Disabled | 1.1.0 |
| Enforce user uniqueness | CMA_0250 - Enforce user uniqueness | Manual, Disabled | 1.1.0 |
| Establish firewall and router configuration standards | CMA_0272 - Establish firewall and router configuration standards | Manual, Disabled | 1.1.0 |
| Establish network segmentation for card holder data environment | CMA_0273 - Establish network segmentation for card holder data environment | Manual, Disabled | 1.1.0 |
| Identify and authenticate non-organizational users | CMA_C1346 - Identify and authenticate non-organizational users | Manual, Disabled | 1.1.0 |
| Identify and manage downstream information exchanges | CMA_0298 - Identify and manage downstream information exchanges | Manual, Disabled | 1.1.0 |
| Implement a fault tolerant name/address service | CMA_0305 - Implement a fault tolerant name/address service | Manual, Disabled | 1.1.0 |
| Implement system boundary protection | CMA_0328 - Implement system boundary protection | Manual, Disabled | 1.1.0 |
| Information flow control using security policy filters | CMA_C1029 - Information flow control using security policy filters | Manual, Disabled | 1.1.0 |
| Prevent split tunneling for remote devices | CMA_C1632 - Prevent split tunneling for remote devices | Manual, Disabled | 1.1.0 |
| Produce, control and distribute asymmetric cryptographic keys | CMA_C1646 - Produce, control and distribute asymmetric cryptographic keys | Manual, Disabled | 1.1.0 |
| Protect data in transit using encryption | CMA_0403 - Protect data in transit using encryption | Manual, Disabled | 1.1.0 |
| Protect passwords with encryption | CMA_0408 - Protect passwords with encryption | Manual, Disabled | 1.1.0 |
| Provide secure name and address resolution services | CMA_0416 - Provide secure name and address resolution services | Manual, Disabled | 1.1.0 |
| Require approval for account creation | CMA_0431 - Require approval for account creation | Manual, Disabled | 1.1.0 |
| Review user groups and applications with access to sensitive data | CMA_0481 - Review user groups and applications with access to sensitive data | Manual, Disabled | 1.1.0 |
| Secure the interface to external systems | CMA_0491 - Secure the interface to external systems | Manual, Disabled | 1.1.0 |
| Separate user and information system management functionality | CMA_0493 - Separate user and information system management functionality | Manual, Disabled | 1.1.0 |
| Support personal verification credentials issued by legal authorities | CMA_0507 - Support personal verification credentials issued by legal authorities | Manual, Disabled | 1.1.0 |
| Use dedicated machines for administrative tasks | CMA_0527 - Use dedicated machines for administrative tasks | Manual, Disabled | 1.1.0 |
Secure development policy
ID: ISO 27001:2013 A.14.2.1 Ownership: Shared
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Define information security roles and responsibilities | CMA_C1565 - Define information security roles and responsibilities | Manual, Disabled | 1.1.0 |
| Identify individuals with security roles and responsibilities | CMA_C1566 - Identify individuals with security roles and responsibilities | Manual, Disabled | 1.1.1 |
| Integrate risk management process into SDLC | CMA_C1567 - Integrate risk management process into SDLC | Manual, Disabled | 1.1.0 |
| Require developers to build security architecture | CMA_C1612 - Require developers to build security architecture | Manual, Disabled | 1.1.0 |
| Require developers to describe accurate security functionality | CMA_C1613 - Require developers to describe accurate security functionality | Manual, Disabled | 1.1.0 |
| Require developers to provide unified security protection approach | CMA_C1614 - Require developers to provide unified security protection approach | Manual, Disabled | 1.1.0 |
| Review development process, standards and tools | CMA_C1610 - Review development process, standards and tools | Manual, Disabled | 1.1.0 |
System change control procedures
ID: ISO 27001:2013 A.14.2.2 Ownership: Shared
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Address coding vulnerabilities | CMA_0003 - Address coding vulnerabilities | Manual, Disabled | 1.1.0 |
| Automate approval request for proposed changes | CMA_C1192 - Automate approval request for proposed changes | Manual, Disabled | 1.1.0 |
| Automate implementation of approved change notifications | CMA_C1196 - Automate implementation of approved change notifications | Manual, Disabled | 1.1.0 |
| Automate process to document implemented changes | CMA_C1195 - Automate process to document implemented changes | Manual, Disabled | 1.1.0 |
| Automate process to highlight unreviewed change proposals | CMA_C1193 - Automate process to highlight unreviewed change proposals | Manual, Disabled | 1.1.0 |
| Automate process to prohibit implementation of unapproved changes | CMA_C1194 - Automate process to prohibit implementation of unapproved changes | Manual, Disabled | 1.1.0 |
| Automate proposed documented changes | CMA_C1191 - Automate proposed documented changes | Manual, Disabled | 1.1.0 |
| Conduct a security impact analysis | CMA_0057 - Conduct a security impact analysis | Manual, Disabled | 1.1.0 |
| Develop and document application security requirements | CMA_0148 - Develop and document application security requirements | Manual, Disabled | 1.1.0 |
| Develop and maintain a vulnerability management standard | CMA_0152 - Develop and maintain a vulnerability management standard | Manual, Disabled | 1.1.0 |
| Document the information system environment in acquisition contracts | CMA_0205 - Document the information system environment in acquisition contracts | Manual, Disabled | 1.1.0 |
| Enforce security configuration settings | CMA_0249 - Enforce security configuration settings | Manual, Disabled | 1.1.0 |
| Establish a risk management strategy | CMA_0258 - Establish a risk management strategy | Manual, Disabled | 1.1.0 |
| Establish a secure software development program | CMA_0259 - Establish a secure software development program | Manual, Disabled | 1.1.0 |
| Establish and document change control processes | CMA_0265 - Establish and document change control processes | Manual, Disabled | 1.1.0 |
| Establish configuration management requirements for developers | CMA_0270 - Establish configuration management requirements for developers | Manual, Disabled | 1.1.0 |
| Incorporate flaw remediation into configuration management | CMA_C1671 - Incorporate flaw remediation into configuration management | Manual, Disabled | 1.1.0 |
| Perform a privacy impact assessment | CMA_0387 - Perform a privacy impact assessment | Manual, Disabled | 1.1.0 |
| Perform a risk assessment | CMA_0388 - Perform a risk assessment | Manual, Disabled | 1.1.0 |
| Perform audit for configuration change control | CMA_0390 - Perform audit for configuration change control | Manual, Disabled | 1.1.0 |
| Perform vulnerability scans | CMA_0393 - Perform vulnerability scans | Manual, Disabled | 1.1.0 |
| Remediate information system flaws | CMA_0427 - Remediate information system flaws | Manual, Disabled | 1.1.0 |
| Require developers to document approved changes and potential impact | CMA_C1597 - Require developers to document approved changes and potential impact | Manual, Disabled | 1.1.0 |
| Require developers to implement only approved changes | CMA_C1596 - Require developers to implement only approved changes | Manual, Disabled | 1.1.0 |
| Require developers to manage change integrity | CMA_C1595 - Require developers to manage change integrity | Manual, Disabled | 1.1.0 |
Technical review of applications after operating platform changes
ID: ISO 27001:2013 A.14.2.3 Ownership: Shared
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Automate approval request for proposed changes | CMA_C1192 - Automate approval request for proposed changes | Manual, Disabled | 1.1.0 |
| Automate implementation of approved change notifications | CMA_C1196 - Automate implementation of approved change notifications | Manual, Disabled | 1.1.0 |
| Automate process to document implemented changes | CMA_C1195 - Automate process to document implemented changes | Manual, Disabled | 1.1.0 |
| Automate process to highlight unreviewed change proposals | CMA_C1193 - Automate process to highlight unreviewed change proposals | Manual, Disabled | 1.1.0 |
| Automate process to prohibit implementation of unapproved changes | CMA_C1194 - Automate process to prohibit implementation of unapproved changes | Manual, Disabled | 1.1.0 |
| Automate proposed documented changes | CMA_C1191 - Automate proposed documented changes | Manual, Disabled | 1.1.0 |
| Conduct a security impact analysis | CMA_0057 - Conduct a security impact analysis | Manual, Disabled | 1.1.0 |
| Develop and maintain a vulnerability management standard | CMA_0152 - Develop and maintain a vulnerability management standard | Manual, Disabled | 1.1.0 |
| Enforce security configuration settings | CMA_0249 - Enforce security configuration settings | Manual, Disabled | 1.1.0 |
| Establish a risk management strategy | CMA_0258 - Establish a risk management strategy | Manual, Disabled | 1.1.0 |
| Establish and document change control processes | CMA_0265 - Establish and document change control processes | Manual, Disabled | 1.1.0 |
| Establish configuration management requirements for developers | CMA_0270 - Establish configuration management requirements for developers | Manual, Disabled | 1.1.0 |
| Incorporate flaw remediation into configuration management | CMA_C1671 - Incorporate flaw remediation into configuration management | Manual, Disabled | 1.1.0 |
| Perform a privacy impact assessment | CMA_0387 - Perform a privacy impact assessment | Manual, Disabled | 1.1.0 |
| Perform a risk assessment | CMA_0388 - Perform a risk assessment | Manual, Disabled | 1.1.0 |
| Perform audit for configuration change control | CMA_0390 - Perform audit for configuration change control | Manual, Disabled | 1.1.0 |
| Perform vulnerability scans | CMA_0393 - Perform vulnerability scans | Manual, Disabled | 1.1.0 |
| Remediate information system flaws | CMA_0427 - Remediate information system flaws | Manual, Disabled | 1.1.0 |
Restrictions on changes to software packages
ID: ISO 27001:2013 A.14.2.4 Ownership: Shared
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Address coding vulnerabilities | CMA_0003 - Address coding vulnerabilities | Manual, Disabled | 1.1.0 |
| Automate approval request for proposed changes | CMA_C1192 - Automate approval request for proposed changes | Manual, Disabled | 1.1.0 |
| Automate implementation of approved change notifications | CMA_C1196 - Automate implementation of approved change notifications | Manual, Disabled | 1.1.0 |
| Automate process to document implemented changes | CMA_C1195 - Automate process to document implemented changes | Manual, Disabled | 1.1.0 |
| Automate process to highlight unreviewed change proposals | CMA_C1193 - Automate process to highlight unreviewed change proposals | Manual, Disabled | 1.1.0 |
| Automate process to prohibit implementation of unapproved changes | CMA_C1194 - Automate process to prohibit implementation of unapproved changes | Manual, Disabled | 1.1.0 |
| Automate proposed documented changes | CMA_C1191 - Automate proposed documented changes | Manual, Disabled | 1.1.0 |
| Conduct a security impact analysis | CMA_0057 - Conduct a security impact analysis | Manual, Disabled | 1.1.0 |
| Develop and document application security requirements | CMA_0148 - Develop and document application security requirements | Manual, Disabled | 1.1.0 |
| Develop and maintain a vulnerability management standard | CMA_0152 - Develop and maintain a vulnerability management standard | Manual, Disabled | 1.1.0 |
| Document the information system environment in acquisition contracts | CMA_0205 - Document the information system environment in acquisition contracts | Manual, Disabled | 1.1.0 |
| Enforce security configuration settings | CMA_0249 - Enforce security configuration settings | Manual, Disabled | 1.1.0 |
| Establish a risk management strategy | CMA_0258 - Establish a risk management strategy | Manual, Disabled | 1.1.0 |
| Establish a secure software development program | CMA_0259 - Establish a secure software development program | Manual, Disabled | 1.1.0 |
| Establish and document change control processes | CMA_0265 - Establish and document change control processes | Manual, Disabled | 1.1.0 |
| Establish configuration management requirements for developers | CMA_0270 - Establish configuration management requirements for developers | Manual, Disabled | 1.1.0 |
| Perform a privacy impact assessment | CMA_0387 - Perform a privacy impact assessment | Manual, Disabled | 1.1.0 |
| Perform a risk assessment | CMA_0388 - Perform a risk assessment | Manual, Disabled | 1.1.0 |
| Perform audit for configuration change control | CMA_0390 - Perform audit for configuration change control | Manual, Disabled | 1.1.0 |
| Perform vulnerability scans | CMA_0393 - Perform vulnerability scans | Manual, Disabled | 1.1.0 |
| Remediate information system flaws | CMA_0427 - Remediate information system flaws | Manual, Disabled | 1.1.0 |
| Require developers to document approved changes and potential impact | CMA_C1597 - Require developers to document approved changes and potential impact | Manual, Disabled | 1.1.0 |
| Require developers to implement only approved changes | CMA_C1596 - Require developers to implement only approved changes | Manual, Disabled | 1.1.0 |
| Require developers to manage change integrity | CMA_C1595 - Require developers to manage change integrity | Manual, Disabled | 1.1.0 |
Secure system engineering principles
ID: ISO 27001:2013 A.14.2.5 Ownership: Shared
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Perform information input validation | CMA_C1723 - Perform information input validation | Manual, Disabled | 1.1.0 |
| Require developers to build security architecture | CMA_C1612 - Require developers to build security architecture | Manual, Disabled | 1.1.0 |
| Require developers to describe accurate security functionality | CMA_C1613 - Require developers to describe accurate security functionality | Manual, Disabled | 1.1.0 |
| Require developers to provide unified security protection approach | CMA_C1614 - Require developers to provide unified security protection approach | Manual, Disabled | 1.1.0 |
| Review development process, standards and tools | CMA_C1610 - Review development process, standards and tools | Manual, Disabled | 1.1.0 |
Secure development environment
ID: ISO 27001:2013 A.14.2.6 Ownership: Shared
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Conduct a security impact analysis | CMA_0057 - Conduct a security impact analysis | Manual, Disabled | 1.1.0 |
| Define information security roles and responsibilities | CMA_C1565 - Define information security roles and responsibilities | Manual, Disabled | 1.1.0 |
| Establish and document change control processes | CMA_0265 - Establish and document change control processes | Manual, Disabled | 1.1.0 |
| Establish configuration management requirements for developers | CMA_0270 - Establish configuration management requirements for developers | Manual, Disabled | 1.1.0 |
| Identify individuals with security roles and responsibilities | CMA_C1566 - Identify individuals with security roles and responsibilities | Manual, Disabled | 1.1.1 |
| Integrate risk management process into SDLC | CMA_C1567 - Integrate risk management process into SDLC | Manual, Disabled | 1.1.0 |
| Perform a privacy impact assessment | CMA_0387 - Perform a privacy impact assessment | Manual, Disabled | 1.1.0 |
| Perform audit for configuration change control | CMA_0390 - Perform audit for configuration change control | Manual, Disabled | 1.1.0 |
| Perform vulnerability scans | CMA_0393 - Perform vulnerability scans | Manual, Disabled | 1.1.0 |
| Remediate information system flaws | CMA_0427 - Remediate information system flaws | Manual, Disabled | 1.1.0 |
Outsourced development
ID: ISO 27001:2013 A.14.2.7 Ownership: Shared
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Address coding vulnerabilities | CMA_0003 - Address coding vulnerabilities | Manual, Disabled | 1.1.0 |
| Assess risk in third party relationships | CMA_0014 - Assess risk in third party relationships | Manual, Disabled | 1.1.0 |
| Conduct a security impact analysis | CMA_0057 - Conduct a security impact analysis | Manual, Disabled | 1.1.0 |
| Define requirements for supplying goods and services | CMA_0126 - Define requirements for supplying goods and services | Manual, Disabled | 1.1.0 |
| Determine supplier contract obligations | CMA_0140 - Determine supplier contract obligations | Manual, Disabled | 1.1.0 |
| Develop and document application security requirements | CMA_0148 - Develop and document application security requirements | Manual, Disabled | 1.1.0 |
| Document acquisition contract acceptance criteria | CMA_0187 - Document acquisition contract acceptance criteria | Manual, Disabled | 1.1.0 |
| Document protection of personal data in acquisition contracts | CMA_0194 - Document protection of personal data in acquisition contracts | Manual, Disabled | 1.1.0 |
| Document protection of security information in acquisition contracts | CMA_0195 - Document protection of security information in acquisition contracts | Manual, Disabled | 1.1.0 |
| Document requirements for the use of shared data in contracts | CMA_0197 - Document requirements for the use of shared data in contracts | Manual, Disabled | 1.1.0 |
| Document security assurance requirements in acquisition contracts | CMA_0199 - Document security assurance requirements in acquisition contracts | Manual, Disabled | 1.1.0 |
| Document security documentation requirements in acquisition contract | CMA_0200 - Document security documentation requirements in acquisition contract | Manual, Disabled | 1.1.0 |
| Document security functional requirements in acquisition contracts | CMA_0201 - Document security functional requirements in acquisition contracts | Manual, Disabled | 1.1.0 |
| Document security strength requirements in acquisition contracts | CMA_0203 - Document security strength requirements in acquisition contracts | Manual, Disabled | 1.1.0 |
| Document the information system environment in acquisition contracts | CMA_0205 - Document the information system environment in acquisition contracts | Manual, Disabled | 1.1.0 |
| Document the protection of cardholder data in third party contracts | CMA_0207 - Document the protection of cardholder data in third party contracts | Manual, Disabled | 1.1.0 |
| Establish a secure software development program | CMA_0259 - Establish a secure software development program | Manual, Disabled | 1.1.0 |
| Establish and document change control processes | CMA_0265 - Establish and document change control processes | Manual, Disabled | 1.1.0 |
| Establish configuration management requirements for developers | CMA_0270 - Establish configuration management requirements for developers | Manual, Disabled | 1.1.0 |
| Establish policies for supply chain risk management | CMA_0275 - Establish policies for supply chain risk management | Manual, Disabled | 1.1.0 |
| Perform a privacy impact assessment | CMA_0387 - Perform a privacy impact assessment | Manual, Disabled | 1.1.0 |
| Perform audit for configuration change control | CMA_0390 - Perform audit for configuration change control | Manual, Disabled | 1.1.0 |
| Perform vulnerability scans | CMA_0393 - Perform vulnerability scans | Manual, Disabled | 1.1.0 |
| Remediate information system flaws | CMA_0427 - Remediate information system flaws | Manual, Disabled | 1.1.0 |
| Require developers to document approved changes and potential impact | CMA_C1597 - Require developers to document approved changes and potential impact | Manual, Disabled | 1.1.0 |
| Require developers to implement only approved changes | CMA_C1596 - Require developers to implement only approved changes | Manual, Disabled | 1.1.0 |
| Require developers to manage change integrity | CMA_C1595 - Require developers to manage change integrity | Manual, Disabled | 1.1.0 |
| Require developers to produce evidence of security assessment plan execution | CMA_C1602 - Require developers to produce evidence of security assessment plan execution | Manual, Disabled | 1.1.0 |
System security testing
ID: ISO 27001:2013 A.14.2.8 Ownership: Shared
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Assess Security Controls | CMA_C1145 - Assess Security Controls | Manual, Disabled | 1.1.0 |
| Deliver security assessment results | CMA_C1147 - Deliver security assessment results | Manual, Disabled | 1.1.0 |
| Develop security assessment plan | CMA_C1144 - Develop security assessment plan | Manual, Disabled | 1.1.0 |
| Ensure there are no unencrypted static authenticators | CMA_C1340 - Ensure there are no unencrypted static authenticators | Manual, Disabled | 1.1.0 |
| Perform vulnerability scans | CMA_0393 - Perform vulnerability scans | Manual, Disabled | 1.1.0 |
| Produce Security Assessment report | CMA_C1146 - Produce Security Assessment report | Manual, Disabled | 1.1.0 |
| Remediate information system flaws | CMA_0427 - Remediate information system flaws | Manual, Disabled | 1.1.0 |
| Require developers to produce evidence of security assessment plan execution | CMA_C1602 - Require developers to produce evidence of security assessment plan execution | Manual, Disabled | 1.1.0 |
System acceptance testing
ID: ISO 27001:2013 A.14.2.9 Ownership: Shared
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Assign an authorizing official (AO) | CMA_C1158 - Assign an authorizing official (AO) | Manual, Disabled | 1.1.0 |
| Determine supplier contract obligations | CMA_0140 - Determine supplier contract obligations | Manual, Disabled | 1.1.0 |
| Document acquisition contract acceptance criteria | CMA_0187 - Document acquisition contract acceptance criteria | Manual, Disabled | 1.1.0 |
| Document protection of personal data in acquisition contracts | CMA_0194 - Document protection of personal data in acquisition contracts | Manual, Disabled | 1.1.0 |
| Document protection of security information in acquisition contracts | CMA_0195 - Document protection of security information in acquisition contracts | Manual, Disabled | 1.1.0 |
| Document requirements for the use of shared data in contracts | CMA_0197 - Document requirements for the use of shared data in contracts | Manual, Disabled | 1.1.0 |
| Document security assurance requirements in acquisition contracts | CMA_0199 - Document security assurance requirements in acquisition contracts | Manual, Disabled | 1.1.0 |
| Document security documentation requirements in acquisition contract | CMA_0200 - Document security documentation requirements in acquisition contract | Manual, Disabled | 1.1.0 |
| Document security functional requirements in acquisition contracts | CMA_0201 - Document security functional requirements in acquisition contracts | Manual, Disabled | 1.1.0 |
| Document security strength requirements in acquisition contracts | CMA_0203 - Document security strength requirements in acquisition contracts | Manual, Disabled | 1.1.0 |
| Document the information system environment in acquisition contracts | CMA_0205 - Document the information system environment in acquisition contracts | Manual, Disabled | 1.1.0 |
| Document the protection of cardholder data in third party contracts | CMA_0207 - Document the protection of cardholder data in third party contracts | Manual, Disabled | 1.1.0 |
| Ensure resources are authorized | CMA_C1159 - Ensure resources are authorized | Manual, Disabled | 1.1.0 |
| Ensure there are no unencrypted static authenticators | CMA_C1340 - Ensure there are no unencrypted static authenticators | Manual, Disabled | 1.1.0 |
Protection of test data
ID: ISO 27001:2013 A.14.3.1 Ownership: Shared
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Adhere to retention periods defined | CMA_0004 - Adhere to retention periods defined | Manual, Disabled | 1.1.0 |
| Conduct a security impact analysis | CMA_0057 - Conduct a security impact analysis | Manual, Disabled | 1.1.0 |
| Ensure there are no unencrypted static authenticators | CMA_C1340 - Ensure there are no unencrypted static authenticators | Manual, Disabled | 1.1.0 |
| Establish and document change control processes | CMA_0265 - Establish and document change control processes | Manual, Disabled | 1.1.0 |
| Establish configuration management requirements for developers | CMA_0270 - Establish configuration management requirements for developers | Manual, Disabled | 1.1.0 |
| Perform a privacy impact assessment | CMA_0387 - Perform a privacy impact assessment | Manual, Disabled | 1.1.0 |
| Perform audit for configuration change control | CMA_0390 - Perform audit for configuration change control | Manual, Disabled | 1.1.0 |
| Perform disposition review | CMA_0391 - Perform disposition review | Manual, Disabled | 1.1.0 |
| Perform vulnerability scans | CMA_0393 - Perform vulnerability scans | Manual, Disabled | 1.1.0 |
| Remediate information system flaws | CMA_0427 - Remediate information system flaws | Manual, Disabled | 1.1.0 |
| Verify personal data is deleted at the end of processing | CMA_0540 - Verify personal data is deleted at the end of processing | Manual, Disabled | 1.1.0 |
Supplier Relationships
Information security policy for supplier relationships
ID: ISO 27001:2013 A.15.1.1 Ownership: Shared
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Assess risk in third party relationships | CMA_0014 - Assess risk in third party relationships | Manual, Disabled | 1.1.0 |
| Define requirements for supplying goods and services | CMA_0126 - Define requirements for supplying goods and services | Manual, Disabled | 1.1.0 |
| Determine supplier contract obligations | CMA_0140 - Determine supplier contract obligations | Manual, Disabled | 1.1.0 |
| Establish policies for supply chain risk management | CMA_0275 - Establish policies for supply chain risk management | Manual, Disabled | 1.1.0 |
| Review and update personnel security policies and procedures | CMA_C1507 - Review and update personnel security policies and procedures | Manual, Disabled | 1.1.0 |
| Review and update system and services acquisition policies and procedures | CMA_C1560 - Review and update system and services acquisition policies and procedures | Manual, Disabled | 1.1.0 |
Addressing security within supplier agreement
ID: ISO 27001:2013 A.15.1.2 Ownership: Shared
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Assess risk in third party relationships | CMA_0014 - Assess risk in third party relationships | Manual, Disabled | 1.1.0 |
| Check for privacy and security compliance before establishing internal connections | CMA_0053 - Check for privacy and security compliance before establishing internal connections | Manual, Disabled | 1.1.0 |
| Define requirements for supplying goods and services | CMA_0126 - Define requirements for supplying goods and services | Manual, Disabled | 1.1.0 |
| Determine supplier contract obligations | CMA_0140 - Determine supplier contract obligations | Manual, Disabled | 1.1.0 |
| Develop acceptable use policies and procedures | CMA_0143 - Develop acceptable use policies and procedures | Manual, Disabled | 1.1.0 |
| Develop organization code of conduct policy | CMA_0159 - Develop organization code of conduct policy | Manual, Disabled | 1.1.0 |
| Document acquisition contract acceptance criteria | CMA_0187 - Document acquisition contract acceptance criteria | Manual, Disabled | 1.1.0 |
| Document personnel acceptance of privacy requirements | CMA_0193 - Document personnel acceptance of privacy requirements | Manual, Disabled | 1.1.0 |
| Document protection of personal data in acquisition contracts | CMA_0194 - Document protection of personal data in acquisition contracts | Manual, Disabled | 1.1.0 |
| Document protection of security information in acquisition contracts | CMA_0195 - Document protection of security information in acquisition contracts | Manual, Disabled | 1.1.0 |
| Document requirements for the use of shared data in contracts | CMA_0197 - Document requirements for the use of shared data in contracts | Manual, Disabled | 1.1.0 |
| Document security assurance requirements in acquisition contracts | CMA_0199 - Document security assurance requirements in acquisition contracts | Manual, Disabled | 1.1.0 |
| Document security documentation requirements in acquisition contract | CMA_0200 - Document security documentation requirements in acquisition contract | Manual, Disabled | 1.1.0 |
| Document security functional requirements in acquisition contracts | CMA_0201 - Document security functional requirements in acquisition contracts | Manual, Disabled | 1.1.0 |
| Document security strength requirements in acquisition contracts | CMA_0203 - Document security strength requirements in acquisition contracts | Manual, Disabled | 1.1.0 |
| Document the information system environment in acquisition contracts | CMA_0205 - Document the information system environment in acquisition contracts | Manual, Disabled | 1.1.0 |
| Document the protection of cardholder data in third party contracts | CMA_0207 - Document the protection of cardholder data in third party contracts | Manual, Disabled | 1.1.0 |
| Enforce rules of behavior and access agreements | CMA_0248 - Enforce rules of behavior and access agreements | Manual, Disabled | 1.1.0 |
| Establish policies for supply chain risk management | CMA_0275 - Establish policies for supply chain risk management | Manual, Disabled | 1.1.0 |
| Identify external service providers | CMA_C1591 - Identify external service providers | Manual, Disabled | 1.1.0 |
| Prohibit unfair practices | CMA_0396 - Prohibit unfair practices | Manual, Disabled | 1.1.0 |
| Review and sign revised rules of behavior | CMA_0465 - Review and sign revised rules of behavior | Manual, Disabled | 1.1.0 |
| Update rules of behavior and access agreements | CMA_0521 - Update rules of behavior and access agreements | Manual, Disabled | 1.1.0 |
| Update rules of behavior and access agreements every 3 years | CMA_0522 - Update rules of behavior and access agreements every 3 years | Manual, Disabled | 1.1.0 |
Information and communication technology supply chain
ID: ISO 27001:2013 A.15.1.3 Ownership: Shared
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Assess risk in third party relationships | CMA_0014 - Assess risk in third party relationships | Manual, Disabled | 1.1.0 |
| Define requirements for supplying goods and services | CMA_0126 - Define requirements for supplying goods and services | Manual, Disabled | 1.1.0 |
| Determine supplier contract obligations | CMA_0140 - Determine supplier contract obligations | Manual, Disabled | 1.1.0 |
| Establish policies for supply chain risk management | CMA_0275 - Establish policies for supply chain risk management | Manual, Disabled | 1.1.0 |
Monitoring and review of supplier services
ID: ISO 27001:2013 A.15.2.1 Ownership: Shared
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Define and document government oversight | CMA_C1587 - Define and document government oversight | Manual, Disabled | 1.1.0 |
| Require external service providers to comply with security requirements | CMA_C1586 - Require external service providers to comply with security requirements | Manual, Disabled | 1.1.0 |
| Review cloud service provider's compliance with policies and agreements | CMA_0469 - Review cloud service provider's compliance with policies and agreements | Manual, Disabled | 1.1.0 |
| Undergo independent security review | CMA_0515 - Undergo independent security review | Manual, Disabled | 1.1.0 |
Managing changes to supplier services
ID: ISO 27001:2013 A.15.2.2 Ownership: Shared
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Define and document government oversight | CMA_C1587 - Define and document government oversight | Manual, Disabled | 1.1.0 |
| Determine supplier contract obligations | CMA_0140 - Determine supplier contract obligations | Manual, Disabled | 1.1.0 |
| Document acquisition contract acceptance criteria | CMA_0187 - Document acquisition contract acceptance criteria | Manual, Disabled | 1.1.0 |
| Document protection of personal data in acquisition contracts | CMA_0194 - Document protection of personal data in acquisition contracts | Manual, Disabled | 1.1.0 |
| Document protection of security information in acquisition contracts | CMA_0195 - Document protection of security information in acquisition contracts | Manual, Disabled | 1.1.0 |
| Document requirements for the use of shared data in contracts | CMA_0197 - Document requirements for the use of shared data in contracts | Manual, Disabled | 1.1.0 |
| Document security assurance requirements in acquisition contracts | CMA_0199 - Document security assurance requirements in acquisition contracts | Manual, Disabled | 1.1.0 |
| Document security documentation requirements in acquisition contract | CMA_0200 - Document security documentation requirements in acquisition contract | Manual, Disabled | 1.1.0 |
| Document security functional requirements in acquisition contracts | CMA_0201 - Document security functional requirements in acquisition contracts | Manual, Disabled | 1.1.0 |
| Document security strength requirements in acquisition contracts | CMA_0203 - Document security strength requirements in acquisition contracts | Manual, Disabled | 1.1.0 |
| Document the information system environment in acquisition contracts | CMA_0205 - Document the information system environment in acquisition contracts | Manual, Disabled | 1.1.0 |
| Document the protection of cardholder data in third party contracts | CMA_0207 - Document the protection of cardholder data in third party contracts | Manual, Disabled | 1.1.0 |
| Require external service providers to comply with security requirements | CMA_C1586 - Require external service providers to comply with security requirements | Manual, Disabled | 1.1.0 |
| Review cloud service provider's compliance with policies and agreements | CMA_0469 - Review cloud service provider's compliance with policies and agreements | Manual, Disabled | 1.1.0 |
| Undergo independent security review | CMA_0515 - Undergo independent security review | Manual, Disabled | 1.1.0 |
Information Security Incident Management
Responsibilities and procedures
ID: ISO 27001:2013 A.16.1.1 Ownership: Shared
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Assess information security events | CMA_0013 - Assess information security events | Manual, Disabled | 1.1.0 |
| Develop an incident response plan | CMA_0145 - Develop an incident response plan | Manual, Disabled | 1.1.0 |
| Implement incident handling | CMA_0318 - Implement incident handling | Manual, Disabled | 1.1.0 |
| Maintain data breach records | CMA_0351 - Maintain data breach records | Manual, Disabled | 1.1.0 |
| Maintain incident response plan | CMA_0352 - Maintain incident response plan | Manual, Disabled | 1.1.0 |
| Protect incident response plan | CMA_0405 - Protect incident response plan | Manual, Disabled | 1.1.0 |
| Review and update incident response policies and procedures | CMA_C1352 - Review and update incident response policies and procedures | Manual, Disabled | 1.1.0 |
Reporting information security events
ID: ISO 27001:2013 A.16.1.2 Ownership: Shared
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Correlate audit records | CMA_0087 - Correlate audit records | Manual, Disabled | 1.1.0 |
| Document security operations | CMA_0202 - Document security operations | Manual, Disabled | 1.1.0 |
| Establish requirements for audit review and reporting | CMA_0277 - Establish requirements for audit review and reporting | Manual, Disabled | 1.1.0 |
| Implement incident handling | CMA_0318 - Implement incident handling | Manual, Disabled | 1.1.0 |
| Integrate audit review, analysis, and reporting | CMA_0339 - Integrate audit review, analysis, and reporting | Manual, Disabled | 1.1.0 |
| Integrate cloud app security with a siem | CMA_0340 - Integrate cloud app security with a siem | Manual, Disabled | 1.1.0 |
| Report atypical behavior of user accounts | CMA_C1025 - Report atypical behavior of user accounts | Manual, Disabled | 1.1.0 |
| Review account provisioning logs | CMA_0460 - Review account provisioning logs | Manual, Disabled | 1.1.0 |
| Review administrator assignments weekly | CMA_0461 - Review administrator assignments weekly | Manual, Disabled | 1.1.0 |
| Review audit data | CMA_0466 - Review audit data | Manual, Disabled | 1.1.0 |
| Review cloud identity report overview | CMA_0468 - Review cloud identity report overview | Manual, Disabled | 1.1.0 |
| Review controlled folder access events | CMA_0471 - Review controlled folder access events | Manual, Disabled | 1.1.0 |
| Review file and folder activity | CMA_0473 - Review file and folder activity | Manual, Disabled | 1.1.0 |
| Review role group changes weekly | CMA_0476 - Review role group changes weekly | Manual, Disabled | 1.1.0 |
Reporting information security weaknesses
ID: ISO 27001:2013 A.16.1.3 Ownership: Shared
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Document security operations | CMA_0202 - Document security operations | Manual, Disabled | 1.1.0 |
| Incorporate flaw remediation into configuration management | CMA_C1671 - Incorporate flaw remediation into configuration management | Manual, Disabled | 1.1.0 |
| Remediate information system flaws | CMA_0427 - Remediate information system flaws | Manual, Disabled | 1.1.0 |
| Report atypical behavior of user accounts | CMA_C1025 - Report atypical behavior of user accounts | Manual, Disabled | 1.1.0 |
Assessment of and decision on information security events
ID: ISO 27001:2013 A.16.1.4 Ownership: Shared
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Assess information security events | CMA_0013 - Assess information security events | Manual, Disabled | 1.1.0 |
| Coordinate contingency plans with related plans | CMA_0086 - Coordinate contingency plans with related plans | Manual, Disabled | 1.1.0 |
| Correlate audit records | CMA_0087 - Correlate audit records | Manual, Disabled | 1.1.0 |
| Develop an incident response plan | CMA_0145 - Develop an incident response plan | Manual, Disabled | 1.1.0 |
| Develop security safeguards | CMA_0161 - Develop security safeguards | Manual, Disabled | 1.1.0 |
| Enable network protection | CMA_0238 - Enable network protection | Manual, Disabled | 1.1.0 |
| Eradicate contaminated information | CMA_0253 - Eradicate contaminated information | Manual, Disabled | 1.1.0 |
| Establish requirements for audit review and reporting | CMA_0277 - Establish requirements for audit review and reporting | Manual, Disabled | 1.1.0 |
| Execute actions in response to information spills | CMA_0281 - Execute actions in response to information spills | Manual, Disabled | 1.1.0 |
| Implement incident handling | CMA_0318 - Implement incident handling | Manual, Disabled | 1.1.0 |
| Integrate audit review, analysis, and reporting | CMA_0339 - Integrate audit review, analysis, and reporting | Manual, Disabled | 1.1.0 |
| Integrate cloud app security with a siem | CMA_0340 - Integrate cloud app security with a siem | Manual, Disabled | 1.1.0 |
| Maintain incident response plan | CMA_0352 - Maintain incident response plan | Manual, Disabled | 1.1.0 |
| Perform a trend analysis on threats | CMA_0389 - Perform a trend analysis on threats | Manual, Disabled | 1.1.0 |
| Report atypical behavior of user accounts | CMA_C1025 - Report atypical behavior of user accounts | Manual, Disabled | 1.1.0 |
| Review account provisioning logs | CMA_0460 - Review account provisioning logs | Manual, Disabled | 1.1.0 |
| Review administrator assignments weekly | CMA_0461 - Review administrator assignments weekly | Manual, Disabled | 1.1.0 |
| Review audit data | CMA_0466 - Review audit data | Manual, Disabled | 1.1.0 |
| Review cloud identity report overview | CMA_0468 - Review cloud identity report overview | Manual, Disabled | 1.1.0 |
| Review controlled folder access events | CMA_0471 - Review controlled folder access events | Manual, Disabled | 1.1.0 |
| Review file and folder activity | CMA_0473 - Review file and folder activity | Manual, Disabled | 1.1.0 |
| Review role group changes weekly | CMA_0476 - Review role group changes weekly | Manual, Disabled | 1.1.0 |
| View and investigate restricted users | CMA_0545 - View and investigate restricted users | Manual, Disabled | 1.1.0 |
Response to information security incidents
ID: ISO 27001:2013 A.16.1.5 Ownership: Shared
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Assess information security events | CMA_0013 - Assess information security events | Manual, Disabled | 1.1.0 |
| Coordinate contingency plans with related plans | CMA_0086 - Coordinate contingency plans with related plans | Manual, Disabled | 1.1.0 |
| Develop an incident response plan | CMA_0145 - Develop an incident response plan | Manual, Disabled | 1.1.0 |
| Develop security safeguards | CMA_0161 - Develop security safeguards | Manual, Disabled | 1.1.0 |
| Enable network protection | CMA_0238 - Enable network protection | Manual, Disabled | 1.1.0 |
| Eradicate contaminated information | CMA_0253 - Eradicate contaminated information | Manual, Disabled | 1.1.0 |
| Execute actions in response to information spills | CMA_0281 - Execute actions in response to information spills | Manual, Disabled | 1.1.0 |
| Implement incident handling | CMA_0318 - Implement incident handling | Manual, Disabled | 1.1.0 |
| Maintain incident response plan | CMA_0352 - Maintain incident response plan | Manual, Disabled | 1.1.0 |
| Perform a trend analysis on threats | CMA_0389 - Perform a trend analysis on threats | Manual, Disabled | 1.1.0 |
| Report atypical behavior of user accounts | CMA_C1025 - Report atypical behavior of user accounts | Manual, Disabled | 1.1.0 |
| View and investigate restricted users | CMA_0545 - View and investigate restricted users | Manual, Disabled | 1.1.0 |
Learning from information security incidents
ID: ISO 27001:2013 A.16.1.6 Ownership: Shared
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Assess information security events | CMA_0013 - Assess information security events | Manual, Disabled | 1.1.0 |
| Coordinate contingency plans with related plans | CMA_0086 - Coordinate contingency plans with related plans | Manual, Disabled | 1.1.0 |
| Develop an incident response plan | CMA_0145 - Develop an incident response plan | Manual, Disabled | 1.1.0 |
| Develop security safeguards | CMA_0161 - Develop security safeguards | Manual, Disabled | 1.1.0 |
| Discover any indicators of compromise | CMA_C1702 - Discover any indicators of compromise | Manual, Disabled | 1.1.0 |
| Enable network protection | CMA_0238 - Enable network protection | Manual, Disabled | 1.1.0 |
| Eradicate contaminated information | CMA_0253 - Eradicate contaminated information | Manual, Disabled | 1.1.0 |
| Execute actions in response to information spills | CMA_0281 - Execute actions in response to information spills | Manual, Disabled | 1.1.0 |
| Implement incident handling | CMA_0318 - Implement incident handling | Manual, Disabled | 1.1.0 |
| Maintain incident response plan | CMA_0352 - Maintain incident response plan | Manual, Disabled | 1.1.0 |
| Perform a trend analysis on threats | CMA_0389 - Perform a trend analysis on threats | Manual, Disabled | 1.1.0 |
| Report atypical behavior of user accounts | CMA_C1025 - Report atypical behavior of user accounts | Manual, Disabled | 1.1.0 |
| View and investigate restricted users | CMA_0545 - View and investigate restricted users | Manual, Disabled | 1.1.0 |
Collection of evidence
ID: ISO 27001:2013 A.16.1.7 Ownership: Shared
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Adhere to retention periods defined | CMA_0004 - Adhere to retention periods defined | Manual, Disabled | 1.1.0 |
| Check for privacy and security compliance before establishing internal connections | CMA_0053 - Check for privacy and security compliance before establishing internal connections | Manual, Disabled | 1.1.0 |
| Determine auditable events | CMA_0137 - Determine auditable events | Manual, Disabled | 1.1.0 |
| Implement incident handling | CMA_0318 - Implement incident handling | Manual, Disabled | 1.1.0 |
| Report atypical behavior of user accounts | CMA_C1025 - Report atypical behavior of user accounts | Manual, Disabled | 1.1.0 |
| Retain security policies and procedures | CMA_0454 - Retain security policies and procedures | Manual, Disabled | 1.1.0 |
| Retain terminated user data | CMA_0455 - Retain terminated user data | Manual, Disabled | 1.1.0 |
Information Security Aspects Of Business Continuity Management
Planning information security continuity
ID: ISO 27001:2013 A.17.1.1 Ownership: Shared
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Communicate contingency plan changes | CMA_C1249 - Communicate contingency plan changes | Manual, Disabled | 1.1.0 |
| Coordinate contingency plans with related plans | CMA_0086 - Coordinate contingency plans with related plans | Manual, Disabled | 1.1.0 |
| Develop and document a business continuity and disaster recovery plan | CMA_0146 - Develop and document a business continuity and disaster recovery plan | Manual, Disabled | 1.1.0 |
| Develop contingency plan | CMA_C1244 - Develop contingency plan | Manual, Disabled | 1.1.0 |
| Develop contingency planning policies and procedures | CMA_0156 - Develop contingency planning policies and procedures | Manual, Disabled | 1.1.0 |
| Distribute policies and procedures | CMA_0185 - Distribute policies and procedures | Manual, Disabled | 1.1.0 |
| Plan for resumption of essential business functions | CMA_C1253 - Plan for resumption of essential business functions | Manual, Disabled | 1.1.0 |
| Resume all mission and business functions | CMA_C1254 - Resume all mission and business functions | Manual, Disabled | 1.1.0 |
| Review and update contingency planning policies and procedures | CMA_C1243 - Review and update contingency planning policies and procedures | Manual, Disabled | 1.1.0 |
| Review contingency plan | CMA_C1247 - Review contingency plan | Manual, Disabled | 1.1.0 |
| Update contingency plan | CMA_C1248 - Update contingency plan | Manual, Disabled | 1.1.0 |
Implementing information security continuity
ID: ISO 27001:2013 A.17.1.2 Ownership: Shared
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Communicate contingency plan changes | CMA_C1249 - Communicate contingency plan changes | Manual, Disabled | 1.1.0 |
| Conduct backup of information system documentation | CMA_C1289 - Conduct backup of information system documentation | Manual, Disabled | 1.1.0 |
| Coordinate contingency plans with related plans | CMA_0086 - Coordinate contingency plans with related plans | Manual, Disabled | 1.1.0 |
| Create separate alternate and primary storage sites | CMA_C1269 - Create separate alternate and primary storage sites | Manual, Disabled | 1.1.0 |
| Develop contingency plan | CMA_C1244 - Develop contingency plan | Manual, Disabled | 1.1.0 |
| Ensure alternate storage site safeguards are equivalent to primary site | CMA_C1268 - Ensure alternate storage site safeguards are equivalent to primary site | Manual, Disabled | 1.1.0 |
| Ensure information system fails in known state | CMA_C1662 - Ensure information system fails in known state | Manual, Disabled | 1.1.0 |
| Establish alternate storage site to store and retrieve backup information | CMA_C1267 - Establish alternate storage site to store and retrieve backup information | Manual, Disabled | 1.1.0 |
| Establish an alternate processing site | CMA_0262 - Establish an alternate processing site | Manual, Disabled | 1.1.0 |
| Establish backup policies and procedures | CMA_0268 - Establish backup policies and procedures | Manual, Disabled | 1.1.0 |
| Establish requirements for internet service providers | CMA_0278 - Establish requirements for internet service providers | Manual, Disabled | 1.1.0 |
| Identify and mitigate potential issues at alternate storage site | CMA_C1271 - Identify and mitigate potential issues at alternate storage site | Manual, Disabled | 1.1.0 |
| Implement controls to secure all media | CMA_0314 - Implement controls to secure all media | Manual, Disabled | 1.1.0 |
| Implement transaction based recovery | CMA_C1296 - Implement transaction based recovery | Manual, Disabled | 1.1.0 |
| Plan for continuance of essential business functions | CMA_C1255 - Plan for continuance of essential business functions | Manual, Disabled | 1.1.0 |
| Plan for resumption of essential business functions | CMA_C1253 - Plan for resumption of essential business functions | Manual, Disabled | 1.1.0 |
| Recover and reconstitute resources after any disruption | CMA_C1295 - Recover and reconstitute resources after any disruption | Manual, Disabled | 1.1.1 |
| Resume all mission and business functions | CMA_C1254 - Resume all mission and business functions | Manual, Disabled | 1.1.0 |
Verify, review and evaluate information security continuity
ID: ISO 27001:2013 A.17.1.3 Ownership: Shared
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Initiate contingency plan testing corrective actions | CMA_C1263 - Initiate contingency plan testing corrective actions | Manual, Disabled | 1.1.0 |
| Review the results of contingency plan testing | CMA_C1262 - Review the results of contingency plan testing | Manual, Disabled | 1.1.0 |
| Test the business continuity and disaster recovery plan | CMA_0509 - Test the business continuity and disaster recovery plan | Manual, Disabled | 1.1.0 |
Availability of information processing facilities
ID: ISO 27001:2013 A.17.2.1 Ownership: Shared
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Communicate contingency plan changes | CMA_C1249 - Communicate contingency plan changes | Manual, Disabled | 1.1.0 |
| Coordinate contingency plans with related plans | CMA_0086 - Coordinate contingency plans with related plans | Manual, Disabled | 1.1.0 |
| Create separate alternate and primary storage sites | CMA_C1269 - Create separate alternate and primary storage sites | Manual, Disabled | 1.1.0 |
| Develop and document a business continuity and disaster recovery plan | CMA_0146 - Develop and document a business continuity and disaster recovery plan | Manual, Disabled | 1.1.0 |
| Develop contingency plan | CMA_C1244 - Develop contingency plan | Manual, Disabled | 1.1.0 |
| Develop contingency planning policies and procedures | CMA_0156 - Develop contingency planning policies and procedures | Manual, Disabled | 1.1.0 |
| Distribute policies and procedures | CMA_0185 - Distribute policies and procedures | Manual, Disabled | 1.1.0 |
| Ensure alternate storage site safeguards are equivalent to primary site | CMA_C1268 - Ensure alternate storage site safeguards are equivalent to primary site | Manual, Disabled | 1.1.0 |
| Ensure information system fails in known state | CMA_C1662 - Ensure information system fails in known state | Manual, Disabled | 1.1.0 |
| Establish alternate storage site to store and retrieve backup information | CMA_C1267 - Establish alternate storage site to store and retrieve backup information | Manual, Disabled | 1.1.0 |
| Establish an alternate processing site | CMA_0262 - Establish an alternate processing site | Manual, Disabled | 1.1.0 |
| Identify and mitigate potential issues at alternate storage site | CMA_C1271 - Identify and mitigate potential issues at alternate storage site | Manual, Disabled | 1.1.0 |
| Plan for continuance of essential business functions | CMA_C1255 - Plan for continuance of essential business functions | Manual, Disabled | 1.1.0 |
| Plan for resumption of essential business functions | CMA_C1253 - Plan for resumption of essential business functions | Manual, Disabled | 1.1.0 |
| Resume all mission and business functions | CMA_C1254 - Resume all mission and business functions | Manual, Disabled | 1.1.0 |
| Review contingency plan | CMA_C1247 - Review contingency plan | Manual, Disabled | 1.1.0 |
| Update contingency plan | CMA_C1248 - Update contingency plan | Manual, Disabled | 1.1.0 |
Compliance
Identification applicable legislation and contractual requirements
ID: ISO 27001:2013 A.18.1.1 Ownership: Shared
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Develop access control policies and procedures | CMA_0144 - Develop access control policies and procedures | Manual, Disabled | 1.1.0 |
| Develop and establish a system security plan | CMA_0151 - Develop and establish a system security plan | Manual, Disabled | 1.1.0 |
| Develop audit and accountability policies and procedures | CMA_0154 - Develop audit and accountability policies and procedures | Manual, Disabled | 1.1.0 |
| Develop information security policies and procedures | CMA_0158 - Develop information security policies and procedures | Manual, Disabled | 1.1.0 |
| Document security and privacy training activities | CMA_0198 - Document security and privacy training activities | Manual, Disabled | 1.1.0 |
| Enforce mandatory and discretionary access control policies | CMA_0246 - Enforce mandatory and discretionary access control policies | Manual, Disabled | 1.1.0 |
| Establish a privacy program | CMA_0257 - Establish a privacy program | Manual, Disabled | 1.1.0 |
| Establish a risk management strategy | CMA_0258 - Establish a risk management strategy | Manual, Disabled | 1.1.0 |
| Establish an information security program | CMA_0263 - Establish an information security program | Manual, Disabled | 1.1.0 |
| Establish security requirements for the manufacturing of connected devices | CMA_0279 - Establish security requirements for the manufacturing of connected devices | Manual, Disabled | 1.1.0 |
| Govern policies and procedures | CMA_0292 - Govern policies and procedures | Manual, Disabled | 1.1.0 |
| Implement security engineering principles of information systems | CMA_0325 - Implement security engineering principles of information systems | Manual, Disabled | 1.1.0 |
| Protect the information security program plan | CMA_C1732 - Protect the information security program plan | Manual, Disabled | 1.1.0 |
| Review access control policies and procedures | CMA_0457 - Review access control policies and procedures | Manual, Disabled | 1.1.0 |
| Review and update configuration management policies and procedures | CMA_C1175 - Review and update configuration management policies and procedures | Manual, Disabled | 1.1.0 |
| Review and update contingency planning policies and procedures | CMA_C1243 - Review and update contingency planning policies and procedures | Manual, Disabled | 1.1.0 |
| Review and update identification and authentication policies and procedures | CMA_C1299 - Review and update identification and authentication policies and procedures | Manual, Disabled | 1.1.0 |
| Review and update incident response policies and procedures | CMA_C1352 - Review and update incident response policies and procedures | Manual, Disabled | 1.1.0 |
| Review and update information integrity policies and procedures | CMA_C1667 - Review and update information integrity policies and procedures | Manual, Disabled | 1.1.0 |
| Review and update media protection policies and procedures | CMA_C1427 - Review and update media protection policies and procedures | Manual, Disabled | 1.1.0 |
| Review and update personnel security policies and procedures | CMA_C1507 - Review and update personnel security policies and procedures | Manual, Disabled | 1.1.0 |
| Review and update physical and environmental policies and procedures | CMA_C1446 - Review and update physical and environmental policies and procedures | Manual, Disabled | 1.1.0 |
| Review and update planning policies and procedures | CMA_C1491 - Review and update planning policies and procedures | Manual, Disabled | 1.1.0 |
| Review and update risk assessment policies and procedures | CMA_C1537 - Review and update risk assessment policies and procedures | Manual, Disabled | 1.1.0 |
| Review and update system and communications protection policies and procedures | CMA_C1616 - Review and update system and communications protection policies and procedures | Manual, Disabled | 1.1.0 |
| Review and update system and services acquisition policies and procedures | CMA_C1560 - Review and update system and services acquisition policies and procedures | Manual, Disabled | 1.1.0 |
| Review and update system maintenance policies and procedures | CMA_C1395 - Review and update system maintenance policies and procedures | Manual, Disabled | 1.1.0 |
| Review security assessment and authorization policies and procedures | CMA_C1143 - Review security assessment and authorization policies and procedures | Manual, Disabled | 1.1.0 |
| Update information security policies | CMA_0518 - Update information security policies | Manual, Disabled | 1.1.0 |
| Update privacy plan, policies, and procedures | CMA_C1807 - Update privacy plan, policies, and procedures | Manual, Disabled | 1.1.0 |
Intellectual property rights
ID: ISO 27001:2013 A.18.1.2 Ownership: Shared
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Require compliance with intellectual property rights | CMA_0432 - Require compliance with intellectual property rights | Manual, Disabled | 1.1.0 |
| Track software license usage | CMA_C1235 - Track software license usage | Manual, Disabled | 1.1.0 |
Protection of records
ID: ISO 27001:2013 A.18.1.3 Ownership: Shared
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Authorize access to security functions and information | CMA_0022 - Authorize access to security functions and information | Manual, Disabled | 1.1.0 |
| Authorize and manage access | CMA_0023 - Authorize and manage access | Manual, Disabled | 1.1.0 |
| Conduct backup of information system documentation | CMA_C1289 - Conduct backup of information system documentation | Manual, Disabled | 1.1.0 |
| Control physical access | CMA_0081 - Control physical access | Manual, Disabled | 1.1.0 |
| Enable dual or joint authorization | CMA_0226 - Enable dual or joint authorization | Manual, Disabled | 1.1.0 |
| Enforce logical access | CMA_0245 - Enforce logical access | Manual, Disabled | 1.1.0 |
| Ensure information system fails in known state | CMA_C1662 - Ensure information system fails in known state | Manual, Disabled | 1.1.0 |
| Establish backup policies and procedures | CMA_0268 - Establish backup policies and procedures | Manual, Disabled | 1.1.0 |
| Implement controls to secure all media | CMA_0314 - Implement controls to secure all media | Manual, Disabled | 1.1.0 |
| Implement transaction based recovery | CMA_C1296 - Implement transaction based recovery | Manual, Disabled | 1.1.0 |
| Manage the input, output, processing, and storage of data | CMA_0369 - Manage the input, output, processing, and storage of data | Manual, Disabled | 1.1.0 |
| Protect audit information | CMA_0401 - Protect audit information | Manual, Disabled | 1.1.0 |
| Require approval for account creation | CMA_0431 - Require approval for account creation | Manual, Disabled | 1.1.0 |
| Review label activity and analytics | CMA_0474 - Review label activity and analytics | Manual, Disabled | 1.1.0 |
| Review user groups and applications with access to sensitive data | CMA_0481 - Review user groups and applications with access to sensitive data | Manual, Disabled | 1.1.0 |
Privacy and protection of personally identifiable information
ID: ISO 27001:2013 A.18.1.4 Ownership: Shared
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Control physical access | CMA_0081 - Control physical access | Manual, Disabled | 1.1.0 |
| Establish a privacy program | CMA_0257 - Establish a privacy program | Manual, Disabled | 1.1.0 |
| Establish an information security program | CMA_0263 - Establish an information security program | Manual, Disabled | 1.1.0 |
| Manage compliance activities | CMA_0358 - Manage compliance activities | Manual, Disabled | 1.1.0 |
| Manage the input, output, processing, and storage of data | CMA_0369 - Manage the input, output, processing, and storage of data | Manual, Disabled | 1.1.0 |
| Review label activity and analytics | CMA_0474 - Review label activity and analytics | Manual, Disabled | 1.1.0 |
Regulation of cryptographic controls
ID: ISO 27001:2013 A.18.1.5 Ownership: Shared
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Authenticate to cryptographic module | CMA_0021 - Authenticate to cryptographic module | Manual, Disabled | 1.1.0 |
| Define cryptographic use | CMA_0120 - Define cryptographic use | Manual, Disabled | 1.1.0 |
Independent review of information security
ID: ISO 27001:2013 A.18.2.1 Ownership: Shared
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Employ independent team for penetration testing | CMA_C1171 - Employ independent team for penetration testing | Manual, Disabled | 1.1.0 |
| Establish a risk management strategy | CMA_0258 - Establish a risk management strategy | Manual, Disabled | 1.1.0 |
Compliance with security policies and standards
ID: ISO 27001:2013 A.18.2.2 Ownership: Shared
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Assess Security Controls | CMA_C1145 - Assess Security Controls | Manual, Disabled | 1.1.0 |
| Check for privacy and security compliance before establishing internal connections | CMA_0053 - Check for privacy and security compliance before establishing internal connections | Manual, Disabled | 1.1.0 |
| Configure detection whitelist | CMA_0068 - Configure detection whitelist | Manual, Disabled | 1.1.0 |
| Deliver security assessment results | CMA_C1147 - Deliver security assessment results | Manual, Disabled | 1.1.0 |
| Develop access control policies and procedures | CMA_0144 - Develop access control policies and procedures | Manual, Disabled | 1.1.0 |
| Develop and establish a system security plan | CMA_0151 - Develop and establish a system security plan | Manual, Disabled | 1.1.0 |
| Develop audit and accountability policies and procedures | CMA_0154 - Develop audit and accountability policies and procedures | Manual, Disabled | 1.1.0 |
| Develop information security policies and procedures | CMA_0158 - Develop information security policies and procedures | Manual, Disabled | 1.1.0 |
| Develop security assessment plan | CMA_C1144 - Develop security assessment plan | Manual, Disabled | 1.1.0 |
| Document security and privacy training activities | CMA_0198 - Document security and privacy training activities | Manual, Disabled | 1.1.0 |
| Establish a privacy program | CMA_0257 - Establish a privacy program | Manual, Disabled | 1.1.0 |
| Establish an information security program | CMA_0263 - Establish an information security program | Manual, Disabled | 1.1.0 |
| Establish security requirements for the manufacturing of connected devices | CMA_0279 - Establish security requirements for the manufacturing of connected devices | Manual, Disabled | 1.1.0 |
| Govern policies and procedures | CMA_0292 - Govern policies and procedures | Manual, Disabled | 1.1.0 |
| Implement security engineering principles of information systems | CMA_0325 - Implement security engineering principles of information systems | Manual, Disabled | 1.1.0 |
| Produce Security Assessment report | CMA_C1146 - Produce Security Assessment report | Manual, Disabled | 1.1.0 |
| Protect the information security program plan | CMA_C1732 - Protect the information security program plan | Manual, Disabled | 1.1.0 |
| Review access control policies and procedures | CMA_0457 - Review access control policies and procedures | Manual, Disabled | 1.1.0 |
| Review and update configuration management policies and procedures | CMA_C1175 - Review and update configuration management policies and procedures | Manual, Disabled | 1.1.0 |
| Review and update contingency planning policies and procedures | CMA_C1243 - Review and update contingency planning policies and procedures | Manual, Disabled | 1.1.0 |
| Review and update identification and authentication policies and procedures | CMA_C1299 - Review and update identification and authentication policies and procedures | Manual, Disabled | 1.1.0 |
| Review and update incident response policies and procedures | CMA_C1352 - Review and update incident response policies and procedures | Manual, Disabled | 1.1.0 |
| Review and update information integrity policies and procedures | CMA_C1667 - Review and update information integrity policies and procedures | Manual, Disabled | 1.1.0 |
| Review and update media protection policies and procedures | CMA_C1427 - Review and update media protection policies and procedures | Manual, Disabled | 1.1.0 |
| Review and update personnel security policies and procedures | CMA_C1507 - Review and update personnel security policies and procedures | Manual, Disabled | 1.1.0 |
| Review and update physical and environmental policies and procedures | CMA_C1446 - Review and update physical and environmental policies and procedures | Manual, Disabled | 1.1.0 |
| Review and update planning policies and procedures | CMA_C1491 - Review and update planning policies and procedures | Manual, Disabled | 1.1.0 |
| Review and update risk assessment policies and procedures | CMA_C1537 - Review and update risk assessment policies and procedures | Manual, Disabled | 1.1.0 |
| Review and update system and communications protection policies and procedures | CMA_C1616 - Review and update system and communications protection policies and procedures | Manual, Disabled | 1.1.0 |
| Review and update system and services acquisition policies and procedures | CMA_C1560 - Review and update system and services acquisition policies and procedures | Manual, Disabled | 1.1.0 |
| Review and update system maintenance policies and procedures | CMA_C1395 - Review and update system maintenance policies and procedures | Manual, Disabled | 1.1.0 |
| Review security assessment and authorization policies and procedures | CMA_C1143 - Review security assessment and authorization policies and procedures | Manual, Disabled | 1.1.0 |
| Turn on sensors for endpoint security solution | CMA_0514 - Turn on sensors for endpoint security solution | Manual, Disabled | 1.1.0 |
| Undergo independent security review | CMA_0515 - Undergo independent security review | Manual, Disabled | 1.1.0 |
| Update information security policies | CMA_0518 - Update information security policies | Manual, Disabled | 1.1.0 |
| Update privacy plan, policies, and procedures | CMA_C1807 - Update privacy plan, policies, and procedures | Manual, Disabled | 1.1.0 |
Technical compliance review
ID: ISO 27001:2013 A.18.2.3 Ownership: Shared
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Assess Security Controls | CMA_C1145 - Assess Security Controls | Manual, Disabled | 1.1.0 |
| Deliver security assessment results | CMA_C1147 - Deliver security assessment results | Manual, Disabled | 1.1.0 |
| Develop security assessment plan | CMA_C1144 - Develop security assessment plan | Manual, Disabled | 1.1.0 |
| Employ independent team for penetration testing | CMA_C1171 - Employ independent team for penetration testing | Manual, Disabled | 1.1.0 |
| Produce Security Assessment report | CMA_C1146 - Produce Security Assessment report | Manual, Disabled | 1.1.0 |
Information Security Policies
Policies for information security
ID: ISO 27001:2013 A.5.1.1 Ownership: Shared
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Determine supplier contract obligations | CMA_0140 - Determine supplier contract obligations | Manual, Disabled | 1.1.0 |
| Develop access control policies and procedures | CMA_0144 - Develop access control policies and procedures | Manual, Disabled | 1.1.0 |
| Develop and establish a system security plan | CMA_0151 - Develop and establish a system security plan | Manual, Disabled | 1.1.0 |
| Develop audit and accountability policies and procedures | CMA_0154 - Develop audit and accountability policies and procedures | Manual, Disabled | 1.1.0 |
| Develop information security policies and procedures | CMA_0158 - Develop information security policies and procedures | Manual, Disabled | 1.1.0 |
| Document acquisition contract acceptance criteria | CMA_0187 - Document acquisition contract acceptance criteria | Manual, Disabled | 1.1.0 |
| Document protection of personal data in acquisition contracts | CMA_0194 - Document protection of personal data in acquisition contracts | Manual, Disabled | 1.1.0 |
| Document protection of security information in acquisition contracts | CMA_0195 - Document protection of security information in acquisition contracts | Manual, Disabled | 1.1.0 |
| Document requirements for the use of shared data in contracts | CMA_0197 - Document requirements for the use of shared data in contracts | Manual, Disabled | 1.1.0 |
| Document security and privacy training activities | CMA_0198 - Document security and privacy training activities | Manual, Disabled | 1.1.0 |
| Document security assurance requirements in acquisition contracts | CMA_0199 - Document security assurance requirements in acquisition contracts | Manual, Disabled | 1.1.0 |
| Document security documentation requirements in acquisition contract | CMA_0200 - Document security documentation requirements in acquisition contract | Manual, Disabled | 1.1.0 |
| Document security functional requirements in acquisition contracts | CMA_0201 - Document security functional requirements in acquisition contracts | Manual, Disabled | 1.1.0 |
| Document security strength requirements in acquisition contracts | CMA_0203 - Document security strength requirements in acquisition contracts | Manual, Disabled | 1.1.0 |
| Document the information system environment in acquisition contracts | CMA_0205 - Document the information system environment in acquisition contracts | Manual, Disabled | 1.1.0 |
| Document the protection of cardholder data in third party contracts | CMA_0207 - Document the protection of cardholder data in third party contracts | Manual, Disabled | 1.1.0 |
| Enforce mandatory and discretionary access control policies | CMA_0246 - Enforce mandatory and discretionary access control policies | Manual, Disabled | 1.1.0 |
| Establish a privacy program | CMA_0257 - Establish a privacy program | Manual, Disabled | 1.1.0 |
| Establish an information security program | CMA_0263 - Establish an information security program | Manual, Disabled | 1.1.0 |
| Establish privacy requirements for contractors and service providers | CMA_C1810 - Establish privacy requirements for contractors and service providers | Manual, Disabled | 1.1.0 |
| Establish security requirements for the manufacturing of connected devices | CMA_0279 - Establish security requirements for the manufacturing of connected devices | Manual, Disabled | 1.1.0 |
| Govern policies and procedures | CMA_0292 - Govern policies and procedures | Manual, Disabled | 1.1.0 |
| Implement security engineering principles of information systems | CMA_0325 - Implement security engineering principles of information systems | Manual, Disabled | 1.1.0 |
| Manage compliance activities | CMA_0358 - Manage compliance activities | Manual, Disabled | 1.1.0 |
| Protect the information security program plan | CMA_C1732 - Protect the information security program plan | Manual, Disabled | 1.1.0 |
| Review access control policies and procedures | CMA_0457 - Review access control policies and procedures | Manual, Disabled | 1.1.0 |
| Review and update configuration management policies and procedures | CMA_C1175 - Review and update configuration management policies and procedures | Manual, Disabled | 1.1.0 |
| Review and update contingency planning policies and procedures | CMA_C1243 - Review and update contingency planning policies and procedures | Manual, Disabled | 1.1.0 |
| Review and update identification and authentication policies and procedures | CMA_C1299 - Review and update identification and authentication policies and procedures | Manual, Disabled | 1.1.0 |
| Review and update incident response policies and procedures | CMA_C1352 - Review and update incident response policies and procedures | Manual, Disabled | 1.1.0 |
| Review and update information integrity policies and procedures | CMA_C1667 - Review and update information integrity policies and procedures | Manual, Disabled | 1.1.0 |
| Review and update media protection policies and procedures | CMA_C1427 - Review and update media protection policies and procedures | Manual, Disabled | 1.1.0 |
| Review and update personnel security policies and procedures | CMA_C1507 - Review and update personnel security policies and procedures | Manual, Disabled | 1.1.0 |
| Review and update physical and environmental policies and procedures | CMA_C1446 - Review and update physical and environmental policies and procedures | Manual, Disabled | 1.1.0 |
| Review and update planning policies and procedures | CMA_C1491 - Review and update planning policies and procedures | Manual, Disabled | 1.1.0 |
| Review and update risk assessment policies and procedures | CMA_C1537 - Review and update risk assessment policies and procedures | Manual, Disabled | 1.1.0 |
| Review and update system and communications protection policies and procedures | CMA_C1616 - Review and update system and communications protection policies and procedures | Manual, Disabled | 1.1.0 |
| Review and update system and services acquisition policies and procedures | CMA_C1560 - Review and update system and services acquisition policies and procedures | Manual, Disabled | 1.1.0 |
| Review and update system maintenance policies and procedures | CMA_C1395 - Review and update system maintenance policies and procedures | Manual, Disabled | 1.1.0 |
| Review security assessment and authorization policies and procedures | CMA_C1143 - Review security assessment and authorization policies and procedures | Manual, Disabled | 1.1.0 |
| Update information security policies | CMA_0518 - Update information security policies | Manual, Disabled | 1.1.0 |
| Update privacy plan, policies, and procedures | CMA_C1807 - Update privacy plan, policies, and procedures | Manual, Disabled | 1.1.0 |
Review of the policies for information security
ID: ISO 27001:2013 A.5.1.2 Ownership: Shared
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Develop access control policies and procedures | CMA_0144 - Develop access control policies and procedures | Manual, Disabled | 1.1.0 |
| Develop and establish a system security plan | CMA_0151 - Develop and establish a system security plan | Manual, Disabled | 1.1.0 |
| Develop audit and accountability policies and procedures | CMA_0154 - Develop audit and accountability policies and procedures | Manual, Disabled | 1.1.0 |
| Develop information security policies and procedures | CMA_0158 - Develop information security policies and procedures | Manual, Disabled | 1.1.0 |
| Document security and privacy training activities | CMA_0198 - Document security and privacy training activities | Manual, Disabled | 1.1.0 |
| Enforce mandatory and discretionary access control policies | CMA_0246 - Enforce mandatory and discretionary access control policies | Manual, Disabled | 1.1.0 |
| Establish a privacy program | CMA_0257 - Establish a privacy program | Manual, Disabled | 1.1.0 |
| Establish an information security program | CMA_0263 - Establish an information security program | Manual, Disabled | 1.1.0 |
| Establish security requirements for the manufacturing of connected devices | CMA_0279 - Establish security requirements for the manufacturing of connected devices | Manual, Disabled | 1.1.0 |
| Govern policies and procedures | CMA_0292 - Govern policies and procedures | Manual, Disabled | 1.1.0 |
| Implement security engineering principles of information systems | CMA_0325 - Implement security engineering principles of information systems | Manual, Disabled | 1.1.0 |
| Protect the information security program plan | CMA_C1732 - Protect the information security program plan | Manual, Disabled | 1.1.0 |
| Review access control policies and procedures | CMA_0457 - Review access control policies and procedures | Manual, Disabled | 1.1.0 |
| Review and update configuration management policies and procedures | CMA_C1175 - Review and update configuration management policies and procedures | Manual, Disabled | 1.1.0 |
| Review and update contingency planning policies and procedures | CMA_C1243 - Review and update contingency planning policies and procedures | Manual, Disabled | 1.1.0 |
| Review and update identification and authentication policies and procedures | CMA_C1299 - Review and update identification and authentication policies and procedures | Manual, Disabled | 1.1.0 |
| Review and update incident response policies and procedures | CMA_C1352 - Review and update incident response policies and procedures | Manual, Disabled | 1.1.0 |
| Review and update information integrity policies and procedures | CMA_C1667 - Review and update information integrity policies and procedures | Manual, Disabled | 1.1.0 |
| Review and update media protection policies and procedures | CMA_C1427 - Review and update media protection policies and procedures | Manual, Disabled | 1.1.0 |
| Review and update personnel security policies and procedures | CMA_C1507 - Review and update personnel security policies and procedures | Manual, Disabled | 1.1.0 |
| Review and update physical and environmental policies and procedures | CMA_C1446 - Review and update physical and environmental policies and procedures | Manual, Disabled | 1.1.0 |
| Review and update planning policies and procedures | CMA_C1491 - Review and update planning policies and procedures | Manual, Disabled | 1.1.0 |
| Review and update risk assessment policies and procedures | CMA_C1537 - Review and update risk assessment policies and procedures | Manual, Disabled | 1.1.0 |
| Review and update system and communications protection policies and procedures | CMA_C1616 - Review and update system and communications protection policies and procedures | Manual, Disabled | 1.1.0 |
| Review and update system and services acquisition policies and procedures | CMA_C1560 - Review and update system and services acquisition policies and procedures | Manual, Disabled | 1.1.0 |
| Review and update system maintenance policies and procedures | CMA_C1395 - Review and update system maintenance policies and procedures | Manual, Disabled | 1.1.0 |
| Review security assessment and authorization policies and procedures | CMA_C1143 - Review security assessment and authorization policies and procedures | Manual, Disabled | 1.1.0 |
| Update information security policies | CMA_0518 - Update information security policies | Manual, Disabled | 1.1.0 |
| Update privacy plan, policies, and procedures | CMA_C1807 - Update privacy plan, policies, and procedures | Manual, Disabled | 1.1.0 |
Organization of Information Security
Information security roles and responsibilities
ID: ISO 27001:2013 A.6.1.1 Ownership: Shared
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Appoint a senior information security officer | CMA_C1733 - Appoint a senior information security officer | Manual, Disabled | 1.1.0 |
| Communicate contingency plan changes | CMA_C1249 - Communicate contingency plan changes | Manual, Disabled | 1.1.0 |
| Coordinate contingency plans with related plans | CMA_0086 - Coordinate contingency plans with related plans | Manual, Disabled | 1.1.0 |
| Create configuration plan protection | CMA_C1233 - Create configuration plan protection | Manual, Disabled | 1.1.0 |
| Define and document government oversight | CMA_C1587 - Define and document government oversight | Manual, Disabled | 1.1.0 |
| Define information security roles and responsibilities | CMA_C1565 - Define information security roles and responsibilities | Manual, Disabled | 1.1.0 |
| Designate individuals to fulfill specific roles and responsibilities | CMA_C1747 - Designate individuals to fulfill specific roles and responsibilities | Manual, Disabled | 1.1.0 |
| Determine supplier contract obligations | CMA_0140 - Determine supplier contract obligations | Manual, Disabled | 1.1.0 |
| Develop access control policies and procedures | CMA_0144 - Develop access control policies and procedures | Manual, Disabled | 1.1.0 |
| Develop and document a business continuity and disaster recovery plan | CMA_0146 - Develop and document a business continuity and disaster recovery plan | Manual, Disabled | 1.1.0 |
| Develop and establish a system security plan | CMA_0151 - Develop and establish a system security plan | Manual, Disabled | 1.1.0 |
| Develop and maintain baseline configurations | CMA_0153 - Develop and maintain baseline configurations | Manual, Disabled | 1.1.0 |
| Develop audit and accountability policies and procedures | CMA_0154 - Develop audit and accountability policies and procedures | Manual, Disabled | 1.1.0 |
| Develop configuration item identification plan | CMA_C1231 - Develop configuration item identification plan | Manual, Disabled | 1.1.0 |
| Develop configuration management plan | CMA_C1232 - Develop configuration management plan | Manual, Disabled | 1.1.0 |
| Develop contingency plan | CMA_C1244 - Develop contingency plan | Manual, Disabled | 1.1.0 |
| Develop contingency planning policies and procedures | CMA_0156 - Develop contingency planning policies and procedures | Manual, Disabled | 1.1.0 |
| Develop information security policies and procedures | CMA_0158 - Develop information security policies and procedures | Manual, Disabled | 1.1.0 |
| Distribute policies and procedures | CMA_0185 - Distribute policies and procedures | Manual, Disabled | 1.1.0 |
| Document acquisition contract acceptance criteria | CMA_0187 - Document acquisition contract acceptance criteria | Manual, Disabled | 1.1.0 |
| Document and implement privacy complaint procedures | CMA_0189 - Document and implement privacy complaint procedures | Manual, Disabled | 1.1.0 |
| Document protection of personal data in acquisition contracts | CMA_0194 - Document protection of personal data in acquisition contracts | Manual, Disabled | 1.1.0 |
| Document protection of security information in acquisition contracts | CMA_0195 - Document protection of security information in acquisition contracts | Manual, Disabled | 1.1.0 |
| Document requirements for the use of shared data in contracts | CMA_0197 - Document requirements for the use of shared data in contracts | Manual, Disabled | 1.1.0 |
| Document security and privacy training activities | CMA_0198 - Document security and privacy training activities | Manual, Disabled | 1.1.0 |
| Document security assurance requirements in acquisition contracts | CMA_0199 - Document security assurance requirements in acquisition contracts | Manual, Disabled | 1.1.0 |
| Document security documentation requirements in acquisition contract | CMA_0200 - Document security documentation requirements in acquisition contract | Manual, Disabled | 1.1.0 |
| Document security functional requirements in acquisition contracts | CMA_0201 - Document security functional requirements in acquisition contracts | Manual, Disabled | 1.1.0 |
| Document security strength requirements in acquisition contracts | CMA_0203 - Document security strength requirements in acquisition contracts | Manual, Disabled | 1.1.0 |
| Document the information system environment in acquisition contracts | CMA_0205 - Document the information system environment in acquisition contracts | Manual, Disabled | 1.1.0 |
| Document the protection of cardholder data in third party contracts | CMA_0207 - Document the protection of cardholder data in third party contracts | Manual, Disabled | 1.1.0 |
| Document third-party personnel security requirements | CMA_C1531 - Document third-party personnel security requirements | Manual, Disabled | 1.1.0 |
| Enforce mandatory and discretionary access control policies | CMA_0246 - Enforce mandatory and discretionary access control policies | Manual, Disabled | 1.1.0 |
| Ensure privacy program information is publicly available | CMA_C1867 - Ensure privacy program information is publicly available | Manual, Disabled | 1.1.0 |
| Establish a privacy program | CMA_0257 - Establish a privacy program | Manual, Disabled | 1.1.0 |
| Establish an information security program | CMA_0263 - Establish an information security program | Manual, Disabled | 1.1.0 |
| Establish and document a configuration management plan | CMA_0264 - Establish and document a configuration management plan | Manual, Disabled | 1.1.0 |
| Establish security requirements for the manufacturing of connected devices | CMA_0279 - Establish security requirements for the manufacturing of connected devices | Manual, Disabled | 1.1.0 |
| Establish third-party personnel security requirements | CMA_C1529 - Establish third-party personnel security requirements | Manual, Disabled | 1.1.0 |
| Govern policies and procedures | CMA_0292 - Govern policies and procedures | Manual, Disabled | 1.1.0 |
| Identify individuals with security roles and responsibilities | CMA_C1566 - Identify individuals with security roles and responsibilities | Manual, Disabled | 1.1.1 |
| Implement an automated configuration management tool | CMA_0311 - Implement an automated configuration management tool | Manual, Disabled | 1.1.0 |
| Implement security engineering principles of information systems | CMA_0325 - Implement security engineering principles of information systems | Manual, Disabled | 1.1.0 |
| Integrate risk management process into SDLC | CMA_C1567 - Integrate risk management process into SDLC | Manual, Disabled | 1.1.0 |
| Manage security state of information systems | CMA_C1746 - Manage security state of information systems | Manual, Disabled | 1.1.0 |
| Monitor third-party provider compliance | CMA_C1533 - Monitor third-party provider compliance | Manual, Disabled | 1.1.0 |
| Plan for resumption of essential business functions | CMA_C1253 - Plan for resumption of essential business functions | Manual, Disabled | 1.1.0 |
| Protect the information security program plan | CMA_C1732 - Protect the information security program plan | Manual, Disabled | 1.1.0 |
| Require external service providers to comply with security requirements | CMA_C1586 - Require external service providers to comply with security requirements | Manual, Disabled | 1.1.0 |
| Require notification of third-party personnel transfer or termination | CMA_C1532 - Require notification of third-party personnel transfer or termination | Manual, Disabled | 1.1.0 |
| Require third-party providers to comply with personnel security policies and procedures | CMA_C1530 - Require third-party providers to comply with personnel security policies and procedures | Manual, Disabled | 1.1.0 |
| Resume all mission and business functions | CMA_C1254 - Resume all mission and business functions | Manual, Disabled | 1.1.0 |
| Review access control policies and procedures | CMA_0457 - Review access control policies and procedures | Manual, Disabled | 1.1.0 |
| Review and update configuration management policies and procedures | CMA_C1175 - Review and update configuration management policies and procedures | Manual, Disabled | 1.1.0 |
| Review and update contingency planning policies and procedures | CMA_C1243 - Review and update contingency planning policies and procedures | Manual, Disabled | 1.1.0 |
| Review and update identification and authentication policies and procedures | CMA_C1299 - Review and update identification and authentication policies and procedures | Manual, Disabled | 1.1.0 |
| Review and update incident response policies and procedures | CMA_C1352 - Review and update incident response policies and procedures | Manual, Disabled | 1.1.0 |
| Review and update information integrity policies and procedures | CMA_C1667 - Review and update information integrity policies and procedures | Manual, Disabled | 1.1.0 |
| Review and update media protection policies and procedures | CMA_C1427 - Review and update media protection policies and procedures | Manual, Disabled | 1.1.0 |
| Review and update personnel security policies and procedures | CMA_C1507 - Review and update personnel security policies and procedures | Manual, Disabled | 1.1.0 |
| Review and update physical and environmental policies and procedures | CMA_C1446 - Review and update physical and environmental policies and procedures | Manual, Disabled | 1.1.0 |
| Review and update planning policies and procedures | CMA_C1491 - Review and update planning policies and procedures | Manual, Disabled | 1.1.0 |
| Review and update risk assessment policies and procedures | CMA_C1537 - Review and update risk assessment policies and procedures | Manual, Disabled | 1.1.0 |
| Review and update system and communications protection policies and procedures | CMA_C1616 - Review and update system and communications protection policies and procedures | Manual, Disabled | 1.1.0 |
| Review and update system and services acquisition policies and procedures | CMA_C1560 - Review and update system and services acquisition policies and procedures | Manual, Disabled | 1.1.0 |
| Review and update system maintenance policies and procedures | CMA_C1395 - Review and update system maintenance policies and procedures | Manual, Disabled | 1.1.0 |
| Review cloud service provider's compliance with policies and agreements | CMA_0469 - Review cloud service provider's compliance with policies and agreements | Manual, Disabled | 1.1.0 |
| Review contingency plan | CMA_C1247 - Review contingency plan | Manual, Disabled | 1.1.0 |
| Review security assessment and authorization policies and procedures | CMA_C1143 - Review security assessment and authorization policies and procedures | Manual, Disabled | 1.1.0 |
| Undergo independent security review | CMA_0515 - Undergo independent security review | Manual, Disabled | 1.1.0 |
| Update contingency plan | CMA_C1248 - Update contingency plan | Manual, Disabled | 1.1.0 |
| Update information security policies | CMA_0518 - Update information security policies | Manual, Disabled | 1.1.0 |
| Update privacy plan, policies, and procedures | CMA_C1807 - Update privacy plan, policies, and procedures | Manual, Disabled | 1.1.0 |
Segregation of Duties
ID: ISO 27001:2013 A.6.1.2 Ownership: Shared
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| A maximum of 3 owners should be designated for your subscription | It is recommended to designate up to 3 subscription owners in order to reduce the potential for breach by a compromised owner. | AuditIfNotExists, Disabled | 3.0.0 |
| Define access authorizations to support separation of duties | CMA_0116 - Define access authorizations to support separation of duties | Manual, Disabled | 1.1.0 |
| Document separation of duties | CMA_0204 - Document separation of duties | Manual, Disabled | 1.1.0 |
| Separate duties of individuals | CMA_0492 - Separate duties of individuals | Manual, Disabled | 1.1.0 |
| There should be more than one owner assigned to your subscription | It is recommended to designate more than one subscription owner in order to have administrator access redundancy. | AuditIfNotExists, Disabled | 3.0.0 |
Contact with authorities
ID: ISO 27001:2013 A.6.1.3 Ownership: Shared
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Establish a privacy program | CMA_0257 - Establish a privacy program | Manual, Disabled | 1.1.0 |
| Manage contacts for authorities and special interest groups | CMA_0359 - Manage contacts for authorities and special interest groups | Manual, Disabled | 1.1.0 |
Contact with special interest groups
ID: ISO 27001:2013 A.6.1.4 Ownership: Shared
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Disseminate security alerts to personnel | CMA_C1705 - Disseminate security alerts to personnel | Manual, Disabled | 1.1.0 |
| Establish a privacy program | CMA_0257 - Establish a privacy program | Manual, Disabled | 1.1.0 |
| Establish a threat intelligence program | CMA_0260 - Establish a threat intelligence program | Manual, Disabled | 1.1.0 |
| Generate internal security alerts | CMA_C1704 - Generate internal security alerts | Manual, Disabled | 1.1.0 |
| Implement security directives | CMA_C1706 - Implement security directives | Manual, Disabled | 1.1.0 |
| Manage contacts for authorities and special interest groups | CMA_0359 - Manage contacts for authorities and special interest groups | Manual, Disabled | 1.1.0 |
Information security in project management
ID: ISO 27001:2013 A.6.1.5 Ownership: Shared
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Align business objectives and IT goals | CMA_0008 - Align business objectives and IT goals | Manual, Disabled | 1.1.0 |
| Allocate resources in determining information system requirements | CMA_C1561 - Allocate resources in determining information system requirements | Manual, Disabled | 1.1.0 |
| Define and document government oversight | CMA_C1587 - Define and document government oversight | Manual, Disabled | 1.1.0 |
| Define information security roles and responsibilities | CMA_C1565 - Define information security roles and responsibilities | Manual, Disabled | 1.1.0 |
| Determine supplier contract obligations | CMA_0140 - Determine supplier contract obligations | Manual, Disabled | 1.1.0 |
| Document acquisition contract acceptance criteria | CMA_0187 - Document acquisition contract acceptance criteria | Manual, Disabled | 1.1.0 |
| Document protection of personal data in acquisition contracts | CMA_0194 - Document protection of personal data in acquisition contracts | Manual, Disabled | 1.1.0 |
| Document protection of security information in acquisition contracts | CMA_0195 - Document protection of security information in acquisition contracts | Manual, Disabled | 1.1.0 |
| Document requirements for the use of shared data in contracts | CMA_0197 - Document requirements for the use of shared data in contracts | Manual, Disabled | 1.1.0 |
| Document security assurance requirements in acquisition contracts | CMA_0199 - Document security assurance requirements in acquisition contracts | Manual, Disabled | 1.1.0 |
| Document security documentation requirements in acquisition contract | CMA_0200 - Document security documentation requirements in acquisition contract | Manual, Disabled | 1.1.0 |
| Document security functional requirements in acquisition contracts | CMA_0201 - Document security functional requirements in acquisition contracts | Manual, Disabled | 1.1.0 |
| Document security strength requirements in acquisition contracts | CMA_0203 - Document security strength requirements in acquisition contracts | Manual, Disabled | 1.1.0 |
| Document the information system environment in acquisition contracts | CMA_0205 - Document the information system environment in acquisition contracts | Manual, Disabled | 1.1.0 |
| Document the protection of cardholder data in third party contracts | CMA_0207 - Document the protection of cardholder data in third party contracts | Manual, Disabled | 1.1.0 |
| Establish a discrete line item in budgeting documentation | CMA_C1563 - Establish a discrete line item in budgeting documentation | Manual, Disabled | 1.1.0 |
| Establish a privacy program | CMA_0257 - Establish a privacy program | Manual, Disabled | 1.1.0 |
| Govern the allocation of resources | CMA_0293 - Govern the allocation of resources | Manual, Disabled | 1.1.0 |
| Identify individuals with security roles and responsibilities | CMA_C1566 - Identify individuals with security roles and responsibilities | Manual, Disabled | 1.1.1 |
| Integrate risk management process into SDLC | CMA_C1567 - Integrate risk management process into SDLC | Manual, Disabled | 1.1.0 |
| Require external service providers to comply with security requirements | CMA_C1586 - Require external service providers to comply with security requirements | Manual, Disabled | 1.1.0 |
| Review cloud service provider's compliance with policies and agreements | CMA_0469 - Review cloud service provider's compliance with policies and agreements | Manual, Disabled | 1.1.0 |
| Review development process, standards and tools | CMA_C1610 - Review development process, standards and tools | Manual, Disabled | 1.1.0 |
| Secure commitment from leadership | CMA_0489 - Secure commitment from leadership | Manual, Disabled | 1.1.0 |
| Undergo independent security review | CMA_0515 - Undergo independent security review | Manual, Disabled | 1.1.0 |
Mobile device policy
ID: ISO 27001:2013 A.6.2.1 Ownership: Shared
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Adopt biometric authentication mechanisms | CMA_0005 - Adopt biometric authentication mechanisms | Manual, Disabled | 1.1.0 |
| Authorize remote access | CMA_0024 - Authorize remote access | Manual, Disabled | 1.1.0 |
| Define mobile device requirements | CMA_0122 - Define mobile device requirements | Manual, Disabled | 1.1.0 |
| Document and implement wireless access guidelines | CMA_0190 - Document and implement wireless access guidelines | Manual, Disabled | 1.1.0 |
| Document mobility training | CMA_0191 - Document mobility training | Manual, Disabled | 1.1.0 |
| Document remote access guidelines | CMA_0196 - Document remote access guidelines | Manual, Disabled | 1.1.0 |
| Identify and authenticate network devices | CMA_0296 - Identify and authenticate network devices | Manual, Disabled | 1.1.0 |
| Implement controls to secure alternate work sites | CMA_0315 - Implement controls to secure alternate work sites | Manual, Disabled | 1.1.0 |
| Monitor access across the organization | CMA_0376 - Monitor access across the organization | Manual, Disabled | 1.1.0 |
| Notify users of system logon or access | CMA_0382 - Notify users of system logon or access | Manual, Disabled | 1.1.0 |
| Protect data in transit using encryption | CMA_0403 - Protect data in transit using encryption | Manual, Disabled | 1.1.0 |
| Protect wireless access | CMA_0411 - Protect wireless access | Manual, Disabled | 1.1.0 |
| Provide privacy training | CMA_0415 - Provide privacy training | Manual, Disabled | 1.1.0 |
Teleworking
ID: ISO 27001:2013 A.6.2.2 Ownership: Shared
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Adopt biometric authentication mechanisms | CMA_0005 - Adopt biometric authentication mechanisms | Manual, Disabled | 1.1.0 |
| Authorize access to security functions and information | CMA_0022 - Authorize access to security functions and information | Manual, Disabled | 1.1.0 |
| Authorize and manage access | CMA_0023 - Authorize and manage access | Manual, Disabled | 1.1.0 |
| Authorize remote access | CMA_0024 - Authorize remote access | Manual, Disabled | 1.1.0 |
| Document mobility training | CMA_0191 - Document mobility training | Manual, Disabled | 1.1.0 |
| Document remote access guidelines | CMA_0196 - Document remote access guidelines | Manual, Disabled | 1.1.0 |
| Enforce logical access | CMA_0245 - Enforce logical access | Manual, Disabled | 1.1.0 |
| Enforce mandatory and discretionary access control policies | CMA_0246 - Enforce mandatory and discretionary access control policies | Manual, Disabled | 1.1.0 |
| Identify and authenticate network devices | CMA_0296 - Identify and authenticate network devices | Manual, Disabled | 1.1.0 |
| Implement controls to secure alternate work sites | CMA_0315 - Implement controls to secure alternate work sites | Manual, Disabled | 1.1.0 |
| Monitor access across the organization | CMA_0376 - Monitor access across the organization | Manual, Disabled | 1.1.0 |
| Notify users of system logon or access | CMA_0382 - Notify users of system logon or access | Manual, Disabled | 1.1.0 |
| Protect data in transit using encryption | CMA_0403 - Protect data in transit using encryption | Manual, Disabled | 1.1.0 |
| Provide privacy training | CMA_0415 - Provide privacy training | Manual, Disabled | 1.1.0 |
| Require approval for account creation | CMA_0431 - Require approval for account creation | Manual, Disabled | 1.1.0 |
| Review user groups and applications with access to sensitive data | CMA_0481 - Review user groups and applications with access to sensitive data | Manual, Disabled | 1.1.0 |
Human Resources Security
Screening
ID: ISO 27001:2013 A.7.1.1 Ownership: Shared
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Clear personnel with access to classified information | CMA_0054 - Clear personnel with access to classified information | Manual, Disabled | 1.1.0 |
| Implement personnel screening | CMA_0322 - Implement personnel screening | Manual, Disabled | 1.1.0 |
| Rescreen individuals at a defined frequency | CMA_C1512 - Rescreen individuals at a defined frequency | Manual, Disabled | 1.1.0 |
Terms and conditions of employment
ID: ISO 27001:2013 A.7.1.2 Ownership: Shared
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Determine supplier contract obligations | CMA_0140 - Determine supplier contract obligations | Manual, Disabled | 1.1.0 |
| Develop acceptable use policies and procedures | CMA_0143 - Develop acceptable use policies and procedures | Manual, Disabled | 1.1.0 |
| Develop security safeguards | CMA_0161 - Develop security safeguards | Manual, Disabled | 1.1.0 |
| Document acquisition contract acceptance criteria | CMA_0187 - Document acquisition contract acceptance criteria | Manual, Disabled | 1.1.0 |
| Document organizational access agreements | CMA_0192 - Document organizational access agreements | Manual, Disabled | 1.1.0 |
| Document personnel acceptance of privacy requirements | CMA_0193 - Document personnel acceptance of privacy requirements | Manual, Disabled | 1.1.0 |
| Document protection of personal data in acquisition contracts | CMA_0194 - Document protection of personal data in acquisition contracts | Manual, Disabled | 1.1.0 |
| Document protection of security information in acquisition contracts | CMA_0195 - Document protection of security information in acquisition contracts | Manual, Disabled | 1.1.0 |
| Document requirements for the use of shared data in contracts | CMA_0197 - Document requirements for the use of shared data in contracts | Manual, Disabled | 1.1.0 |
| Document security assurance requirements in acquisition contracts | CMA_0199 - Document security assurance requirements in acquisition contracts | Manual, Disabled | 1.1.0 |
| Document security documentation requirements in acquisition contract | CMA_0200 - Document security documentation requirements in acquisition contract | Manual, Disabled | 1.1.0 |
| Document security functional requirements in acquisition contracts | CMA_0201 - Document security functional requirements in acquisition contracts | Manual, Disabled | 1.1.0 |
| Document security strength requirements in acquisition contracts | CMA_0203 - Document security strength requirements in acquisition contracts | Manual, Disabled | 1.1.0 |
| Document the information system environment in acquisition contracts | CMA_0205 - Document the information system environment in acquisition contracts | Manual, Disabled | 1.1.0 |
| Document the protection of cardholder data in third party contracts | CMA_0207 - Document the protection of cardholder data in third party contracts | Manual, Disabled | 1.1.0 |
| Enforce rules of behavior and access agreements | CMA_0248 - Enforce rules of behavior and access agreements | Manual, Disabled | 1.1.0 |
| Ensure access agreements are signed or resigned timely | CMA_C1528 - Ensure access agreements are signed or resigned timely | Manual, Disabled | 1.1.0 |
| Ensure privacy program information is publicly available | CMA_C1867 - Ensure privacy program information is publicly available | Manual, Disabled | 1.1.0 |
| Establish a privacy program | CMA_0257 - Establish a privacy program | Manual, Disabled | 1.1.0 |
| Implement privacy notice delivery methods | CMA_0324 - Implement privacy notice delivery methods | Manual, Disabled | 1.1.0 |
| Obtain consent prior to collection or processing of personal data | CMA_0385 - Obtain consent prior to collection or processing of personal data | Manual, Disabled | 1.1.0 |
| Provide privacy notice | CMA_0414 - Provide privacy notice | Manual, Disabled | 1.1.0 |
| Require users to sign access agreement | CMA_0440 - Require users to sign access agreement | Manual, Disabled | 1.1.0 |
| Update organizational access agreements | CMA_0520 - Update organizational access agreements | Manual, Disabled | 1.1.0 |
Management responsibilities
ID: ISO 27001:2013 A.7.2.1 Ownership: Shared
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Define and document government oversight | CMA_C1587 - Define and document government oversight | Manual, Disabled | 1.1.0 |
| Determine supplier contract obligations | CMA_0140 - Determine supplier contract obligations | Manual, Disabled | 1.1.0 |
| Develop acceptable use policies and procedures | CMA_0143 - Develop acceptable use policies and procedures | Manual, Disabled | 1.1.0 |
| Document acquisition contract acceptance criteria | CMA_0187 - Document acquisition contract acceptance criteria | Manual, Disabled | 1.1.0 |
| Document organizational access agreements | CMA_0192 - Document organizational access agreements | Manual, Disabled | 1.1.0 |
| Document protection of personal data in acquisition contracts | CMA_0194 - Document protection of personal data in acquisition contracts | Manual, Disabled | 1.1.0 |
| Document protection of security information in acquisition contracts | CMA_0195 - Document protection of security information in acquisition contracts | Manual, Disabled | 1.1.0 |
| Document requirements for the use of shared data in contracts | CMA_0197 - Document requirements for the use of shared data in contracts | Manual, Disabled | 1.1.0 |
| Document security assurance requirements in acquisition contracts | CMA_0199 - Document security assurance requirements in acquisition contracts | Manual, Disabled | 1.1.0 |
| Document security documentation requirements in acquisition contract | CMA_0200 - Document security documentation requirements in acquisition contract | Manual, Disabled | 1.1.0 |
| Document security functional requirements in acquisition contracts | CMA_0201 - Document security functional requirements in acquisition contracts | Manual, Disabled | 1.1.0 |
| Document security strength requirements in acquisition contracts | CMA_0203 - Document security strength requirements in acquisition contracts | Manual, Disabled | 1.1.0 |
| Document the information system environment in acquisition contracts | CMA_0205 - Document the information system environment in acquisition contracts | Manual, Disabled | 1.1.0 |
| Document the protection of cardholder data in third party contracts | CMA_0207 - Document the protection of cardholder data in third party contracts | Manual, Disabled | 1.1.0 |
| Document third-party personnel security requirements | CMA_C1531 - Document third-party personnel security requirements | Manual, Disabled | 1.1.0 |
| Enforce rules of behavior and access agreements | CMA_0248 - Enforce rules of behavior and access agreements | Manual, Disabled | 1.1.0 |
| Ensure access agreements are signed or resigned timely | CMA_C1528 - Ensure access agreements are signed or resigned timely | Manual, Disabled | 1.1.0 |
| Establish third-party personnel security requirements | CMA_C1529 - Establish third-party personnel security requirements | Manual, Disabled | 1.1.0 |
| Monitor third-party provider compliance | CMA_C1533 - Monitor third-party provider compliance | Manual, Disabled | 1.1.0 |
| Require external service providers to comply with security requirements | CMA_C1586 - Require external service providers to comply with security requirements | Manual, Disabled | 1.1.0 |
| Require notification of third-party personnel transfer or termination | CMA_C1532 - Require notification of third-party personnel transfer or termination | Manual, Disabled | 1.1.0 |
| Require third-party providers to comply with personnel security policies and procedures | CMA_C1530 - Require third-party providers to comply with personnel security policies and procedures | Manual, Disabled | 1.1.0 |
| Require users to sign access agreement | CMA_0440 - Require users to sign access agreement | Manual, Disabled | 1.1.0 |
| Review cloud service provider's compliance with policies and agreements | CMA_0469 - Review cloud service provider's compliance with policies and agreements | Manual, Disabled | 1.1.0 |
| Undergo independent security review | CMA_0515 - Undergo independent security review | Manual, Disabled | 1.1.0 |
| Update organizational access agreements | CMA_0520 - Update organizational access agreements | Manual, Disabled | 1.1.0 |
Information security awareness, education and training
ID: ISO 27001:2013 A.7.2.2 Ownership: Shared
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Document security and privacy training activities | CMA_0198 - Document security and privacy training activities | Manual, Disabled | 1.1.0 |
| Employ automated training environment | CMA_C1357 - Employ automated training environment | Manual, Disabled | 1.1.0 |
| Establish information security workforce development and improvement program | CMA_C1752 - Establish information security workforce development and improvement program | Manual, Disabled | 1.1.0 |
| Monitor security and privacy training completion | CMA_0379 - Monitor security and privacy training completion | Manual, Disabled | 1.1.0 |
| Provide contingency training | CMA_0412 - Provide contingency training | Manual, Disabled | 1.1.0 |
| Provide information spillage training | CMA_0413 - Provide information spillage training | Manual, Disabled | 1.1.0 |
| Provide periodic role-based security training | CMA_C1095 - Provide periodic role-based security training | Manual, Disabled | 1.1.0 |
| Provide periodic security awareness training | CMA_C1091 - Provide periodic security awareness training | Manual, Disabled | 1.1.0 |
| Provide privacy training | CMA_0415 - Provide privacy training | Manual, Disabled | 1.1.0 |
| Provide role-based security training | CMA_C1094 - Provide role-based security training | Manual, Disabled | 1.1.0 |
| Provide security training before providing access | CMA_0418 - Provide security training before providing access | Manual, Disabled | 1.1.0 |
| Provide security training for new users | CMA_0419 - Provide security training for new users | Manual, Disabled | 1.1.0 |
| Provide updated security awareness training | CMA_C1090 - Provide updated security awareness training | Manual, Disabled | 1.1.0 |
| Retain training records | CMA_0456 - Retain training records | Manual, Disabled | 1.1.0 |
| Train personnel on disclosure of nonpublic information | CMA_C1084 - Train personnel on disclosure of nonpublic information | Manual, Disabled | 1.1.0 |
Disciplinary process
ID: ISO 27001:2013 A.7.2.3 Ownership: Shared
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Implement formal sanctions process | CMA_0317 - Implement formal sanctions process | Manual, Disabled | 1.1.0 |
| Notify personnel upon sanctions | CMA_0380 - Notify personnel upon sanctions | Manual, Disabled | 1.1.0 |
Termination or change of employment responsibilities
ID: ISO 27001:2013 A.7.3.1 Ownership: Shared
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Conduct exit interview upon termination | CMA_0058 - Conduct exit interview upon termination | Manual, Disabled | 1.1.0 |
| Disable authenticators upon termination | CMA_0169 - Disable authenticators upon termination | Manual, Disabled | 1.1.0 |
| Initiate transfer or reassignment actions | CMA_0333 - Initiate transfer or reassignment actions | Manual, Disabled | 1.1.0 |
| Modify access authorizations upon personnel transfer | CMA_0374 - Modify access authorizations upon personnel transfer | Manual, Disabled | 1.1.0 |
| Notify upon termination or transfer | CMA_0381 - Notify upon termination or transfer | Manual, Disabled | 1.1.0 |
| Protect against and prevent data theft from departing employees | CMA_0398 - Protect against and prevent data theft from departing employees | Manual, Disabled | 1.1.0 |
| Reevaluate access upon personnel transfer | CMA_0424 - Reevaluate access upon personnel transfer | Manual, Disabled | 1.1.0 |
| Retain terminated user data | CMA_0455 - Retain terminated user data | Manual, Disabled | 1.1.0 |
Asset Management
Inventory of assets
ID: ISO 27001:2013 A.8.1.1 Ownership: Shared
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Create a data inventory | CMA_0096 - Create a data inventory | Manual, Disabled | 1.1.0 |
| Maintain records of processing of personal data | CMA_0353 - Maintain records of processing of personal data | Manual, Disabled | 1.1.0 |
Ownership of assets
ID: ISO 27001:2013 A.8.1.2 Ownership: Shared
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Block untrusted and unsigned processes that run from USB | CMA_0050 - Block untrusted and unsigned processes that run from USB | Manual, Disabled | 1.1.0 |
| Control use of portable storage devices | CMA_0083 - Control use of portable storage devices | Manual, Disabled | 1.1.0 |
| Create a data inventory | CMA_0096 - Create a data inventory | Manual, Disabled | 1.1.0 |
| Establish and maintain an asset inventory | CMA_0266 - Establish and maintain an asset inventory | Manual, Disabled | 1.1.0 |
| Implement controls to secure all media | CMA_0314 - Implement controls to secure all media | Manual, Disabled | 1.1.0 |
| Maintain records of processing of personal data | CMA_0353 - Maintain records of processing of personal data | Manual, Disabled | 1.1.0 |
| Restrict media use | CMA_0450 - Restrict media use | Manual, Disabled | 1.1.0 |
Acceptable use of assets
ID: ISO 27001:2013 A.8.1.3 Ownership: Shared
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Develop acceptable use policies and procedures | CMA_0143 - Develop acceptable use policies and procedures | Manual, Disabled | 1.1.0 |
| Enforce rules of behavior and access agreements | CMA_0248 - Enforce rules of behavior and access agreements | Manual, Disabled | 1.1.0 |
Return of assets
ID: ISO 27001:2013 A.8.1.4 Ownership: Shared
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Conduct exit interview upon termination | CMA_0058 - Conduct exit interview upon termination | Manual, Disabled | 1.1.0 |
| Disable authenticators upon termination | CMA_0169 - Disable authenticators upon termination | Manual, Disabled | 1.1.0 |
| Initiate transfer or reassignment actions | CMA_0333 - Initiate transfer or reassignment actions | Manual, Disabled | 1.1.0 |
| Modify access authorizations upon personnel transfer | CMA_0374 - Modify access authorizations upon personnel transfer | Manual, Disabled | 1.1.0 |
| Notify upon termination or transfer | CMA_0381 - Notify upon termination or transfer | Manual, Disabled | 1.1.0 |
| Protect against and prevent data theft from departing employees | CMA_0398 - Protect against and prevent data theft from departing employees | Manual, Disabled | 1.1.0 |
| Reevaluate access upon personnel transfer | CMA_0424 - Reevaluate access upon personnel transfer | Manual, Disabled | 1.1.0 |
| Retain terminated user data | CMA_0455 - Retain terminated user data | Manual, Disabled | 1.1.0 |
Classification of information
ID: ISO 27001:2013 A.8.2.1 Ownership: Shared
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Categorize information | CMA_0052 - Categorize information | Manual, Disabled | 1.1.0 |
| Develop business classification schemes | CMA_0155 - Develop business classification schemes | Manual, Disabled | 1.1.0 |
| Ensure security categorization is approved | CMA_C1540 - Ensure security categorization is approved | Manual, Disabled | 1.1.0 |
| Review label activity and analytics | CMA_0474 - Review label activity and analytics | Manual, Disabled | 1.1.0 |
| SQL databases should have vulnerability findings resolved | Monitor vulnerability assessment scan results and recommendations for how to remediate database vulnerabilities. | AuditIfNotExists, Disabled | 4.1.0 |
Labelling of information
ID: ISO 27001:2013 A.8.2.2 Ownership: Shared
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Control physical access | CMA_0081 - Control physical access | Manual, Disabled | 1.1.0 |
| Implement controls to secure all media | CMA_0314 - Implement controls to secure all media | Manual, Disabled | 1.1.0 |
| Manage the input, output, processing, and storage of data | CMA_0369 - Manage the input, output, processing, and storage of data | Manual, Disabled | 1.1.0 |
| Review label activity and analytics | CMA_0474 - Review label activity and analytics | Manual, Disabled | 1.1.0 |
Handling of assets
ID: ISO 27001:2013 A.8.2.3 Ownership: Shared
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Block untrusted and unsigned processes that run from USB | CMA_0050 - Block untrusted and unsigned processes that run from USB | Manual, Disabled | 1.1.0 |
| Configure workstations to check for digital certificates | CMA_0073 - Configure workstations to check for digital certificates | Manual, Disabled | 1.1.0 |
| Control information flow | CMA_0079 - Control information flow | Manual, Disabled | 1.1.0 |
| Control physical access | CMA_0081 - Control physical access | Manual, Disabled | 1.1.0 |
| Control use of portable storage devices | CMA_0083 - Control use of portable storage devices | Manual, Disabled | 1.1.0 |
| Define requirements for managing assets | CMA_0125 - Define requirements for managing assets | Manual, Disabled | 1.1.0 |
| Employ a media sanitization mechanism | CMA_0208 - Employ a media sanitization mechanism | Manual, Disabled | 1.1.0 |
| Establish a data leakage management procedure | CMA_0255 - Establish a data leakage management procedure | Manual, Disabled | 1.1.0 |
| Establish and document change control processes | CMA_0265 - Establish and document change control processes | Manual, Disabled | 1.1.0 |
| Establish configuration management requirements for developers | CMA_0270 - Establish configuration management requirements for developers | Manual, Disabled | 1.1.0 |
| Establish firewall and router configuration standards | CMA_0272 - Establish firewall and router configuration standards | Manual, Disabled | 1.1.0 |
| Establish network segmentation for card holder data environment | CMA_0273 - Establish network segmentation for card holder data environment | Manual, Disabled | 1.1.0 |
| Identify and manage downstream information exchanges | CMA_0298 - Identify and manage downstream information exchanges | Manual, Disabled | 1.1.0 |
| Implement a fault tolerant name/address service | CMA_0305 - Implement a fault tolerant name/address service | Manual, Disabled | 1.1.0 |
| Implement controls to secure all media | CMA_0314 - Implement controls to secure all media | Manual, Disabled | 1.1.0 |
| Implement physical security for offices, working areas, and secure areas | CMA_0323 - Implement physical security for offices, working areas, and secure areas | Manual, Disabled | 1.1.0 |
| Manage the input, output, processing, and storage of data | CMA_0369 - Manage the input, output, processing, and storage of data | Manual, Disabled | 1.1.0 |
| Manage the transportation of assets | CMA_0370 - Manage the transportation of assets | Manual, Disabled | 1.1.0 |
| Perform audit for configuration change control | CMA_0390 - Perform audit for configuration change control | Manual, Disabled | 1.1.0 |
| Produce, control and distribute asymmetric cryptographic keys | CMA_C1646 - Produce, control and distribute asymmetric cryptographic keys | Manual, Disabled | 1.1.0 |
| Protect data in transit using encryption | CMA_0403 - Protect data in transit using encryption | Manual, Disabled | 1.1.0 |
| Protect passwords with encryption | CMA_0408 - Protect passwords with encryption | Manual, Disabled | 1.1.0 |
| Protect special information | CMA_0409 - Protect special information | Manual, Disabled | 1.1.0 |
| Provide secure name and address resolution services | CMA_0416 - Provide secure name and address resolution services | Manual, Disabled | 1.1.0 |
| Restrict media use | CMA_0450 - Restrict media use | Manual, Disabled | 1.1.0 |
| Review label activity and analytics | CMA_0474 - Review label activity and analytics | Manual, Disabled | 1.1.0 |
Management of removable media
ID: ISO 27001:2013 A.8.3.1 Ownership: Shared
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Block untrusted and unsigned processes that run from USB | CMA_0050 - Block untrusted and unsigned processes that run from USB | Manual, Disabled | 1.1.0 |
| Control use of portable storage devices | CMA_0083 - Control use of portable storage devices | Manual, Disabled | 1.1.0 |
| Employ a media sanitization mechanism | CMA_0208 - Employ a media sanitization mechanism | Manual, Disabled | 1.1.0 |
| Implement controls to secure all media | CMA_0314 - Implement controls to secure all media | Manual, Disabled | 1.1.0 |
| Manage the transportation of assets | CMA_0370 - Manage the transportation of assets | Manual, Disabled | 1.1.0 |
| Restrict media use | CMA_0450 - Restrict media use | Manual, Disabled | 1.1.0 |
Disposal of media
ID: ISO 27001:2013 A.8.3.2 Ownership: Shared
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Employ a media sanitization mechanism | CMA_0208 - Employ a media sanitization mechanism | Manual, Disabled | 1.1.0 |
| Implement controls to secure all media | CMA_0314 - Implement controls to secure all media | Manual, Disabled | 1.1.0 |
Physical media transfer
ID: ISO 27001:2013 A.8.3.3 Ownership: Shared
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Implement controls to secure all media | CMA_0314 - Implement controls to secure all media | Manual, Disabled | 1.1.0 |
| Manage the transportation of assets | CMA_0370 - Manage the transportation of assets | Manual, Disabled | 1.1.0 |
Access Control
Access control policy
ID: ISO 27001:2013 A.9.1.1 Ownership: Shared
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Develop access control policies and procedures | CMA_0144 - Develop access control policies and procedures | Manual, Disabled | 1.1.0 |
| Enforce mandatory and discretionary access control policies | CMA_0246 - Enforce mandatory and discretionary access control policies | Manual, Disabled | 1.1.0 |
| Govern policies and procedures | CMA_0292 - Govern policies and procedures | Manual, Disabled | 1.1.0 |
| Review access control policies and procedures | CMA_0457 - Review access control policies and procedures | Manual, Disabled | 1.1.0 |
Access to networks and network services
ID: ISO 27001:2013 A.9.1.2 Ownership: Shared
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Add system-assigned managed identity to enable Guest Configuration assignments on virtual machines with no identities | This policy adds a system-assigned managed identity to virtual machines hosted in Azure that are supported by Guest Configuration but do not have any managed identities. A system-assigned managed identity is a prerequisite for all Guest Configuration assignments and must be added to machines before using any Guest Configuration policy definitions. For more information on Guest Configuration, visit https://aka.ms/gcpol. | modify | 4.1.0 |
| Add system-assigned managed identity to enable Guest Configuration assignments on VMs with a user-assigned identity | This policy adds a system-assigned managed identity to virtual machines hosted in Azure that are supported by Guest Configuration and have at least one user-assigned identity but do not have a system-assigned managed identity. A system-assigned managed identity is a prerequisite for all Guest Configuration assignments and must be added to machines before using any Guest Configuration policy definitions. For more information on Guest Configuration, visit https://aka.ms/gcpol. | modify | 4.1.0 |
| Adopt biometric authentication mechanisms | CMA_0005 - Adopt biometric authentication mechanisms | Manual, Disabled | 1.1.0 |
| Audit Linux machines that allow remote connections from accounts without passwords | Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if Linux machines that allow remote connections from accounts without passwords | AuditIfNotExists, Disabled | 3.1.0 |
| Audit Linux machines that have accounts without passwords | Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if Linux machines that have accounts without passwords | AuditIfNotExists, Disabled | 3.1.0 |
| Audit VMs that do not use managed disks | This policy audits VMs that do not use managed disks | audit | 1.0.0 |
| Authorize access to security functions and information | CMA_0022 - Authorize access to security functions and information | Manual, Disabled | 1.1.0 |
| Authorize and manage access | CMA_0023 - Authorize and manage access | Manual, Disabled | 1.1.0 |
| Automate account management | CMA_0026 - Automate account management | Manual, Disabled | 1.1.0 |
| Deploy the Linux Guest Configuration extension to enable Guest Configuration assignments on Linux VMs | This policy deploys the Linux Guest Configuration extension to Linux virtual machines hosted in Azure that are supported by Guest Configuration. The Linux Guest Configuration extension is a prerequisite for all Linux Guest Configuration assignments and must be deployed to machines before using any Linux Guest Configuration policy definition. For more information on Guest Configuration, visit https://aka.ms/gcpol. | deployIfNotExists | 3.1.0 |
| Design an access control model | CMA_0129 - Design an access control model | Manual, Disabled | 1.1.0 |
| Employ least privilege access | CMA_0212 - Employ least privilege access | Manual, Disabled | 1.1.0 |
| Enable detection of network devices | CMA_0220 - Enable detection of network devices | Manual, Disabled | 1.1.0 |
| Enforce logical access | CMA_0245 - Enforce logical access | Manual, Disabled | 1.1.0 |
| Enforce mandatory and discretionary access control policies | CMA_0246 - Enforce mandatory and discretionary access control policies | Manual, Disabled | 1.1.0 |
| Enforce user uniqueness | CMA_0250 - Enforce user uniqueness | Manual, Disabled | 1.1.0 |
| Establish electronic signature and certificate requirements | CMA_0271 - Establish electronic signature and certificate requirements | Manual, Disabled | 1.1.0 |
| Identify actions allowed without authentication | CMA_0295 - Identify actions allowed without authentication | Manual, Disabled | 1.1.0 |
| Identify and authenticate non-organizational users | CMA_C1346 - Identify and authenticate non-organizational users | Manual, Disabled | 1.1.0 |
| Manage system and admin accounts | CMA_0368 - Manage system and admin accounts | Manual, Disabled | 1.1.0 |
| Monitor access across the organization | CMA_0376 - Monitor access across the organization | Manual, Disabled | 1.1.0 |
| Notify when account is not needed | CMA_0383 - Notify when account is not needed | Manual, Disabled | 1.1.0 |
| Require approval for account creation | CMA_0431 - Require approval for account creation | Manual, Disabled | 1.1.0 |
| Review user groups and applications with access to sensitive data | CMA_0481 - Review user groups and applications with access to sensitive data | Manual, Disabled | 1.1.0 |
| Route traffic through managed network access points | CMA_0484 - Route traffic through managed network access points | Manual, Disabled | 1.1.0 |
| Set automated notifications for new and trending cloud applications in your organization | CMA_0495 - Set automated notifications for new and trending cloud applications in your organization | Manual, Disabled | 1.1.0 |
| Storage accounts should be migrated to new Azure Resource Manager resources | Use new Azure Resource Manager for your storage accounts to provide security enhancements such as: stronger access control (RBAC), better auditing, Azure Resource Manager based deployment and governance, access to managed identities, access to key vault for secrets, Azure AD-based authentication and support for tags and resource groups for easier security management | Audit, Deny, Disabled | 1.0.0 |
| Support personal verification credentials issued by legal authorities | CMA_0507 - Support personal verification credentials issued by legal authorities | Manual, Disabled | 1.1.0 |
| Virtual machines should be migrated to new Azure Resource Manager resources | Use new Azure Resource Manager for your virtual machines to provide security enhancements such as: stronger access control (RBAC), better auditing, Azure Resource Manager based deployment and governance, access to managed identities, access to key vault for secrets, Azure AD-based authentication and support for tags and resource groups for easier security management | Audit, Deny, Disabled | 1.0.0 |
User registration and de-registration
ID: ISO 27001:2013 A.9.2.1 Ownership: Shared
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Assign account managers | CMA_0015 - Assign account managers | Manual, Disabled | 1.1.0 |
| Assign system identifiers | CMA_0018 - Assign system identifiers | Manual, Disabled | 1.1.0 |
| Audit user account status | CMA_0020 - Audit user account status | Manual, Disabled | 1.1.0 |
| Define information system account types | CMA_0121 - Define information system account types | Manual, Disabled | 1.1.0 |
| Document access privileges | CMA_0186 - Document access privileges | Manual, Disabled | 1.1.0 |
| Enable detection of network devices | CMA_0220 - Enable detection of network devices | Manual, Disabled | 1.1.0 |
| Enforce user uniqueness | CMA_0250 - Enforce user uniqueness | Manual, Disabled | 1.1.0 |
| Establish authenticator types and processes | CMA_0267 - Establish authenticator types and processes | Manual, Disabled | 1.1.0 |
| Establish conditions for role membership | CMA_0269 - Establish conditions for role membership | Manual, Disabled | 1.1.0 |
| Establish procedures for initial authenticator distribution | CMA_0276 - Establish procedures for initial authenticator distribution | Manual, Disabled | 1.1.0 |
| Identify actions allowed without authentication | CMA_0295 - Identify actions allowed without authentication | Manual, Disabled | 1.1.0 |
| Identify and authenticate non-organizational users | CMA_C1346 - Identify and authenticate non-organizational users | Manual, Disabled | 1.1.0 |
| Implement training for protecting authenticators | CMA_0329 - Implement training for protecting authenticators | Manual, Disabled | 1.1.0 |
| Manage authenticator lifetime and reuse | CMA_0355 - Manage authenticator lifetime and reuse | Manual, Disabled | 1.1.0 |
| Manage Authenticators | CMA_C1321 - Manage Authenticators | Manual, Disabled | 1.1.0 |
| Notify Account Managers of customer controlled accounts | CMA_C1009 - Notify Account Managers of customer controlled accounts | Manual, Disabled | 1.1.0 |
| Prevent identifier reuse for the defined time period | CMA_C1314 - Prevent identifier reuse for the defined time period | Manual, Disabled | 1.1.0 |
| Refresh authenticators | CMA_0425 - Refresh authenticators | Manual, Disabled | 1.1.0 |
| Reissue authenticators for changed groups and accounts | CMA_0426 - Reissue authenticators for changed groups and accounts | Manual, Disabled | 1.1.0 |
| Require approval for account creation | CMA_0431 - Require approval for account creation | Manual, Disabled | 1.1.0 |
| Restrict access to privileged accounts | CMA_0446 - Restrict access to privileged accounts | Manual, Disabled | 1.1.0 |
| Review account provisioning logs | CMA_0460 - Review account provisioning logs | Manual, Disabled | 1.1.0 |
| Review and reevaluate privileges | CMA_C1207 - Review and reevaluate privileges | Manual, Disabled | 1.1.0 |
| Review user accounts | CMA_0480 - Review user accounts | Manual, Disabled | 1.1.0 |
| Set automated notifications for new and trending cloud applications in your organization | CMA_0495 - Set automated notifications for new and trending cloud applications in your organization | Manual, Disabled | 1.1.0 |
| Support personal verification credentials issued by legal authorities | CMA_0507 - Support personal verification credentials issued by legal authorities | Manual, Disabled | 1.1.0 |
| Verify identity before distributing authenticators | CMA_0538 - Verify identity before distributing authenticators | Manual, Disabled | 1.1.0 |
User access provisioning
ID: ISO 27001:2013 A.9.2.2 Ownership: Shared
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Assign account managers | CMA_0015 - Assign account managers | Manual, Disabled | 1.1.0 |
| Audit user account status | CMA_0020 - Audit user account status | Manual, Disabled | 1.1.0 |
| Authorize access to security functions and information | CMA_0022 - Authorize access to security functions and information | Manual, Disabled | 1.1.0 |
| Authorize and manage access | CMA_0023 - Authorize and manage access | Manual, Disabled | 1.1.0 |
| Automate account management | CMA_0026 - Automate account management | Manual, Disabled | 1.1.0 |
| Define information system account types | CMA_0121 - Define information system account types | Manual, Disabled | 1.1.0 |
| Document access privileges | CMA_0186 - Document access privileges | Manual, Disabled | 1.1.0 |
| Enforce mandatory and discretionary access control policies | CMA_0246 - Enforce mandatory and discretionary access control policies | Manual, Disabled | 1.1.0 |
| Establish conditions for role membership | CMA_0269 - Establish conditions for role membership | Manual, Disabled | 1.1.0 |
| Limit privileges to make changes in production environment | CMA_C1206 - Limit privileges to make changes in production environment | Manual, Disabled | 1.1.0 |
| Manage system and admin accounts | CMA_0368 - Manage system and admin accounts | Manual, Disabled | 1.1.0 |
| Monitor access across the organization | CMA_0376 - Monitor access across the organization | Manual, Disabled | 1.1.0 |
| Notify Account Managers of customer controlled accounts | CMA_C1009 - Notify Account Managers of customer controlled accounts | Manual, Disabled | 1.1.0 |
| Notify when account is not needed | CMA_0383 - Notify when account is not needed | Manual, Disabled | 1.1.0 |
| Require approval for account creation | CMA_0431 - Require approval for account creation | Manual, Disabled | 1.1.0 |
| Restrict access to privileged accounts | CMA_0446 - Restrict access to privileged accounts | Manual, Disabled | 1.1.0 |
| Review account provisioning logs | CMA_0460 - Review account provisioning logs | Manual, Disabled | 1.1.0 |
| Review and reevaluate privileges | CMA_C1207 - Review and reevaluate privileges | Manual, Disabled | 1.1.0 |
| Review user accounts | CMA_0480 - Review user accounts | Manual, Disabled | 1.1.0 |
Management of privileged access rights
ID: ISO 27001:2013 A.9.2.3 Ownership: Shared
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Accounts with owner permissions on Azure resources should be MFA enabled | Multi-Factor Authentication (MFA) should be enabled for all subscription accounts with owner permissions to prevent a breach of accounts or resources. | AuditIfNotExists, Disabled | 1.0.0 |
| Accounts with write permissions on Azure resources should be MFA enabled | Multi-Factor Authentication (MFA) should be enabled for all subscription accounts with write privileges to prevent a breach of accounts or resources. | AuditIfNotExists, Disabled | 1.0.0 |
| An Azure Active Directory administrator should be provisioned for SQL servers | Audit provisioning of an Azure Active Directory administrator for your SQL server to enable Azure AD authentication. Azure AD authentication enables simplified permission management and centralized identity management of database users and other Microsoft services | AuditIfNotExists, Disabled | 1.0.0 |
| Assign account managers | CMA_0015 - Assign account managers | Manual, Disabled | 1.1.0 |
| Audit privileged functions | CMA_0019 - Audit privileged functions | Manual, Disabled | 1.1.0 |
| Audit usage of custom RBAC roles | Audit built-in roles such as 'Owner, Contributer, Reader' instead of custom RBAC roles, which are error prone. Using custom roles is treated as an exception and requires a rigorous review and threat modeling | Audit, Disabled | 1.0.1 |
| Audit user account status | CMA_0020 - Audit user account status | Manual, Disabled | 1.1.0 |
| Authorize access to security functions and information | CMA_0022 - Authorize access to security functions and information | Manual, Disabled | 1.1.0 |
| Authorize and manage access | CMA_0023 - Authorize and manage access | Manual, Disabled | 1.1.0 |
| Automate account management | CMA_0026 - Automate account management | Manual, Disabled | 1.1.0 |
| Define information system account types | CMA_0121 - Define information system account types | Manual, Disabled | 1.1.0 |
| Design an access control model | CMA_0129 - Design an access control model | Manual, Disabled | 1.1.0 |
| Document access privileges | CMA_0186 - Document access privileges | Manual, Disabled | 1.1.0 |
| Employ least privilege access | CMA_0212 - Employ least privilege access | Manual, Disabled | 1.1.0 |
| Enforce mandatory and discretionary access control policies | CMA_0246 - Enforce mandatory and discretionary access control policies | Manual, Disabled | 1.1.0 |
| Establish and document change control processes | CMA_0265 - Establish and document change control processes | Manual, Disabled | 1.1.0 |
| Establish conditions for role membership | CMA_0269 - Establish conditions for role membership | Manual, Disabled | 1.1.0 |
| Guest accounts with owner permissions on Azure resources should be removed | External accounts with owner permissions should be removed from your subscription in order to prevent unmonitored access. | AuditIfNotExists, Disabled | 1.0.0 |
| Guest accounts with write permissions on Azure resources should be removed | External accounts with write privileges should be removed from your subscription in order to prevent unmonitored access. | AuditIfNotExists, Disabled | 1.0.0 |
| Limit privileges to make changes in production environment | CMA_C1206 - Limit privileges to make changes in production environment | Manual, Disabled | 1.1.0 |
| Manage system and admin accounts | CMA_0368 - Manage system and admin accounts | Manual, Disabled | 1.1.0 |
| Monitor access across the organization | CMA_0376 - Monitor access across the organization | Manual, Disabled | 1.1.0 |
| Monitor privileged role assignment | CMA_0378 - Monitor privileged role assignment | Manual, Disabled | 1.1.0 |
| Notify Account Managers of customer controlled accounts | CMA_C1009 - Notify Account Managers of customer controlled accounts | Manual, Disabled | 1.1.0 |
| Notify when account is not needed | CMA_0383 - Notify when account is not needed | Manual, Disabled | 1.1.0 |
| Require approval for account creation | CMA_0431 - Require approval for account creation | Manual, Disabled | 1.1.0 |
| Restrict access to privileged accounts | CMA_0446 - Restrict access to privileged accounts | Manual, Disabled | 1.1.0 |
| Review account provisioning logs | CMA_0460 - Review account provisioning logs | Manual, Disabled | 1.1.0 |
| Review and reevaluate privileges | CMA_C1207 - Review and reevaluate privileges | Manual, Disabled | 1.1.0 |
| Review user accounts | CMA_0480 - Review user accounts | Manual, Disabled | 1.1.0 |
| Revoke privileged roles as appropriate | CMA_0483 - Revoke privileged roles as appropriate | Manual, Disabled | 1.1.0 |
| Service Fabric clusters should only use Azure Active Directory for client authentication | Audit usage of client authentication only via Azure Active Directory in Service Fabric | Audit, Deny, Disabled | 1.1.0 |
| Use privileged identity management | CMA_0533 - Use privileged identity management | Manual, Disabled | 1.1.0 |
Management of secret authentication information of users
ID: ISO 27001:2013 A.9.2.4 Ownership: Shared
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Accounts with owner permissions on Azure resources should be MFA enabled | Multi-Factor Authentication (MFA) should be enabled for all subscription accounts with owner permissions to prevent a breach of accounts or resources. | AuditIfNotExists, Disabled | 1.0.0 |
| Accounts with read permissions on Azure resources should be MFA enabled | Multi-Factor Authentication (MFA) should be enabled for all subscription accounts with read privileges to prevent a breach of accounts or resources. | AuditIfNotExists, Disabled | 1.0.0 |
| Accounts with write permissions on Azure resources should be MFA enabled | Multi-Factor Authentication (MFA) should be enabled for all subscription accounts with write privileges to prevent a breach of accounts or resources. | AuditIfNotExists, Disabled | 1.0.0 |
| Add system-assigned managed identity to enable Guest Configuration assignments on virtual machines with no identities | This policy adds a system-assigned managed identity to virtual machines hosted in Azure that are supported by Guest Configuration but do not have any managed identities. A system-assigned managed identity is a prerequisite for all Guest Configuration assignments and must be added to machines before using any Guest Configuration policy definitions. For more information on Guest Configuration, visit https://aka.ms/gcpol. | modify | 4.1.0 |
| Add system-assigned managed identity to enable Guest Configuration assignments on VMs with a user-assigned identity | This policy adds a system-assigned managed identity to virtual machines hosted in Azure that are supported by Guest Configuration and have at least one user-assigned identity but do not have a system-assigned managed identity. A system-assigned managed identity is a prerequisite for all Guest Configuration assignments and must be added to machines before using any Guest Configuration policy definitions. For more information on Guest Configuration, visit https://aka.ms/gcpol. | modify | 4.1.0 |
| Audit Linux machines that do not have the passwd file permissions set to 0644 | Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if Linux machines that do not have the passwd file permissions set to 0644 | AuditIfNotExists, Disabled | 3.1.0 |
| Deploy the Linux Guest Configuration extension to enable Guest Configuration assignments on Linux VMs | This policy deploys the Linux Guest Configuration extension to Linux virtual machines hosted in Azure that are supported by Guest Configuration. The Linux Guest Configuration extension is a prerequisite for all Linux Guest Configuration assignments and must be deployed to machines before using any Linux Guest Configuration policy definition. For more information on Guest Configuration, visit https://aka.ms/gcpol. | deployIfNotExists | 3.1.0 |
| Disable authenticators upon termination | CMA_0169 - Disable authenticators upon termination | Manual, Disabled | 1.1.0 |
| Document security strength requirements in acquisition contracts | CMA_0203 - Document security strength requirements in acquisition contracts | Manual, Disabled | 1.1.0 |
| Establish a password policy | CMA_0256 - Establish a password policy | Manual, Disabled | 1.1.0 |
| Establish authenticator types and processes | CMA_0267 - Establish authenticator types and processes | Manual, Disabled | 1.1.0 |
| Establish procedures for initial authenticator distribution | CMA_0276 - Establish procedures for initial authenticator distribution | Manual, Disabled | 1.1.0 |
| Implement parameters for memorized secret verifiers | CMA_0321 - Implement parameters for memorized secret verifiers | Manual, Disabled | 1.1.0 |
| Implement training for protecting authenticators | CMA_0329 - Implement training for protecting authenticators | Manual, Disabled | 1.1.0 |
| Manage authenticator lifetime and reuse | CMA_0355 - Manage authenticator lifetime and reuse | Manual, Disabled | 1.1.0 |
| Manage Authenticators | CMA_C1321 - Manage Authenticators | Manual, Disabled | 1.1.0 |
| Protect passwords with encryption | CMA_0408 - Protect passwords with encryption | Manual, Disabled | 1.1.0 |
| Refresh authenticators | CMA_0425 - Refresh authenticators | Manual, Disabled | 1.1.0 |
| Reissue authenticators for changed groups and accounts | CMA_0426 - Reissue authenticators for changed groups and accounts | Manual, Disabled | 1.1.0 |
| Revoke privileged roles as appropriate | CMA_0483 - Revoke privileged roles as appropriate | Manual, Disabled | 1.1.0 |
| Verify identity before distributing authenticators | CMA_0538 - Verify identity before distributing authenticators | Manual, Disabled | 1.1.0 |
Review of user access rights
ID: ISO 27001:2013 A.9.2.5 Ownership: Shared
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Assign account managers | CMA_0015 - Assign account managers | Manual, Disabled | 1.1.0 |
| Audit user account status | CMA_0020 - Audit user account status | Manual, Disabled | 1.1.0 |
| Blocked accounts with owner permissions on Azure resources should be removed | Deprecated accounts with owner permissions should be removed from your subscription. Deprecated accounts are accounts that have been blocked from signing in. | AuditIfNotExists, Disabled | 1.0.0 |
| Blocked accounts with read and write permissions on Azure resources should be removed | Deprecated accounts should be removed from your subscriptions. Deprecated accounts are accounts that have been blocked from signing in. | AuditIfNotExists, Disabled | 1.0.0 |
| Define information system account types | CMA_0121 - Define information system account types | Manual, Disabled | 1.1.0 |
| Document access privileges | CMA_0186 - Document access privileges | Manual, Disabled | 1.1.0 |
| Establish conditions for role membership | CMA_0269 - Establish conditions for role membership | Manual, Disabled | 1.1.0 |
| Guest accounts with owner permissions on Azure resources should be removed | External accounts with owner permissions should be removed from your subscription in order to prevent unmonitored access. | AuditIfNotExists, Disabled | 1.0.0 |
| Guest accounts with write permissions on Azure resources should be removed | External accounts with write privileges should be removed from your subscription in order to prevent unmonitored access. | AuditIfNotExists, Disabled | 1.0.0 |
| Notify Account Managers of customer controlled accounts | CMA_C1009 - Notify Account Managers of customer controlled accounts | Manual, Disabled | 1.1.0 |
| Reassign or remove user privileges as needed | CMA_C1040 - Reassign or remove user privileges as needed | Manual, Disabled | 1.1.0 |
| Require approval for account creation | CMA_0431 - Require approval for account creation | Manual, Disabled | 1.1.0 |
| Restrict access to privileged accounts | CMA_0446 - Restrict access to privileged accounts | Manual, Disabled | 1.1.0 |
| Review account provisioning logs | CMA_0460 - Review account provisioning logs | Manual, Disabled | 1.1.0 |
| Review and reevaluate privileges | CMA_C1207 - Review and reevaluate privileges | Manual, Disabled | 1.1.0 |
| Review user accounts | CMA_0480 - Review user accounts | Manual, Disabled | 1.1.0 |
| Review user privileges | CMA_C1039 - Review user privileges | Manual, Disabled | 1.1.0 |
Removal or adjustment of access rights
ID: ISO 27001:2013 A.9.2.6 Ownership: Shared
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Assign account managers | CMA_0015 - Assign account managers | Manual, Disabled | 1.1.0 |
| Audit user account status | CMA_0020 - Audit user account status | Manual, Disabled | 1.1.0 |
| Blocked accounts with owner permissions on Azure resources should be removed | Deprecated accounts with owner permissions should be removed from your subscription. Deprecated accounts are accounts that have been blocked from signing in. | AuditIfNotExists, Disabled | 1.0.0 |
| Blocked accounts with read and write permissions on Azure resources should be removed | Deprecated accounts should be removed from your subscriptions. Deprecated accounts are accounts that have been blocked from signing in. | AuditIfNotExists, Disabled | 1.0.0 |
| Define information system account types | CMA_0121 - Define information system account types | Manual, Disabled | 1.1.0 |
| Document access privileges | CMA_0186 - Document access privileges | Manual, Disabled | 1.1.0 |
| Establish conditions for role membership | CMA_0269 - Establish conditions for role membership | Manual, Disabled | 1.1.0 |
| Initiate transfer or reassignment actions | CMA_0333 - Initiate transfer or reassignment actions | Manual, Disabled | 1.1.0 |
| Modify access authorizations upon personnel transfer | CMA_0374 - Modify access authorizations upon personnel transfer | Manual, Disabled | 1.1.0 |
| Notify Account Managers of customer controlled accounts | CMA_C1009 - Notify Account Managers of customer controlled accounts | Manual, Disabled | 1.1.0 |
| Notify upon termination or transfer | CMA_0381 - Notify upon termination or transfer | Manual, Disabled | 1.1.0 |
| Reevaluate access upon personnel transfer | CMA_0424 - Reevaluate access upon personnel transfer | Manual, Disabled | 1.1.0 |
| Require approval for account creation | CMA_0431 - Require approval for account creation | Manual, Disabled | 1.1.0 |
| Restrict access to privileged accounts | CMA_0446 - Restrict access to privileged accounts | Manual, Disabled | 1.1.0 |
| Review account provisioning logs | CMA_0460 - Review account provisioning logs | Manual, Disabled | 1.1.0 |
| Review and reevaluate privileges | CMA_C1207 - Review and reevaluate privileges | Manual, Disabled | 1.1.0 |
| Review user accounts | CMA_0480 - Review user accounts | Manual, Disabled | 1.1.0 |
Use of secret authentication information
ID: ISO 27001:2013 A.9.3.1 Ownership: Shared
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Disable authenticators upon termination | CMA_0169 - Disable authenticators upon termination | Manual, Disabled | 1.1.0 |
| Document security strength requirements in acquisition contracts | CMA_0203 - Document security strength requirements in acquisition contracts | Manual, Disabled | 1.1.0 |
| Establish a password policy | CMA_0256 - Establish a password policy | Manual, Disabled | 1.1.0 |
| Establish authenticator types and processes | CMA_0267 - Establish authenticator types and processes | Manual, Disabled | 1.1.0 |
| Establish procedures for initial authenticator distribution | CMA_0276 - Establish procedures for initial authenticator distribution | Manual, Disabled | 1.1.0 |
| Implement parameters for memorized secret verifiers | CMA_0321 - Implement parameters for memorized secret verifiers | Manual, Disabled | 1.1.0 |
| Implement training for protecting authenticators | CMA_0329 - Implement training for protecting authenticators | Manual, Disabled | 1.1.0 |
| Manage authenticator lifetime and reuse | CMA_0355 - Manage authenticator lifetime and reuse | Manual, Disabled | 1.1.0 |
| Manage Authenticators | CMA_C1321 - Manage Authenticators | Manual, Disabled | 1.1.0 |
| Protect passwords with encryption | CMA_0408 - Protect passwords with encryption | Manual, Disabled | 1.1.0 |
| Refresh authenticators | CMA_0425 - Refresh authenticators | Manual, Disabled | 1.1.0 |
| Reissue authenticators for changed groups and accounts | CMA_0426 - Reissue authenticators for changed groups and accounts | Manual, Disabled | 1.1.0 |
| Revoke privileged roles as appropriate | CMA_0483 - Revoke privileged roles as appropriate | Manual, Disabled | 1.1.0 |
| Terminate customer controlled account credentials | CMA_C1022 - Terminate customer controlled account credentials | Manual, Disabled | 1.1.0 |
| Verify identity before distributing authenticators | CMA_0538 - Verify identity before distributing authenticators | Manual, Disabled | 1.1.0 |
Information access restriction
ID: ISO 27001:2013 A.9.4.1 Ownership: Shared
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Authorize access to security functions and information | CMA_0022 - Authorize access to security functions and information | Manual, Disabled | 1.1.0 |
| Authorize and manage access | CMA_0023 - Authorize and manage access | Manual, Disabled | 1.1.0 |
| Automate account management | CMA_0026 - Automate account management | Manual, Disabled | 1.1.0 |
| Enforce logical access | CMA_0245 - Enforce logical access | Manual, Disabled | 1.1.0 |
| Enforce mandatory and discretionary access control policies | CMA_0246 - Enforce mandatory and discretionary access control policies | Manual, Disabled | 1.1.0 |
| Limit privileges to make changes in production environment | CMA_C1206 - Limit privileges to make changes in production environment | Manual, Disabled | 1.1.0 |
| Manage system and admin accounts | CMA_0368 - Manage system and admin accounts | Manual, Disabled | 1.1.0 |
| Monitor access across the organization | CMA_0376 - Monitor access across the organization | Manual, Disabled | 1.1.0 |
| Notify when account is not needed | CMA_0383 - Notify when account is not needed | Manual, Disabled | 1.1.0 |
| Require approval for account creation | CMA_0431 - Require approval for account creation | Manual, Disabled | 1.1.0 |
| Review user groups and applications with access to sensitive data | CMA_0481 - Review user groups and applications with access to sensitive data | Manual, Disabled | 1.1.0 |
Secure log-on procedures
ID: ISO 27001:2013 A.9.4.2 Ownership: Shared
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Accounts with owner permissions on Azure resources should be MFA enabled | Multi-Factor Authentication (MFA) should be enabled for all subscription accounts with owner permissions to prevent a breach of accounts or resources. | AuditIfNotExists, Disabled | 1.0.0 |
| Accounts with read permissions on Azure resources should be MFA enabled | Multi-Factor Authentication (MFA) should be enabled for all subscription accounts with read privileges to prevent a breach of accounts or resources. | AuditIfNotExists, Disabled | 1.0.0 |
| Accounts with write permissions on Azure resources should be MFA enabled | Multi-Factor Authentication (MFA) should be enabled for all subscription accounts with write privileges to prevent a breach of accounts or resources. | AuditIfNotExists, Disabled | 1.0.0 |
| Adopt biometric authentication mechanisms | CMA_0005 - Adopt biometric authentication mechanisms | Manual, Disabled | 1.1.0 |
| Enable detection of network devices | CMA_0220 - Enable detection of network devices | Manual, Disabled | 1.1.0 |
| Enforce a limit of consecutive failed login attempts | CMA_C1044 - Enforce a limit of consecutive failed login attempts | Manual, Disabled | 1.1.0 |
| Enforce user uniqueness | CMA_0250 - Enforce user uniqueness | Manual, Disabled | 1.1.0 |
| Establish electronic signature and certificate requirements | CMA_0271 - Establish electronic signature and certificate requirements | Manual, Disabled | 1.1.0 |
| Generate error messages | CMA_C1724 - Generate error messages | Manual, Disabled | 1.1.0 |
| Identify actions allowed without authentication | CMA_0295 - Identify actions allowed without authentication | Manual, Disabled | 1.1.0 |
| Identify and authenticate non-organizational users | CMA_C1346 - Identify and authenticate non-organizational users | Manual, Disabled | 1.1.0 |
| Obscure feedback information during authentication process | CMA_C1344 - Obscure feedback information during authentication process | Manual, Disabled | 1.1.0 |
| Reveal error messages | CMA_C1725 - Reveal error messages | Manual, Disabled | 1.1.0 |
| Route traffic through managed network access points | CMA_0484 - Route traffic through managed network access points | Manual, Disabled | 1.1.0 |
| Set automated notifications for new and trending cloud applications in your organization | CMA_0495 - Set automated notifications for new and trending cloud applications in your organization | Manual, Disabled | 1.1.0 |
| Support personal verification credentials issued by legal authorities | CMA_0507 - Support personal verification credentials issued by legal authorities | Manual, Disabled | 1.1.0 |
| Terminate user session automatically | CMA_C1054 - Terminate user session automatically | Manual, Disabled | 1.1.0 |
Password management system
ID: ISO 27001:2013 A.9.4.3 Ownership: Shared
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Add system-assigned managed identity to enable Guest Configuration assignments on virtual machines with no identities | This policy adds a system-assigned managed identity to virtual machines hosted in Azure that are supported by Guest Configuration but do not have any managed identities. A system-assigned managed identity is a prerequisite for all Guest Configuration assignments and must be added to machines before using any Guest Configuration policy definitions. For more information on Guest Configuration, visit https://aka.ms/gcpol. | modify | 4.1.0 |
| Add system-assigned managed identity to enable Guest Configuration assignments on VMs with a user-assigned identity | This policy adds a system-assigned managed identity to virtual machines hosted in Azure that are supported by Guest Configuration and have at least one user-assigned identity but do not have a system-assigned managed identity. A system-assigned managed identity is a prerequisite for all Guest Configuration assignments and must be added to machines before using any Guest Configuration policy definitions. For more information on Guest Configuration, visit https://aka.ms/gcpol. | modify | 4.1.0 |
| Audit Windows machines that allow re-use of the passwords after the specified number of unique passwords | Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if Windows machines that allow re-use of the passwords after the specified number of unique passwords. Default value for unique passwords is 24 | AuditIfNotExists, Disabled | 2.1.0 |
| Audit Windows machines that do not have the maximum password age set to specified number of days | Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if Windows machines that do not have the maximum password age set to specified number of days. Default value for maximum password age is 70 days | AuditIfNotExists, Disabled | 2.1.0 |
| Audit Windows machines that do not have the minimum password age set to specified number of days | Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if Windows machines that do not have the minimum password age set to specified number of days. Default value for minimum password age is 1 day | AuditIfNotExists, Disabled | 2.1.0 |
| Audit Windows machines that do not have the password complexity setting enabled | Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if Windows machines that do not have the password complexity setting enabled | AuditIfNotExists, Disabled | 2.0.0 |
| Audit Windows machines that do not restrict the minimum password length to specified number of characters | Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if Windows machines that do not restrict the minimum password length to specified number of characters. Default value for minimum password length is 14 characters | AuditIfNotExists, Disabled | 2.1.0 |
| Deploy the Windows Guest Configuration extension to enable Guest Configuration assignments on Windows VMs | This policy deploys the Windows Guest Configuration extension to Windows virtual machines hosted in Azure that are supported by Guest Configuration. The Windows Guest Configuration extension is a prerequisite for all Windows Guest Configuration assignments and must be deployed to machines before using any Windows Guest Configuration policy definition. For more information on Guest Configuration, visit https://aka.ms/gcpol. | deployIfNotExists | 1.2.0 |
| Disable authenticators upon termination | CMA_0169 - Disable authenticators upon termination | Manual, Disabled | 1.1.0 |
| Document security strength requirements in acquisition contracts | CMA_0203 - Document security strength requirements in acquisition contracts | Manual, Disabled | 1.1.0 |
| Establish a password policy | CMA_0256 - Establish a password policy | Manual, Disabled | 1.1.0 |
| Establish authenticator types and processes | CMA_0267 - Establish authenticator types and processes | Manual, Disabled | 1.1.0 |
| Establish procedures for initial authenticator distribution | CMA_0276 - Establish procedures for initial authenticator distribution | Manual, Disabled | 1.1.0 |
| Implement parameters for memorized secret verifiers | CMA_0321 - Implement parameters for memorized secret verifiers | Manual, Disabled | 1.1.0 |
| Implement training for protecting authenticators | CMA_0329 - Implement training for protecting authenticators | Manual, Disabled | 1.1.0 |
| Manage authenticator lifetime and reuse | CMA_0355 - Manage authenticator lifetime and reuse | Manual, Disabled | 1.1.0 |
| Manage Authenticators | CMA_C1321 - Manage Authenticators | Manual, Disabled | 1.1.0 |
| Protect passwords with encryption | CMA_0408 - Protect passwords with encryption | Manual, Disabled | 1.1.0 |
| Refresh authenticators | CMA_0425 - Refresh authenticators | Manual, Disabled | 1.1.0 |
| Reissue authenticators for changed groups and accounts | CMA_0426 - Reissue authenticators for changed groups and accounts | Manual, Disabled | 1.1.0 |
| Revoke privileged roles as appropriate | CMA_0483 - Revoke privileged roles as appropriate | Manual, Disabled | 1.1.0 |
| Verify identity before distributing authenticators | CMA_0538 - Verify identity before distributing authenticators | Manual, Disabled | 1.1.0 |
Use of privileged utility programs
ID: ISO 27001:2013 A.9.4.4 Ownership: Shared
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Authorize access to security functions and information | CMA_0022 - Authorize access to security functions and information | Manual, Disabled | 1.1.0 |
| Authorize and manage access | CMA_0023 - Authorize and manage access | Manual, Disabled | 1.1.0 |
| Design an access control model | CMA_0129 - Design an access control model | Manual, Disabled | 1.1.0 |
| Employ least privilege access | CMA_0212 - Employ least privilege access | Manual, Disabled | 1.1.0 |
| Enforce logical access | CMA_0245 - Enforce logical access | Manual, Disabled | 1.1.0 |
| Enforce mandatory and discretionary access control policies | CMA_0246 - Enforce mandatory and discretionary access control policies | Manual, Disabled | 1.1.0 |
| Require approval for account creation | CMA_0431 - Require approval for account creation | Manual, Disabled | 1.1.0 |
| Restrict access to privileged accounts | CMA_0446 - Restrict access to privileged accounts | Manual, Disabled | 1.1.0 |
| Review user groups and applications with access to sensitive data | CMA_0481 - Review user groups and applications with access to sensitive data | Manual, Disabled | 1.1.0 |
Access control to program source code
ID: ISO 27001:2013 A.9.4.5 Ownership: Shared
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Authorize access to security functions and information | CMA_0022 - Authorize access to security functions and information | Manual, Disabled | 1.1.0 |
| Authorize and manage access | CMA_0023 - Authorize and manage access | Manual, Disabled | 1.1.0 |
| Design an access control model | CMA_0129 - Design an access control model | Manual, Disabled | 1.1.0 |
| Employ least privilege access | CMA_0212 - Employ least privilege access | Manual, Disabled | 1.1.0 |
| Enforce logical access | CMA_0245 - Enforce logical access | Manual, Disabled | 1.1.0 |
| Enforce mandatory and discretionary access control policies | CMA_0246 - Enforce mandatory and discretionary access control policies | Manual, Disabled | 1.1.0 |
| Establish and document change control processes | CMA_0265 - Establish and document change control processes | Manual, Disabled | 1.1.0 |
| Limit privileges to make changes in production environment | CMA_C1206 - Limit privileges to make changes in production environment | Manual, Disabled | 1.1.0 |
| Require approval for account creation | CMA_0431 - Require approval for account creation | Manual, Disabled | 1.1.0 |
| Review user groups and applications with access to sensitive data | CMA_0481 - Review user groups and applications with access to sensitive data | Manual, Disabled | 1.1.0 |
Improvement
Nonconformity and corrective action
ID: ISO 27001:2013 C.10.1.d Ownership: Shared
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Update POA&M items | CMA_C1157 - Update POA&M items | Manual, Disabled | 1.1.0 |
Nonconformity and corrective action
ID: ISO 27001:2013 C.10.1.e Ownership: Shared
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Update POA&M items | CMA_C1157 - Update POA&M items | Manual, Disabled | 1.1.0 |
Nonconformity and corrective action
ID: ISO 27001:2013 C.10.1.f Ownership: Shared
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Establish configuration management requirements for developers | CMA_0270 - Establish configuration management requirements for developers | Manual, Disabled | 1.1.0 |
| Perform audit for configuration change control | CMA_0390 - Perform audit for configuration change control | Manual, Disabled | 1.1.0 |
| Update POA&M items | CMA_C1157 - Update POA&M items | Manual, Disabled | 1.1.0 |
Nonconformity and corrective action
ID: ISO 27001:2013 C.10.1.g Ownership: Shared
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Establish configuration management requirements for developers | CMA_0270 - Establish configuration management requirements for developers | Manual, Disabled | 1.1.0 |
| Perform audit for configuration change control | CMA_0390 - Perform audit for configuration change control | Manual, Disabled | 1.1.0 |
| Update POA&M items | CMA_C1157 - Update POA&M items | Manual, Disabled | 1.1.0 |
Context of the organization
Determining the scope of the information security management system
ID: ISO 27001:2013 C.4.3.a Ownership: Shared
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Develop SSP that meets criteria | CMA_C1492 - Develop SSP that meets criteria | Manual, Disabled | 1.1.0 |
| Establish an information security program | CMA_0263 - Establish an information security program | Manual, Disabled | 1.1.0 |
| Update information security policies | CMA_0518 - Update information security policies | Manual, Disabled | 1.1.0 |
Determining the scope of the information security management system
ID: ISO 27001:2013 C.4.3.b Ownership: Shared
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Develop SSP that meets criteria | CMA_C1492 - Develop SSP that meets criteria | Manual, Disabled | 1.1.0 |
| Establish an information security program | CMA_0263 - Establish an information security program | Manual, Disabled | 1.1.0 |
| Update information security policies | CMA_0518 - Update information security policies | Manual, Disabled | 1.1.0 |
Determining the scope of the information security management system
ID: ISO 27001:2013 C.4.3.c Ownership: Shared
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Align business objectives and IT goals | CMA_0008 - Align business objectives and IT goals | Manual, Disabled | 1.1.0 |
| Determine supplier contract obligations | CMA_0140 - Determine supplier contract obligations | Manual, Disabled | 1.1.0 |
| Develop SSP that meets criteria | CMA_C1492 - Develop SSP that meets criteria | Manual, Disabled | 1.1.0 |
| Document acquisition contract acceptance criteria | CMA_0187 - Document acquisition contract acceptance criteria | Manual, Disabled | 1.1.0 |
| Document protection of personal data in acquisition contracts | CMA_0194 - Document protection of personal data in acquisition contracts | Manual, Disabled | 1.1.0 |
| Document protection of security information in acquisition contracts | CMA_0195 - Document protection of security information in acquisition contracts | Manual, Disabled | 1.1.0 |
| Document requirements for the use of shared data in contracts | CMA_0197 - Document requirements for the use of shared data in contracts | Manual, Disabled | 1.1.0 |
| Document security assurance requirements in acquisition contracts | CMA_0199 - Document security assurance requirements in acquisition contracts | Manual, Disabled | 1.1.0 |
| Document security documentation requirements in acquisition contract | CMA_0200 - Document security documentation requirements in acquisition contract | Manual, Disabled | 1.1.0 |
| Document security functional requirements in acquisition contracts | CMA_0201 - Document security functional requirements in acquisition contracts | Manual, Disabled | 1.1.0 |
| Document security strength requirements in acquisition contracts | CMA_0203 - Document security strength requirements in acquisition contracts | Manual, Disabled | 1.1.0 |
| Document the information system environment in acquisition contracts | CMA_0205 - Document the information system environment in acquisition contracts | Manual, Disabled | 1.1.0 |
| Document the protection of cardholder data in third party contracts | CMA_0207 - Document the protection of cardholder data in third party contracts | Manual, Disabled | 1.1.0 |
| Employ business case to record the resources required | CMA_C1735 - Employ business case to record the resources required | Manual, Disabled | 1.1.0 |
| Ensure capital planning and investment requests include necessary resources | CMA_C1734 - Ensure capital planning and investment requests include necessary resources | Manual, Disabled | 1.1.0 |
| Establish privacy requirements for contractors and service providers | CMA_C1810 - Establish privacy requirements for contractors and service providers | Manual, Disabled | 1.1.0 |
| Govern the allocation of resources | CMA_0293 - Govern the allocation of resources | Manual, Disabled | 1.1.0 |
| Secure commitment from leadership | CMA_0489 - Secure commitment from leadership | Manual, Disabled | 1.1.0 |
Information security management system
ID: ISO 27001:2013 C.4.4 Ownership: Shared
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Develop access control policies and procedures | CMA_0144 - Develop access control policies and procedures | Manual, Disabled | 1.1.0 |
| Document security and privacy training activities | CMA_0198 - Document security and privacy training activities | Manual, Disabled | 1.1.0 |
| Establish a privacy program | CMA_0257 - Establish a privacy program | Manual, Disabled | 1.1.0 |
| Govern policies and procedures | CMA_0292 - Govern policies and procedures | Manual, Disabled | 1.1.0 |
| Update privacy plan, policies, and procedures | CMA_C1807 - Update privacy plan, policies, and procedures | Manual, Disabled | 1.1.0 |
Leadership
Leadership and commitment
ID: ISO 27001:2013 C.5.1.a Ownership: Shared
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Appoint a senior information security officer | CMA_C1733 - Appoint a senior information security officer | Manual, Disabled | 1.1.0 |
| Develop access control policies and procedures | CMA_0144 - Develop access control policies and procedures | Manual, Disabled | 1.1.0 |
| Document security and privacy training activities | CMA_0198 - Document security and privacy training activities | Manual, Disabled | 1.1.0 |
| Establish a privacy program | CMA_0257 - Establish a privacy program | Manual, Disabled | 1.1.0 |
| Govern policies and procedures | CMA_0292 - Govern policies and procedures | Manual, Disabled | 1.1.0 |
| Update privacy plan, policies, and procedures | CMA_C1807 - Update privacy plan, policies, and procedures | Manual, Disabled | 1.1.0 |
Leadership and commitment
ID: ISO 27001:2013 C.5.1.b Ownership: Shared
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Appoint a senior information security officer | CMA_C1733 - Appoint a senior information security officer | Manual, Disabled | 1.1.0 |
| Develop access control policies and procedures | CMA_0144 - Develop access control policies and procedures | Manual, Disabled | 1.1.0 |
| Develop audit and accountability policies and procedures | CMA_0154 - Develop audit and accountability policies and procedures | Manual, Disabled | 1.1.0 |
| Develop information security policies and procedures | CMA_0158 - Develop information security policies and procedures | Manual, Disabled | 1.1.0 |
| Document security and privacy training activities | CMA_0198 - Document security and privacy training activities | Manual, Disabled | 1.1.0 |
| Establish a privacy program | CMA_0257 - Establish a privacy program | Manual, Disabled | 1.1.0 |
| Establish an information security program | CMA_0263 - Establish an information security program | Manual, Disabled | 1.1.0 |
| Establish and document change control processes | CMA_0265 - Establish and document change control processes | Manual, Disabled | 1.1.0 |
| Establish configuration management requirements for developers | CMA_0270 - Establish configuration management requirements for developers | Manual, Disabled | 1.1.0 |
| Govern policies and procedures | CMA_0292 - Govern policies and procedures | Manual, Disabled | 1.1.0 |
| Perform audit for configuration change control | CMA_0390 - Perform audit for configuration change control | Manual, Disabled | 1.1.0 |
| Review access control policies and procedures | CMA_0457 - Review access control policies and procedures | Manual, Disabled | 1.1.0 |
| Review and update configuration management policies and procedures | CMA_C1175 - Review and update configuration management policies and procedures | Manual, Disabled | 1.1.0 |
| Review and update contingency planning policies and procedures | CMA_C1243 - Review and update contingency planning policies and procedures | Manual, Disabled | 1.1.0 |
| Review and update identification and authentication policies and procedures | CMA_C1299 - Review and update identification and authentication policies and procedures | Manual, Disabled | 1.1.0 |
| Review and update incident response policies and procedures | CMA_C1352 - Review and update incident response policies and procedures | Manual, Disabled | 1.1.0 |
| Review and update information integrity policies and procedures | CMA_C1667 - Review and update information integrity policies and procedures | Manual, Disabled | 1.1.0 |
| Review and update media protection policies and procedures | CMA_C1427 - Review and update media protection policies and procedures | Manual, Disabled | 1.1.0 |
| Review and update personnel security policies and procedures | CMA_C1507 - Review and update personnel security policies and procedures | Manual, Disabled | 1.1.0 |
| Review and update physical and environmental policies and procedures | CMA_C1446 - Review and update physical and environmental policies and procedures | Manual, Disabled | 1.1.0 |
| Review and update planning policies and procedures | CMA_C1491 - Review and update planning policies and procedures | Manual, Disabled | 1.1.0 |
| Review and update risk assessment policies and procedures | CMA_C1537 - Review and update risk assessment policies and procedures | Manual, Disabled | 1.1.0 |
| Review and update system and communications protection policies and procedures | CMA_C1616 - Review and update system and communications protection policies and procedures | Manual, Disabled | 1.1.0 |
| Review and update system and services acquisition policies and procedures | CMA_C1560 - Review and update system and services acquisition policies and procedures | Manual, Disabled | 1.1.0 |
| Review and update system maintenance policies and procedures | CMA_C1395 - Review and update system maintenance policies and procedures | Manual, Disabled | 1.1.0 |
| Review security assessment and authorization policies and procedures | CMA_C1143 - Review security assessment and authorization policies and procedures | Manual, Disabled | 1.1.0 |
| Update information security policies | CMA_0518 - Update information security policies | Manual, Disabled | 1.1.0 |
| Update privacy plan, policies, and procedures | CMA_C1807 - Update privacy plan, policies, and procedures | Manual, Disabled | 1.1.0 |
Leadership and commitment
ID: ISO 27001:2013 C.5.1.c Ownership: Shared
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Align business objectives and IT goals | CMA_0008 - Align business objectives and IT goals | Manual, Disabled | 1.1.0 |
| Allocate resources in determining information system requirements | CMA_C1561 - Allocate resources in determining information system requirements | Manual, Disabled | 1.1.0 |
| Appoint a senior information security officer | CMA_C1733 - Appoint a senior information security officer | Manual, Disabled | 1.1.0 |
| Employ business case to record the resources required | CMA_C1735 - Employ business case to record the resources required | Manual, Disabled | 1.1.0 |
| Ensure capital planning and investment requests include necessary resources | CMA_C1734 - Ensure capital planning and investment requests include necessary resources | Manual, Disabled | 1.1.0 |
| Ensure privacy program information is publicly available | CMA_C1867 - Ensure privacy program information is publicly available | Manual, Disabled | 1.1.0 |
| Establish a discrete line item in budgeting documentation | CMA_C1563 - Establish a discrete line item in budgeting documentation | Manual, Disabled | 1.1.0 |
| Establish a privacy program | CMA_0257 - Establish a privacy program | Manual, Disabled | 1.1.0 |
| Govern the allocation of resources | CMA_0293 - Govern the allocation of resources | Manual, Disabled | 1.1.0 |
| Secure commitment from leadership | CMA_0489 - Secure commitment from leadership | Manual, Disabled | 1.1.0 |
Leadership and commitment
ID: ISO 27001:2013 C.5.1.d Ownership: Shared
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Appoint a senior information security officer | CMA_C1733 - Appoint a senior information security officer | Manual, Disabled | 1.1.0 |
Leadership and commitment
ID: ISO 27001:2013 C.5.1.e Ownership: Shared
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Appoint a senior information security officer | CMA_C1733 - Appoint a senior information security officer | Manual, Disabled | 1.1.0 |
| Define performance metrics | CMA_0124 - Define performance metrics | Manual, Disabled | 1.1.0 |
| Establish an information security program | CMA_0263 - Establish an information security program | Manual, Disabled | 1.1.0 |
Leadership and commitment
ID: ISO 27001:2013 C.5.1.f Ownership: Shared
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Align business objectives and IT goals | CMA_0008 - Align business objectives and IT goals | Manual, Disabled | 1.1.0 |
| Allocate resources in determining information system requirements | CMA_C1561 - Allocate resources in determining information system requirements | Manual, Disabled | 1.1.0 |
| Appoint a senior information security officer | CMA_C1733 - Appoint a senior information security officer | Manual, Disabled | 1.1.0 |
| Employ business case to record the resources required | CMA_C1735 - Employ business case to record the resources required | Manual, Disabled | 1.1.0 |
| Ensure capital planning and investment requests include necessary resources | CMA_C1734 - Ensure capital planning and investment requests include necessary resources | Manual, Disabled | 1.1.0 |
| Establish a discrete line item in budgeting documentation | CMA_C1563 - Establish a discrete line item in budgeting documentation | Manual, Disabled | 1.1.0 |
| Establish a privacy program | CMA_0257 - Establish a privacy program | Manual, Disabled | 1.1.0 |
| Govern the allocation of resources | CMA_0293 - Govern the allocation of resources | Manual, Disabled | 1.1.0 |
| Secure commitment from leadership | CMA_0489 - Secure commitment from leadership | Manual, Disabled | 1.1.0 |
Leadership and commitment
ID: ISO 27001:2013 C.5.1.g Ownership: Shared
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Appoint a senior information security officer | CMA_C1733 - Appoint a senior information security officer | Manual, Disabled | 1.1.0 |
| Define performance metrics | CMA_0124 - Define performance metrics | Manual, Disabled | 1.1.0 |
| Establish an information security program | CMA_0263 - Establish an information security program | Manual, Disabled | 1.1.0 |
Leadership and commitment
ID: ISO 27001:2013 C.5.1.h Ownership: Shared
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Appoint a senior information security officer | CMA_C1733 - Appoint a senior information security officer | Manual, Disabled | 1.1.0 |
Policy
ID: ISO 27001:2013 C.5.2.a Ownership: Shared
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Develop access control policies and procedures | CMA_0144 - Develop access control policies and procedures | Manual, Disabled | 1.1.0 |
| Document security and privacy training activities | CMA_0198 - Document security and privacy training activities | Manual, Disabled | 1.1.0 |
| Govern policies and procedures | CMA_0292 - Govern policies and procedures | Manual, Disabled | 1.1.0 |
| Update privacy plan, policies, and procedures | CMA_C1807 - Update privacy plan, policies, and procedures | Manual, Disabled | 1.1.0 |
Policy
ID: ISO 27001:2013 C.5.2.b Ownership: Shared
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Develop access control policies and procedures | CMA_0144 - Develop access control policies and procedures | Manual, Disabled | 1.1.0 |
| Document security and privacy training activities | CMA_0198 - Document security and privacy training activities | Manual, Disabled | 1.1.0 |
| Govern policies and procedures | CMA_0292 - Govern policies and procedures | Manual, Disabled | 1.1.0 |
| Update privacy plan, policies, and procedures | CMA_C1807 - Update privacy plan, policies, and procedures | Manual, Disabled | 1.1.0 |
Policy
ID: ISO 27001:2013 C.5.2.c Ownership: Shared
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Develop access control policies and procedures | CMA_0144 - Develop access control policies and procedures | Manual, Disabled | 1.1.0 |
| Develop audit and accountability policies and procedures | CMA_0154 - Develop audit and accountability policies and procedures | Manual, Disabled | 1.1.0 |
| Develop information security policies and procedures | CMA_0158 - Develop information security policies and procedures | Manual, Disabled | 1.1.0 |
| Document security and privacy training activities | CMA_0198 - Document security and privacy training activities | Manual, Disabled | 1.1.0 |
| Establish an information security program | CMA_0263 - Establish an information security program | Manual, Disabled | 1.1.0 |
| Govern policies and procedures | CMA_0292 - Govern policies and procedures | Manual, Disabled | 1.1.0 |
| Review access control policies and procedures | CMA_0457 - Review access control policies and procedures | Manual, Disabled | 1.1.0 |
| Review and update configuration management policies and procedures | CMA_C1175 - Review and update configuration management policies and procedures | Manual, Disabled | 1.1.0 |
| Review and update contingency planning policies and procedures | CMA_C1243 - Review and update contingency planning policies and procedures | Manual, Disabled | 1.1.0 |
| Review and update identification and authentication policies and procedures | CMA_C1299 - Review and update identification and authentication policies and procedures | Manual, Disabled | 1.1.0 |
| Review and update incident response policies and procedures | CMA_C1352 - Review and update incident response policies and procedures | Manual, Disabled | 1.1.0 |
| Review and update information integrity policies and procedures | CMA_C1667 - Review and update information integrity policies and procedures | Manual, Disabled | 1.1.0 |
| Review and update media protection policies and procedures | CMA_C1427 - Review and update media protection policies and procedures | Manual, Disabled | 1.1.0 |
| Review and update personnel security policies and procedures | CMA_C1507 - Review and update personnel security policies and procedures | Manual, Disabled | 1.1.0 |
| Review and update physical and environmental policies and procedures | CMA_C1446 - Review and update physical and environmental policies and procedures | Manual, Disabled | 1.1.0 |
| Review and update planning policies and procedures | CMA_C1491 - Review and update planning policies and procedures | Manual, Disabled | 1.1.0 |
| Review and update risk assessment policies and procedures | CMA_C1537 - Review and update risk assessment policies and procedures | Manual, Disabled | 1.1.0 |
| Review and update system and communications protection policies and procedures | CMA_C1616 - Review and update system and communications protection policies and procedures | Manual, Disabled | 1.1.0 |
| Review and update system and services acquisition policies and procedures | CMA_C1560 - Review and update system and services acquisition policies and procedures | Manual, Disabled | 1.1.0 |
| Review and update system maintenance policies and procedures | CMA_C1395 - Review and update system maintenance policies and procedures | Manual, Disabled | 1.1.0 |
| Review security assessment and authorization policies and procedures | CMA_C1143 - Review security assessment and authorization policies and procedures | Manual, Disabled | 1.1.0 |
| Update information security policies | CMA_0518 - Update information security policies | Manual, Disabled | 1.1.0 |
| Update privacy plan, policies, and procedures | CMA_C1807 - Update privacy plan, policies, and procedures | Manual, Disabled | 1.1.0 |
Policy
ID: ISO 27001:2013 C.5.2.d Ownership: Shared
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Develop access control policies and procedures | CMA_0144 - Develop access control policies and procedures | Manual, Disabled | 1.1.0 |
| Develop audit and accountability policies and procedures | CMA_0154 - Develop audit and accountability policies and procedures | Manual, Disabled | 1.1.0 |
| Develop information security policies and procedures | CMA_0158 - Develop information security policies and procedures | Manual, Disabled | 1.1.0 |
| Document security and privacy training activities | CMA_0198 - Document security and privacy training activities | Manual, Disabled | 1.1.0 |
| Establish an information security program | CMA_0263 - Establish an information security program | Manual, Disabled | 1.1.0 |
| Govern policies and procedures | CMA_0292 - Govern policies and procedures | Manual, Disabled | 1.1.0 |
| Review access control policies and procedures | CMA_0457 - Review access control policies and procedures | Manual, Disabled | 1.1.0 |
| Review and update configuration management policies and procedures | CMA_C1175 - Review and update configuration management policies and procedures | Manual, Disabled | 1.1.0 |
| Review and update contingency planning policies and procedures | CMA_C1243 - Review and update contingency planning policies and procedures | Manual, Disabled | 1.1.0 |
| Review and update identification and authentication policies and procedures | CMA_C1299 - Review and update identification and authentication policies and procedures | Manual, Disabled | 1.1.0 |
| Review and update incident response policies and procedures | CMA_C1352 - Review and update incident response policies and procedures | Manual, Disabled | 1.1.0 |
| Review and update information integrity policies and procedures | CMA_C1667 - Review and update information integrity policies and procedures | Manual, Disabled | 1.1.0 |
| Review and update media protection policies and procedures | CMA_C1427 - Review and update media protection policies and procedures | Manual, Disabled | 1.1.0 |
| Review and update personnel security policies and procedures | CMA_C1507 - Review and update personnel security policies and procedures | Manual, Disabled | 1.1.0 |
| Review and update physical and environmental policies and procedures | CMA_C1446 - Review and update physical and environmental policies and procedures | Manual, Disabled | 1.1.0 |
| Review and update planning policies and procedures | CMA_C1491 - Review and update planning policies and procedures | Manual, Disabled | 1.1.0 |
| Review and update risk assessment policies and procedures | CMA_C1537 - Review and update risk assessment policies and procedures | Manual, Disabled | 1.1.0 |
| Review and update system and communications protection policies and procedures | CMA_C1616 - Review and update system and communications protection policies and procedures | Manual, Disabled | 1.1.0 |
| Review and update system and services acquisition policies and procedures | CMA_C1560 - Review and update system and services acquisition policies and procedures | Manual, Disabled | 1.1.0 |
| Review and update system maintenance policies and procedures | CMA_C1395 - Review and update system maintenance policies and procedures | Manual, Disabled | 1.1.0 |
| Review security assessment and authorization policies and procedures | CMA_C1143 - Review security assessment and authorization policies and procedures | Manual, Disabled | 1.1.0 |
| Update information security policies | CMA_0518 - Update information security policies | Manual, Disabled | 1.1.0 |
| Update privacy plan, policies, and procedures | CMA_C1807 - Update privacy plan, policies, and procedures | Manual, Disabled | 1.1.0 |
Policy
ID: ISO 27001:2013 C.5.2.e Ownership: Shared
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Develop access control policies and procedures | CMA_0144 - Develop access control policies and procedures | Manual, Disabled | 1.1.0 |
| Document security and privacy training activities | CMA_0198 - Document security and privacy training activities | Manual, Disabled | 1.1.0 |
| Govern policies and procedures | CMA_0292 - Govern policies and procedures | Manual, Disabled | 1.1.0 |
| Update privacy plan, policies, and procedures | CMA_C1807 - Update privacy plan, policies, and procedures | Manual, Disabled | 1.1.0 |
Policy
ID: ISO 27001:2013 C.5.2.f Ownership: Shared
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Develop access control policies and procedures | CMA_0144 - Develop access control policies and procedures | Manual, Disabled | 1.1.0 |
| Document security and privacy training activities | CMA_0198 - Document security and privacy training activities | Manual, Disabled | 1.1.0 |
| Govern policies and procedures | CMA_0292 - Govern policies and procedures | Manual, Disabled | 1.1.0 |
| Update privacy plan, policies, and procedures | CMA_C1807 - Update privacy plan, policies, and procedures | Manual, Disabled | 1.1.0 |
Policy
ID: ISO 27001:2013 C.5.2.g Ownership: Shared
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Update privacy plan, policies, and procedures | CMA_C1807 - Update privacy plan, policies, and procedures | Manual, Disabled | 1.1.0 |
Organizational roles, responsibilities and authorities
ID: ISO 27001:2013 C.5.3.b Ownership: Shared
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Define performance metrics | CMA_0124 - Define performance metrics | Manual, Disabled | 1.1.0 |
| Establish an information security program | CMA_0263 - Establish an information security program | Manual, Disabled | 1.1.0 |
Planning
General
ID: ISO 27001:2013 C.6.1.1.a Ownership: Shared
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Develop POA&M | CMA_C1156 - Develop POA&M | Manual, Disabled | 1.1.0 |
| Establish a risk management strategy | CMA_0258 - Establish a risk management strategy | Manual, Disabled | 1.1.0 |
| Implement the risk management strategy | CMA_C1744 - Implement the risk management strategy | Manual, Disabled | 1.1.0 |
General
ID: ISO 27001:2013 C.6.1.1.b Ownership: Shared
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Develop POA&M | CMA_C1156 - Develop POA&M | Manual, Disabled | 1.1.0 |
| Establish a risk management strategy | CMA_0258 - Establish a risk management strategy | Manual, Disabled | 1.1.0 |
| Implement the risk management strategy | CMA_C1744 - Implement the risk management strategy | Manual, Disabled | 1.1.0 |
General
ID: ISO 27001:2013 C.6.1.1.c Ownership: Shared
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Develop POA&M | CMA_C1156 - Develop POA&M | Manual, Disabled | 1.1.0 |
| Establish a risk management strategy | CMA_0258 - Establish a risk management strategy | Manual, Disabled | 1.1.0 |
| Implement the risk management strategy | CMA_C1744 - Implement the risk management strategy | Manual, Disabled | 1.1.0 |
General
ID: ISO 27001:2013 C.6.1.1.d Ownership: Shared
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Develop POA&M | CMA_C1156 - Develop POA&M | Manual, Disabled | 1.1.0 |
| Establish a risk management strategy | CMA_0258 - Establish a risk management strategy | Manual, Disabled | 1.1.0 |
| Implement the risk management strategy | CMA_C1744 - Implement the risk management strategy | Manual, Disabled | 1.1.0 |
General
ID: ISO 27001:2013 C.6.1.1.e.1 Ownership: Shared
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Develop POA&M | CMA_C1156 - Develop POA&M | Manual, Disabled | 1.1.0 |
| Establish a risk management strategy | CMA_0258 - Establish a risk management strategy | Manual, Disabled | 1.1.0 |
| Implement the risk management strategy | CMA_C1744 - Implement the risk management strategy | Manual, Disabled | 1.1.0 |
General
ID: ISO 27001:2013 C.6.1.1.e.2 Ownership: Shared
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Establish a risk management strategy | CMA_0258 - Establish a risk management strategy | Manual, Disabled | 1.1.0 |
| Implement the risk management strategy | CMA_C1744 - Implement the risk management strategy | Manual, Disabled | 1.1.0 |
| Update POA&M items | CMA_C1157 - Update POA&M items | Manual, Disabled | 1.1.0 |
Information security risk assessment
ID: ISO 27001:2013 C.6.1.2.a.1 Ownership: Shared
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Establish a risk management strategy | CMA_0258 - Establish a risk management strategy | Manual, Disabled | 1.1.0 |
| Implement the risk management strategy | CMA_C1744 - Implement the risk management strategy | Manual, Disabled | 1.1.0 |
Information security risk assessment
ID: ISO 27001:2013 C.6.1.2.a.2 Ownership: Shared
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Establish a risk management strategy | CMA_0258 - Establish a risk management strategy | Manual, Disabled | 1.1.0 |
| Implement the risk management strategy | CMA_C1744 - Implement the risk management strategy | Manual, Disabled | 1.1.0 |
Information security risk assessment
ID: ISO 27001:2013 C.6.1.2.b Ownership: Shared
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Implement the risk management strategy | CMA_C1744 - Implement the risk management strategy | Manual, Disabled | 1.1.0 |
Information security risk assessment
ID: ISO 27001:2013 C.6.1.2.c.1 Ownership: Shared
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Implement the risk management strategy | CMA_C1744 - Implement the risk management strategy | Manual, Disabled | 1.1.0 |
| Perform a risk assessment | CMA_0388 - Perform a risk assessment | Manual, Disabled | 1.1.0 |
Information security risk assessment
ID: ISO 27001:2013 C.6.1.2.c.2 Ownership: Shared
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Implement the risk management strategy | CMA_C1744 - Implement the risk management strategy | Manual, Disabled | 1.1.0 |
| Perform a risk assessment | CMA_0388 - Perform a risk assessment | Manual, Disabled | 1.1.0 |
Information security risk assessment
ID: ISO 27001:2013 C.6.1.2.d.1 Ownership: Shared
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Implement the risk management strategy | CMA_C1744 - Implement the risk management strategy | Manual, Disabled | 1.1.0 |
| Perform a risk assessment | CMA_0388 - Perform a risk assessment | Manual, Disabled | 1.1.0 |
Information security risk assessment
ID: ISO 27001:2013 C.6.1.2.d.2 Ownership: Shared
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Implement the risk management strategy | CMA_C1744 - Implement the risk management strategy | Manual, Disabled | 1.1.0 |
| Perform a risk assessment | CMA_0388 - Perform a risk assessment | Manual, Disabled | 1.1.0 |
Information security risk assessment
ID: ISO 27001:2013 C.6.1.2.d.3 Ownership: Shared
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Implement the risk management strategy | CMA_C1744 - Implement the risk management strategy | Manual, Disabled | 1.1.0 |
| Perform a risk assessment | CMA_0388 - Perform a risk assessment | Manual, Disabled | 1.1.0 |
Information security risk assessment
ID: ISO 27001:2013 C.6.1.2.e.1 Ownership: Shared
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Implement the risk management strategy | CMA_C1744 - Implement the risk management strategy | Manual, Disabled | 1.1.0 |
| Perform a risk assessment | CMA_0388 - Perform a risk assessment | Manual, Disabled | 1.1.0 |
Information security risk assessment
ID: ISO 27001:2013 C.6.1.2.e.2 Ownership: Shared
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Implement the risk management strategy | CMA_C1744 - Implement the risk management strategy | Manual, Disabled | 1.1.0 |
| Perform a risk assessment | CMA_0388 - Perform a risk assessment | Manual, Disabled | 1.1.0 |
Information security risk treatment
ID: ISO 27001:2013 C.6.1.3.a Ownership: Shared
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Develop POA&M | CMA_C1156 - Develop POA&M | Manual, Disabled | 1.1.0 |
Information security risk treatment
ID: ISO 27001:2013 C.6.1.3.b Ownership: Shared
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Develop POA&M | CMA_C1156 - Develop POA&M | Manual, Disabled | 1.1.0 |
Information security risk treatment
ID: ISO 27001:2013 C.6.1.3.c Ownership: Shared
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Develop POA&M | CMA_C1156 - Develop POA&M | Manual, Disabled | 1.1.0 |
Information security risk treatment
ID: ISO 27001:2013 C.6.1.3.d Ownership: Shared
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Develop SSP that meets criteria | CMA_C1492 - Develop SSP that meets criteria | Manual, Disabled | 1.1.0 |
Information security risk treatment
ID: ISO 27001:2013 C.6.1.3.e Ownership: Shared
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Develop POA&M | CMA_C1156 - Develop POA&M | Manual, Disabled | 1.1.0 |
Information security risk treatment
ID: ISO 27001:2013 C.6.1.3.f Ownership: Shared
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Develop POA&M | CMA_C1156 - Develop POA&M | Manual, Disabled | 1.1.0 |
Information security objectives and planning to achieve them
ID: ISO 27001:2013 C.6.2.e Ownership: Shared
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Establish an information security program | CMA_0263 - Establish an information security program | Manual, Disabled | 1.1.0 |
| Update information security policies | CMA_0518 - Update information security policies | Manual, Disabled | 1.1.0 |
Support
Resources
ID: ISO 27001:2013 C.7.1 Ownership: Shared
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Align business objectives and IT goals | CMA_0008 - Align business objectives and IT goals | Manual, Disabled | 1.1.0 |
| Allocate resources in determining information system requirements | CMA_C1561 - Allocate resources in determining information system requirements | Manual, Disabled | 1.1.0 |
| Employ business case to record the resources required | CMA_C1735 - Employ business case to record the resources required | Manual, Disabled | 1.1.0 |
| Ensure capital planning and investment requests include necessary resources | CMA_C1734 - Ensure capital planning and investment requests include necessary resources | Manual, Disabled | 1.1.0 |
| Establish a discrete line item in budgeting documentation | CMA_C1563 - Establish a discrete line item in budgeting documentation | Manual, Disabled | 1.1.0 |
| Govern the allocation of resources | CMA_0293 - Govern the allocation of resources | Manual, Disabled | 1.1.0 |
| Secure commitment from leadership | CMA_0489 - Secure commitment from leadership | Manual, Disabled | 1.1.0 |
Competence
ID: ISO 27001:2013 C.7.2.a Ownership: Shared
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Document personnel acceptance of privacy requirements | CMA_0193 - Document personnel acceptance of privacy requirements | Manual, Disabled | 1.1.0 |
| Monitor security and privacy training completion | CMA_0379 - Monitor security and privacy training completion | Manual, Disabled | 1.1.0 |
| Provide privacy training | CMA_0415 - Provide privacy training | Manual, Disabled | 1.1.0 |
Competence
ID: ISO 27001:2013 C.7.2.b Ownership: Shared
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Monitor security and privacy training completion | CMA_0379 - Monitor security and privacy training completion | Manual, Disabled | 1.1.0 |
Competence
ID: ISO 27001:2013 C.7.2.c Ownership: Shared
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Monitor security and privacy training completion | CMA_0379 - Monitor security and privacy training completion | Manual, Disabled | 1.1.0 |
Competence
ID: ISO 27001:2013 C.7.2.d Ownership: Shared
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Retain training records | CMA_0456 - Retain training records | Manual, Disabled | 1.1.0 |
Awareness
ID: ISO 27001:2013 C.7.3.a Ownership: Shared
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Develop acceptable use policies and procedures | CMA_0143 - Develop acceptable use policies and procedures | Manual, Disabled | 1.1.0 |
| Enforce rules of behavior and access agreements | CMA_0248 - Enforce rules of behavior and access agreements | Manual, Disabled | 1.1.0 |
| Provide privacy training | CMA_0415 - Provide privacy training | Manual, Disabled | 1.1.0 |
Awareness
ID: ISO 27001:2013 C.7.3.b Ownership: Shared
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Develop acceptable use policies and procedures | CMA_0143 - Develop acceptable use policies and procedures | Manual, Disabled | 1.1.0 |
| Enforce rules of behavior and access agreements | CMA_0248 - Enforce rules of behavior and access agreements | Manual, Disabled | 1.1.0 |
| Provide privacy training | CMA_0415 - Provide privacy training | Manual, Disabled | 1.1.0 |
Awareness
ID: ISO 27001:2013 C.7.3.c Ownership: Shared
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Develop acceptable use policies and procedures | CMA_0143 - Develop acceptable use policies and procedures | Manual, Disabled | 1.1.0 |
| Enforce rules of behavior and access agreements | CMA_0248 - Enforce rules of behavior and access agreements | Manual, Disabled | 1.1.0 |
| Provide privacy training | CMA_0415 - Provide privacy training | Manual, Disabled | 1.1.0 |
Communication
ID: ISO 27001:2013 C.7.4.a Ownership: Shared
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Designate authorized personnel to post publicly accessible information | CMA_C1083 - Designate authorized personnel to post publicly accessible information | Manual, Disabled | 1.1.0 |
| Develop and establish a system security plan | CMA_0151 - Develop and establish a system security plan | Manual, Disabled | 1.1.0 |
| Establish security requirements for the manufacturing of connected devices | CMA_0279 - Establish security requirements for the manufacturing of connected devices | Manual, Disabled | 1.1.0 |
| Implement security engineering principles of information systems | CMA_0325 - Implement security engineering principles of information systems | Manual, Disabled | 1.1.0 |
Communication
ID: ISO 27001:2013 C.7.4.b Ownership: Shared
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Designate authorized personnel to post publicly accessible information | CMA_C1083 - Designate authorized personnel to post publicly accessible information | Manual, Disabled | 1.1.0 |
| Develop and establish a system security plan | CMA_0151 - Develop and establish a system security plan | Manual, Disabled | 1.1.0 |
| Establish security requirements for the manufacturing of connected devices | CMA_0279 - Establish security requirements for the manufacturing of connected devices | Manual, Disabled | 1.1.0 |
| Implement security engineering principles of information systems | CMA_0325 - Implement security engineering principles of information systems | Manual, Disabled | 1.1.0 |
Communication
ID: ISO 27001:2013 C.7.4.c Ownership: Shared
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Designate authorized personnel to post publicly accessible information | CMA_C1083 - Designate authorized personnel to post publicly accessible information | Manual, Disabled | 1.1.0 |
| Develop and establish a system security plan | CMA_0151 - Develop and establish a system security plan | Manual, Disabled | 1.1.0 |
| Establish security requirements for the manufacturing of connected devices | CMA_0279 - Establish security requirements for the manufacturing of connected devices | Manual, Disabled | 1.1.0 |
| Implement security engineering principles of information systems | CMA_0325 - Implement security engineering principles of information systems | Manual, Disabled | 1.1.0 |
Communication
ID: ISO 27001:2013 C.7.4.d Ownership: Shared
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Designate authorized personnel to post publicly accessible information | CMA_C1083 - Designate authorized personnel to post publicly accessible information | Manual, Disabled | 1.1.0 |
| Develop and establish a system security plan | CMA_0151 - Develop and establish a system security plan | Manual, Disabled | 1.1.0 |
| Establish security requirements for the manufacturing of connected devices | CMA_0279 - Establish security requirements for the manufacturing of connected devices | Manual, Disabled | 1.1.0 |
| Implement security engineering principles of information systems | CMA_0325 - Implement security engineering principles of information systems | Manual, Disabled | 1.1.0 |
Communication
ID: ISO 27001:2013 C.7.4.e Ownership: Shared
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Designate authorized personnel to post publicly accessible information | CMA_C1083 - Designate authorized personnel to post publicly accessible information | Manual, Disabled | 1.1.0 |
| Develop and establish a system security plan | CMA_0151 - Develop and establish a system security plan | Manual, Disabled | 1.1.0 |
| Establish security requirements for the manufacturing of connected devices | CMA_0279 - Establish security requirements for the manufacturing of connected devices | Manual, Disabled | 1.1.0 |
| Implement security engineering principles of information systems | CMA_0325 - Implement security engineering principles of information systems | Manual, Disabled | 1.1.0 |
Creating and updating
ID: ISO 27001:2013 C.7.5.2.c Ownership: Shared
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Develop SSP that meets criteria | CMA_C1492 - Develop SSP that meets criteria | Manual, Disabled | 1.1.0 |
Control of documented information
ID: ISO 27001:2013 C.7.5.3.a Ownership: Shared
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Review and update planning policies and procedures | CMA_C1491 - Review and update planning policies and procedures | Manual, Disabled | 1.1.0 |
Control of documented information
ID: ISO 27001:2013 C.7.5.3.b Ownership: Shared
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Develop and establish a system security plan | CMA_0151 - Develop and establish a system security plan | Manual, Disabled | 1.1.0 |
| Establish security requirements for the manufacturing of connected devices | CMA_0279 - Establish security requirements for the manufacturing of connected devices | Manual, Disabled | 1.1.0 |
| Implement security engineering principles of information systems | CMA_0325 - Implement security engineering principles of information systems | Manual, Disabled | 1.1.0 |
Control of documented information
ID: ISO 27001:2013 C.7.5.3.c Ownership: Shared
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Review and update planning policies and procedures | CMA_C1491 - Review and update planning policies and procedures | Manual, Disabled | 1.1.0 |
Control of documented information
ID: ISO 27001:2013 C.7.5.3.d Ownership: Shared
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Develop and establish a system security plan | CMA_0151 - Develop and establish a system security plan | Manual, Disabled | 1.1.0 |
| Establish security requirements for the manufacturing of connected devices | CMA_0279 - Establish security requirements for the manufacturing of connected devices | Manual, Disabled | 1.1.0 |
| Implement security engineering principles of information systems | CMA_0325 - Implement security engineering principles of information systems | Manual, Disabled | 1.1.0 |
Control of documented information
ID: ISO 27001:2013 C.7.5.3.e Ownership: Shared
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Develop and establish a system security plan | CMA_0151 - Develop and establish a system security plan | Manual, Disabled | 1.1.0 |
| Establish security requirements for the manufacturing of connected devices | CMA_0279 - Establish security requirements for the manufacturing of connected devices | Manual, Disabled | 1.1.0 |
| Implement security engineering principles of information systems | CMA_0325 - Implement security engineering principles of information systems | Manual, Disabled | 1.1.0 |
Control of documented information
ID: ISO 27001:2013 C.7.5.3.f Ownership: Shared
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Develop and establish a system security plan | CMA_0151 - Develop and establish a system security plan | Manual, Disabled | 1.1.0 |
| Establish and document change control processes | CMA_0265 - Establish and document change control processes | Manual, Disabled | 1.1.0 |
| Establish configuration management requirements for developers | CMA_0270 - Establish configuration management requirements for developers | Manual, Disabled | 1.1.0 |
| Establish security requirements for the manufacturing of connected devices | CMA_0279 - Establish security requirements for the manufacturing of connected devices | Manual, Disabled | 1.1.0 |
| Implement security engineering principles of information systems | CMA_0325 - Implement security engineering principles of information systems | Manual, Disabled | 1.1.0 |
| Perform audit for configuration change control | CMA_0390 - Perform audit for configuration change control | Manual, Disabled | 1.1.0 |
| Review and update planning policies and procedures | CMA_C1491 - Review and update planning policies and procedures | Manual, Disabled | 1.1.0 |
Operation
Operational planning and control
ID: ISO 27001:2013 C.8.1 Ownership: Shared
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Automate approval request for proposed changes | CMA_C1192 - Automate approval request for proposed changes | Manual, Disabled | 1.1.0 |
| Automate implementation of approved change notifications | CMA_C1196 - Automate implementation of approved change notifications | Manual, Disabled | 1.1.0 |
| Automate process to document implemented changes | CMA_C1195 - Automate process to document implemented changes | Manual, Disabled | 1.1.0 |
| Automate process to highlight unreviewed change proposals | CMA_C1193 - Automate process to highlight unreviewed change proposals | Manual, Disabled | 1.1.0 |
| Automate process to prohibit implementation of unapproved changes | CMA_C1194 - Automate process to prohibit implementation of unapproved changes | Manual, Disabled | 1.1.0 |
| Automate proposed documented changes | CMA_C1191 - Automate proposed documented changes | Manual, Disabled | 1.1.0 |
| Conduct a security impact analysis | CMA_0057 - Conduct a security impact analysis | Manual, Disabled | 1.1.0 |
| Develop and maintain a vulnerability management standard | CMA_0152 - Develop and maintain a vulnerability management standard | Manual, Disabled | 1.1.0 |
| Develop POA&M | CMA_C1156 - Develop POA&M | Manual, Disabled | 1.1.0 |
| Enforce security configuration settings | CMA_0249 - Enforce security configuration settings | Manual, Disabled | 1.1.0 |
| Establish and document change control processes | CMA_0265 - Establish and document change control processes | Manual, Disabled | 1.1.0 |
| Establish configuration management requirements for developers | CMA_0270 - Establish configuration management requirements for developers | Manual, Disabled | 1.1.0 |
| Perform a privacy impact assessment | CMA_0387 - Perform a privacy impact assessment | Manual, Disabled | 1.1.0 |
| Perform a risk assessment | CMA_0388 - Perform a risk assessment | Manual, Disabled | 1.1.0 |
| Perform audit for configuration change control | CMA_0390 - Perform audit for configuration change control | Manual, Disabled | 1.1.0 |
| Remediate information system flaws | CMA_0427 - Remediate information system flaws | Manual, Disabled | 1.1.0 |
| Require developers to document approved changes and potential impact | CMA_C1597 - Require developers to document approved changes and potential impact | Manual, Disabled | 1.1.0 |
| Require developers to implement only approved changes | CMA_C1596 - Require developers to implement only approved changes | Manual, Disabled | 1.1.0 |
| Require developers to manage change integrity | CMA_C1595 - Require developers to manage change integrity | Manual, Disabled | 1.1.0 |
| Require external service providers to comply with security requirements | CMA_C1586 - Require external service providers to comply with security requirements | Manual, Disabled | 1.1.0 |
| Update POA&M items | CMA_C1157 - Update POA&M items | Manual, Disabled | 1.1.0 |
Information security risk assessment
ID: ISO 27001:2013 C.8.2 Ownership: Shared
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Conduct risk assessment and document its results | CMA_C1542 - Conduct risk assessment and document its results | Manual, Disabled | 1.1.0 |
| Perform a risk assessment | CMA_0388 - Perform a risk assessment | Manual, Disabled | 1.1.0 |
| Review and update risk assessment policies and procedures | CMA_C1537 - Review and update risk assessment policies and procedures | Manual, Disabled | 1.1.0 |
Information security risk treatment
ID: ISO 27001:2013 C.8.3 Ownership: Shared
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Develop POA&M | CMA_C1156 - Develop POA&M | Manual, Disabled | 1.1.0 |
| Implement system boundary protection | CMA_0328 - Implement system boundary protection | Manual, Disabled | 1.1.0 |
| Secure the interface to external systems | CMA_0491 - Secure the interface to external systems | Manual, Disabled | 1.1.0 |
| Update POA&M items | CMA_C1157 - Update POA&M items | Manual, Disabled | 1.1.0 |
Performance Evaluation
Monitoring, measurement, analysis and evaluation
ID: ISO 27001:2013 C.9.1.a Ownership: Shared
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Configure detection whitelist | CMA_0068 - Configure detection whitelist | Manual, Disabled | 1.1.0 |
| Turn on sensors for endpoint security solution | CMA_0514 - Turn on sensors for endpoint security solution | Manual, Disabled | 1.1.0 |
| Undergo independent security review | CMA_0515 - Undergo independent security review | Manual, Disabled | 1.1.0 |
Monitoring, measurement, analysis and evaluation
ID: ISO 27001:2013 C.9.1.b Ownership: Shared
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Configure detection whitelist | CMA_0068 - Configure detection whitelist | Manual, Disabled | 1.1.0 |
| Turn on sensors for endpoint security solution | CMA_0514 - Turn on sensors for endpoint security solution | Manual, Disabled | 1.1.0 |
| Undergo independent security review | CMA_0515 - Undergo independent security review | Manual, Disabled | 1.1.0 |
Monitoring, measurement, analysis and evaluation
ID: ISO 27001:2013 C.9.1.c Ownership: Shared
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Configure detection whitelist | CMA_0068 - Configure detection whitelist | Manual, Disabled | 1.1.0 |
| Turn on sensors for endpoint security solution | CMA_0514 - Turn on sensors for endpoint security solution | Manual, Disabled | 1.1.0 |
| Undergo independent security review | CMA_0515 - Undergo independent security review | Manual, Disabled | 1.1.0 |
Monitoring, measurement, analysis and evaluation
ID: ISO 27001:2013 C.9.1.d Ownership: Shared
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Configure detection whitelist | CMA_0068 - Configure detection whitelist | Manual, Disabled | 1.1.0 |
| Turn on sensors for endpoint security solution | CMA_0514 - Turn on sensors for endpoint security solution | Manual, Disabled | 1.1.0 |
| Undergo independent security review | CMA_0515 - Undergo independent security review | Manual, Disabled | 1.1.0 |
Monitoring, measurement, analysis and evaluation
ID: ISO 27001:2013 C.9.1.e Ownership: Shared
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Configure detection whitelist | CMA_0068 - Configure detection whitelist | Manual, Disabled | 1.1.0 |
| Turn on sensors for endpoint security solution | CMA_0514 - Turn on sensors for endpoint security solution | Manual, Disabled | 1.1.0 |
| Undergo independent security review | CMA_0515 - Undergo independent security review | Manual, Disabled | 1.1.0 |
Monitoring, measurement, analysis and evaluation
ID: ISO 27001:2013 C.9.1.f Ownership: Shared
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Configure detection whitelist | CMA_0068 - Configure detection whitelist | Manual, Disabled | 1.1.0 |
| Turn on sensors for endpoint security solution | CMA_0514 - Turn on sensors for endpoint security solution | Manual, Disabled | 1.1.0 |
| Undergo independent security review | CMA_0515 - Undergo independent security review | Manual, Disabled | 1.1.0 |
Internal audit
ID: ISO 27001:2013 C.9.2.a.1 Ownership: Shared
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Develop security assessment plan | CMA_C1144 - Develop security assessment plan | Manual, Disabled | 1.1.0 |
Internal audit
ID: ISO 27001:2013 C.9.2.a.2 Ownership: Shared
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Develop security assessment plan | CMA_C1144 - Develop security assessment plan | Manual, Disabled | 1.1.0 |
Internal audit
ID: ISO 27001:2013 C.9.2.b Ownership: Shared
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Develop security assessment plan | CMA_C1144 - Develop security assessment plan | Manual, Disabled | 1.1.0 |
Internal audit
ID: ISO 27001:2013 C.9.2.c Ownership: Shared
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Assess Security Controls | CMA_C1145 - Assess Security Controls | Manual, Disabled | 1.1.0 |
| Develop security assessment plan | CMA_C1144 - Develop security assessment plan | Manual, Disabled | 1.1.0 |
Internal audit
ID: ISO 27001:2013 C.9.2.d Ownership: Shared
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Develop security assessment plan | CMA_C1144 - Develop security assessment plan | Manual, Disabled | 1.1.0 |
Internal audit
ID: ISO 27001:2013 C.9.2.e Ownership: Shared
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Adjust level of audit review, analysis, and reporting | CMA_C1123 - Adjust level of audit review, analysis, and reporting | Manual, Disabled | 1.1.0 |
| Develop audit and accountability policies and procedures | CMA_0154 - Develop audit and accountability policies and procedures | Manual, Disabled | 1.1.0 |
| Develop information security policies and procedures | CMA_0158 - Develop information security policies and procedures | Manual, Disabled | 1.1.0 |
| Employ independent assessors to conduct security control assessments | CMA_C1148 - Employ independent assessors to conduct security control assessments | Manual, Disabled | 1.1.0 |
| Update information security policies | CMA_0518 - Update information security policies | Manual, Disabled | 1.1.0 |
Internal audit
ID: ISO 27001:2013 C.9.2.f Ownership: Shared
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Deliver security assessment results | CMA_C1147 - Deliver security assessment results | Manual, Disabled | 1.1.0 |
Internal audit
ID: ISO 27001:2013 C.9.2.g Ownership: Shared
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Adhere to retention periods defined | CMA_0004 - Adhere to retention periods defined | Manual, Disabled | 1.1.0 |
| Retain security policies and procedures | CMA_0454 - Retain security policies and procedures | Manual, Disabled | 1.1.0 |
| Retain terminated user data | CMA_0455 - Retain terminated user data | Manual, Disabled | 1.1.0 |
Management review
ID: ISO 27001:2013 C.9.3.a Ownership: Shared
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Assess Security Controls | CMA_C1145 - Assess Security Controls | Manual, Disabled | 1.1.0 |
| Conduct Risk Assessment | CMA_C1543 - Conduct Risk Assessment | Manual, Disabled | 1.1.0 |
| Develop POA&M | CMA_C1156 - Develop POA&M | Manual, Disabled | 1.1.0 |
| Implement plans of action and milestones for security program process | CMA_C1737 - Implement plans of action and milestones for security program process | Manual, Disabled | 1.1.0 |
| Update POA&M items | CMA_C1157 - Update POA&M items | Manual, Disabled | 1.1.0 |
Management review
ID: ISO 27001:2013 C.9.3.b Ownership: Shared
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Assess Security Controls | CMA_C1145 - Assess Security Controls | Manual, Disabled | 1.1.0 |
| Conduct Risk Assessment | CMA_C1543 - Conduct Risk Assessment | Manual, Disabled | 1.1.0 |
| Develop POA&M | CMA_C1156 - Develop POA&M | Manual, Disabled | 1.1.0 |
| Update POA&M items | CMA_C1157 - Update POA&M items | Manual, Disabled | 1.1.0 |
Management review
ID: ISO 27001:2013 C.9.3.c.1 Ownership: Shared
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Assess Security Controls | CMA_C1145 - Assess Security Controls | Manual, Disabled | 1.1.0 |
| Conduct Risk Assessment | CMA_C1543 - Conduct Risk Assessment | Manual, Disabled | 1.1.0 |
| Define performance metrics | CMA_0124 - Define performance metrics | Manual, Disabled | 1.1.0 |
| Develop POA&M | CMA_C1156 - Develop POA&M | Manual, Disabled | 1.1.0 |
| Establish an information security program | CMA_0263 - Establish an information security program | Manual, Disabled | 1.1.0 |
| Update POA&M items | CMA_C1157 - Update POA&M items | Manual, Disabled | 1.1.0 |
Management review
ID: ISO 27001:2013 C.9.3.c.2 Ownership: Shared
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Assess Security Controls | CMA_C1145 - Assess Security Controls | Manual, Disabled | 1.1.0 |
| Conduct Risk Assessment | CMA_C1543 - Conduct Risk Assessment | Manual, Disabled | 1.1.0 |
| Develop POA&M | CMA_C1156 - Develop POA&M | Manual, Disabled | 1.1.0 |
| Update POA&M items | CMA_C1157 - Update POA&M items | Manual, Disabled | 1.1.0 |
Management review
ID: ISO 27001:2013 C.9.3.c.3 Ownership: Shared
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Assess Security Controls | CMA_C1145 - Assess Security Controls | Manual, Disabled | 1.1.0 |
| Conduct Risk Assessment | CMA_C1543 - Conduct Risk Assessment | Manual, Disabled | 1.1.0 |
| Define performance metrics | CMA_0124 - Define performance metrics | Manual, Disabled | 1.1.0 |
| Update POA&M items | CMA_C1157 - Update POA&M items | Manual, Disabled | 1.1.0 |
Management review
ID: ISO 27001:2013 C.9.3.c.4 Ownership: Shared
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Assess Security Controls | CMA_C1145 - Assess Security Controls | Manual, Disabled | 1.1.0 |
| Conduct Risk Assessment | CMA_C1543 - Conduct Risk Assessment | Manual, Disabled | 1.1.0 |
| Define performance metrics | CMA_0124 - Define performance metrics | Manual, Disabled | 1.1.0 |
| Update POA&M items | CMA_C1157 - Update POA&M items | Manual, Disabled | 1.1.0 |
Management review
ID: ISO 27001:2013 C.9.3.d Ownership: Shared
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Assess Security Controls | CMA_C1145 - Assess Security Controls | Manual, Disabled | 1.1.0 |
| Conduct Risk Assessment | CMA_C1543 - Conduct Risk Assessment | Manual, Disabled | 1.1.0 |
| Update POA&M items | CMA_C1157 - Update POA&M items | Manual, Disabled | 1.1.0 |
Management review
ID: ISO 27001:2013 C.9.3.e Ownership: Shared
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Assess Security Controls | CMA_C1145 - Assess Security Controls | Manual, Disabled | 1.1.0 |
| Conduct Risk Assessment | CMA_C1543 - Conduct Risk Assessment | Manual, Disabled | 1.1.0 |
| Update POA&M items | CMA_C1157 - Update POA&M items | Manual, Disabled | 1.1.0 |
Management review
ID: ISO 27001:2013 C.9.3.f Ownership: Shared
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Assess Security Controls | CMA_C1145 - Assess Security Controls | Manual, Disabled | 1.1.0 |
| Conduct Risk Assessment | CMA_C1543 - Conduct Risk Assessment | Manual, Disabled | 1.1.0 |
| Update POA&M items | CMA_C1157 - Update POA&M items | Manual, Disabled | 1.1.0 |
Next steps
Additional articles about Azure Policy:
- Regulatory Compliance overview.
- See the initiative definition structure.
- Review other examples at Azure Policy samples.
- Review Understanding policy effects.
- Learn how to remediate non-compliant resources.
Feedback
Coming soon: Throughout 2024 we will be phasing out GitHub Issues as the feedback mechanism for content and replacing it with a new feedback system. For more information see: https://aka.ms/ContentUserFeedback.
Submit and view feedback for