Methodology
How PostureIQ assesses your Microsoft 365 compliance posture.
Scoring Approach
PostureIQ produces a compliance score for each framework by evaluating two categories of evidence from your Microsoft 365 tenant:
- Posture Controls — 61 technical controls that check specific security configurations (e.g. "Is MFA enforced for all users?"). Each control returns pass, partial, fail, or not applicable.
- Device Hardening Settings — 381 settings from Intune Settings Catalog profiles (e.g. "Is real-time antivirus monitoring enabled?"). Each setting is compared against a known-compliant value.
Framework scores are a weighted blend of these two components. Each control and setting carries a weight (1-5) reflecting its security importance. The score formula is:
Framework Score = (Controls Sub-Score × Controls Weight) + (Settings Sub-Score × Settings Weight)
Controls Weight and Settings Weight are the per-framework percentages shown in the Framework Coverage table below, and each sub-score = (earned weight / total weight) × 100. Controls that return pass earn their full weight, controls that return partial earn 50% of their weight, and controls that return not applicable are excluded from both the numerator and the denominator.
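The scoring formula above as runnable code (an added example, not PostureIQ's own implementation): it applies the partial-credit and not-applicable rules, takes the weight split from the Framework Coverage table, and runs on constructed sample results. The re-normalisation when a weighted component has no applicable items is my assumption; the page does not say how that case is handled.

```python
from dataclasses import dataclass
from enum import Enum


class Result(Enum):
    """Outcome of one posture control or one Settings Catalog comparison."""
    PASS = "pass"
    PARTIAL = "partial"
    FAIL = "fail"
    NOT_APPLICABLE = "not applicable"


# Fraction of an item's weight earned per outcome (partial earns 50%, per the methodology).
CREDIT = {Result.PASS: 1.0, Result.PARTIAL: 0.5, Result.FAIL: 0.0}


@dataclass(frozen=True)
class Item:
    """One scored control or setting; weight 1-5 reflects security importance."""
    item_id: str
    weight: int
    result: Result

    def __post_init__(self):
        if not 1 <= self.weight <= 5:
            raise ValueError(f"{self.item_id}: weight must be 1-5, got {self.weight}")


def sub_score(items):
    """(earned weight / total weight) * 100 over applicable items only.

    Not-applicable items are excluded from both numerator and denominator.
    Returns None when nothing is applicable so the caller decides how to treat
    a component with no evidence instead of dividing by zero.
    """
    applicable = [i for i in items if i.result is not Result.NOT_APPLICABLE]
    total = sum(i.weight for i in applicable)
    if total == 0:
        return None
    earned = sum(i.weight * CREDIT[i.result] for i in applicable)
    return 100.0 * earned / total


# (controls weight, settings weight) per framework, as in the Framework Coverage table.
FRAMEWORK_WEIGHTS = {
    "CIS M365 v6.0.1 Controls": (0.80, 0.20),
    "ISO 27001 Controls": (0.80, 0.20),
    "DORA Art.9 & Art.10": (0.80, 0.20),
    "NIS2 Art.21": (0.80, 0.20),
    "NIST CSF 2.0 Controls": (0.80, 0.20),
    "CIS Intune for Windows 11": (0.00, 1.00),
}


def framework_score(framework, controls, settings):
    """Blend the two sub-scores with the framework's weight split.

    Assumption (not stated on the page): if a weighted component has no
    applicable items, its weight is re-normalised onto the other component
    rather than silently scoring that component as zero.
    """
    controls_wt, settings_wt = FRAMEWORK_WEIGHTS[framework]
    parts = []
    for weight, score in ((controls_wt, sub_score(controls)), (settings_wt, sub_score(settings))):
        if weight > 0 and score is not None:
            parts.append((weight, score))
    if not parts:
        raise ValueError(f"{framework}: no applicable evidence in either component")
    weight_sum = sum(w for w, _ in parts)
    return round(sum(w * s for w, s in parts) / weight_sum, 2)


# Constructed sample evidence (hypothetical results and setting names, not real tenant data).
SAMPLE_CONTROLS = [
    Item("CTRL-ENT-001", 5, Result.PASS),            # earns 5
    Item("CTRL-ENT-002", 5, Result.FAIL),            # earns 0
    Item("CTRL-ENT-003", 3, Result.PARTIAL),         # earns 1.5
    Item("CTRL-INT-006", 2, Result.NOT_APPLICABLE),  # excluded: no mobile devices enrolled
]  # controls sub-score = 6.5 / 13 * 100 = 50.0
SAMPLE_SETTINGS = [
    Item("setting-realtime-monitoring", 4, Result.PASS),
    Item("setting-firewall-domain-profile", 2, Result.FAIL),
    Item("setting-bitlocker-os-drive", 4, Result.PASS),
]  # settings sub-score = 8 / 10 * 100 = 80.0

if __name__ == "__main__":
    for fw in FRAMEWORK_WEIGHTS:
        print(f"{fw}: {framework_score(fw, SAMPLE_CONTROLS, SAMPLE_SETTINGS)}")
```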
Framework Coverage
PostureIQ maps controls and settings to 6 compliance frameworks. The table below shows the scoring weight split and benchmark denominator for each.
| Framework | Controls Wt | Settings Wt | Clauses Covered | Benchmark Total | Coverage |
|---|---|---|---|---|---|
| CIS M365 v6.0.1 Controls | 80% | 20% | 36 | 140 | 26% |
| ISO 27001 Controls | 80% | 20% | 15 | 34 | 44% |
| DORA — Art.9 & Art.10 | 80% | 20% | 10 | 8 | 125% |
| NIS2 — Art.21 | 80% | 20% | 9 | 10 | 90% |
| NIST CSF 2.0 Controls | 80% | 20% | 10 | 39 | 26% |
| CIS Intune for Windows 11 | 0% | 100% | 82 | 443 | 19% |
"Clauses Covered" counts unique framework control/article IDs that at least one PostureIQ control or setting maps to.
CIS M365 v6.0.1 — Per-Section Coverage
CIS M365 Foundations v6.0.1 (published 2026-02-26) contains 140 recommendations across 9 admin-center sections. PostureIQ currently maps 36 of those — fully covering Microsoft Purview audit/DLP/Information Protection (§3), partially covering Entra identity controls (§5), Exchange (§6), SharePoint (§7), Teams (§8), and Defender for Office (§2). Sections 1 (M365 admin center), 4 (Intune admin center), and 9 (Microsoft Fabric) are minimally covered or queued. The table below tracks unique recommendation IDs from the v6.0.1 PDF.
| § | Section | Mapped | Status |
|---|---|---|---|
| 1 | Microsoft 365 admin center | 1 / 15 | In progress |
| 2 | Microsoft 365 Defender (incl. SPF/DKIM/DMARC, Safe Links/Attachments, Common Attachment Filter) | 9 / 20 | Partially mapped |
| 3 | Microsoft Purview (audit log, DLP, sensitivity labels) | 4 / 4 | Fully mapped |
| 4 | Microsoft Intune admin center (tenant-wide defaults) | 2 / 2 | Fully mapped |
| 5 | Microsoft Entra admin center (identity, CA, MFA, PIM, governance) | 13 / 45 | Partially mapped |
| 6 | Exchange admin center (audit, mail flow, settings incl. SMTP AUTH) | 5 / 12 | Partially mapped |
| 7 | SharePoint admin center (sharing policies, OneDrive sync) | 4 / 13 | Partially mapped |
| 8 | Microsoft Teams admin center (external access, meetings) | 4 / 17 | Partially mapped |
| 9 | Microsoft Fabric | 0 / 12 | In progress |
"Fully mapped" means PostureIQ covers the security-impacting recommendations in the section; a handful of low-impact or duplicate recommendations may remain unmapped by design. "In progress" sections are on the roadmap.
Assessment Scope per Framework
CIS M365 v6.0.1
41 controls mapping to 36 unique recommendations out of 140 total in CIS M365 v6.0.1. Section 3 (Microsoft Purview) is fully mapped; sections 2 (Defender), 5 (Entra), 6 (Exchange), 7 (SharePoint), and 8 (Teams) are partially mapped. Sections 1 (M365 admin center), 4 (Intune admin center), and 9 (Microsoft Fabric) are minimally or not mapped — see the per-section coverage table above.
ISO 27001:2022
Annex A.8 technological controls only (34 clauses). Clauses A.5 (organisational), A.6 (people), and A.7 (physical) require manual assessment. Management system clauses (4–10) are not assessed.
DORA (EU 2022/2554)
Articles 8–12 (Chapter II) technical measures only: the ICT risk management framework, protection, detection, response, and recovery. Articles 13–18, covering governance, incident reporting, testing, and third-party risk, are not assessed.
NIS2 (EU 2022/2555)
Art. 21(2)(a–j) security measures only (access control, encryption, network security). Incident reporting (Art.23), supply chain security, and governance requirements are not assessed.
NIST CSF 2.0
Protect (PR) and Detect (DE) functions only. Identify (ID) is only partially assessed; Govern (GV), Respond (RS), and Recover (RC) functions are not assessed.
CIS Intune for Windows 11 v3.0.1
Settings Catalog evaluation only. Covers device hardening benchmarks across antivirus, firewall, BitLocker, audit logging, and more. Does not include legacy device configuration profiles or Windows Update for Business ring policies.
Controls by Domain
Control-to-Benchmark Mapping
Each PostureIQ control is mapped to one or more framework requirements, with a justification recorded for every mapping.
| Control ID | Title | CIS Benchmark Ref | CIS M365 | ISO 27001 | DORA | NIS2 | NIST CSF |
|---|---|---|---|---|---|---|---|
| CTRL-ENT-001 | MFA registration rate is at least 95% | CIS M365 v6.0.1, Rec. 5.2.2.2 | 5.2.2.2 | A.8.5 | Art.9.4 | Art.21.2j | PR.AA-01 |
| CTRL-ENT-002 | Legacy authentication blocked via Conditional Access | CIS M365 v6.0.1, Rec. 5.2.2.3 | 5.2.2.3 | A.8.5 | Art.9.4 | Art.21.2i | PR.AA-05 |
| CTRL-ENT-003 | Global Administrator count is between 2 and 4 | CIS M365 v6.0.1, Rec. 1.1.3 | 1.1.3 | A.8.2 | Art.9.4 | Art.21.2i | PR.AA-05 |
| CTRL-ENT-004 | Security Defaults are enabled | — | — | A.8.5 | — | — | PR.AA-01 |
| CTRL-ENT-005 | Per-user MFA (legacy) is not in use | CIS M365 v6.0.1, Rec. 5.1.2.1 | 5.1.2.1 | A.8.5 | — | — | PR.AA-01 |
| CTRL-ENT-006 | Self-Service Password Reset (SSPR) is enabled for all users | CIS M365 v6.0.1, Rec. 5.2.4.1 | 5.2.4.1 | A.5.16 | — | — | PR.AA-01 |
| CTRL-ENT-007 | Privileged Identity Management (PIM) is configured | CIS M365 v6.0.1, Rec. 5.3.1 | 5.3.1 | A.8.2 | Art.9.4 | Art.21.2i | PR.AA-05 |
| CTRL-ENT-008 | MFA required for all users via Conditional Access | CIS M365 v6.0.1, Rec. 5.2.2.2 | 5.2.2.2 | A.8.5 | Art.9.4 | Art.21.2j | PR.AA-03 |
| CTRL-ENT-009 | MFA required for admin roles via Conditional Access | CIS M365 v6.0.1, Rec. 5.2.2.1 | 5.2.2.1 | A.8.5 | Art.9.4 | Art.21.2j | PR.AA-03 |
| CTRL-ENT-010 | Compliant or Hybrid-joined device required via Conditional Access | CIS M365 v6.0.1, Rec. 5.2.2.9 | 5.2.2.9 | A.8.1 | Art.9.4 | — | PR.AA-05 |
| CTRL-ENT-011 | High risk sign-ins blocked via Conditional Access | CIS M365 v6.0.1, Rec. 5.2.2.7 | 5.2.2.7 | A.8.16 | Art.10.1 | Art.21.2b | DE.CM-01 |
| CTRL-ENT-012 | No guest users assigned to admin directory roles | — | — | A.8.2 | — | — | PR.AA-05 |
| CTRL-ENT-013 | PIM role activation is time-bound (max 8 hours) | CIS M365 v6.0.1, Rec. 5.3.1 | 5.3.1 | A.8.2 | Art.9.4 | Art.21.2i | PR.AA-05 |
| CTRL-ENT-014 | Access reviews configured for privileged roles | CIS M365 v6.0.1, Rec. 5.3.3 | 5.3.3 | A.5.15 | Art.9.4 | Art.21.2i | PR.AA-05 |
| CTRL-ENT-015 | Named locations configured in Conditional Access policies | — | — | A.8.1 | Art.9.4 | Art.21.2e | PR.AA-01 |
| CTRL-ENT-016 | Phishing-resistant MFA required via authentication strength | CIS M365 v6.0.1, Rec. 5.2.2.5 | 5.2.2.5 | A.8.5 | Art.9.4 | Art.21.2j | PR.AA-03 |
| CTRL-ENT-017 | Break glass accounts excluded from Conditional Access | — | — | A.8.2 | Art.9.4 | Art.21.2i | PR.AA-05 |
| CTRL-ENT-018 | Custom banned password list is enabled | CIS M365 v6.0.1, Rec. 5.2.3.2 | 5.2.3.2 | A.5.17 | — | Art.21.2g | PR.AA-01 |
| CTRL-ENT-019 | Sign-in risk policy blocks high risk sign-ins | CIS M365 v6.0.1, Rec. 5.2.2.8 | 5.2.2.8 | A.8.16 | Art.10.1 | Art.21.2b | DE.CM-01 |
| CTRL-ENT-020 | User risk policy requires password change for high risk users | CIS M365 v6.0.1, Rec. 5.2.2.6 | 5.2.2.6 | A.8.16 | Art.10.1 | Art.21.2b | DE.CM-01 |
| CTRL-INT-001 | BitLocker encryption required on Windows devices | — | — | A.8.24 | Art.9.4 | Art.21.2h | PR.DS-01 |
| CTRL-INT-002 | Password complexity required on Windows devices | — | — | A.8.5 | — | — | PR.AA-01 |
| CTRL-INT-003 | Minimum OS version enforced on Windows devices | — | — | A.8.8 | — | — | PR.PS-01 |
| CTRL-INT-004 | Defender Antivirus required in compliance policy | — | — | A.8.7 | Art.9.3 | Art.21.2e | DE.CM-04 |
| CTRL-INT-005 | Firewall required in compliance policy | — | — | A.8.20 | Art.9.4 | — | PR.DS-01 |
| CTRL-INT-006 | Mobile device storage encryption required | — | — | A.8.24 | — | Art.21.2h | PR.DS-01 |
| CTRL-EXO-001 | Modern authentication enabled in Exchange Online | CIS M365 v6.0.1, Rec. 6.5.1 | 6.5.1 | A.8.5 | Art.9.4 | Art.21.2i | PR.AA-05 |
| CTRL-EXO-002 | Audit logging enabled in Exchange Online | CIS M365 v6.0.1, Rec. 3.1.1 | 3.1.1 | A.8.15 | Art.10.1 | Art.21.2b | DE.AE-03 |
| CTRL-EXO-003 | Malware filter policy is active in Exchange Online | — | — | A.8.7 | Art.9.3 | Art.21.2e | DE.CM-01 |
| CTRL-EXO-004 | ATP Safe Links policy is enabled | CIS M365 v6.0.1, Rec. 2.1.1 | 2.1.1 | A.8.7 | Art.9.3 | Art.21.2e | PR.PS-01 |

Framework Clauses Referenced in the Mappings
CIS M365 v6.0.1 recommendations
- 1.1.3: Ensure that between two and four global admins are designated
- 2.1.1: Ensure Safe Links for Office Applications is Enabled
- 3.1.1: Ensure Microsoft 365 audit log search is Enabled
- 5.1.2.1: Ensure 'Per-user MFA' is disabled
- 5.2.2.1: Ensure multifactor authentication is enabled for all users in administrative roles
- 5.2.2.2: Ensure multifactor authentication is enabled for all users
- 5.2.2.3: Enable Conditional Access policies to block legacy authentication
- 5.2.2.5: Ensure 'Phishing-resistant MFA strength' is required for Administrators
- 5.2.2.6: Enable Identity Protection user risk policies
- 5.2.2.7: Enable Identity Protection sign-in risk policies
- 5.2.2.8: Ensure 'sign-in risk' is blocked for medium and high risk
- 5.2.2.9: Ensure a managed device is required for authentication
- 5.2.3.2: Ensure custom banned passwords lists are used
- 5.2.4.1: Ensure 'Self service password reset enabled' is set to 'All'
- 5.3.1: Ensure 'Privileged Identity Management' is used to manage roles
- 5.3.3: Ensure 'Access reviews' for privileged roles are configured
- 6.5.1: Ensure modern authentication for Exchange Online is enabled
ISO 27001:2022 controls
- A.5.15: Access control — rules defined and implemented for logical and physical access
- A.5.16: Identity management — manage the full lifecycle of identities
- A.5.17: Authentication information — manage allocation and use of authentication information
- A.8.1: User endpoint devices — protect information stored on, processed by, or accessible via user endpoint devices
- A.8.2: Privileged access rights — restrict and manage allocation and use of privileged access rights
- A.8.5: Secure authentication — implement secure sign-on procedures based on authentication restrictions
- A.8.7: Protection against malware — implement detection, prevention, and recovery controls for malware
- A.8.8: Management of technical vulnerabilities — obtain information about technical vulnerabilities and take action
- A.8.15: Logging — produce, store, protect, and analyse logs recording activities, exceptions, and events
- A.8.16: Monitoring activities — monitor networks, systems, and applications for anomalous behaviour
- A.8.20: Networks security — manage and control networks to protect information in systems and applications
- A.8.24: Use of cryptography — define and implement rules for the effective use of cryptography
DORA articles
- Art.9.3: Protection and prevention — technical solutions for secure data transfer, minimising unauthorised access, and preventing confidentiality/integrity breaches
- Art.9.4: Protection and prevention — sound network management, least-privilege logical access, strong authentication and cryptographic keys, change management, patches
- Art.10.1: Detection — mechanisms to promptly detect anomalous activities, ICT-related incidents, and material single points of failure
NIS2 Art. 21(2) measures
- Art.21.2b: Incident handling — establish procedures for detecting, managing, and reporting incidents
- Art.21.2e: Security in network and information systems — secure acquisition, development, and maintenance
- Art.21.2g: Basic cyber hygiene practices and cybersecurity training
- Art.21.2h: Policies and procedures regarding use of cryptography and encryption
- Art.21.2i: Human resources security, access control, and asset management
- Art.21.2j: Use of multi-factor authentication, secured communications, and emergency communications
NIST CSF 2.0 subcategories
- PR.AA-01: Identities and credentials for authorized users, services, and hardware are managed
- PR.AA-03: Users, services, and hardware are authenticated
- PR.AA-05: Access permissions, entitlements, and authorizations are managed
- PR.DS-01: The confidentiality, integrity, and availability of data-at-rest are protected
- PR.PS-01: Configuration management practices are established and applied
- DE.AE-03: Events are correlated from multiple sources and sensors
- DE.CM-01: Networks and network services are monitored to find potentially adverse events
- DE.CM-04: Malicious code is detected
Mapping Justifications
CTRL-ENT-001: MFA registration rate is at least 95%
- CIS 5.2.2.2 requires MFA for all users; broad registration is the precondition for enforcement.
- ISO A.8.5 requires secure authentication technologies including multi-factor.
- DORA Art. 9(4) requires "policies and protocols for strong authentication mechanisms" — broad MFA registration is the precondition for enforcing any such mechanism.
- NIS2 Art. 21(2)(j) explicitly requires "the use of multi-factor authentication" — broad MFA registration is the precondition for enforcement.
- NIST PR.AA-01 requires identity and credential management including MFA.
CTRL-ENT-002: Legacy authentication blocked via Conditional Access
- CIS 5.2.2.3 requires Conditional Access policies to block legacy authentication.
- ISO A.8.5 requires secure authentication by blocking legacy protocols vulnerable to credential theft.
- DORA Art. 9(4) requires policies that "limit logical access... to what is required" — legacy auth bypasses the modern access controls that enforce this and must be removed.
- NIS2 Art. 21(2)(i) requires access control policies that eliminate weak protocols.
- NIST PR.AA-05 requires managing access permissions including disabling legacy auth.
CTRL-ENT-003: Global Administrator count is between 2 and 4
- CIS 1.1.3 requires between two and four global admins to be designated.
- ISO A.8.2 requires restricted allocation of privileged access rights.
- DORA Art. 9(4) requires logical access "limited to what is required for legitimate and approved functions" — a small GA count enforces least privilege at the highest tier.
- NIS2 Art. 21(2)(i) requires access control policies for privileged accounts.
- NIST PR.AA-05 requires managing and limiting privileged access authorizations.
CTRL-ENT-004: Security Defaults are enabled
- ISO A.8.5 requires secure authentication as a baseline security control.
- NIST PR.AA-01 requires baseline identity and credential management.
CTRL-ENT-005: Per-user MFA (legacy) is not in use
- CIS 5.1.2.1 requires 'Per-user MFA' to be disabled in favour of CA-enforced MFA.
- ISO A.8.5 requires modern secure authentication, not legacy per-user methods.
- NIST PR.AA-01 requires centrally managed authentication, not per-user legacy MFA.
CTRL-ENT-006: Self-Service Password Reset (SSPR) is enabled for all users
- CIS 5.2.4.1 requires 'Self service password reset enabled' to be set to 'All'.
- ISO A.5.16 requires identity lifecycle management including self-service capabilities.
- NIST PR.AA-01 requires credential management including password reset processes.
CTRL-ENT-007: Privileged Identity Management (PIM) is configured
- CIS 5.3.1 requires Privileged Identity Management to be used to manage roles.
- ISO A.8.2 requires managing and restricting privileged access rights.
- DORA Art. 9(4) requires access rights under "sound administration" — PIM provides the just-in-time, auditable privileged access pattern that makes this administration tractable.
- NIS2 Art. 21(2)(i) requires access control for privileged accounts.
- NIST PR.AA-05 requires defining and managing privileged access permissions.
CTRL-ENT-008: MFA required for all users via Conditional Access
- CIS 5.2.2.2 requires multi-factor authentication to be enabled for all users.
- ISO A.8.5 requires secure authentication for all system users.
- DORA Art. 9(4) mandates "policies and protocols for strong authentication mechanisms" — enforcing MFA for all users via Conditional Access is the canonical implementation.
- NIS2 Art. 21(2)(j) requires multi-factor authentication for system access.
- NIST PR.AA-03 requires authentication of all users accessing systems.
CTRL-ENT-009: MFA required for admin roles via Conditional Access
- CIS 5.2.2.1 requires multi-factor authentication for all users in administrative roles.
- ISO A.8.5 requires secure authentication especially for privileged accounts.
- DORA Art. 9(4) requires strong authentication especially for administrative access, combined with "controls that address access rights" for privileged roles.
- NIS2 Art. 21(2)(j) requires multi-factor authentication for privileged access.
- NIST PR.AA-03 requires authentication of administrative users and services.
CTRL-ENT-010: Compliant or Hybrid-joined device required via Conditional Access
- CIS 5.2.2.9 requires a managed device for authentication via Conditional Access.
- ISO A.8.1 requires protection of information accessible from endpoint devices.
- DORA Art. 9(4) requires "sound network and infrastructure management" — device compliance gating enforces that only managed, hardened endpoints can reach ICT resources.
- NIST PR.AA-05 requires access decisions based on device compliance status.
CTRL-ENT-011: High risk sign-ins blocked via Conditional Access
- CIS 5.2.2.7 requires Identity Protection sign-in risk policies to be enabled.
- ISO A.8.16 requires monitoring for anomalous sign-in behaviour.
- DORA Art. 10(1) requires "mechanisms to promptly detect anomalous activities" — automatically mitigating high-risk sign-ins is the direct enforcement action for this detection signal.
- NIS2 Art. 21(2)(b) requires incident handling — high sign-in risk is exactly such an incident signal and must be detected and mitigated.
- NIST DE.CM-01 requires monitoring for potentially adverse cybersecurity events.
CTRL-ENT-012: No guest users assigned to admin directory roles
- ISO A.8.2 requires restricting privileged access to authorized internal personnel.
- NIST PR.AA-05 requires managing privileged access excluding external identities.
CTRL-ENT-013: PIM role activation is time-bound (max 8 hours)
- CIS 5.3.1 requires PIM to manage roles; time-bound activation is a core PIM configuration.
- ISO A.8.2 requires time-limited privileged access to reduce the exposure window.
- DORA Art. 9(4) requires access rights that are "limited to what is required for legitimate and approved functions" — bounding PIM activation duration enforces that limit in time as well as scope.
- NIS2 Art. 21(2)(i) requires access controls that limit privileged session duration.
- NIST PR.AA-05 requires enforcing time-bound access for privileged roles.
CTRL-ENT-014: Access reviews configured for privileged roles
- CIS 5.3.3 requires 'Access reviews' for privileged roles to be configured.
- ISO A.5.15 requires periodic review of access rights to privileged assets.
- DORA Art. 9(4) requires access control policies under "sound administration" — periodic access reviews are the mechanism that keeps least privilege maintained over time.
- NIS2 Art. 21(2)(i) requires periodic review of access control policies.
- NIST PR.AA-05 requires periodic review and adjustment of access permissions.
CTRL-ENT-015: Named locations configured in Conditional Access policies
- ISO A.8.1 requires location-aware controls for endpoint device access.
- DORA Art. 9(4) requires "sound network and infrastructure management structure" — named locations enforce network boundary controls at the authentication layer.
- NIS2 Art. 21(2)(e) requires network security measures including location controls.
- NIST PR.AA-01 requires contextual identity verification including location.
CTRL-ENT-016: Phishing-resistant MFA required via authentication strength
- CIS 5.2.2.5 requires 'Phishing-resistant MFA strength' for administrators.
- ISO A.8.5 requires the strongest available authentication technologies.
- DORA Art. 9(4) requires "strong authentication mechanisms, based on relevant standards" — FIDO2, passkeys, and certificate-based auth are those standards-referenced strongest methods.
- NIS2 Art. 21(2)(j) requires phishing-resistant multi-factor authentication.
- NIST PR.AA-03 requires phishing-resistant authentication for users and services.
CTRL-ENT-017: Break glass accounts excluded from Conditional Access
- ISO A.8.2 requires controlled emergency access procedures for privileged accounts.
- DORA Art. 9(4) requires access rights under "sound administration" — break-glass procedures ensure emergency access does not collapse the policy during incident response.
- NIS2 Art. 21(2)(i) requires access control policies — break-glass procedures ensure the access policy is not itself the cause of a lockout during incident response.
- NIST PR.AA-05 requires emergency access procedures within access management.
CTRL-ENT-018: Custom banned password list is enabled
- CIS 5.2.3.2 requires custom banned passwords lists to be used.
- ISO A.5.17 requires controls on authentication information including password quality.
- NIS2 Art. 21(2)(g) requires basic cyber hygiene including password policies.
- NIST PR.AA-01 requires credential quality controls including banned password lists.
CTRL-ENT-019: Sign-in risk policy blocks high risk sign-ins
- CIS 5.2.2.8 requires 'sign-in risk' to be blocked for medium and high risk.
- ISO A.8.16 requires active response to anomalous authentication events.
- DORA Art. 10(1) requires mechanisms to "promptly detect anomalous activities" — blocking high-risk sign-ins is the automated enforcement action attached to that detection signal.
- NIS2 Art. 21(2)(b) requires incident handling — blocking high-risk sign-ins is the automated incident response attached to the detection signal.
- NIST DE.CM-01 requires blocking high-confidence malicious sign-in activity.
CTRL-ENT-020: User risk policy requires password change for high risk users
- CIS 5.2.2.6 requires Identity Protection user risk policies to be enabled.
- ISO A.8.16 requires remediating compromised credentials upon detection.
- DORA Art. 10(1) requires prompt detection of anomalous activities — a high user-risk score is exactly such a signal, and forcing password reset is the automated remediation Art. 10(3) calls for.
- NIS2 Art. 21(2)(b) requires incident handling — forced password reset on high user-risk is the automatic response to a compromised-credential incident.
- NIST DE.CM-01 requires remediation when compromised credentials are detected.
CTRL-INT-001: BitLocker encryption required on Windows devices
- ISO A.8.24 requires cryptographic controls including disk encryption to protect data at rest.
- DORA Art. 9(4) requires "protection measures of cryptographic keys whereby data is encrypted" — BitLocker is the canonical Windows encryption-at-rest mechanism for endpoint data.
- NIS2 Art. 21(2)(h) requires "policies and procedures regarding the use of cryptography and, where appropriate, encryption" — BitLocker is the canonical Windows encryption-at-rest implementation.
- NIST PR.DS-01 requires protection of data-at-rest including disk encryption.
CTRL-INT-002: Password complexity required on Windows devices
- ISO A.8.5 requires secure authentication including password complexity requirements.
- NIST PR.AA-01 requires credential management including password strength policies.
CTRL-INT-003: Minimum OS version enforced on Windows devices
- ISO A.8.8 requires management of technical vulnerabilities via OS updates.
- NIST PR.PS-01 requires configuration management including OS version enforcement.
CTRL-INT-004: Defender Antivirus required in compliance policy
- ISO A.8.7 requires protection against malware on endpoint devices.
- DORA Art. 9(3) requires ICT solutions that "minimise the risk of... unauthorised access and technical flaws" — endpoint antivirus is the last-line defence against malware compromise.
- NIS2 Art. 21(2)(e) requires malware protection in information system security.
- NIST DE.CM-04 requires detection of malicious code on endpoints.
CTRL-INT-005: Firewall required in compliance policy
- ISO A.8.20 requires network security controls including host firewalls.
- DORA Art. 9(4) requires "sound network and infrastructure management structure... including automated mechanisms to isolate affected information assets" — a host firewall is endpoint-side enforcement.
- NIST PR.DS-01 requires network-level data protection including firewalls.
CTRL-INT-006: Mobile device storage encryption required
- ISO A.8.24 requires cryptographic controls including storage encryption on mobile devices.
- NIS2 Art. 21(2)(h) requires "policies and procedures regarding the use of cryptography and, where appropriate, encryption" — storage encryption on mobile devices is the direct implementation.
- NIST PR.DS-01 requires protecting data-at-rest on mobile devices.
CTRL-EXO-001: Modern authentication enabled in Exchange Online
- CIS 6.5.1 requires modern authentication for Exchange Online to be enabled.
- ISO A.8.5 requires secure authentication including modern authentication protocols for email.
- DORA Art. 9(4) requires "policies and protocols for strong authentication mechanisms" — modern auth is the protocol-level precondition for MFA and token-based auth on EXO.
- NIS2 Art. 21(2)(i) requires access control via modern authentication protocols.
- NIST PR.AA-05 requires secure access mechanisms including modern authentication.
CTRL-EXO-002: Audit logging enabled in Exchange Online
- CIS 3.1.1 requires Microsoft 365 audit log search to be Enabled.
- ISO A.8.15 requires logging of activities, exceptions, and security events.
- DORA Art. 10(1) requires mechanisms to "promptly detect anomalous activities" — unified audit logging is the data substrate without which detection mechanisms have nothing to observe.
- NIS2 Art. 21(2)(b) requires incident handling — unified audit logging is the data substrate that incident detection and response depend on.
- NIST DE.AE-03 requires event data collection for analysis and correlation.
CTRL-EXO-003: Malware filter policy is active in Exchange Online
- ISO A.8.7 requires protection against malware in email systems.
- DORA Art. 9(3) requires ICT solutions that "minimise the risk of... unauthorised access and technical flaws" — malware filtering is the baseline technical mitigation for email.
- NIS2 Art. 21(2)(e) requires malware protection in communication systems.
- NIST DE.CM-01 requires monitoring email for malicious content.
CTRL-EXO-004: ATP Safe Links policy is enabled
- CIS 2.1.1 requires Safe Links for Office Applications to be Enabled.
- ISO A.8.7 requires URL-level malware protection in email.
- DORA Art. 9(3) requires ICT solutions that "minimise the risk of... unauthorised access and technical flaws" — time-of-click URL scanning is the standard defence against phishing redirection.
- NIS2 Art. 21(2)(e) requires URL threat protection in information systems.
- NIST PR.PS-01 requires security configuration including URL filtering.
| CTRL-EXO-005 | ATP Safe Attachments policy is enabled CIS M365 2.1.4 (Ensure Safe Attachments policy is enabled): CIS 2.1.4 requires Safe Attachments policy to be enabled ISO 27001 A.8.7 (Protection against malware — implement detection, prevention, and recovery controls for malware): ISO A.8.7 requires scanning attachments for malware before delivery DORA Art.9.3 (Protection and prevention — technical solutions for secure data transfer, minimising unauthorised access, and preventing confidentiality/integrity breaches): DORA Art. 9(3) requires ICT solutions that "minimise the risk of... unauthorised access and technical flaws" — sandbox detonation of attachments defends against weaponised file payloads NIS2 Art.21.2e (Security in network and information systems — secure acquisition, development, and maintenance): NIS2 Art. 21(2)(e) requires attachment threat protection in information systems NIST CSF PR.PS-01 (Configuration management practices are established and applied): NIST PR.PS-01 requires security configuration including attachment scanning | CIS M365 v6.0.1, Rec. 2.1.4 | 2.1.4 | A.8.7 | Art.9.3 | Art.21.2e | PR.PS-01 |
| CTRL-EXO-006 | Safe Links covers Office desktop applications CIS M365 2.1.1 (Ensure Safe Links for Office Applications is Enabled): CIS 2.1.1 requires Safe Links for Office Applications to be Enabled ISO 27001 A.8.7 (Protection against malware — implement detection, prevention, and recovery controls for malware): ISO A.8.7 requires URL threat protection across all application vectors DORA Art.9.3 (Protection and prevention — technical solutions for secure data transfer, minimising unauthorised access, and preventing confidentiality/integrity breaches): DORA Art. 9(3) requires technical solutions that minimise "unauthorised access and technical flaws" — extending Safe Links to Office apps closes the email-only-scanning bypass NIST CSF DE.CM-04 (Malicious code is detected): NIST DE.CM-04 requires malicious code detection in desktop applications | CIS M365 v6.0.1, Rec. 2.1.1 | 2.1.1 | A.8.7 | Art.9.3 | — | DE.CM-04 |
| CTRL-EXO-007 | Safe Links rewrites URLs in email ISO 27001 A.8.7 (Protection against malware — implement detection, prevention, and recovery controls for malware): ISO A.8.7 requires URL rewriting to enable click-time malware scanning NIST CSF DE.CM-04 (Malicious code is detected): NIST DE.CM-04 requires click-time URL verification to detect malicious code | — | — | A.8.7 | — | — | DE.CM-04 |
| CTRL-EXO-008 | Safe Attachments dynamic delivery enabled CIS M365 2.1.4 (Ensure Safe Attachments policy is enabled): CIS 2.1.4 requires Safe Attachments policy; dynamic delivery is a sub-mode preserving end-user experience ISO 27001 A.8.7 (Protection against malware — implement detection, prevention, and recovery controls for malware): ISO A.8.7 requires attachment scanning without disrupting email delivery DORA Art.9.3 (Protection and prevention — technical solutions for secure data transfer, minimising unauthorised access, and preventing confidentiality/integrity breaches): DORA Art. 9(3) requires measures that "prevent the lack of availability" while minimising unauthorised access — Dynamic Delivery keeps mail flowing during sandbox detonation NIST CSF DE.CM-04 (Malicious code is detected): NIST DE.CM-04 requires attachment scanning with dynamic delivery mode | CIS M365 v6.0.1, Rec. 2.1.4 | 2.1.4 | A.8.7 | Art.9.3 | — | DE.CM-04 |
| CTRL-EXO-009 | Safe Attachments covers SharePoint, OneDrive, and Teams CIS M365 2.1.5 (Ensure Safe Attachments for SharePoint, OneDrive, and Microsoft Teams is Enabled): CIS 2.1.5 requires Safe Attachments for SharePoint, OneDrive, and Microsoft Teams to be Enabled ISO 27001 A.8.7 (Protection against malware — implement detection, prevention, and recovery controls for malware): ISO A.8.7 requires malware protection across all file sharing platforms NIST CSF DE.CM-04 (Malicious code is detected): NIST DE.CM-04 requires malicious code detection in cloud storage and collaboration | CIS M365 v6.0.1, Rec. 2.1.5 | 2.1.5 | A.8.7 | — | — | DE.CM-04 |
| CTRL-EXO-010 | Anti-phishing policy with impersonation protection enabled CIS M365 2.1.7 (Ensure that an anti-phishing policy has been created): CIS 2.1.7 requires an anti-phishing policy to be created; impersonation protection is a core component ISO 27001 A.8.7 (Protection against malware — implement detection, prevention, and recovery controls for malware): ISO A.8.7 requires protection against email impersonation attacks NIST CSF DE.CM-04 (Malicious code is detected): NIST DE.CM-04 requires detection of impersonation-based phishing attacks | CIS M365 v6.0.1, Rec. 2.1.7 | 2.1.7 | A.8.7 | — | — | DE.CM-04 |
| CTRL-EXO-011 | Mailbox intelligence protection enabled in anti-phishing policy CIS M365 2.1.7 (Ensure that an anti-phishing policy has been created): CIS 2.1.7 requires an anti-phishing policy; mailbox intelligence is a sub-control of impersonation protection ISO 27001 A.8.7 (Protection against malware — implement detection, prevention, and recovery controls for malware): ISO A.8.7 requires AI-based detection of anomalous email patterns NIST CSF DE.CM-04 (Malicious code is detected): NIST DE.CM-04 requires intelligent detection of email-based threats | CIS M365 v6.0.1, Rec. 2.1.7 | 2.1.7 | A.8.7 | — | — | DE.CM-04 |
| CTRL-EXO-012 | DKIM signing enabled for all accepted domains CIS M365 2.1.9 (Ensure that DKIM is enabled for all Exchange Online Domains): CIS 2.1.9 requires DKIM to be enabled for all Exchange Online Domains ISO 27001 A.8.24 (Use of cryptography — define and implement rules for the effective use of cryptography): ISO A.8.24 requires cryptographic email authentication via DKIM NIST CSF PR.DS-01 (The confidentiality, integrity, and availability of data-at-rest are protected): NIST PR.DS-01 requires protecting email integrity via DKIM signatures | CIS M365 v6.0.1, Rec. 2.1.9 | 2.1.9 | A.8.24 | — | — | PR.DS-01 |
| CTRL-EXO-013 | Auto-forwarding to external domains is blocked CIS M365 6.2.1 (Ensure all forms of mail forwarding are blocked and/or disabled): CIS 6.2.1 requires all forms of mail forwarding to be blocked and/or disabled ISO 27001 A.8.12 (Data leakage prevention — measures to prevent unauthorized disclosure of information from systems and networks): ISO A.8.12 requires data leakage prevention including blocking unauthorized email auto-forwarding DORA Art.9.3 (Protection and prevention — technical solutions for secure data transfer, minimising unauthorised access, and preventing confidentiality/integrity breaches): DORA Art. 9(3) requires measures to "prevent... breaches of confidentiality and the loss of data" — external auto-forward is the most common silent data-exfiltration path post-compromise NIS2 Art.21.2e (Security in network and information systems — secure acquisition, development, and maintenance): NIS2 Art. 21(2)(e) requires controls preventing unauthorized data exfiltration NIST CSF PR.DS-01 (The confidentiality, integrity, and availability of data-at-rest are protected): NIST PR.DS-01 requires protecting data from unauthorized external transfer | CIS M365 v6.0.1, Rec. 6.2.1 | 6.2.1 | A.8.12 | Art.9.3 | Art.21.2e | PR.DS-01 |
| CTRL-EXO-014 | External sender identification enabled in anti-phishing policy CIS M365 6.2.3 (Ensure email from external senders is identified): CIS 6.2.3 requires email from external senders to be identified NIST CSF DE.CM-04 (Malicious code is detected): NIST DE.CM-04 requires enabling users to detect potentially deceptive emails | CIS M365 v6.0.1, Rec. 6.2.3 | 6.2.3 | — | — | — | DE.CM-04 |
| CTRL-EXO-015 | High-confidence spam action set to quarantine CIS M365 2.1.6 (Ensure Exchange Online Spam Policies are set to notify administrators): CIS 2.1.6 requires Exchange Online Spam Policies to notify administrators; quarantine is the recommended high-confidence response ISO 27001 A.8.7 (Protection against malware — implement detection, prevention, and recovery controls for malware): ISO A.8.7 requires filtering high-confidence spam as a malware vector NIST CSF DE.CM-04 (Malicious code is detected): NIST DE.CM-04 requires quarantining high-confidence spam to prevent threats | CIS M365 v6.0.1, Rec. 2.1.6 | 2.1.6 | A.8.7 | — | — | DE.CM-04 |
| CTRL-EXO-016 | Admin audit log retention is at least 90 days ISO 27001 A.8.15 (Logging — produce, store, protect, and analyse logs recording activities, exceptions, and events): ISO A.8.15 requires log retention for adequate investigation and analysis periods DORA Art.10.1 (Detection — mechanisms to promptly detect anomalous activities, ICT-related incidents, and material single points of failure): DORA Art. 10(1) requires "mechanisms to promptly detect anomalous activities" — detection is only possible over the retention window; 90 days covers typical intruder dwell time NIS2 Art.21.2b (Incident handling — establish procedures for detecting, managing, and reporting incidents): NIS2 Art. 21(2)(b) requires incident handling — retention of audit logs for at least 90 days is what makes after-the-fact incident investigation possible NIST CSF DE.AE-03 (Events are correlated from multiple sources and sensors): NIST DE.AE-03 requires retaining event data for correlation and analysis | — | — | A.8.15 | Art.10.1 | Art.21.2b | DE.AE-03 |
| CTRL-EXO-017 | Mailbox auditing is enabled by default CIS M365 6.1.2 (Ensure mailbox audit actions are configured): CIS 6.1.2 requires mailbox audit actions to be configured ISO 27001 A.8.15 (Logging — produce, store, protect, and analyse logs recording activities, exceptions, and events): ISO A.8.15 requires logging of mailbox access and modification events DORA Art.10.1 (Detection — mechanisms to promptly detect anomalous activities, ICT-related incidents, and material single points of failure): DORA Art. 10(1) requires detection mechanisms over ICT activities — mailbox auditing-by-default ensures the detection substrate is populated without requiring per-mailbox configuration NIS2 Art.21.2b (Incident handling — establish procedures for detecting, managing, and reporting incidents): NIS2 Art. 21(2)(b) requires incident handling — mailbox auditing-by-default ensures the incident-detection substrate is populated without per-mailbox configuration NIST CSF PR.PS-04 (Log records are generated and made available for continuous monitoring): NIST PR.PS-04 requires log generation and availability for email systems | CIS M365 v6.0.1, Rec. 6.1.2 | 6.1.2 | A.8.15 | Art.10.1 | Art.21.2b | PR.PS-04 |
| CTRL-SPO-001 | SharePoint external sharing restricted to existing guests or more restrictive CIS M365 7.2.6 (Ensure SharePoint external sharing is restricted): CIS 7.2.6 requires SharePoint external sharing to be restricted ISO 27001 A.8.3 (Information access restriction — restrict access to information and other associated assets): ISO A.8.3 requires technological access restrictions for external data sharing DORA Art.9.4 (Protection and prevention — sound network management, least-privilege logical access, strong authentication and cryptographic keys, change management, patches): DORA Art. 9(4) requires access "limited to what is required for legitimate and approved functions" — anonymous Anyone-links violate least-privilege at the data-sharing layer NIS2 Art.21.2i (Human resources security, access control, and asset management): NIS2 Art. 21(2)(i) requires "access control policies and asset management" — anonymous Anyone-links violate access control at the data-sharing layer NIST CSF PR.AA-05 (Access permissions, entitlements, and authorizations are managed): NIST PR.AA-05 requires managing external access permissions | CIS M365 v6.0.1, Rec. 7.2.6 | 7.2.6 | A.8.3 | Art.9.4 | Art.21.2i | PR.AA-05 |
| CTRL-SPO-002 | Legacy authentication protocols disabled for SharePoint Online CIS M365 7.2.1 (Ensure modern authentication for SharePoint applications is required): CIS 7.2.1 requires modern authentication for SharePoint applications ISO 27001 A.8.5 (Secure authentication — implement secure sign-on procedures based on authentication restrictions): ISO A.8.5 requires secure authentication by disabling legacy protocols for SharePoint DORA Art.9.4 (Protection and prevention — sound network management, least-privilege logical access, strong authentication and cryptographic keys, change management, patches): DORA Art. 9(4) requires strong authentication mechanisms — legacy SharePoint protocols do not support MFA and therefore bypass any strong-authentication control applied at the tenant level NIS2 Art.21.2i (Human resources security, access control, and asset management): NIS2 Art. 21(2)(i) requires modern access control for information systems NIST CSF PR.AA-05 (Access permissions, entitlements, and authorizations are managed): NIST PR.AA-05 requires secure access mechanisms for data services | CIS M365 v6.0.1, Rec. 7.2.1 | 7.2.1 | A.8.5 | Art.9.4 | Art.21.2i | PR.AA-05 |
| CTRL-SPO-003 | SharePoint guest sharing requires account match ISO 27001 A.8.5 (Secure authentication — implement secure sign-on procedures based on authentication restrictions): ISO A.8.5 requires secure authentication by verifying guest identity matches the invited account DORA Art.9.4 (Protection and prevention — sound network management, least-privilege logical access, strong authentication and cryptographic keys, change management, patches): DORA Art. 9(4) requires "strong authentication mechanisms" — verifying that the accepting account matches the invited address is an identity-proofing step within the external-user authentication flow NIS2 Art.21.2j (Use of multi-factor authentication, secured communications, and emergency communications): NIS2 Art. 21(2)(j) requires authenticated external user access NIST CSF PR.AA-01 (Identities and credentials for authorized users, services, and hardware are managed): NIST PR.AA-01 requires identity verification for all data access | — | — | A.8.5 | Art.9.4 | Art.21.2j | PR.AA-01 |
| CTRL-SPO-004 | Anyone link expiry enforced CIS M365 7.2.9 (Ensure guest access to a site or OneDrive will expire automatically): CIS 7.2.9 requires guest access to a site or OneDrive to expire automatically ISO 27001 A.8.3 (Information access restriction — restrict access to information and other associated assets): ISO A.8.3 requires time-bound access controls for shared data NIS2 Art.21.2i (Human resources security, access control, and asset management): NIS2 Art. 21(2)(i) requires expiring access controls for shared resources NIST CSF PR.DS-01 (The confidentiality, integrity, and availability of data-at-rest are protected): NIST PR.DS-01 requires protecting data through time-limited sharing links | CIS M365 v6.0.1, Rec. 7.2.9 | 7.2.9 | A.8.3 | — | Art.21.2i | PR.DS-01 |
| CTRL-SPO-005 | SharePoint sharing restricted to specific domains ISO 27001 A.8.3 (Information access restriction — restrict access to information and other associated assets): ISO A.8.3 requires domain-level access restrictions for data sharing NIST CSF PR.DS-01 (The confidentiality, integrity, and availability of data-at-rest are protected): NIST PR.DS-01 requires restricting data sharing to approved domains | — | — | A.8.3 | — | — | PR.DS-01 |
| CTRL-SPO-006 | OneDrive sync restricted to domain-joined devices CIS M365 7.3.2 (Ensure OneDrive sync is restricted for unmanaged devices): CIS 7.3.2 requires OneDrive sync to be restricted for unmanaged devices ISO 27001 A.8.1 (User endpoint devices — protect information stored on, processed by, or accessible via user endpoint devices): ISO A.8.1 requires endpoint device controls for data synchronization NIST CSF PR.DS-01 (The confidentiality, integrity, and availability of data-at-rest are protected): NIST PR.DS-01 requires protecting data sync to managed devices only | CIS M365 v6.0.1, Rec. 7.3.2 | 7.3.2 | A.8.1 | — | — | PR.DS-01 |
| CTRL-TEA-001 | Teams external access (federation) is disabled or restricted CIS M365 8.2.1 (Ensure external domains are restricted in the Teams admin center): CIS 8.2.1 requires external domains to be restricted in the Teams admin center ISO 27001 A.8.20 (Networks security — manage and control networks to protect information in systems and applications): ISO A.8.20 requires network security controls including restricting external federation boundaries DORA Art.9.4 (Protection and prevention — sound network management, least-privilege logical access, strong authentication and cryptographic keys, change management, patches): DORA Art. 9(4) requires logical access "limited to what is required" — unrestricted Teams federation lets any external tenant contact internal users, violating least-privilege at the collab boundary NIS2 Art.21.2i (Human resources security, access control, and asset management): NIS2 Art. 21(2)(i) requires access control policies — restricting Teams federation is a least-privilege control over external communication partners NIST CSF PR.AA-05 (Access permissions, entitlements, and authorizations are managed): NIST PR.AA-05 requires managing external federation permissions | CIS M365 v6.0.1, Rec. 8.2.1 | 8.2.1 | A.8.20 | Art.9.4 | Art.21.2i | PR.AA-05 |
| CTRL-TEA-002 | Teams guest access is disabled CIS M365 8.2.2 (Ensure communication with unmanaged Teams users is disabled): CIS 8.2.2 requires communication with unmanaged Teams users to be disabled ISO 27001 A.8.3 (Information access restriction — restrict access to information and other associated assets): ISO A.8.3 requires technological access restrictions for guest users in collaboration platforms DORA Art.9.4 (Protection and prevention — sound network management, least-privilege logical access, strong authentication and cryptographic keys, change management, patches): DORA Art. 9(4) requires access controls that are "subject to sound administration" — unreviewed Teams guest accounts become persistent access paths that undermine that administration NIS2 Art.21.2i (Human resources security, access control, and asset management): NIS2 Art. 21(2)(i) requires access control policies and asset management — unreviewed Teams guests become persistent access paths NIST CSF PR.AA-01 (Identities and credentials for authorized users, services, and hardware are managed): NIST PR.AA-01 requires managing guest identity and access | CIS M365 v6.0.1, Rec. 8.2.2 | 8.2.2 | A.8.3 | Art.9.4 | Art.21.2i | PR.AA-01 |
| CTRL-TEA-003 | Anonymous join to Teams meetings is disabled CIS M365 8.5.1 (Ensure anonymous users can't join a meeting): CIS 8.5.1 requires anonymous users to be unable to join a meeting ISO 27001 A.8.5 (Secure authentication — implement secure sign-on procedures based on authentication restrictions): ISO A.8.5 requires secure authentication for all meeting participants, preventing anonymous access DORA Art.9.4 (Protection and prevention — sound network management, least-privilege logical access, strong authentication and cryptographic keys, change management, patches): DORA Art. 9(4) requires strong authentication for access to ICT systems — an open anonymous-join path to Teams meetings bypasses authentication entirely for anyone with the link NIS2 Art.21.2j (Use of multi-factor authentication, secured communications, and emergency communications): NIS2 Art. 21(2)(j) requires authenticated access to meetings NIST CSF PR.AA-05 (Access permissions, entitlements, and authorizations are managed): NIST PR.AA-05 requires preventing anonymous access to meetings | CIS M365 v6.0.1, Rec. 8.5.1 | 8.5.1 | A.8.5 | Art.9.4 | Art.21.2j | PR.AA-05 |
| CTRL-TEA-004 | Teams meeting recording restricted to org users CIS M365 8.5.9 (Ensure meeting recording is off by default): CIS 8.5.9 requires meeting recording to be off by default ISO 27001 A.8.12 (Data leakage prevention — measures to prevent unauthorized disclosure of information from systems and networks): ISO A.8.12 requires data leakage prevention including restricting meeting recording to prevent unauthorized capture NIST CSF PR.DS-01 (The confidentiality, integrity, and availability of data-at-rest are protected): NIST PR.DS-01 requires controlling recording data to authorized personnel | CIS M365 v6.0.1, Rec. 8.5.9 | 8.5.9 | A.8.12 | — | — | PR.DS-01 |
| CTRL-TEA-005 | Unmanaged device access to Teams restricted ISO 27001 A.8.1 (User endpoint devices — protect information stored on, processed by, or accessible via user endpoint devices): ISO A.8.1 requires endpoint device controls for collaboration access DORA Art.9.4 (Protection and prevention — sound network management, least-privilege logical access, strong authentication and cryptographic keys, change management, patches): DORA Art. 9(4) requires logical access "limited to what is required" — chat to consumer Microsoft accounts is a side-channel that bypasses all tenant-level DLP and compliance controls NIST CSF PR.AA-05 (Access permissions, entitlements, and authorizations are managed): NIST PR.AA-05 requires device compliance for collaboration access | — | — | A.8.1 | Art.9.4 | — | PR.AA-05 |
| CTRL-TEA-006 | Teams external domain access restricted ISO 27001 A.8.20 (Networks security — manage and control networks to protect information in systems and applications): ISO A.8.20 requires network-level controls for external communications NIS2 Art.21.2i (Human resources security, access control, and asset management): NIS2 Art. 21(2)(i) requires domain-level access controls for collaboration NIST CSF PR.AA-05 (Access permissions, entitlements, and authorizations are managed): NIST PR.AA-05 requires restricting communications to approved domains | — | — | A.8.20 | — | Art.21.2i | PR.AA-05 |
| CTRL-PUR-001 | DLP policies configured and active CIS M365 3.2.1 (Ensure DLP policies are enabled): CIS 3.2.1 requires DLP policies to be enabled ISO 27001 A.8.12 (Data leakage prevention — measures to prevent unauthorized disclosure of information from systems and networks): ISO A.8.12 requires data leakage prevention controls to detect and block unauthorized data disclosure DORA Art.9.3 (Protection and prevention — technical solutions for secure data transfer, minimising unauthorised access, and preventing confidentiality/integrity breaches): DORA Art. 9(3) requires measures to "prevent... breaches of confidentiality and the loss of data" — DLP intercepts confidentiality breaches at the moment of attempted data egress NIS2 Art.21.2e (Security in network and information systems — secure acquisition, development, and maintenance): NIS2 Art. 21(2)(e) requires data loss prevention in information systems NIST CSF PR.DS-01 (The confidentiality, integrity, and availability of data-at-rest are protected): NIST PR.DS-01 requires data protection controls including DLP policies | CIS M365 v6.0.1, Rec. 3.2.1 | 3.2.1 | A.8.12 | Art.9.3 | Art.21.2e | PR.DS-01 |
| CTRL-PUR-002 | Sensitivity labels published and available CIS M365 3.3.1 (Ensure Information Protection sensitivity label policies are published): CIS 3.3.1 requires Information Protection sensitivity label policies to be published ISO 27001 A.8.12 (Data leakage prevention — measures to prevent unauthorized disclosure of information from systems and networks): ISO A.8.12 requires data classification via sensitivity labels to support leakage prevention DORA Art.8.1 (Identification — identify, classify and document ICT-supported business functions, information assets, and ICT assets including sensitivity): DORA Art. 8 requires financial entities to "identify, classify and adequately document... information assets and ICT assets" — sensitivity labels are how M365 tenants classify information assets NIS2 Art.21.2i (Human resources security, access control, and asset management): NIS2 Art. 21(2)(i) requires "asset management" — sensitivity labels are the classification mechanism for information assets in M365 NIST CSF PR.DS-01 (The confidentiality, integrity, and availability of data-at-rest are protected): NIST PR.DS-01 requires data classification for protection decisions | CIS M365 v6.0.1, Rec. 3.3.1 | 3.3.1 | A.8.12 | Art.8.1 | Art.21.2i | PR.DS-01 |
| CTRL-PUR-003 | Retention policies configured for Exchange Online ISO 27001 A.8.15 (Logging — produce, store, protect, and analyse logs recording activities, exceptions, and events): ISO A.8.15 requires retention of email records for audit and investigation DORA Art.10.1 (Detection — mechanisms to promptly detect anomalous activities, ICT-related incidents, and material single points of failure): DORA Art. 10(1) requires "mechanisms to promptly detect anomalous activities" — detection operates only over the retention window; email retention policies create that window NIS2 Art.21.2b (Incident handling — establish procedures for detecting, managing, and reporting incidents): NIS2 Art. 21(2)(b) requires incident handling — email retention policies create the window over which communications-related incidents can be investigated NIST CSF DE.AE-03 (Events are correlated from multiple sources and sensors): NIST DE.AE-03 requires retaining email data for event analysis | — | — | A.8.15 | Art.10.1 | Art.21.2b | DE.AE-03 |
| CTRL-PUR-004 | Retention policies configured for SharePoint Online ISO 27001 A.8.15 (Logging — produce, store, protect, and analyse logs recording activities, exceptions, and events): ISO A.8.15 requires retention of document records for audit and investigation DORA Art.10.1 (Detection — mechanisms to promptly detect anomalous activities, ICT-related incidents, and material single points of failure): DORA Art. 10(1) requires detection of anomalous activities — detection is only possible over the retention window for document-storage records; SharePoint retention creates that window NIST CSF DE.AE-03 (Events are correlated from multiple sources and sensors): NIST DE.AE-03 requires retaining document data for event analysis | — | — | A.8.15 | Art.10.1 | — | DE.AE-03 |
| CTRL-PUR-005 | Alert policies configured for security events ISO 27001 A.8.16 (Monitoring activities — monitor networks, systems, and applications for anomalous behaviour): ISO A.8.16 requires monitoring and alerting for security anomalies DORA Art.10.3 (Detection — multiple layers of control, alert thresholds, and automatic alert mechanisms triggering ICT-related incident response): DORA Art. 10(3) requires "alert thresholds... and automatic alert mechanisms for relevant staff in charge of ICT-related incident response" — Purview alert policies are exactly these NIS2 Art.21.2b (Incident handling — establish procedures for detecting, managing, and reporting incidents): NIS2 Art. 21(2)(b) requires incident detection through security alerting NIST CSF DE.CM-01 (Networks and network services are monitored to find potentially adverse events): NIST DE.CM-01 requires security event monitoring and alerting | — | — | A.8.16 | Art.10.3 | Art.21.2b | DE.CM-01 |
| CTRL-PUR-006 | DLP policy covers multiple workloads CIS M365 3.2.2 (Ensure DLP policies are enabled for Microsoft Teams): CIS 3.2.2 requires DLP policies to be enabled for Microsoft Teams ISO 27001 A.8.12 (Data leakage prevention — measures to prevent unauthorized disclosure of information from systems and networks): ISO A.8.12 requires data leakage prevention coverage across all processing platforms DORA Art.9.3 (Protection and prevention — technical solutions for secure data transfer, minimising unauthorised access, and preventing confidentiality/integrity breaches): DORA Art. 9(3) requires measures to "prevent breaches of confidentiality" — single-workload DLP leaves Teams/SharePoint/OneDrive exfiltration channels unmonitored NIS2 Art.21.2e (Security in network and information systems — secure acquisition, development, and maintenance): NIS2 Art. 21(2)(e) requires comprehensive DLP across information systems NIST CSF PR.DS-01 (The confidentiality, integrity, and availability of data-at-rest are protected): NIST PR.DS-01 requires data protection across all processing platforms | CIS M365 v6.0.1, Rec. 3.2.2 | 3.2.2 | A.8.12 | Art.9.3 | Art.21.2e | PR.DS-01 |
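The table lists what each control checks but not how a check turns collected data into a pass, partial, fail or not-applicable result. The following is an added example, not PostureIQ code, showing one way to evaluate CTRL-EXO-012 (DKIM signing enabled for all accepted domains). The input shape is an assumption: two lists that look like JSON exports of the Exchange Online cmdlets Get-AcceptedDomain and Get-DkimSigningConfig. The scoping decisions (only Authoritative domains count, the initial *.onmicrosoft.com domain is excluded, a disabled signing config counts as missing) are the example's own, and the sample tenant data is constructed.

```python
"""Evaluate CTRL-EXO-012 (DKIM signing enabled for all accepted domains).

Added example, not PostureIQ code. The input shape is an assumption: two lists
resembling JSON exports of Get-AcceptedDomain and Get-DkimSigningConfig.
"""
from dataclasses import dataclass

PASS, PARTIAL, FAIL, NOT_APPLICABLE = "pass", "partial", "fail", "not_applicable"


@dataclass(frozen=True)
class ControlResult:
    control_id: str
    status: str
    evidence: tuple[str, ...]  # domains still unsigned, or the reason for N/A


def in_scope_domains(accepted_domains):
    """Custom authoritative domains only (assumption). Relay domains do not host
    mailboxes, and the initial *.onmicrosoft.com domain is signed by Microsoft
    automatically, so neither belongs in the denominator."""
    return sorted(
        d["DomainName"].lower()
        for d in accepted_domains
        if d.get("DomainType") == "Authoritative"
        and not d["DomainName"].lower().endswith(".onmicrosoft.com")
    )


def evaluate_dkim(accepted_domains, dkim_configs):
    scope = in_scope_domains(accepted_domains)
    if not scope:
        # Nothing to sign: excluded from both numerator and denominator.
        return ControlResult("CTRL-EXO-012", NOT_APPLICABLE,
                             ("no custom authoritative domains",))
    # A domain counts only if a signing config exists AND is enabled. A config
    # that exists but is disabled is the common "created, never switched on" case.
    enabled = {c["Domain"].lower() for c in dkim_configs if c.get("Enabled") is True}
    missing = tuple(d for d in scope if d not in enabled)
    if not missing:
        status = PASS
    elif len(missing) < len(scope):
        status = PARTIAL  # some domains signed: partial credit, with evidence of which are not
    else:
        status = FAIL
    return ControlResult("CTRL-EXO-012", status, missing)


# Constructed sample exports (not real tenant data).
ACCEPTED = [
    {"DomainName": "contoso.onmicrosoft.com", "DomainType": "Authoritative"},
    {"DomainName": "contoso.com", "DomainType": "Authoritative"},
    {"DomainName": "contoso.co.uk", "DomainType": "Authoritative"},
    {"DomainName": "partner-relay.example", "DomainType": "InternalRelay"},
]
DKIM = [
    {"Domain": "contoso.onmicrosoft.com", "Enabled": True},
    {"Domain": "contoso.com", "Enabled": True},
    {"Domain": "contoso.co.uk", "Enabled": False},  # config exists, never enabled
]

if __name__ == "__main__":
    r = evaluate_dkim(ACCEPTED, DKIM)
    print(r.control_id, r.status, "unsigned:", ", ".join(r.evidence))
```

The check reads tenant configuration only. An enabled signing config still depends on the two selector CNAME records being published in public DNS, so a separate DNS-side verification step is worth adding before treating a pass as conclusive.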
Settings Library Methodology
PostureIQ evaluates Intune Settings Catalog profiles against a curated library of 381 setting definitions across 27 categories. Each entry specifies a known-compliant value derived from one of three sources:
- CIS Benchmark — Values from the CIS Microsoft Intune for Windows 11 Benchmark v3.0.1. These are the primary source and take precedence when conflicts arise.
- Microsoft Security Baseline — Values derived from Microsoft's recommended security baseline for Windows. Fills gaps not covered by CIS.
- AI Auto-Assessed (currently disabled) — The pipeline infrastructure exists for AI-assisted classification of settings not covered by CIS or Microsoft baselines, but it is not running today. Cost and correctness review keep us in manual-curation mode: every entry in the library is reviewed and approved by a human before it influences any score. We will re-enable AI assistance only when we can guarantee the same review standard at scale.
Settings with no known-compliant value are reported as unscored — they are visible in the findings but do not affect compliance scores. This approach prioritises honesty over inflated coverage.
All 381 entries carry multi-framework attribution mapping them to ISO 27001, DORA, NIS2, and/or NIST CSF 2.0 requirements.
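To make the precedence and unscored rules concrete, here is an added example of a settings scorer; it is not PostureIQ code. The setting definition IDs, library entries, weights, comparison operators and the profile export shape are all constructed for the example. One assumption goes beyond the text: a library setting that is missing from the profile altogether is treated as a fail rather than as unscored, on the basis that an unconfigured hardening setting is not hardened.

```python
"""Score Intune Settings Catalog values against a curated settings library.

Added example illustrating the settings methodology; it is not PostureIQ code.
Setting IDs, library entries, weights and the profile export shape are constructed.
"""
from dataclasses import dataclass
from typing import Any

# Lower rank wins when two sources define a compliant value for one setting.
# The AI-assessed source is deliberately absent: it never influences a score.
SOURCE_RANK = {"cis_benchmark": 0, "ms_security_baseline": 1}


@dataclass(frozen=True)
class LibraryEntry:
    setting_id: str
    source: str
    compliant_value: Any      # None = no known-compliant value -> unscored
    weight: int               # 1 (low) .. 5 (high)
    compare: str = "eq"       # "eq" exact match, "lte"/"gte" numeric threshold


def resolve_library(entries):
    """Collapse duplicate definitions, keeping the highest-precedence source."""
    resolved = {}
    for e in entries:
        if e.source not in SOURCE_RANK:
            continue
        cur = resolved.get(e.setting_id)
        if cur is None or SOURCE_RANK[e.source] < SOURCE_RANK[cur.source]:
            resolved[e.setting_id] = e
    return resolved


def is_compliant(entry, observed):
    if entry.compare == "eq":
        return observed == entry.compliant_value
    if entry.compare == "lte":
        return observed <= entry.compliant_value
    if entry.compare == "gte":
        return observed >= entry.compliant_value
    raise ValueError(f"unknown comparator {entry.compare!r}")


def score_settings(library, observed):
    """Return (sub_score, findings) with sub_score = earned/total weight * 100.

    Unscored settings (no compliant value, or not in the library) are listed in
    findings but excluded from numerator and denominator. A library setting absent
    from the profile is a fail (assumption: unconfigured is not hardened).
    """
    earned = total = 0
    findings = []
    for setting_id, entry in sorted(library.items()):
        if entry.compliant_value is None:
            findings.append((setting_id, "unscored", observed.get(setting_id)))
            continue
        total += entry.weight
        if setting_id not in observed:
            findings.append((setting_id, "fail", None))
            continue
        ok = is_compliant(entry, observed[setting_id])
        earned += entry.weight if ok else 0
        findings.append((setting_id, "pass" if ok else "fail", observed[setting_id]))
    for setting_id in sorted(set(observed) - set(library)):
        findings.append((setting_id, "unscored", observed[setting_id]))
    sub_score = round(100.0 * earned / total, 1) if total else 0.0
    return sub_score, findings


# Constructed library fragment (IDs follow the Settings Catalog naming style).
LIBRARY = resolve_library([
    LibraryEntry("device_vendor_msft_policy_config_defender_allowrealtimemonitoring",
                 "cis_benchmark", True, 5),
    LibraryEntry("device_vendor_msft_policy_config_devicelock_maxinactivitytimedevicelock",
                 "cis_benchmark", 15, 3, "lte"),
    LibraryEntry("device_vendor_msft_policy_config_devicelock_maxinactivitytimedevicelock",
                 "ms_security_baseline", 10, 3, "lte"),  # loses to the CIS entry
    LibraryEntry("device_vendor_msft_bitlocker_requiredeviceencryption",
                 "ms_security_baseline", True, 5),        # fills a CIS gap
    LibraryEntry("device_vendor_msft_policy_config_smartscreen_enablesmartscreeninshell",
                 "ai_auto_assessed", True, 2),            # dropped: pipeline disabled
    LibraryEntry("device_vendor_msft_policy_config_devicelock_mindevicepasswordlength",
                 "cis_benchmark", None, 2),               # no compliant value yet
])

# Constructed profile export: setting definition id -> configured value.
PROFILE = {
    "device_vendor_msft_policy_config_defender_allowrealtimemonitoring": True,
    "device_vendor_msft_policy_config_devicelock_maxinactivitytimedevicelock": 12,
    "device_vendor_msft_policy_config_smartscreen_enablesmartscreeninshell": True,
    "device_vendor_msft_policy_config_devicelock_mindevicepasswordlength": 6,
    "device_vendor_msft_policy_config_defender_cloudblocklevel": 2,
    # bitlocker_requiredeviceencryption is not configured in this profile
}

if __name__ == "__main__":
    score, findings = score_settings(LIBRARY, PROFILE)
    print(f"settings sub-score: {score}")
    for f in findings:
        print(*f)
```

The inactivity lock value of 12 minutes passes here because the CIS threshold (15) outranks the Microsoft baseline threshold (10); with the precedence reversed the same profile would fail that setting. Three of the six findings are unscored and leave the 61.5 sub-score untouched, which is the point of the unscored rule: visible in the findings, silent in the score.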
Scope & Limitations
PostureIQ assesses the technical configuration of your Microsoft 365 tenant. Scores reflect the weighted share of assessed controls and settings that pass; they do not represent full regulatory compliance.
What is assessed
- Entra ID / Azure AD identity and access controls
- Intune device compliance policies and Settings Catalog profiles
- Exchange Online email security (ATP, DKIM, anti-phishing, audit logging)
- SharePoint Online sharing and authentication restrictions
- Microsoft Teams federation and guest access controls
- Microsoft Purview DLP, sensitivity labels, retention, and alert policies
What is NOT assessed
- Governance and management system requirements (ISO 27001 Clauses 4-10)
- Organisational policies and procedures (ICT risk policy, incident response plan)
- Human resources security and security awareness training
- Physical and environmental security controls
- Supplier relationship management and third-party risk
- Business continuity and disaster recovery planning
- Legal, regulatory, and contractual obligations beyond technical configuration
Framework scores are gated behind a minimum of 5 data sources. Partial assessments (fewer than 5 sources) display a warning and may not show framework score cards.
Data Source Reference
PostureIQ collects 26 data sources from your Microsoft 365 tenant via the Graph API or the PostureIQ PowerShell collector script.
| # | Data Source | Description |
|---|---|---|
| 1 | entra_mfa_report | User MFA registration status and adoption rate |
| 2 | entra_conditional_access_policies | CA policies controlling authentication requirements |
| 3 | entra_security_defaults | Baseline Microsoft security protections toggle |
| 4 | entra_directory_roles | Admin role assignments and membership |
| 5 | entra_per_user_mfa_report | Legacy per-user MFA enablement state |
| 6 | entra_sspr_policy | SSPR policy configuration and scope |
| 7 | entra_pim_assignments | Privileged Identity Management role assignments |
| 8 | entra_pim_role_settings | PIM activation duration and approval rules |
| 9 | entra_access_reviews | Periodic access review schedules for privileged roles |
| 10 | entra_password_protection | Custom banned password list and lockout policy |
| 11 | intune_compliance_policies | Device compliance rules (BitLocker, password, OS version) |
| 12 | intune_config_profiles | Settings Catalog profiles for device hardening |
| 13 | exchange_online_settings | Modern auth, audit logging, mailbox auditing |
| 14 | exchange_malware_policies | Exchange Online malware filter configuration |
| 15 | exchange_safe_links_policies | ATP Safe Links URL protection settings |
| 16 | exchange_safe_attachments_policies | ATP Safe Attachments detonation settings |
| 17 | exchange_antiphishing_policies | Impersonation and mailbox intelligence protection |
| 18 | exchange_dkim_signing | Outbound email DKIM authentication status |
| 19 | exchange_remote_domains | Auto-forwarding and external domain rules |
| 20 | exchange_spam_policies | Spam quarantine and filtering configuration |
| 21 | purview_dlp_policies | Data loss prevention policy configuration |
| 22 | purview_sensitivity_labels | Document classification and labelling status |
| 23 | purview_retention_policies | Data retention rules for Exchange and SharePoint |
| 24 | purview_alert_policies | Security event monitoring and alerting |
| 25 | sharepoint_settings | External sharing, legacy auth, sync restrictions |
| 26 | teams_settings | Federation, guest access, and meeting controls |