Methodology
How PostureIQ assesses your Microsoft 365 compliance posture.
Scoring Approach
PostureIQ produces a compliance score for each framework by evaluating two categories of evidence from your Microsoft 365 tenant:
- Posture Controls — 61 technical controls that check specific security configurations (e.g. "Is MFA enforced for all users?"). Each control returns pass, partial, fail, or not applicable.
- Device Hardening Settings — 336 settings from Intune Settings Catalog profiles (e.g. "Is real-time antivirus monitoring enabled?"). Each setting is compared against a known-compliant value.
Framework scores are a weighted blend of these two components. Each control and setting carries a weight (1-5) reflecting its security importance. The score formula is:
Framework Score = (Controls Sub-Score × Controls Weight) + (Settings Sub-Score × Settings Weight)
where each sub-score = (earned weight / total weight) × 100, and the Controls/Settings weight split is fixed per framework (see the Framework Coverage table). Controls that return partial earn 50% of their weight. Controls that return not applicable are excluded from both the numerator and the denominator.
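The scoring rules above, carried through as an added worked example (this is not PostureIQ's own code). The check names, weights and results are constructed sample data, and treating a weighted component that has no applicable checks as an error is an assumption the page does not state.

```python
"""Worked example of the PostureIQ framework-scoring rules (added illustration,
not PostureIQ's own code). Check names, weights and results are constructed."""
from dataclasses import dataclass
from enum import Enum
from typing import Optional


class Result(Enum):
    PASS = "pass"
    PARTIAL = "partial"
    FAIL = "fail"
    NOT_APPLICABLE = "not applicable"


# Share of a check's weight that each result earns: partial earns 50%.
EARNED_FRACTION = {Result.PASS: 1.0, Result.PARTIAL: 0.5, Result.FAIL: 0.0}

# Per-framework (controls weight, settings weight) split, from the coverage table.
FRAMEWORK_WEIGHTS = {
    "CIS M365 v3 Controls": (1.0, 0.0),
    "ISO 27001 Controls": (0.8, 0.2),
    "DORA Art.9 & Art.10": (0.8, 0.2),
    "NIS2 Art.21": (0.8, 0.2),
    "NIST CSF 2.0 Controls": (0.8, 0.2),
    "CIS Intune for Windows 11": (0.0, 1.0),
}


@dataclass(frozen=True)
class Check:
    """One posture control or one Settings Catalog setting after evaluation."""
    name: str
    weight: int        # 1-5, reflecting security importance
    result: Result


def sub_score(checks: list[Check]) -> Optional[float]:
    """(earned weight / total weight) x 100 over the applicable checks only.

    Not-applicable checks are dropped from numerator and denominator. Returns
    None when no check is applicable, so a caller cannot mistake "no evidence"
    for a 0% or 100% score.
    """
    applicable = [c for c in checks if c.result is not Result.NOT_APPLICABLE]
    for c in applicable:
        if not 1 <= c.weight <= 5:
            raise ValueError(f"{c.name}: weight {c.weight} outside 1-5")
    total = sum(c.weight for c in applicable)
    if total == 0:
        return None
    earned = sum(c.weight * EARNED_FRACTION[c.result] for c in applicable)
    return earned / total * 100


def framework_score(framework: str, controls: list[Check], settings: list[Check]) -> float:
    """(controls sub-score x controls weight) + (settings sub-score x settings weight)."""
    controls_weight, settings_weight = FRAMEWORK_WEIGHTS[framework]
    score = 0.0
    for weight, checks, label in ((controls_weight, controls, "controls"),
                                  (settings_weight, settings, "settings")):
        if weight == 0.0:
            continue  # this framework does not use the component at all
        component = sub_score(checks)
        if component is None:
            # Assumption (not stated on the page): a weighted component with no
            # applicable evidence leaves the framework score undefined.
            raise ValueError(f"{framework}: no applicable {label} to score")
        score += component * weight
    return score


def score_all_frameworks(controls: list[Check], settings: list[Check]) -> dict:
    return {fw: framework_score(fw, controls, settings) for fw in FRAMEWORK_WEIGHTS}


# Constructed sample evidence; names and outcomes are illustrative only.
SAMPLE_CONTROLS = [
    Check("MFA required for all users via Conditional Access", 5, Result.PASS),
    Check("Legacy authentication blocked via Conditional Access", 4, Result.PARTIAL),
    Check("Global Administrator count is between 2 and 4", 3, Result.FAIL),
    Check("PIM role activation is time-bound", 4, Result.NOT_APPLICABLE),  # e.g. no PIM licence
]
SAMPLE_SETTINGS = [
    Check("Real-time antivirus monitoring enabled", 5, Result.PASS),
    Check("Firewall enabled on all profiles", 3, Result.PASS),
    Check("BitLocker required", 4, Result.FAIL),
]

if __name__ == "__main__":
    # Controls: 7 of 12 applicable weight earned (58.3%); settings: 8 of 12 (66.7%).
    for fw, score in score_all_frameworks(SAMPLE_CONTROLS, SAMPLE_SETTINGS).items():
        print(f"{fw:28s} {score:6.1f}")
```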
Framework Coverage
PostureIQ maps controls and settings to 6 compliance frameworks. The table below shows the scoring weight split and benchmark denominator for each.
| Framework | Controls Weight | Settings Weight | Clauses Covered | Benchmark Total | Coverage |
|---|---|---|---|---|---|
| CIS M365 v3 Controls | 100% | 0% | 34 | ~100 | 34% |
| ISO 27001 Controls | 80% | 20% | 15 | ~93 | 16% |
| DORA — Art.9 & Art.10 | 80% | 20% | 4 | ~18 | 22% |
| NIS2 — Art.21 | 80% | 20% | 6 | ~10 | 60% |
| NIST CSF 2.0 Controls | 80% | 20% | 10 | ~106 | 9% |
| CIS Intune for Windows 11 | 0% | 100% | 81 | ~750 | 11% |
"Clauses Covered" counts unique framework control/article IDs that at least one PostureIQ control or setting maps to; "Coverage" is Clauses Covered divided by Benchmark Total.
Assessment Scope per Framework
CIS M365 v3.1.0
52 of ~100 recommendations assessed. Covers identity, device compliance, email security, collaboration, and information protection benchmarks.
ISO 27001:2022
Annex A.8 technological controls only (14 of 93 clauses). Clauses A.5 (organisational), A.6 (people), and A.7 (physical) require manual assessment. Management system clauses (4–10) are not assessed.
DORA (EU 2022/2554)
Art.9–10 technical measures only (ICT security tools, encryption, network security). Art.11–18 covering governance, incident reporting, testing, and third-party risk are not assessed.
NIS2 (EU 2022/2555)
Art.21 technical security measures only (access control, encryption, network security). Incident reporting (Art.23), supply chain security, and governance requirements are not assessed.
NIST CSF 2.0
Protect (PR) and Detect (DE) functions only; Identify (ID) is only partially assessed. Govern (GV), Respond (RS), and Recover (RC) functions are not assessed.
CIS Intune for Windows 11 v3.0.1
Settings Catalog evaluation only. Covers device hardening benchmarks across antivirus, firewall, BitLocker, audit logging, and more. Does not include legacy device configuration profiles or Windows Update for Business ring policies.
Controls by Domain
Control-to-Benchmark Mapping
Each PostureIQ control is mapped to one or more framework requirements, with the justification for each mapping given alongside the mapped references.
| Control ID | Title | CIS Benchmark Ref | CIS M365 | ISO 27001 | DORA | NIS2 | NIST CSF | Mapping justification |
|---|---|---|---|---|---|---|---|---|
| CTRL-ENT-001 | MFA registration rate is at least 95% | CIS M365 v3.0, Rec. 1.1.1 | 1.1.1 | A.8.5 | Art.9.4 | Art.21.2i | PR.AA-01 | CIS M365 1.1.1 (Ensure Administrative accounts are separate and cloud-only): CIS 1.1.1 requires MFA for administrative accounts; high registration is foundational · ISO 27001 A.8.5 (Secure authentication — implement secure sign-on procedures based on authentication restrictions): ISO A.8.5 requires secure authentication technologies including multi-factor · DORA Art.9.4 (Protection and prevention — implement robust network and infrastructure security controls): DORA Art. 9(4) mandates strong authentication for ICT system access · NIS2 Art.21.2i (Human resources security, access control, and asset management): NIS2 Art. 21(2)(i) requires access control including multi-factor authentication · NIST CSF PR.AA-01 (Identities and credentials for authorized users, services, and hardware are managed): NIST PR.AA-01 requires identity and credential management including MFA |
| CTRL-ENT-002 | Legacy authentication blocked via Conditional Access | CIS M365 v3.0, Rec. 1.3.1 | 1.3.1 | A.8.5 | Art.9.4 | Art.21.2i | PR.AA-05 | CIS M365 1.3.1 (Ensure Sign-in risk policy is configured to block sign-ins for high risk): CIS 1.3.1 recommends blocking legacy authentication to prevent credential compromise · ISO 27001 A.8.5 (Secure authentication — implement secure sign-on procedures based on authentication restrictions): ISO A.8.5 requires secure authentication by blocking legacy protocols vulnerable to credential theft · DORA Art.9.4 (Protection and prevention — implement robust network and infrastructure security controls): DORA Art. 9(4) requires removing obsolete access mechanisms for ICT systems · NIS2 Art.21.2i (Human resources security, access control, and asset management): NIS2 Art. 21(2)(i) requires access control policies that eliminate weak protocols · NIST CSF PR.AA-05 (Access permissions, entitlements, and authorizations are managed): NIST PR.AA-05 requires managing access permissions including disabling legacy auth |
| CTRL-ENT-003 | Global Administrator count is between 2 and 4 | CIS M365 v3.0, Rec. 1.1.3 | 1.1.3 | A.8.2 | Art.9.4 | Art.21.2i | PR.AA-05 | CIS M365 1.1.3 (Ensure that between two and four Global Admins are designated): CIS 1.1.3 recommends limiting Global Administrators to reduce attack surface · ISO 27001 A.8.2 (Privileged access rights — restrict and manage allocation and use of privileged access rights): ISO A.8.2 requires restricted allocation of privileged access rights · DORA Art.9.4 (Protection and prevention — implement robust network and infrastructure security controls): DORA Art. 9(4) requires controlled assignment of administrative ICT access · NIS2 Art.21.2i (Human resources security, access control, and asset management): NIS2 Art. 21(2)(i) requires access control policies for privileged accounts · NIST CSF PR.AA-05 (Access permissions, entitlements, and authorizations are managed): NIST PR.AA-05 requires managing and limiting privileged access authorizations |
| CTRL-ENT-004 | Security Defaults are enabled | CIS M365 v3.0, Rec. 1.1.2 | 1.1.2 | A.8.5 | — | — | PR.AA-01 | CIS M365 1.1.2 (Ensure two emergency access accounts have been defined): CIS 1.1.2 recommends enabling Security Defaults as baseline MFA protection · ISO 27001 A.8.5 (Secure authentication — implement secure sign-on procedures based on authentication restrictions): ISO A.8.5 requires secure authentication as a baseline security control · NIST CSF PR.AA-01 (Identities and credentials for authorized users, services, and hardware are managed): NIST PR.AA-01 requires baseline identity and credential management |
| CTRL-ENT-005 | Per-user MFA (legacy) is not in use | CIS M365 v3.0, Rec. 1.1.4 | 1.1.4 | A.8.5 | — | — | PR.AA-01 | CIS M365 1.1.4 (Ensure Guest Users are reviewed at least biweekly): CIS 1.1.4 recommends using Conditional Access over legacy per-user MFA · ISO 27001 A.8.5 (Secure authentication — implement secure sign-on procedures based on authentication restrictions): ISO A.8.5 requires modern secure authentication, not legacy per-user methods · NIST CSF PR.AA-01 (Identities and credentials for authorized users, services, and hardware are managed): NIST PR.AA-01 requires centrally managed authentication, not per-user legacy MFA |
| CTRL-ENT-006 | Self-Service Password Reset (SSPR) is enabled for all users | CIS M365 v3.0, Rec. 1.1.6 | 1.1.6 | A.5.16 | — | — | PR.AA-01 | CIS M365 1.1.6 (Ensure third party integrated applications are not allowed): CIS 1.1.6 recommends enabling SSPR for all users · ISO 27001 A.5.16 (Identity management — manage the full lifecycle of identities): ISO A.5.16 requires identity lifecycle management including self-service capabilities · NIST CSF PR.AA-01 (Identities and credentials for authorized users, services, and hardware are managed): NIST PR.AA-01 requires credential management including password reset processes |
| CTRL-ENT-007 | Privileged Identity Management (PIM) is configured | CIS M365 v3.0, Rec. 1.1.7 | 1.1.7 | A.8.2 | Art.9.4 | Art.21.2i | PR.AA-05 | CIS M365 1.1.7 (Ensure that password hash sync is enabled for hybrid deployments): CIS 1.1.7 recommends using PIM for just-in-time privileged access · ISO 27001 A.8.2 (Privileged access rights — restrict and manage allocation and use of privileged access rights): ISO A.8.2 requires managing and restricting privileged access rights · DORA Art.9.4 (Protection and prevention — implement robust network and infrastructure security controls): DORA Art. 9(4) requires controlled privileged access to ICT systems · NIS2 Art.21.2i (Human resources security, access control, and asset management): NIS2 Art. 21(2)(i) requires access control for privileged accounts · NIST CSF PR.AA-05 (Access permissions, entitlements, and authorizations are managed): NIST PR.AA-05 requires defining and managing privileged access permissions |
| CTRL-ENT-008 | MFA required for all users via Conditional Access | CIS M365 v3.0, Rec. 1.1.1 | 1.1.1 | A.8.5 | Art.9.4 | Art.21.2j | PR.AA-03 | CIS M365 1.1.1 (Ensure Administrative accounts are separate and cloud-only): CIS 1.1.1 requires MFA enforcement for all users via Conditional Access · ISO 27001 A.8.5 (Secure authentication — implement secure sign-on procedures based on authentication restrictions): ISO A.8.5 requires secure authentication for all system users · DORA Art.9.4 (Protection and prevention — implement robust network and infrastructure security controls): DORA Art. 9(4) mandates strong authentication for all ICT system access · NIS2 Art.21.2j (Use of multi-factor authentication, secured communications, and emergency communications): NIS2 Art. 21(2)(j) requires multi-factor authentication for system access · NIST CSF PR.AA-03 (Users, services, and hardware are authenticated): NIST PR.AA-03 requires authentication of all users accessing systems |
| CTRL-ENT-009 | MFA required for admin roles via Conditional Access | CIS M365 v3.0, Rec. 1.1.2 | 1.1.2 | A.8.5 | Art.9.4 | Art.21.2j | PR.AA-03 | CIS M365 1.1.2 (Ensure two emergency access accounts have been defined): CIS 1.1.2 requires MFA enforcement for administrative roles · ISO 27001 A.8.5 (Secure authentication — implement secure sign-on procedures based on authentication restrictions): ISO A.8.5 requires secure authentication especially for privileged accounts · DORA Art.9.4 (Protection and prevention — implement robust network and infrastructure security controls): DORA Art. 9(4) mandates strong authentication for administrative ICT access · NIS2 Art.21.2j (Use of multi-factor authentication, secured communications, and emergency communications): NIS2 Art. 21(2)(j) requires multi-factor authentication for privileged access · NIST CSF PR.AA-03 (Users, services, and hardware are authenticated): NIST PR.AA-03 requires authentication of administrative users and services |
| CTRL-ENT-010 | Compliant or Hybrid-joined device required via Conditional Access | CIS M365 v3.0, Rec. 1.2.1 | 1.2.1 | A.8.1 | Art.9.2 | — | PR.AA-05 | CIS M365 1.2.1 (Ensure multi-factor authentication is enabled for all users in administrative roles): CIS 1.2.1 recommends requiring compliant or hybrid-joined devices · ISO 27001 A.8.1 (User endpoint devices — protect information stored on, processed by, or accessible via user endpoint devices): ISO A.8.1 requires protection of information accessible from endpoint devices · DORA Art.9.2 (Protection and prevention — encrypt data at rest and in transit, manage cryptographic keys): DORA Art. 9(2) requires security controls on ICT assets including endpoints · NIST CSF PR.AA-05 (Access permissions, entitlements, and authorizations are managed): NIST PR.AA-05 requires access decisions based on device compliance status |
| CTRL-ENT-011 | High risk sign-ins blocked via Conditional Access | CIS M365 v3.0, Rec. 1.3.1 | 1.3.1 | A.8.16 | Art.9.4 | Art.21.2e | DE.CM-01 | CIS M365 1.3.1 (Ensure Sign-in risk policy is configured to block sign-ins for high risk): CIS 1.3.1 recommends blocking or challenging high-risk sign-in attempts · ISO 27001 A.8.16 (Monitoring activities — monitor networks, systems, and applications for anomalous behaviour): ISO A.8.16 requires monitoring for anomalous sign-in behaviour · DORA Art.9.4 (Protection and prevention — implement robust network and infrastructure security controls): DORA Art. 9(4) requires responding to anomalous ICT access attempts · NIS2 Art.21.2e (Security in network and information systems — secure acquisition, development, and maintenance): NIS2 Art. 21(2)(e) requires security measures for detecting compromised access · NIST CSF DE.CM-01 (Networks and network services are monitored to find potentially adverse events): NIST DE.CM-01 requires monitoring for potentially adverse cybersecurity events |
| CTRL-ENT-012 | No guest users assigned to admin directory roles | CIS M365 v3.0, Rec. 1.4.1 | 1.4.1 | A.8.2 | — | — | PR.AA-05 | CIS M365 1.4.1 (Ensure Security Defaults is disabled when Conditional Access is used): CIS 1.4.1 recommends ensuring no guest users have administrative roles · ISO 27001 A.8.2 (Privileged access rights — restrict and manage allocation and use of privileged access rights): ISO A.8.2 requires restricting privileged access to authorized internal personnel · NIST CSF PR.AA-05 (Access permissions, entitlements, and authorizations are managed): NIST PR.AA-05 requires managing privileged access excluding external identities |
| CTRL-ENT-013 | PIM role activation is time-bound (max 8 hours) | — | — | A.8.2 | Art.9.4 | Art.21.2i | PR.AA-05 | ISO 27001 A.8.2 (Privileged access rights — restrict and manage allocation and use of privileged access rights): ISO A.8.2 requires time-limited privileged access to reduce exposure window · DORA Art.9.4 (Protection and prevention — implement robust network and infrastructure security controls): DORA Art. 9(4) requires minimising duration of elevated ICT access · NIS2 Art.21.2i (Human resources security, access control, and asset management): NIS2 Art. 21(2)(i) requires access controls that limit privileged session duration · NIST CSF PR.AA-05 (Access permissions, entitlements, and authorizations are managed): NIST PR.AA-05 requires enforcing time-bound access for privileged roles |
| CTRL-ENT-014 | Access reviews configured for privileged roles | — | — | A.5.15 | Art.9.4 | Art.21.2i | PR.AA-05 | ISO 27001 A.5.15 (Access control — rules defined and implemented for logical and physical access): ISO A.5.15 requires periodic review of access rights to privileged assets · DORA Art.9.4 (Protection and prevention — implement robust network and infrastructure security controls): DORA Art. 9(4) requires regular review of ICT access rights · NIS2 Art.21.2i (Human resources security, access control, and asset management): NIS2 Art. 21(2)(i) requires periodic review of access control policies · NIST CSF PR.AA-05 (Access permissions, entitlements, and authorizations are managed): NIST PR.AA-05 requires periodic review and adjustment of access permissions |
| CTRL-ENT-015 | Named locations configured in Conditional Access policies | CIS M365 v3.0, Rec. 1.2.2 | 1.2.2 | A.8.1 | Art.9.4 | Art.21.2e | PR.AA-01 | CIS M365 1.2.2 (Ensure multi-factor authentication is enabled for all users): CIS 1.2.2 recommends configuring named locations for location-based access control · ISO 27001 A.8.1 (User endpoint devices — protect information stored on, processed by, or accessible via user endpoint devices): ISO A.8.1 requires location-aware controls for endpoint device access · DORA Art.9.4 (Protection and prevention — implement robust network and infrastructure security controls): DORA Art. 9(4) requires location-aware authentication for ICT access · NIS2 Art.21.2e (Security in network and information systems — secure acquisition, development, and maintenance): NIS2 Art. 21(2)(e) requires network security measures including location controls · NIST CSF PR.AA-01 (Identities and credentials for authorized users, services, and hardware are managed): NIST PR.AA-01 requires contextual identity verification including location |
| CTRL-ENT-016 | Phishing-resistant MFA required via authentication strength | CIS M365 v3.0, Rec. 1.1.2 | 1.1.2 | A.8.5 | Art.9.3 | Art.21.2j | PR.AA-03 | CIS M365 1.1.2 (Ensure two emergency access accounts have been defined): CIS 1.1.2 recommends phishing-resistant MFA via authentication strength policies · ISO 27001 A.8.5 (Secure authentication — implement secure sign-on procedures based on authentication restrictions): ISO A.8.5 requires the strongest available authentication technologies · DORA Art.9.3 (Detection — continuously monitor and control ICT systems for anomalous activity): DORA Art. 9(3) requires advanced authentication resistant to social engineering · NIS2 Art.21.2j (Use of multi-factor authentication, secured communications, and emergency communications): NIS2 Art. 21(2)(j) requires phishing-resistant multi-factor authentication · NIST CSF PR.AA-03 (Users, services, and hardware are authenticated): NIST PR.AA-03 requires phishing-resistant authentication for users and services |
| CTRL-ENT-017 | Break glass accounts excluded from Conditional Access | CIS M365 v3.0, Rec. 1.1.4 | 1.1.4 | A.8.2 | Art.9.2 | Art.21.2e | PR.AA-05 | CIS M365 1.1.4 (Ensure Guest Users are reviewed at least biweekly): CIS 1.1.4 recommends excluding emergency access accounts from Conditional Access · ISO 27001 A.8.2 (Privileged access rights — restrict and manage allocation and use of privileged access rights): ISO A.8.2 requires controlled emergency access procedures for privileged accounts · DORA Art.9.2 (Protection and prevention — encrypt data at rest and in transit, manage cryptographic keys): DORA Art. 9(2) requires emergency access provisions for ICT system recovery · NIS2 Art.21.2e (Security in network and information systems — secure acquisition, development, and maintenance): NIS2 Art. 21(2)(e) requires business continuity provisions for access management · NIST CSF PR.AA-05 (Access permissions, entitlements, and authorizations are managed): NIST PR.AA-05 requires emergency access procedures within access management |
| CTRL-ENT-018 | Custom banned password list is enabled | — | — | A.5.17 | — | Art.21.2g | PR.AA-01 | ISO 27001 A.5.17 (Authentication information — manage allocation and use of authentication information): ISO A.5.17 requires controls on authentication information including password quality · NIS2 Art.21.2g (Basic cyber hygiene practices and cybersecurity training): NIS2 Art. 21(2)(g) requires basic cyber hygiene including password policies · NIST CSF PR.AA-01 (Identities and credentials for authorized users, services, and hardware are managed): NIST PR.AA-01 requires credential quality controls including banned password lists |
| CTRL-ENT-019 | Sign-in risk policy blocks high risk sign-ins | CIS M365 v3.0, Rec. 1.3.1 | 1.3.1 | A.8.16 | Art.9.4 | Art.21.2e | DE.CM-01 | CIS M365 1.3.1 (Ensure Sign-in risk policy is configured to block sign-ins for high risk): CIS 1.3.1 requires blocking high-risk sign-ins, not just MFA challenge · ISO 27001 A.8.16 (Monitoring activities — monitor networks, systems, and applications for anomalous behaviour): ISO A.8.16 requires active response to anomalous authentication events · DORA Art.9.4 (Protection and prevention — implement robust network and infrastructure security controls): DORA Art. 9(4) requires blocking suspicious ICT access attempts · NIS2 Art.21.2e (Security in network and information systems — secure acquisition, development, and maintenance): NIS2 Art. 21(2)(e) requires automated response to detected security threats · NIST CSF DE.CM-01 (Networks and network services are monitored to find potentially adverse events): NIST DE.CM-01 requires blocking high-confidence malicious sign-in activity |
| CTRL-ENT-020 | User risk policy requires password change for high risk users | CIS M365 v3.0, Rec. 1.3.2 | 1.3.2 | A.8.16 | Art.9.4 | Art.21.2e | DE.CM-01 | CIS M365 1.3.2 (Ensure the user risk policy is configured to require password change for high risk): CIS 1.3.2 requires password change when user risk is elevated · ISO 27001 A.8.16 (Monitoring activities — monitor networks, systems, and applications for anomalous behaviour): ISO A.8.16 requires remediating compromised credentials upon detection · DORA Art.9.4 (Protection and prevention — implement robust network and infrastructure security controls): DORA Art. 9(4) requires remediation of compromised ICT access credentials · NIS2 Art.21.2e (Security in network and information systems — secure acquisition, development, and maintenance): NIS2 Art. 21(2)(e) requires response to credential compromise indicators · NIST CSF DE.CM-01 (Networks and network services are monitored to find potentially adverse events): NIST DE.CM-01 requires remediation when compromised credentials are detected |
| CTRL-INT-001 | BitLocker encryption required on Windows devices | CIS M365 v3.0, Rec. 6.1.1 | 6.1.1 | A.8.24 | Art.9.2 | Art.21.2e | PR.DS-01 | CIS M365 6.1.1 (Ensure BitLocker Drive Encryption is enabled on all devices): CIS 6.1.1 requires BitLocker encryption on managed Windows devices · ISO 27001 A.8.24 (Use of cryptography — define and implement rules for the effective use of cryptography): ISO A.8.24 requires cryptographic controls including disk encryption to protect data at rest · DORA Art.9.2 (Protection and prevention — encrypt data at rest and in transit, manage cryptographic keys): DORA Art. 9(2) requires encryption of data at rest on ICT assets · NIS2 Art.21.2e (Security in network and information systems — secure acquisition, development, and maintenance): NIS2 Art. 21(2)(e) requires encryption controls for network and information systems · NIST CSF PR.DS-01 (The confidentiality, integrity, and availability of data-at-rest are protected): NIST PR.DS-01 requires protection of data-at-rest including disk encryption |
| CTRL-INT-002 | Password complexity required on Windows devices | CIS M365 v3.0, Rec. 6.1.2 | 6.1.2 | A.8.5 | — | — | PR.AA-01 | CIS M365 6.1.2 (Ensure a Compliance Policy is assigned to all devices): CIS 6.1.2 requires password complexity in device compliance policies · ISO 27001 A.8.5 (Secure authentication — implement secure sign-on procedures based on authentication restrictions): ISO A.8.5 requires secure authentication including password complexity requirements · NIST CSF PR.AA-01 (Identities and credentials for authorized users, services, and hardware are managed): NIST PR.AA-01 requires credential management including password strength policies |
| CTRL-INT-003 | Minimum OS version enforced on Windows devices | CIS M365 v3.0, Rec. 6.1.3 | 6.1.3 | A.8.8 | — | — | PR.PS-01 | CIS M365 6.1.3 (Ensure devices lock after a period of inactivity): CIS 6.1.3 requires enforcing minimum OS version in compliance policies · ISO 27001 A.8.8 (Management of technical vulnerabilities — obtain information about technical vulnerabilities and take action): ISO A.8.8 requires management of technical vulnerabilities via OS updates · NIST CSF PR.PS-01 (Configuration management practices are established and applied): NIST PR.PS-01 requires configuration management including OS version enforcement |
| CTRL-INT-004 | Defender Antivirus required in compliance policy | CIS M365 v3.0, Rec. 6.2.1 | 6.2.1 | A.8.7 | Art.9.2 | Art.21.2e | DE.CM-04 | CIS M365 6.2.1 (Ensure a minimum password length is configured): CIS 6.2.1 requires Defender Antivirus in device compliance policies · ISO 27001 A.8.7 (Protection against malware — implement detection, prevention, and recovery controls for malware): ISO A.8.7 requires protection against malware on endpoint devices · DORA Art.9.2 (Protection and prevention — encrypt data at rest and in transit, manage cryptographic keys): DORA Art. 9(2) requires malware protection controls on ICT assets · NIS2 Art.21.2e (Security in network and information systems — secure acquisition, development, and maintenance): NIS2 Art. 21(2)(e) requires malware protection in information system security · NIST CSF DE.CM-04 (Malicious code is detected): NIST DE.CM-04 requires detection of malicious code on endpoints |
| CTRL-INT-005 | Firewall required in compliance policy | CIS M365 v3.0, Rec. 6.3.1 | 6.3.1 | A.8.20 | Art.9.2 | — | PR.DS-01 | CIS M365 6.3.1 (Ensure firewall is configured on managed devices): CIS 6.3.1 requires firewall enabled in device compliance policies · ISO 27001 A.8.20 (Networks security — manage and control networks to protect information in systems and applications): ISO A.8.20 requires network security controls including host firewalls · DORA Art.9.2 (Protection and prevention — encrypt data at rest and in transit, manage cryptographic keys): DORA Art. 9(2) requires network protection controls on ICT assets · NIST CSF PR.DS-01 (The confidentiality, integrity, and availability of data-at-rest are protected): NIST PR.DS-01 requires network-level data protection including firewalls |
| CTRL-INT-006 | Mobile device storage encryption required | CIS M365 v3.0, Rec. 6.1.2 | 6.1.2 | A.8.24 | — | Art.21.2e | PR.DS-01 | CIS M365 6.1.2 (Ensure a Compliance Policy is assigned to all devices): CIS 6.1.2 requires storage encryption for mobile device compliance · ISO 27001 A.8.24 (Use of cryptography — define and implement rules for the effective use of cryptography): ISO A.8.24 requires cryptographic controls including storage encryption on mobile devices · NIS2 Art.21.2e (Security in network and information systems — secure acquisition, development, and maintenance): NIS2 Art. 21(2)(e) requires encryption on mobile information systems · NIST CSF PR.DS-01 (The confidentiality, integrity, and availability of data-at-rest are protected): NIST PR.DS-01 requires protecting data-at-rest on mobile devices |
| CTRL-EXO-001 | Modern authentication enabled in Exchange Online | CIS M365 v3.0, Rec. 1.1.2 | 1.1.2 | A.8.5 | Art.9.4 | Art.21.2i | PR.AA-05 | CIS M365 1.1.2 (Ensure two emergency access accounts have been defined): CIS 1.1.2 requires modern authentication protocols for Exchange Online · ISO 27001 A.8.5 (Secure authentication — implement secure sign-on procedures based on authentication restrictions): ISO A.8.5 requires secure authentication including modern authentication protocols for email · DORA Art.9.4 (Protection and prevention — implement robust network and infrastructure security controls): DORA Art. 9(4) requires modern authentication mechanisms for ICT services · NIS2 Art.21.2i (Human resources security, access control, and asset management): NIS2 Art. 21(2)(i) requires access control via modern authentication protocols · NIST CSF PR.AA-05 (Access permissions, entitlements, and authorizations are managed): NIST PR.AA-05 requires secure access mechanisms including modern authentication |
| CTRL-EXO-002 | Audit logging enabled in Exchange Online | CIS M365 v3.0, Rec. 1.3.3 | 1.3.3 | A.8.15 | Art.10.1 | Art.21.2j | DE.AE-03 | CIS M365 1.3.3 (Ensure Phishing-resistant MFA strength is required for Administrators): CIS 1.3.3 requires unified audit logging to be enabled · ISO 27001 A.8.15 (Logging — produce, store, protect, and analyse logs recording activities, exceptions, and events): ISO A.8.15 requires logging of activities, exceptions, and security events · DORA Art.10.1 (ICT-related incident management — establish mechanisms to detect, manage, and notify ICT incidents): DORA Art. 10(1) requires logging of ICT service activities and events · NIS2 Art.21.2j (Use of multi-factor authentication, secured communications, and emergency communications): NIS2 Art. 21(2)(j) requires audit logging for security monitoring · NIST CSF DE.AE-03 (Events are correlated from multiple sources and sensors): NIST DE.AE-03 requires event data collection for analysis and correlation |
| CTRL-EXO-003 | Malware filter policy is active in Exchange Online | CIS M365 v3.0, Rec. 2.1.1 | 2.1.1 | A.8.7 | Art.9.3 | Art.21.2e | DE.CM-01 | CIS M365 2.1.1 (Ensure Safe Attachments for SharePoint, OneDrive, and Microsoft Teams is Enabled): CIS 2.1.1 requires active malware filter policies in Exchange Online · ISO 27001 A.8.7 (Protection against malware — implement detection, prevention, and recovery controls for malware): ISO A.8.7 requires protection against malware in email systems · DORA Art.9.3 (Detection — continuously monitor and control ICT systems for anomalous activity): DORA Art. 9(3) requires mechanisms to detect malicious content in communications · NIS2 Art.21.2e (Security in network and information systems — secure acquisition, development, and maintenance): NIS2 Art. 21(2)(e) requires malware protection in communication systems · NIST CSF DE.CM-01 (Networks and network services are monitored to find potentially adverse events): NIST DE.CM-01 requires monitoring email for malicious content |
| CTRL-EXO-004 | ATP Safe Links policy is enabled | CIS M365 v3.0, Rec. 2.1.4 | 2.1.4 | A.8.7 | Art.9.3 | Art.21.2e | PR.PS-01 | CIS M365 2.1.4 (Ensure Safe Attachments policy is enabled): CIS 2.1.4 requires ATP Safe Links for URL threat protection · ISO 27001 A.8.7 (Protection against malware — implement detection, prevention, and recovery controls for malware): ISO A.8.7 requires URL-level malware protection in email · DORA Art.9.3 (Detection — continuously monitor and control ICT systems for anomalous activity): DORA Art. 9(3) requires detection of malicious URLs in communications · NIS2 Art.21.2e (Security in network and information systems — secure acquisition, development, and maintenance): NIS2 Art. 21(2)(e) requires URL threat protection in information systems · NIST CSF PR.PS-01 (Configuration management practices are established and applied): NIST PR.PS-01 requires security configuration including URL filtering |
| CTRL-EXO-005 | ATP Safe Attachments policy is enabled | CIS M365 v3.0, Rec. 2.1.3 | 2.1.3 | A.8.7 | Art.9.3 | Art.21.2e | PR.PS-01 | CIS M365 2.1.3 (Ensure all forms of mail forwarding are blocked and/or disabled): CIS 2.1.3 requires ATP Safe Attachments for email threat protection · ISO 27001 A.8.7 (Protection against malware — implement detection, prevention, and recovery controls for malware): ISO A.8.7 requires scanning attachments for malware before delivery · DORA Art.9.3 (Detection — continuously monitor and control ICT systems for anomalous activity): DORA Art. 9(3) requires detection of malicious attachments in communications · NIS2 Art.21.2e (Security in network and information systems — secure acquisition, development, and maintenance): NIS2 Art. 21(2)(e) requires attachment threat protection in information systems · NIST CSF PR.PS-01 (Configuration management practices are established and applied): NIST PR.PS-01 requires security configuration including attachment scanning |
| CTRL-EXO-006 | Safe Links covers Office desktop applications | CIS M365 v3.0, Rec. 2.1.1 | 2.1.1 | A.8.7 | Art.9.3 | — | DE.CM-04 | CIS M365 2.1.1 (Ensure Safe Attachments for SharePoint, OneDrive, and Microsoft Teams is Enabled): CIS 2.1.1 requires Safe Links protection extended to Office desktop apps · ISO 27001 A.8.7 (Protection against malware — implement detection, prevention, and recovery controls for malware): ISO A.8.7 requires URL threat protection across all application vectors · DORA Art.9.3 (Detection — continuously monitor and control ICT systems for anomalous activity): DORA Art. 9(3) requires malicious URL detection across Office applications · NIST CSF DE.CM-04 (Malicious code is detected): NIST DE.CM-04 requires malicious code detection in desktop applications |
| CTRL-EXO-007 | Safe Links rewrites URLs in email | CIS M365 v3.0, Rec. 2.1.2 | 2.1.2 | A.8.7 | — | — | DE.CM-04 | CIS M365 2.1.2 (Ensure Exchange Online Spam Policies are set correctly): CIS 2.1.2 requires Safe Links URL rewriting for click-time protection · ISO 27001 A.8.7 (Protection against malware — implement detection, prevention, and recovery controls for malware): ISO A.8.7 requires URL rewriting to enable click-time malware scanning · NIST CSF DE.CM-04 (Malicious code is detected): NIST DE.CM-04 requires click-time URL verification to detect malicious code |
| CTRL-EXO-008 | Safe Attachments dynamic delivery enabled | CIS M365 v3.0, Rec. 2.1.3 | 2.1.3 | A.8.7 | Art.9.3 | — | DE.CM-04 | CIS M365 2.1.3 (Ensure all forms of mail forwarding are blocked and/or disabled): CIS 2.1.3 requires Safe Attachments with dynamic delivery for email flow · ISO 27001 A.8.7 (Protection against malware — implement detection, prevention, and recovery controls for malware): ISO A.8.7 requires attachment scanning without disrupting email delivery · DORA Art.9.3 (Detection — continuously monitor and control ICT systems for anomalous activity): DORA Art. 9(3) requires malicious content detection with minimal operational impact · NIST CSF DE.CM-04 (Malicious code is detected): NIST DE.CM-04 requires attachment scanning with dynamic delivery mode |
| CTRL-EXO-009 | Safe Attachments covers SharePoint, OneDrive, and Teams | CIS M365 v3.0, Rec. 2.1.4 | 2.1.4 | A.8.7 | — | — | DE.CM-04 | CIS M365 2.1.4 (Ensure Safe Attachments policy is enabled): CIS 2.1.4 requires Safe Attachments for SharePoint, OneDrive, and Teams · ISO 27001 A.8.7 (Protection against malware — implement detection, prevention, and recovery controls for malware): ISO A.8.7 requires malware protection across all file sharing platforms · NIST CSF DE.CM-04 (Malicious code is detected): NIST DE.CM-04 requires malicious code detection in cloud storage and collaboration |
| CTRL-EXO-010 | Anti-phishing policy with impersonation protection enabled | CIS M365 v3.0, Rec. 2.1.10 | 2.1.10 | A.8.7 | — | — | DE.CM-04 | CIS M365 2.1.10 (Ensure anti-phishing policies are configured with impersonation protection): CIS 2.1.10 requires anti-phishing policies with impersonation protection · ISO 27001 A.8.7 (Protection against malware — implement detection, prevention, and recovery controls for malware): ISO A.8.7 requires protection against email impersonation attacks · NIST CSF DE.CM-04 (Malicious code is detected): NIST DE.CM-04 requires detection of impersonation-based phishing attacks |
| CTRL-EXO-011 | Mailbox intelligence protection enabled in anti-phishing policy | CIS M365 v3.0, Rec. 2.1.10 | 2.1.10 | A.8.7 | — | — | DE.CM-04 | CIS M365 2.1.10 (Ensure anti-phishing policies are configured with impersonation protection): CIS 2.1.10 requires mailbox intelligence for advanced anti-phishing · ISO 27001 A.8.7 (Protection against malware — implement detection, prevention, and recovery controls for malware): ISO A.8.7 requires AI-based detection of anomalous email patterns · NIST CSF DE.CM-04 (Malicious code is detected): NIST DE.CM-04 requires intelligent detection of email-based threats |
| CTRL-EXO-012 | DKIM signing enabled for all accepted domains CIS M365 3.2.1 (Ensure DKIM is enabled for all Exchange Online domains): CIS 3.2.1 requires DKIM signing for all accepted domains ISO 27001 A.8.24 (Use of cryptography — define and implement rules for the effective use of cryptography): ISO A.8.24 requires cryptographic email authentication via DKIM NIST CSF PR.DS-01 (The confidentiality, integrity, and availability of data-at-rest are protected): NIST PR.DS-01 requires protecting email integrity via DKIM signatures | CIS M365 v3.0, Rec. 3.2.1 | 3.2.1 | A.8.24 | — | — | PR.DS-01 |
| CTRL-EXO-013 | Auto-forwarding to external domains is blocked CIS M365 2.1.3 (Ensure all forms of mail forwarding are blocked and/or disabled): CIS 2.1.3 requires blocking automatic email forwarding to external domains ISO 27001 A.8.12 (Data leakage prevention — measures to prevent unauthorized disclosure of information from systems and networks): ISO A.8.12 requires data leakage prevention including blocking unauthorized email auto-forwarding DORA Art.9.2 (Protection and prevention — encrypt data at rest and in transit, manage cryptographic keys): DORA Art. 9(2) requires preventing unauthorised data transfers from ICT systems NIS2 Art.21.2e (Security in network and information systems — secure acquisition, development, and maintenance): NIS2 Art. 21(2)(e) requires controls preventing unauthorized data exfiltration NIST CSF PR.DS-01 (The confidentiality, integrity, and availability of data-at-rest are protected): NIST PR.DS-01 requires protecting data from unauthorized external transfer | CIS M365 v3.0, Rec. 2.1.3 | 2.1.3 | A.8.12 | Art.9.2 | Art.21.2e | PR.DS-01 |
| CTRL-EXO-014 | External sender identification enabled in anti-phishing policy CIS M365 2.1.9 (Ensure that an anti-phishing policy has been created with external sender identification): CIS 2.1.9 requires identifying emails from external senders NIST CSF DE.CM-04 (Malicious code is detected): NIST DE.CM-04 requires enabling users to detect potentially deceptive emails | CIS M365 v3.0, Rec. 2.1.9 | 2.1.9 | — | — | — | DE.CM-04 |
| CTRL-EXO-015 | High-confidence spam action set to quarantine CIS M365 2.1.2 (Ensure Exchange Online Spam Policies are set correctly): CIS 2.1.2 requires high-confidence spam to be quarantined ISO 27001 A.8.7 (Protection against malware — implement detection, prevention, and recovery controls for malware): ISO A.8.7 requires filtering high-confidence spam as a malware vector NIST CSF DE.CM-04 (Malicious code is detected): NIST DE.CM-04 requires quarantining high-confidence spam to prevent threats | CIS M365 v3.0, Rec. 2.1.2 | 2.1.2 | A.8.7 | — | — | DE.CM-04 |
| CTRL-EXO-016 | Admin audit log retention is at least 90 days CIS M365 3.1.1 (Ensure the Microsoft 365 audit log search is turned on): CIS 3.1.1 requires retaining admin audit logs for at least 90 days ISO 27001 A.8.15 (Logging — produce, store, protect, and analyse logs recording activities, exceptions, and events): ISO A.8.15 requires log retention for adequate investigation and analysis periods DORA Art.10.1 (ICT-related incident management — establish mechanisms to detect, manage, and notify ICT incidents): DORA Art. 10(1) requires sufficient retention of ICT event logs NIS2 Art.21.2j (Use of multi-factor authentication, secured communications, and emergency communications): NIS2 Art. 21(2)(j) requires audit log retention for security monitoring NIST CSF DE.AE-03 (Events are correlated from multiple sources and sensors): NIST DE.AE-03 requires retaining event data for correlation and analysis | CIS M365 v3.0, Rec. 3.1.1 | 3.1.1 | A.8.15 | Art.10.1 | Art.21.2j | DE.AE-03 |
| CTRL-EXO-017 | Mailbox auditing is enabled by default CIS M365 6.1.4 (Ensure mailbox auditing for all users is Enabled): CIS 6.1.4 requires mailbox auditing enabled by default ISO 27001 A.8.15 (Logging — produce, store, protect, and analyse logs recording activities, exceptions, and events): ISO A.8.15 requires logging of mailbox access and modification events DORA Art.10.1 (ICT-related incident management — establish mechanisms to detect, manage, and notify ICT incidents): DORA Art. 10(1) requires logging of all ICT service activities NIS2 Art.21.2j (Use of multi-factor authentication, secured communications, and emergency communications): NIS2 Art. 21(2)(j) requires mailbox activity auditing for security NIST CSF PR.PS-04 (Log records are generated and made available for continuous monitoring): NIST PR.PS-04 requires log generation and availability for email systems | CIS M365 v3.0, Rec. 6.1.4 | 6.1.4 | A.8.15 | Art.10.1 | Art.21.2j | PR.PS-04 |
| CTRL-SPO-001 | SharePoint external sharing restricted to existing guests or more restrictive CIS M365 7.2.1 (Ensure SharePoint external sharing is managed through domain whitelist/blacklist): CIS 7.2.1 requires restricting SharePoint external sharing ISO 27001 A.8.3 (Information access restriction — restrict access to information and other associated assets): ISO A.8.3 requires technological access restrictions for external data sharing DORA Art.9.2 (Protection and prevention — encrypt data at rest and in transit, manage cryptographic keys): DORA Art. 9(2) requires controlling external access to ICT data NIS2 Art.21.2j (Use of multi-factor authentication, secured communications, and emergency communications): NIS2 Art. 21(2)(j) requires controlling external user access to data NIST CSF PR.AA-05 (Access permissions, entitlements, and authorizations are managed): NIST PR.AA-05 requires managing external access permissions | CIS M365 v3.0, Rec. 7.2.1 | 7.2.1 | A.8.3 | Art.9.2 | Art.21.2j | PR.AA-05 |
| CTRL-SPO-002 | Legacy authentication protocols disabled for SharePoint Online CIS M365 7.2.7 (Ensure link sharing is restricted for SharePoint and OneDrive): CIS 7.2.7 requires disabling legacy authentication for SharePoint ISO 27001 A.8.5 (Secure authentication — implement secure sign-on procedures based on authentication restrictions): ISO A.8.5 requires secure authentication by disabling legacy protocols for SharePoint DORA Art.9.4 (Protection and prevention — implement robust network and infrastructure security controls): DORA Art. 9(4) requires eliminating legacy authentication for ICT services NIS2 Art.21.2i (Human resources security, access control, and asset management): NIS2 Art. 21(2)(i) requires modern access control for information systems NIST CSF PR.AA-05 (Access permissions, entitlements, and authorizations are managed): NIST PR.AA-05 requires secure access mechanisms for data services | CIS M365 v3.0, Rec. 7.2.7 | 7.2.7 | A.8.5 | Art.9.4 | Art.21.2i | PR.AA-05 |
| CTRL-SPO-003 | SharePoint guest sharing requires account match CIS M365 7.2.2 (Ensure SharePoint and OneDrive integration with Azure AD B2B is enabled): CIS 7.2.2 requires guest invitation to match the invited email address ISO 27001 A.8.5 (Secure authentication — implement secure sign-on procedures based on authentication restrictions): ISO A.8.5 requires secure authentication by verifying guest identity matches the invited account DORA Art.9.2 (Protection and prevention — encrypt data at rest and in transit, manage cryptographic keys): DORA Art. 9(2) requires verified identity for external ICT access NIS2 Art.21.2j (Use of multi-factor authentication, secured communications, and emergency communications): NIS2 Art. 21(2)(j) requires authenticated external user access NIST CSF PR.AA-01 (Identities and credentials for authorized users, services, and hardware are managed): NIST PR.AA-01 requires identity verification for all data access | CIS M365 v3.0, Rec. 7.2.2 | 7.2.2 | A.8.5 | Art.9.2 | Art.21.2j | PR.AA-01 |
| CTRL-SPO-004 | Anyone link expiry enforced CIS M365 7.2.1 (Ensure SharePoint external sharing is managed through domain whitelist/blacklist): CIS 7.2.1 requires time-limiting anonymous sharing links ISO 27001 A.8.3 (Information access restriction — restrict access to information and other associated assets): ISO A.8.3 requires time-bound access controls for shared data NIS2 Art.21.2i (Human resources security, access control, and asset management): NIS2 Art. 21(2)(i) requires expiring access controls for shared resources NIST CSF PR.DS-01 (The confidentiality, integrity, and availability of data-at-rest are protected): NIST PR.DS-01 requires protecting data through time-limited sharing links | CIS M365 v3.0, Rec. 7.2.1 | 7.2.1 | A.8.3 | — | Art.21.2i | PR.DS-01 |
| CTRL-SPO-005 | SharePoint sharing restricted to specific domains CIS M365 7.2.2 (Ensure SharePoint and OneDrive integration with Azure AD B2B is enabled): CIS 7.2.2 requires restricting sharing to approved domains ISO 27001 A.8.3 (Information access restriction — restrict access to information and other associated assets): ISO A.8.3 requires domain-level access restrictions for data sharing NIST CSF PR.DS-01 (The confidentiality, integrity, and availability of data-at-rest are protected): NIST PR.DS-01 requires restricting data sharing to approved domains | CIS M365 v3.0, Rec. 7.2.2 | 7.2.2 | A.8.3 | — | — | PR.DS-01 |
| CTRL-SPO-006 | OneDrive sync restricted to domain-joined devices CIS M365 7.3.1 (Ensure external content sharing is restricted): CIS 7.3.1 requires OneDrive sync limited to domain-joined devices ISO 27001 A.8.1 (User endpoint devices — protect information stored on, processed by, or accessible via user endpoint devices): ISO A.8.1 requires endpoint device controls for data synchronization NIST CSF PR.DS-01 (The confidentiality, integrity, and availability of data-at-rest are protected): NIST PR.DS-01 requires protecting data sync to managed devices only | CIS M365 v3.0, Rec. 7.3.1 | 7.3.1 | A.8.1 | — | — | PR.DS-01 |
| CTRL-TEA-001 | Teams external access (federation) is disabled or restricted CIS M365 8.1.1 (Ensure external file sharing in Teams is enabled for only approved cloud storage services): CIS 8.1.1 requires restricting Teams external access (federation) ISO 27001 A.8.20 (Networks security — manage and control networks to protect information in systems and applications): ISO A.8.20 requires network security controls including restricting external federation boundaries DORA Art.9.2 (Protection and prevention — encrypt data at rest and in transit, manage cryptographic keys): DORA Art. 9(2) requires controlling external access to collaboration platforms NIS2 Art.21.2j (Use of multi-factor authentication, secured communications, and emergency communications): NIS2 Art. 21(2)(j) requires controlling external user federation NIST CSF PR.AA-05 (Access permissions, entitlements, and authorizations are managed): NIST PR.AA-05 requires managing external federation permissions | CIS M365 v3.0, Rec. 8.1.1 | 8.1.1 | A.8.20 | Art.9.2 | Art.21.2j | PR.AA-05 |
| CTRL-TEA-002 | Teams guest access is disabled CIS M365 8.2.1 (Ensure users can report security concerns in Teams): CIS 8.2.1 requires disabling or restricting Teams guest access ISO 27001 A.8.3 (Information access restriction — restrict access to information and other associated assets): ISO A.8.3 requires technological access restrictions for guest users in collaboration platforms DORA Art.9.2 (Protection and prevention — encrypt data at rest and in transit, manage cryptographic keys): DORA Art. 9(2) requires controlling guest access to ICT platforms NIS2 Art.21.2j (Use of multi-factor authentication, secured communications, and emergency communications): NIS2 Art. 21(2)(j) requires restricting guest access to collaboration systems NIST CSF PR.AA-01 (Identities and credentials for authorized users, services, and hardware are managed): NIST PR.AA-01 requires managing guest identity and access | CIS M365 v3.0, Rec. 8.2.1 | 8.2.1 | A.8.3 | Art.9.2 | Art.21.2j | PR.AA-01 |
| CTRL-TEA-003 | Anonymous join to Teams meetings is disabled CIS M365 8.5.1 (Ensure external access is restricted in the Teams admin center): CIS 8.5.1 requires disabling anonymous join for Teams meetings ISO 27001 A.8.5 (Secure authentication — implement secure sign-on procedures based on authentication restrictions): ISO A.8.5 requires secure authentication for all meeting participants, preventing anonymous access DORA Art.9.2 (Protection and prevention — encrypt data at rest and in transit, manage cryptographic keys): DORA Art. 9(2) requires identity verification for ICT collaboration NIS2 Art.21.2j (Use of multi-factor authentication, secured communications, and emergency communications): NIS2 Art. 21(2)(j) requires authenticated access to meetings NIST CSF PR.AA-05 (Access permissions, entitlements, and authorizations are managed): NIST PR.AA-05 requires preventing anonymous access to meetings | CIS M365 v3.0, Rec. 8.5.1 | 8.5.1 | A.8.5 | Art.9.2 | Art.21.2j | PR.AA-05 |
| CTRL-TEA-004 | Teams meeting recording restricted to org users CIS M365 8.1.1 (Ensure external file sharing in Teams is enabled for only approved cloud storage services): CIS 8.1.1 requires meeting recording limited to organizational users ISO 27001 A.8.12 (Data leakage prevention — measures to prevent unauthorized disclosure of information from systems and networks): ISO A.8.12 requires data leakage prevention including restricting meeting recording to prevent unauthorized capture NIST CSF PR.DS-01 (The confidentiality, integrity, and availability of data-at-rest are protected): NIST PR.DS-01 requires controlling recording data to authorized personnel | CIS M365 v3.0, Rec. 8.1.1 | 8.1.1 | A.8.12 | — | — | PR.DS-01 |
| CTRL-TEA-005 | Unmanaged device access to Teams restricted CIS M365 8.2.1 (Ensure users can report security concerns in Teams): CIS 8.2.1 requires restricting unmanaged device access to Teams ISO 27001 A.8.1 (User endpoint devices — protect information stored on, processed by, or accessible via user endpoint devices): ISO A.8.1 requires endpoint device controls for collaboration access DORA Art.9.2 (Protection and prevention — encrypt data at rest and in transit, manage cryptographic keys): DORA Art. 9(2) requires managed device enforcement for ICT services NIST CSF PR.AA-05 (Access permissions, entitlements, and authorizations are managed): NIST PR.AA-05 requires device compliance for collaboration access | CIS M365 v3.0, Rec. 8.2.1 | 8.2.1 | A.8.1 | Art.9.2 | — | PR.AA-05 |
| CTRL-TEA-006 | Teams external domain access restricted CIS M365 8.2.2 (Ensure meeting organizers can control who can present): CIS 8.2.2 requires restricting Teams external domain access ISO 27001 A.8.20 (Networks security — manage and control networks to protect information in systems and applications): ISO A.8.20 requires network-level controls for external communications NIS2 Art.21.2i (Human resources security, access control, and asset management): NIS2 Art. 21(2)(i) requires domain-level access controls for collaboration NIST CSF PR.AA-05 (Access permissions, entitlements, and authorizations are managed): NIST PR.AA-05 requires restricting communications to approved domains | CIS M365 v3.0, Rec. 8.2.2 | 8.2.2 | A.8.20 | — | Art.21.2i | PR.AA-05 |
| CTRL-PUR-001 | DLP policies configured and active ISO 27001 A.8.12 (Data leakage prevention — measures to prevent unauthorized disclosure of information from systems and networks): ISO A.8.12 requires data leakage prevention controls to detect and block unauthorized data disclosure DORA Art.9.2 (Protection and prevention — encrypt data at rest and in transit, manage cryptographic keys): DORA Art. 9(2) requires data loss prevention for ICT assets NIS2 Art.21.2e (Security in network and information systems — secure acquisition, development, and maintenance): NIS2 Art. 21(2)(e) requires data loss prevention in information systems NIST CSF PR.DS-01 (The confidentiality, integrity, and availability of data-at-rest are protected): NIST PR.DS-01 requires data protection controls including DLP policies | — | — | A.8.12 | Art.9.2 | Art.21.2e | PR.DS-01 |
| CTRL-PUR-002 | Sensitivity labels published and available ISO 27001 A.8.12 (Data leakage prevention — measures to prevent unauthorized disclosure of information from systems and networks): ISO A.8.12 requires data classification via sensitivity labels to support leakage prevention DORA Art.9.2 (Protection and prevention — encrypt data at rest and in transit, manage cryptographic keys): DORA Art. 9(2) requires classification of ICT assets and data NIS2 Art.21.2h (Policies and procedures regarding use of cryptography and encryption): NIS2 Art. 21(2)(h) requires data classification and labelling policies NIST CSF PR.DS-01 (The confidentiality, integrity, and availability of data-at-rest are protected): NIST PR.DS-01 requires data classification for protection decisions | — | — | A.8.12 | Art.9.2 | Art.21.2h | PR.DS-01 |
| CTRL-PUR-003 | Retention policies configured for Exchange Online ISO 27001 A.8.15 (Logging — produce, store, protect, and analyse logs recording activities, exceptions, and events): ISO A.8.15 requires retention of email records for audit and investigation DORA Art.10.1 (ICT-related incident management — establish mechanisms to detect, manage, and notify ICT incidents): DORA Art. 10(1) requires retention of ICT communication records NIS2 Art.21.2j (Use of multi-factor authentication, secured communications, and emergency communications): NIS2 Art. 21(2)(j) requires email retention for compliance and monitoring NIST CSF DE.AE-03 (Events are correlated from multiple sources and sensors): NIST DE.AE-03 requires retaining email data for event analysis | — | — | A.8.15 | Art.10.1 | Art.21.2j | DE.AE-03 |
| CTRL-PUR-004 | Retention policies configured for SharePoint Online ISO 27001 A.8.15 (Logging — produce, store, protect, and analyse logs recording activities, exceptions, and events): ISO A.8.15 requires retention of document records for audit and investigation DORA Art.10.1 (ICT-related incident management — establish mechanisms to detect, manage, and notify ICT incidents): DORA Art. 10(1) requires retention of document storage records NIST CSF DE.AE-03 (Events are correlated from multiple sources and sensors): NIST DE.AE-03 requires retaining document data for event analysis | — | — | A.8.15 | Art.10.1 | — | DE.AE-03 |
| CTRL-PUR-005 | Alert policies configured for security events ISO 27001 A.8.16 (Monitoring activities — monitor networks, systems, and applications for anomalous behaviour): ISO A.8.16 requires monitoring and alerting for security anomalies DORA Art.9.3 (Detection — continuously monitor and control ICT systems for anomalous activity): DORA Art. 9(3) requires automated alerting for anomalous ICT activities NIS2 Art.21.2b (Incident handling — establish procedures for detecting, managing, and reporting incidents): NIS2 Art. 21(2)(b) requires incident detection through security alerting NIST CSF DE.CM-01 (Networks and network services are monitored to find potentially adverse events): NIST DE.CM-01 requires security event monitoring and alerting | — | — | A.8.16 | Art.9.3 | Art.21.2b | DE.CM-01 |
| CTRL-PUR-006 | DLP policy covers multiple workloads ISO 27001 A.8.12 (Data leakage prevention — measures to prevent unauthorized disclosure of information from systems and networks): ISO A.8.12 requires data leakage prevention coverage across all processing platforms DORA Art.9.2 (Protection and prevention — encrypt data at rest and in transit, manage cryptographic keys): DORA Art. 9(2) requires DLP controls covering all ICT workloads NIS2 Art.21.2e (Security in network and information systems — secure acquisition, development, and maintenance): NIS2 Art. 21(2)(e) requires comprehensive DLP across information systems NIST CSF PR.DS-01 (The confidentiality, integrity, and availability of data-at-rest are protected): NIST PR.DS-01 requires data protection across all processing platforms | — | — | A.8.12 | Art.9.2 | Art.21.2e | PR.DS-01 |
Settings Library Methodology
PostureIQ evaluates Intune Settings Catalog profiles against a curated library of 336 setting definitions across 27 categories. Each entry specifies a known-compliant value derived from one of three sources:
- CIS Benchmark — Values from the CIS Microsoft Intune for Windows 11 Benchmark v3.0.1. These are the primary source and take precedence when conflicts arise.
- Microsoft Security Baseline — Values derived from Microsoft's recommended security baseline for Windows. Fills gaps not covered by CIS.
- AI Auto-Assessed — For settings not covered by CIS or Microsoft baselines, an AI pipeline evaluates the setting against vendor documentation and security best practices. High-confidence assessments are auto-approved; medium and low-confidence entries require admin review.
Settings with no known-compliant value are reported as unscored — they are visible in the findings but do not affect compliance scores. This approach prioritises honesty over inflated coverage.
Of the 336 entries, 336 have multi-framework attribution mapping them to ISO 27001, DORA, NIS2, and/or NIST CSF 2.0 requirements.
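As an added worked example (illustrative code, not PostureIQ's own implementation), the Python below sketches how a settings library built from the three sources above can be resolved and scored: duplicate definitions for one setting collapse by source precedence (CIS over Microsoft baseline over AI), AI-assessed entries count only when high-confidence or admin-approved, and entries with no known-compliant value are reported as unscored and left out of the sub-score entirely. The entry shape, the per-setting weight field, the sample setting names and tenant values, and the treatment of a setting that is absent from the tenant profile (counted as fail) are all assumptions made for the example.

```python
"""Settings-library evaluation sketch (added example, not PostureIQ code)."""
from dataclasses import dataclass
from typing import Any

# Source precedence stated on the page: CIS wins over the Microsoft
# Security Baseline, which wins over AI auto-assessed values.
SOURCE_PRECEDENCE = {"cis": 0, "microsoft_baseline": 1, "ai": 2}


@dataclass(frozen=True)
class LibraryEntry:
    """One library definition. Field layout is an assumption for this example."""
    setting_id: str
    category: str
    source: str                  # "cis", "microsoft_baseline" or "ai"
    compliant_value: Any         # None => no known-compliant value (unscored)
    weight: int = 1              # assumed importance weight
    confidence: str = "high"     # only meaningful for AI-assessed entries
    admin_approved: bool = False


def resolve_library(entries):
    """Collapse duplicate definitions per setting using source precedence."""
    chosen = {}
    for e in entries:
        cur = chosen.get(e.setting_id)
        if cur is None or SOURCE_PRECEDENCE[e.source] < SOURCE_PRECEDENCE[cur.source]:
            chosen[e.setting_id] = e
    return chosen


def is_usable(entry):
    """A value is usable for scoring if it exists and, for AI-assessed
    entries, is high-confidence or has been approved by an admin."""
    if entry.compliant_value is None:
        return False
    if entry.source == "ai":
        return entry.confidence == "high" or entry.admin_approved
    return True


def evaluate(entries, tenant_values):
    """Return per-setting verdicts: 'pass', 'fail' or 'unscored'."""
    verdicts = {}
    for sid, entry in resolve_library(entries).items():
        if not is_usable(entry):
            verdicts[sid] = "unscored"
        elif sid not in tenant_values:
            verdicts[sid] = "fail"   # assumption: not present in the profile => not compliant
        else:
            verdicts[sid] = "pass" if tenant_values[sid] == entry.compliant_value else "fail"
    return verdicts


def settings_sub_score(entries, tenant_values):
    """Weighted pass rate over scored settings only; unscored entries are
    excluded from both numerator and denominator. None if nothing is scored."""
    library = resolve_library(entries)
    earned = total = 0
    for sid, verdict in evaluate(entries, tenant_values).items():
        if verdict == "unscored":
            continue
        total += library[sid].weight
        if verdict == "pass":
            earned += library[sid].weight
    return round(earned / total * 100, 1) if total else None


# Constructed sample library and tenant values (not real catalog entries).
SAMPLE_LIBRARY = [
    LibraryEntry("defender_realtime_monitoring", "Defender", "cis", True, weight=5),
    LibraryEntry("defender_realtime_monitoring", "Defender", "microsoft_baseline", True, weight=5),
    LibraryEntry("bitlocker_os_drive_encryption", "BitLocker", "microsoft_baseline", "required", weight=5),
    LibraryEntry("smartscreen_prompt_override", "SmartScreen", "ai", "block", weight=3, confidence="high"),
    LibraryEntry("telemetry_level", "Privacy", "ai", 1, weight=2, confidence="medium"),
    LibraryEntry("custom_wallpaper_lock", "Experience", "cis", None, weight=1),
]
SAMPLE_TENANT = {
    "defender_realtime_monitoring": True,
    "bitlocker_os_drive_encryption": "not_required",
    "smartscreen_prompt_override": "block",
    "telemetry_level": 1,
}

if __name__ == "__main__":
    for sid, verdict in evaluate(SAMPLE_LIBRARY, SAMPLE_TENANT).items():
        print(f"{sid:32s} {verdict}")
    print("settings sub-score:", settings_sub_score(SAMPLE_LIBRARY, SAMPLE_TENANT))
```

With the sample data, the two unscored entries (a medium-confidence AI value awaiting review and a setting with no known-compliant value) drop out, and the sub-score is computed over the remaining 13 weight points. Approving the medium-confidence entry moves it into the scored set and changes the score, which is the behaviour an admin review should have.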
Scope & Limitations
PostureIQ assesses the technical configuration of your Microsoft 365 tenant. Scores reflect the proportion of assessed controls that pass. They do not represent full regulatory compliance.
What is assessed
- Entra ID / Azure AD identity and access controls
- Intune device compliance policies and Settings Catalog profiles
- Exchange Online email security (ATP, DKIM, anti-phishing, audit logging)
- SharePoint Online sharing and authentication restrictions
- Microsoft Teams federation and guest access controls
- Microsoft Purview DLP, sensitivity labels, retention, and alert policies
What is NOT assessed
- Governance and management system requirements (ISO 27001 Clauses 4-10)
- Organisational policies and procedures (ICT risk policy, incident response plan)
- Human resources security and security awareness training
- Physical and environmental security controls
- Supplier relationship management and third-party risk
- Business continuity and disaster recovery planning
- Legal, regulatory, and contractual obligations beyond technical configuration
Framework scores are gated behind a minimum of 5 data sources. Partial assessments (fewer than 5 sources) display a warning and may not show framework score cards.
Data Source Reference
PostureIQ collects 26 data sources from your Microsoft 365 tenant via the Graph API or the PostureIQ PowerShell collector script.
| # | Data Source | Description |
|---|---|---|
| 1 | entra_mfa_report | User MFA registration status and adoption rate |
| 2 | entra_conditional_access_policies | CA policies controlling authentication requirements |
| 3 | entra_security_defaults | Baseline Microsoft security protections toggle |
| 4 | entra_directory_roles | Admin role assignments and membership |
| 5 | entra_per_user_mfa_report | Legacy per-user MFA enablement state |
| 6 | entra_sspr_policy | SSPR policy configuration and scope |
| 7 | entra_pim_assignments | Privileged Identity Management role assignments |
| 8 | entra_pim_role_settings | PIM activation duration and approval rules |
| 9 | entra_access_reviews | Periodic access review schedules for privileged roles |
| 10 | entra_password_protection | Custom banned password list and lockout policy |
| 11 | intune_compliance_policies | Device compliance rules (BitLocker, password, OS version) |
| 12 | intune_config_profiles | Settings Catalog profiles for device hardening |
| 13 | exchange_online_settings | Modern auth, audit logging, mailbox auditing |
| 14 | exchange_malware_policies | Exchange Online malware filter configuration |
| 15 | exchange_safe_links_policies | ATP Safe Links URL protection settings |
| 16 | exchange_safe_attachments_policies | ATP Safe Attachments detonation settings |
| 17 | exchange_antiphishing_policies | Impersonation and mailbox intelligence protection |
| 18 | exchange_dkim_signing | Outbound email DKIM authentication status |
| 19 | exchange_remote_domains | Auto-forwarding and external domain rules |
| 20 | exchange_spam_policies | Spam quarantine and filtering configuration |
| 21 | purview_dlp_policies | Data loss prevention policy configuration |
| 22 | purview_sensitivity_labels | Document classification and labelling status |
| 23 | purview_retention_policies | Data retention rules for Exchange and SharePoint |
| 24 | purview_alert_policies | Security event monitoring and alerting |
| 25 | sharepoint_settings | External sharing, legacy auth, sync restrictions |
| 26 | teams_settings | Federation, guest access, and meeting controls |