📊 SoA Control Reference Map

| SoA Control (Rel) | Reference | Reference Type | Section / Details | Maintenance |
|---|---|---|---|---|
| A.5.9 | P8 Asset Management | Policy | §3 Asset categories; §4 Information Asset Register | Draft |
| A.5.31 | NZ/AU Privacy Act Compliance | External | NZ Privacy Act, AU Privacy Act regulatory compliance | Draft |
| A.8.18 | ADUE Compliance | Technical | Jailbreak/rooting detection | Draft |
| A.8.10 | BYOD-PROC-01 | Procedure | Offboarding data deletion procedure | Draft |
| A.8.2 | Entra ID PIM (Planned) | Technical | Privileged Identity Management — planned implementation | Draft |
| A.5.17 | Entra ID MFA | Technical | Security Defaults — MFA for all users | Draft |
| A.5.15 | P1 BYOD | Policy | §3 Zero Trust principles | Draft |
| A.7.7 | P1 BYOD | Policy | Screen lock policy section | Draft |
| A.8.27 | L1 ISP | Policy | §3 Zero Trust principles; Platform = Policy | Draft |
| A.8.24 | CA100 Redkey | Technical | Hardware-encrypted USB for secure data transport | Draft |
| A.8.15 | Intune Audit Logs | Technical | Intune audit trail | Draft |
| A.6.8 | BYOD-PROC-04 | Procedure | Incident reporting section | Draft |
| A.5.32 | Employment Contracts | Evidence | IP rights clauses in employment agreements | Draft |
| A.8.8 | Updatest | Evidence | Weekly patch evidence | Draft |
| A.8.33 | P7 ADG | Policy | §Test Data Management — restriction on use of production data in testing | Draft |
| A.8.1 | BYOD-PROC-01~04 | Procedure | Device lifecycle; patch management; access control & data protection; monitoring & incident response | Draft |
| A.8.25 | GitHub Security Features | Technical | GitHub security features (Dependabot, code scanning) | Draft |
| A.5.33 | Notion ISMS Document System | Evidence | ISMS documentation structure in Notion | Draft |
| A.6.4 | P3 HR | Policy | §4.4 Disciplinary process | Draft |
| A.8.10 | P1 BYOD | Policy | §6.5 Selective Wipe (offboarding/device change — corporate data deletion) | Draft |
| A.8.4 | P7 ADG | Policy | Source code management section | Draft |
| A.8.15 | P2 M365 | Policy | §8 Monitoring & Audit Evidence | Draft |
| A.5.27 | P9 Incident Management | Policy | SEC-POL-INC-009 §6 Post-Incident Review (Lessons Learned) — Severity 1/2 mandatory review, root cause analysis, improvement actions, quarterly aggregate review | Draft |
| A.8.15 | Entra ID Sign-in Logs | Technical | Sign-in log collection | Draft |
| A.5.28 | P2 M365 | Policy | §8 Monitoring (log sources for evidence collection) | Draft |
| A.8.26 | P8 Asset Management & Information Classification Policy | Policy | §3.5 SaaS Category Classification — defines A/B/C framework, classification criteria, and information classification linkage | Draft |
| A.7.3 | N/A | External | No offices/rooms/facilities — not applicable | Draft |
| A.5.3 | Audit Log Monitoring | Technical | Compensating control: audit log monitoring for segregation of duties | Draft |
| A.5.12 | P2 M365 | Policy | §3 Two-Level Classification (Confidential=Private Channel / General=Standard Channel); Platform = Policy principle | Draft |
| A.7.13 | BYOD-PROC-01 | Procedure | Device change section | Draft |
| A.5.25 | Microsoft Defender Alerts | Technical | Defender alerting for incident assessment | Draft |
| A.5.28 | P9 Incident Management | Policy | SEC-POL-INC-009 §5.4 Investigation & Evidence Collection — Entra ID/Defender/Intune/UAL/SaaS log collection, evidence preservation (Private Channel), Chain of Custody, timeline reconstruction | Draft |
| A.5.10 | L1 ISP | Policy | §3 Acceptable use principles | Draft |
| A.5.2 | P2 M365 | Policy | §7 Admin Roles | Draft |
| A.5.2 | L2 Domain Policies | Policy | All L2 policies — Roles & Responsibilities sections | Draft |
| A.8.22 | Zero Trust / CA Policy | Technical | Zero Trust (network segmentation unnecessary); CA policy-based logical separation | Draft |
| A.8.5 | P2 M365 | Policy | §6.1 Platform-specific Protection Method | Draft |
| A.5.37 | BYOD-PROC-04 | Procedure | Monitoring & Incident Response procedure | Draft |
| A.5.23 | P2 M365 | Policy | §6.3 CA Prerequisite for cloud service security | Draft |
| A.8.8 | Defender Vulnerability Management | Technical | Vulnerability scanning and management | Draft |
| A.6.1 | P3 HR | Policy | §4.1 Pre-employment screening | Draft |
| A.7.12 | N/A | External | No cabling infrastructure — not applicable | Draft |
| A.6.7 | Conditional Access | Technical | CA policies for remote working | Draft |
| A.5.17 | Conditional Access | Technical | Premium: Device Compliance; Basic+P1: SPO Block | Draft |
| A.8.7 | Updatest | Evidence | Update evidence for endpoint protection | Draft |
| A.5.37 | BYOD-PROC-02 | Procedure | Patch Management procedure | Draft |
| A.8.12 | P2 M365 | Policy | §5.3 Private Channel Isolation; CA Default Block; Purview DLP not used (proportionate control) | Draft |
| A.7.13 | Updatest Weekly Update Evidence | Evidence | Weekly update evidence from Updatest | Draft |
| A.8.13 | SharePoint versioning | Technical | SharePoint version history for document rollback | Draft |
| A.8.30 | P7 ADG | Policy | §Outsourced Development Security Requirements | Draft |
| A.5.17 | ADUE Compliance Policy | Technical | Apple User Enrollment compliance policy enforcement | Draft |
| A.8.32 | ISMS Document Version Control | Evidence | ISMS document version management records | Draft |
| A.8.27 | P7 ADG | Policy | §Architecture — Secure system architecture principles | Draft |
| A.8.9 | Intune Configuration Profiles | Technical | Device configuration management | Draft |
| A.5.9 | SaaS Service List | Evidence | Inventory of SaaS services in use | Draft |
| A.5.2 | P1 BYOD | Policy | §4 Roles | Draft |
| A.8.2 | Conditional Access | Technical | CA policies for admin accounts | Draft |
| A.5.16 | Entra ID | Technical | Identity management platform | Draft |
| A.7.9 | P1 BYOD | Policy | Full BYOD policy + encryption requirements | Draft |
| A.8.15 | M365 UAL | Technical | Unified Audit Log | Draft |
| A.5.29 | P5 BCP | Policy | Business continuity planning | Draft |
| A.5.36 | Defender/Intune Compliance Dashboard | Technical | Defender and Intune compliance dashboards for conformance monitoring | Draft |
| A.8.16 | Intune Compliance Dashboard | Technical | Intune compliance monitoring dashboard | Draft |
| A.8.20 | Zero Trust Architecture | Technical | No network trust; CA-based access; Cloud-only | Draft |
| A.5.17 | P1 BYOD | Policy | §5.3 User Consent | Draft |
| A.5.34 | P1 BYOD | Policy | §6 Privacy Boundary (§6.3 Data Ownership vs Management Jurisdiction; §6.4 MAM Control Scope; §6.5 Selective Wipe Notice) | Draft |
| A.5.10 | P1 BYOD | Policy | §5 Acceptable Use (§5.2 Prohibited Use); §7 Non-Managed App Security (MAM external app controls) | Draft |
| A.5.26 | P9 Incident Management | Policy | SEC-POL-INC-009 §5.3 Containment & Response (account block, Selective Wipe, session revocation, device isolation); §5.5 Recovery & Remediation | Draft |
| A.5.36 | P2 M365 | Policy | §8 Monitoring & Audit Evidence (weekly/monthly/quarterly reviews) | Draft |
| A.8.32 | P7 ADG | Policy | §Change Management | Draft |
| A.5.30 | P5 BCP | Policy | ICT readiness for business continuity | Draft |
| A.5.15 | BYOD-PROC-03 | Procedure | Access Control & Data Protection procedure | Draft |
| A.7.10 | CA100 Redkey | Technical | Redkey management + encryption requirements | Draft |
| A.5.22 | P4 Supplier & Third-Party Security | Policy | §4 Supplier Monitoring & Review | Draft |
| A.5.33 | M365 Retention Policies | Technical | M365 retention policies for records management | Draft |
| A.7.8 | P1 BYOD | Policy | Physical management guidelines — BYOD environment, no corporate-owned equipment | Draft |
| A.5.18 | P2 M365 | Policy | §5 Teams Membership Management; §7.3 Teams Governance (Team/Channel creation restrictions); CA Allow/Block | Draft |
| A.5.37 | BYOD-PROC-03 | Procedure | Access Control & Data Protection procedure | Draft |
| A.5.23 | P7 ADG | Policy | Application & Data Governance policy | Draft |
| A.5.14 | P2 M365 | Policy | §3.3 External Sharing; §5.4 L3 Collaboration Partner Channels | Draft |
| A.7.1 | N/A | External | No physical perimeter — not applicable | Draft |
| A.5.7 | Microsoft Defender Threat Intelligence | Technical | Platform-native threat intelligence feed | Draft |
| A.7.9 | MAM | Technical | Mobile Application Management | Draft |
| A.8.1 | Intune MDM/MAM | Technical | Mobile Device Management (MDM) + Mobile Application Management (MAM) enforcement for BYOD | Draft |
| A.8.9 | Conditional Access | Technical | CA policies for configuration enforcement | Draft |
| A.5.14 | P6 Communications & Media | Policy | Information transfer rules section | Draft |
| A.6.7 | P2 M365 | Policy | §5–6 Trust Model & Security Controls | Draft |
| A.5.6 | CISO/Security Director Industry Networks | External | Industry network engagement by CISO and Security Director for threat intelligence and contact with authorities | Draft |
| A.5.15 | P2 M365 | Policy | §5 Access Control Tiers (L1/L2/L3 Trust Model); §6 Security Controls by Tier; §6.3 CA Default Block/Allow | Draft |
| A.8.26 | SaaS Category Framework | Technical | SaaS Category A/B/C framework — classification criteria for application security controls | Draft |
| A.5.9 | CA100 Asset Register | Evidence | CA100 hardware appliance asset register | Draft |
| A.7.9 | CA100 Redkey USB | Technical | Hardware encrypted USB storage | Draft |
| A.6.5 | BYOD-PROC-01 | Procedure | Offboarding — Selective Wipe + account deactivation | Draft |
| A.5.26 | P1 BYOD | Policy | §6.5 Selective Wipe | Draft |
| A.8.26 | P7 ADG | Policy | §Application Security Requirements | Draft |
| A.7.11 | N/A | External | Relies on Cloud SLA — not applicable | Draft |
| A.5.23 | SaaS Category Framework | Technical | Enforced SAML + CA for cloud service controls | Draft |
| A.7.5 | N/A | External | Relies on M365/AWS SLA — not applicable | Draft |
| A.6.6 | P3 HR | Policy | NDA section | Draft |
| A.8.19 | MAM App Protection | Technical | App protection policies for software installation control | Draft |
| A.8.34 | Entra ID RBAC | Technical | Audit access controlled via least-privilege RBAC | Draft |
| A.5.1 | L1 ISP (SEC-POL-ISP-001) | Policy | ISMS overarching policy | Draft |
| A.7.9 | ADUE | Technical | Apple User Enrollment compliance | Draft |
| A.5.35 | Internal Audit Program (Planned) | Evidence | Not yet established; future independent review by CISO planned | Draft |
| A.5.23 | P1 BYOD | Policy | §7 Non-Managed App Security (MAM external app controls) | Draft |
| A.8.31 | P7 ADG | Policy | §Environment Separation — tenant/subscription separation in cloud | Draft |
| A.7.4 | N/A | External | No physical security monitoring — not applicable | Draft |
| A.5.7 | CISO Industry Intelligence | External | CISO industry intelligence network and sources | Draft |
| A.5.25 | P9 Incident Management | Policy | SEC-POL-INC-009 §4 Severity classification (4-level); §5.2 Triage & Assessment | Draft |
| A.7.7 | ADUE Compliance | Technical | Auto-lock enforcement via compliance policy | Draft |
| A.8.3 | P2 M365 | Policy | §5.3 Private Channel Isolation; §5.4 L3 Dedicated Channels; §6.3 CA Default Block | Draft |
| A.6.7 | MAM | Technical | Mobile Application Management for data protection | Draft |
| A.5.9 | Intune BYOD Enrollment List | Evidence | BYOD device registration inventory from Intune | Draft |
| A.8.1 | ADUE | Technical | Apple User Enrollment prerequisite / compliance controls | Draft |
| A.8.13 | AFI Backup | Technical | Third-party Microsoft 365 backup | Draft |
| A.8.16 | Defender Dashboard | Technical | Defender monitoring dashboard | Draft |
| A.5.20 | P2 M365 | Policy | §3.3 External Sharing policy linkage | Draft |
| A.5.21 | P4 Supplier & Third-Party Security | Policy | Supplier management across ICT supply chain | Draft |
| A.8.7 | ADUE Compliance | Technical | Device compliance enforcement | Draft |
| A.5.21 | P1 BYOD | Policy | §7 Non-Managed App Security (MAM external SaaS controls) | Draft |
| A.5.36 | L1 ISP | Policy | §5 Policy review cycle linkage | Draft |
| A.5.31 | L1 ISP | Policy | §2 Regulatory alignment | Draft |
| A.8.18 | Entra ID RBAC | Technical | Admin tool access via role-based access control | Draft |
| A.5.3 | P2 M365 | Policy | §7 Admin Roles — Global Admin minimization, role-based privilege separation | Draft |
| A.8.28 | GitHub Code Scanning | Technical | GitHub code scanning for secure coding enforcement | Draft |
| A.8.12 | P1 BYOD | Policy | §6.4 MAM Control Scope (Copy/Paste restriction); §3.1 Windows Edge-only | Draft |
| A.5.29 | 100% Cloud Architecture | Technical | Cloud-only structure minimizes physical disruption risk | Draft |
| A.5.16 | P2 M365 | Policy | §4 Licence Tiers (3-SKU: Premium/Basic+P1/Exchange); §7 Admin Roles; §4.2 Business Standard prohibition | Draft |
| A.8.6 | M365 License Management | Technical | M365 license management + Cloud SaaS auto-scaling; on-premises capacity N/A | Draft |
| A.5.32 | Context Brief | Policy | §1 Data Ownership Matrix | Draft |
| A.8.24 | ADUE Encryption Requirement | Technical | ADUE compliance requires device encryption (FileVault/BitLocker) | Draft |
| A.8.34 | Audit Procedure (TBD) | Procedure | Audit testing access control procedure — to be documented | Draft |
| A.5.4 | L1 ISP | Policy | §4.1 CEO: resource allocation; CISO: strategic oversight | Draft |
| A.6.3 | P3 HR | Policy | §4.3 Onboarding briefing + annual refresher training | Draft |
| A.8.9 | ADUE Compliance Policies | Technical | Compliance policy enforcement | Draft |
| A.5.10 | P2 M365 | Policy | §3 Data Classification | Draft |
| A.6.5 | P3 HR | Policy | §4.5 Post-termination/transfer security obligations | Draft |
| A.8.8 | BYOD-PROC-02 | Procedure | Patch Management procedure | Draft |
| A.5.33 | SharePoint Document Management | Technical | SharePoint document management system | Draft |
| A.5.25 | BYOD-PROC-04 | Procedure | Monitoring section | Draft |
| A.8.28 | P7 ADG | Policy | §Secure Coding Guidelines | Draft |
| A.5.34 | P3 HR | Policy | Privacy section | Draft |
| A.5.24 | P9 Incident Management | Policy | SEC-POL-INC-009 §3 Roles/Responsibilities; §4 Classification (4-level Severity); §5.1 Detection sources; §7 Incident Register | Draft |
| A.7.2 | N/A | External | No physical entry controls — not applicable | Draft |
| A.6.7 | ADUE | Technical | Apple User Enrollment for BYOD compliance | Draft |
| A.5.20 | P4 Supplier & Third-Party Security | Policy | §3 Supplier Security Requirements; §5 Contractual Clauses | Draft |
| A.5.19 | P1 BYOD | Policy | §7 Non-Managed App Security (SaaS supplementary controls) | Draft |
| A.7.10 | P1 BYOD | Policy | Storage media section | Draft |
| A.8.2 | P2 M365 | Policy | §7 Admin Roles (§7.2 Admin Account Separation) | Draft |
| A.5.23 | EXT-03a | External | External reference for cloud service security | Draft |
| A.5.19 | P4 Supplier & Third-Party Security | Policy | SEC-POL-STP-005 — Supplier security requirements | Draft |
| A.5.33 | P2 M365 | Policy | §8.2 Audit Evidence Repository | Draft |
| A.8.30 | P4 Supplier Policy | Policy | Supplier security requirements for outsourced development | Draft |
| A.8.3 | P1 BYOD | Policy | §6.4 MAM Control Scope | Draft |
| A.5.11 | BYOD-PROC-01 | Procedure | Device change / offboarding — Selective Wipe procedure | Draft |
| A.8.7 | Microsoft Defender for Endpoint | Technical | Endpoint protection platform | Draft |
| A.5.4 | P2 M365 | Policy | §7.1 CEO: Executive sponsor of ISMS | Draft |
| A.8.29 | P7 ADG | Policy | §Testing Procedures — proportionate application at current scale | Draft |
| A.5.30 | M365 SLA 99.9% | Technical | M365 built-in availability + data backup | Draft |
| A.8.19 | Updatest | Evidence | Software inventory evidence | Draft |
| A.8.15 | Microsoft Defender Alerts | Technical | Defender alert logging | Draft |
| A.8.4 | GitHub Access Control | Technical | GitHub access control + SAML SSO | Draft |
| A.8.17 | Cloud NTP Synchronization | Technical | Cloud services auto-NTP sync; no self-managed servers | Draft |
| A.8.5 | Conditional Access | Technical | Premium: Device Compliance; Basic+P1: SPO Block | Draft |
| A.5.11 | P1 BYOD | Policy | §6.5 Selective Wipe Notice | Draft |
| A.8.21 | M365/Cloud SLA | Technical | M365/Cloud SLA + CA-based network location policy (if needed) | Draft |
| A.5.37 | BYOD-PROC-01 | Procedure | Device Lifecycle procedure | Draft |
| A.8.13 | Microsoft 365 built-in backup/restore | Technical | Baseline Microsoft 365 backup/retention capabilities (as used in operations) | Draft |
| A.8.23 | Defender for Endpoint Web Protection | Technical | Web protection + limited BYOD applicability | Draft |
| A.8.16 | BYOD-PROC-04 | Procedure | Monitoring section | Draft |
| A.8.1 | Conditional Access (CA) | Technical | Access gating for BYOD conditions | Draft |
| A.5.8 | P7 ADG | Policy | Security review procedure section | Draft |
| A.8.24 | M365 TLS/BitLocker | Technical | M365 encryption at rest (BitLocker) and in transit (TLS 1.2+) | Draft |
| A.6.5 | P1 BYOD | Policy | §6.5 Selective Wipe Notice | Draft |
| A.8.32 | Intune Policy Change Logs | Technical | Intune policy change audit trail | Draft |
| A.8.19 | P1 BYOD | Policy | §7 Non-Managed App Security (MAM external app supplementary controls: account separation, 2FA, AI service controls) | Draft |
| A.5.1 | L2 Domain Policies (P1–P9) | Policy | P1–P7 complete; P8 Asset Management / P9 Incident Management in progress | Draft |
| A.8.14 | M365 SLA 99.9% | Technical | M365 SLA 99.9% + AWS availability zones; self-managed redundancy N/A | Draft |
| A.5.26 | BYOD-PROC-04 | Procedure | Incident response procedures | Draft |
| A.5.5 | P5 BCP | Policy | Incident reporting procedure section | Draft |
| A.5.5 | L1 ISP | Policy | §4 CISO: regulatory liaison role | Draft |
| A.6.6 | P4 Supplier & Third-Party Security | Policy | Third-party NDA requirements | Draft |
| A.7.14 | BYOD-PROC-01 | Procedure | Device change/disposal — Selective Wipe | Draft |
| A.5.2 | L1 ISP | Policy | §4 Governance Structure (CEO, CISO, Security Director) | Draft |
| A.5.21 | SaaS Category Framework | Technical | A/B/C category-based supplier control differentiation | Draft |
| A.8.5 | Entra ID MFA | Technical | Security Defaults — MFA enforced for all users | Draft |
| A.5.37 | Additional Operational Procedures (Planned) | Procedure | Audit, management review, and other operational procedures — to be developed | Draft |
| A.8.5 | ADUE Compliance | Technical | Apple User Enrollment compliance enforcement | Draft |
| A.6.7 | P1 BYOD | Policy | §3.1 Windows BYOD Edge-only restriction; §6 Privacy Boundary; §7 MAM external app controls — 100% WFA environment | Draft |
| A.5.25 | P2 M365 | Policy | §8 Monitoring | Draft |
| A.6.2 | P3 HR | Policy | §4.2 Employment agreements + NDA | Draft |
| A.7.14 | CA100 Redkey | Technical | Physical destruction guide for hardware encrypted USB | Draft |
| A.8.25 | P7 ADG | Policy | §SDLC — Secure Development Lifecycle requirements | Draft |
| A.5.22 | P1 BYOD | Policy | §7.2 SaaS Category-based security assessment | Draft |
| A.8.10 | M365 Retention Policies | Technical | Data retention and deletion policies | Draft |
| A.8.16 | P2 M365 | Policy | §8.1 Ongoing Monitoring (weekly/monthly/quarterly schedule) | Draft |
| A.5.13 | P2 M365 | Policy | §3.2 Classification Principles — channel-based classification (Platform = Policy); §3.2(3) Purview Sensitivity Labels non-use rationale documented | Draft |
| A.8.11 | Teams Channel Isolation | Technical | Data access restricted by Teams channel isolation; no separate masking tools used | Draft |
| A.5.3 | L1 ISP | Policy | §4 Segregation of duties (CEO↔CISO↔Security Director) | Draft |
| A.8.1 | P1 BYOD | Policy | §3 Zero Trust; §3.1 Windows Edge-only restriction; §3.2 Full MDM exception path; §6 Privacy Boundary; §7 MAM controls | Draft |
| A.5.11 | P3 HR | Policy | Offboarding procedure section | Draft |
| A.7.6 | N/A | External | No secure areas — not applicable | Draft |
| A.5.1 | BYOD-PROC-01~04 | Procedure | Device Lifecycle; Patch Management; Access Control & Data Protection; Monitoring & Incident Response | Draft |
| A.7.13 | P1 BYOD | Policy | Equipment management section | Draft |
| A.5.24 | BYOD-PROC-04 | Procedure | Incident response section | Draft |
| A.5.31 | P4 Supplier & Third-Party Security | Policy | Contract management section | Draft |
| A.5.19 | SaaS Category Framework | Technical | A/B/C/D category framework for SaaS risk classification | Draft |
| A.5.18 | BYOD-PROC-03 | Procedure | Access rights section | Draft |
| A.5.22 | SaaS Periodic Review | Evidence | Regular SaaS service review | Draft |
| A.6.8 | P3 HR | Policy | Security incident reporting obligation | Draft |