In this module

AD7.7 Audit Readiness and Security Assessments

5-6 hours · Module 7 · Free

Operational Objective

Whether it's a client security questionnaire, an insurance renewal assessment, a regulatory audit, or a certification assessment (Cyber Essentials in the UK, Essential Eight in Australia, NIST CSF in the US, or ISO 27001 globally), you'll eventually need to demonstrate that your security program exists and works. The controls you've deployed in Modules AD1-AD6 address the core requirements of every major security framework — but the assessor doesn't know what you've configured. They need evidence: screenshots, exports, policy documents, and configuration summaries mapped to whatever framework they're assessing against. This subsection builds the evidence collection process and the framework-agnostic assessment approach that works regardless of which framework your assessor uses.

Deliverable: An evidence collection process and assessment readiness package that maps your deployed controls to any security framework — enabling rapid response to client questionnaires, insurance assessments, and certification audits regardless of the framework used.

Estimated completion: 30 minutes

Figure AD7.7 — Your deployed controls address the core requirements of every major security framework. The controls are universal; the framework labels are regional. One evidence base serves all assessments — you translate the evidence into each framework's language as needed.

The five universal security domains

Every security framework — regardless of region or industry — evaluates the same five domains. Your program covers all five:

1. Access Control (Who can access what) Your controls: MFA for all users (CA001), admin MFA (CA002), device compliance enforcement (CA003), break-glass accounts, least-privilege admin roles. Framework equivalents: ISO 27001 A.9, NIST CSF PR.AC, Cyber Essentials "Access Control," Essential Eight "Restrict Admin Privileges" + "MFA."

2. Threat Protection (How you block attacks) Your controls: Safe Links, Safe Attachments, anti-phishing policies, SPF/DKIM/DMARC, Defender Antivirus, network protection. Framework equivalents: ISO 27001 A.12.2, NIST CSF PR.DS + DE.CM, Cyber Essentials "Malware Protection," Essential Eight "Application Control" + "Email Filtering."

3. Endpoint Security (How you protect devices) Your controls: Intune compliance policies, BitLocker encryption, Windows Firewall verification, OS patching via Windows Update, BYOD app protection. Framework equivalents: ISO 27001 A.6.2 + A.10.1, NIST CSF PR.DS + PR.IP, Cyber Essentials "Firewalls" + "Secure Configuration" + "Patching," Essential Eight "Patch Applications" + "Patch OS."

4. Data Protection (How you classify and protect data) Your controls: 4-tier sensitivity labels with encryption, DLP policies, SharePoint sharing restrictions, external access controls. Framework equivalents: ISO 27001 A.8.2 + A.13.2, NIST CSF PR.DS, GDPR Articles 5/32, PIPEDA Principle 7.

5. Detection and Response (How you find and fix incidents) Your controls: Monday security review, alert notifications, sign-in log monitoring, incident response procedures, evidence preservation, post-incident review. Framework equivalents: ISO 27001 A.12.4 + A.16, NIST CSF DE + RS. All frameworks require monitoring and incident response capability.

When an assessor asks about any security domain, you map their question to one of these five domains and reference your deployed controls. The framework label changes; the underlying control doesn't.

Building the evidence collection package

Create an evidence folder that supports any assessment:

SecurityEvidence/
├── 01-AccessControl/
│   ├── CA001-AllUsers-MFA-Policy.png
│   ├── CA002-AdminMFA-Policy.png
│   ├── CA003-CompliantDevice-Policy.png
│   ├── MFA-Registration-Report.csv
│   ├── Admin-Role-Assignments.csv
│   └── BreakGlass-Documentation.docx
├── 02-ThreatProtection/
│   ├── SafeLinks-Policy.png
│   ├── SafeAttachments-Policy.png
│   ├── AntiPhishing-Policy.png
│   ├── DMARC-DNS-Record.png
│   └── ThreatProtection-Stats.csv
├── 03-EndpointSecurity/
│   ├── Compliance-Policy-Windows.png
│   ├── Compliance-Rate-Report.csv
│   ├── BitLocker-Encryption-Report.csv
│   ├── WindowsUpdate-Ring-Config.png
│   └── BYOD-AppProtection-Policy.png
├── 04-DataProtection/
│   ├── SensitivityLabels-Config.png
│   ├── DLP-Policies.png
│   ├── SharePoint-SharingConfig.csv
│   └── LabelAdoption-Report.csv
├── 05-DetectionAndResponse/
│   ├── MondayReview-Checklist.pdf
│   ├── AlertNotification-Config.png
│   ├── WeeklySecurityLog.csv
│   ├── IncidentResponsePlan.pdf
│   └── ProcedureTesting-Log.txt
├── 06-Governance/
│   ├── AcceptableUsePolicy.pdf
│   ├── PasswordAuthPolicy.pdf
│   ├── DataClassificationPolicy.pdf
│   ├── QuarterlyReports/
│   └── ProgramSummary.pdf
└── EvidenceIndex.md

The EvidenceIndex.md maps each evidence file to framework controls:

EVIDENCE INDEX
File: CA001-AllUsers-MFA-Policy.png
  ISO 27001: A.9.4.2 | NIST CSF: PR.AC-7
  Cyber Essentials: Access Control | Essential Eight: MFA

File: BitLocker-Encryption-Report.csv
  ISO 27001: A.10.1.1 | NIST CSF: PR.DS-1
  Cyber Essentials: Secure Config | GDPR: Article 32(1)(a)

Automated evidence collection

# Collect-SecurityEvidence.ps1
$evidenceDir = "C:\SecurityEvidence-$(Get-Date -Format 'yyyyMMdd')"
New-Item -Path $evidenceDir -ItemType Directory -Force | Out-Null

Connect-MgGraph -Scopes "Policy.Read.All","DeviceManagementManagedDevices.Read.All" -NoWelcome

# Access Control evidence
$acDir = "$evidenceDir\01-AccessControl"
New-Item -Path $acDir -ItemType Directory -Force | Out-Null
Get-MgIdentityConditionalAccessPolicy -All |
    Select-Object DisplayName, State, CreatedDateTime,
        @{N="GrantControls";E={$_.GrantControls.BuiltInControls -join ", "}} |
    Export-Csv "$acDir\ConditionalAccessPolicies.csv" -NoTypeInformation

# Endpoint Security evidence
$esDir = "$evidenceDir\03-EndpointSecurity"
New-Item -Path $esDir -ItemType Directory -Force | Out-Null
Get-MgDeviceManagementManagedDevice -All |
    Select-Object DeviceName, ComplianceState, OperatingSystem,
        OsVersion, IsEncrypted, UserPrincipalName |
    Export-Csv "$esDir\DeviceCompliance.csv" -NoTypeInformation

# Secure Score
$score = Get-MgSecuritySecureScore -Top 1
$pct = [math]::Round($score.CurrentScore / $score.MaxScore * 100, 1)
Write-Host "Secure Score: $pct%" -ForegroundColor Green
Write-Host "Evidence collected to: $evidenceDir" -ForegroundColor Green

Run quarterly alongside report data collection. CSV exports plus portal screenshots form the complete evidence package.

Regional framework quick reference

Your controls are universal. Here's how they map to frameworks your learners may encounter:

UK — Cyber Essentials: 5 controls (firewalls, secure config, access control, malware, patching). Your program covers all 5. Cost: £300-500 Basic, £1,500-3,500 Plus.

Australia — Essential Eight: 8 mitigation strategies. Your program fully addresses MFA, patch applications, patch OS, restrict admin privileges. Partially addresses application control, restrict Office macros, user application hardening. Does not address daily backups (outside M365 scope).

US — NIST CSF: 5 functions (Identify, Protect, Detect, Respond, Recover). Your program covers Identify (Intune asset management), Protect (access control, email, data), Detect (monitoring), Respond (IR procedures). Recover is partially covered.

EU — NIS2: Requires risk management, incident handling, business continuity, supply chain security, training. Your program addresses risk management, incident handling, and awareness. Business continuity and supply chain are outside course scope.

Global — ISO 27001: 93 controls across 4 themes. Your program covers approximately 60-70%. See AD7.8 for detailed gap analysis.

The key insight: every framework asks the same fundamental questions. "Do you use MFA?" "Do you protect against malware?" "Do you monitor for threats?" Your answers are the same. Only the reference numbers change.

Compliance Myth: "We need to implement different controls for different frameworks"

Every major security framework shares 80% of its requirements. MFA is required by ISO 27001, NIST CSF, Cyber Essentials, Essential Eight, and virtually every client questionnaire. You don't need different MFA implementations for different frameworks — you need one MFA implementation with different reference numbers. Build the controls once (AD1-AD6), document them once (AD7), and reference them differently for each framework.

Decision point

A client sends a security questionnaire based on ISO 27001 Annex A. Your organization isn't ISO 27001 certified. How do you respond?

Option A: "We're not ISO 27001 certified, so we can't answer this questionnaire."

Option B: "We're not ISO 27001 certified, but our security program addresses the relevant Annex A controls. Here's our response mapping each question to our deployed controls and evidence." Use the evidence collection and control mapping to answer each question with specific references to your policies, configurations, and reports. Many clients accept demonstrated controls as evidence of security maturity even without formal certification.

The correct answer is Option B. Certification is one form of assurance. Demonstrated controls with documented evidence are another. The program summary, quarterly reports, and evidence folder provide comprehensive demonstration of security maturity regardless of certification status.

Try it: Build your evidence collection package

1. Create the evidence folder structure from this subsection 2. Run Collect-SecurityEvidence.ps1 to populate CSV exports 3. Take screenshots of each major policy (CA policies, compliance, DLP, Safe Links/Attachments) 4. Create EvidenceIndex.md mapping each file to at least 2 framework references 5. Identify which regional framework is most relevant to your organization

Initial collection: 45-60 minutes. Subsequent quarterly collections: 15-20 minutes.

An insurance company asks for evidence of your "endpoint protection program" during policy renewal. They don't specify a framework. What do you provide?

A verbal description of your Intune compliance policies — Verbal descriptions aren't evidence.

The full program summary — Too much detail for a targeted request.

The Endpoint Security evidence folder: device compliance report (97%+), BitLocker encryption report (100%), Windows Update ring config, compliance policy screenshot — targeted evidence demonstrating endpoint protection — Correct. The evidence folder structure makes this a 5-minute retrieval: open folder 03, attach the files.

A framework certification — Only relevant if you have one AND the insurer accepts it.

Operational Artifact — Evidence Collection Package

Framework-agnostic evidence folder with 6 domains. PowerShell evidence collection script. Evidence index mapping files to ISO 27001, NIST CSF, and regional frameworks. Regional quick reference for Cyber Essentials (UK), Essential Eight (AU), NIST CSF (US), NIS2 (EU), and ISO 27001 (global). One evidence base serves all assessments. Initial collection: 45-60 minutes. Quarterly updates: 15-20 minutes.

Preparing for insurance security assessments

Cyber insurance renewals increasingly require evidence of security controls. Insurers ask about MFA, endpoint protection, email filtering, backup, and incident response. Your evidence folder addresses every common insurance question:

"Do you enforce multi-factor authentication?" → Evidence folder 01-AccessControl: CA001 policy screenshot + MFA registration report showing coverage percentage. One sentence answer: "MFA is required for all users via conditional access policy, verified by [X]% registration rate."

"Do you have endpoint detection and response?" → On E3, you have Defender Antivirus (not full EDR). Be honest: "We deploy Microsoft Defender Antivirus on all managed devices with real-time protection, verified by compliance policy. Full EDR (Defender for Endpoint P2) is evaluated in our E5 upgrade roadmap." Insurers appreciate honesty about scope — it builds trust for the controls you DO have.

"Do you test your incident response plan?" → Evidence folder 05-DetectionAndResponse: procedure testing log showing quarterly test dates. One sentence: "Incident response procedures are tested quarterly on test accounts. Last test: [date]."

"How quickly can you detect a breach?" → Your weekly monitoring cadence gives a maximum 7-day detection window (Monday to Monday). Alert notifications for high-severity events reduce this to hours. Answer: "Security monitoring operates on a weekly structured review with real-time notifications for high-severity events. Maximum detection delay: 7 days for low-severity events, under 4 hours for high-severity events."

Insurance assessments typically require less evidence than certification audits. Your evidence folder provides more than enough — select the relevant files per question rather than sending the entire folder.

Assessment preparation timeline

When you receive an assessment request (client questionnaire, insurance renewal, certification application), follow this timeline:

Day 1 (30 minutes): Read the assessment requirements. Identify which of the 5 universal domains each question maps to. Note any questions that don't map to your evidence (gaps to address in the response).

Day 2 (60-90 minutes): Run Collect-SecurityEvidence.ps1 to refresh your evidence exports. Take updated screenshots of any portal configurations that have changed since the last collection. Update the evidence index if new files were added.

Day 3-5 (2-4 hours): Complete the assessment questionnaire. For each question, reference the evidence index to find the supporting file, write a concise answer (2-3 sentences), and attach the evidence file. For gaps: document honestly what you don't have and what compensating controls exist.

Day 5-7: Review your responses for accuracy and completeness. Submit.

This timeline works for any assessment type. A 75-question client questionnaire takes 3-4 hours. A Cyber Essentials self-assessment takes 2-3 hours. An insurance renewal assessment takes 1-2 hours. The evidence folder eliminates the research time — you're looking up answers, not investigating configurations.

Handling gaps honestly in assessments

Not every question maps to a control you've deployed. When you encounter a gap, be honest and specific:

Bad answer: "Yes, we have that" (when you don't). Bad answer: "No" (without context). Good answer: "We don't currently have [specific capability]. Our compensating controls are [description]. This gap is documented in our program summary (Section 9) and is on our improvement roadmap for [timeline]."

Assessors — whether client questionnaire reviewers, insurance underwriters, or certification auditors — respect honest gap disclosure with compensating controls more than vague affirmative answers. If you claim "yes" to a control you don't have and the assessor tests it (in a Cyber Essentials Plus or ISO 27001 Stage 2 audit), the failed test damages your credibility across every answer.

Common gaps for E3 environments and their honest answers: "Do you have EDR?" → "We deploy Microsoft Defender Antivirus with real-time protection on all managed devices. Full EDR (Defender for Endpoint) is on our E5 upgrade roadmap. Compensating control: Intune compliance policies verify AV health on every device, and weekly monitoring checks for security alerts." This is honest, demonstrates awareness of the gap, and shows a plan to address it.

Keeping evidence fresh

Evidence older than 90 days loses credibility in assessments. An assessor who sees a compliance report from 6 months ago wonders whether the compliance rate has changed since then. Run the evidence collection script quarterly (alongside your quarterly report production) and replace stale exports with current ones.

Set a calendar reminder: "Refresh security evidence" on the same day as "Produce quarterly report." The same PowerShell script run produces both report data and evidence exports — two deliverables from one script execution. After 4 quarters, you have a year of evidence showing consistent security posture, not a single point-in-time snapshot.

Evidence index best practices

The evidence index is the map that connects your files to framework controls. Keep it practical:

Format: Use a simple markdown table rather than a complex spreadsheet. The index should be readable by anyone — assessors, auditors, and colleagues. Each entry maps one file to its framework references in one line.

Granularity: One entry per evidence file. Don't create separate entries for different sub-questions within a framework control — one file often addresses multiple related questions. The assessor can determine which specific sub-question the evidence answers.

Updates: When you add a new evidence file (new policy approved, new control deployed), add an entry to the index. When you remove a file (policy superseded, control decommissioned), remove the entry. The index stays in sync with the evidence folder because updates are small and incremental — not a quarterly rebuild.

Testing: Before submitting evidence for any assessment, open the evidence index and click through 5 random entries. Verify each referenced file exists, opens correctly, and shows current data. A broken link or stale export in the evidence folder undermines the entire package.

You're reading the free modules of M365 Security: From Admin to Defender

The full course continues with advanced topics, production detection rules, worked investigation scenarios, and deployable artifacts.

View Pricing See Full Syllabus

← Previous Next →