AD7.8 Mapping Controls to Frameworks
Figure AD7.8 — Your deployed controls map to multiple frameworks simultaneously. One set of controls, one evidence base, multiple framework responses. The mapping table translates your controls into each framework's language.
The universal control mapping table
This table maps your deployed controls to the most common frameworks UK organizations encounter:
| Your Control | Module | ISO 27001 | NIST CSF | GDPR | Regional* |
|---|---|---|---|---|---|
| MFA for all users | AD1 | A.9.4.2 | PR.AC-7 | Art 32(1)(b) | CE: Access Control · E8: MFA |
| Conditional access | AD1 | A.9.4.1 | PR.AC-4 | Art 32(1)(b) | CE: Access Control |
| Break-glass accounts | AD1 | A.9.2.3 | PR.AC-1 | — | — |
| Safe Links / Attachments | AD2 | A.12.2.1 | DE.CM-4 | Art 32(1)(b) | CE: Malware · E8: Email Filter |
| Anti-phishing | AD2 | A.7.2.2 | PR.AT-1 | Art 32(1)(b) | — |
| SPF/DKIM/DMARC | AD2 | A.13.2.3 | PR.DS-2 | — | — |
| Device compliance | AD3 | A.6.2.1 | PR.AC-3 | Art 32(1)(b) | CE: Secure Config |
| BitLocker encryption | AD3 | A.10.1.1 | PR.DS-1 | Art 32(1)(a) | CE: Secure Config |
| Sensitivity labels | AD4 | A.8.2.1 | PR.DS-5 | Art 5(1)(f) | — |
| DLP policies | AD4 | A.18.1.4 | PR.DS-5 | Art 32(1)(b) | — |
| Sharing controls | AD4 | A.13.2.1 | PR.AC-4 | Art 5(1)(f) | — |
| Weekly monitoring | AD5 | A.12.4.1 | DE.CM-1 | Art 32(1)(d) | — |
| IR procedures | AD6 | A.16.1.5 | RS.RP-1 | Art 33 | — |
| Security policies | AD7 | A.5.1.1 | ID.GV-1 | Art 24 | — |
| Quarterly reporting | AD7 | A.18.2.1 | ID.GV-4 | Art 32(1)(d) | — |
*CE = Cyber Essentials (UK), E8 = Essential Eight (AU). Add your regional framework references as applicable. Note that the ISO 27001 column uses the 2013 Annex A numbering and the NIST CSF column uses CSF 1.1 identifiers; ISO/IEC 27001:2022 and NIST CSF 2.0 renumber and regroup many of these controls, so confirm which edition the questionnaire or auditor expects before copying references into an answer.
When you receive a security questionnaire or audit request, use this table to find the framework reference, then point to the evidence from your program summary (AD7.6) and quarterly reports (AD7.5). You don't need to create new evidence — you need to translate existing evidence into the framework's language.
Answering client security questionnaires
The most common audit scenario for SMBs isn't a formal ISO 27001 audit — it's a client sending a security questionnaire with 50-100 questions. These questionnaires ask the same things in different ways. Common questions and your answers:
"Do you use multi-factor authentication?" — "Yes, MFA is required for all users via Microsoft Entra ID conditional access policies (CA001). Approved methods: Microsoft Authenticator app and FIDO2 security keys. Reference: Password and Authentication Policy, Section 3."
"How do you classify and protect sensitive data?" — "We use a four-tier sensitivity label taxonomy (Public, Internal, Confidential, Highly Confidential) implemented through Microsoft Purview sensitivity labels. Confidential and Highly Confidential documents are encrypted and restricted from external sharing. DLP policies detect and block unauthorized sharing of personal and financial data. Reference: Data Classification Policy."
"Do you have an incident response plan?" — "Yes. Our Incident Response Plan defines incident types, severity levels, roles, escalation procedures, and communication obligations. Response procedures are tested quarterly. Reference: Incident Response Plan (AD7.4)."
Each answer references a specific policy or control from your program. A well-documented program turns a 4-hour questionnaire ordeal into a 1-hour exercise of looking up references and pasting answers.
Building a questionnaire response library
After completing 2-3 client questionnaires, you'll notice the same questions repeated. Build a response library: a document containing pre-written answers for the 20 most common questions, each referencing your program documentation.
SECURITY QUESTIONNAIRE RESPONSE LIBRARY
[Organization Name] | Last updated: [Date]
Q: "Do you enforce multi-factor authentication?"
A: "Yes. MFA is required for all users accessing our M365 environment,
enforced through Microsoft Entra ID conditional access policy CA001.
Approved methods: Microsoft Authenticator app and FIDO2 security keys.
Reference: Password and Authentication Policy, Section 3."
Q: "Do you encrypt data at rest?"
A: "Yes. All corporate laptops use BitLocker full-disk encryption,
enforced through Intune compliance policy. Encryption status is
verified before device access to corporate data is granted.
Reference: Security Program Summary, Section 4."
Q: "Do you have an incident response plan?"
A: "Yes. Our Incident Response Plan defines incident types, severity
levels (Critical/High/Medium/Low), roles and responsibilities,
escalation procedures, and communication obligations. Response
procedures are tested quarterly on test accounts. Reference:
Incident Response Plan, Version 1.0."
Q: "How do you protect against phishing?"
A: "Multi-layered email protection through Microsoft Defender for
Office 365: Safe Links (click-time URL scanning), Safe Attachments
(sandboxed attachment analysis), anti-phishing policies (impersonation
protection for VIP users), and SPF/DKIM/DMARC email authentication.
User-reported phishing is triaged weekly. Reference: Security
Program Summary, Section 3."
Q: "Do you conduct security awareness training?"
A: "All employees sign the Acceptable Use Policy which includes
security expectations. Phishing emails reported by users are used
as real-world training opportunities. [If phishing simulation is
deployed]: Regular phishing simulations test user awareness.
Reference: Acceptable Use Policy."
Save this as C:\SecurityScripts\QuestionnaireResponses.md. Update it each time you encounter a new question. After 6 months, the library covers 90% of questions you receive — turning a 4-hour questionnaire into a 30-minute copy-paste exercise.
Maintaining the response library over time
After completing each questionnaire, review your answers for reusability. Any answer you wrote from scratch (not from the library) should be added to the library for next time. Tag each response with the framework it was written for — some answers need slight rewording depending on whether the questionnaire uses ISO 27001, NIST CSF, or generic language.
Version the response library alongside your program summary. When you update a control (new CA policy, changed DLP threshold), update the corresponding questionnaire responses. A response that says "we have 3 CA policies" when you now have 4 is a credibility risk if the assessor cross-references your program summary.
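The cross-check described in that paragraph can be scripted rather than done by eye. The following PowerShell script is an added example written for this edition and is not one of the course's deployable artifacts. It assumes your conditional access policies carry the CAnnn naming prefix used throughout the course (for example CA001) and that the response library sits at C:\SecurityScripts\QuestionnaireResponses.md as described above. In live mode it reads the deployed policies through Microsoft Graph (Get-MgIdentityConditionalAccessPolicy, scope Policy.Read.All) and reports every ID the library cites that is missing or not enforced, plus every enforced policy the library never mentions; the -UseSampleData switch runs the same logic against constructed data so you can see the output before connecting to a tenant.

```powershell
# Added example for this module (not part of the course materials): detect drift between
# the questionnaire response library and the conditional access policies actually deployed.
# Assumptions not stated in the course: CA policies are named with a "CAnnn" prefix
# (e.g. "CA001 - Require MFA for all users") and the library refers to them by that ID.
# Live mode requires the Microsoft.Graph.Identity.SignIns module and Policy.Read.All.
[CmdletBinding()]
param(
    [string]$LibraryPath = 'C:\SecurityScripts\QuestionnaireResponses.md',
    [switch]$UseSampleData   # run offline against the constructed data below
)

if ($UseSampleData) {
    # Constructed sample: the library claims CA001-CA003; the tenant has CA001 enforced,
    # CA002 in report-only, CA004 enforced but undocumented, and no CA003 at all.
    $libraryText = @"
A: MFA is enforced for all users through conditional access policy CA001.
A: Privileged roles require a compliant device (CA002) and phishing-resistant MFA (CA003).
"@
    $policies = @(
        [pscustomobject]@{ DisplayName = 'CA001 - Require MFA for all users';       State = 'enabled' }
        [pscustomobject]@{ DisplayName = 'CA002 - Admins require compliant device'; State = 'enabledForReportingButNotEnforced' }
        [pscustomobject]@{ DisplayName = 'CA004 - Block legacy authentication';     State = 'enabled' }
        [pscustomobject]@{ DisplayName = 'Pilot - Guest sign-in frequency';         State = 'disabled' }
    )
} else {
    $libraryText = Get-Content -Path $LibraryPath -Raw
    if (-not (Get-MgContext)) { Connect-MgGraph -Scopes 'Policy.Read.All' -NoWelcome }
    $policies = Get-MgIdentityConditionalAccessPolicy -All | Select-Object DisplayName, State
}

# 1. Every policy ID the library claims (deduplicated).
$referenced = @([regex]::Matches($libraryText, '\bCA\d{3}\b') | ForEach-Object { $_.Value } | Sort-Object -Unique)

# 2. Deployed policies keyed by ID; names without the prefix cannot be cross-referenced.
$deployed   = @{}
$unprefixed = @()
foreach ($p in $policies) {
    if ($p.DisplayName -match '^(CA\d{3})\b') { $deployed[$Matches[1]] = $p.State }
    else { $unprefixed += $p.DisplayName }
}

# 3. Compare in both directions. Graph reports State as enabled, disabled or
#    enabledForReportingButNotEnforced; only "enabled" backs a claim of enforcement.
$findings = [System.Collections.Generic.List[object]]::new()
foreach ($id in $referenced) {
    if (-not $deployed.ContainsKey($id)) {
        $findings.Add([pscustomobject]@{ Policy = $id; State = '-';            Issue = 'Referenced in library but not deployed' })
    } elseif ($deployed[$id] -ne 'enabled') {
        $findings.Add([pscustomobject]@{ Policy = $id; State = $deployed[$id]; Issue = 'Referenced as enforced but not enabled' })
    }
}
foreach ($id in ($deployed.Keys | Sort-Object)) {
    if ($deployed[$id] -eq 'enabled' -and $id -notin $referenced) {
        $findings.Add([pscustomobject]@{ Policy = $id; State = 'enabled'; Issue = 'Enforced but never mentioned in library' })
    }
}
foreach ($name in $unprefixed) {
    $findings.Add([pscustomobject]@{ Policy = $name; State = '-'; Issue = 'No CAnnn prefix; cannot be cross-referenced' })
}

# 4. Report. The enabled count is the number a "we have N CA policies" answer must match.
$enabledCount = @($deployed.Values | Where-Object { $_ -eq 'enabled' }).Count
"Library references $($referenced.Count) policy IDs; tenant has $enabledCount enabled CA policies."
if ($findings.Count -gt 0) { $findings | Format-Table -AutoSize }
else { 'No drift between the response library and deployed conditional access policies.' }
```

Run it with -UseSampleData first; against the constructed data it reports three referenced IDs against two enforced policies and flags CA002 (report-only), CA003 (missing), CA004 (undocumented) and the unprefixed pilot policy. Against a real tenant, schedule it alongside the quarterly report (AD7.5) so the response library is corrected before the next questionnaire arrives rather than after an assessor spots the mismatch.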
Track response metrics: how many questionnaires per year, average completion time, and whether any questionnaire revealed a gap you hadn't documented. After 4 questionnaires, you have enough data to report: "Client security assessments: 4 completed in Q1-Q2, average completion time 75 minutes (down from 4 hours before the response library was established). Zero gaps identified that weren't already documented in the program summary."
ISO 27001 gap analysis — practical approach
If your organization considers ISO 27001 certification, your deployed controls cover approximately 60-70% of Annex A controls. The main gaps for an E3 M365 environment (2013 Annex A numbering, as in the mapping table):
A.12.4 — Logging and monitoring. Your AD5 monitoring covers M365 activity but may not cover on-premises systems, network devices, or non-Microsoft applications. ISO 27001 expects comprehensive logging across all systems.
A.12.6 — Technical vulnerability management. Your Intune compliance covers Windows patching, but ISO 27001 expects a formal vulnerability management process covering all systems — including third-party software, servers, network devices, and web applications.
A.14 — System acquisition, development, and maintenance. If your organization develops software, ISO 27001 expects secure development practices, code review, and testing. This is outside the scope of an M365 security program.
A.17 — Business continuity. ISO 27001 expects a business continuity plan covering IT service recovery, backup verification, and disaster recovery testing. Your incident response plan (AD7.4) covers security incidents but not broader business continuity.
For each gap, decide: implement the control (if feasible within your resources), document the gap as a risk acceptance (if the control is disproportionate for your organization size), or defer to a future phase (if ISO 27001 certification is a multi-year goal).
The Ridgeline documentation products at ridgelinecyber.com provide comprehensive ISO 27001 documentation sets — policies, procedures, and evidence templates that extend the four essential policies from this course into a complete ISO 27001-ready governance framework.
Choosing which frameworks to pursue
Not every framework is relevant to your organization. The decision depends on your location, your industry, and your clients' requirements:
ISO 27001 (global): Pursue if clients require it contractually, if you're in a regulated industry, or if you want a comprehensive security management system. Cost: £5,000-15,000+ for certification. Your program covers 60-70% of applicable controls.
Regional baseline certifications: These vary by country but serve the same purpose — demonstrating baseline security. UK: Cyber Essentials (£300-500). AU: Essential Eight maturity assessment (self-assessed or externally validated). US: NIST CSF self-assessment (free) or CMMC certification (for DoD contractors). Your deployed controls address the core requirements of all these frameworks.
GDPR / Privacy compliance: Not a certification but an ongoing obligation for any organization handling personal data of EU/UK residents. Your program addresses key requirements (Article 32 security measures, Article 33 breach notification via the IRP, Article 5 data protection principles via labels and DLP). Equivalent privacy frameworks exist globally: PIPEDA (Canada), Privacy Act (Australia), CCPA (US/California), POPIA (South Africa).
SOC 2: Pursue if you're a SaaS company or service provider whose clients require SOC 2 attestation. Cost: £15,000-40,000+. For most organizations outside the SaaS/service provider space, SOC 2 is unnecessary.
Client questionnaires: The most common assessment for SMBs. Use the questionnaire response library to handle these efficiently. No certification required — demonstrated controls with evidence are usually sufficient.
For most organizations, the practical priority is: regional baseline certification first (low cost, quick to achieve), privacy compliance documentation second (ongoing obligation), and ISO 27001 only if contractually required or strategically advantageous.
A potential client sends a 75-question security questionnaire. Your manager asks you to complete it. You estimate it will take 4 hours. The client expects it back in 5 business days. How do you approach it?
Option A: Answer each question from scratch, researching your configurations for each answer.
Option B: Open the control mapping table and your program summary side-by-side. For each question, identify which control it maps to, find the corresponding section in your program summary, and write a concise answer referencing the policy or control. Most answers can be adapted from the questionnaire response templates above. Target: 60-90 minutes instead of 4 hours — because you're looking up documented answers, not researching configurations.
The correct answer is Option B. The governance documentation you've built (program summary, policies, quarterly reports) is the source material for every questionnaire answer. Without documentation, each questionnaire is a 4-hour research project. With documentation, it's a 60-90 minute lookup exercise. This is one of the tangible ROI benefits of governance documentation — it pays for itself the first time you receive a client questionnaire.
Try it: Complete a practice security questionnaire
Answer these 5 common questionnaire questions using your program documentation:
1. "Do you enforce multi-factor authentication for all users?" (Reference: AD1, CA001)
2. "How do you protect against phishing?" (Reference: AD2, Safe Links/Attachments)
3. "Are devices encrypted?" (Reference: AD3, BitLocker compliance policy)
4. "Do you have a data classification scheme?" (Reference: AD4, sensitivity labels)
5. "Do you have an incident response plan?" (Reference: AD7.4, IRP)
For each answer, write 2-3 sentences referencing the specific control and policy document. Time the exercise — your target is under 15 minutes for all 5. This is the speed you'll achieve with the full 75-question questionnaire once the documentation is in place.
You're reading the free modules of M365 Security: From Admin to Defender
The full course continues with advanced topics, production detection rules, worked investigation scenarios, and deployable artifacts.