How to Prepare for ISO 27001:2022 Using Microsoft 365
ISO/IEC 27001:2022 has 93 Annex A controls across 4 themes — Organizational, People, Physical, and Technological. If your workplace runs on Microsoft 365, you already own a significant portion of what the standard asks for. You just need to know which features to turn on, which licences to buy, what evidence to export, and — critically — which 33 controls M365 cannot help you with at all.
This is the practical guide I use when Indian enterprise CISOs ask me to take them from "we have M365 E3" to "we have an ISO 27001-ready control environment". It covers the full 93-control mapping (green = strong M365, amber = partial, red = gap), the E3 vs E5 licensing math, a 20-week implementation sequence, what evidence auditors actually accept, and honest disclosure of the gaps you'll need to close with non-M365 tools.
The authoritative ISO control-to-M365 mapping lives inside Microsoft Purview Compliance Manager's built-in ISO/IEC 27001:2022 template. The mapping in this post is a practitioner synthesis from Microsoft Learn documentation and is meant to help you plan your assessment before you open Compliance Manager — not to replace it.
1. ISO 27001:2022 at a Glance
The 2022 revision consolidated the old 114 controls into 93, reorganised them from 14 domains into 4 themes, and introduced 11 brand-new controls covering cloud services, threat intelligence, data masking, DLP, monitoring, web filtering, and secure coding. The 2013 → 2022 transition deadline was 31 October 2025. Every new certification from 2024 onward is automatically on 2022.
| Theme | Controls | Scope |
|---|---|---|
| A.5 — Organizational | 37 | Policies, roles, access control, supplier relationships, cloud services, incident management, compliance, records. |
| A.6 — People | 8 | Screening, NDAs, training, remote work, termination, event reporting. |
| A.7 — Physical | 14 | Perimeters, entry, monitoring, clear desk, storage media, disposal. Mostly outside M365 scope. |
| A.8 — Technological | 34 | Endpoints, authentication, malware, vulnerability, DLP, logging, monitoring, cryptography, SDLC. |
The 11 New Controls in 2022
Microsoft 365 natively addresses 8 of these 11. A.5.30 (ICT BCP), A.7.4 (physical monitoring), and A.8.28 (secure coding) remain gaps you'll need to close outside M365.
2. The M365 Security Product Family
Before we map controls, here's the product family you're working with. M365 security isn't one product — it's seven overlapping suites that together form your ISMS toolkit.
| Area | Product | What it gives you |
|---|---|---|
| Identity | Microsoft Entra ID | Directory, SSO, MFA, Conditional Access (P1), Identity Protection, PIM, access reviews (P2). The gatekeeper for every control that touches authentication and access. |
| Threat Protection | Microsoft Defender XDR | Unified portal across Defender for Endpoint (EDR + MDVM), Defender for Office 365 (email + collab), Defender for Cloud Apps (CASB), Defender for Identity (on-prem AD). |
| Data Protection | Microsoft Purview | Information Protection (sensitivity labels), DLP, Audit, Records Management, Insider Risk Management, eDiscovery, Compliance Manager. The heart of your ISO evidence pipeline. |
| Device Management | Microsoft Intune | MDM for corporate devices, MAM App Protection Policies for BYOD, configuration profiles, compliance policies, security baselines, Autopilot provisioning. |
| Posture | Microsoft Secure Score | Quantified security posture across Identity, Devices, Apps, Data. Auditable snapshot your board understands. Pair with Secure Score for Devices in MDVM. |
| Governance | Compliance Manager | 360+ regulatory templates including ISO/IEC 27001:2022. Tracks improvement actions, compliance score, shared-responsibility split between Microsoft and you, evidence repository. |
| SIEM / SOAR (separate billing) | Microsoft Sentinel | Cloud SIEM billed via Azure consumption. Pull in Defender XDR, Entra, Intune, firewall, network, and on-prem logs for cross-source correlation. Default 30-day retention — extend to 180+ days to satisfy CERT-In's log retention rule for Indian enterprises. |
3. E3 vs E5 — The Licensing Decision That Decides Your ISO Coverage
Most Indian enterprises I walk into are on E3. E3 gives you a respectable baseline but caps you at roughly 60% of the controls you need. E5 closes most of the gap. The add-on SKUs (E5 Security, E5 Compliance) let you uplift piecemeal if a full E5 upgrade doesn't fit the budget.
| Capability | E3 | E5 | ISO 27001 Controls Impacted |
|---|---|---|---|
| Entra ID Conditional Access, MFA, SSPR | ✓ | ✓ | A.5.15, A.5.17, A.8.3, A.8.5 |
| Entra ID P2 — Identity Protection, PIM, access reviews | — | ✓ | A.5.3, A.5.18, A.8.2 |
| Defender for Office 365 P1 (Safe Links, Safe Attachments) | ✓ | ✓ | A.8.7 |
| Defender for O365 P2 — Threat Explorer, AIR, Attack Simulation Training | — | ✓ | A.5.24–27, A.6.3 |
| Defender for Endpoint P1 (AV, ASR, web/device control) | ✓ | ✓ | A.8.7, A.8.23 |
| Defender for Endpoint P2 — EDR, MDVM, advanced hunting | — | ✓ | A.8.8, A.8.16 |
| Defender for Cloud Apps (CASB) & Defender for Identity | — | ✓ | A.5.23, A.5.7 |
| Purview Information Protection (manual labels + DLP) | ✓ | ✓ | A.5.12, A.5.13, A.8.11, A.8.12 |
| Auto-labelling, trainable classifiers, DLP for Teams chat | — | ✓ | A.5.12, A.8.12 |
| Purview Audit Standard (180-day) | ✓ | ✓ | A.5.28, A.8.15 |
| Purview Audit Premium (1-year, MailItemsAccessed, high-value events) | — | ✓ | A.5.28, A.8.15 |
| Insider Risk Management, Communication Compliance | — | ✓ | A.5.10, A.8.12, A.8.16 |
| Records Management (file plan, disposition) | — | ✓ | A.5.33, A.8.10 |
| Intune MDM + MAM + Security Baselines | ✓ | ✓ | A.8.1, A.8.9, A.7.9 |
| Compliance Manager with ISO 27001:2022 template | ✓ | ✓ | A.5.1, A.5.36 |
💡 E3 vs E5 cost math (directional)
E3 MSRP is around USD 36/user/month, E5 around USD 57. The delta of ~USD 21 (~₹1,800–1,900/user/month) for E5 buys you Entra P2, Defender P2 across Endpoint + Office, Defender for Cloud Apps, Defender for Identity, Audit Premium, Insider Risk, Records Management, and DLP for Teams. For a 500-user Indian enterprise, the E5 uplift runs roughly ₹1.0–1.1 Cr per year. Validate exact SKU pricing with your CSP — INR pricing moves with currency and promotional terms.
4. Annex A — Control-by-Control Mapping to M365
Here's the full 93-control mapping, colour-coded. Green rows are controls M365 covers strongly. Amber rows are partial coverage — M365 gets you evidence and some enforcement but you'll need supplementary process or tooling. Red rows are true gaps M365 does not address.
A.5 — Organizational Controls (37)
| # | Control | M365 coverage |
|---|---|---|
| A.5.1 | Policies for information security | Compliance Manager templates, SharePoint policy library |
| A.5.2 | Roles & responsibilities | Entra role assignments, PIM eligible roles |
| A.5.3 | Segregation of duties | Entra PIM JIT, approval workflows (E5) |
| A.5.4 | Management responsibilities | Secure Score + Compliance Manager ownership (partial) |
| A.5.5 | Contact with authorities | Process control — not M365 |
| A.5.6 | Contact with special interest groups | Process control — not M365 |
| A.5.7 ⓝ | Threat intelligence | Defender XDR Threat Analytics, MDVM threat insights |
| A.5.8 | InfoSec in project management | Governance — not M365 |
| A.5.9 | Inventory of assets | Intune + Defender for Endpoint device inventory, Purview Data Map |
| A.5.10 | Acceptable use | Intune APP, Conditional Access, DLP policy tips |
| A.5.11 | Return of assets | Intune retire/wipe, Conditional Access block on departure |
| A.5.12 | Classification of information | Purview sensitivity labels + auto-labelling (auto-label E5) |
| A.5.13 | Labelling of information | Purview sensitivity labels — content markings, headers, watermarks |
| A.5.14 | Information transfer | Purview DLP egress policies, Exchange Transport Rules |
| A.5.15 | Access control | Entra Conditional Access, Entra RBAC |
| A.5.16 | Identity management | Entra lifecycle workflows, Entra ID Governance |
| A.5.17 | Authentication information | Entra MFA, Windows Hello, FIDO2, Authenticator, SSPR |
| A.5.18 | Access rights | Entra access reviews (E5 P2), PIM, group-based access |
| A.5.19 | InfoSec in supplier relationships | Vendor risk process — not M365 |
| A.5.20 | Security in supplier agreements | Contractual — not M365 |
| A.5.21 | ICT supply chain | SBOM / vendor attestations — not M365 |
| A.5.22 | Monitoring supplier services | Defender for Cloud Apps SaaS posture (partial) |
| A.5.23 ⓝ | Cloud services security | Defender for Cloud Apps CASB, Conditional Access (MDCA E5) |
| A.5.24 | IS incident planning | Defender XDR incidents, Sentinel playbooks |
| A.5.25 | Assessment of IS events | Defender XDR triage, Sentinel analytics rules |
| A.5.26 | Response to IS incidents | Defender XDR AIR, Sentinel SOAR playbooks |
| A.5.27 | Learning from incidents | Defender XDR incident timeline, Sentinel hunting |
| A.5.28 | Collection of evidence | Purview Audit (Premium E5), Defender XDR export |
| A.5.29 | IS during disruption | M365 SLA covers Microsoft side — customer BCP still needed |
| A.5.30 ⓝ | ICT readiness for BCP | DR runbooks, Azure Site Recovery — not M365 |
| A.5.31 | Legal, regulatory, contractual requirements | Compliance Manager (DPDPA, CERT-In, RBI, SEBI templates) |
| A.5.32 | Intellectual property rights | Purview DLP, sensitivity labels, Intune SAM |
| A.5.33 | Protection of records | Purview Records Management (E5), retention labels, Audit immutability |
| A.5.34 | Privacy & protection of PII | Purview Information Protection, DLP PII templates, Priva |
| A.5.35 | Independent review of IS | Audit process — not M365 |
| A.5.36 | Compliance with policies | Compliance Manager score, Secure Score, Intune reports |
| A.5.37 | Documented operating procedures | SharePoint/Wiki can host; not a security control |
A.6 — People Controls (8)
Most People controls are HR and contractual — M365 does not address them. Only 3 of 8 are technology-satisfiable. Document the HR process and upload it as evidence.
| # | Control | M365 coverage |
|---|---|---|
| A.6.1 | Screening | HR process — not M365 |
| A.6.2 | Employment terms | HR / contractual — not M365 |
| A.6.3 | Awareness & training | Attack Simulation Training in Defender for O365 P2 (E5) |
| A.6.4 | Disciplinary process | HR — not M365 |
| A.6.5 | Termination responsibilities | Intune retire/wipe, Entra disable, Conditional Access |
| A.6.6 | NDAs | Contractual — not M365 |
| A.6.7 | Remote working | Conditional Access, Intune APP, Defender for Endpoint, Entra App Proxy |
| A.6.8 | Event reporting | Report Message add-in in Outlook, Defender for O365 user-reported phishing |
A.7 — Physical Controls (14)
Physical controls are almost entirely outside M365's scope. Microsoft's Service Trust Portal provides the Azure/M365 datacentre attestations for A.7.1–A.7.6, A.7.8, A.7.11–A.7.13 (Microsoft's side of shared responsibility). For your own offices, data closets, and BYOD devices, you'll need CCTV, access control, environmental monitoring, and UPS/fire suppression — all non-M365.
| # | Control | M365 coverage |
|---|---|---|
| A.7.1 | Physical perimeters | Service Trust Portal (Microsoft side only) |
| A.7.2 | Physical entry | STP attestation only |
| A.7.3 | Securing offices | STP attestation only |
| A.7.4 ⓝ | Physical security monitoring | CCTV / access control — not M365 |
| A.7.5 | Environmental threats | STP attestation only |
| A.7.6 | Secure areas | STP attestation only |
| A.7.7 | Clear desk / clear screen | Intune screen lock policy, Windows idle timeout |
| A.7.8 | Equipment siting | Physical — not M365 |
| A.7.9 | Off-premises assets | Intune + Defender for Endpoint, BitLocker via Intune |
| A.7.10 | Storage media | BitLocker, Intune removable storage policy, Endpoint DLP device controls |
| A.7.11 | Supporting utilities | UPS / power — not M365 |
| A.7.12 | Cabling security | Physical — not M365 |
| A.7.13 | Equipment maintenance | Facilities — not M365 |
| A.7.14 | Secure disposal / re-use | Intune wipe + BitLocker (partial — physical disposal still manual) |
A.8 — Technological Controls (34)
| # | Control | M365 coverage |
|---|---|---|
| A.8.1 | User endpoint devices | Intune MDM/MAM + Defender for Endpoint + BitLocker |
| A.8.2 | Privileged access rights | Entra PIM (E5 P2), Conditional Access for admins, PAWs |
| A.8.3 | Information access restriction | Conditional Access, sensitivity labels, SharePoint permissions |
| A.8.4 | Access to source code | GitHub / Azure DevOps — not M365 proper |
| A.8.5 | Secure authentication | Entra MFA, passwordless (Windows Hello, FIDO2), Conditional Access |
| A.8.6 | Capacity management | M365 admin center health (partial) |
| A.8.7 | Protection against malware | Defender for Endpoint AV + ASR, Defender for O365 Safe Attachments |
| A.8.8 | Vulnerability management | Microsoft Defender Vulnerability Management (MDVM) (P2) |
| A.8.9 ⓝ | Configuration management | Intune configuration profiles + security baselines |
| A.8.10 ⓝ | Information deletion | Purview Retention Labels, Records Management disposition (E5) |
| A.8.11 ⓝ | Data masking | Purview Information Protection encryption, sensitivity labels |
| A.8.12 ⓝ | Data leakage prevention | Purview DLP — Exchange, SharePoint, OneDrive, Teams (E5), Endpoint, Edge, on-prem scanner |
| A.8.13 | Information backup | Exchange retention, OneDrive Files Restore, SharePoint versions — Microsoft explicitly does not call these backup |
| A.8.14 | Redundancy of IPFs | Azure availability zones — not M365 |
| A.8.15 | Logging | Purview Audit Standard/Premium |
| A.8.16 ⓝ | Monitoring activities | Defender XDR, Sentinel, Entra Identity Protection |
| A.8.17 | Clock synchronization | Azure NTP, Intune time sync GPO |
| A.8.18 | Privileged utility programs | Intune app control policies, Defender app control |
| A.8.19 | Software installation | Intune app deployment, Autopilot, allow/block lists |
| A.8.20 | Networks security | Conditional Access, Entra Private Access, Global Secure Access |
| A.8.21 | Network services security | Conditional Access, Defender for Cloud Apps |
| A.8.22 | Segregation of networks | Fortinet VLANs / VNets — not M365 |
| A.8.23 ⓝ | Web filtering | Defender for Endpoint Web Content Filtering + Network Protection |
| A.8.24 | Use of cryptography | BitLocker, sensitivity label encryption, Customer Key (E5), Double Key Encryption |
| A.8.25 | Secure development lifecycle | GitHub Advanced Security / ADO — not M365 |
| A.8.26 | Application security requirements | SDLC — not M365 |
| A.8.27 | Secure system architecture | Architecture — not M365 |
| A.8.28 ⓝ | Secure coding | GitHub Advanced Security / SAST / DAST — not M365 |
| A.8.29 | Security testing | VAPT / SAST / DAST — not M365 |
| A.8.30 | Outsourced development | Contractual — not M365 |
| A.8.31 | Dev / test / prod separation | Azure subscriptions / tenants |
| A.8.32 | Change management | Intune change rings (partial) |
| A.8.33 | Test information | Data masking process — not M365 |
| A.8.34 | Protection during audit testing | Audit process — not M365 |
ⓝ = new control introduced in the 2022 revision.
5. The Honest Coverage Summary
Of the 93 Annex A controls, M365 meaningfully addresses roughly 55–60. That's a strong platform advantage, but the remaining 33 controls are process, HR, physical, network, and SDLC-related — areas M365 was never designed to cover. Telling your auditor "we use M365" is not a compliance strategy; telling them "we use M365 for these 55 controls and here's what we do for the other 33" is.
| Coverage | Controls | Areas |
|---|---|---|
| Strong | ~56 | Identity, access, endpoint, DLP, audit, threat detection, sensitivity labels, CASB, PIM (most need E5). |
| Partial | ~10 | Physical (STP attestation), change management, clock sync, supplier monitoring, disruption response. |
| Gaps | ~27 | HR/contractual, physical security, network segmentation, SDLC, BCP beyond M365 SLA, legal process. |
What you'll need beyond M365
| Gap area | Controls | What to buy / build |
|---|---|---|
| Supplier / vendor risk | A.5.19, A.5.20, A.5.21 | Vendor questionnaire, contract review, vendor risk register (OneTrust, ServiceNow IRM) |
| People controls | A.6.1, A.6.2, A.6.4, A.6.6 | HR process, NDAs, background checks, disciplinary SOP |
| Physical (client side) | A.7.1–A.7.6, A.7.8, A.7.11–A.7.13 | CCTV, access control, UPS, fire suppression, environmental monitoring |
| Network segmentation | A.8.22 | Fortinet firewalls, VLANs, SD-WAN, micro-segmentation |
| SDLC / secure coding | A.8.4, A.8.25–A.8.31, A.8.33 | GitHub Advanced Security, Azure DevOps, SAST/DAST/SCA |
| BCP / DR beyond M365 SLA | A.5.29, A.5.30, A.8.13, A.8.14 | Third-party M365 backup (Veeam, AvePoint, Keepit), DR runbooks, Azure Site Recovery |
| Legal / audit process | A.5.5, A.5.6, A.5.8, A.5.35 | Legal counsel, ISAC membership, internal audit function |
6. Your 20-Week ISO 27001 Readiness Sprint
Here's the phased rollout I use with customers. It assumes you already have M365 E3 at minimum and are willing to uplift to E5 or add the E5 Security/Compliance SKUs for Phase 2 onwards. If you stay on pure E3, you'll hit a ceiling around Phase 3.
Phase 1 — Weeks 1–4
🔐 Identity & Foundation
- Enable Security Defaults or baseline Conditional Access — MFA for admins, MFA for all users, block legacy auth
- Roll out Entra MFA organization-wide — Authenticator app preferred over SMS
- Review Microsoft Secure Score and action the top 10 high-impact improvements
- Enable Purview Audit (Standard 180-day; Premium 1-year if on E5)
- Enroll corporate devices into Intune; enforce BitLocker via Intune compliance policy
- Controls covered: A.5.15, A.5.17, A.8.1, A.8.5, A.8.15
Phase 2 — Weeks 5–10
🛡 Data Protection & Classification
- Define sensitivity taxonomy: Public / Internal / Confidential / Highly Confidential
- Roll out Purview sensitivity labels with content markings and container labels for Teams/SharePoint sites
- Enable auto-labelling for obvious patterns (PAN, Aadhaar, GSTIN, credit card) — E5 feature
- Deploy DLP policies across Exchange, SharePoint, OneDrive, Teams (E5 for Teams chat), and Endpoint
- Configure retention policies aligned to DPDPA + CERT-In
- Enable Defender for Endpoint onboarding; move ASR rules from audit to block gradually
- Enable Defender for Office 365 Safe Links + Safe Attachments for all users
- Controls covered: A.5.12, A.5.13, A.5.14, A.5.33, A.7.10, A.8.7, A.8.10, A.8.11, A.8.12, A.8.23, A.8.24
Phase 3 — Weeks 11–16
🔎 Detection, Response & Privileged Access
- Unify investigation in Defender XDR portal
- Enable MDVM for continuous vulnerability posture
- Enable Defender for Cloud Apps and run Cloud Discovery against existing logs (E5)
- Enable Entra Identity Protection risk policies — block high sign-in risk, MFA on medium
- Enable PIM for all admin roles — eligible-only, approval required for Global Admin
- Stand up Microsoft Sentinel for cross-source correlation + 180-day CERT-In log retention in India region
- Controls covered: A.5.3, A.5.7, A.5.18, A.5.23, A.5.24–27, A.8.2, A.8.8, A.8.16
Phase 4 — Weeks 17–20
📋 Governance, Evidence & Gap Closure
- Create the ISO/IEC 27001:2022 assessment in Compliance Manager; walk through every improvement action
- Build policy documents into SharePoint with retention labels (A.5.1, A.5.37)
- Run an Attack Simulation Training campaign targeting the entire org (A.6.3)
- Schedule quarterly access reviews (A.5.18)
- Close the gaps from Section 5 — Fortinet for A.8.22, GitHub Advanced Security for SDLC, third-party backup for A.8.13, vendor risk process for A.5.19–21
- Export Secure Score, Compliance Manager assessment, DLP policies, and audit logs for the auditor pre-read
- Conduct an internal gap audit before Stage 1 external audit
- Controls covered: A.5.1, A.5.31, A.5.36, A.6.3 + evidence for everything above
7. Evidence Auditors Accept
The Big 4 firms and the major certification bodies operating in India (Deloitte, EY, KPMG, PwC, BSI, DNV) all accept Compliance Manager exports as supporting evidence, but they will ask for the underlying policy exports and sampled log evidence. Here's the export toolkit I prepare before every Stage 1 audit:
| Evidence | Where to export from | Supports controls |
|---|---|---|
| Secure Score report | Defender XDR → Secure Score → Export CSV | A.5.36, A.8.8 |
| Compliance Manager ISO 27001 assessment | Compliance Manager → Assessments → Export Excel | All technical controls |
| Conditional Access policies | Entra admin → CA → Export JSON | A.5.15, A.5.17, A.5.18, A.8.3, A.8.5 |
| Entra sign-in & audit logs | Entra → Monitoring → Export CSV / Log Analytics | A.5.15, A.8.15, A.8.16 |
| Purview Audit log search export | Purview → Audit → Search → Export | A.5.28, A.8.15 |
| Intune device compliance report | Intune → Reports → Device Compliance | A.8.1, A.8.9 |
| Defender XDR incident reports | Defender XDR → Incidents → Export | A.5.24–A.5.28 |
| MDVM security recommendations | Defender XDR → Vulnerability management → Export | A.8.8 |
| DLP policy reports | Purview → DLP → Reports | A.5.14, A.8.12 |
| Microsoft STP ISO 27001 attestation | servicetrust.microsoft.com → Audit Reports → ISO 27001 SoA | Microsoft side of shared responsibility |
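Before the Conditional Access JSON export goes into the evidence pack, it is worth confirming it actually proves the Phase 1 baseline (MFA for admins, MFA for all users, legacy authentication blocked) rather than a report-only policy. This added example is not from the original post and not a Microsoft tool; it assumes the Microsoft Graph conditionalAccessPolicy JSON shape that the Entra export produces, the Global Administrator role template id, and a constructed three-policy export; the check names and control references are the example's own.

```python
import json

# Role template id of the Global Administrator directory role (the same in every tenant).
GLOBAL_ADMIN_ROLE_ID = "62e90394-69f5-4237-9190-012177145e10"
# Graph clientAppTypes values that denote legacy (basic) authentication clients.
LEGACY_CLIENT_APPS = {"exchangeActiveSync", "other"}

def load_export(text):
    """Parse a Conditional Access JSON export into a list of policy dicts."""
    data = json.loads(text)
    return data.get("value", []) if isinstance(data, dict) else data

def _enabled(policy):
    # Report-only ("enabledForReportingButNotEnforced") and disabled policies enforce nothing.
    return policy.get("state") == "enabled"

def _grants(policy):
    return set((policy.get("grantControls") or {}).get("builtInControls") or [])

def _cond(policy, key):
    return (policy.get("conditions") or {}).get(key) or {}

def _all_users_all_apps(policy):
    return ("All" in _cond(policy, "users").get("includeUsers", [])
            and "All" in _cond(policy, "applications").get("includeApplications", []))

def requires_mfa_for_all_users(policy):
    return _enabled(policy) and "mfa" in _grants(policy) and _all_users_all_apps(policy)

def requires_mfa_for_admins(policy):
    roles = _cond(policy, "users").get("includeRoles", [])
    apps = _cond(policy, "applications").get("includeApplications", [])
    return (_enabled(policy) and "mfa" in _grants(policy)
            and GLOBAL_ADMIN_ROLE_ID in roles and "All" in apps)

def blocks_legacy_auth(policy):
    # The block must be scoped to exactly the legacy client types: a wider scope blocks everyone.
    client_apps = set(_cond(policy, "clientAppTypes") or [])
    return (_enabled(policy) and "block" in _grants(policy)
            and _all_users_all_apps(policy) and client_apps == LEGACY_CLIENT_APPS)

BASELINE = {
    "MFA for all users (A.5.17, A.8.5)": requires_mfa_for_all_users,
    "MFA for admins (A.5.15, A.8.5)": requires_mfa_for_admins,
    "Block legacy authentication (A.8.5)": blocks_legacy_auth,
}

def check_baseline(policies):
    """Map each baseline requirement to the display names of enabled policies satisfying it."""
    return {name: [p.get("displayName", "<unnamed>") for p in policies if test(p)]
            for name, test in BASELINE.items()}

def missing_checks(policies):
    """Requirements no enabled policy satisfies; an empty list means the export is audit-ready."""
    return [name for name, hits in check_baseline(policies).items() if not hits]

# Constructed sample export: the legacy-auth block was never moved out of report-only mode.
SAMPLE_EXPORT = json.dumps([
    {"displayName": "CA001 Require MFA for all users", "state": "enabled",
     "conditions": {"users": {"includeUsers": ["All"], "excludeUsers": ["<break-glass-id>"]},
                    "applications": {"includeApplications": ["All"]}, "clientAppTypes": ["all"]},
     "grantControls": {"operator": "OR", "builtInControls": ["mfa"]}},
    {"displayName": "CA002 Require MFA for admins", "state": "enabled",
     "conditions": {"users": {"includeRoles": [GLOBAL_ADMIN_ROLE_ID]},
                    "applications": {"includeApplications": ["All"]}, "clientAppTypes": ["all"]},
     "grantControls": {"operator": "OR", "builtInControls": ["mfa"]}},
    {"displayName": "CA003 Block legacy authentication", "state": "enabledForReportingButNotEnforced",
     "conditions": {"users": {"includeUsers": ["All"]},
                    "applications": {"includeApplications": ["All"]},
                    "clientAppTypes": ["exchangeActiveSync", "other"]},
     "grantControls": {"operator": "OR", "builtInControls": ["block"]}},
])

if __name__ == "__main__":
    for name, hits in check_baseline(load_export(SAMPLE_EXPORT)).items():
        print(f"{'OK ' if hits else 'GAP'} {name}: {', '.join(hits) or 'no enforcing policy'}")
```

Run it against the real export file instead of SAMPLE_EXPORT; any GAP line is a finding to fix before Stage 1, not something to explain to the auditor.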
8. Indian Context — DPDPA, CERT-In, Data Residency
📍 Data Residency: M365 India Region
Microsoft operates datacentres in Chennai, Mumbai, and Pune. India is a Local Region Geography — Exchange, SharePoint, OneDrive, Teams, and Purview data is stored at rest in India. Advanced Data Residency (ADR) add-on extends this to a broader set. Check your tenant's assigned region in the M365 admin centre.
⚖ DPDPA alignment: DPDP Rules 2025 → M365
Rule 6's seven security safeguards map almost one-for-one onto Entra Conditional Access (access controls), Purview Audit (1-year log retention), Defender (monitoring), BitLocker (encryption), Intune (configuration). Rule 7's two-stage breach notification fits the Defender XDR + notification engine pattern. See our DPDPA Implementation Playbook.
🇮🇳 CERT-In directions: 180-Day Retention + 6-Hour Reporting
Purview Audit Standard's 180-day default satisfies CERT-In for M365-originated logs. For firewall, IDS, WAF, VPN logs, you need Sentinel or a local SIEM. Incident reporting to CERT-In within 6 hours is a process layer on top of Defender XDR alerting — not a tool, a runbook.
🏦 RBI / SEBI overlay: Sectoral Mandates Still Apply
RBI's 2018 payment data localisation, SEBI CSCRF 6-hour reporting, and IRDAI cyber guidelines continue on top of ISO 27001. M365 India region satisfies data residency; Compliance Manager has DPDPA, RBI, SEBI, and CERT-In templates you can run alongside ISO 27001:2022.
9. How Ogma Helps
We've taken Indian enterprises through ISO 27001 readiness for over a decade, and M365-heavy environments are now the majority pattern. Our delivery approach combines the Microsoft stack with the non-M365 pieces you need to close the 27 gaps honestly.
| Ogma Service | ISO 27001:2022 controls closed |
|---|---|
| M365 Security Hardening | Entra, Defender, Purview, Intune deployment and tuning for all 55+ M365-addressable controls |
| Compliance Manager engagement | ISO 27001:2022 assessment walk-through, improvement actions, evidence upload, audit-ready export |
| Fortinet network segmentation | A.8.22 (segregation of networks), A.8.20, A.8.21, A.8.23 |
| Vulnerability Assessment (VA) | A.8.8 (vulnerability management), evidence for A.5.36 |
| Breach & Attack Simulation (BAS) | A.5.7 (threat intelligence), A.5.24–27 (incident management), A.8.29 (security testing) |
| Threat Intelligence (TI) feed | A.5.7 (threat intelligence) |
| Managed SOC | A.5.24–27 incident response, A.8.15, A.8.16 logging and monitoring on non-M365 sources |
| ISMS documentation | A.5.1, A.5.2, A.5.37, A.6.1–A.6.6 process controls |
| Internal audit & pre-certification review | A.5.35 (independent review), Stage 1 audit preparation |
Targeting ISO 27001:2022 certification?
We combine Microsoft 365 security hardening with the Fortinet, SOC, VA, BAS, and TI layers that close the 27 gaps M365 cannot.
10. Key Takeaways
- 93 Annex A controls across 4 themes — Organizational, People, Physical, Technological. 2013 → 2022 transition deadline was 31 October 2025.
- M365 addresses ~56 controls strongly and another ~10 partially. The remaining ~27 are process, HR, physical, network, and SDLC gaps M365 was never designed to cover.
- E3 gets you the baseline (Conditional Access, Defender P1, DLP for Exchange/SharePoint/OneDrive, Audit Standard, Intune). E5 closes most of the remaining gap — Entra P2, Defender P2, MDCA, Audit Premium, Records Management, IRM, DLP for Teams.
- Purview Compliance Manager is the authoritative ISO 27001:2022 mapping tool. Create the assessment on day 1 of your sprint; every improvement action is a task you can assign.
- Microsoft ships 8 of the 11 new 2022 controls natively. A.5.30 (BCP), A.7.4 (physical monitoring), and A.8.28 (secure coding) are gaps.
- Rule 6 of DPDP Rules 2025 maps almost one-for-one onto M365: encryption, access control, logging, continuity, 365-day retention, processor contracts, TOM. One control set, two certifications.
- Microsoft Sentinel extends CERT-In compliance to non-M365 log sources (firewalls, IDS, WAF, VPN). Plan for the data tier cost — 180-day retention adds up fast.
- M365 India region (Chennai, Mumbai, Pune) satisfies data residency for DPDPA, RBI, and SEBI. ADR add-on extends the set if needed.
- The 27-control gap is your non-M365 shopping list — Fortinet for A.8.22, GitHub Advanced Security for SDLC, third-party backup for A.8.13, HR process for A.6, vendor risk platform for A.5.19–21.
- Auditors accept the exports. Secure Score, Compliance Manager assessment, Conditional Access JSON, Intune compliance reports, Defender XDR incidents, Purview Audit search results — they're the evidence pack your Stage 1 auditor will ask for.
Sources and References
- ISO/IEC 27001:2022 — Information security management systems — Requirements
- Microsoft Purview Compliance Manager overview
- Compliance Manager regulations list (360+ templates including ISO 27001:2022)
- Build and manage assessments in Compliance Manager
- Microsoft Azure & M365 ISO/IEC 27001 compliance offering
- Microsoft Service Trust Portal (Audit Reports + ISO 27001 SoA)
- Microsoft Purview service description (licensing)
- Microsoft Purview sensitivity labels
- Microsoft Purview Data Loss Prevention overview
- Data loss prevention and Microsoft Teams
- Microsoft Purview Audit solutions
- Microsoft Purview Insider Risk Management
- Microsoft Defender for Cloud Apps (CASB)
- Microsoft Defender for Endpoint
- Microsoft Entra Privileged Identity Management (PIM)
- Microsoft 365 data locations (India region)
- Advanced Data Residency in Microsoft 365
- Advisera — 11 new ISO 27001:2022 controls explained
- ISMS.online — ISO 27001:2022 Annex A guide
- CoreView — Microsoft 365 Security Best Practices
- Grassroots IT — M365 Security Features for ISO 27001 Compliance
- CERT-In Directions (28 April 2022) — 6-hour reporting + 180-day log retention