# Compliance Frameworks
Detailed information about the compliance frameworks supported by Securtea
Securtea supports multiple industry-standard security frameworks. Each framework provides a structured approach to evaluating your Microsoft 365 security posture.
## CIS Microsoft 365 Foundations Benchmark
### Overview
The Center for Internet Security (CIS) Microsoft 365 Foundations Benchmark is a consensus-driven security configuration guide developed by security experts worldwide.
### Themes
The CIS benchmark organizes controls into themes:
| Theme | Focus Area |
|---|---|
| Account & Authentication | Identity protection, MFA, password policies |
| Application Permissions | OAuth apps, consent policies, API access |
| Data Management | DLP policies, information protection |
| Email Security | Anti-phishing, anti-malware, mail flow |
| Auditing | Logging, monitoring, alerts |
### Control Examples
- Enable MFA for all privileged accounts
- Block legacy authentication protocols
- Configure anti-phishing policies
- Enable audit log search
- Restrict external sharing
### Version Support
Securtea aligns with the latest CIS benchmark version and updates controls as new versions are released.
CIS provides two profiles: Level 1 (baseline) and Level 2 (defense in depth). Securtea supports both profiles.
## NIST 800-53
### Overview
NIST Special Publication 800-53 provides a catalog of security and privacy controls for federal information systems. It's widely adopted beyond government organizations.
### Control Families
NIST 800-53 organizes controls into families:
| Family | Code | Focus |
|---|---|---|
| Access Control | AC | Who can access what |
| Audit & Accountability | AU | Logging and monitoring |
| Configuration Management | CM | System configurations |
| Identification & Authentication | IA | Identity verification |
| Incident Response | IR | Security incident handling |
| System Protection | SC | Technical safeguards |
### M365 Mapping
Not all NIST controls apply to Microsoft 365. Securtea maps applicable controls:
- AC-2: Account Management → M365 user lifecycle
- AC-3: Access Enforcement → Conditional Access policies
- AU-2: Audit Events → Unified audit log
- IA-2: Identification → MFA configuration
### Impact Levels
NIST defines three impact levels:
| Level | Requirements |
|---|---|
| Low | Basic security controls |
| Moderate | Enhanced security controls |
| High | Maximum security controls |
Securtea assesses against the Moderate baseline by default.
## SOC 2
### Overview
SOC 2 (Service Organization Control 2) is an auditing standard developed by AICPA for service providers storing customer data in the cloud.
### Trust Services Criteria
SOC 2 evaluates five trust services criteria:
| Criteria | Focus |
|---|---|
| Security | Protection against unauthorized access |
| Availability | System uptime and accessibility |
| Processing Integrity | Accurate and authorized processing |
| Confidentiality | Protection of confidential information |
| Privacy | Personal information handling |
### M365 Controls
Securtea maps M365 configurations to SOC 2 criteria:
#### Security (CC)
- Conditional Access policies
- MFA enforcement
- Data Loss Prevention
#### Availability (A)
- Service health monitoring
- Backup configurations
#### Confidentiality (C)
- Information protection labels
- External sharing restrictions
### Type I vs Type II
- Type I: Point-in-time assessment (design effectiveness)
- Type II: Period assessment (operating effectiveness)
Securtea supports Type I assessments. Type II requires additional audit evidence over time.
## ISO 27001
### Overview
ISO/IEC 27001 is an international standard for information security management systems (ISMS). It provides a framework for managing sensitive information.
### Annex A Controls
ISO 27001:2022 Annex A contains 93 controls across four themes:
| Theme | Control Count | Focus |
|---|---|---|
| Organizational | 37 | Policies, roles, responsibilities |
| People | 8 | HR security, awareness |
| Physical | 14 | Facility security |
| Technological | 34 | Technical controls |
### M365 Mapping
Securtea focuses on technological controls applicable to M365:
- A.5.15: Access control
- A.5.17: Authentication information
- A.8.2: Privileged access rights
- A.8.5: Secure authentication
- A.8.15: Logging
- A.8.16: Monitoring activities
### Certification Support
While Securtea doesn't provide ISO certification, assessment results support your certification efforts by:
- Documenting technical control implementation
- Providing evidence for auditors
- Identifying gaps before certification audits
## Framework Comparison
### Coverage Overlap
Many controls overlap across frameworks:
| Control Area | CIS | NIST | SOC 2 | ISO |
|---|---|---|---|---|
| MFA | ✓ | ✓ | ✓ | ✓ |
| Audit Logging | ✓ | ✓ | ✓ | ✓ |
| Access Control | ✓ | ✓ | ✓ | ✓ |
| Data Protection | ✓ | ✓ | ✓ | ✓ |
| Incident Response | - | ✓ | ✓ | ✓ |
### Choosing a Framework
| If You Need | Consider |
|---|---|
| Detailed M365 guidance | CIS |
| U.S. federal compliance | NIST |
| Customer trust reports | SOC 2 |
| International certification | ISO 27001 |
### Running Multiple Frameworks
You can assess against multiple frameworks simultaneously. Benefits include:
- Efficiency: One data collection, multiple evaluations
- Cross-mapping: See which controls satisfy multiple frameworks
- Comprehensive coverage: No gaps between frameworks
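The cross-mapping idea above, written out as an added example (not Securtea's code): a single set of collected tenant settings is evaluated once, and each check is rolled up into the control it evidences in every framework. The control references are the ones this page names (NIST AC-3, AU-2, IA-2 and the IR family; ISO 27001 A.5.15, A.8.5, A.8.15; SOC 2 CC and C); the CIS entries reuse the page's control descriptions because the page gives no CIS control numbers. Which check satisfies which control is an assumed crosswalk for illustration, and the tenant settings are constructed sample data rather than anything read from a real tenant.

```python
"""Evaluate one set of Microsoft 365 settings against several frameworks at once.

Added example, not Securtea's own code. The check-to-control crosswalk is an
assumption made for illustration, and SAMPLE_TENANT is constructed data.
"""
from dataclasses import dataclass
from typing import Callable

FRAMEWORKS = ("CIS", "NIST", "SOC 2", "ISO 27001")


@dataclass(frozen=True)
class Check:
    check_id: str
    description: str
    test: Callable[[dict], bool]   # runs once against the collected settings
    controls: dict                  # framework -> control reference it evidences


# Assumed crosswalk: one data collection, evaluated under four frameworks.
CHECKS = [
    Check("mfa-privileged", "Enable MFA for all privileged accounts",
          lambda t: t["admin_mfa_enforced"],
          {"CIS": "Enable MFA for all privileged accounts", "NIST": "IA-2",
           "SOC 2": "CC", "ISO 27001": "A.8.5"}),
    Check("legacy-auth", "Block legacy authentication protocols",
          lambda t: t["legacy_auth_blocked"],
          {"CIS": "Block legacy authentication protocols", "NIST": "AC-3",
           "SOC 2": "CC", "ISO 27001": "A.8.5"}),
    Check("audit-log", "Enable audit log search",
          lambda t: t["unified_audit_log_enabled"],
          {"CIS": "Enable audit log search", "NIST": "AU-2",
           "SOC 2": "CC", "ISO 27001": "A.8.15"}),
    Check("external-sharing", "Restrict external sharing",
          lambda t: t["sharepoint_external_sharing"] in ("disabled", "existing_guests"),
          {"CIS": "Restrict external sharing", "NIST": "AC-3",
           "SOC 2": "C", "ISO 27001": "A.5.15"}),
    # Incident response has no CIS entry in the page's overlap table, so this
    # constructed check maps to NIST (IR family) and SOC 2 only.
    Check("incident-alerts", "Security alert policies enabled",
          lambda t: t["alert_policies_enabled"],
          {"NIST": "IR", "SOC 2": "CC"}),
]


def evaluate(tenant: dict) -> dict:
    """Run every check exactly once; returns check_id -> pass/fail."""
    return {c.check_id: bool(c.test(tenant)) for c in CHECKS}


def by_framework(results: dict) -> dict:
    """Roll check results up per framework. A control is met only if every
    check mapped to it passes, so one failing check fails a shared control."""
    rollup = {fw: {} for fw in FRAMEWORKS}
    for c in CHECKS:
        for fw, ref in c.controls.items():
            rollup[fw][ref] = rollup[fw].get(ref, True) and results[c.check_id]
    return rollup


def cross_map(results: dict) -> dict:
    """For each passing check, the frameworks it satisfies at the same time."""
    return {c.check_id: sorted(c.controls) for c in CHECKS if results[c.check_id]}


def coverage_gaps() -> dict:
    """Checks a framework does not cover at all: the '-' cells of the overlap table."""
    return {fw: [c.check_id for c in CHECKS if fw not in c.controls] for fw in FRAMEWORKS}


# Constructed sample tenant settings (not collected from a real tenant).
SAMPLE_TENANT = {
    "admin_mfa_enforced": True,
    "legacy_auth_blocked": False,
    "unified_audit_log_enabled": True,
    "sharepoint_external_sharing": "anyone",
    "alert_policies_enabled": True,
}

if __name__ == "__main__":
    res = evaluate(SAMPLE_TENANT)
    for fw, controls in by_framework(res).items():
        failed = sorted(ref for ref, ok in controls.items() if not ok)
        print(f"{fw}: {len(controls) - len(failed)}/{len(controls)} controls met; failing: {failed}")
    print("cross-mapped passes:", cross_map(res))
    print("not covered per framework:", coverage_gaps())
```

The "all mapped checks must pass" rollup matters in practice: with the sample data, the one unblocked legacy-auth setting fails SOC 2 CC and ISO A.8.5 even though the MFA and audit checks behind those same controls pass, which is the gap a cross-mapped report should surface rather than average away.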
## Framework Updates
### Version Management
Securtea maintains framework versions:
- Current: Latest supported version
- Legacy: Previous versions (limited support)
- Preview: Upcoming versions for early adoption
### Update Process
When frameworks release new versions:
- Securtea evaluates changes
- New controls are mapped to M365
- Version is released with release notes
- Historical comparisons remain available
Subscribe to release notes to be notified of framework updates.
## Custom Frameworks
Enterprise customers can request custom framework support:
- Industry-specific frameworks
- Internal security standards
- Regulatory requirements
Contact your account manager to discuss custom framework development.
## What's Next?
- Running Assessments - Assess against these frameworks
- Understanding Results - Interpret compliance data
- Generating Reports - Create framework-specific reports