
ISO 27001:2022 Certification: The Microsoft 365 Evidence Map Management Needs

The most common ISO 27001 audit failure is not missing controls, it is missing evidence that controls are operational. This practitioner's mapping translates the 2022 Annex A into concrete Microsoft 365 configurations and exportable evidence artefacts, giving management and audit committees a clear view of certification readiness and the evidence gaps that must be closed before the assessor arrives.

INSIGHTS OF 2026

ISO 27001:2022 Annex A Mapped to Microsoft 365 Controls

The 2022 revision of ISO 27001 consolidated the previous 114 controls into 93 (merging many and adding 11 new ones), reorganised under four themes: Organisational (A.5), People (A.6), Physical (A.7), and Technological (A.8). In practice, across certification programmes for mid-market and enterprise tenants, the most common audit failure isn't missing controls - it's missing evidence that controls are operational. Microsoft 365, properly configured, can supply evidence for roughly 60-65 of the 93 controls with native tooling. The work is knowing where to look and what to export.

Purview Compliance Manager: Your Starting Point

Before diving into individual controls, configure Purview Compliance Manager with the ISO 27001:2022 assessment template. Navigate to Microsoft Purview > Compliance Manager > Assessments > Add Assessment and select the ISO/IEC 27001:2022 template. This gives you a pre-built mapping split into Microsoft actions (what Microsoft does on the platform, with Microsoft's own evidence attached) and your improvement actions (the customer's responsibility, which is where your evidence goes).

The compliance score here is directional, not authoritative - no auditor will accept a Compliance Manager score as evidence. But it is an excellent tracker for internal readiness. A typical workflow exports the improvement-action list weekly and archives it alongside the evidence. Note that, at the time of writing, Compliance Manager has no public Microsoft Graph API and the Microsoft.Graph PowerShell SDK ships no ComplianceManager cmdlets, so the export is done from the portal (Compliance Manager > Improvement actions > Export, or the Export action on the assessment itself). The snippet below only sketches the pipeline such an API would slot into; the cmdlet names and scope in it are placeholders, not real commands:

# Illustrative only - these cmdlets and the scope do not exist in the Microsoft.Graph SDK.
# Today the equivalent is the portal's Export button; the dated CSV naming is the part to keep.
Connect-MgGraph -Scopes "ComplianceManager.Read.All"
$assessment = Get-MgComplianceManagerAssessment -Filter "displayName eq 'ISO 27001:2022'"
$actions = Get-MgComplianceManagerAssessmentAction -AssessmentId $assessment.Id
$actions | Export-Csv -Path "./iso27001-actions-$(Get-Date -Format yyyy-MM-dd).csv" -NoTypeInformation

A.5 - Organisational Controls

These are the governance controls that auditors hit hardest. Here are the ones flagged most frequently:

A.5.1 - Policies for Information Security

  • M365 Control: Purview Information Protection policies, DLP policies, Conditional Access policies documented in Entra ID
  • Evidence: Export all active policies via Get-DlpCompliancePolicy | Select Name, Mode, WhenCreated, WhenChanged (Security & Compliance PowerShell) and Get-MgIdentityConditionalAccessPolicy | Select DisplayName, State, CreatedDateTime, ModifiedDateTime
  • Gotcha: Auditors want to see a policy review cadence, not just the policy. Record the last review date where the policy object allows it (the Comment field on DLP policies; Conditional Access policies have no free-text field, so keep a review register next to the export) and compare each policy's last-modified date against the cadence your ISMS states
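The review-cadence check, as an added example that is not part of the original article: it pulls both policy sets, normalises them into one inventory with a last-changed date, and flags anything older than the stated cadence. It assumes the ExchangeOnlineManagement and Microsoft.Graph modules, an account with Compliance Administrator and Policy.Read.All rights, and a hypothetical 365-day cadence.

```powershell
# Added example (not from the original article): A.5.1 policy inventory with review-overdue flag.
# Assumes ExchangeOnlineManagement + Microsoft.Graph modules; Compliance Administrator and Policy.Read.All.
# The 365-day cadence is a hypothetical value - use the one your ISMS policy states.
Connect-IPPSSession
Connect-MgGraph -Scopes "Policy.Read.All" -NoWelcome

$reviewCadenceDays = 365
$cutoff = (Get-Date).AddDays(-$reviewCadenceDays)

# DLP policies: WhenChanged is the last modification; Comment is the only free-text field,
# so that is where a "last reviewed YYYY-MM-DD" note lives if you keep one in the object
$dlp = Get-DlpCompliancePolicy | ForEach-Object {
    [PSCustomObject]@{
        Source      = 'PurviewDLP'
        Name        = $_.Name
        State       = $_.Mode
        LastChanged = $_.WhenChanged
        Comment     = $_.Comment
    }
}

# Conditional Access: ModifiedDateTime is null for a policy never edited since creation
$ca = Get-MgIdentityConditionalAccessPolicy -All | ForEach-Object {
    [PSCustomObject]@{
        Source      = 'ConditionalAccess'
        Name        = $_.DisplayName
        State       = $_.State
        LastChanged = $(if ($_.ModifiedDateTime) { $_.ModifiedDateTime } else { $_.CreatedDateTime })
        Comment     = ''
    }
}

$inventory = @($dlp) + @($ca) |
    Select-Object *, @{ n = 'ReviewOverdue'; e = { $_.LastChanged -lt $cutoff } }

$stamp = Get-Date -Format yyyy-MM-dd
$inventory | Export-Csv -Path "./A5.1-policy-inventory-$stamp.csv" -NoTypeInformation

# The overdue rows are the ones the assessor will ask about first
$inventory | Where-Object ReviewOverdue |
    Format-Table Source, Name, State, LastChanged -AutoSize
```

The exported CSV is the artefact for the evidence library; the console table is for the person who has to chase the overdue reviews before the audit.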

A.5.2 - Information Security Roles and Responsibilities

  • M365 Control: Entra ID Privileged Identity Management (PIM) role assignments with justification requirements
  • Evidence: Export active and eligible assignments separately. Active: Get-MgRoleManagementDirectoryRoleAssignmentScheduleInstance -All | Select PrincipalId, RoleDefinitionId, AssignmentType, MemberType, EndDateTime (an empty EndDateTime means permanent). Eligible: Get-MgRoleManagementDirectoryRoleEligibilityScheduleInstance -All | Select PrincipalId, RoleDefinitionId, EndDateTime
  • Key Point: If you have permanent Global Admin assignments outside break-glass accounts, expect a nonconformity
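The check behind that key point, as an added example rather than code from the original article: list every role assignment currently in force that is permanent, resolve the role name, and single out Global Administrator assignments not held by a break-glass account. It assumes the Microsoft.Graph SDK with RoleManagement.Read.Directory and User.Read.All; the break-glass UPNs are hypothetical placeholders.

```powershell
# Added example (not from the original article): permanent active role assignments outside break-glass.
# Assumes Microsoft.Graph PowerShell with RoleManagement.Read.Directory and User.Read.All.
# The break-glass UPNs below are hypothetical placeholders for your own accounts.
Connect-MgGraph -Scopes "RoleManagement.Read.Directory", "User.Read.All" -NoWelcome

$breakGlassUpns = @('breakglass-01@contoso.example', 'breakglass-02@contoso.example')  # hypothetical
$breakGlassIds  = foreach ($upn in $breakGlassUpns) {
    (Get-MgUser -UserId $upn -Property Id -ErrorAction SilentlyContinue).Id
}

# Resolve role definition IDs to display names once
$roleNames = @{}
Get-MgRoleManagementDirectoryRoleDefinition -All | ForEach-Object { $roleNames[$_.Id] = $_.DisplayName }

# Schedule instances are what is in force right now. AssignmentType 'Assigned' with no EndDateTime
# is a permanent assignment; 'Activated' is a PIM activation and is always time-bound.
$permanent = Get-MgRoleManagementDirectoryRoleAssignmentScheduleInstance -All |
    Where-Object { $_.AssignmentType -eq 'Assigned' -and -not $_.EndDateTime } |
    ForEach-Object {
        [PSCustomObject]@{
            Role        = $roleNames[$_.RoleDefinitionId]
            PrincipalId = $_.PrincipalId
            MemberType  = $_.MemberType        # Direct, or Group when inherited via a role-assignable group
            Scope       = $_.DirectoryScopeId  # '/' is tenant-wide
            BreakGlass  = ($breakGlassIds -contains $_.PrincipalId)
        }
    }

$stamp = Get-Date -Format yyyy-MM-dd
$permanent | Export-Csv -Path "./A5.2-permanent-role-assignments-$stamp.csv" -NoTypeInformation

# Nonconformity candidates: permanent Global Administrator not on the break-glass list
$findings = $permanent | Where-Object { $_.Role -eq 'Global Administrator' -and -not $_.BreakGlass }
if ($findings) {
    Write-Warning "Permanent Global Administrator assignments outside break-glass: $(@($findings).Count)"
    $findings | Format-Table Role, PrincipalId, MemberType, Scope -AutoSize
}
```

Group-inherited assignments show up with MemberType Group, which is worth keeping in the export: an assessor who sees a role-assignable group with permanent Global Administrator will ask who controls that group's membership.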

A.5.15 - Access Control

  • M365 Control: Conditional Access policies, Entra ID Access Reviews, PIM
  • Evidence: The combination of CA policy exports and completed Access Review histories. Navigate to Entra ID > Identity Governance > Access Reviews and export the last 12 months of completed reviews

A.5.23 - Information Security for Use of Cloud Services

  • M365 Control: Microsoft Defender for Cloud Apps (MDCA) shadow IT discovery, app governance policies
  • Evidence: MDCA Cloud Discovery report showing sanctioned vs unsanctioned apps, plus OAuth app governance policies

A.5.24 - Information Security Incident Management Planning

  • M365 Control: Microsoft Sentinel incident response playbooks, Defender XDR automated investigation
  • Evidence: Exported playbook definitions from Sentinel, plus incident response metrics (MTTA, MTTR) from the Sentinel workbook

A.5.29 - Information Security During Disruption

  • M365 Control: Microsoft 365 Backup policies for Exchange, SharePoint and OneDrive, retention policies, and Multi-Geo configuration where it is in use
  • Evidence: Service health incident reports via Get-MgServiceAnnouncementHealthOverview, plus documented BCP/DR runbooks that reference M365 service resilience SLAs

A.6 - People Controls

A.6.1 - Screening

  • Limited M365 applicability: screening happens in HR. What Entra ID can evidence is that accounts are created only from the HR system of record (HR-driven provisioning) and that joiner lifecycle workflows run after that record exists
  • Evidence: Lifecycle workflow configuration showing account creation is gated behind HR system approval

A.6.3 - Information Security Awareness, Education and Training

  • M365 Control: Microsoft Defender for Office 365 Attack Simulation Training
  • Evidence: Campaign completion rates and phish-click metrics. Export via the Security portal: Email & collaboration > Attack simulation training > Overview

A.6.5 - Responsibilities After Termination or Change of Employment

  • M365 Control: Entra ID lifecycle workflows for offboarding - disable account, revoke sessions, remove from groups, remove licences. Converting the mailbox to shared is not a built-in task; it runs as a custom task extension (Logic App) in the same workflow
  • Evidence:
# Verify offboarding automation (requires Connect-MgGraph -Scopes "LifecycleWorkflows.Read.All")
Get-MgIdentityGovernanceLifecycleWorkflow -All | Where-Object { $_.Category -eq "leaver" } |
    Select DisplayName, IsEnabled, LastModifiedDateTime

A.7 - Physical Controls

Physical controls have limited M365 applicability, but A.7.10 (Storage Media) maps directly to BitLocker enforcement via Intune and to the SharePoint/OneDrive unmanaged-device restriction (enforced through Conditional Access app-enforced restrictions, and settable per site by a container sensitivity label) that prevents download to unmanaged devices. Evidence: Intune device compliance policy showing encryption required, plus the Conditional Access policy and SharePoint setting blocking or limiting unmanaged device access to sensitive content.

A.8 - Technological Controls

This is where M365 shines. The technological controls map almost 1:1 to platform features.

A.8.1 - User Endpoint Devices

  • M365 Control: Intune device compliance policies, Defender for Endpoint onboarding
  • Evidence: Get-MgDeviceManagementDeviceCompliancePolicy export plus Defender device health dashboard

A.8.2 - Privileged Access Rights

  • M365 Control: PIM with time-bound activation, approval workflows, and access reviews
  • Evidence:
# Export PIM role settings showing time-bound and approval requirements
# Requires Connect-MgGraph -Scopes "RoleManagementPolicy.Read.Directory"
# Rule details (maximumDuration, isApprovalRequired, ...) live in AdditionalProperties,
# keyed by rule Id such as Expiration_EndUser_Assignment or Approval_EndUser_Assignment
Get-MgPolicyRoleManagementPolicyAssignment -All -Filter "scopeId eq '/' and scopeType eq 'DirectoryRole'" |
    ForEach-Object {
        $rules = Get-MgPolicyRoleManagementPolicyRule -UnifiedRoleManagementPolicyId $_.PolicyId
        [PSCustomObject]@{
            RoleId = $_.RoleDefinitionId
            Rules  = ($rules | Select-Object Id, AdditionalProperties | ConvertTo-Json -Compress -Depth 5)
        }
    }

A.8.3 - Information Access Restriction

  • M365 Control: Purview sensitivity labels with encryption, SharePoint site-level access restrictions, Teams private channels
  • Evidence: Label policy configuration plus DLP incident reports showing blocked sharing attempts

A.8.5 - Secure Authentication

  • M365 Control: Entra ID authentication methods policy - FIDO2 security keys and passkeys, certificate-based authentication, Microsoft Authenticator with number matching
  • Evidence: Get-MgPolicyAuthenticationMethodPolicy showing which methods are enabled (passwordless methods on, SMS and voice off), plus the Conditional Access policy that blocks legacy authentication
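Both halves of that evidence in one pass, as an added example that is not code from the original article: the authentication methods policy reduced to one row per method, and a check that an enabled Conditional Access policy actually blocks legacy clients for all users (a policy in report-only mode, or one scoped to a pilot group, is not a block). It assumes the Microsoft.Graph SDK with Policy.Read.All; which methods count as phishing-resistant or weak is this example's choice, not the standard's.

```powershell
# Added example (not from the original article): A.8.5 evidence - enabled methods plus legacy auth block.
# Assumes Microsoft.Graph PowerShell with Policy.Read.All. The method groupings are this example's own.
Connect-MgGraph -Scopes "Policy.Read.All" -NoWelcome

# 1. Tenant authentication methods policy: one row per method with its state
$methods = (Get-MgPolicyAuthenticationMethodPolicy).AuthenticationMethodConfigurations |
    Select-Object Id, State

$phishingResistant = @('Fido2', 'X509Certificate')   # security keys/passkeys, certificate-based auth
$weak              = @('Sms', 'Voice')                # SIM-swap and call-forwarding exposure

$enabledStrong = @($methods | Where-Object { $_.Id -in $phishingResistant -and $_.State -eq 'enabled' }).Id
$enabledWeak   = @($methods | Where-Object { $_.Id -in $weak              -and $_.State -eq 'enabled' }).Id

# 2. Legacy authentication block: enabled, applies to All users, targets the legacy client app
#    types, and grants 'block'. Report-only or pilot-scoped policies do not count as evidence.
$legacyBlocks = Get-MgIdentityConditionalAccessPolicy -All | Where-Object {
    $p = $_
    $clients = @($p.Conditions.ClientAppTypes)
    $p.State -eq 'enabled' -and
    $p.GrantControls.BuiltInControls -contains 'block' -and
    $p.Conditions.Users.IncludeUsers -contains 'All' -and
    ($clients -contains 'exchangeActiveSync' -or $clients -contains 'other')
}

$summary = [PSCustomObject]@{
    PhishingResistantEnabled = ($enabledStrong -join ', ')
    WeakMethodsEnabled       = ($enabledWeak -join ', ')
    LegacyAuthBlockPolicies  = (($legacyBlocks | ForEach-Object DisplayName) -join '; ')
}
$summary | Format-List

$stamp = Get-Date -Format yyyy-MM-dd
$methods | Export-Csv -Path "./A8.5-auth-methods-$stamp.csv" -NoTypeInformation
$legacyBlocks | Select-Object DisplayName, State, ModifiedDateTime |
    Export-Csv -Path "./A8.5-legacy-auth-block-$stamp.csv" -NoTypeInformation

if (-not $legacyBlocks) { Write-Warning "No enabled Conditional Access policy blocks legacy authentication for all users" }
if ($enabledWeak)       { Write-Warning "Weak methods still enabled: $($enabledWeak -join ', ')" }
```

A policy that excludes the break-glass accounts still passes this check, which is the intended shape; what it will not accept is a block that only covers a pilot group.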

A.8.7 - Protection Against Malware

  • M365 Control: Defender for Endpoint with cloud-delivered protection, Defender for Office 365 Safe Attachments and Safe Links
  • Evidence: Anti-malware policy configuration export plus monthly detection/quarantine statistics

A.8.8 - Management of Technical Vulnerabilities

  • M365 Control: Defender Vulnerability Management, Intune Windows Update for Business rings
  • Evidence: TVM exposure score trend, plus patching compliance percentage from Get-MgDeviceManagementDeviceCompliancePolicyDeviceStateSummary

A.8.9 - Configuration Management

  • M365 Control: Intune configuration profiles, security baselines, Defender for Endpoint security recommendations
  • Evidence: Baseline compliance dashboard showing drift percentage. A weekly KQL query against the IntuneDevices table in Log Analytics (populated when Intune diagnostic settings export the Devices category) tracks non-compliant devices as the drift proxy:
// IntuneDevices is a periodic snapshot, so dcount over the window counts each device once
IntuneDevices
| where TimeGenerated > ago(7d)
| where ComplianceState != "Compliant"
| summarize DriftCount = dcount(DeviceId) by ComplianceState

A.8.11 - Data Masking

  • M365 Control: Purview exact data match classifiers, sensitivity labels with content marking and encryption
  • Evidence: DLP policy hits showing classified content was masked or blocked before egress

A.8.12 - Data Leakage Prevention

  • M365 Control: Purview DLP policies across Exchange, SharePoint, Teams, endpoints
  • Evidence: DLP incident dashboard in Purview portal, monthly false-positive tuning records

A.8.15 - Logging

  • M365 Control: Unified Audit Log, Microsoft Sentinel ingestion of all M365 workload logs
  • Evidence: Sentinel data connector status showing active ingestion from all workloads. Verify with:
# Unified Audit Log on and no mailbox bypassing audit (Exchange Online); retention is set by audit retention policies (Security & Compliance)
Connect-ExchangeOnline
Get-AdminAuditLogConfig | Select UnifiedAuditLogIngestionEnabled
Get-MailboxAuditBypassAssociation -ResultSize Unlimited | Where { $_.AuditBypassEnabled -eq $true }
Connect-IPPSSession
Get-UnifiedAuditLogRetentionPolicy | Select Name, RetentionDuration, Priority

A.8.16 - Monitoring Activities

  • M365 Control: Sentinel analytics rules, Defender XDR custom detection rules
  • Evidence: Active analytics rule inventory with hit rates, plus alert-to-incident promotion metrics

Practical Tips for Certification

  1. Build an evidence library early. A recommended practice is to create a SharePoint site called "ISMS Evidence Vault" with folders mapped to each Annex A control. Automated Power Automate flows dump monthly exports into the correct folders.

  2. Automate everything exportable. The single biggest time sink in ISO 27001 certification is manual evidence gathering. Every control mapping above can be scripted, and a monthly PowerShell runbook in Azure Automation can produce the full evidence pack.

  3. Map once, certify many. If you're also pursuing SOC 2 or Cyber Essentials, build your evidence taxonomy around control objectives rather than framework-specific numbering. Purview Compliance Manager supports multiple assessments against the same control set.

  4. Don't forget the Statement of Applicability. Your SoA must reference which Annex A controls are applicable and which are excluded with justification. Physical controls (A.7) for a cloud-only firm can be largely scoped out, but you must document why.
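A skeleton for that monthly evidence pack, as an added example rather than code from the original article. Each export is keyed by the Annex A control it evidences, every output lands in a dated folder, and a manifest records a SHA-256 hash per file so you can later show the assessor that the artefact collected in one month is the unmodified file presented in another. It assumes the runbook has already established its sessions (Connect-MgGraph with the read scopes used in this article, Connect-ExchangeOnline and Connect-IPPSSession); the control-to-export map is a hypothetical subset to extend.

```powershell
# Added example (not from the original article): monthly evidence-pack runbook skeleton.
# Assumes Connect-MgGraph (Policy.Read.All, RoleManagement.Read.Directory, LifecycleWorkflows.Read.All,
# DeviceManagementConfiguration.Read.All), Connect-ExchangeOnline and Connect-IPPSSession have already
# run in the job. The control-to-export map below is a hypothetical subset; extend it with your exports.
$ErrorActionPreference = 'Stop'   # so a failing export reaches the catch block instead of being skipped

$packRoot = Join-Path (Get-Location) ("ISMS-Evidence-" + (Get-Date -Format yyyy-MM))
New-Item -ItemType Directory -Path $packRoot -Force | Out-Null

# Ordered so the manifest rows come out in the same sequence every month
$exports = [ordered]@{
    'A.5.1-conditional-access'         = { Get-MgIdentityConditionalAccessPolicy -All |
                                           Select-Object DisplayName, State, CreatedDateTime, ModifiedDateTime }
    'A.5.1-dlp-policies'               = { Get-DlpCompliancePolicy |
                                           Select-Object Name, Mode, WhenCreated, WhenChanged }
    'A.5.2-active-role-assignments'    = { Get-MgRoleManagementDirectoryRoleAssignmentScheduleInstance -All |
                                           Select-Object PrincipalId, RoleDefinitionId, AssignmentType, MemberType, EndDateTime }
    'A.6.5-leaver-workflows'           = { Get-MgIdentityGovernanceLifecycleWorkflow -All |
                                           Where-Object Category -eq 'leaver' |
                                           Select-Object DisplayName, IsEnabled, LastModifiedDateTime }
    'A.8.1-device-compliance-policies' = { Get-MgDeviceManagementDeviceCompliancePolicy -All |
                                           Select-Object DisplayName, CreatedDateTime, LastModifiedDateTime }
    'A.8.15-audit-log-config'          = { Get-AdminAuditLogConfig |
                                           Select-Object UnifiedAuditLogIngestionEnabled }
}

$collectedAt = (Get-Date).ToUniversalTime().ToString('o')
$manifest = foreach ($control in $exports.Keys) {
    $path = Join-Path $packRoot "$control.csv"
    try {
        & $exports[$control] | Export-Csv -Path $path -NoTypeInformation -Encoding utf8
        # Export-Csv writes no file for an empty result; an empty artefact still has to exist and be hashed
        if (-not (Test-Path $path)) { Set-Content -Path $path -Value '' }
        $status = 'ok'
    } catch {
        # A failed export is itself a finding: record it in the pack rather than silently dropping the control
        Set-Content -Path $path -Value "EXPORT FAILED: $($_.Exception.Message)"
        $status = 'failed'
    }
    [PSCustomObject]@{
        Control     = $control
        File        = Split-Path $path -Leaf
        Status      = $status
        Sha256      = (Get-FileHash -Path $path -Algorithm SHA256).Hash
        CollectedAt = $collectedAt
    }
}

$manifest | Export-Csv -Path (Join-Path $packRoot 'manifest.csv') -NoTypeInformation
$manifest | Format-Table Control, Status, Sha256 -AutoSize
```

The folder and manifest are what the Power Automate flow from tip 1 moves into the evidence vault; a 'failed' row in the manifest is an evidence gap to fix before the assessor arrives, not something to quietly re-run.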

The 2022 revision is a significant improvement in structure, and M365's native tooling has matured to the point where a well-configured tenant provides evidence coverage for the majority of controls. The remaining gap is always governance documentation - policies, procedures, and management review minutes - which no technology can replace.