Checklist Item #,Control Domain,Control Description,ISO 27001 Reference,SOC 2 Reference,Evidence Required,Readiness Status,Evidence Location / Notes,Owner
1,Access Control,All user accounts are provisioned through a documented request and approval process,A.5.15 / A.9.2,CC6.1,ServiceNow access request tickets; access provisioning procedure document,Ready,ServiceNow ticket export available. Procedure document: POL-AC-001 Section 5.1,Marcus Chen
2,Access Control,Privileged access accounts use individual named accounts (no shared accounts),A.9.2 / A.5.15,CC6.1,PAM system report showing zero shared accounts; Active Directory account inventory,Not Ready,14 shared admin accounts remain active (R-001). Report cannot be provided until remediation complete.,Priya Nair
3,Access Control,Multi-factor authentication is enforced for all user and service accounts,A.5.17,CC6.1,MFA enrollment report from Entra ID; exception log,Not Ready,23 service accounts not MFA-enrolled (R-003). Entra ID report will show gaps.,Marcus Chen
4,Access Control,Access reviews are conducted quarterly and completed on time,A.9.5,CC6.3,Access review completion reports for all four quarters of audit period,In Progress,Q4 2025 completed late (R-007). Q1 2026 review in progress. Q2/Q3 2025 completed on time; reports available.,Marcus Chen
5,Access Control,Third-party vendor access is time-limited and supervised,A.5.19 / A.5.22,CC9.2,Vendor access agreements; access logs showing session scope and duration,Not Ready,Clearbridge Analytics has standing access (R-004). Access agreement under revision. Current logs show unsupervised access.,Jordan Lee
6,Data Protection,Encryption at rest is enabled for all storage containing client PII,A.8.24,CC6.7,Azure storage encryption configuration report; data inventory showing PII locations,Not Ready,3 Azure Blob containers with client PII not encrypted (R-002). Configuration screenshots will show gaps.,Marcus Chen
7,Audit & Logging,Audit logs are retained for a minimum of 2 years,A.8.15,CC7.2,Purview retention policy configuration; sample log export showing date range,Not Ready,Current retention: 90 days. Required: 2 years (R-012). Interim weekly export documented but policy not yet updated.,Priya Nair
8,Incident Response,Incident response plan is documented and tested annually,A.5.24 / A.5.26,CC7.3,Incident response policy document; tabletop exercise report from last 12 months,Not Ready,Last tabletop: April 2024 (18 months ago; R-005). Next tabletop scheduled September 2026. No recent test report available.,Priya Nair
9,Vulnerability Management,Critical and High vulnerabilities are remediated within defined SLAs,A.8.8,CC7.1,Penetration test report (November 2025); remediation tracking log; rescan results,In Progress,2 High findings from November 2025 pen test not yet remediated (R-009). WAF mitigation in place. Full remediation July 2026.,Marcus Chen
10,Change Management,All infrastructure changes undergo security review before implementation,A.8.32,CC8.1,Change management policy; change log showing security review approval for all changes in audit period,In Progress,3 changes bypassed security review (R-010). Policy revision in progress. Change log evidence will show gaps for those 3 changes.,Priya Nair
11,Security Awareness,All employees complete mandatory annual security awareness training,A.6.3,CC2.2,LMS completion report showing 100% (or near 100%) completion,In Progress,Current completion rate: 67% (R-008). Campaign in progress. Completion report will reflect current 67% rate.,Jordan Lee
12,Data Classification,All data assets are classified and labeled per the data classification scheme,A.5.12 / A.5.13,CC6.7,Data classification policy; Purview sensitivity label report; data inventory,In Progress,~12000 legacy SharePoint documents unlabeled (R-011). Auto-labeling pilot running. Full coverage not expected before audit.,Jordan Lee
13,Business Continuity,Business continuity plan is documented and reviewed annually,A.5.29 / A.5.30,A1.2,BCP document with review date; business impact analysis; recovery time objectives,In Progress,BCP last updated 2023 (R-006). Revision in progress. Current version does not reflect cloud architecture. Draft expected August 2026.,Dana Olufsen
14,Data Retention,Data retention schedules are documented and enforced for all data categories,A.8.10,CC6.5,Data retention policy; evidence of automated retention enforcement (Purview policies); disposal certificates,Ready,Retention policy POL-DR-001 v2.3 current. Purview retention policies in place for all categories except audit logs (tracked separately as R-012). Disposal certificates available.,Dana Olufsen
15,Identity & Access Management,Terminated employee access is revoked within 24 hours of separation,A.5.18,CC6.2,HR termination report; access deprovisioning log showing timestamps relative to termination date,Ready,HR-IT integration via ServiceNow auto-triggers deprovisioning. Last 6-month deprovisioning log available. Average time: 3.2 hours.,Marcus Chen