Controls Library
The Controls Library is the central repository of all security and compliance controls within the OpsPilot365 Trust Center. Each control is mapped to one or more compliance frameworks, linked to evidence sources, and continuously assessed against your managed Microsoft 365 tenants.
Note: Controls are defined once and mapped across multiple frameworks. When a control like “Enforce MFA for all administrators” is implemented, it simultaneously satisfies requirements in SOC 2 (CC6.1), HIPAA (164.312(d)), NIST 800-171 (3.5.3), CIS (1.1.1), and CMMC (IA.L2-3.5.3). This eliminates duplicate work across compliance programs.
Library Overview
| Metric | Value |
|---|---|
| Total Controls | 247 |
| Implemented | 168 |
| Partial / Planned | 52 |
| Not Applicable | 27 |
Control Categories
Technical Controls
Automated, system-enforced controls configured within Microsoft 365 services. Continuously assessed via the Microsoft Graph API.
- Access Control — MFA enforcement, Conditional Access policies, PIM role activation, password policies, session controls
- Data Protection — DLP policies, sensitivity labels, encryption at rest, Azure Information Protection, retention policies
- Network Security — Named locations, IP restrictions, Exchange connectors, TLS enforcement, Safe Links
- Endpoint Security — Intune compliance, BitLocker, Defender for Endpoint, security baselines, ASR rules
- Logging and Monitoring — Unified audit log, sign-in logs, mailbox auditing, alert policies, threat detection
- Application Security — OAuth consent policies, app governance, enterprise app permissions, API permissions
Administrative Controls
Policy and process-based controls that require human verification. Tracked through manual attestation and evidence uploads.
- Security Policies — Acceptable use policy, information security policy, incident response plan, change management
- Personnel Security — Background checks, security awareness training, role-based access reviews, onboarding/offboarding
- Risk Management — Risk assessments, vendor management, business continuity planning, disaster recovery
- Governance — Board oversight, compliance officer designation, policy review cycles, audit schedules
Physical Controls
Physical environment controls. For cloud-hosted Microsoft 365 environments, most physical controls are inherited from Microsoft’s data center certifications.
- Inherited (Microsoft) — Data center physical security, environmental controls, media disposal, hardware lifecycle
- Customer Responsibility — Office facility security, workstation physical security, visitor management, clean desk policy
Control Implementation Status
| Status | Description | Assessment Method | Count |
|---|---|---|---|
| Implemented | Fully deployed and operational across all applicable tenants | Automated scan or manual attestation | 168 |
| Partial | Implemented in some tenants or only partially configured | Per-tenant assessment with coverage percentage | 34 |
| Planned | Scheduled for implementation with a target date | Manual tracking with milestone dates | 18 |
| Not Applicable | Does not apply to the environment | Documented justification required | 27 |
Sample Controls
| Control ID | Control Name | Category | Framework Mappings | Status |
|---|---|---|---|---|
| TC-AC-001 | Enforce MFA for All Users | Technical | SOC 2 CC6.1, HIPAA 164.312(d), NIST IA-2, CIS 1.1.1, CMMC IA.L2 | Implemented |
| TC-AC-002 | Block Legacy Authentication | Technical | SOC 2 CC6.1, CIS 1.1.3, NIST IA-5, CMMC IA.L2 | Partial |
| TC-DP-001 | Configure DLP Policies | Technical | SOC 2 CC6.7, HIPAA 164.312(c), GDPR Art.32, NIST SC-7 | Planned |
| TC-LM-001 | Enable Unified Audit Logging | Technical | SOC 2 CC7.2, HIPAA 164.312(b), NIST AU-2, CIS 3.1, CMMC AU.L2 | Implemented |
| TC-AD-001 | Security Awareness Training | Administrative | SOC 2 CC1.4, HIPAA 164.308(a)(5), NIST AT-2, CMMC AT.L2 | Implemented |
| TC-ES-001 | Deploy Defender for Endpoint | Technical | SOC 2 CC6.8, NIST SI-3, CIS 8.1, CMMC SI.L2 | Partial |
| TC-PH-001 | Data Center Physical Security | Physical | SOC 2 CC6.4, HIPAA 164.310, ISO 27001 A.11, NIST PE-2 | Inherited |
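The note at the top of this page says a single control is defined once and mapped to clauses in several frameworks; the sample table above shows what those mappings look like. The Python below is an added example, not OpsPilot365 code, that loads the seven sample controls from the table, inverts the control-to-framework mapping, and rolls each control's status up into a per-framework coverage figure and gap list. The `Control` class, the `SATISFIED` and `EXCLUDED` sets, and the rule that `Inherited` counts as satisfied while `Not Applicable` is excluded from the denominator are assumptions made for the example; the clause references and statuses come from the table.

```python
from collections import Counter, defaultdict
from dataclasses import dataclass

SATISFIED = {"Implemented", "Inherited"}   # assumed: counts as meeting the mapped clause
EXCLUDED = {"Not Applicable"}              # assumed: dropped from the coverage denominator


@dataclass(frozen=True)
class Control:
    control_id: str
    name: str
    category: str
    mappings: tuple   # framework clause references, e.g. "SOC 2 CC6.1"
    status: str       # Implemented | Partial | Planned | Not Applicable | Inherited


# Constructed from the Sample Controls table on this page.
SAMPLE_CONTROLS = (
    Control("TC-AC-001", "Enforce MFA for All Users", "Technical",
            ("SOC 2 CC6.1", "HIPAA 164.312(d)", "NIST IA-2", "CIS 1.1.1", "CMMC IA.L2"), "Implemented"),
    Control("TC-AC-002", "Block Legacy Authentication", "Technical",
            ("SOC 2 CC6.1", "CIS 1.1.3", "NIST IA-5", "CMMC IA.L2"), "Partial"),
    Control("TC-DP-001", "Configure DLP Policies", "Technical",
            ("SOC 2 CC6.7", "HIPAA 164.312(c)", "GDPR Art.32", "NIST SC-7"), "Planned"),
    Control("TC-LM-001", "Enable Unified Audit Logging", "Technical",
            ("SOC 2 CC7.2", "HIPAA 164.312(b)", "NIST AU-2", "CIS 3.1", "CMMC AU.L2"), "Implemented"),
    Control("TC-AD-001", "Security Awareness Training", "Administrative",
            ("SOC 2 CC1.4", "HIPAA 164.308(a)(5)", "NIST AT-2", "CMMC AT.L2"), "Implemented"),
    Control("TC-ES-001", "Deploy Defender for Endpoint", "Technical",
            ("SOC 2 CC6.8", "NIST SI-3", "CIS 8.1", "CMMC SI.L2"), "Partial"),
    Control("TC-PH-001", "Data Center Physical Security", "Physical",
            ("SOC 2 CC6.4", "HIPAA 164.310", "ISO 27001 A.11", "NIST PE-2"), "Inherited"),
)


def framework_of(mapping):
    """Framework name from a clause reference: the clause id is the last whitespace token."""
    return mapping.rsplit(" ", 1)[0]


def index_by_framework(controls):
    """Invert the mapping: framework -> controls that reference any clause of it."""
    index = defaultdict(list)
    for c in controls:
        for fw in {framework_of(m) for m in c.mappings}:   # a control may cite two clauses of one framework
            index[fw].append(c)
    return index


def framework_coverage(controls, framework):
    """Roll control status up into one framework's coverage percentage and open gaps."""
    scoped = [c for c in index_by_framework(controls)[framework] if c.status not in EXCLUDED]
    satisfied = [c for c in scoped if c.status in SATISFIED]
    gaps = [c.control_id for c in scoped if c.status not in SATISFIED]
    pct = round(100.0 * len(satisfied) / len(scoped), 1) if scoped else 0.0
    return {"framework": framework, "in_scope": len(scoped),
            "satisfied": len(satisfied), "coverage_pct": pct, "gaps": gaps}


def high_impact_controls(controls, min_frameworks=4):
    """Controls mapped to at least min_frameworks frameworks, most widely shared first."""
    counted = [(len({framework_of(m) for m in c.mappings}), c.control_id) for c in controls]
    return [cid for n, cid in sorted(counted, key=lambda t: (-t[0], t[1])) if n >= min_frameworks]


def status_summary(controls):
    """Count controls per implementation status, as in the Library Overview table."""
    return dict(Counter(c.status for c in controls))


if __name__ == "__main__":
    for fw in sorted(index_by_framework(SAMPLE_CONTROLS)):
        print(framework_coverage(SAMPLE_CONTROLS, fw))
    print("high-impact:", high_impact_controls(SAMPLE_CONTROLS, min_frameworks=5))
```

Running it shows why the shared mapping matters: the two `Partial` technical controls and the `Planned` DLP control open gaps in SOC 2, NIST, CIS and CMMC at once, and closing `TC-AC-002` alone moves four frameworks forward. `high_impact_controls` is the ordering the Best Practices section suggests starting from.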
Evidence Mapping
| Evidence Type | Collection Method | Example | Refresh Frequency |
|---|---|---|---|
| Configuration Snapshot | Automated via Graph API | Conditional Access policy JSON export | Every 4 hours |
| Compliance Report | Automated via Graph API | Intune device compliance state report | Daily |
| Audit Log Extract | Automated via Graph API | Admin activity logs for past 90 days | Daily |
| Policy Document | Manual upload | Information security policy PDF | Annual review |
| Training Record | Manual upload or integration | Security awareness completion certificates | Quarterly |
| Screenshot / Attestation | Manual upload | Management sign-off on risk acceptance | As needed |
Control Testing and Validation
- Automated Continuous Assessment — Technical controls assessed every 4 hours via Microsoft Graph API. Checks actual configurations against expected baselines.
- Scheduled Manual Review — Administrative and physical controls reviewed on a configurable schedule (monthly, quarterly, annual). OpsPilot365 sends reminders to control owners.
- On-Demand Validation — Trigger manual reassessment of any control at any time. Useful before audits, after major changes, or during incident investigation.
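The automated assessment described above compares the configuration actually found in each tenant against an expected baseline, and the Control Implementation Status table turns the per-tenant outcome into `Implemented` (every tenant passes) or `Partial` (some tenants pass, with a coverage percentage). The Python below is an added example of that loop, written for this page and not taken from OpsPilot365. It evaluates two of the sample controls, `TC-AC-001` and `TC-AC-002`, against Conditional Access policy snapshots, and flags a snapshot as stale when it is older than the 4-hour refresh interval from the Evidence Mapping table. The snapshots are constructed for the example in the shape of a Microsoft Graph `conditionalAccess` policy export; the tenant names, timestamps, policy contents, the `BASELINE` predicates and the `Not Implemented` label for zero coverage are all assumptions.

```python
from datetime import datetime, timedelta, timezone

REFRESH_INTERVAL = timedelta(hours=4)   # configuration snapshots refresh every 4 hours (Evidence Mapping)
NOW = datetime(2024, 6, 1, 12, 0, tzinfo=timezone.utc)   # fixed "now" so the example is reproducible

# Constructed snapshots shaped like Graph conditionalAccess policy exports; everything here is invented.
SNAPSHOTS = {
    "contoso.onmicrosoft.com": {
        "collected_at": "2024-06-01T10:30:00Z",
        "policies": [
            {"displayName": "Require MFA for all users", "state": "enabled",
             "conditions": {"users": {"includeUsers": ["All"], "excludeUsers": []},
                            "applications": {"includeApplications": ["All"]},
                            "clientAppTypes": ["all"]},
             "grantControls": {"operator": "OR", "builtInControls": ["mfa"]}},
            {"displayName": "Block legacy authentication", "state": "enabled",
             "conditions": {"users": {"includeUsers": ["All"], "excludeUsers": []},
                            "applications": {"includeApplications": ["All"]},
                            "clientAppTypes": ["exchangeActiveSync", "other"]},
             "grantControls": {"operator": "OR", "builtInControls": ["block"]}},
        ],
    },
    "fabrikam.onmicrosoft.com": {
        "collected_at": "2024-06-01T05:00:00Z",   # older than the 4-hour refresh window
        "policies": [
            {"displayName": "Require MFA for all users", "state": "enabledForReportingButNotEnforced",
             "conditions": {"users": {"includeUsers": ["All"], "excludeUsers": []},
                            "applications": {"includeApplications": ["All"]},
                            "clientAppTypes": ["all"]},
             "grantControls": {"operator": "OR", "builtInControls": ["mfa"]}},
        ],
    },
}


def _all_users(policy):
    return "All" in policy.get("conditions", {}).get("users", {}).get("includeUsers", [])


def _all_apps(policy):
    return "All" in policy.get("conditions", {}).get("applications", {}).get("includeApplications", [])


def _grants(policy):
    return set(policy.get("grantControls", {}).get("builtInControls", []))


def enforces_mfa_for_all(policy):
    """TC-AC-001 baseline: an enforced policy scoped to all users and all apps that grants only with MFA."""
    return (policy.get("state") == "enabled" and _all_users(policy) and _all_apps(policy)
            and "mfa" in _grants(policy))


def blocks_legacy_auth(policy):
    """TC-AC-002 baseline: an enforced block for all users on the legacy client app types."""
    client_apps = set(policy.get("conditions", {}).get("clientAppTypes", []))
    return (policy.get("state") == "enabled" and _all_users(policy)
            and _grants(policy) == {"block"}
            and {"exchangeActiveSync", "other"} <= client_apps)


# Assumed baseline: control id -> predicate that at least one policy in the snapshot must satisfy.
BASELINE = {"TC-AC-001": enforces_mfa_for_all, "TC-AC-002": blocks_legacy_auth}


def evidence_is_fresh(collected_at, now=NOW):
    """True when the snapshot is within one refresh interval of now; stale evidence cannot back a status."""
    collected = datetime.fromisoformat(collected_at.replace("Z", "+00:00"))
    return now - collected <= REFRESH_INTERVAL


def assess_tenant(snapshot, now=NOW):
    """Per-tenant pass/fail for every baseline control, plus evidence freshness."""
    result = {cid: any(check(p) for p in snapshot["policies"]) for cid, check in BASELINE.items()}
    result["evidence_fresh"] = evidence_is_fresh(snapshot["collected_at"], now)
    return result


def assess_controls(snapshots, now=NOW):
    """Roll tenant results into Implemented / Partial with a coverage percentage, as the status table defines."""
    per_tenant = {t: assess_tenant(s, now) for t, s in snapshots.items()}
    stale = sorted(t for t, r in per_tenant.items() if not r["evidence_fresh"])
    out = {}
    for cid in BASELINE:
        passing = sorted(t for t, r in per_tenant.items() if r[cid])
        pct = round(100.0 * len(passing) / len(per_tenant), 1)
        status = "Implemented" if pct == 100.0 else "Partial" if passing else "Not Implemented"
        out[cid] = {"status": status, "coverage_pct": pct,
                    "passing_tenants": passing, "stale_evidence": stale}
    return out


if __name__ == "__main__":
    for cid, r in assess_controls(SNAPSHOTS).items():
        print(cid, r)
```

The report-only policy in the second tenant is the case worth noticing: it looks like MFA enforcement in a policy listing but does not satisfy the control, so the check keys on `state == "enabled"` rather than on the policy name. The stale-evidence list is kept separate from the pass/fail result so a reviewer can see that a status was computed from an outdated snapshot instead of silently trusting it.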
Best Practices
- Assign a designated owner to every control for accountability and timely reviews
- Start with high-impact controls that map to multiple frameworks (MFA, audit logging, encryption)
- Document justifications when marking a control as Not Applicable
- Use inherited controls for physical security, linking to Microsoft’s SOC 2 Type II report
- Review control effectiveness quarterly to ensure alignment with evolving threats
API Reference
- GET /api/addons/trust-center/controls — List all controls with status, category, and framework mappings
- GET /api/addons/trust-center/controls/:controlId — Get detailed control information
- PUT /api/addons/trust-center/controls/:controlId/status — Update control implementation status
- GET /api/addons/trust-center/controls/:controlId/evidence — List evidence artifacts for a control
- POST /api/addons/trust-center/controls/:controlId/evidence — Upload evidence artifact
- POST /api/addons/trust-center/controls/:controlId/validate — Trigger on-demand validation
- GET /api/addons/trust-center/controls/categories — List control categories with counts
- GET /api/addons/trust-center/controls/:controlId/frameworks — List frameworks referencing a control
- PUT /api/addons/trust-center/controls/:controlId/owner — Assign or update control owner
- GET /api/addons/trust-center/controls/export — Export controls library as CSV or PDF