ISO 27001 Framework
Map your Microsoft 365 tenant configurations to the ISO/IEC 27001 Information Security Management System (ISMS) standard. OpsPilot365 Trust Center automates Annex A control assessments, supports risk treatment planning, and generates Statement of Applicability documentation for certification preparation.
Note: ISO 27001 compliance mapping is part of the Trust Center add-on. It covers all 93 Annex A controls from the ISO 27001:2022 revision, with automated assessments for controls applicable to Microsoft 365 environments managed by MSPs.
ISMS Approach
ISO 27001 requires organizations to establish, implement, maintain, and continually improve an Information Security Management System. OpsPilot365 supports the ISMS lifecycle for M365-related controls.
- Plan — Risk assessment, scope definition, control selection.
- Do — Implement controls via M365 policies and configurations.
- Check — Automated monitoring, audits, management review.
- Act — Corrective actions, continual improvement, drift remediation.
Annex A Control Categories (ISO 27001:2022)
The 2022 revision consolidates controls into four themes. OpsPilot365 maps Microsoft 365 settings to each applicable Annex A control, providing automated assessment where possible.
| Theme | Controls | Key M365 Mappings | Auto-Assessed |
|---|---|---|---|
| Organizational (A.5) | 37 controls | Information security policies, roles, threat intelligence, supplier management | 18 of 37 |
| People (A.6) | 8 controls | User onboarding/offboarding, security awareness, access reviews | 5 of 8 |
| Physical (A.7) | 14 controls | Device management via Intune, BitLocker, remote wipe | 6 of 14 |
| Technological (A.8) | 34 controls | MFA, encryption, DLP, logging, malware protection, network controls | 28 of 34 |
Key Annex A Control Mappings
Detailed mapping between Annex A controls and Microsoft 365 configurations assessed by OpsPilot365.
| Control ID | Control Name | M365 Implementation |
|---|---|---|
| A.5.1 | Policies for information security | Security policy documents, Conditional Access policies |
| A.5.15 | Access control | Entra ID Conditional Access, RBAC, PIM |
| A.8.2 | Privileged access rights | PIM role assignments, just-in-time access, admin MFA |
| A.8.5 | Secure authentication | MFA enforcement, passwordless methods, legacy auth blocking |
| A.8.10 | Information deletion | Retention policies, data lifecycle management |
| A.8.11 | Data masking | Sensitivity labels, DLP policies, information barriers |
| A.8.15 | Logging | Unified Audit Log, sign-in logs, mailbox auditing |
| A.8.24 | Use of cryptography | TLS enforcement, S/MIME, message encryption, BitLocker |
Risk Assessment and Treatment
ISO 27001 clause 6.1 requires a formal risk assessment and treatment process. OpsPilot365 integrates risk analysis data from Microsoft 365 to support this requirement.
- Risk Identification — Automated asset inventory from Microsoft 365 services, threat intelligence from Microsoft Defender signals, vulnerability data from Secure Score and compliance scans, configuration risk scoring based on deviation from best practices.
- Risk Treatment Options — Mitigate: Apply M365 controls to reduce risk. Transfer: Document shared responsibility with Microsoft. Accept: Record risk acceptance with management approval. Avoid: Disable services or features introducing risk.
- Risk Register — Centralized risk register linked to M365 controls, impact and likelihood scoring matrix, risk owner assignment per tenant or control area, treatment plan tracking with status and deadlines.
- Management Review — Scheduled review reports for leadership, risk trend analysis over time, effectiveness measurement of implemented controls, exportable reports for ISMS management review meetings.
Statement of Applicability (SoA)
The SoA is a mandatory document for ISO 27001 certification that lists all Annex A controls and states whether each is applicable, implemented, and justified. OpsPilot365 auto-generates this document.
Note: OpsPilot365 generates the Statement of Applicability based on the tenant’s M365 service usage and control assessment results. Controls not relevant to cloud-based M365 services are automatically marked as not applicable with justifications. MSPs can override applicability for client-specific requirements.
| SoA Field | Description | Auto-Populated |
|---|---|---|
| Control Reference | Annex A control identifier and name | Yes |
| Applicable | Whether the control is in scope | Yes |
| Justification | Reason for inclusion or exclusion | Yes |
| Implementation Status | Current implementation level | Yes |
| Implementation Method | How the control is achieved in M365 | Yes |
| Evidence Reference | Link to collected evidence artifacts | Yes |
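The following is an added illustration, not OpsPilot365 code, of how one SoA row with the six fields above can be derived from a control's assessment result, the tenant's in-scope M365 services, and an optional MSP override. The `Control` class, the sample controls, the service names, and the evidence identifiers are all constructed for the example.

```python
# Added illustration (not OpsPilot365 code): derive SoA rows from control
# assessment results, in-scope M365 services, and MSP applicability overrides.
from dataclasses import dataclass, field


@dataclass
class Control:
    control_id: str
    name: str
    services: frozenset            # M365 services the control relies on (constructed)
    method: str                    # how the control is achieved in M365
    status: str                    # "implemented", "partial" or "not_implemented"
    evidence: list = field(default_factory=list)


def soa_row(ctrl, in_scope_services, overrides=None):
    """Build one SoA entry; overrides map control_id -> (applicable, justification)."""
    overrides = overrides or {}
    if ctrl.control_id in overrides:
        # MSP override for a client-specific requirement wins over auto-scoping.
        applicable, reason = overrides[ctrl.control_id]
        justification = f"MSP override: {reason}"
    elif ctrl.services and ctrl.services.isdisjoint(in_scope_services):
        # None of the services the control depends on is used by the tenant.
        applicable = False
        justification = f"No in-scope M365 service for {ctrl.control_id}"
    else:
        applicable = True
        justification = f"Supported by {', '.join(sorted(ctrl.services))}"
    return {
        "control_reference": f"{ctrl.control_id} {ctrl.name}",
        "applicable": applicable,
        "justification": justification,
        "implementation_status": ctrl.status if applicable else "n/a",
        "implementation_method": ctrl.method if applicable else "n/a",
        "evidence_reference": list(ctrl.evidence) if applicable else [],
    }


# Constructed sample data based on the mapping table on this page.
SAMPLE_CONTROLS = [
    Control("A.8.5", "Secure authentication", frozenset({"Entra ID"}),
            "MFA enforcement, legacy auth blocking", "implemented", ["evid-mfa-001"]),
    Control("A.8.24", "Use of cryptography", frozenset({"Exchange Online", "Intune"}),
            "TLS enforcement, message encryption, BitLocker", "partial"),
]


def generate_soa(controls, in_scope_services, overrides=None):
    """Return the SoA as a list of row dicts, one per Annex A control."""
    return [soa_row(c, in_scope_services, overrides) for c in controls]
```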
Certification Preparation
OpsPilot365 helps MSPs guide their clients through the ISO 27001 certification journey by tracking readiness across all required documentation and control areas.
- Gap Analysis Report — Comprehensive comparison of current M365 configurations against all applicable Annex A controls, identifying gaps and providing prioritized remediation guidance.
- Internal Audit Support — Generate internal audit checklists based on control assessments. Track findings, non-conformities, and corrective actions with deadlines and ownership.
- Stage 1 Readiness Check — Verify that ISMS documentation (scope, SoA, risk assessment, policies) is complete before the Stage 1 certification audit, which is a document review.
- Stage 2 Evidence Package — Export complete evidence packages demonstrating control effectiveness for the Stage 2 on-site certification audit.
API Reference
- GET /api/addons/trust-center/frameworks/iso27001/status — Get ISO 27001 compliance status summary for a tenant
- GET /api/addons/trust-center/frameworks/iso27001/controls — List all Annex A controls with assessment results
- GET /api/addons/trust-center/frameworks/iso27001/soa — Generate or retrieve the Statement of Applicability
- GET /api/addons/trust-center/frameworks/iso27001/risks — Get risk register entries linked to ISO 27001 controls
- POST /api/addons/trust-center/frameworks/iso27001/scan — Trigger an ISO 27001 compliance assessment scan
- GET /api/addons/trust-center/frameworks/iso27001/evidence — Export evidence package for certification audit
- GET /api/addons/trust-center/frameworks/iso27001/gap-analysis — Generate gap analysis report for certification preparation