ISO 27001 (12 controls)

A.5.1 Information Security Policy
"Do you have a written information security policy approved by management?"
What You Need To Do: Write a 2-3 page policy covering data classification, access control, incident response, and acceptable use. Have your CEO or board sign it. Review it annually. This is the foundation document that every other control references.
Evidence needed: Signed policy document (PDF), board minutes showing approval, annual review record

A.5.2 Roles & Responsibilities
"Have you assigned clear security responsibilities to specific people?"
What You Need To Do: Define who is responsible for security in your organisation: a CISO (or equivalent), data owners for each system, and an incident response lead. Document these in a RACI matrix.
Evidence needed: RACI matrix, org chart with security roles highlighted, role descriptions

A.5.3 Segregation of Duties
"Can any single person both approve and execute sensitive actions?"
What You Need To Do: Ensure no one person can both approve access AND grant it, or both write code AND deploy it to production. Review all admin accounts for conflicting roles.
Evidence needed: SoD rule documentation, role conflict analysis, exception register

A.8.5 Secure Authentication
"Do all your users need a second factor (phone app, security key) to log in?"
What You Need To Do: Enable Multi-Factor Authentication (MFA) for ALL users, not just admins. If you use Microsoft 365, go to Entra ID > Security > Conditional Access and create a policy requiring MFA. If you use Google Workspace, enable 2-Step Verification.
Evidence needed: MFA policy screenshots, conditional access policy export, MFA enrollment report

A.5.24 Incident Response Planning
"Do you have a documented plan for when a security incident happens?"
What You Need To Do: Write an Incident Response Plan covering: (1) who to call, (2) how to contain the breach, (3) when to notify regulators (OAIC requires 72 hours for notifiable breaches), (4) the post-incident review process.
Evidence needed: Incident Response Plan document, contact list, tabletop exercise records

A.8.8 Vulnerability Management
"Do you regularly scan your systems for security vulnerabilities?"
What You Need To Do: Run monthly vulnerability scans on all internet-facing systems. Fix critical findings within 48 hours and high findings within 7 days. Use Qualys, Nessus, or the free OpenVAS. Keep records of every scan and remediation.
Evidence needed: Monthly scan reports, remediation tracking log, patch management records

A.5.19 Supplier Security
"Do your vendors who handle your data have adequate security controls?"
What You Need To Do: List ALL vendors who store or process your data. Check whether each has SOC 2 Type II or ISO 27001 certification. Sign a Data Processing Agreement (DPA) with every vendor. Review annually.
Evidence needed: Vendor register, DPA copies, vendor certification evidence, risk assessment

A.6.1 Personnel Screening
"Do you background-check employees before giving them access to sensitive systems?"
What You Need To Do: Implement background checks for all employees who will access sensitive data. For contractors, require agency-provided screening evidence. Document the screening process.
Evidence needed: Background check policy, screening records (redacted), contractor vetting SOP

A.6.3 Security Awareness Training
"Do your staff receive regular security training?"
What You Need To Do: Implement mandatory security awareness training for all staff. Include phishing recognition, password hygiene, data handling, and incident reporting. Track completion. Run quarterly phishing simulations.
Evidence needed: Training completion reports, phishing simulation results, training materials

A.8.9 Configuration Management
"Do you have a formal process for approving changes to production systems?"
What You Need To Do: Establish a Change Advisory Board (CAB) or equivalent approval process. All production changes require approval before implementation. Document rollback procedures for each change.
Evidence needed: Change management policy, CAB meeting minutes, change request records

A.5.22 Supplier Monitoring
"Do you continuously monitor your vendors' security posture?"
What You Need To Do: Track vendor certification expiry dates. Set up alerts for vendor breach notifications. Conduct annual vendor security reviews. Use Activitee's VRM module to automate this.
Evidence needed: Vendor review schedule, breach monitoring evidence, certification tracker

A.7.1 Physical Security
"Are your offices and data centres physically secure?"
What You Need To Do: If you use cloud infrastructure (AWS, Azure, GCP), physical security is inherited from the provider; document that inheritance. If on-premises, implement access badges, CCTV, visitor logs, and secure server rooms.
Evidence needed: Cloud provider SOC 2 report, physical access logs, CCTV policy
SOC 2 (8 controls)

CC1.1 Integrity & Ethics
"Does your organisation have a code of conduct that all employees acknowledge?"
What You Need To Do: Write a Code of Conduct covering ethical behaviour, conflicts of interest, and whistleblower protection. Require annual acknowledgement from all staff.
Evidence needed: Code of Conduct document, signed acknowledgement records

CC3.2 Risk Assessment
"Do you formally identify and assess security risks?"
What You Need To Do: Maintain a Risk Register listing all security risks. Score each by likelihood and impact. Define treatment strategies (mitigate, accept, transfer, avoid). Review quarterly.
Evidence needed: Risk register, risk assessment methodology, quarterly review minutes

CC6.1 Logical Access Controls
"How do you control who can access your systems?"
What You Need To Do: Implement role-based access control (RBAC). Enforce MFA for all users. Use a PAM solution for privileged access. Eliminate shared accounts.
Evidence needed: RBAC documentation, MFA policy, PAM configuration, service account inventory

CC6.2 Access Provisioning
"How do you grant access to new joiners and revoke it for leavers?"
What You Need To Do: Implement automated provisioning: a new starter gets role-appropriate access on day 1, and a leaver has all access revoked within 24 hours. No manual account creation.
Evidence needed: Onboarding checklist, offboarding SOP, provisioning logs, orphan account reports

CC6.3 Access Reviews
"Do you regularly review who has access to what?"
What You Need To Do: Conduct quarterly access certification campaigns. Every manager reviews their team's access. Revoke unnecessary permissions. Document the attestation.
Evidence needed: Certification campaign results, recertification evidence, exception approvals

CC7.1 Vulnerability Management
"Do you scan for and fix vulnerabilities regularly?"
What You Need To Do: Run monthly external scans and quarterly internal scans. Remediation SLA: critical = 48 hours, high = 7 days, medium = 30 days. Track remediation in a ticketing system.
Evidence needed: Scan results, remediation SLA tracking, patch compliance dashboard

CC7.2 Security Monitoring
"Do you monitor your systems for suspicious activity?"
What You Need To Do: Centralise logs in a SIEM (Datadog, Splunk, Elastic). Forward logs from ALL systems, including SaaS apps. Set up alerting rules for anomalous behaviour.
Evidence needed: SIEM dashboard screenshots, alerting rule configuration, log source inventory

CC8.1 Change Management
"Do you formally control changes to your production environment?"
What You Need To Do: Require approval for all production changes. Document rollback procedures. Separate development from production environments. Use feature flags for releases.
Evidence needed: Change management policy, approval records, deployment procedures
Essential Eight (6 controls)

E8-1 Application Control
"Can only approved software run on your computers?"
What You Need To Do: Implement application whitelisting on all workstations and servers so that only approved applications can execute. Use Microsoft AppLocker or similar.
Evidence needed: AppLocker policy export, approved application list, blocked execution logs

E8-2 Patch Applications
"Do you update your software within 48 hours of a critical patch?"
What You Need To Do: Subscribe to vendor security advisories. Apply critical patches within 48 hours and high-severity patches within 7 days. Automate where possible (WSUS, SCCM, Intune).
Evidence needed: Patch compliance report, patching schedule, automated deployment logs

E8-3 MS Office Macro Settings
"Are macros disabled for documents from the internet?"
What You Need To Do: Block macros in files from the internet. Only allow macros from trusted locations. Disable VBA in PowerPoint. Log macro execution attempts.
Evidence needed: Group Policy settings, macro trust configuration, execution logs

E8-5 Restrict Admin Privileges
"Do your admins use separate accounts for admin tasks?"
What You Need To Do: Create separate admin accounts (not used for email or browsing). Implement JIT (just-in-time) privilege elevation. Review admin access monthly.
Evidence needed: Admin account inventory, JIT policy, monthly review records

E8-7 Multi-Factor Authentication
"Do all users use phishing-resistant MFA?"
What You Need To Do: Deploy FIDO2 security keys or Windows Hello for Business. Phase out SMS-based MFA. Enforce MFA for all users on all systems.
Evidence needed: MFA enrollment report, conditional access policies, phishing-resistant MFA rollout plan

E8-8 Regular Backups
"Are your backups tested and stored offline?"
What You Need To Do: Take daily backups of critical data. Test recovery quarterly. Keep offline copies (not connected to the network). Define RTO and RPO for each system.
Evidence needed: Backup schedule, recovery test results, offline backup verification, RTO/RPO documentation