ENS & ISO 27001 Checklist in Microsoft 365 and Azure (2025) — Complete Guide
The National Security Framework (ENS) and ISO/IEC 27001:2022 share the same purpose: protect information and back it with evidence. In Microsoft 365 and Azure this is achieved through strong identity, technical governance, data protection, continuous monitoring, incident response, and business continuity. Throughout this guide each area is broken down—what it implies, how to configure it, how to verify it, and how to keep valid audit evidence.
Adapting Microsoft 365 and Azure to ENS and ISO 27001
The client receives a comprehensive plan with technical controls, evidence, and audit support.
Executive summary and overview
The client needs to demonstrate that its information is protected and that such protection is sustainable. ENS sets measures for the Public Administration and providers; ISO 27001 structures the management system (ISMS) with policies, risks, controls, metrics, and review. The Microsoft platform provides native capabilities to materialize those controls and generate repeatable evidence.
The conceptual flow is straightforward: strong identity (Entra ID) → classified and protected data (Purview) → governed configuration (Azure Policy) → assessed posture (Defender for Cloud, MDE) → logging and detection (Log Analytics, Sentinel) → response and continuity (playbooks, backup/DR). Each block adds technical barriers and creates an auditable footprint.
ENS & ISO 27001: what they are, who they apply to, and how they fit together
ENS (Royal Decree 311/2022) structures security measures by categories (Basic/Medium/High) and relies on CCN-STIC guides that translate requirements by technology (for example, profiles for Azure and secure configurations for Microsoft 365). It applies to public-sector bodies and providers that deliver services to them, with a special focus on proportionality and traceability.
ISO/IEC 27001:2022 defines ISMS requirements and Annex A with 93 controls. It integrates risk management, scope, the Statement of Applicability (SoA), and continuous improvement (PDCA). It is certifiable by third parties, which brings external recognition and internal discipline.
Both frameworks are compatible: ISO provides the system and ENS provides the national catalogue of measures. In Microsoft, equivalence is supported by official mappings (for example, Azure Policy initiatives for ISO 27001 and ENS-specific documentation for Azure/M365) that facilitate verification.
Operating model in Microsoft: governance and responsibilities
The operating structure prevents controls from depending on specific people and facilitates auditing. Separation of duties and documented delegation are key: who designs, who approves, who deploys, and who monitors.
| Role | Scope | Key responsibilities | Deliverables |
|---|---|---|---|
| CISO / Security Lead | Global | Policy, risk analysis, SoA, controlled exceptions | Signed policies, risk register, current SoA |
| Platform Architecture | Azure/M365 | Landing zones, segmentation, tagging, system boundaries | Reference architecture, catalogs, and diagrams |
| Azure Administration | IaaS/PaaS | RBAC, networking, Azure Policy, Key Vault, diagnostics | Policy assignments, RBAC export, topologies |
| Microsoft 365 Administration | SaaS | Entra ID, DLP, retention, Defender, auditing | Applied policies and periodic reports |
| SecOps | Detection/Response | Sentinel, MDE, cases, playbooks, remediation | Rules, MTTA/MTTR metrics, post-mortems |
| Compliance | Audit | Traceability and custody of evidence | Dossier, calendar, and review minutes |
A practical cadence: monthly (privileges, access policies, anomalies), quarterly (DLP/retention, Policy exceptions, posture), semiannual (restore tests), annual (full internal audit and updated risk analysis).
Prerequisites, licensing, and functional scope
Before deploying, confirm which components are available in the tenant and subscriptions. This avoids coverage gaps and ensures visibility.
- Entra ID: multifactor authentication, Conditional Access, Privileged Identity Management, auditing, and access reviews.
- Microsoft Purview: classification and labels, label-based encryption, DLP for Email/SharePoint/OneDrive/Teams/endpoints, retention policies, eDiscovery.
- Defender: Microsoft Defender for Endpoint (EDR, vulnerabilities, isolation), Defender for Office/Apps/Identity, and Defender for Cloud for Azure.
- Azure: Management Groups, Azure Policy, Log Analytics, Microsoft Sentinel, Key Vault (CMEK), Backup, storage with immutability.
- Compliance portals: provider catalogs and documentation to append as reference in the client’s audits.
Step-by-step methodology: from requirement to evidence
The sequence turns requirements into controls and controls into repeatable evidence:
- Define scope: services, processed data, ENS category, and risk appetite. Determine zones (DEV/TEST/PROD) and internal/external dependencies.
- Map controls: relate ENS/ISO requirements to Microsoft capabilities: identity, data, network, configuration, logging, detection, response, and continuity.
- Identify gaps: assess impact and likelihood; estimate remediation effort; prioritize quick wins that reduce the most risk.
- Apply remediation: policy-as-code, Policy initiatives, scoped assignments, tags, documented exceptions with expiry date.
- Consolidate evidence: time-bound signed exports, reports with clear filters and periods, screenshots with context, custody location, and owners.
- Review and improve: internal audit, corrective actions, lessons learned, and incorporation into procedures.
Identity and access (Entra ID)
Most modern incidents rely on credentials. Access control in Entra ID drastically reduces that attack surface.
Objectives
- Universal strong authentication: MFA for all identities (including supported service accounts).
- Conditional Access: require conditions by context (user and session risk, platform, device compliance, location).
- Ephemeral privileges: PIM to grant just-in-time admin with approval, logging, and expiry.
- Resilience: controlled break-glass accounts, monitored and for exceptional use only.
- Continuous review: Access Reviews campaigns for critical roles and groups.
Suggested implementation
- Inventory current roles and admins; remove direct assignments and delegate via groups.
- Create baseline Conditional Access policies: require MFA, block unused high-risk countries, require compliant device for sensitive apps.
- Enable PIM for global and service roles; define approval flows and minimum viable durations.
- Configure two emergency accounts with usage controls and alerts; out-of-band custody.
- Plan quarterly access reviews and remove inactive members.
Useful evidence
- Export of Conditional Access policies with list of exclusions and rationale.
- PIM activity reports (activations, reasons, durations, approvals).
- Minutes from access reviews with decisions and owners.
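As an added example (not part of the original guide), the following Python script audits an exported set of Conditional Access policies for exactly the evidence listed above: an enforced policy that requires MFA for all users and all apps, any policy still in report-only mode, and every exclusion checked against a rationale register. The policy shape follows the Microsoft Graph conditionalAccessPolicy resource; the policies, account names and the exclusion register are constructed sample data for a hypothetical tenant.

```python
"""Audit exported Conditional Access policies: MFA-for-all baseline present,
no report-only policies left behind, and every exclusion backed by a rationale.
Policy shape follows the Microsoft Graph conditionalAccessPolicy resource;
the policies and exclusion register below are constructed sample data."""
import json

# Constructed export, shaped like the Graph response for conditional access policies.
CA_EXPORT = json.loads("""
{"value": [
 {"id": "p1", "displayName": "Require MFA for all users", "state": "enabled",
  "conditions": {"users": {"includeUsers": ["All"],
                           "excludeUsers": ["breakglass-1", "breakglass-2", "svc-legacy"]},
                 "applications": {"includeApplications": ["All"]}},
  "grantControls": {"operator": "OR", "builtInControls": ["mfa"]}},
 {"id": "p2", "displayName": "Require compliant device for Office 365",
  "state": "enabledForReportingButNotEnforced",
  "conditions": {"users": {"includeUsers": ["All"], "excludeUsers": []},
                 "applications": {"includeApplications": ["Office365"]}},
  "grantControls": {"operator": "OR", "builtInControls": ["compliantDevice"]}}
]}""")

# Constructed exclusion register kept by the security team: identity -> rationale.
EXCLUSION_REGISTER = {
    "breakglass-1": "Emergency account; out-of-band custody; sign-ins alerted",
    "breakglass-2": "Emergency account; out-of-band custody; sign-ins alerted",
}


def requires_mfa_for_all(policy):
    """True when the policy is enforced, targets all users and all apps, and MFA
    is mandatory (the only grant control, or combined with the AND operator)."""
    cond = policy["conditions"]
    grant = policy.get("grantControls") or {}
    controls = grant.get("builtInControls", [])
    mfa_mandatory = "mfa" in controls and (len(controls) == 1 or grant.get("operator") == "AND")
    return (policy["state"] == "enabled"
            and "All" in cond["users"].get("includeUsers", [])
            and "All" in cond["applications"].get("includeApplications", [])
            and mfa_mandatory)


def audit(export, register):
    """Return findings: missing MFA baseline, report-only policies, and
    exclusions that have no entry in the rationale register."""
    findings = []
    policies = export["value"]
    if not any(requires_mfa_for_all(p) for p in policies):
        findings.append("no enforced policy requires MFA for all users and all apps")
    for p in policies:
        if p["state"] == "enabledForReportingButNotEnforced":
            findings.append(f"{p['displayName']}: report-only, not enforcing")
        for user in p["conditions"]["users"].get("excludeUsers", []):
            if user not in register:
                findings.append(f"{p['displayName']}: exclusion '{user}' has no documented rationale")
    return findings


if __name__ == "__main__":
    for line in audit(CA_EXPORT, EXCLUSION_REGISTER):
        print("FINDING:", line)
```

Run against a real export, the finding list is the exclusion-and-rationale evidence the monthly review needs; an empty list is the passing state.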
Data protection and privacy (Microsoft Purview)
The goal is for information sensitivity to travel with the data and for improper exits to be prevented or clearly recorded.
Objectives
- Classification and labeling: simple, understandable taxonomy; labels with encryption where truly required.
- Channel-based DLP: coherent rules for email, sites, and endpoints; start in audit mode to understand impact and tune.
- Retention: keep what is necessary for legal or business obligations; avoid holding data without purpose.
- Investigation: eDiscovery and unified audit to reconstruct events when needed.
- Cryptographic control: Customer Key when an extra layer of key control is required.
Suggested implementation
- Define taxonomy with business and legal: concrete examples per label and responsible owners.
- Publish labels in informative mode and measure adoption; enable encryption only where essential.
- Deploy DLP in audit mode (Email and SharePoint/OneDrive), review false positives/negatives, and move to gradual blocking.
- Configure retention policies by document type (contracts, HR, tax, etc.) with justified exceptions.
- Establish a quarterly review process for DLP incidents and rule adjustments.
Useful evidence
- List of labels and scopes; screenshots of application and authorized decryption.
- DLP reports by period, with trends and corrective actions.
- Retention policies with regulatory justification and results from deletion audits.
Conceptual DLP example
Condition: Document labeled "Confidential" + external recipient
Action: Block send and notify
Exception: Designated owners with justification and logging
Technical governance in Azure (Management Groups, Policy, Key Vault)
Technical governance reduces configuration drift and makes exceptions visible. Management Group inheritance allows controlling by default what can and cannot be deployed.
Objectives
- Clear inheritance: Management Group structure by environment and/or region.
- Policy as guardrail: initiatives that assess and, where appropriate, prevent noncompliant deployments.
- Central logging: send diagnostics to a common workspace with adequate retention.
- Keys under control: Key Vault and CMEK for resources that support it.
- Minimal exposed network: Private Endpoints, modern TLS, and closure of legacy protocols.
Suggested implementation
- Define the Management Group structure (org → region/business unit → environment) and associate subscriptions.
- Assign the ISO 27001 initiative and other relevant ones (CIS/NIST/sector benchmarks) at the root group.
- Enable Diagnostic settings per subscription for Activity/Resource logs to Log Analytics.
- Set network standards: NSG/ASG, private subnets, Private DNS, secure gateways.
- Manage keys in Key Vault with rotation and access via RBAC/PIM and audit logs.
- Manage Policy exceptions with expiration date, reason, and owner.
Useful evidence
- List of Policy assignments and their compliance by subscription.
- Lists of active exceptions with expiry date and closure plan.
- Key states, rotation, and Key Vault access logs.
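As an added example (not part of the original guide), this Python script checks a list of Azure Policy exemptions against the rule stated above: each one must record a reason, an owner and an expiry date, and expired exemptions must not linger. The records follow the shape of the Azure Policy exemption resource (exemptionCategory, expiresOn, description, metadata); the exemptions, the `owner` metadata key and the 180-day lifetime limit are constructed assumptions.

```python
"""Check Azure Policy exemptions for reason, owner and expiry. Records follow
the Azure Policy exemption resource shape (exemptionCategory, expiresOn,
description, metadata); the sample exemptions, the 'owner' metadata key and
the 180-day limit are constructed assumptions for this example."""
from datetime import datetime, timedelta, timezone

ASSIGNMENT = "/providers/Microsoft.Management/managementGroups/org/providers/Microsoft.Authorization/policyAssignments/iso27001"
MAX_EXEMPTION_DAYS = 180  # assumed organizational limit on an exception's lifetime

# Constructed sample, shaped like a listing of exemptions under a subscription.
EXEMPTIONS = [
    {"name": "ex-legacy-storage", "properties": {
        "policyAssignmentId": ASSIGNMENT, "exemptionCategory": "Waiver",
        "expiresOn": "2025-06-30T00:00:00Z",
        "description": "Legacy storage account pending migration; public access blocked by NSG",
        "metadata": {"owner": "platform-team"}}},
    {"name": "ex-no-expiry", "properties": {
        "policyAssignmentId": ASSIGNMENT, "exemptionCategory": "Mitigated",
        "description": "Compensating control: private endpoint in place",
        "metadata": {"owner": "architecture"}}},
    {"name": "ex-no-reason", "properties": {
        "policyAssignmentId": ASSIGNMENT, "exemptionCategory": "Waiver",
        "expiresOn": "2026-01-31T00:00:00Z", "metadata": {}}},
]


def parse_expiry(value):
    """Parse the ISO 8601 UTC timestamp stored in expiresOn."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def check_exemption(ex, now):
    """Return the problems found in one exemption (empty list when acceptable)."""
    props = ex["properties"]
    problems = []
    if not props.get("description", "").strip():
        problems.append("no reason recorded in description")
    if not (props.get("metadata") or {}).get("owner"):
        problems.append("no owner in metadata")
    expires = props.get("expiresOn")
    if not expires:
        problems.append("no expiry date: the exception would be permanent")
    else:
        exp = parse_expiry(expires)
        if exp <= now:
            problems.append(f"expired on {exp.date()} and still present")
        elif exp - now > timedelta(days=MAX_EXEMPTION_DAYS):
            problems.append(f"expiry more than {MAX_EXEMPTION_DAYS} days away")
    return problems


def audit_exemptions(exemptions, now=None):
    """Map exemption name -> problems for every exemption failing at least one check."""
    now = now or datetime.now(timezone.utc)
    report = {}
    for ex in exemptions:
        problems = check_exemption(ex, now)
        if problems:
            report[ex["name"]] = problems
    return report
```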
Posture and risk (Defender for Cloud and Microsoft Defender for Endpoint)
Posture synthesizes hardening and exposure status. Prioritizing by risk avoids dispersion of efforts and accelerates real attack surface reduction.
Objectives
- Impact-based priority: recommendations that most increase Secure Score and close critical gaps.
- Vulnerability visibility on endpoints and servers, with patching and remediation plans.
- Signals that block: device risk (MDE) integrated with compliance and Conditional Access.
Suggested implementation
- Enable Defender for Cloud on subscriptions and review Regulatory Compliance and service-specific recommendations.
- Deploy MDE to endpoints and servers, enable attack surface reduction, and test isolation.
- Set remediation workflow in sprints with owners and due dates.
- Use MDE device risk to mark noncompliant devices and condition access.
Useful evidence
- Secure Score trend and details of closed recommendations.
- Exposure/vulnerability reports and reduction metrics.
- MDE cases with action timeline and outcomes.
Logging, detection, and response (Log Analytics, Sentinel, KQL)
Without logs there is no forensics or defensible compliance. Centralizing, detecting consistently, and responding automatically shortens timelines and leaves traceability.
Objectives
- Comprehensive ingestion from Entra ID, Microsoft 365, Azure (Activity/Resource), MDE/MDO/MDA into a central workspace.
- Relevant detections in Sentinel, with well-designed severities and suppressions.
- Orchestrated response with Logic Apps: isolate devices, revoke tokens, open ITSM incidents.
Suggested implementation
- Enable data connectors in Sentinel and validate volumes and retentions.
- Activate baseline rules (identity, privileges, exfiltration) and tune thresholds to reduce noise.
- Design playbooks for common cases (phishing, stolen token, compromised device) and test them.
- Version KQL queries and dashboards; document parameters and assumptions.
KQL example (admin sign-ins outside business hours)
SigninLogs
// successful sign-ins only; ResultType is a string column in SigninLogs
| where ResultType == "0"
// identities whose name contains "admin" or "adm" (adjust to the naming convention)
| where Identity matches regex ".*(admin|adm).*"
// outside 07:00-20:00 in the workspace time zone (UTC unless converted)
| where hourofday(TimeGenerated) < 7 or hourofday(TimeGenerated) > 20
| summarize attempts=count() by Identity, bin(TimeGenerated, 1h)
Useful evidence
- List of active rules and their justification.
- Screenshots of playbook runs with timestamps.
- Dashboards with defined time range and exported results.
Continuity and resilience (BCP/DR, RTO/RPO, immutability)
Controlled exercises are the only solid evidence that the organization can resume operations after an incident. Resilience is not a one-off habit; it is a continuous process.
Objectives
- Realistic RTO/RPO by service and data, agreed with the business.
- Immutable backups and offline copies or retention that can withstand insider fraud or ransomware.
- Resilient architectures: availability zones, paired regions, private traffic, and plane separation.
- Drills with minutes, measured times, and improvement actions.
Suggested implementation
- Catalogue services and dependencies; document RTO/RPO and criticality metrics.
- Configure backup policies with immutability and periodic restore tests.
- Define runbooks (what, who, how) for typical disruptions.
- Run semiannual drills and close derived actions.
Useful evidence
- Signed BCP/DR plan, topologies, and owners.
- Backup reports and logs from real restorations.
- Drill minutes with results and improvements.
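As an added example (not part of the original guide), this Python script turns restore-drill minutes into the RTO/RPO evidence listed above: achieved RTO is the time from declaring the incident to restoring the service, achieved RPO is the age of the last good backup at the moment of declaration, and each is compared with the agreed target. The service names, targets and drill timestamps are constructed sample data.

```python
"""Measure achieved RTO/RPO from drill minutes and compare with agreed targets.
Achieved RTO = restored - declared; achieved RPO = declared - last good backup.
Targets and drill records below are constructed sample data."""
from datetime import datetime

# Constructed targets per service, agreed with the business (hours).
TARGETS = {"erp-db": {"rto_h": 4, "rpo_h": 1}, "intranet": {"rto_h": 24, "rpo_h": 24}}

# Constructed drill minutes: the three timestamps recorded during each exercise.
DRILLS = [
    {"service": "erp-db", "last_good_backup": "2025-03-10T07:30",
     "declared": "2025-03-10T08:00", "restored": "2025-03-10T11:20"},
    {"service": "intranet", "last_good_backup": "2025-03-09T02:00",
     "declared": "2025-03-10T09:00", "restored": "2025-03-11T12:00"},
]


def hours_between(start, end):
    """Elapsed hours between two ISO 8601 timestamps, rounded to two decimals."""
    delta = datetime.fromisoformat(end) - datetime.fromisoformat(start)
    return round(delta.total_seconds() / 3600, 2)


def evaluate_drill(drill, targets):
    """Measure one drill and compare it with its service's targets.
    Raises KeyError when the service has no agreed target, which is itself a gap."""
    target = targets[drill["service"]]
    rto = hours_between(drill["declared"], drill["restored"])
    rpo = hours_between(drill["last_good_backup"], drill["declared"])
    return {"service": drill["service"], "rto_h": rto, "rpo_h": rpo,
            "rto_met": rto <= target["rto_h"], "rpo_met": rpo <= target["rpo_h"]}


def evaluate_drills(drills, targets):
    """Evaluate every drill; a service without a target is reported as a failure."""
    results = []
    for d in drills:
        try:
            results.append(evaluate_drill(d, targets))
        except KeyError:
            results.append({"service": d["service"], "error": "no agreed RTO/RPO target",
                            "rto_met": False, "rpo_met": False})
    return results


def all_targets_met(results):
    """Overall drill outcome for the minutes: True only if every service met both targets."""
    return all(r["rto_met"] and r["rpo_met"] for r in results)
```

The per-service rows are the measured RTO/RPO figures the drill minutes should carry; a service that misses a target or lacks one becomes an improvement action.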
ENS checklist by domains with examples
Indicative list of ENS measures and their technical reflection in Microsoft. Final priority depends on the risk analysis and the ENS category of the system.
| ENS domain | Technical action in Microsoft | Suggested evidence |
|---|---|---|
| Organization | Least-privilege RBAC; segmentation with Management Groups; reviewable delegation | Export of roles/assignments; responsibility matrix |
| Protection | MFA + Conditional Access; CMEK/Customer Key encryption; DLP and labels | CA policies; key status; exported policies |
| Detection | Defender for Cloud + MDE; centralized diagnostics; Secure Score | Posture reports and quarterly trend |
| Response | Sentinel with rules and playbooks (isolate, revoke, notify) | Runbooks; MTTA/MTTR; closed cases |
| Recovery | Immutable backup, GRS/ZRS, DR tests | Drill minutes; RTO/RPO metrics |
| Prevention | Baseline hardening (Policy/templates), block insecure protocols, inventory | List of applied definitions; justified exceptions |
Applied ISO 27001 (Annex A 2022) checklist
Selection of high-impact controls in Microsoft. The client’s SoA must reflect applicable controls, exclusions, and reasons.
| Control | Implementation in Microsoft | Evidence |
|---|---|---|
| A 5.15 Identity security | MFA, Conditional Access, and PIM in Entra ID; emergency accounts | CA export, PIM logs, reviews |
| A 8.24 Key management | Key Vault (CMEK), Customer Key, rotation, restricted access | Key state/rotation; access audit |
| A 8.16 Logging and monitoring | Log Analytics + Sentinel; per-subscription diagnostics | KQL queries, retention, dashboards |
| A 8.28 Data protection | Sensitivity labels, encryption, DLP, retention | Exported policies; DLP incidents |
| A 8.23 Vulnerabilities | MDE (exposure, patches); Defender for Cloud (recommendations) | Exposure reports and closures |
| A 5.17 Supplier relationships | Third-party assessment, security annexes, and provider evidence | Contracts, certificates, service boundaries |
Traceability, evidence, and “smoke tests” templates
Traceability matrix (summary)
| Control | Action | Evidence | Owner | Frequency |
|---|---|---|---|---|
| 100% MFA | CA policy “Require MFA” | CA export + justified exceptions | IT Security | Monthly |
| CMEK encryption | Key Vault + config in Storage/SQL | Key state/rotation | Architecture | Semiannual |
| Email DLP | Rule “Confidential — no external” | DLP reports and FP/FN review | Compliance | Quarterly |
| Centralized logs | Diagnostic settings to Log Analytics | Policies and retention | SecOps | Monthly |
| DR tested | Annual restore drill | Minutes with RTO/RPO | Operations | Annual |
Quick checklist (smoke tests)
| Area | Check | How to verify |
|---|---|---|
| Identity | MFA enforced for all | CA export and exclusion review |
| Privileges | PIM active for critical roles | List of roles and PIM activity |
| Azure | ISO 27001 initiative at root MG | Policy → Assignments |
| Logs | Activity/Resource to central workspace | Diagnostic settings per subscription |
| Data | At least one label with encryption | Label list and application test |
Short examples
Conceptual policy — “Block access without MFA”
Condition: User without MFA method
Action: Require MFA; deny if not passed
Exception: Documented emergency accounts, with review
KQL — unusual administrative activity
SigninLogs
| where ResultType == "0"
| where Identity matches regex ".*(admin|adm).*"
| where hourofday(TimeGenerated) < 7 or hourofday(TimeGenerated) > 20
| summarize attempts=count() by Identity, bin(TimeGenerated, 1h)
Common mistakes and how to avoid them
- Confusing provider compliance with client compliance. Provider certificates are a reference, not a substitute for the client’s controls.
- Uncontrolled Policy exceptions. Every exception needs a reason, scope, and end date; without this, they become permanent.
- No change log. Lack of traceability slows audits and makes forensics more expensive.
- DR not tested. Valid evidence is the executed, measured restoration—not the written plan.
- Unmaintained Sentinel rules. Without threshold review and tuning, noise hides relevant alerts.
Frequently asked questions
Does ENS require using services with specific certifications?
ENS requires measures and evidence. Using accredited services facilitates verification, but responsibility for the client’s controls remains with the client.
How many controls does ISO 27001:2022 include?
The 2022 Annex A includes 93 controls grouped into four categories: organizational, people, physical, and technological.
How can compliance progress be visualized in Azure?
By assigning initiatives (e.g., ISO 27001) in Azure Policy and reviewing the compliance dashboard and recommendations in Defender for Cloud.
What cadence is reasonable for evidence?
Monthly for identity and logs, quarterly for DLP/retention/posture, semiannual for restorations, annual for a full internal audit.
Official resources
- Royal Decree 311/2022 (ENS) — BOE
- ENS regulations — CCN
- CCN-STIC Guides (800/1000 series for Microsoft technologies)
- ENS at Microsoft (Azure/Microsoft 365)
- Compliance in Azure
- Azure Policy — ISO 27001 initiative
- Azure — ISO/IEC 27001
- Microsoft Compliance offerings
- ISO/IEC 27001 — official page
- CCN-STIC-884 — ENS profile in Azure
- CCN-STIC-885A — Secure configuration for Office 365
Conclusion
Treating ENS and ISO 27001 as an ongoing program—with default controls, periodic reviews, and clear evidence—reduces risk and simplifies audits. With Entra ID, Purview, Azure Policy, Defender for Cloud, MDE, and Sentinel, the client has a solid, traceable technical foundation.
Adapting Microsoft 365 and Azure to ENS for the client
Controls are implemented, policies are automated, and the evidence dossier is prepared for audit.