Professional Documents
Culture Documents
CIS Assessment For Microsoft 365 Environments
CIS Assessment For Microsoft 365 Environments
This tool is based on the CIS Controls Initial Assessment Tool by AuditScripts. The purpose of this tool is to provide organizations with a simple method for performing an initial assessment of their
information assurance maturity level (with an emphasis on productivity environments managed within Microsoft 365); the assessment is based on the controls defined by the CIS Controls and the Council on
Cybersecurity. Any questions about how this tool works or suggestions can be directed to alex@itpromentor.com. In order to use this tool, the assessor must only complete the answers to the drop down
menu questions in the columns labeled Policy Status and Implementation on the M365Controls worksheet. By choosing a drop down choice for each critical control, the assessment tool will automatically
generate a percentage complete based on the answers to each question. These scores can therefore be used to measure the organization's progress and what percentage of the CIS Controls they are
currently following with regard to Microsoft 365 and other common aspects of supporting information technology infrastructure. Ideally in the long term organizations would deploy tools that would
automate the collection of this information, but in the meanwhile, this tool can be used to help start the process of manually assessing an organization's maturity level. Note: this is not a complete
representation of the sub-controls contained in the actual CIS Controls Documentation; use the AuditScripts tool for a more comprehensive assessment against all systems.
Field Definitions
Control Category CIS Controls are broken into three categories: Basic, Foundational and Organization, as described in the CIS Controls documentation.
ID This is the ID number of the specific CIS Control as included in the CIS Controls documentation.
CIS Control Description This is the description behind each control as defined by the CIS Controls documentation.
Implementation Groups (IG) This defines three implementation groups that relate to each individual sub-control; these are meant to be cumulative (to complete IG2 you also must complete IG1).
Implementation Group Detail Suggested corresponding Microsoft 365 product features to implement for each sub-control (and non-Microsoft 365 items as appropriate).
Policy Status This question determines whether the organization currently has a policy defined that indicates that they should be implementing the defined sub control.
Implementation This question determines whether or not the organization currently has implemented this sub control and to what degree the control has been implemented.
This work is licensed under a Creative Commons Attribution-ShareAlike 4.0 International License.
CIS Controls Simple Assessment Tool for Microsoft 365 Environments
Control
ID CIS Controls CIS Control Description IG Implementation Group Detail Policy status Implementation
Category
Enroll devices into Intune, and configure Device cleanup rules to regularly
1 No Policy Not Implemented
remove stale, inactive devices from inventory.
Actively manage (inventory, track, and correct) all
hardware devices on the network so that only authorized
Use Conditional Access to require compliant devices (this blocks
1 Inventory and Control of Hardware Assets devices are given access, and unauthorized and 2 unmanaged / non-compliant devices). No Policy Not Implemented
unmanaged devices are found and prevented from gaining
access. Auto-update inventory when network devices are added or removed.
3 Prevent unauthorized devices from connecting to corporate networks by No Policy Not Implemented
implmenting technologies such as 802.1x, client certificates, etc.
1 Configure Software updates via Intune for Windows and Office. No Policy Not Implemented
Continuously acquire, assess, and take action on new Implement patching system for third-party software packages. Use Threat
3 Continuous Vulnerability Management information in order to identify vulnerabilities, remediate, 2 & Vulnerability Management (TVM) in Microsoft Defender ATP to track No Policy Not Implemented
and minimize the window of opportunity for attackers. and remediate CVE's on your endpoints.
Deploy Endpoint security profiles via Intune; implement MAM using App
1 No Policy Not Implemented
Establish, implement, and actively manage (track, report protection policies and App configuraiton policies for mobile.
on, correct) the security configuration of mobile devices,
laptops, servers, and workstations using a rigorous Use Conditional Access to require compliant devices; for mobile devices,
5 Secure Configuration for Hardware and Software configuration management and change control process in
2
also require approved apps.
No Policy Not Implemented
Enable the Office 365 Unified audit log; enable the Alert policies. Ensure
1 No Policy Not Implemented
that logging has been enabled on all systems and networking devices.
6
Maintenance, Monitoring, and Analysis of Audit Collect, manage, and analyze audit logs of events that 2
Deploy Security Information and Event Management (SIEM) system such
as Azure Sentinel for log correlation and analysis; on a regular basis, No Policy Not Implemented
Logs could help detect, understand, or recover from an attack. review logs to identify abnormal events.
Minimize the attack surface and the opportunities for Enable Office 365 Advanced Threat Protection policies; use Intune to
7 Email and Web Browser Protections attackers to manipulate human behavior through their 2 deploy approved client apps (e.g. Edge, Oulook from Office 365). Do not No Policy Not Implemented
interaction with web browsers and email systems. allow unapproved apps for email and web browsing.
The processes and tools used to properly back up critical Consider third-party cloud backup for custom RPO, RTO, etc.; all other
10 Data Recovery Capability information with a proven methodology for timely 2 systems should be backed up automatically with at least one copy No Policy Not Implemented
recovery of it. available offline (not accessible from the network).
3 Test all restore procedures regularly to ensure backup integrity. No Policy Not Implemented
Implement AES encryption and ensure that personal and guest WiFi
1 networks are segmented and separate from corporate networks. No Policy Not Implemented
1 Conduct regular exernal and internal scans to identify known vulnerabilites. No Policy Not Implemented
Test the overall strength of an organization’s defense (the Conduct regular external and internal penetration tests to identify
20 Penetration Tests and Red Team Exercises technology, the processes, and the people) by simulating 2 vulnerabilities and attack vectors that can be used to exploit enterprise No Policy Not Implemented
the objectives and actions of an attacker. systems successfully (including technical and social vulnerabilities).
This work is licensed under a Creative Commons Attribution-ShareAlike 4.0 International License.
DO NOT CHANGE THESE VALUES
Policy Status
No Policy
Informal Policy
Partial Written Policy
Written Policy
Approved Written Policy
Implementation Status
Not Implemented
Parts of Policy Implemented
Implemented for Pilot
Moving to Production
Implementation Completed