03 · Advanced Controls — Section Architecture and Content Guide
Section governance
Section title: 03 · Advanced Controls
Parent space: ISMS Home
Page owner: CISO
SCM restriction: isms-it-staff minimum (page-level restriction on all child pages)
isms-security sees additional evidence and assessment content
isms-all-staff cannot view this section at all
isms-management can view selected governance pages (AT-CA, AT-RA)
Last reviewed: [DATE]
Why this section is restricted
Visible to anyone who reaches the section — i.e. isms-it-staff and above.
This section contains the System Security Plan (SSP) implementation descriptions for all 110 NIST SP 800-171 Rev 2 controls, organised into the 14 control families. These pages exist here rather than in a separate document because the Confluence space itself is the SSP — structured, version-controlled, navigable, and maintainable by the engineers responsible for each control.
Access is restricted to IT Operations and security staff because the implementation details in these pages — specific configuration settings, PAM architecture, SIEM correlation rules, vulnerability scan procedures, and assessment preparation notes — would provide meaningful attack surface information to a person with malicious intent. The all-staff obligations for each control family are documented in 01 · Policies and 02 · Fundamental Controls. This section is the technical and governance layer beneath those.
For any C3PAO, DEFSTAN, or ISO 27001 assessment, the CISO exports the relevant sections to PDF for the assessor package. Assessors are not given live Confluence access — they receive the export plus access to the evidence filing locations as required.
Section structure — complete family index
The 14 control families are ordered in this section as they appear in NIST SP 800-171 Rev 2, except that AT-CA (Security Assessment) is placed first because it is the keystone page: read it before any other family page. Each family is a Confluence page with the standard structure defined in the master template below.
03 · Advanced Controls
├── AT-CA · Security Assessment (KEYSTONE — read first)
├── AT-AC · Access Control
├── AT-AT · Awareness and Training
├── AT-AU · Audit and Accountability
├── AT-CM · Configuration Management
├── AT-IA · Identification and Authentication
├── AT-IR · Incident Response
├── AT-MA · Maintenance
├── AT-MP · Media Protection
├── AT-PE · Physical Protection
├── AT-PS · Personnel Security
├── AT-RA · Risk Assessment
├── AT-SC · System and Communications Protection
│ ├── AT-SC-BDY · Boundary Protection (child page)
│ └── AT-SC-ENC · Encryption (child page)
└── AT-SI · System and Information Integrity
Master page template — applies to all 14 family pages
Every family page follows this structure. The template enforces consistency so that an assessor navigating between families encounters the same layout each time, and so that each section of each page can be cross-referenced predictably in the SoA and the evidence register.
PAGE STRUCTURE (all 14 families):
[Title block]
AT-[XX] · [Family full name]
NIST SP 800-171 Rev 2 · ISO 27001:2022 Annex A · DEFSTAN 05-138
[Control count] controls · [CMMC L1 count] CMMC Level 1 practices
[Metadata table]
Document ID | Family | NIST Controls | CMMC L1 Practices
ISO 27001 Annex A | DEFSTAN Profile | SCM Variant | Confluence Location
Page Owner | Last Reviewed | Related Pages | Evidence Items
[SCM variant banner]
Identifies the access level and what the all-staff equivalent is
[Section 0 — ISO 27001 Annex A mapping and framework positioning]
Table: Annex A control → NIST controls implemented → Primary evidence
Infobox: DEFSTAN 05-138 profile mapping with specific paragraph references
[Section 1 — Control implementation summary (SSP status table)]
Table: Control ID | Title | CMMC L1 | ISO 27001 | DEFSTAN | Status | Evidence
Notes on any Partially Implemented or Planned controls → POA&M reference
[Section 2 — Technical implementation procedures (all controls in family)]
For each control:
Heading: [control ID] — [control title]
Badge: CMMC L1 status | ISO 27001 | DEFSTAN | Status | Tier
Control requirement verbatim
Assessment method (from NIST SP 800-171A)
Implementation (SSP description) — detailed technical narrative
ISO 27001 infobox — specific Annex A clause mapping
Evidence items produced by this control
[Sections 3–N — Technical procedures and specifications]
Family-specific operational content:
Baseline specifications, configuration tables, procedural checklists,
schedule tables, escalation procedures, as appropriate to the family
[Evidence requirements register — full family]
Table: EV ID | Evidence Item | Controls | Frequency | Owner | Location
[Assessor preparation checklist]
Rows: Control ID | Method (Examine/Interview/Test) | Checklist items
Colour coded: Examine = blue | Interview = teal | Test = amber
[Common assessment findings and prevention]
Table: Finding | Control | How to prevent
[Security-team SCM layer — isms-security variant]
Evidence currency dashboard
MITRE ATT&CK context
Control effectiveness assessment (quarterly)
Assessment preparation — framework-specific notes
POA&M templates
[Version history]
Version | Date | Summary | Author | Approver
[Footer]
Version | Owner | Review cycle | Document ID
DEFSTAN 05-138 profile mapping — master reference
Before documenting the per-family DEFSTAN mapping, this section establishes the profile structure that all family pages reference.
DEFSTAN 05-138 defines four profiles:
Profile 0 (Baseline):
Minimum requirement for OFFICIAL-tier information
Applies to all MOD suppliers handling OFFICIAL data
§Boundary, §Access, §Identification, §Malware, §Patching, §Personnel (basic)
Profile 1 (Standard):
Required for OFFICIAL-SENSITIVE and most DEFCON contracts
Adds: §Risk Management, §Config Management, §Personnel (screening + leaver),
§Audit and Monitoring, §Incident Management, §Supplier Security
Profile 2 (Enhanced):
Required for higher-sensitivity OFFICIAL-SENSITIVE and some SECRET-adjacent work
Adds: §Vulnerability Management, §Penetration Testing, §Crypto,
§Physical Security (enhanced), §Personnel (clearance verification),
§Continuous Monitoring
Profile 3 (Advanced):
Required for SECRET and above; typically reserved for prime contractors
Adds: §Assured Services, §Cross-Domain Solutions, §Advanced Threat Detection
(Outside scope for most SME defence suppliers — this ISMS targets P0/P1/P2)
For each family page, the DEFSTAN mapping identifies:
Which profile is required for the controls in this family
The specific DEFSTAN paragraph reference (§Section)
Whether the DEFSTAN requirement is broader, narrower, or equivalent to NIST
Any DEFSTAN-specific evidence the contracting authority may request
AT-CA · Security Assessment
Document ID: AT-CA
Controls: 3.12.1, 3.12.2, 3.12.3, 3.12.4 (4 controls)
CMMC L1: None
ISO 27001: 5.35, 5.36 + clauses 9.2, 9.3
DEFSTAN: Profile 1 §Governance (SSP) · Profile 2 §Governance (assessment + monitoring)
Page owner: CISO
SCM: isms-security (full) · isms-management (Sections 0–3) · isms-it-staff (4–8)
Role in the ISMS space
AT-CA is the keystone document. It contains the SSP master section (3.12.4), the POA&M (3.12.2), the annual assessment programme (3.12.1), and the continuous monitoring plan (3.12.3). Every other family page is an implementation sub-section of this SSP. The Statement of Applicability (EV-E01) and the SSP export (EV-E05) are produced from AT-CA.
Section 0 — ISO 27001 and DEFSTAN mapping
| Annex A | Control | NIST implemented | Primary evidence |
| 5.35 | Independent review of information security | 3.12.1 (periodic assessment) | Annual assessment report |
| 5.36 | Compliance with policies, rules, and standards | 3.12.2 (POA&M), 3.12.3 (monitoring), 3.12.4 (SSP) | EV-E01 (SoA) · POA&M · EV-F series |
| Clause 9.2 | Internal audit | 3.12.1 | EV-A02 (internal audit records) |
| Clause 9.3 | Management review | 3.12.3 (monitoring feeds review) | EV-A01 (management review minutes) |
DEFSTAN mapping:
Profile 1 §Governance:
Requires a documented security management system with named CISO
SSP (EV-E05) = documented system
CISO role assignment in Section 3 role table = named responsible individual
Profile 2 §Governance:
Requires formal assessment of control effectiveness
Annual internal assessment report + C3PAO triennial assessment = formal assessment
Continuous monitoring programme (EV-F01–F07) = ongoing monitoring requirement
DEFSTAN-specific note:
Contracting authority may request to review the SSP
Produce a customer-facing summary version that omits classified technical detail
Full SSP (this Confluence space) is for internal use only
Section 1 — SSP status table
| Control | Title | CMMC L1 | ISO 27001 | DEFSTAN | Status | Evidence |
| 3.12.1 | Periodically assess security controls | — | 5.35 | P2 | Implemented | Annual assessment report |
| 3.12.2 | Develop and implement POA&M | — | 5.36 | P2 | Implemented | POA&M |
| 3.12.3 | Monitor security controls on an ongoing basis | — | 5.36 | P2 | Implemented | EV-F01–F07 |
| 3.12.4 | Develop, document, and periodically update SSP | — | 5.35, 5.36 | P1 | Implemented | EV-E05 · EV-E01 |
Section 2 — Control implementations
3.12.4 — SSP structure and maintenance
This Confluence space is the SSP
AT-CA Section 3 = master system description, boundary, environment of operation
All AT-[family] pages = control family implementation sections
EV-E01 (SoA) = statement of applicability for all 110 controls
Update triggers: 30-day SLA for any boundary or control status change
Annual review procedure: CISO-led; all AT-[family] pages reviewed
3.12.1 — Annual assessment programme
9-phase procedure: initiation → evidence collection → interviews →
technical testing → findings review → report → POA&M update →
management presentation → SoA update
Assessment methods: Examine, Interview, Test (NIST SP 800-171A)
Independence: internal assessment supplemented by triennial C3PAO
3.12.2 — POA&M management
Separate Confluence child page: "POA&M — Plan of Action and Milestones"
17-field template per item (see AT-CA Section 4)
Monthly CISO review (EV-A04)
SLA: High-risk items 90 days; Moderate 180 days; Low 12 months
3.12.3 — Continuous monitoring
18 monitoring activities across all control families (see AT-CA Section 6)
Programme backbone: EV-F01 (SIEM log review) through EV-F07 (privileged session review)
Monitoring-to-POA&M pipeline: gap detected → POA&M entry within 5 business days
Evidence register — AT-CA
| EV ID | Evidence Item | Controls | Frequency | Owner | Location |
| EV-E05 | SSP — this Confluence space; PDF export for assessors | 3.12.4 | Annual review; 30-day update SLA | CISO | This space |
| EV-E01 | Statement of Applicability — all 110 controls, status, evidence refs | 3.12.4 | Updated on status change; annual full review | CISO | EV-E → Assessment → SoA |
| POA&M | Plan of Action and Milestones — live child page of AT-CA | 3.12.2 | Continuous; monthly CISO review | CISO | AT-CA → POA&M |
| Annual assessment report | Internal security control assessment report | 3.12.1 | Annual (Q4) | CISO | EV-A → Internal Assessments → [YYYY] |
| EV-A01 | Management review minutes | 3.12.3 | Annual | CISO | EV-A → Management Reviews → [YYYY] |
| EV-A02 | Internal audit working files | 3.12.1 | Annual | CISO | EV-A → Internal Assessments → [YYYY] → Working Files |
| EV-A03 | Corrective action register | 3.12.2 | Continuous | CISO | EV-A → Corrective Actions |
| EV-A04 | Monthly POA&M review record | 3.12.2, 3.12.3 | Monthly | CISO | EV-A → POA&M Reviews → [YYYY-MM] |
| EV-A08 | ISMS role competency records | 3.12.1 | Annual | CISO/HR | EV-A → Role Competency |
| EV-F01–F07 | Continuous monitoring evidence set | 3.12.3 | Per-item frequency | Per-item owner | EV-F → Continuous Monitoring |
AT-AC · Access Control
Document ID: AT-AC
Controls: 3.1.1–3.1.22 (22 controls)
CMMC L1: AC.L1-3.1.1, AC.L1-3.1.2, AC.L1-3.1.20, AC.L1-3.1.22 (4 practices)
ISO 27001: 5.3, 5.10, 5.12, 5.13, 5.14, 5.15, 5.18, 6.7, 8.1, 8.2, 8.3, 8.5, 8.10, 8.20, 8.24
DEFSTAN: Profile 0 §Access (3.1.1, 3.1.2, 3.1.20) · Profile 1 §Access (3.1.3–3.1.7) · Profile 2 §Access (3.1.8–3.1.22, other than 3.1.20 which sits in Profile 0)
Page owner: IT Manager / CISO
SCM: isms-it-staff · isms-security
Section 0 — ISO 27001 and DEFSTAN mapping
| Annex A | Control | NIST implemented | Primary evidence |
| 5.15 | Access control | 3.1.1, 3.1.2 | EV-D01 · EV-D02 |
| 5.18 | Access rights | 3.1.1, 3.1.2, 3.1.5 | EV-D01 · EV-D03 |
| 8.2 | Privileged access rights | 3.1.5, 3.1.6, 3.1.7 | EV-D01 (quarterly privileged review) |
| 8.3 | Information access restriction | 3.1.3 | CUI group membership |
| 5.14 | Information transfer | 3.1.3 | DLP configuration · EV-F05 |
| 6.7 | Remote working | 3.1.20 | VPN config · EV-D19 |
| 8.5 | Secure authentication | 3.1.10 (session lock) | Session lock GPO · EV-D19 |
| 8.20 | Network security | 3.1.3 | Firewall rules · EV-F03 |
DEFSTAN mapping:
Profile 0 §Access:
Named accounts: 3.1.1 (unique identity per person)
Role-appropriate access: 3.1.2 (least privilege)
Remote access controlled: 3.1.20 (VPN mandatory, documented)
Profile 1 §Access:
CUI data flow control: 3.1.3
Separation of duties: 3.1.4
Privileged account separation: 3.1.5, 3.1.6
Privilege use logging: 3.1.7
Profile 2 §Access:
Session controls: 3.1.10, 3.1.11
Remote access encryption: 3.1.13
Wireless monitoring: 3.1.16, 3.1.17
Mobile device policy: 3.1.18
External and publicly accessible systems: 3.1.21 (portable storage on external systems), 3.1.22 (CUI on publicly accessible systems)
DEFSTAN-specific evidence:
For DEFSTAN-scope contracts with named personnel requirements:
Contract-specific access group membership list (GRP-CONTRACT-[MOD-REF])
Updated within 5 days of any personnel change on the contract
Key technical procedures
JML workflow: See FC-03 IT Staff Technical Procedures (full detail)
Joiner: 10-step provisioning with screening gate → EV-D03
Mover: additive-minus-excess access update → EV-D03
Leaver: 9-step de-provisioning with pre-departure SIEM review → EV-D04
Privileged account management:
Dual-account model: firstname.lastname (standard) + adm-firstname.lastname (privileged)
PAM-mediated access: all privileged actions via PAM session checkout
Session recording: all admin sessions recorded → EV-F07
Break-glass: two accounts in sealed envelope; CISO + IT Manager joint access
Access review programme:
Quarterly: EV-D01 (privileged accounts — all adm- accounts + CUI group)
Annual: EV-D02 (all-user access review — full population)
Both: line manager confirmation required; findings to ITSM within 5 days
DEFSTAN contract access review:
Any change to GRP-CONTRACT-[MOD-REF] membership:
Requires CISO approval
Logged in EV-D03 with contract reference
Contracting authority notification if required by contract schedule
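Added example, not code from this page or from the ISMS tooling: a reconciliation check a reviewer can run over a directory export when producing EV-D01. It enforces the dual-account model described above: every adm- account must have an enabled standard counterpart, every enabled adm- account must be enrolled with PAM, no standard account may hold privileged group membership, and both break-glass accounts must exist and be enabled. The privileged group names, the PAM enrolment group, the break-glass account names and the export itself are constructed assumptions.

```python
"""Quarterly privileged account review (EV-D01): reconcile a directory export
against the dual-account model. Group names, break-glass account names and the
sample export are constructed assumptions for this example."""

from dataclasses import dataclass, field

ADM_PREFIX = "adm-"
# Assumed group names: membership of any PRIVILEGED_GROUPS entry is what makes
# an account privileged; PAM_GROUP is the group the PAM platform uses to enrol
# accounts for session checkout.
PRIVILEGED_GROUPS = {"Domain Admins", "Enterprise Admins", "GRP-CUI-Admins"}
PAM_GROUP = "GRP-PAM-Managed"
# Assumed names of the two sealed-envelope accounts; they are reviewed by hand.
BREAK_GLASS = {"brk-glass-01", "brk-glass-02"}


@dataclass
class Account:
    name: str
    enabled: bool
    groups: set = field(default_factory=set)


def review_privileged_accounts(accounts):
    """Return sorted (account, finding) pairs for the reviewer to action."""
    by_name = {a.name: a for a in accounts}
    findings = []
    for acct in accounts:
        if acct.name in BREAK_GLASS:
            continue
        if acct.name.startswith(ADM_PREFIX):
            owner = by_name.get(acct.name[len(ADM_PREFIX):])
            # An adm- account with no enabled standard counterpart is a leaver
            # that slipped past EV-D04, or a misnamed account.
            if owner is None or not owner.enabled:
                findings.append((acct.name, "orphaned-adm-account"))
            if acct.enabled and PAM_GROUP not in acct.groups:
                findings.append((acct.name, "adm-account-outside-pam"))
        elif acct.groups & PRIVILEGED_GROUPS:
            # Privilege on a day-to-day account defeats the dual-account model.
            findings.append((acct.name, "standard-account-holds-privilege"))
    for name in sorted(BREAK_GLASS):
        bg = by_name.get(name)
        if bg is None or not bg.enabled:
            findings.append((name, "break-glass-account-missing-or-disabled"))
    return sorted(findings)


# Constructed directory export.
SAMPLE_EXPORT = [
    Account("alice.smith", True, {"Domain Users"}),
    Account("adm-alice.smith", True, {"Domain Admins", "GRP-PAM-Managed"}),
    Account("bob.jones", True, {"Domain Users", "GRP-CUI-Admins"}),
    Account("adm-carol.white", True, {"Domain Admins"}),
    Account("dave.brown", False, {"Domain Users"}),
    Account("adm-dave.brown", True, {"Domain Admins", "GRP-PAM-Managed"}),
    Account("brk-glass-01", True, {"Domain Admins"}),
    Account("brk-glass-02", True, {"Domain Admins"}),
]

if __name__ == "__main__":
    for name, finding in review_privileged_accounts(SAMPLE_EXPORT):
        print(f"{name:<20} {finding}")
```

Each finding maps to an ITSM ticket under the 5-day rule above; "orphaned-adm-account" findings should also be cross-checked against EV-D04, since they usually mean a leaver checklist was not completed.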
Evidence register — AT-AC
| EV ID | Evidence Item | Controls | Frequency | Owner | Location |
| EV-D01 | Quarterly privileged account review | 3.1.5, 3.1.6, 3.3.8, 3.9.2 | Quarterly | IT Manager | EV-D → Access Control Reviews → Privileged [YYYY-QQ] |
| EV-D02 | Annual all-user access review | 3.1.1, 3.1.2 | Annual | IT Manager | EV-D → Access Control Reviews → All-User [YYYY] |
| EV-D03 | JML provisioning log — all joiner and mover events | 3.1.1, 3.1.2, 3.5.1, 3.9.1 | Per event (within 24h) | IT Operations | EV-D → Access Control → JML Log |
| EV-D04 | Leaver de-provisioning checklist — all leavers | 3.1.1, 3.9.2 | Per leaver (within 5 days) | IT Ops + HR | EV-D → Access Control → JML Log → Leavers |
| EV-D05 | Quarterly MFA coverage report (6-check procedure) | 3.5.3, 3.7.5 | Quarterly | IT Manager | EV-D → Access Control → MFA Status → [YYYY-QQ] |
| EV-F07 | Monthly privileged session recording review | 3.1.5, 3.1.6, 3.3.2 | Monthly | CISO | EV-F → Continuous Monitoring → Privileged Sessions |
AT-AT · Awareness and Training
Document ID: AT-AT
Controls: 3.2.1, 3.2.2, 3.2.3 (3 controls)
CMMC L1: None
ISO 27001: Annex A 6.3 (Awareness, education and training) · clauses 7.2 (Competence) and 7.3 (Awareness)
DEFSTAN: Profile 1 §Personnel (awareness) · Profile 2 §Personnel (role-specific training)
Page owner: CISO / HR Manager
SCM: isms-it-staff · isms-security
Section 0 — ISO 27001 and DEFSTAN mapping
| Annex A | Control | NIST implemented | Primary evidence |
| 6.3 | Information security awareness, education and training | 3.2.1, 3.2.2 | EV-B05 (annual training completion) |
| 7.2 | Competence (clause — not Annex A) | 3.2.2 (role-specific training) | EV-A08 · EV-B06 |
| 7.3 | Awareness (clause — not Annex A) | 3.2.1 (security awareness) | EV-B05 |
DEFSTAN mapping:
Profile 1 §Personnel:
All staff with OFFICIAL access receive security awareness training
Annual completion records retained and available to contracting authority
Phishing simulation programme satisfies the "tested awareness"
element that DEFSTAN Profile 1 increasingly requires
Profile 2 §Personnel:
Role-specific training for CUI handlers, privileged users, IR team
CISO competency records (EV-A08) satisfy Profile 2 requirement for
a qualified named security officer
Training effectiveness measurement required at Profile 2:
Phishing click rate trend (EV-B07) = effectiveness metric
Pre/post quiz scores (where platform supports) = competence measurement
Key technical procedures
Annual campaign:
Platform: [training platform name]
Launch: [month each year] — 4-week completion window
Module duration: 45 minutes
Completion tracking: platform → HR system → CISO report
Non-completion escalation: Week 1 (launch) → Week 2 (reminder) →
Week 3 (line manager notification) → Deadline → Policy breach process
Phishing simulation:
Frequency: every 6–8 weeks (rotating schedule)
Platform: [phishing simulation platform]
Reporting: Aggregate departmental click rate → CISO monthly
Individual click: training page redirect (not disciplinary)
Individual report: confirmed detection → EV-B07 credit
Scenarios: credential harvesting / executive impersonation / malicious attachment /
invoice fraud / courier notification
Role-specific training library:
CUI handling module: before CUI access granted; annually thereafter
OFFICIAL-SENSITIVE module: before DEFSTAN access; as required by contract
IRT familiarisation: all IRT members before first IR exercise
Privileged access briefing: before adm- account issued
Supplier security assessment: before any staff conduct vendor assessment
Evidence register — AT-AT
| EV ID | Evidence Item | Controls | Frequency | Owner | Location |
| EV-B05 | Annual security awareness training completion record | 3.2.1 | Annual | HR Manager | EV-B → Training → Annual Campaign → [YYYY] |
| EV-B06 | Role-specific training completion records | 3.2.2 | Per module completion | HR Manager | EV-B → Training → Role-Specific |
| EV-B07 | Phishing simulation results — aggregate (not individual) | 3.2.3 | Per simulation campaign | CISO | EV-B → Training → Phishing Simulations → [YYYY] |
| EV-A08 | ISMS role competency records — CISO and key personnel | 3.2.2 | Annual review | CISO/HR | EV-A → Management System → Role Competency |
AT-AU · Audit and Accountability
Document ID: AT-AU
Controls: 3.3.1–3.3.9 (9 controls)
CMMC L1: None
ISO 27001: 8.15 (Logging), 8.16 (Monitoring), 8.17 (Clock synchronisation)
DEFSTAN: Profile 1 §Audit · Profile 2 §Audit and Monitoring
Page owner: IT Manager / Security Analyst
SCM: isms-it-staff · isms-security
Section 0 — ISO 27001 and DEFSTAN mapping
| Annex A | Control | NIST implemented | Primary evidence |
| 8.15 | Logging | 3.3.1 (create logs) · 3.3.2 (user traceability) | EV-F06 (SIEM health) |
| 8.16 | Monitoring activities | 3.3.3 (review logged events) · 3.3.4 (alert on logging failure) · 3.3.5 (correlate review and analysis) · 3.3.6 (reduction and report generation) | EV-F01 (log review) · EV-F06 (SIEM health) |
| 8.17 | Clock synchronisation | 3.3.7 (NTP hierarchy) | NTP configuration · EV-F06 |
DEFSTAN mapping:
Profile 1 §Audit:
Audit log created for all OFFICIAL system access
Logs retained for defined period (minimum 6 months active; 2 years archive)
Our retention (90 days hot, warm to 12 months, archive to 36 months) exceeds the Profile 1 minimum provided the contracting authority accepts the warm tier (retrievable within 24 hours) as "active"; the 90-day hot tier on its own would not meet the 6-month active requirement
Profile 2 §Audit and Monitoring:
Continuous monitoring with SIEM
Privileged account activity reviewed regularly (EV-D01, EV-F07)
Audit log tamper protection required (SIEM immutability)
Alerting for security events (SIEM correlation rules)
DEFSTAN-specific note:
Contracting authority may request log extracts for a specific time period
covering a DEFSTAN-contract system in connection with an incident or audit
Prepare: the SIEM export procedure that produces a filtered log extract
for a specific date range and source system, suitable for contracting
authority review without exposing the full SIEM dataset
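Added example, not code from this page or from the SIEM product: the export procedure above as a standalone filter over a JSON-lines export, limited to one source system and one date range, with only the agreed field set retained and a SHA-256 manifest so the contracting authority can confirm the extract was not altered after it was produced. The field names, the host name and the sample records are constructed assumptions.

```python
"""Filtered SIEM extract for a contracting authority: one source system, one
date range, fixed field set, plus a SHA-256 manifest for the recipient.
Field names and the sample records are constructed for this example."""

import hashlib
import json
from datetime import datetime, timezone

# Fields the contracting authority needs. Everything else (analyst notes,
# SIEM-internal IDs, anything naming other systems) is dropped.
EXPORT_FIELDS = ("timestamp", "host", "event_id", "user", "message")


def _parse_ts(value):
    # Accept both "Z" and "+00:00" suffixes; compare everything in UTC.
    return datetime.fromisoformat(value.replace("Z", "+00:00")).astimezone(timezone.utc)


def _canonical(records):
    # Deterministic serialisation so the digest is reproducible by the recipient.
    return "\n".join(json.dumps(r, sort_keys=True) for r in records)


def extract(jsonl_text, host, start, end):
    """Return (records, manifest): in-range events for `host` (start inclusive,
    end exclusive) reduced to EXPORT_FIELDS, and a manifest with the digest."""
    start_ts, end_ts = _parse_ts(start), _parse_ts(end)
    selected = []
    for line in jsonl_text.splitlines():
        if not line.strip():
            continue
        rec = json.loads(line)
        if rec.get("host") != host:
            continue
        if not (start_ts <= _parse_ts(rec["timestamp"]) < end_ts):
            continue
        selected.append({k: rec.get(k) for k in EXPORT_FIELDS})
    manifest = {
        "host": host, "from": start_ts.isoformat(), "to": end_ts.isoformat(),
        "record_count": len(selected),
        "sha256": hashlib.sha256(_canonical(selected).encode()).hexdigest(),
    }
    return selected, manifest


def verify_extract(records, manifest):
    """Recompute the digest; False means the records changed after export."""
    return (len(records) == manifest["record_count"]
            and hashlib.sha256(_canonical(records).encode()).hexdigest() == manifest["sha256"])


# Constructed SIEM export (JSON lines).
SAMPLE_JSONL = """\
{"timestamp": "2024-03-01T08:59:59Z", "host": "cui-fs01", "event_id": 4624, "user": "alice.smith", "message": "logon", "analyst_note": "baseline"}
{"timestamp": "2024-03-01T09:00:00Z", "host": "cui-fs01", "event_id": 4663, "user": "alice.smith", "message": "object access", "siem_id": "x1"}
{"timestamp": "2024-03-01T09:05:00Z", "host": "hr-db01", "event_id": 4624, "user": "bob.jones", "message": "logon"}
{"timestamp": "2024-03-01T10:00:00+00:00", "host": "cui-fs01", "event_id": 4719, "user": "adm-alice.smith", "message": "audit policy changed"}
{"timestamp": "2024-03-01T12:00:00Z", "host": "cui-fs01", "event_id": 4624, "user": "alice.smith", "message": "logon"}
"""

if __name__ == "__main__":
    recs, man = extract(SAMPLE_JSONL, "cui-fs01", "2024-03-01T09:00:00Z", "2024-03-01T12:00:00Z")
    print(json.dumps(man, indent=2))
```

Send the manifest separately from the extract (for example in the covering letter) so a recipient can detect substitution in transit; the end-exclusive range avoids double-counting when two consecutive extracts are requested.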
Key technical procedures
Log source inventory: maintained in AT-AU Section 3
Required sources: identity (AD/Entra ID), endpoint (Windows event),
network boundary (firewall/IDS), servers (syslog/auditd),
cloud (native connectors), application (CUI apps)
Log forwarding configuration: documented in OP-03 (Logging and SIEM)
Windows: WEF → WEC → SIEM
Linux: rsyslog + audisp → SIEM syslog listener
Network: syslog TCP → SIEM
Cloud: native data connector → SIEM
Retention tiers:
Hot (searchable): 90 days
Warm (retrievable <24h): days 91–365
Archive (retrievable <72h): days 366–1095 (36 months)
NTP hierarchy: OP-03 §NTP
Upstream (public) time sources, used by the internal server only: time.google.com / uk.pool.ntp.org. These are public stratum 1–2 servers, not stratum 0 (stratum 0 is a reference clock such as GPS), so the levels here are hierarchy tiers rather than NTP strata. Caveat: time.google.com smears leap seconds and pool.ntp.org servers do not, so point the internal server at one family or the other, not both, or the two can disagree by up to a second around a leap second
Internal NTP server: chrony, authenticated (NTS or symmetric keys), synchronised to the upstream sources
All CUI-scope systems: synchronised to the internal server only (GPO for Windows, chrony config for Linux); client egress to external NTP should be blocked at the boundary so nothing silently bypasses the hierarchy
Acceptable offset: <0.1 seconds from the internal server
Audit trail protection (3.3.8) and logging-failure alerting (3.3.4):
SIEM immutability: enabled (cloud SIEM with write-once storage or
equivalent tamper-evident logging)
Log deletion alert: any deletion event in SIEM → Critical alert
SIEM admin audit trail: monitored by CISO monthly (EV-F06)
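Added example, not code from this page or from the SIEM: the two alert rules above expressed as standalone detection logic over constructed Windows event records, so the rule can be tested before it is loaded into the SIEM. It raises a Critical alert for any event that touches the audit trail itself (3.3.8) and a High alert for a host that has gone quiet (3.3.4). Event IDs 1102, 104, 1100, 4719 and 4715 are the standard Windows identifiers; the 15-minute silence threshold, the severities and the sample events are assumptions.

```python
"""Audit-trail tamper detection (3.3.8) and logging-failure alerting (3.3.4)
over constructed Windows event records. Thresholds, severities and sample
events are assumptions for this example."""

from datetime import datetime, timedelta, timezone

# Standard Windows event IDs that mean someone touched the audit trail.
TAMPER_EVENTS = {
    1102: "Security log cleared",
    104: "System or Application log cleared",
    1100: "Event logging service shut down",
    4719: "System audit policy changed",
    4715: "Audit policy (SACL) on an object changed",
}
# Assumed: a forwarding host normally emits something at least every 15 min.
SILENCE_THRESHOLD = timedelta(minutes=15)


def _ts(value):
    return datetime.fromisoformat(value.replace("Z", "+00:00")).astimezone(timezone.utc)


def detect(events, now):
    """Return alerts: Critical for each tamper event, High for each host whose
    newest event is older than SILENCE_THRESHOLD at `now`."""
    alerts = []
    last_seen = {}
    for ev in events:
        when = _ts(ev["timestamp"])
        host = ev["host"]
        if host not in last_seen or when > last_seen[host]:
            last_seen[host] = when
        if ev["event_id"] in TAMPER_EVENTS:
            alerts.append({"severity": "Critical", "host": host, "user": ev.get("user"),
                           "event_id": ev["event_id"], "reason": TAMPER_EVENTS[ev["event_id"]]})
    now_ts = _ts(now)
    for host, when in sorted(last_seen.items()):
        gap = now_ts - when
        if gap > SILENCE_THRESHOLD:
            minutes = int(gap.total_seconds() // 60)
            alerts.append({"severity": "High", "host": host, "user": None, "event_id": None,
                           "reason": f"no events for {minutes} min (possible logging failure)"})
    return alerts


# Constructed event feed: cui-fs01 has its Security log cleared by an admin;
# cui-app01 stops reporting after 08:30.
SAMPLE_EVENTS = [
    {"timestamp": "2024-03-01T08:30:00Z", "host": "cui-app01", "event_id": 4624, "user": "svc-app"},
    {"timestamp": "2024-03-01T09:00:00Z", "host": "cui-fs01", "event_id": 4624, "user": "alice.smith"},
    {"timestamp": "2024-03-01T09:10:00Z", "host": "cui-fs01", "event_id": 1102, "user": "adm-carol.white"},
    {"timestamp": "2024-03-01T09:55:00Z", "host": "cui-fs01", "event_id": 4624, "user": "alice.smith"},
]

if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS, "2024-03-01T10:00:00Z"):
        print(alert)
```

The silence check only works if the SIEM also tracks hosts that have never reported, so seed `last_seen` from the log source inventory (EV-D19) in production rather than from the event stream alone.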
Evidence register — AT-AU
| EV ID | Evidence Item | Controls | Frequency | Owner | Location |
| EV-F01 | Monthly SIEM log review | 3.3.1–3.3.6 | Monthly | Security Analyst | EV-F → Continuous Monitoring → Log Reviews |
| EV-F06 | Monthly SIEM health report — log source status, retention, tamper | 3.3.1, 3.3.4, 3.3.7, 3.3.8 | Monthly | IT Manager | EV-F → Continuous Monitoring → SIEM Health |
| EV-F07 | Monthly privileged session recording review | 3.3.2, 3.3.9 | Monthly | CISO | EV-F → Continuous Monitoring → Privileged Sessions |
| EV-D19 | SIEM log source baseline — all sources, expected volumes, forwarding methods | 3.3.1 | Annual + on source change | IT Manager | AT-AU → Log Source Inventory |
AT-CM · Configuration Management
Document ID: AT-CM
Controls: 3.4.1–3.4.9 (9 controls)
CMMC L1: None
ISO 27001: 5.9, 5.37, 8.9, 8.18, 8.19, 8.32, 8.33
DEFSTAN: Profile 1 §Config Mgmt (inventory + baseline) · Profile 2 §Config Mgmt (full change control)
Page owner: IT Manager
SCM: isms-it-staff · isms-security
Section 0 — ISO 27001 and DEFSTAN mapping
| Annex A | Control | NIST implemented | Primary evidence |
| 8.9 | Configuration management | 3.4.1 (inventory), 3.4.2 (baseline) | EV-D19 · EV-D20 |
| 8.32 | Change management | 3.4.3 (track changes) · 3.4.4 (SIA) · 3.4.5 (access for changes) | EV-D21 |
| 8.18 | Use of privileged utility programs | 3.4.7 (restrict nonessential programs, functions, ports, protocols and services) | WDAC/AppLocker config |
| 8.19 | Installation of software on operational systems | 3.4.8 (allow-listing), 3.4.9 (user-installed software) | Approved software list · WDAC/AppLocker config |
| 5.9 | Inventory of information and other associated assets | 3.4.1 | EV-D22 |
DEFSTAN mapping:
Profile 1 §Configuration Management:
Documented baseline for all OFFICIAL-scope systems
Inventory of system components
Change to OFFICIAL systems requires documented process
Profile 2 §Configuration Management:
Formal change management with security impact analysis
Software restriction on OFFICIAL-scope systems
Configuration drift detection and correction
Separation of environments (dev/test/production)
DEFSTAN-specific note:
Profile 2 SIA template must include a question about whether the
change affects the information processed by the DEFSTAN contract
If yes: contracting authority may need to be notified depending
on the contract schedule requirements
Key technical procedures (reference FC-02 for full detail)
Baseline documents: BL-WIN11, BL-WINSRV, BL-MAC, BL-UBUNTU, BL-NET, BL-CLOUD
Enforcement: GPO (Windows), MDM (macOS/Windows), Ansible (Linux), IaC (cloud)
Drift detection: MDM continuous, SIEM event-based, Ansible weekly check mode,
quarterly CIS-CAT Pro (EV-D20)
Change categories: Standard (pre-approved) / Normal (CAB 48h) / Major (CAB+CISO 5d) / Emergency
Change record: RFC with SIA → CAB review → implementation log → post-change verification → EV-D21
Approved software list: documented in AT-CM child page
5 categories: Productivity / Developer tools / Security tools / Privileged utilities / Extensions
Approval SLA: 3 business days (IT Manager) + 2 days (CISO for CUI/internet-touching)
Denied software register: maintained with reasons
Asset register (EV-D22): quarterly reconciliation with network discovery
Fields: asset ID, hostname, OS, owner, CUI scope (Y/N), location, last verified
Evidence register — AT-CM
| EV ID | Evidence Item | Controls | Frequency | Owner | Location |
| EV-D19 | Baseline configuration specifications (BL-[PLATFORM] documents) | 3.4.2 | Annual + on major OS/CIS release | IT Manager | AT-CM → Baseline Documents |
| EV-D20 | Quarterly configuration audit (CIS-CAT Pro output + deviation analysis) | 3.4.1, 3.4.2 | Quarterly | IT Manager | EV-D → Config Management → Config Audits |
| EV-D21 | Change management records (RFC per change including SIA) | 3.4.3, 3.4.4, 3.4.5 | Per change | IT Manager | EV-D → Config Management → Change Log |
| EV-D22 | Asset register — CUI-scope system component inventory | 3.4.1 | Quarterly reconciliation | IT Operations | EV-D → Config Management → Asset Register |
| EV-D08 | Configuration exception register | 3.4.2 (deviations) | Per exception | CISO | EV-D → Vulnerability Management → Patch Exceptions |
AT-IA · Identification and Authentication
Document ID: AT-IA
Controls: 3.5.1–3.5.11 (11 controls)
CMMC L1: IA.L1-3.5.1, IA.L1-3.5.2 (2 practices)
ISO 27001: 5.16, 5.17, 8.5, 8.24
DEFSTAN: Profile 0 §Identification (3.5.1, 3.5.2) · Profile 1 §Access (3.5.3–3.5.9) · Profile 2 §Access (3.5.10, 3.5.11)
Page owner: IT Manager / CISO
SCM: isms-it-staff · isms-security
Section 0 — ISO 27001 and DEFSTAN mapping
| Annex A | Control | NIST implemented | Primary evidence |
| 5.16 | Identity management | 3.5.1 (identify users) | AD/Entra ID user objects |
| 5.17 | Authentication information | 3.5.2 (authenticate before access), 3.5.7 (password complexity), 3.5.8 (password reuse) | FGPP configuration · EV-D05 |
| 8.5 | Secure authentication | 3.5.3 (MFA), 3.5.4 (replay resistant), 3.5.5 (identifier reuse), 3.5.6 (identifier disable) | CA policies · EV-D05 |
| 8.24 | Use of cryptography | 3.5.10 (cryptographically protected passwords) | Password hashing config |
DEFSTAN mapping:
Profile 0 §Identification:
Named accounts (3.5.1): every individual has unique identifier
Authentication before access (3.5.2): no unauthenticated sessions
Profile 1 §Access:
MFA for remote access (3.5.3): VPN + cloud services require MFA
Replay-resistant authentication (3.5.4): Kerberos / TLS / MFA tokens
Identifier management (3.5.5, 3.5.6): account lifecycle controls
Password policy (3.5.7, 3.5.8, 3.5.9): FGPP enforced
Profile 2 §Access:
Obscure feedback (3.5.11): password fields mask input — standard browser/OS behaviour
Cryptographic authentication (3.5.10): passwords stored and transmitted only in cryptographically protected form. Linux: sha512crypt (or yescrypt) hashes via PAM, with the OS cryptographic module running in FIPS mode; Windows: the NT hash and AES-256 Kerberos keys held in AD, with AES-256 Kerberos encryption types enforced on the wire. Assessor caveat: the FIPS validation cited in EV-D31 belongs to the OS cryptographic module operating in FIPS mode, not to any individual hashing scheme, so word the SSP narrative accordingly
PKI-based authentication (3.5.3 enhanced): FIDO2 hardware keys for privileged accounts
DEFSTAN MFA note:
Profile 2 contracts may specify that MFA is required for ALL access to OFFICIAL systems,
not just remote access. Confirm with contracting authority whether office-based
workstation logins require MFA (typically: Entra ID joined + Windows Hello for Business
satisfies this requirement without additional friction)
Key technical procedures (reference FC-03 IT Staff Procedures for full detail)
Conditional Access policies — four required (CA-001 through CA-004):
CA-001: Admin MFA all access — FIDO2 required; sign-in frequency: every time
CA-002: User MFA all access — Authenticator (number matching) required
CA-003: Block legacy authentication — explicit deny on legacy client types
CA-004: Break-glass exclusion: break-glass accounts are excluded from CA-001 to CA-003 so that a misconfigured or failing policy cannot lock them out; this dedicated policy still requires MFA (FIDO2 only) and does not require a compliant device. Every break-glass sign-in should raise a Critical SIEM alert, since legitimate use is rare and always documented
MFA methods:
Allowed: Microsoft Authenticator (number matching) · FIDO2 hardware keys
Required for admin: FIDO2 only (Authenticator not sufficient for adm- accounts)
Prohibited: SMS OTP · voice calls (SIM-swap vulnerable)
FGPP configuration:
Standard users (FGPP-Standard-Users):
MinPasswordLength: 16 · PasswordHistoryCount: 24 · LockoutThreshold: 5 · LockoutDuration: 15 min
Privileged users (FGPP-Privileged-Users):
MinPasswordLength: 20 · PasswordHistoryCount: 24 · LockoutThreshold: 5 · LockoutDuration: 30 min
Account lifecycle (3.5.5, 3.5.6):
Identifier reuse: disabled for 6 months after account deletion
Inactive identifiers: disabled after 90 days of no logon (SIEM alert at 60 days)
Temporary identifiers: Temporary Access Pass — 4 hours maximum; single-use
Certificate management (3.5.3 PKI):
Device certificates: issued by internal CA · deployed via MDM
Short-lived SSH user certs (from PAM): 8-hour validity
Full certificate lifecycle: see OP-02 Certificate Management
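Added example, not code from this page or from the directory tooling: the account lifecycle rules above (3.5.5, 3.5.6) as a small policy engine over a constructed account export, producing the 60-day alert and 90-day disable actions and answering whether an identifier may be reissued. It goes slightly beyond the text in one respect: accounts that have never logged on are aged from their creation date, because an unused joiner account is an open credential nobody is watching. The review date, the account records, and the choice to implement "6 months" as 183 days are assumptions.

```python
"""Account lifecycle checks for 3.5.5 (identifier reuse) and 3.5.6 (inactive
identifiers) over a constructed account export. Review date, records and the
183-day reading of "6 months" are assumptions for this example."""

from datetime import date

INACTIVE_ALERT_DAYS = 60     # SIEM alert
INACTIVE_DISABLE_DAYS = 90   # disable the account
REUSE_HOLD_DAYS = 183        # "6 months" after deletion, implemented as 183 days


def lifecycle_actions(accounts, today):
    """accounts: dicts with name, enabled, created (date), last_logon (date or None).
    Returns sorted (name, action) pairs; already-disabled accounts are skipped."""
    actions = []
    for acct in accounts:
        if not acct["enabled"]:
            continue
        # Never-logged-on accounts age from creation rather than escaping review.
        reference = acct["last_logon"] or acct["created"]
        idle_days = (today - reference).days
        if idle_days >= INACTIVE_DISABLE_DAYS:
            actions.append((acct["name"], "disable"))
        elif idle_days >= INACTIVE_ALERT_DAYS:
            actions.append((acct["name"], "alert"))
    return sorted(actions)


def identifier_available(name, deleted, live_names, today):
    """True only if the identifier is not in use and any previous deletion is
    at least REUSE_HOLD_DAYS ago, so old ACL entries and mail aliases cannot
    silently attach to a new person."""
    if name in live_names:
        return False
    deleted_on = deleted.get(name)
    return deleted_on is None or (today - deleted_on).days >= REUSE_HOLD_DAYS


# Constructed review date and export.
TODAY = date(2024, 6, 30)
SAMPLE_ACCOUNTS = [
    {"name": "alice.smith", "enabled": True, "created": date(2023, 1, 9), "last_logon": date(2024, 6, 25)},
    {"name": "bob.jones", "enabled": True, "created": date(2022, 5, 2), "last_logon": date(2024, 4, 25)},
    {"name": "carol.white", "enabled": True, "created": date(2021, 8, 16), "last_logon": date(2024, 3, 1)},
    {"name": "dave.brown", "enabled": True, "created": date(2024, 3, 15), "last_logon": None},
    {"name": "erin.black", "enabled": False, "created": date(2020, 2, 3), "last_logon": date(2024, 1, 1)},
]
DELETED_IDENTIFIERS = {"frank.green": date(2024, 2, 15), "grace.hill": date(2023, 11, 1)}
LIVE_NAMES = {a["name"] for a in SAMPLE_ACCOUNTS}

if __name__ == "__main__":
    for name, action in lifecycle_actions(SAMPLE_ACCOUNTS, TODAY):
        print(f"{name:<14} {action}")
    for candidate in ("frank.green", "grace.hill"):
        print(candidate, "available" if identifier_available(candidate, DELETED_IDENTIFIERS, LIVE_NAMES, TODAY) else "on hold")
```

In AD the last-logon source must be lastLogonTimestamp (replicated, up to 14 days stale) or a SIEM-derived value, not lastLogon, which is per domain controller; pick one and document it in the SSP narrative.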
Evidence register — AT-IA
| EV ID | Evidence Item | Controls | Frequency | Owner | Location |
| EV-D05 | Quarterly MFA coverage report (6-check procedure) | 3.5.3 | Quarterly | IT Manager | EV-D → Access Control → MFA Status |
| EV-D19 | MFA configuration baseline (CA policies, FGPP, auth methods) | 3.5.3, 3.5.7, 3.5.8 | Annual + on change | CISO | AT-IA → Configuration Baseline |
| EV-D30 | Certificate and key inventory | 3.5.3 (PKI), 3.13.8, 3.13.10 | Monthly review | IT Operations | EV-D → Cryptography → Certificate Inventory |
| EV-D31 | Annual encryption audit — FIPS module certification | 3.5.10 | Annual | IT Manager | EV-D → Cryptography → Encryption Audit |
AT-IR · Incident Response
Document ID: AT-IR
Controls: 3.6.1, 3.6.2, 3.6.3 (3 controls)
CMMC L1: None
ISO 27001: 5.24 (IR planning), 5.25 (IR assessment), 5.26 (IR response), 5.27 (IR learning), 5.28 (Evidence collection)
DEFSTAN: Profile 1 §Incident Management (all 3 controls) · Profile 2 §Incident Management (3.6.3 testing)
Page owner: CISO
SCM: isms-it-staff · isms-security
Section 0 — ISO 27001 and DEFSTAN mapping
| Annex A | Control | NIST implemented | Primary evidence |
| 5.24 | Information security incident management planning | 3.6.1 (establish IR capability) | IRP document (EV-D11) |
| 5.26 | Response to information security incidents | 3.6.2 (track, document, report) | EV-D12 · EV-D13 |
| 5.27 | Learning from information security incidents | 3.6.2 (post-incident review) | EV-D13 (PIR records) |
| 5.28 | Collection of evidence | 3.6.2 (retain records) | EV-D12 (incident records) |
DEFSTAN mapping:
Profile 1 §Incident Management:
Documented IR procedure: IRP (EV-D11) satisfies this
Incident reporting to contracting authority: 24-hour window
(vs DFARS 72-hour and ICO 72-hour — DEFSTAN 24-hour is the tightest clock)
Post-incident review required for all significant incidents
Profile 2 §Incident Management:
Annual IR exercise required (3.6.3)
Q4 combined exercise (OP-05) satisfies this requirement
Exercise report (EV-D15) retained and available to contracting authority
Reporting obligations (three parallel clocks):
DFARS §252.204-7012: 72h from discovery → US DoD (DIBNet portal)
UK GDPR: 72h from discovery → ICO (if personal data risk)
DEFSTAN contract: 24h from discovery → contracting authority
The 24-hour DEFSTAN clock means the security team must make the
notification/no-notification decision within 24 hours for DEFSTAN-scope
incidents regardless of whether investigation is complete
Key technical procedures
IRT composition:
Incident Commander: CISO
Technical Lead: IT Manager
Security Analyst
HR Manager (for insider threat or personnel-related incidents)
Legal counsel (on-call, not full-time)
Comms lead: [CEO/MD or designated communications officer]
IR phases:
1. Detection and identification (EV-D12 opened)
2. Containment (immediate then long-term)
3. Eradication
4. Recovery
5. Post-incident review (EV-D13, within 10 days)
6. Lessons learned (IRP update, training update)
Playbook library (family-specific rapid-triage guides):
PB-01: Credential compromise / account takeover
PB-02: Ransomware / destructive malware
PB-03: Data exfiltration
PB-04: Phishing campaign (widespread)
PB-05: Insider threat
PB-06: Physical security incident
PB-07: Supplier security incident
(Each playbook: 30-minute rapid triage guide before formal IRT activation)
Evidence preservation (3.6.2):
Memory acquisition before system shutdown
Disk image before remediation
Log export from SIEM for incident time window
Chain of custody record for all forensic evidence
Evidence register — AT-IR
| EV ID | Evidence Item | Controls | Frequency | Owner | Location |
|---|---|---|---|---|---|
| EV-D11 | Incident Response Plan (IRP) | 3.6.1 | Annual review + post-incident update | CISO | AT-IR → IRP Document |
| EV-D12 | Individual incident records | 3.6.2 | Per incident | CISO | EV-D → Incident Response → Incidents → [YYYY] |
| EV-D13 | Post-incident review records | 3.6.2 | Per significant incident | CISO | EV-D → Incident Response → PIR → [YYYY] |
| EV-D14 | IRT contact list and escalation matrix | 3.6.1 | Quarterly verification | CISO | AT-IR → IRT Contact List |
| EV-D15 | Annual IR exercise report | 3.6.3 | Annual (Q4) | CISO | EV-D → Incident Response → Exercise Records |
AT-MA · Maintenance
Document ID: AT-MA
Controls: 3.7.1–3.7.6 (6 controls)
CMMC L1: None
ISO 27001: 5.37 (Documented operating procedures), 8.9 (Config management)
DEFSTAN: Profile 1 §Maintenance (all 6 controls)
Page owner: IT Manager
SCM: isms-it-staff · isms-security
Section 0 — ISO 27001 and DEFSTAN mapping
| Annex A | Control | NIST implemented | Primary evidence |
|---|---|---|---|
| 5.37 | Documented operating procedures | 3.7.1, 3.7.2 (maintenance procedures) | Maintenance procedure docs |
| 8.9 | Configuration management | 3.7.3 (remove media before maintenance) · 3.7.4 (check media) | EV-D24 (maintenance log) |
DEFSTAN mapping:
Profile 1 §Maintenance:
All 6 controls in scope — DEFSTAN specifically emphasises 3.7.5
(MFA for remote maintenance) and 3.7.6 (supervision of non-cleared personnel)
For DEFSTAN contracts:
Any vendor performing remote maintenance on a system that processes
OFFICIAL information must use MFA for their remote session
Vendor cannot initiate the maintenance connection; the session must be initiated by IT Operations, who control session establishment and termination
Supervised maintenance record (EV-D26M):
For any maintenance by personnel without BPSS screening:
Supervision requirement documented
IT Operations engineer named as supervisor
Duration and scope of maintenance documented
System returned to secure state confirmed
Key technical procedures
Maintenance scheduling (3.7.1):
All maintenance requiring system downtime: Normal or Major RFC
Emergency maintenance: Emergency RFC with verbal CISO approval
Maintenance windows: standard window Tuesday/Thursday 22:00–02:00 UTC
CUI system maintenance: IT Manager approval minimum; CISO for Major changes
Remote maintenance (3.7.5):
Platform: PAM-mediated (vendor authenticates to PAM, not directly to system)
Vendor credential: individual PAM account for vendor engineer (not shared)
MFA: TOTP minimum for vendors (FIDO2 for our own staff)
Session: initiated by IT Operations; vendor cannot self-initiate
Recording: all remote maintenance sessions recorded in PAM
Session evidence: EV-D32M (remote maintenance session log)
Termination: IT Operations terminates session on completion
Media handling during maintenance (3.7.3, 3.7.4):
CUI-scope media removed from system before maintenance by non-cleared vendor
If removal not feasible: maintain visual supervision throughout
Media returned after maintenance: scan with AV before reconnecting to CUI network
Document in maintenance log (EV-D24)
Approved maintenance personnel list:
Named register of individuals approved to maintain CUI-scope systems
Updated when personnel change: triggers EV-D04 leaver process for departing
maintenance engineers (remove from list; revoke PAM account)
Evidence register — AT-MA
| EV ID | Evidence Item | Controls | Frequency | Owner | Location |
|---|---|---|---|---|---|
| EV-D21 | Maintenance RFCs (change management records) | 3.7.1, 3.7.2 | Per maintenance event | IT Manager | EV-D → Config Management → Change Log |
| EV-D24 | Maintenance log — scheduled and unscheduled | 3.7.1, 3.7.2, 3.7.3, 3.7.4 | Per maintenance event | IT Operations | EV-D → Maintenance → Maintenance Log |
| EV-D32M | Remote maintenance session log (PAM records) | 3.7.5 | Per remote session | IT Manager | EV-D → Maintenance → Remote Sessions |
| EV-D05 | Quarterly MFA coverage — includes maintenance MFA verification | 3.7.5 | Quarterly | IT Manager | EV-D → Access Control → MFA Status |
AT-MP · Media Protection
Document ID: AT-MP
Controls: 3.8.1–3.8.9 (9 controls)
CMMC L1: MP.L1-3.8.3 (sanitise or destroy media before disposal/reuse)
ISO 27001: 5.12, 5.13, 7.10, 7.14, 8.10, 8.13, 8.24
DEFSTAN: Profile 1 §Physical (sanitisation) · Profile 2 §Data Handling (CUI marking, encryption, backup)
Page owner: IT Manager / Facilities Manager
SCM: isms-it-staff · isms-security
Section 0 — ISO 27001 and DEFSTAN mapping
| Annex A | Control | NIST implemented | Primary evidence |
|---|---|---|---|
| 7.10 | Storage media | 3.8.1 (protect media) · 3.8.3 (sanitise) · 3.8.5 (control transport) | EV-D22 · EV-D25 |
| 7.14 | Secure disposal or re-use of equipment | 3.8.3 (sanitise/destroy) | EV-D25 · EV-D26 |
| 5.12 | Classification of information | 3.8.1, 3.8.2 (access restriction) | Classification scheme |
| 5.13 | Labelling of information | 3.8.4 (marking) | Physical media labels |
| 8.13 | Information backup | 3.8.9 (protect backup CUI) | EV-D27 · EV-D28 |
DEFSTAN mapping:
Profile 1 §Physical:
Sanitisation required before disposal or reuse: 3.8.3
NCSC-approved sanitisation methods required (HMG IA Standard No. 5)
ADISA certification required for commercial disposal of OFFICIAL assets
Profile 2 §Data Handling:
CUI marking on all physical media: 3.8.4
Encryption for portable media: 3.8.6 (FIPS-validated AES-256)
Backup encryption: 3.8.9 (client-side before upload)
DEFSTAN disposal evidence:
ADISA certificate (individual asset serial number level, not batch)
Must be retained permanently
Available to contracting authority on request
For assets disposed of since contract start: complete ADISA certificate
records should exist for every CUI-scope asset
Key technical procedures
Sanitisation procedure (MP.L1-3.8.3) by media type:
HDDs (reuse): NIST 800-88 Purge — Secure Erase command (ATA Secure Erase or equivalent)
Minimum 1 pass; verify with vendor tool; log in EV-D26
HDDs (disposal): Physical destruction — degauss + shred (ADISA compliant vendor)
Certificate required per asset: EV-D25
SSDs (reuse): Cryptographic erase (if self-encrypting drive) or
vendor-supplied Secure Erase command; verify erasure; log EV-D26
SSDs (disposal): Physical destruction (shred to ≤2mm particles); EV-D25
USB/flash media: Cryptographic erase or physical destruction; EV-D26
Optical media: Physical destruction (cross-cut shredder or industrial shredder); EV-D26
Paper CUI: Cross-cut shredder (DIN 66399 Level P-4 minimum) or confidential waste bin
Mobile phones (disposal): Factory reset + cryptographic erase via MDM; EV-D26
CUI marking:
Physical label: "CUI" in red on physical media; applied before any data is stored
Electronic marking: file property metadata; SharePoint sensitivity label;
document header/footer from approved template
Backup encryption: see OP-01 (Backup and Recovery) for full procedure
AES-256 client-side before upload to cloud or write to backup appliance
Key in PAM vault (never at cloud provider)
Quarterly restoration test: EV-D28
Evidence register — AT-MP
| EV ID | Evidence Item | Controls | Frequency | Owner | Location |
|---|---|---|---|---|---|
| EV-D22 | Media register — all CUI-bearing physical media | 3.8.1, 3.8.2 | Continuous; quarterly audit | IT Operations | EV-D → Physical Security → Media Register |
| EV-D25 | Destruction certificates (ADISA — per-asset serial number) | 3.8.3 (CMMC L1) | Per disposal event; retained permanently | IT Operations | EV-D → Physical Security → Destruction Certs |
| EV-D26 | Internal media sanitisation log | 3.8.3 | Per sanitisation event; retained permanently | IT Operations | EV-D → Physical Security → Sanitisation Log |
| EV-D27 | Daily backup completion logs | 3.8.9 | Daily; reviewed weekly | IT Operations | EV-D → BCM → Backup Logs |
| EV-D28 | Quarterly backup restoration test records | 3.8.9 | Quarterly | IT Manager | EV-D → BCM → Restoration Tests |
| EV-D31 | Annual encryption audit (backup encryption + FIPS module) | 3.8.6, 3.8.9 | Annual | IT Manager | EV-D → Cryptography → Encryption Audit |
AT-PE · Physical Protection
Document ID: AT-PE
Controls: 3.10.1–3.10.6 (6 controls)
CMMC L1: PE.L1-3.10.1, PE.L1-3.10.2, PE.L1-3.10.3, PE.L1-3.10.5 (4 practices)
ISO 27001: 7.1 (Physical security perimeters), 7.2 (Physical entry), 7.3 (Securing offices), 7.4 (Physical security monitoring), 7.9 (Clear desk)
DEFSTAN: Profile 0 §Physical (3.10.1, 3.10.2, 3.10.3) · Profile 1 §Physical (3.10.4, 3.10.5, 3.10.6)
Page owner: Facilities Manager / CISO
SCM: isms-it-staff · isms-security
Section 0 — ISO 27001 and DEFSTAN mapping
| Annex A | Control | NIST implemented | Primary evidence |
|---|---|---|---|
| 7.1 | Physical security perimeters | 3.10.1 (physical access authorisation) | ACS configuration |
| 7.2 | Physical entry | 3.10.2 (physical access devices) · 3.10.3 (escort visitors) | EV-D23 · EV-D24 |
| 7.4 | Physical security monitoring | 3.10.2 (CCTV) | EV-D29 |
| 7.9 | Security of assets off-premises | 3.10.5 (alternative sites) | Travel security policy |
DEFSTAN mapping:
Profile 0 §Physical:
Controlled access to building (3.10.1): ACS on all entry points; card access
Visitor control (3.10.3): sign-in, escort, sign-out
CCTV coverage (3.10.2): entry points and common areas
Profile 1 §Physical:
Equipment protection (3.10.4): cable locks; screen locks; laptop tethering
Secure areas (3.10.5): server room access restricted to named IT personnel
Maintenance in secure areas (3.10.6): supervised; logged in EV-D24
DEFSTAN site inspection:
Contracting authority may conduct a physical security inspection of
premises where OFFICIAL information is processed
Prepare: zone diagram, visitor log sample, ACS configuration,
CCTV coverage diagram, server room access log
Key technical procedures
Three-zone model:
Zone 1: Public (reception, meeting rooms accessible to visitors)
Visitor sign-in: name, organisation, host, purpose, time in/out
No CUI-scope systems in Zone 1
Zone 2: Controlled (general office area, staff workstations)
Access: card required; no tailgating
CUI work may occur here (screens not visible to visitors)
Visitor: escorted at all times; visitor badge visible
Zone 3: Secure (server room, secure storage, CISO office)
Access: card + PIN; named individuals only; list maintained in EV-D23 annex
No visitors permitted without: IT Manager written approval + continuous escort
All access logged: ACS log minimum; CCTV required at entry
ACS configuration:
All Zone 2 and 3 access points under electronic ACS
Card deactivation: Facilities deactivates within 1 hour of leaver notification
Quarterly review: access log cross-referenced against HR (EV-D23 quarterly review)
After-hours access: alert → CISO within 1 hour
CCTV:
Coverage: all building entry/exit points + server room entrance + common areas
Retention: 31 days (UK GDPR minimum for security purposes with DPO sign-off)
Health check: monthly image quality and coverage verification (EV-D29)
Clear desk enforcement:
Automated screen lock: 15 minutes (GPO/MDM — see AT-IA)
End of day: documented in Acceptable Use Policy; manager confirms compliance
Spot checks: CISO or Facilities quarterly walk; findings to EV-D29
Evidence register — AT-PE
| EV ID | Evidence Item | Controls | Frequency | Owner | Location |
|---|---|---|---|---|---|
| EV-D23 | Physical access log review — ACS exports + visitor log | 3.10.1, 3.10.4, 3.10.5 | Quarterly review | Facilities Manager | EV-D → Physical Security → Access Logs |
| EV-D24 | Visitor and contractor sign-in/out log | 3.10.3 | Continuous; retained 12 months | Facilities Manager | EV-D → Physical Security → Visitor Log |
| EV-D29 | CCTV and facility monitoring check record | 3.10.2 | Monthly (image quality) + quarterly (coverage) | Facilities Manager | EV-D → Physical Security → CCTV Records |
AT-PS · Personnel Security
Document ID: AT-PS
Controls: 3.9.1, 3.9.2 (2 controls)
CMMC L1: None
ISO 27001: 6.1 (Screening), 6.2 (Terms and conditions), 6.4 (Disciplinary), 6.5 (Responsibilities after termination)
DEFSTAN: Profile 1 §Personnel (both controls — screening standard and leaver process)
Page owner: HR Manager / CISO
SCM: isms-it-staff · isms-security (HR Manager granted read access to operational sections)
Section 0 — ISO 27001 and DEFSTAN mapping
| Annex A | Control | NIST implemented | Primary evidence |
|---|---|---|---|
| 6.1 | Screening | 3.9.1 (screen before authorising access) | EV-B08 (screening register) |
| 6.2 | Terms and conditions of employment | 3.9.2 (supporting — NDA creates enforceable obligation) | EV-B01 (signed contracts) |
| 6.5 | Responsibilities after termination | 3.9.2 (protect CUI after personnel action) | EV-D04 · EV-B09 |
DEFSTAN mapping:
Profile 1 §Personnel:
Screening level mapped to information sensitivity:
OFFICIAL: BPSS minimum
OFFICIAL-SENSITIVE (certain categories): SC clearance minimum
SC clearance: sponsored by contracting authority via UKSV
Clearance register: maintained for all SC/DV cleared staff
Contracting authority notified within [contract-specified timeframe]
if a cleared person departs
DEFSTAN departure notification:
Must occur regardless of whether the departed individual held a
security clearance — the contracting authority is informed of any
change in personnel with access to DEFSTAN-contract OFFICIAL information
Timeframe: confirm from contract schedule (typically 5 business days)
Key technical procedures
Screening matrix (Section 3 of AT-PS):
12 role categories from general staff (right to work only) through
DEFSTAN OFFICIAL-SENSITIVE (SC clearance required)
Cross-referenced against EV-B08 screening register quarterly
BPSS components:
Identity verification (original documents)
Right to work in UK (legal entitlement)
Employment history (3 years, explained gaps)
Criminal record check (unspent convictions)
Conducted by: UKAS-accredited screening provider or approved HR process
SC clearance:
Conducted by: UKSV (UK Security Vetting) — cannot be self-initiated
Timeline: 4–12 weeks average
Sponsorship: contracting authority or government department
Leaver de-provisioning checklist (EV-D04) — three sections:
HR: exit interview, NDA acknowledgement (EV-B09), property return
IT Operations: account disable, MFA revoke, equipment retrieval, data custody
CISO: SIEM review, risk assessment, contracting authority notification
Evidence register — AT-PS
| EV ID | Evidence Item | Controls | Frequency | Owner | Location |
|---|---|---|---|---|---|
| EV-B08 | Personnel security screening register — all CUI-scope staff and contractors | 3.9.1 | Per hire; annual review | HR Manager | EV-B → Personnel Security → Screening Register |
| EV-B09 | Departure NDA confirmation — signed at exit interview | 3.9.2 | Per leaver | HR Manager | EV-B → Personnel Security → Departure NDAs |
| EV-B01 | Signed employment contracts and NDAs | 3.9.1 (supporting), 3.9.2 (supporting) | Per hire | HR Manager | EV-B → Personnel Security → Employment Agreements |
| EV-D04 | Leaver de-provisioning checklist (3-section, tri-signed) | 3.9.2 | Per leaver (filed within 5 days) | IT Ops + HR + CISO | EV-D → Access Control → JML Log → Leavers |
AT-RA · Risk Assessment
Document ID: AT-RA
Controls: 3.11.1, 3.11.2, 3.11.3 (3 controls)
CMMC L1: None
ISO 27001: 5.7 (Threat intelligence), 8.8 (Technical vulnerability management) + clauses 6.1.2, 8.2
DEFSTAN: Profile 1 §Risk (3.11.1) · Profile 2 §Patching (3.11.2, 3.11.3)
Page owner: CISO
SCM: isms-it-staff · isms-security · isms-management (Sections 1–3)
Section 0 — ISO 27001 and DEFSTAN mapping
| Annex A | Control | NIST implemented | Primary evidence |
|---|---|---|---|
| 5.7 | Threat intelligence | 3.11.1 (threat intelligence as risk assessment input) | EV-C02 (threat intelligence section) |
| 8.8 | Management of technical vulnerabilities | 3.11.2 (scan) · 3.11.3 (remediate per risk) | EV-D06 · EV-D07 |
| Clause 6.1.2 | Risk assessment process | 3.11.1 | EV-C01 · EV-C02 |
| Clause 8.2 | Information security risk assessments | 3.11.1 | EV-C02 |
DEFSTAN mapping:
Profile 1 §Risk:
Documented risk process with named CISO
Annual risk assessment report (EV-C02) satisfies this
Risk register available to contracting authority on request
(Produce a sanitised risk register summary excluding operationally sensitive
details before sharing with contracting authority)
Profile 2 §Patching:
Monthly authenticated vulnerability scanning: EV-D06
Patch tracking register with SLA: EV-D07 (SLA from vendor release date)
CISA KEV: 7-day SLA regardless of CVSS score
DEFSTAN risk appetite alignment:
Contracting authority may ask: "What is your risk appetite for CUI risks?"
Answer: Low — any High or Very High risk must be treated (not accepted)
Document risk appetite statement in the risk management policy
and reference it in EV-C02
Key technical procedures
Risk methodology: qualitative 5×5 likelihood × impact matrix
Likelihood levels: Very Low / Low / Moderate / High / Very High
Impact levels: Very Low / Low / Moderate / High / Very High
Risk appetite: Low — High and Very High risks must be treated;
Moderate may be accepted with CISO approval
Annual risk assessment: 9-phase procedure
Phase 1: initiation and scoping (4 weeks before workshop)
Phase 2: threat intelligence gathering (NCSC, CISA, CISP, MITRE ATT&CK)
Phase 3: asset valuation
Phase 4: risk identification workshop
Phase 5: risk evaluation and treatment decisions
Phase 6: report production (EV-C02)
Phase 7: management review
Phase 8: risk register update (EV-C03 in 05 · Risk Register)
Phase 9: POA&M integration (EV-C04 → AT-CA POA&M)
Vulnerability scanning programme:
Monthly: authenticated network scan — all CUI-scope systems
Weekly: internet-facing systems
Triggered: within 24 hours of CISA KEV entry affecting in-scope technology
Quarterly: DAST (web applications)
Monthly: cloud CSPM export
Annual: penetration test (EV-D09)
SLA clock from vendor release date (not detection date):
Critical: 7 days · High: 14 days · Medium: 30 days · Low: 90 days
CISA KEV: 7 days regardless of CVSS score
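To show how the vendor-release-date clock and the KEV override play out on actual register rows, here is an added Python example; it is not the ISMS's own tooling, and the row field names, the `kev` flag and the compliance-rate definition are assumptions.

```python
"""Patch SLA status check over an EV-D07-style register.

Added example, not the ISMS's own tooling. Row field names, the 'kev' flag and
the compliance-rate definition (share of non-exception rows that are patched in
time or still within SLA) are assumptions; all rows are constructed samples.
"""
from datetime import date, timedelta

# SLA in days, measured from the vendor release date (not the detection date).
SLA_DAYS = {"Critical": 7, "High": 14, "Medium": 30, "Low": 90}
KEV_SLA_DAYS = 7  # CISA KEV entries: 7 days regardless of CVSS score


def sla_due_date(clock_start: date, severity: str, kev: bool = False) -> date:
    """Deadline for a finding whose SLA clock started on clock_start."""
    days = SLA_DAYS[severity]
    if kev:
        days = min(days, KEV_SLA_DAYS)  # KEV can only tighten the clock, never relax it
    return clock_start + timedelta(days=days)


def finding_status(row: dict, today: date, clock: str = "vendor_release") -> str:
    """Classify one register row.

    clock selects which date starts the SLA; the register's rule is
    'vendor_release'. 'detected' is supported only to show how measuring from
    detection hides findings that were already overdue when the scanner saw them.
    """
    due = sla_due_date(row[clock], row["severity"], row.get("kev", False))
    if row.get("patched_on") is not None:
        return "PATCHED" if row["patched_on"] <= due else "PATCHED_LATE"
    if row.get("exception_id"):  # approved entry in the patch exception register (EV-D08)
        return "EXCEPTION"
    return "WITHIN_SLA" if today <= due else "OVERDUE"


def compliance_rate(rows: list, today: date) -> float:
    """Share of rows, exceptions excluded, that are PATCHED or WITHIN_SLA."""
    statuses = [finding_status(r, today) for r in rows]
    counted = [s for s in statuses if s != "EXCEPTION"]
    if not counted:
        return 1.0
    return sum(s in ("PATCHED", "WITHIN_SLA") for s in counted) / len(counted)


# Constructed sample register; the VULN-* and EX-* identifiers are placeholders.
TODAY = date(2024, 6, 1)
REGISTER = [
    # Detected only four days ago, but the vendor fix is 22 days old: overdue.
    {"id": "VULN-0001", "severity": "High", "vendor_release": date(2024, 5, 10),
     "detected": date(2024, 5, 28)},
    # Medium by CVSS, but on the KEV list: 7-day clock instead of 30.
    {"id": "VULN-0002", "severity": "Medium", "kev": True,
     "vendor_release": date(2024, 5, 27), "detected": date(2024, 5, 28)},
    {"id": "VULN-0003", "severity": "Critical", "vendor_release": date(2024, 5, 20),
     "detected": date(2024, 5, 21), "patched_on": date(2024, 5, 26)},
    {"id": "VULN-0004", "severity": "Low", "vendor_release": date(2024, 1, 15),
     "detected": date(2024, 1, 20), "exception_id": "EX-PLACEHOLDER"},
    # Patched, but a week after the 7-day Critical deadline.
    {"id": "VULN-0005", "severity": "Critical", "vendor_release": date(2024, 5, 1),
     "detected": date(2024, 5, 2), "patched_on": date(2024, 5, 15)},
]

if __name__ == "__main__":
    for row in REGISTER:
        print(row["id"], finding_status(row, TODAY),
              "(from detection date:", finding_status(row, TODAY, clock="detected") + ")")
    print(f"compliance rate: {compliance_rate(REGISTER, TODAY):.0%}")
```

Running it shows VULN-0001 as OVERDUE under the register's rule but WITHIN_SLA if the clock were (wrongly) started at detection, which is the discrepancy an assessor checking EV-D07 will look for.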
Evidence register — AT-RA
| EV ID | Evidence Item | Controls | Frequency | Owner | Location |
|---|---|---|---|---|---|
| EV-C01 | Risk assessment initiation record | 3.11.1 | Annual (before assessment) | CISO | EV-C → Risk Management → Risk Assessments → [YYYY] |
| EV-C02 | Annual risk assessment report | 3.11.1 | Annual | CISO | EV-C → Risk Management → Risk Assessments → [YYYY] |
| EV-C03 | Risk register (live, in 05 · Risk Register) | 3.11.1 | Continuous; reviewed monthly | CISO | 05 · Risk Register |
| EV-C04 | Risk treatment action log | 3.11.1 | Continuous | CISO | EV-C → Risk Management → Risk Treatment Actions |
| EV-D06 | Vulnerability scan reports — all scan types | 3.11.2 | Monthly (network); quarterly (DAST); monthly (CSPM) | Security Analyst | EV-D → Vulnerability Management → Scan Reports |
| EV-D07 | Patch tracking register (SLA from vendor release date) | 3.11.3 | Weekly review | IT Manager | EV-D → Vulnerability Management → Patch Register |
| EV-D08 | Patch exception register | 3.11.3 | Per exception; monthly review | CISO | EV-D → Vulnerability Management → Patch Exceptions |
| EV-D09 | Annual penetration test report | 3.11.2 | Annual | CISO | EV-D → Vulnerability Management → Penetration Tests |
| EV-F02 | Monthly security metrics report (vulnerability section) | 3.11.3 | Monthly | CISO | EV-F → Continuous Monitoring → Metrics Reports |
AT-SC · System and Communications Protection
Document ID: AT-SC (parent) + AT-SC-BDY (boundary child) + AT-SC-ENC (encryption child)
Controls: 3.13.1–3.13.16 (16 controls)
CMMC L1: SC.L1-3.13.1, SC.L1-3.13.5 (2 practices — documented in FC-01)
ISO 27001: 8.20, 8.21, 8.22, 8.24, 8.26, 8.27
DEFSTAN: Profile 0 §Boundary (3.13.1, 3.13.5) · Profile 1 §Boundary (3.13.2–3.13.7) · Profile 2 §Boundary and §Crypto (3.13.8–3.13.16)
Page owner: IT Manager / CISO
SCM: isms-it-staff · isms-security
Section 0 — ISO 27001 and DEFSTAN mapping
| Annex A | Control | NIST implemented | Primary evidence |
|---|---|---|---|
| 8.20 | Network security | 3.13.1 (monitor/protect comms), 3.13.5 (DMZ) | EV-F03 · EV-D19 |
| 8.22 | Segregation of networks | 3.13.2, 3.13.3 (separation of user/system functions) | Network zone diagram |
| 8.24 | Use of cryptography | 3.13.8, 3.13.10, 3.13.11 | EV-D30 · EV-D31 |
| 8.26 | Application security requirements | 3.13.9 (terminate inactive sessions), 3.13.14 | Session timeout config |
| 8.27 | Secure system architecture and engineering principles | 3.13.2, 3.13.3 | AT-SC-ARC page |
DEFSTAN mapping:
Profile 0 §Boundary: FC-01 covers these — 3.13.1 and 3.13.5
Profile 1 §Boundary:
Network segmentation (3.13.2, 3.13.3): zone model documented + enforced
VPN encryption (3.13.8 supporting): IKEv2 AES-256 documented
Profile 2 §Boundary:
Deny by default, permit by exception (3.13.6): firewall default deny rule
Network-layer filtering (3.13.7): IDS/IPS at boundary
Profile 2 §Cryptography:
Transmission protection (3.13.8): TLS 1.2 minimum; TLS 1.3 preferred
FIPS-validated crypto (3.13.11): documented in EV-D31
Session authenticity (3.13.15): TLS mutual auth where applicable
DEFSTAN encryption note:
For OFFICIAL information in transit, the minimum is TLS 1.2 with
government-approved cipher suites (NCSC Commercial Cryptography guidance)
TLS 1.0 and 1.1: prohibited
Export cipher suites: prohibited
NULL cipher suites: prohibited
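The following added Python check (not the ISMS's own configuration or tooling) tests an nginx-style TLS stanza against exactly the prohibitions above, showing the weak setting beside its corrected form; the directive names follow nginx, the config snippets are constructed, and OpenSSL group keywords such as HIGH are flagged for manual vetting rather than expanded.

```python
"""Static check of an nginx-style TLS stanza against the DEFSTAN encryption note.

Added example, not the ISMS's own configuration. It checks only what the note
states (TLS 1.2 minimum, TLS 1.3 preferred, no TLS 1.0/1.1, no export or NULL
suites). Constructed snippets are illustrative. OpenSSL group keywords (HIGH,
DEFAULT, ...) are not expanded, so only explicit suite lists are fully vetted.
"""
import re

ALLOWED_PROTOCOLS = {"TLSv1.2", "TLSv1.3"}
PROHIBITED_PROTOCOLS = {"SSLv3", "TLSv1", "TLSv1.1"}
# Cipher-string tokens the note prohibits when they are selected positively:
# a NULL/EXP/EXPORT component in a suite name, or the bare aNULL/eNULL keywords.
PROHIBITED_SUITE = re.compile(r"(^|-)(NULL|EXP|EXPORT)(-|$)|^[ae]NULL$", re.IGNORECASE)
GROUP_KEYWORDS = {"ALL", "DEFAULT", "HIGH", "MEDIUM", "LOW", "COMPLEMENTOFDEFAULT"}


def parse_directives(config: str) -> dict:
    """Return {directive: [values]} for the ssl_protocols / ssl_ciphers lines."""
    found = {}
    for line in config.splitlines():
        line = line.split("#", 1)[0].strip().rstrip(";")
        if not line:
            continue
        name, _, value = line.partition(" ")
        if name == "ssl_protocols":
            found[name] = value.split()
        elif name == "ssl_ciphers":
            found[name] = value.strip("'\"").split(":")
    return found


def check_tls_config(config: str) -> dict:
    """Return {'errors': [...], 'warnings': [...]} for one stanza."""
    d = parse_directives(config)
    errors, warnings = [], []
    protocols = set(d.get("ssl_protocols", []))
    if not protocols:
        errors.append("ssl_protocols not set (server default may include TLS 1.0/1.1)")
    for p in sorted(protocols & PROHIBITED_PROTOCOLS):
        errors.append(f"prohibited protocol enabled: {p}")
    for p in sorted(protocols - PROHIBITED_PROTOCOLS - ALLOWED_PROTOCOLS):
        errors.append(f"unrecognised protocol: {p}")
    if protocols and not (protocols & ALLOWED_PROTOCOLS):
        errors.append("no TLS 1.2 or 1.3 enabled")
    if protocols and "TLSv1.3" not in protocols:
        warnings.append("TLS 1.3 not enabled (preferred)")
    for token in d.get("ssl_ciphers", []):
        if token.startswith(("!", "-")):
            continue  # an exclusion such as !aNULL never enables a suite
        bare = token.lstrip("+")
        if PROHIBITED_SUITE.search(bare):
            errors.append(f"prohibited cipher suite selected: {token}")
        elif bare.upper() in GROUP_KEYWORDS:
            warnings.append(f"group keyword {token} not expanded; vet the resolved list")
    return {"errors": errors, "warnings": warnings}


# Constructed snippets: the weak stanza and its corrected form.
WEAK_CONFIG = """
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_ciphers HIGH:EXP-RC4-MD5:NULL-SHA:!aNULL;
"""
FIXED_CONFIG = """
ssl_protocols TLSv1.2 TLSv1.3;
ssl_ciphers ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:!aNULL:!eNULL:!EXPORT;
"""

if __name__ == "__main__":
    for label, cfg in (("weak", WEAK_CONFIG), ("fixed", FIXED_CONFIG)):
        print(label, check_tls_config(cfg))
```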
Child page structure
AT-SC-BDY · Boundary Protection (child of AT-SC)
Controls: 3.13.1, 3.13.2, 3.13.3, 3.13.5, 3.13.6, 3.13.7
Contains: full network architecture specification (extends FC-01 technical layer)
Additional content vs FC-01:
Detailed IDS/IPS rule categories and alert procedure
DNS filtering and web proxy configuration
Cloud network security groups specification
Wireless security configuration (3.13.14, 3.13.15)
Mobile code restrictions (3.13.13)
Voice over IP security (3.13.14)
Advanced network monitoring (beyond fundamental tier)
AT-SC-ENC · Encryption (child of AT-SC)
Controls: 3.13.8, 3.13.9, 3.13.10, 3.13.11, 3.13.12, 3.13.15, 3.13.16
Contains: full cryptographic implementation specification
Key sections:
FIPS module certificate table — per system, per algorithm
Key management procedure — full lifecycle from generation to destruction
Certificate management (links to OP-02)
TLS configuration specification — minimum cipher suites per platform
At-rest encryption — per storage type (HSM-backed KMS)
VPN cryptographic specification
Backup encryption (links to OP-01)
Evidence register — AT-SC
| EV ID | Evidence Item | Controls | Frequency | Owner | Location |
|---|---|---|---|---|---|
| EV-D19 | Firewall rule register, network zone diagram, external connection register | 3.13.1, 3.13.5, 3.13.6 | Annual + on change | IT Manager | AT-SC-BDY |
| EV-F03 | Monthly firewall rule review | 3.13.1, 3.13.6 | Monthly | IT Manager | EV-F → Continuous Monitoring → Firewall Reviews |
| EV-F04 | Monthly IDS/IPS alert review | 3.13.1, 3.13.7 | Monthly | Security Analyst | EV-F → Continuous Monitoring → IDS Reviews |
| EV-D30 | Certificate and key inventory | 3.13.8, 3.13.10 | Monthly review | IT Operations | EV-D → Cryptography → Certificate Inventory |
| EV-D31 | Annual encryption audit (FIPS module certificate numbers) | 3.13.11 | Annual | IT Manager | EV-D → Cryptography → Encryption Audit |
AT-SI · System and Information Integrity
Document ID: AT-SI
Controls: 3.14.1–3.14.7 (7 controls)
CMMC L1: SI.L1-3.14.1, SI.L1-3.14.2, SI.L1-3.14.4, SI.L1-3.14.5 (4 practices — highest L1 count)
ISO 27001: 8.7 (Malware protection), 8.8 (Technical vulnerability management), 8.16 (Monitoring activities), 8.23 (Web filtering)
DEFSTAN: Profile 1 §Malware and §Patching (L1 controls) · Profile 2 §Audit and Monitoring (3.14.6, 3.14.7)
Page owner: IT Manager / Security Analyst
SCM: isms-it-staff · isms-security
Section 0 — ISO 27001 and DEFSTAN mapping
| Annex A | Control | NIST implemented | Primary evidence |
|---|---|---|---|
| 8.7 | Protection against malware | 3.14.2 (AV), 3.14.4 (update signatures), 3.14.5 (scheduled + real-time scan) | EV-D32 |
| 8.8 | Technical vulnerability management | 3.14.1 (identify and correct flaws) | EV-D06 · EV-D07 (shared with AT-RA) |
| 8.16 | Monitoring activities | 3.14.6 (monitor organisational systems), 3.14.7 (identify unauthorised use) | EV-F01 · EV-F04 |
| 8.23 | Web filtering | 3.14.2 (supporting — malware delivery via web) | Web proxy config |
DEFSTAN mapping:
Profile 1 §Malware:
AV on all endpoints and servers: 3.14.2 (CMMC L1)
Daily signature updates: 3.14.4 (CMMC L1)
Real-time scanning: 3.14.5 (CMMC L1)
Central management console: required for Profile 1 (EV-D32 produced from console)
Profile 1 §Patching:
Identify and correct flaws: 3.14.1 (CMMC L1)
Patching SLA: DEFSTAN Profile 1 requires documented patching SLA
Our 7/14/30/90-day SLA (EV-D07) satisfies this
Profile 2 §Audit and Monitoring:
SIEM monitoring for security events: 3.14.6
Investigation of unusual activity: 3.14.7
Both satisfied by EV-F01 (monthly SIEM log review) and SIEM correlation rules
DEFSTAN note on shared evidence:
EV-D06 (vulnerability scan reports) and EV-D07 (patch register) are the
same evidence items as AT-RA. DEFSTAN assessors reviewing §Patching may
ask for these directly — ensure they are current and accessible
Key technical procedures
AV/EDR deployment specification (3.14.2, 3.14.4, 3.14.5):
Platform: [EDR product — specify]
Windows: deployed via Intune; real-time protection, cloud-delivered, tamper protection ON
macOS: deployed via Jamf; real-time ON; Gatekeeper ON; SIP verified
Linux: deployed via Ansible; AppArmor in enforce mode; auditd active
Coverage verification: 100% of CUI-scope devices (EV-D32)
Alert on: protection disabled; signatures >48h old; threat not remediated in 30 min
Offline systems: maximum 7-day offline update interval (manual package import)
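As an added example (not the ISMS's own tooling), the Python below applies the alert thresholds above and the 100% coverage check to a constructed console export and CUI-scope inventory; the record field names and hostnames are assumptions.

```python
"""EDR coverage and alert-condition check for EV-D32.

Added example, not the ISMS's own tooling. Console record field names and the
constructed hostnames are assumptions; the thresholds are the ones stated in
the AV/EDR deployment specification.
"""
from datetime import datetime, timedelta

SIGNATURE_MAX_AGE = timedelta(hours=48)   # alert: signatures >48h old
OFFLINE_MAX_AGE = timedelta(days=7)       # offline systems: 7-day manual import interval
REMEDIATION_MAX = timedelta(minutes=30)   # alert: threat not remediated in 30 min


def evaluate_endpoint(rec: dict, now: datetime) -> list:
    """Return the alert strings raised by one console record (empty = healthy)."""
    alerts = []
    if not rec.get("rtp_enabled", False):
        alerts.append("real-time protection disabled")
    if not rec.get("tamper_protection", False):
        alerts.append("tamper protection off")
    # Offline systems get the longer manual-import window; everything else 48h.
    limit = OFFLINE_MAX_AGE if rec.get("offline") else SIGNATURE_MAX_AGE
    sig_age = now - rec["signatures_updated"]
    if sig_age > limit:
        alerts.append(f"signatures stale by {sig_age - limit}")
    for threat in rec.get("threats", []):
        ended = threat.get("remediated_at") or now  # still open: measure to now
        if ended - threat["detected_at"] > REMEDIATION_MAX:
            state = "unremediated" if threat.get("remediated_at") is None else "remediated late"
            alerts.append(f"threat {threat['id']} {state}")
    return alerts


def coverage_report(cui_inventory: list, console: list, now: datetime) -> dict:
    """Coverage of CUI-scope devices plus per-host alerts for those that report."""
    records = {r["hostname"]: r for r in console}
    missing = sorted(h for h in cui_inventory if h not in records)
    covered = len(cui_inventory) - len(missing)
    alerts = {}
    for host in cui_inventory:          # devices outside CUI scope are not evaluated
        if host in records:
            raised = evaluate_endpoint(records[host], now)
            if raised:
                alerts[host] = raised
    return {
        "coverage": covered / len(cui_inventory) if cui_inventory else 1.0,
        "missing": missing,
        "alerts": alerts,
    }


# Constructed sample data: one CUI-scope inventory and one console export.
NOW = datetime(2024, 6, 1, 12, 0)
CUI_INVENTORY = ["ws-01", "ws-02", "srv-01", "lab-offline-01"]
CONSOLE = [
    {"hostname": "ws-01", "rtp_enabled": True, "tamper_protection": True,
     "signatures_updated": NOW - timedelta(hours=3),
     "threats": [{"id": "T-1", "detected_at": NOW - timedelta(minutes=50),
                  "remediated_at": NOW - timedelta(minutes=45)}]},
    {"hostname": "ws-02", "rtp_enabled": False, "tamper_protection": True,
     "signatures_updated": NOW - timedelta(hours=60),
     "threats": [{"id": "T-2", "detected_at": NOW - timedelta(minutes=45),
                  "remediated_at": None}]},
    {"hostname": "lab-offline-01", "offline": True, "rtp_enabled": True,
     "tamper_protection": True, "signatures_updated": NOW - timedelta(days=5),
     "threats": []},
    {"hostname": "guest-kiosk", "rtp_enabled": False, "tamper_protection": False,
     "signatures_updated": NOW - timedelta(days=30)},  # not CUI-scope: not counted
]

if __name__ == "__main__":
    report = coverage_report(CUI_INVENTORY, CONSOLE, NOW)
    print(f"coverage {report['coverage']:.0%}; missing {report['missing']}")
    for host, raised in report["alerts"].items():
        print(host, raised)
```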
Flaw identification and remediation (3.14.1):
Scanner-to-patch-register pipeline:
EV-D06 (scan) → findings within 24h → EV-D07 (patch register) → SLA tracking
Shared evidence with AT-RA: EV-D06 and EV-D07 satisfy both 3.11.2 (RA) and 3.14.1 (SI)
SLA measured from vendor release date (not detection date)
Security alert monitoring (3.14.6):
SIEM correlation rules: 5 categories (see AT-AU for full rule library)
Monthly review: EV-F01 (SIEM log review covers SI monitoring obligation)
Real-time alerting: SIEM → IT Operations on-call for Critical alerts
Unauthorised use identification (3.14.7):
Baseline behaviour established via 30-day rolling average in SIEM
Anomaly detection: volume-based (file access, authentication, network)
User behaviour analytics: [UEBA product if deployed] or SIEM manual review
Evidence register — AT-SI
| EV ID | Evidence Item | Controls | Frequency | Owner | Location |
|---|---|---|---|---|---|
| EV-D06 | Vulnerability scan reports (shared with AT-RA) | 3.14.1 | Monthly + triggered | Security Analyst | EV-D → Vulnerability Management → Scan Reports |
| EV-D07 | Patch tracking register (shared with AT-RA) | 3.14.1 | Continuous | IT Manager | EV-D → Vulnerability Management → Patch Register |
| EV-D32 | Monthly AV/EDR coverage report | 3.14.2, 3.14.4, 3.14.5 | Monthly | Security Analyst | EV-D → Security Operations → AV Coverage |
| EV-F01 | Monthly SIEM log review (monitoring + alert review) | 3.14.6, 3.14.7 | Monthly | Security Analyst | EV-F → Continuous Monitoring → Log Reviews |
| EV-F04 | Monthly IDS/IPS alert review | 3.14.6 | Monthly | Security Analyst | EV-F → Continuous Monitoring → IDS Reviews |
| EV-F02 | Monthly security metrics (SI section: AV coverage, patch compliance) | 3.14.1, 3.14.2 | Monthly | CISO | EV-F → Continuous Monitoring → Metrics Reports |
Cross-family evidence dependency map
Used by the security team during assessment preparation to sequence evidence production in dependency order.
UPSTREAM → DOWNSTREAM dependencies:
EV-B08 (Screening register)
↓ must precede EV-D03 (provisioning date must follow screening date)
EV-D03 (JML provisioning log)
↓ feeds EV-D01 (quarterly review — all access grants have a provenance)
↓ feeds EV-D02 (annual review — same)
↓ cross-referenced by AT-PS assessors against EV-B08
EV-D04 (Leaver de-provisioning)
↓ referenced by EV-D01 (cross-reference: any active account for departed staff)
↓ referenced by EV-D05 (MFA revocation confirmed)
EV-D06 (Vulnerability scan reports)
↓ feeds EV-D07 (each scan finding → patch register entry within 24h)
↓ referenced by both AT-RA (3.11.2) and AT-SI (3.14.1)
EV-D07 (Patch tracking register)
↓ feeds EV-F02 (monthly metrics — patch compliance rate)
↓ referenced by both AT-RA (3.11.3) and AT-SI (3.14.1)
EV-F06 (SIEM health report)
↓ must confirm SIEM is healthy before EV-F01 (log review) has evidentiary value
↓ if EV-F06 shows a log source gap, EV-F01 for that period is incomplete
EV-D05 (MFA coverage report)
↓ referenced by AT-IA (3.5.3) and AT-MA (3.7.5) — same evidence item
EV-D21 (Change management records)
↓ upstream of EV-D19 credibility (firewall rule register only trustworthy if all
changes have RFC records — undocumented changes invalidate the register)
EV-C02 (Annual risk assessment report)
↓ feeds EV-C04 (risk treatment actions → POA&M)
↓ informs remediation prioritisation in EV-D07 (risk context for patch SLA adjustment)
↓ informs SIEM correlation rule priorities (threat scenarios → detective controls)
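The screening-before-provisioning and leaver checks from the dependency map above, as added Python (not the ISMS's own tooling); the record field names and sample records are constructed assumptions, and the EV-D04 filing check uses the 5-day window from the AT-PS evidence register.

```python
"""Cross-family evidence consistency checks from the dependency map.

Added example, not the ISMS's own tooling. Three checks: EV-B08 screening must
precede EV-D03 provisioning; every EV-D04 leaver's account must be disabled in
the directory export; and EV-D04 must be filed within 5 days of leaving.
Record field names and all sample records are constructed assumptions.
"""
from datetime import date, timedelta

EV_D04_FILING_SLA = timedelta(days=5)  # "Per leaver (filed within 5 days)"


def screening_before_provisioning(screening: list, provisioning: list) -> list:
    """(account, finding) for EV-D03 rows with no EV-B08 record or a later one."""
    screened_on = {s["person_id"]: s["screened_on"] for s in screening}
    findings = []
    for p in provisioning:
        when = screened_on.get(p["person_id"])
        if when is None:
            findings.append((p["account"], "no EV-B08 screening record"))
        elif p["provisioned_on"] < when:
            early = (when - p["provisioned_on"]).days
            findings.append((p["account"], f"provisioned {early} days before screening completed"))
    return findings


def leaver_findings(leavers: list, directory: dict) -> list:
    """(account, finding) for leavers still enabled, disabled late, or filed late."""
    findings = []
    for lv in leavers:
        entry = directory.get(lv["account"])
        if entry is None:
            findings.append((lv["account"], "account not found in directory export"))
        elif entry["enabled"]:
            findings.append((lv["account"], "account still enabled after departure"))
        elif entry.get("disabled_on") and entry["disabled_on"] > lv["left_on"]:
            lag = (entry["disabled_on"] - lv["left_on"]).days
            findings.append((lv["account"], f"account disabled {lag} days after departure"))
        if lv["ev_d04_filed_on"] - lv["left_on"] > EV_D04_FILING_SLA:
            lag = (lv["ev_d04_filed_on"] - lv["left_on"]).days
            findings.append((lv["account"], f"EV-D04 filed {lag} days after departure (SLA 5)"))
    return findings


# Constructed sample records (person ids, accounts and dates are illustrative).
SCREENING = [  # EV-B08
    {"person_id": "P-001", "screened_on": date(2024, 1, 8), "level": "BPSS"},
    {"person_id": "P-002", "screened_on": date(2024, 3, 15), "level": "BPSS"},
]
PROVISIONING = [  # EV-D03
    {"account": "alice.example", "person_id": "P-001", "provisioned_on": date(2024, 1, 10)},
    {"account": "bob.example", "person_id": "P-002", "provisioned_on": date(2024, 3, 12)},
    {"account": "svc.contractor", "person_id": "P-003", "provisioned_on": date(2024, 4, 1)},
]
LEAVERS = [  # EV-D04
    {"account": "alice.example", "left_on": date(2024, 5, 20), "ev_d04_filed_on": date(2024, 5, 22)},
    {"account": "dan.example", "left_on": date(2024, 5, 1), "ev_d04_filed_on": date(2024, 5, 10)},
]
DIRECTORY = {  # directory export at time of check
    "alice.example": {"enabled": False, "disabled_on": date(2024, 5, 20)},
    "bob.example": {"enabled": True},
    "svc.contractor": {"enabled": True},
    "dan.example": {"enabled": True},
}

if __name__ == "__main__":
    for finding in screening_before_provisioning(SCREENING, PROVISIONING):
        print("EV-B08/EV-D03:", *finding)
    for finding in leaver_findings(LEAVERS, DIRECTORY):
        print("EV-D04:", *finding)
```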
SoA cross-reference table — all 110 controls
This table is maintained in EV-E01 (Statement of Applicability). The version here is the Confluence navigation reference.
| Family | Controls | CMMC L1 | ISO 27001 Annex A | DEFSTAN Profile | Confluence Page | SoA Status |
|---|---|---|---|---|---|---|
| AC — Access Control | 3.1.1–3.1.22 (22) | 4 practices | 5.3, 5.10, 5.12–5.15, 5.18, 6.7, 8.1–8.3, 8.5, 8.10, 8.20, 8.24 | P0–P2 | AT-AC | [status] |
| AT — Awareness and Training | 3.2.1–3.2.3 (3) | 0 | 6.3, 7.2, 7.3 | P1–P2 | AT-AT | [status] |
| AU — Audit and Accountability | 3.3.1–3.3.9 (9) | 0 | 8.15–8.17 | P1–P2 | AT-AU | [status] |
| CA — Security Assessment | 3.12.1–3.12.4 (4) | 0 | 5.35, 5.36 + cl.9.2, 9.3 | P1–P2 | AT-CA | [status] |
| CM — Configuration Management | 3.4.1–3.4.9 (9) | 0 | 5.9, 5.37, 8.9, 8.18, 8.19, 8.32, 8.33 | P1–P2 | AT-CM | [status] |
| IA — Identification and Auth | 3.5.1–3.5.11 (11) | 2 practices | 5.16, 5.17, 8.5, 8.24 | P0–P2 | AT-IA | [status] |
| IR — Incident Response | 3.6.1–3.6.3 (3) | 0 | 5.24–5.28 | P1–P2 | AT-IR | [status] |
| MA — Maintenance | 3.7.1–3.7.6 (6) | 0 | 5.37, 8.9 | P1 | AT-MA | [status] |
| MP — Media Protection | 3.8.1–3.8.9 (9) | 1 practice | 5.12, 5.13, 7.10, 7.14, 8.10, 8.13, 8.24 | P1–P2 | AT-MP | [status] |
| PE — Physical Protection | 3.10.1–3.10.6 (6) | 4 practices | 7.1–7.4, 7.9 | P0–P1 | AT-PE | [status] |
| PS — Personnel Security | 3.9.1–3.9.2 (2) | 0 | 6.1, 6.2, 6.4, 6.5 | P1 | AT-PS | [status] |
| RA — Risk Assessment | 3.11.1–3.11.3 (3) | 0 | 5.7, 8.8 + cl.6.1.2, 8.2 | P1–P2 | AT-RA | [status] |
| SC — System and Comms Protection | 3.13.1–3.13.16 (16) | 2 practices | 8.20–8.22, 8.24, 8.26, 8.27 | P0–P2 | AT-SC / AT-SC-BDY / AT-SC-ENC | [status] |
| SI — System and Info Integrity | 3.14.1–3.14.7 (7) | 4 practices | 8.7, 8.8, 8.16, 8.23 | P1–P2 | AT-SI | [status] |
| Totals | 110 controls | 17 practices | 49 Annex A controls | P0–P2 | 14 pages | |
Assessment preparation master checklist — all families
Used by the CISO to prepare the assessor package for any C3PAO, Cyber Essentials+, ISO 27001, or DEFSTAN assessment. This checklist is maintained as a child page of AT-CA.
DOCUMENT PREPARATION (4 weeks before assessment):
[ ] SoA (EV-E01) reviewed and current — all 110 controls, status accurate
[ ] SSP PDF export generated from Confluence — all AT-[family] pages included
[ ] POA&M reviewed — all items current; progress notes within 30 days
[ ] All EV-F items current (no overdue monthly monitoring outputs)
[ ] All EV-D quarterly items current for the past 4 quarters
[ ] Network topology diagram current (within 12 months of last significant change)
[ ] External connection register (EV-D19) current
TECHNICAL PREPARATION (2 weeks before):
[ ] External port scan of public IP ranges — confirm no unexpected open ports
[ ] Internal vulnerability scan — confirm EV-D07 patch register is current
[ ] MFA coverage report (EV-D05) — confirm 100% coverage
[ ] Conditional Access policy test — legacy authentication blocked, compliant device required
[ ] SIEM health check — all log sources active; no gaps
[ ] Firewall rule review (EV-F03) — no undocumented rules
[ ] Account audit — no departed staff with active accounts
EVIDENCE PACKAGE ASSEMBLY (1 week before):
[ ] Evidence register — all items with location and current date
[ ] EV-B08 (screening) cross-referenced against EV-D03 (provisioning dates)
[ ] EV-D04 (leavers) — last 12 months, all signed, timestamps confirmed
[ ] EV-D01 (quarterly privilege review) — last 4 quarters, all signed
[ ] EV-D06 (vulnerability scans) — last 3 months, authenticated scans confirmed
[ ] EV-D07 (patch register) — SLA computed from vendor release date confirmed
[ ] EV-C02 (risk assessment) — within 12 months, CISO signed
[ ] EV-D11 (IRP) — reviewed and current
[ ] EV-D15 (IR exercise) — annual exercise conducted within 12 months
INTERVIEW PREPARATION (assessment week):
IT Manager: JML process, change management process, patch SLA clock
CISO: risk assessment methodology, POA&M management, monitoring programme
Security Analyst: SIEM operation, alert triage, vulnerability scan procedure
HR Manager: screening process, leaver notification procedure
Facilities Manager: zone model, visitor procedure, ACS management
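The cross-checks in the technical preparation and evidence package steps above (EV-B08 screening against EV-D03 provisioning dates, EV-D04 leavers against the account audit, and the EV-D07 SLA clock measured from vendor release date) can be scripted so they are repeatable before each assessment. The following is an added example, not part of the ISMS or any tooling it references; the user names, dates, patch ids and the 14-day SLA are constructed for illustration.

```python
from datetime import date, timedelta

# Constructed sample extracts from the evidence items named in the checklist.
# All names, dates and patch ids are hypothetical, not taken from the ISMS.
SCREENING_EV_B08 = {"alice": date(2024, 1, 10), "bob": date(2024, 3, 5)}
PROVISIONING_EV_D03 = {"alice": date(2024, 1, 15), "bob": date(2024, 3, 1),
                       "carol": date(2024, 4, 2)}
LEAVERS_EV_D04 = {"dave": date(2024, 6, 30)}          # user -> leaving date
ACTIVE_ACCOUNTS = {"alice", "bob", "carol", "dave"}   # from the account audit export
PATCH_REGISTER_EV_D07 = [
    # (patch id, vendor release date, date logged internally, date applied)
    ("PATCH-A", date(2024, 5, 1), date(2024, 5, 10), date(2024, 5, 12)),
    ("PATCH-B", date(2024, 5, 1), date(2024, 5, 20), date(2024, 5, 25)),
]
PATCH_SLA_DAYS = 14  # assumed for this example; substitute the organisation's SLA


def screening_before_provisioning(screening, provisioning):
    """EV-B08 vs EV-D03: every account must have a screening date on or before
    its provisioning date. Returns (user, reason) pairs for exceptions."""
    findings = []
    for user, provisioned in provisioning.items():
        screened = screening.get(user)
        if screened is None:
            findings.append((user, "no screening record"))
        elif screened > provisioned:
            findings.append((user, "provisioned before screening completed"))
    return findings


def departed_with_active_accounts(leavers, active_accounts):
    """EV-D04 vs account audit: a leaver must not retain an enabled account."""
    return sorted(user for user in leavers if user in active_accounts)


def patch_sla_breaches(register, sla_days, clock_from_vendor_release=True):
    """EV-D07: the SLA clock starts at the vendor release date. Starting it at
    the internal logging date (clock_from_vendor_release=False) hides lateness."""
    breaches = []
    for patch_id, released, logged, applied in register:
        start = released if clock_from_vendor_release else logged
        if applied - start > timedelta(days=sla_days):
            breaches.append(patch_id)
    return breaches


def evidence_package_findings():
    """Run the three cross-checks over the sample extracts."""
    return {
        "screening": screening_before_provisioning(SCREENING_EV_B08, PROVISIONING_EV_D03),
        "leavers": departed_with_active_accounts(LEAVERS_EV_D04, ACTIVE_ACCOUNTS),
        "patch_sla": patch_sla_breaches(PATCH_REGISTER_EV_D07, PATCH_SLA_DAYS),
    }
```

Note that PATCH-B passes when the clock is started from the internal logging date and fails when started from vendor release, which is exactly the discrepancy the EV-D07 check is meant to catch.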
Version and maintenance schedule
| Family page | Last reviewed | Next review | Trigger for unscheduled update |
| --- | --- | --- | --- |
| AT-CA | [DATE] | [DATE+12m] | Any control status change; SSP boundary update |
| AT-AC | [DATE] | [DATE+12m] | JML process change; MFA platform change |
| AT-AT | [DATE] | [DATE+12m] | Training platform change; DEFSTAN training requirement change |
| AT-AU | [DATE] | [DATE+12m] | New log source added; retention policy change |
| AT-CM | [DATE] | [DATE+12m] | New OS in scope; CIS Benchmark major version release |
| AT-IA | [DATE] | [DATE+12m] | MFA platform change; Conditional Access policy modification |
| AT-IR | [DATE] | [DATE+12m] | Post-incident IRP update; exercise findings |
| AT-MA | [DATE] | [DATE+12m] | New maintenance vendor; remote access platform change |
| AT-MP | [DATE] | [DATE+12m] | Disposal method change; new NCSC sanitisation guidance |
| AT-PE | [DATE] | [DATE+12m] | Building change; ACS platform upgrade |
| AT-PS | [DATE] | [DATE+12m] | New DEFSTAN contract with different screening level |
| AT-RA | [DATE] | [DATE+12m] | Post-risk-assessment update; CISA KEV programme change |
| AT-SC / BDY / ENC | [DATE] | [DATE+12m] | Network architecture change; new crypto standard |
| AT-SI | [DATE] | [DATE+12m] | EDR platform change; SIEM correlation rule update |
03 · Advanced Controls — Section owner: CISO. Access: isms-it-staff minimum (page-level restriction on all child pages). For assessment access, contact CISO to arrange a controlled export. Questions: [ciso@organisation.com]