ISO/IEC 27001:2022 coverage

How LockList's Microsoft 365 and Google Workspace checks map to ISO 27001:2022 Annex A controls — so you can see, control by control, what your environment evidences.

Indicative mapping, not certification. These mappings show which technical findings support each Annex A control. They are guidance to focus your readiness work — confirm scope and applicability with your auditor.
Annex A control / What LockList assesses

A.5.15 Access control

MFA for admins and all users, Security Defaults, Conditional Access coverage, named locations, guest/external access.

A.8.5 Secure authentication

MFA registration coverage and per-user methods (M365), 2-Step Verification coverage and admin enrollment (Google), and blocking of legacy authentication.

A.5.17 Authentication information

Self-Service Password Reset configuration and required verification methods.

A.5.18 Access rights

Privileged role assignments, directory roles and membership, guest privileges, and suspended/dormant accounts.

A.8.2 Privileged access rights

Super-administrator count, admin role inventory, and Privileged Identity Management (just-in-time) usage.

A.8.15 Logging

Sign-in and directory audit log accessibility (M365); login and admin audit log accessibility (Google).

A.8.16 Monitoring activities

Risky users (Identity Protection), Microsoft Secure Score, and Conditional Access policy visibility in sign-in logs.

A.8.20 Networks security

Named locations and legacy-authentication blocking via Conditional Access.

A.5.14 Information transfer

SharePoint/OneDrive external sharing posture and external email auto-forwarding rules.

A.8.12 Data leakage prevention

External sharing controls and external forwarding detection across mailboxes.

A.8.1 User endpoint devices

Intune device management coverage and non-compliant managed devices.

A.8.7 Protection against malware

Microsoft Defender for Office 365 / email-security licensing and posture.

A.8.9 Configuration management

App registrations with high-risk Graph permissions and overall identity configuration baseline.

A.5.9 Inventory of information & assets

Tenant licensing/subscribed SKUs, verified domains, and a tenant/organisation overview.

Every finding in your report carries its ISO 27001 control alongside SOC 2, CIS, and HIPAA mappings.