19 September 2025
Will Islwyn LambertIntroduction
Cybersecurity is already top of the agenda for most IT departments. Use this document as a checklist to help ensure
your IT technology stack and processes are secure throughout.
For IT departments and security teams with established processes, use this document to double check that the controls in place cover all the points mentioned in here
For IT departments and security teams looking to create security processes, put controls in place covering the points mentioned here.
Operational Controls
We've added references to the core technical controls below to show which ones align to SOC 2, ISO 27001, and NIST references.
Legend: [SOC2] aligns to SOC 2; [ISO] aligns to ISO 27001; [NIST] maps to NIST SP 800‑53/CSF.
Core Technical Controls
Access Management
- Enforce MFA for all users and admins. [SOC2][ISO A.5][NIST PR.AC]
- Role‑based access; least privilege; deny by default. [SOC2][ISO A.5][NIST PR.AC]
- Just‑in‑time elevation with expiry; session recording for admin tasks. [SOC2][ISO A.8]
- Quarterly entitlement reviews; remove dormant accounts in ≤7 days. [SOC2][ISO A.5]
Endpoint Security (Windows, macOS, Linux, Mobile)
- EDR deployed to 100% of managed endpoints with tamper protection. [SOC2][ISO A.8]
- Patch OS and high‑risk apps within SLA (Critical ≤7 days; High ≤14 days). [SOC2][ISO A.8][NIST DE.CM]
- Baseline hardening; device encryption; USB control; local admin removal. [ISO A.8]
- Verified, tested backups for key devices and servers; immutable copies. [SOC2][ISO A.5][NIST PR.DS]
Network and Zero Trust
- Adopt ZTNA for remote access; phase down VPN broad access. [SOC2][ISO A.8]
- Microsegmentation for servers and critical SaaS; block east‑west by default. [ISO A.8]
- DNS security, egress filtering, TLS 1.2+ everywhere. [SOC2][ISO A.8]
- WAF/API gateways in front of public apps; rate limiting and auth. [SOC2][ISO A.8]
Data Protection and Governance
- Data inventory and classification; label regulated data. [SOC2][ISO A.5]
- Encryption at rest and in transit; central key management; secrets rotation. [SOC2][ISO A.8]
- Backups with immutability and offline copy; recovery tests ≥ quarterly. [SOC2][ISO A.5]
- Data residency and transfer controls for regulated regions. [ISO A.5]
- Ensure databases and files on servers should be replicated, mirrored, or ideally both
API, website, and Application Security
- Inventory APIs; authenticate with OAuth2/OIDC; block anonymous writes. [SOC2][ISO A.8]
- Input validation, object‑level auth, and schema enforcement. [ISO A.8]
- Rate limiting; bot and DoS protection; full request logging. [SOC2][ISO A.8]
- Pre‑prod security testing (SAST/DAST), secrets scanning in CI/CD. [SOC2][ISO A.8]
Monitoring and Incident Response
- Centralised logs (auth, admin, EDR, firewall, cloud, SaaS); 90‑day hot; 365‑day cold. [SOC2][ISO A.8][NIST DE.AE]
- Alert tuning for credential abuse, ransomware patterns, data exfiltration. [NIST DE.CM]
- IR playbooks: phishing, ransomware, insider, vendor breach; owners assigned. [SOC2][ISO A.5][NIST RS]
- Tabletop tests ≥ semi‑annual; post‑mortems with action tracking. [SOC2][ISO A.10]
Governance, Risk, and Compliance
Policies
- Acceptable Use; Password and MFA; Remote/Hybrid Work; Access Control.
- Change Management; Secure Development; Backup and Recovery; Logging.
- Vendor Risk; Data Classification and Handling; Incident Response.
Operational Cadence
- Risk assessment monthly or quarterly; register with owners and due dates.
- Continual risk logging - when someone identifies a risk - log it!
- Internal control reviews; evidence stored and versioned.
- Third‑party assessments for critical suppliers annually.
Mappings: Policies support SOC 2 Common Criteria; ISO 27001 Annex A controls; NIST CSF Identify/Protect/Detect/Respond/Recover.
People and Process
- Security awareness for all staff; phishing; clear reporting path.
- HR‑IT joiner/mover/leaver automation; access removal within 24 hours.
- Admin access gated by approvals and expiry; activity recorded.
- Employee Cybersecurity Manual
2025 Priorities
-
AI threats: deepfake phishing; automated credential stuffing; model abuse. Controls: strong verification for payments/approvals; anomaly detection on auth.
- Cloud posture: CSPM/SSPM; least privilege; secret scanning; baseline guardrails.
- SaaS governance: SSO/MFA enforced; admin scope minimised; export and sharing policies.
- Supply chain: SBOM where feasible; dependency monitoring; vendor breach playbook.
90‑Day Implementation Plan
Days 0–30
- Enable MFA everywhere; block legacy auth.
- EDR coverage to 100%; fix gaps.
- Define patch SLAs; start weekly cadence.
- Centralise logs; create high‑value alerts.
Days 31–60
- ZTNA pilot; restrict VPN access.
- Backups: immutability + quarterly tests.
- API inventory; enforce auth and rate limits.
- Run phishing drill; close findings.
Days 61–90
- Quarterly access review; remove dormant accounts.
- Tabletop IR exercise; update playbooks.
- Vendor reviews for top 10 suppliers.
- Publish policy set; track acknowledgements.
One‑Page Checklist
| Domain | Control | Owner | Status | Evidence |
|---|
| Identity | MFA enforced; JIT admin; quarterly reviews | | | Policy, logs, review report |
| Endpoints | EDR 100%; patch SLA met; disk encryption | | | EDR reports; patch dashboard |
| Network/ZTNA | ZTNA in place; segmentation; egress control | | | Configs; change records |
| Data | Classification; encryption; immutable backups | | | Labels; KMS logs; restore test |
| APIs/Apps | Auth; input validation; rate limits; logging | | | Gateway configs; test results |
| Monitoring | Central logs; tuned alerts; 24×7 coverage | | | SIEM configs; on‑call rota |
| IR | Playbooks; roles; semi‑annual tests | | | After‑action report |
| Vendors | Risk reviews; breach clauses; offboarding | | | Assessments; contracts |
| Training | Annual training; phishing drills; tracking | | | Completion logs; drill report |
- All internet‑facing services inventoried and scanned monthly
- Default deny for inbound; egress controlled
- Secrets rotated; no hard‑coded credentials
- Payment and approval changes verified out‑of‑band
- Critical alerts reach on‑call within 2 minutes
Notes
- Use this playbook to justify control design during SOC 2 readiness or ISO 27001 audits.
- Keep evidence current: screenshots, exports, tickets, and meeting notes with dates.
- Measure progress by coverage (%), MTTR, patch SLA, and incident count.
xAssets helps companies achieve cybersecurity controls by providing a holistic inventory of your entire IT infrastructure, fed from multiple sources. Our
discovery tools provide deep intel on each endpoint and centralizing data from discovery and multiple sources include Meraki, Intune, etc, provides
an easy-to-use toolset for finding assets and hence easing the management of all aspects of cybersecurity.
You can use a free instance to evaluate the system and we are always happy to help you get started.