Security is not a product you buy — it is a programme you run. This checklist covers the 40 controls that appear in nearly every mature enterprise security programme, grouped by domain.
Why Checklists Matter
The security controls in ISO 27001, SOC 2 and NIST CSF overlap significantly. By addressing them systematically, most organisations can prepare for multiple compliance frameworks simultaneously rather than treating each as a separate project.
Identity and Access Management (Controls 1–10)
- Multi-factor authentication on all administrative accounts
- Privileged access management (PAM) with just-in-time access
- Regular access reviews — quarterly minimum
- Service account inventory and rotation schedule
- SSO for all SaaS applications to centralise access control
Network Security (Controls 11–20)
- Network segmentation with documented firewall rules
- Web Application Firewall in blocking mode
- DDoS mitigation service with tested runbook
- Intrusion detection system with documented response procedures
- VPN or Zero Trust Network Access for all remote work
Data Protection (Controls 21–30)
Incident Response (Controls 31–40)
Having an incident response plan on paper is not enough. The plan must be tested through tabletop exercises at least twice per year. Every team member with IR responsibilities must know their role before an incident, not during one.