Scope note: this checklist deliberately does not cover risk registers, Statements of Applicability, policy documents,
incident response plans, HR security, or physical/office security — those live in your GRC platform (e.g. Probo) as governed
controls with maturity levels and owners. This checklist is the technical field-verification layer underneath the ISO 27001
Annex A Technological controls that sit outside email (O365) and endpoint (Windows) hardening: network perimeter,
vulnerability management, active monitoring, data masking/leakage, privileged access, and any custom-built applications.
A.8.20 ISO 27001 Annex A control referenceBeyond ISO baseline — stricter recommended control