Compliance Frameworks

Regulatory coverage mapping for HIPAA, PCI-DSS, NIST, CMMC, SOC 2


CIS Controls as the universal compliance foundation

The CIS Controls were designed to be the practitioner's answer to "where do I start?" — and they happen to map directly to the requirements of every major compliance framework. Organisations that implement CIS Controls via Microsoft 365 don't have to start from scratch for HIPAA, PCI-DSS, SOC 2, NIST, or CMMC audits. The controls are already in place.

HIPAA Security Rule (78% CIS overlap)

US federal law requiring administrative, physical, and technical safeguards for protected health information (PHI).

Technical Safeguard §164.312(a)(2)(iv): Encryption of PHI at rest and in transit
  CIS Control 3 (Data Protection): Develop processes and technical controls to identify, classify, securely handle, retain, and dispose of data...
  M365 satisfies via: Microsoft Purview, Defender for Cloud Apps

Technical Safeguard §164.312(d): Unique user identification and authentication
  CIS Control 5 (Account Management): Use processes and tools to assign and manage authorisation to credentials for user accounts, including admin accounts...
  M365 satisfies via: Entra ID, Purview

Technical Safeguard §164.312(a)(1): Access control — minimum necessary access
  CIS Control 6 (Access Control Management): Use processes and tools to create, assign, manage, and revoke access credentials for user accounts based on least privilege...
  M365 satisfies via: Entra ID, Microsoft Intune

Technical Safeguard §164.312(b): Audit controls — hardware, software, and activity logs
  CIS Control 8 (Audit Log Management): Collect, alert, review, and retain audit logs of events that could help detect, understand, or recover from an attack...
  M365 satisfies via: Microsoft Purview, Microsoft Sentinel

Technical Safeguard §164.312(e)(1): Transmission security — protect PHI in transit
  CIS Control 9 (Email and Web Browser Protections): Improve protections and detections of threats from email and web vectors — the most common attack delivery mechanisms...
  M365 satisfies via: Defender for Office 365, Defender for Endpoint

Administrative Safeguard §164.308(a)(5): Security awareness training for all workforce members
  CIS Control 14 (Security Awareness and Skills Training): Establish and maintain a security awareness program to influence behaviour among the workforce to be security conscious...
  M365 satisfies via: Defender for Office 365 P2

Administrative Safeguard §164.308(a)(6): Security incident response and reporting procedures
  CIS Control 17 (Incident Response Management): Establish a program to prepare for, detect, contain, and eradicate attacks and recover from them effectively...
  M365 satisfies via: Defender XDR, Microsoft Sentinel

The presales message

When a customer says "we need to be HIPAA compliant" or "we're going through a SOC 2 audit," the answer isn't "buy a separate compliance tool." The answer is: "Let's look at which CIS Controls you have implemented in Microsoft 365 — because most of those audit requirements are already covered." Microsoft 365 E5 + Purview Suite addresses 75–89% of the requirements across every major framework shown here.