Compliance Controls Matrix
This matrix summarizes control objectives, implementation approach, framework mapping context, and expected evidence artifacts for Aegis security operations.
| Control Family | Objective | Implementation | Framework Mappings | Evidence Artifacts |
|---|---|---|---|---|
| Cryptographic Protection | Ensure credential confidentiality and key custody boundaries. | Client-side encryption with user-derived master key workflows. | SOC 2 CC6, ISO 27001 A.8/A.10 | Architecture docs, crypto boundary narrative, key handling runbook. |
| Access Governance | Restrict and verify access to sensitive credential operations. | Role-aware sharing, session guard checks, and policy constraints. | SOC 2 CC6/CC7, ISO 27001 A.5/A.9 | Policy definitions, role assignment exports, administrative audit logs. |
| Monitoring and Detection | Identify suspicious activity and exposure indicators quickly. | Breach monitoring signals, risk prioritization, and review workflows. | SOC 2 CC7, ISO 27001 A.8/A.16 | Alert timelines, triage records, monthly posture reports. |
| Incident Response | Contain credential events and document response actions. | Rotation playbooks, session revocation steps, and post-incident review process. | SOC 2 CC7, ISO 27001 A.5/A.16 | Incident timeline, remediation checklist, verification sign-off. |
| Auditability and Retention | Provide evidence exports for governance and assurance review. | Chronological activity logs and structured export workflows. | SOC 2 CC3/CC8, ISO 27001 A.5/A.18 | Export packages, retention policy references, review cadence records. |
Review Notes
Framework references are mapping guidance, not a certification claim. Teams should align these controls to their own scoped control set and auditor expectations.
For detailed answers, review the Compliance FAQ.