Theme A.5 — Organizational controls
A.5.7 — Threat intelligence
Auditors look for: documented threat intel feed configured AND evidence the team reviews/acts on it. Codex tracks both ingestion cadence and ticket-creation rate against incoming threats.
A.5.16 — Identity management
Same evidence as SOC 2 CC6.1. Codex pulls IdP user creation logs (Google Admin SDK, Microsoft Graph audit logs, Okta/api/v1/logs?filter=eventType eq "user.lifecycle.create") and matches each provisioning event to the HRIS new-hire record.
A.5.18 — Access rights
Quarterly access review snapshot exported as the ISMS access-review record. Per-user, per-app role table with reviewer attestation timestamp.A.5.23 — Information security for use of cloud services
Cloud baseline configuration evidence per CSP:- AWS: Config rules + Security Hub findings + IAM Access Analyzer
- GCP: Security Command Center findings + Asset Inventory baseline
- Azure: Defender for Cloud secure score + Policy compliance
A.5.24-27 — Information security incident management
Per-incident evidence pulled from PagerDuty / Linear / Jira:- Incident detection time (alert fired)
- Acknowledgment time (oncall paged)
- Resolution time
- Post-mortem document link
- Root cause + corrective action
Theme A.6 — People controls
A.6.1 — Screening
HRIS connector pulls background-check completion records for each new hire:- Hire date
- Background check vendor (Checkr, Sterling, etc.)
- Check completion date
- Status (clear, with-flags, declined)
A.6.3 — Information security awareness, education and training
LMS connector pulls per-user training completion:- Course name (Security Awareness, GDPR, HIPAA, role-specific)
- Completion date
- Score (where applicable)
- Cadence: annual mandatory + new-hire onboarding
A.6.5 — Responsibilities after termination
The killer evidence: HRIS termination → IdP deactivation gap report (same as SOC 2 CC6.6).Theme A.8 — Technological controls (highest density)
A.8.1 — User endpoint devices
MDM device inventory with:- Compliance state per device
- Last check-in time
- Encryption status (FileVault, BitLocker)
- OS patch level vs latest
A.8.5 — Secure authentication
Auditors specifically want: MFA enrollment rate ≥ 95% across active users, exceptions documented.
A.8.7 — Protection against malware
EDR coverage from CrowdStrike / SentinelOne:- Endpoints with EDR installed (% coverage)
- Endpoints with stale definitions (% out-of-date)
- Detected threats in period + remediation outcomes
A.8.8 — Management of technical vulnerabilities
Multi-source vulnerability roll-up:- Snyk / GitHub Dependabot: dependency CVEs
- Wiz / Orca / Aqua: cloud workload + IaC findings
- Qualys / Tenable: infrastructure scans
- Nuclei / OWASP ZAP: web app scans
A.8.9 — Configuration management
Configuration changes correlate to PRs in code host (CM-3 from NIST).
A.8.13 — Information backup
Backup snapshot history per cloud connector + restore-test attestation log.A.8.15 — Logging
SIEM coverage report per system + per event type:- Auth events (success, failure, MFA bypass)
- Configuration changes
- Privileged operations
- Data access (read/write)
A.8.20-23 — Network security
Cloud connector pulls VPC config, security group rules, WAF policies, and network segmentation diagrams (DNS records + service mesh config).A.8.24 — Use of cryptography
A.8.25-29 — Secure development lifecycle
GitHub / GitLab connector pulls:- Branch protection rules per repo
- Required reviewer count + status
- CI status enforcement (tests must pass, security scans must pass)
- Secret-detection (GitHub Secret Scanning, GitGuardian) findings + remediation
- Code review participation rates per developer
A.8.31 — Separation of dev / test / prod
Cloud account/project separation evidence:- Dev resources in dev account, prod in prod account
- IAM roles cannot cross account boundaries
- Network isolation between environments