A Cloud Horizons module
Microsoft control records
for NIS2, DORA, ISO 27001.
Read-only collectors for Entra, Intune, Defender for Cloud, and Azure Policy — hashed into an append-only ledger.
GDPR · DORA · NIS2 · ISO 27001:2022
Control records · Microsoft evidence, mapped and hashed
Capabilities
Microsoft records mapped to four frameworks.
-
Read-only Microsoft collectors
Assisted collectors for Graph, Entra, Intune, Defender for Cloud, Azure Policy, and the Activity Log — they read, never write.
-
Pre-mapped control libraries
One Defender for Cloud or Azure Policy signal lands against every NIS2, DORA, ISO 27001:2022, and CIS v8 control it satisfies.
-
SHA-256 append-only ledger
Every record is hashed and appended — entries are added, never edited in place — so the trail is tamper-evident.
-
Exception register
Record controls you cannot meet yet with an owner, expiry date, and reason of record; expired exceptions surface instead of aging out.
-
Control drift digest
A recurring digest of what failed, what changed since the last run, and who owns it — MFA coverage or Conditional Access edits included.
-
Audit pack export
Export by framework, business unit, or audit period — the pack carries the underlying Microsoft records and the control mapping together.
In the product
The ledger, as you'll see it.
Real product screens — dashboard and sign-in.
How it works.
-
Connect with read-only consent
Grant the collectors read scopes on your Microsoft tenant. The first run reads Graph, Entra, Intune, Defender for Cloud, Azure Policy, and the Activity Log and pins each result to a point in time.
-
Map once, reuse across frameworks
Each signal lands against the pre-mapped NIS2, DORA, ISO 27001:2022, and CIS v8 libraries. Controls you cannot meet yet go in the exception register; everything else is hashed into the append-only ledger.
-
Export the pack your auditor asked for
Pick a framework, a business unit, or an audit period and export. The drift digest keeps you current between exports, and the auditor read-only role lets them verify the ledger without touching your tenant.
Pricing.
Read-only collectors, append-only ledger, and audit exports — included with Cloud Horizons Growth and Business.
Control Ledger ships as a Cloud Horizons module — included with Cloud Horizons Growth and Business plans, not sold separately. See Cloud Horizons pricing
Questions.
Where is my data stored?
Collector output and ledger records are stored in EU regions. The collectors use read-only consent against your Microsoft tenant — no endpoint agent, no write-back. You can give an auditor a read-only role with scoped exports rather than a shared admin login.
Does Control Ledger support SSO?
Yes. Sign-in runs through Microsoft Entra ID with OIDC. Your existing Entra groups map to Control Ledger roles — admin, operator, and auditor read-only — so you do not maintain a separate user directory.
Which compliance frameworks are pre-mapped?
Control Ledger ships libraries for NIS2 (including Article 21 risk-management measures), DORA, ISO 27001:2022, and CIS Controls v8. One collected Microsoft signal — a Defender for Cloud recommendation or an Azure Policy compliance state — lands against every control across those frameworks that it satisfies.
What does the 30-day trial include?
Control Ledger is a Cloud Horizons module, included with Cloud Horizons Growth (€399/mo) and Business (from €999/mo). Both plans start with a 30-day trial and no credit card, and Control Ledger activates with that trial. The Starter plan does not include governance modules.
Start recording Microsoft control evidence.
Connect your tenant with read-only consent and export your first audit pack in under a day.