Free audit program · v1.0

MFA Coverage Quick Check

Tell us how multi-factor authentication is rolled out across your workforce, admins and third parties — get a coverage score in under 3 minutes.

  • General target area
  • ISO 27001 framework
  • 7 controls in this program
  • Cyentrix · Trusted Author

Risks addressed

  • Critical: Stolen or phished credentials lead to account takeover
  • Critical: Admin accounts compromised due to weak / no MFA
  • High: Remote workers signed in from compromised devices without strong auth
  • High: Third-party / contractor sessions hijacked

Controls (7)

  1. MFA enforced for all employees

    High

    How to test + evidence

    Testing procedure: Pull the IdP report showing MFA enrolment by user. Expect 100% of active employees enrolled.

    Evidence to collect: IdP MFA enrolment CSV; conditional-access policy export.

  2. MFA enforced for all administrators

    Critical

    How to test + evidence

    Testing procedure: List all privileged role assignments and verify each account has MFA + strong factor (no SMS).

    Evidence to collect: Privileged role report + MFA factor list.

  3. MFA enforced for remote / VPN access

    High

    How to test + evidence

    Testing procedure: Review VPN auth config and conditional-access rule for off-network sign-ins.

    Evidence to collect: VPN auth config screenshot; CA policy export.

  4. MFA enforced on critical SaaS

    High

    How to test + evidence

    Testing procedure: For each Tier-1 SaaS (email, finance, HR), confirm SSO + MFA enforcement at the app level.

    Evidence to collect: SaaS admin console screenshots showing SSO+MFA.

  5. Phishing-resistant MFA for admins

    High

    How to test + evidence

    Testing procedure: Verify privileged accounts use FIDO2 / hardware key / certificate — not SMS or push-only.

    Evidence to collect: Auth-method inventory for privileged group.

  6. MFA bypass / exception register reviewed quarterly

    Medium

    How to test + evidence

    Testing procedure: Pull list of users with MFA disabled or with exceptions; confirm review meeting minutes.

    Evidence to collect: Exception register + review minutes.

  7. MFA enforced on third-party / contractor access

    Medium

    How to test + evidence

    Testing procedure: Verify external collaborators / B2B guests are subject to MFA via guest policy.

    Evidence to collect: Guest CA policy + external identities report.
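One way to turn the IdP MFA enrolment CSV and privileged-role report from controls 1, 2, 5 and 6 into a coverage score, as an added example that is not the program's own tooling; the column names, factor labels and sample rows are constructed assumptions, not a real IdP export format.

```python
# Added example (not part of the audit program): scores a constructed IdP
# MFA-enrolment export against controls 1, 2, 5 and 6 of the checklist.
import csv
import io

# Factor labels are assumptions about the export, not a real IdP's names.
# Control 5 accepts only these as phishing-resistant; push-only fails it.
PHISHING_RESISTANT = {"fido2", "hardware_key", "certificate"}
WEAK_FACTORS = {"sms"}  # control 2: SMS counts as no strong factor

# Constructed sample export: active flag, privileged flag, ';'-joined
# enrolled factors, and an exception-register reason if MFA is disabled.
SAMPLE_CSV = """user,active,privileged,factors,exception
alice,yes,yes,fido2;push,
bob,yes,no,push,
carol,yes,yes,sms;push,
dave,yes,no,,break-glass
erin,no,yes,,
frank,yes,yes,push,
grace,yes,yes,,
"""

def load_active_users(text):
    # Inactive accounts are out of scope for the 100% expectation.
    return [r for r in csv.DictReader(io.StringIO(text)) if r["active"] == "yes"]

def factors(row):
    return {f for f in row["factors"].split(";") if f}

def score(text):
    users = load_active_users(text)
    admins = [u for u in users if u["privileged"] == "yes"]
    enrolled = [u for u in users if factors(u)]
    # Control 1: share of active employees with at least one factor.
    coverage = round(100 * len(enrolled) / len(users), 1) if users else 0.0
    # Control 2: admins with no MFA at all, or with SMS among their factors.
    admins_weak = sorted(u["user"] for u in admins
                         if not factors(u) or factors(u) & WEAK_FACTORS)
    # Control 5: admins lacking any phishing-resistant factor.
    admins_not_pr = sorted(u["user"] for u in admins
                           if not factors(u) & PHISHING_RESISTANT)
    # Control 6: anyone without MFA must appear in the exception register.
    unregistered = sorted(u["user"] for u in users
                          if not factors(u) and not u["exception"])
    register = sorted(u["user"] for u in users if u["exception"])
    return {"employee_coverage_pct": coverage,
            "admins_weak_or_missing": admins_weak,
            "admins_not_phishing_resistant": admins_not_pr,
            "unregistered_no_mfa": unregistered,
            "exception_register": register}

if __name__ == "__main__":
    for key, value in score(SAMPLE_CSV).items():
        print(f"{key}: {value}")
```

Any non-empty `admins_weak_or_missing` or `unregistered_no_mfa` list is a finding against the control, regardless of the headline coverage percentage.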