If you are a cybersecurity lead or compliance officer at a Moroccan Infrastructure of Vital Importance, this playbook was built for you.
As a regulator-mandated entity under Law 05-20, your organization faces increasing scrutiny to demonstrate sovereign control over data processed in cloud environments. You are required to implement data classification aligned with DGSSI's national framework, enforce access controls based on sensitivity levels, and maintain audit-ready evidence for regulatory review. The complexity of mapping these requirements to SaaS platforms like Microsoft 365, Google Workspace, and AWS, while ensuring continuous compliance, is a daily operational burden. Manual configuration without structured guidance risks misclassification, noncompliant data flows, and exposure during audits.
Engaging external consultants from major international firms to build a compliant cloud adoption framework typically costs between EUR 80,000 and EUR 250,000. Alternatively, dedicating an internal team of three full-time specialists for four to six months to reverse-engineer DGSSI guidance into technical controls demands significant bandwidth and subject matter expertise. This playbook delivers the same outcome, a fully implementable, audit-supporting compliance framework, for a one-time cost of $395.
What you get
| Phase | File Type | Description | Count |
| --- | --- | --- | --- |
| Assessment | Domain Assessment Questionnaire | 30-question evaluation per domain based on Confidentiality, Integrity, and Availability impact scoring per DGSSI criteria | 7 |
| Classification | Data Sensitivity Assessment Template | Structured worksheet to classify data types in Microsoft 365 (Exchange, SharePoint, Teams) using DGSSI-defined sensitivity levels: Public, Internal, Sensitive, Highly Sensitive | 1 |
| Implementation | Cloud Configuration Playbook | Step-by-step guides to configure Microsoft Purview, Conditional Access policies, DLP rules, and retention labels in M365; equivalent controls for Google Workspace and AWS IAM/S3 policies | 21 |
| Governance | RACI Matrix Template | Predefined responsibility assignment for data owners, IT administrators, security teams, and legal stakeholders across classification and enforcement activities | 1 |
| Governance | Work Breakdown Structure (WBS) | Phased project plan with 142 discrete tasks across discovery, classification, configuration, testing, and review stages | 1 |
| Evidence | Evidence Collection Runbook | Instructions for generating screenshots, logs, policy exports, and configuration reports required for DGSSI audits | 1 |
| Audit | Audit Preparation Playbook | Checklist and documentation package to prepare for regulatory inspection, including sample responses and evidence indexing | 1 |
| Mapping | Cross-Framework Mapping Matrix | Detailed alignment between DGSSI controls, Law 05-20 articles, ISO/IEC 27001:2022 clauses, and NIST SP 800-53 Rev. 4 families | 31 |
Domain assessments
Each of the seven domain assessments contains 30 structured questions scored across Confidentiality, Integrity, and Availability dimensions, enabling granular risk scoring and classification decisions:
- Human Resources Data: Evaluates employee records, payroll systems, and personnel management platforms for sensitivity based on national privacy thresholds.
- Financial Systems: Assesses general ledger, payment processing, and budgeting data for exposure impact under Law 05-20 financial integrity requirements.
- Operational Technology (OT) Data: Reviews process control logs, SCADA telemetry, and maintenance records from industrial systems for availability-critical classification.
- Customer Service Records: Analyzes citizen or client interaction data, support tickets, and identity verification logs for personal data handling compliance.
- Strategic Planning Documents: Covers long-term infrastructure roadmaps, investment plans, and risk registers that may qualify as state-sensitive assets.
- IT Infrastructure Configurations: Examines network diagrams, server settings, and identity provider configurations for integrity-critical status.
- Regulatory Reporting Data: Focuses on submissions to DGSSI, sector regulators, and oversight bodies that require chain-of-custody tracking.
What this saves you
| Activity | Without This Playbook | With This Playbook |
| --- | --- | --- |
| Classify data per DGSSI standards | Manual interpretation of guidelines, inconsistent application across departments | Structured assessment templates with pre-scored criteria and decision rules |
| Configure Microsoft 365 compliance controls | Trial-and-error setup of Purview, DLP, and Conditional Access with no audit trail | Step-by-step configuration guides with exact policy names, conditions, and enforcement actions |
| Prepare for DGSSI audit | Reactive evidence gathering, incomplete documentation, last-minute escalations | Pre-built evidence runbook and audit playbook with indexed deliverables |
| Map controls across frameworks | Time-intensive manual cross-referencing between Law 05-20 and ISO/NIST | Ready-to-use mapping matrix showing equivalent requirements across four frameworks |
| Assign implementation responsibilities | Ambiguous ownership leading to gaps in execution | Predefined RACI and WBS with 142 implementation tasks and role assignments |
Who this is for
- Cybersecurity managers in banking institutions required to protect customer financial data under national sovereignty rules
- IT compliance leads in public administration agencies managing citizen data and digital service platforms
- Information security officers in mining and energy firms overseeing operational technology and environmental reporting systems
- Cloud adoption project managers tasked with deploying Microsoft 365 or Google Workspace within regulated environments
- Data protection officers responsible for aligning data handling practices with Law 05-20 and DGSSI guidance
- Internal audit teams preparing for regulatory inspections of cloud configurations and data governance
- Chief information security officers seeking standardized implementation across multiple business units
Cross-framework mappings
This playbook includes explicit mappings between the following regulatory and technical frameworks:
- DGSSI National Data Classification Guide (2025 edition)
- Law 05-20 on the Protection of Personal Data (Morocco)
- ISO/IEC 27001:2022 Information Security Management
- NIST SP 800-53 Revision 4 Security and Privacy Controls
What is NOT in this product
- This is not a software tool or automated scanner. It does not integrate with Microsoft 365, Google Workspace, or AWS APIs.
- No consulting services, training sessions, or onboarding support are included.
- The playbook does not cover on-premises infrastructure hardening or physical security controls.
- It does not include legal advice or official certification from DGSSI or any government body.
- Support for cloud platforms beyond Microsoft 365, Google Workspace, and AWS is not provided.
- Industry-specific data models for healthcare or education are outside the scope of this release.
- There is no mobile application, web portal, or cloud-based dashboard associated with this product.
Lifetime access and satisfaction guarantee
You receive permanent download access to all 64 files with no subscription, no login portal, and no recurring fees. Store the files in your secure environment and use them across teams and projects indefinitely. If this playbook does not save your team at least 100 hours of manual compliance work, email us for a full refund. No questions, no friction.
About the seller
We have spent 25 years building structured compliance frameworks for regulated organizations worldwide. Our research covers 692 national and international regulatory standards, with 819,000+ cross-framework mappings developed to streamline implementation. Our materials are used by over 40,000 practitioners across 160 countries, including cybersecurity teams in critical infrastructure sectors who rely on precise, auditable, and sovereign-aligned guidance.