
docs(compliance): add manual control verification templates for CIS M…#227

Open
Ashjani wants to merge 1 commit into main from feature/26T1-GRC-AA-manual-control-templates

Conversation

@Ashjani
Collaborator

@Ashjani Ashjani commented May 8, 2026

Summary

Work in progress (not yet finished): adding GRC content for the manual control verification integration.

This PR adds verification templates for the 14 CIS M365 v6.0.0 controls that cannot be
automated. Each template contains step-by-step auditor instructions, a keyword list for
confidence scoring, severity level, and evidence type. Templates are formatted to match
the ControlVerificationTemplate schema and will be seeded via POST /v1/verification-templates/
once Aaron's migration is merged.

Still to be added to this PR:

  • Manual control classification doc (docs/compliance/manual_control_classification.md)
  • Confidence threshold justification doc (docs/compliance/confidence_threshold_justification.md)
  • Confidence scoring algorithm (backend-api/app/services/confidence_scorer.py)

Type of Change

  • Bug fix
  • New feature
  • Breaking change
  • Refactor / code cleanup
  • Documentation
  • CI/CD / infrastructure
  • Security

Affected Components

  • /backend-api
  • /frontend
  • /engine (collectors / policies)
  • /security
  • /infrastructure
  • /.github/workflows
  • /docs

Motivation

14 controls in the CIS M365 Foundations Benchmark v6.0.0 cannot be checked automatically
because Microsoft does not expose those settings through a stable API. When a scan runs,
these controls are created with status pending and never update. There is no guidance for
auditors on what to check or upload.

This PR provides the content layer for the manual verification workflow: auditor
instructions and keywords for all 14 controls, so that when Aaron Alijani's ControlVerificationTemplate
table and endpoints are merged, the table can be seeded immediately and auditors have
structured guidance for every pending manual control.

Testing Done

  • Unit tests pass locally
  • Tested manually — describe how:
  • No tests required: documentation and JSON data only, no executable code in this PR yet

Security Considerations

No security impact. This PR adds documentation and a JSON data file only. No secrets,
credentials, API permissions, or data exposure changes.

Breaking Changes

  • No breaking changes

Rollback Plan

  • Revert commit is sufficient

Checklist

  • Code follows project conventions
  • No secrets, credentials, or tokens committed
  • Relevant documentation updated (if applicable)
  • CI/CD workflows pass on this branch
  • PR is focused on one thing

Screenshots

Not applicable; no frontend or visual changes.

@du-dhartley
Collaborator

This is currently blocked by the changes required on PR #229 around the version and benchmark/framework specifications. As we will be dealing with multiple versions of multiple benchmarks or frameworks, it's critical that the data living in the database can be explicitly matched on the combination of benchmark, version and control_id, rather than control_id alone.


@du-dhartley du-dhartley left a comment


Requesting changes based on my previous comment about this being blocked by another PR for version reasons
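
The two technical points raised in this thread, that a template must be addressed by the combination of benchmark, version and control_id rather than control_id alone, and that a per-template keyword list can turn auditor-uploaded evidence into a confidence score, are illustrated below. This is an added example, not code from this PR or from the project's backend-api; the ControlVerificationTemplate field names, the score thresholds, the triage labels and all sample template and evidence data are assumptions made for the illustration (the PR states the confidence_scorer.py and the threshold justification are still to come).

```python
# Added illustration, not the project's code. Field names, thresholds and all
# sample data below are assumptions for the example.
from dataclasses import dataclass
import re


@dataclass(frozen=True)
class TemplateKey:
    """Composite key: the same control_id can exist in several benchmark versions."""
    benchmark: str    # assumed naming, e.g. "CIS M365 Foundations"
    version: str      # e.g. "6.0.0"
    control_id: str   # e.g. "1.1.3"


@dataclass
class ControlVerificationTemplate:
    key: TemplateKey
    severity: str        # assumed vocabulary: "low" | "medium" | "high"
    evidence_type: str   # assumed vocabulary: "screenshot" | "export" | "attestation"
    steps: list[str]     # step-by-step auditor instructions
    keywords: list[str]  # phrases expected in acceptable evidence


class TemplateStore:
    """In-memory stand-in for a verification-templates table."""

    def __init__(self) -> None:
        self._rows: dict[TemplateKey, ControlVerificationTemplate] = {}

    def seed(self, tpl: ControlVerificationTemplate) -> None:
        # Refuse duplicates on the full composite key, so re-running a seed
        # script cannot silently overwrite a template for another version.
        if tpl.key in self._rows:
            raise ValueError(f"duplicate template for {tpl.key}")
        self._rows[tpl.key] = tpl

    def get(self, benchmark: str, version: str, control_id: str) -> ControlVerificationTemplate:
        return self._rows[TemplateKey(benchmark, version, control_id)]

    def matches_control_id(self, control_id: str) -> list[ControlVerificationTemplate]:
        # What a lookup on control_id alone returns: possibly several rows.
        return [t for t in self._rows.values() if t.key.control_id == control_id]


def _normalize(text: str) -> str:
    return re.sub(r"\s+", " ", text.lower()).strip()


def confidence_score(tpl: ControlVerificationTemplate, evidence_text: str) -> tuple[float, list[str]]:
    """Fraction of template keywords found in the evidence (whole-phrase, case-insensitive)."""
    text = _normalize(evidence_text)
    matched = [
        kw for kw in tpl.keywords
        if re.search(r"\b" + re.escape(_normalize(kw)) + r"\b", text)
    ]
    if not tpl.keywords:
        return 0.0, matched   # a template without keywords can never auto-verify
    return len(matched) / len(tpl.keywords), matched


# Assumed thresholds; the PR says the justification document is still to be written.
ACCEPT_THRESHOLD = 0.75
REVIEW_THRESHOLD = 0.40


def triage(score: float) -> str:
    if score >= ACCEPT_THRESHOLD:
        return "verified"
    if score >= REVIEW_THRESHOLD:
        return "needs_auditor_review"
    return "insufficient_evidence"


def build_sample_store() -> TemplateStore:
    """Constructed sample data: the same control_id in two benchmark versions."""
    store = TemplateStore()
    store.seed(ControlVerificationTemplate(
        key=TemplateKey("CIS M365 Foundations", "5.0.0", "1.1.3"),
        severity="high", evidence_type="screenshot",
        steps=["Open the admin portal.", "Capture the administrator role membership."],
        keywords=["global administrator", "mfa enforced", "conditional access"],
    ))
    store.seed(ControlVerificationTemplate(
        key=TemplateKey("CIS M365 Foundations", "6.0.0", "1.1.3"),
        severity="high", evidence_type="screenshot",
        steps=["Open the admin portal.", "Capture the administrator role membership."],
        keywords=["global administrator", "assigned", "cloud-only", "break glass"],
    ))
    return store


# Constructed evidence text, as an auditor might paste from a screenshot's OCR.
SAMPLE_EVIDENCE = (
    "Screenshot: Microsoft Entra admin center > Roles and administrators > "
    "Global Administrator. 3 assigned members, all cloud-only accounts."
)


def demo() -> dict:
    store = build_sample_store()
    v6 = store.get("CIS M365 Foundations", "6.0.0", "1.1.3")
    v5 = store.get("CIS M365 Foundations", "5.0.0", "1.1.3")
    s6, _ = confidence_score(v6, SAMPLE_EVIDENCE)
    s5, _ = confidence_score(v5, SAMPLE_EVIDENCE)
    return {
        "ambiguous_rows_for_control_id_only": len(store.matches_control_id("1.1.3")),
        "v6": (s6, triage(s6)),
        "v5": (s5, triage(s5)),
    }


if __name__ == "__main__":
    print(demo())
```

The same evidence scores differently against the v5.0.0 and v6.0.0 templates, which is why a scan result keyed only on control_id cannot pick the right keyword list; the composite key makes the lookup unambiguous and lets seed() reject accidental overwrites.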
