In our webinar with Ontinue in July, 50% of our audience were tackling ISO 27001 for the first time, which probably seems daunting, and even more so if you're not familiar with your Microsoft 365 security and compliance journey.
That’s why we suggested starting here in step 1 when looking at your Microsoft maturity through the lens of ISO 27001.
The first step to set you up for success is to assess and benchmark your current stance and maturity level across the Microsoft security ecosystem. Whether it’s a case of tuning in Microsoft-centric benchmarking activities that are already operational, or beginning from a standing start, there are some useful places to find the raw information necessary to help you assess where you currently are.
Firstly, head to the Microsoft service trust portal because this is where Microsoft set out their stance as an ISO 27001 certified platform vendor.
This is important information because in using Microsoft 365 you are sharing the information security risk with Microsoft.
In using Microsoft 365 you are signed up to the Shared Responsibility model, in which Microsoft takes on responsibility for the platform. Microsoft 365 is delivered in a SaaS vendor capacity, so Microsoft takes on responsibility right up to the application level.
You take on the risks inherent in your data (your IP, the sensitive data you carry, the regulatory obligations you have, your housekeeping duties, your devices, your vulnerabilities around identities and access).
Microsoft give you a powerhouse of controls for you to fulfil on your side of the bargain. But it’s still your side of the bargain.
So, to help you assess and benchmark how well you're doing on some parts of your side of the bargain, Compliance Manager is waiting for you in the Microsoft Compliance Centre.
It’s where you can benchmark your approach to compliance against regulations and standards, manage incremental improvements, and get support and information for audits.
By default it is already busy assessing your environment against the Data Protection Baseline, a set of controls drawn from key regulations and standards for data protection and general data governance (NIST/GDPR).
It's designed for non-technical compliance/risk professionals to use, but in our opinion it's worryingly underutilised. If you'd like more information and guidance on Microsoft Compliance Manager, download our quick start guide.
In Compliance Manager, not only do you have a great starting place with the Data Privacy assessment, you might also find an ISO 27001 template included in your licence. If not, you can purchase it; it's considered a 'Premium assessment'.
It will show you which controls you already have in place against the clauses in the standard and give suggestions for improvements. If you don't already have a tool for managing your ISO 27001 reporting, you can use this as a home to manage the process, tracking people and process as well as technical controls.
From a cyber security perspective, you also have Microsoft Secure Score available to you. It is a great indicator of your cyber maturity and, again, gives you a list of improvement actions.
All these Microsoft native scores and assessments and dashboards are there at your fingertips, and are great as a starting point, and for tracking to evidence your improvement over time.
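To take "tracking over time" beyond reading the Secure Score dashboard by eye, here is an added PowerShell example (not code from the original post, from Ontinue, Cloud Essentials or Microsoft) that pulls the daily Secure Score snapshots through Microsoft Graph, reports the change between the oldest and newest snapshot, and exports the series as audit evidence. It assumes the Microsoft.Graph.Security module is installed, that the signed-in account has been granted the SecurityEvents.Read.All permission, and that the output file name is your own choice.

```powershell
# Added example: evidence Secure Score improvement over time via Microsoft Graph.
# Assumptions: Microsoft.Graph.Security module installed; the signed-in account
# has been granted SecurityEvents.Read.All; the CSV path below is a placeholder.
Import-Module Microsoft.Graph.Security
Connect-MgGraph -Scopes "SecurityEvents.Read.All"

# Graph keeps one Secure Score snapshot per day; -Top 90 covers roughly a quarter.
$scores = Get-MgSecuritySecureScore -Top 90 | Sort-Object CreatedDateTime

# Flatten each snapshot to date / score / maximum / percentage for reporting.
$history = $scores | ForEach-Object {
    [pscustomobject]@{
        Date    = $_.CreatedDateTime.ToString('yyyy-MM-dd')
        Score   = [math]::Round($_.CurrentScore, 1)
        Max     = [math]::Round($_.MaxScore, 1)
        Percent = [math]::Round(100 * $_.CurrentScore / $_.MaxScore, 1)
    }
}

# Summarise the movement between the oldest and newest snapshot in the window.
$first = $history | Select-Object -First 1
$last  = $history | Select-Object -Last 1
"Secure Score moved from {0}% on {1} to {2}% on {3}" -f `
    $first.Percent, $first.Date, $last.Percent, $last.Date

# Keep the daily series as evidence for the ISMS improvement record (placeholder path).
$history | Export-Csv -Path .\secure-score-history.csv -NoTypeInformation

# Controls still scoring zero in the latest snapshot are the improvement actions
# to fold into your own risk prioritisation rather than work top-down from the list.
$latest = $scores | Select-Object -Last 1
$latest.ControlScores |
    Where-Object { $_.Score -eq 0 } |
    Select-Object ControlCategory, ControlName, Score |
    Sort-Object ControlCategory, ControlName |
    Format-Table -AutoSize
```

Run it on a schedule (for example monthly, before each ISMS review) and keep the exported CSVs together; the percentage column is the comparable figure, because the maximum score changes as Microsoft adds new controls and new licences are assigned.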
BUT
They can be difficult to interpret on their own, and it is tricky to join up what the dashboard is telling you with what the best next actions are in your unique context of prioritised risk.
That is what ISO 27001 is all about: building and managing your ISMS within the "risk context of the organisation".
So that's why you'll be taking these assessments and dashboards and then folding in your internal and external landscape, and that is where Ontinue and Cloud Essentials often assist organisations so that they can prioritise and plan.
Catch up on the full webinar on Ontinue’s website.