Microsoft 365 · 5 June 2026 · 10 min read

Microsoft 365 Security Baseline for ISO 27001 Readiness

A practical guide to the Microsoft 365 security settings that matter most for ISO 27001 certification — what to enable, why, and how each setting maps to Annex A controls.

If your organisation uses Microsoft 365 and is working toward ISO 27001 certification, you already have access to a powerful set of security controls — most of which are not enabled by default. Closing the gap between Microsoft 365's default configuration and a security baseline aligned to ISO 27001 Annex A is one of the highest-leverage things you can do before your audit.

This guide walks through the most important Microsoft 365 settings, why they matter for ISO 27001, and what auditors typically look for.

Why Microsoft 365 configuration matters for ISO 27001

ISO 27001 Annex A (2022 edition) contains 93 controls across four domains: Organisational, People, Physical, and Technological. The Technological controls (A.8) are where Microsoft 365 configuration directly contributes evidence.

Controls such as A.8.2 (Privileged access rights), A.8.5 (Secure authentication), A.8.6 (Capacity management), A.8.15 (Logging), A.8.16 (Monitoring), and A.8.20 (Network security) all have corresponding settings in Microsoft 365 and Entra ID that can either satisfy or fail the control, depending on how they are configured.

1. Multi-factor authentication (MFA) — A.8.5

What to do: Enforce MFA for all users, with no permanent exclusions.

How: In Entra ID, create a Conditional Access policy requiring MFA for all users on all applications. Do not rely on Security Defaults — they don't give you the granular control or the audit log that auditors want to see.

What auditors check:
- Is MFA enforced via policy, not just recommended?
- Are there any accounts (including break-glass admin accounts) excluded from MFA?
- What percentage of users have completed MFA registration?

Certvik maps: MFA coverage percentage, accounts without MFA, CA policy export.

2. Conditional Access policies — A.5.15, A.8.2

What to do: Move beyond basic MFA to a layered Conditional Access strategy.

Key policies to have in place:
- Require compliant device for corporate data access — ensures only managed devices reach sensitive apps like SharePoint and Exchange.
- Block legacy authentication — legacy protocols (IMAP, POP3, SMTP AUTH) bypass MFA entirely. Block them unless you have a documented exception.
- Sign-in risk policy — use Entra ID Protection to automatically step up or block logins flagged as risky.
- Location-based restrictions — if your team operates from a known set of countries, consider blocking authentication from unexpected locations.

What auditors check: exports of active CA policies, evidence that legacy auth is blocked, any policy exceptions and their justification.
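The two most common gaps in sections 1 and 2 (an MFA policy with exclusions, and a legacy-auth block left in report-only mode) can be checked offline from a Conditional Access export. This is an added example, not Certvik's code: it assumes the input follows the Microsoft Graph conditionalAccessPolicy shape, and the sample policies and the `breakglass-id` value are constructed.

```python
"""Evaluate exported Entra ID Conditional Access policies against the MFA and
legacy-auth items of the baseline. Added example; input shape follows the
Microsoft Graph conditionalAccessPolicy resource, sample data is constructed."""
from typing import Iterable


def _active(p: dict) -> bool:
    # Report-only ("enabledForReportingButNotEnforced") or disabled policies do not enforce anything.
    return p.get("state") == "enabled"


def _all_users_no_exclusions(cond: dict) -> bool:
    users = cond.get("users", {})
    return (users.get("includeUsers") == ["All"]
            and not users.get("excludeUsers")
            and not users.get("excludeGroups")
            and not users.get("excludeRoles"))


def _controls(p: dict) -> set:
    return set((p.get("grantControls") or {}).get("builtInControls", []))


def mfa_for_all(policies: Iterable[dict]) -> bool:
    """True if an enabled policy requires MFA for all users on all apps with no exclusions."""
    return any(_active(p) and _all_users_no_exclusions(p["conditions"])
               and p["conditions"].get("applications", {}).get("includeApplications") == ["All"]
               and "mfa" in _controls(p)
               for p in policies)


def legacy_auth_blocked(policies: Iterable[dict]) -> bool:
    """True if an enabled policy blocks both legacy client app types for all users."""
    legacy = {"exchangeActiveSync", "other"}
    return any(_active(p)
               and p["conditions"].get("users", {}).get("includeUsers") == ["All"]
               and legacy <= set(p["conditions"].get("clientAppTypes", []))
               and _controls(p) == {"block"}
               for p in policies)


def evaluate(policies: list) -> dict:
    return {"mfa_all_users_no_exclusions": mfa_for_all(policies),
            "legacy_auth_blocked": legacy_auth_blocked(policies)}


# Constructed sample export: the MFA policy excludes a break-glass account, and
# the legacy-auth block is still in report-only mode, so both checks fail.
SAMPLE_POLICIES = [
    {"displayName": "Require MFA for all users", "state": "enabled",
     "conditions": {"users": {"includeUsers": ["All"], "excludeUsers": ["breakglass-id"]},
                    "applications": {"includeApplications": ["All"]}, "clientAppTypes": ["all"]},
     "grantControls": {"operator": "OR", "builtInControls": ["mfa"]}},
    {"displayName": "Block legacy authentication", "state": "enabledForReportingButNotEnforced",
     "conditions": {"users": {"includeUsers": ["All"]}, "applications": {"includeApplications": ["All"]},
                    "clientAppTypes": ["exchangeActiveSync", "other"]},
     "grantControls": {"operator": "OR", "builtInControls": ["block"]}},
]
```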

3. Privileged identity management — A.8.2

What to do: Limit standing Global Admin accounts and use Privileged Identity Management (PIM) for just-in-time elevation.

Minimum baseline:
- No more than 2–3 permanent Global Admins.
- All privileged roles assigned through PIM with approval workflows and time limits.
- Regular access reviews for privileged roles (Entra ID Access Reviews).

What auditors check: number of Global Admin accounts, whether PIM is active, access review completion records.

4. Audit logging and retention — A.8.15, A.8.16

What to do: Enable the Microsoft 365 Unified Audit Log and set a retention period appropriate for your ISMS (ISO 27001 doesn't specify a minimum, but 90–365 days is typical).

Where to configure: Microsoft Purview compliance portal → Audit → Audit retention policies.

Key log types to ensure are flowing:
- Entra ID sign-in and audit logs
- Exchange message trace and admin audit logs
- SharePoint and OneDrive file access logs
- Microsoft Teams activity logs

What auditors check: evidence that the audit log is enabled, retention policy configuration, and sample log exports showing events were captured during the audit period.

5. Data Loss Prevention (DLP) — A.5.12, A.8.11

What to do: Deploy DLP policies in Microsoft Purview to detect and block accidental sharing of sensitive data (credit card numbers, personal data, health information).

Minimum baseline:
- A DLP policy covering Exchange, SharePoint, OneDrive, and Teams.
- At minimum, detect and alert on sharing of financial account numbers and national ID numbers.
- Policy tips enabled to educate users in real time.

What auditors check: active DLP policy configuration, incident reports showing the policy has been firing, and evidence that alerts are reviewed.

6. Mobile Device Management and device compliance — A.8.1

What to do: Enrol corporate-managed devices in Microsoft Intune and configure compliance policies.

Compliance policy settings auditors look for:
- Minimum OS version enforced.
- Encryption required.
- Screen lock with PIN or biometric.
- Jailbroken/rooted devices blocked.

Conditional Access link: combine device compliance policies with a CA policy that blocks access for non-compliant devices.

What auditors check: Intune compliance policy configuration export, compliance status report showing percentage of compliant devices.

7. Email security — A.8.21, A.8.23

What to do: Enable the full email authentication stack and Microsoft Defender for Office 365.

SPF, DKIM, DMARC: all three should be configured and DMARC should be set to at least p=quarantine. Auditors increasingly check this as part of phishing resistance evidence.

Microsoft Defender for Office 365 (Plan 1 minimum):
- Safe Attachments: enabled for Exchange and SharePoint.
- Safe Links: enabled for all users.
- Anti-phishing policy: impersonation protection configured for your C-suite and key domains.

What auditors check: DMARC record, Safe Attachments/Links policy exports, defender threat reports from the audit period.
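A DMARC record that reads `p=quarantine` can still be weaker than it looks if `pct` is below 100 or `sp` relaxes the policy for subdomains, and an SPF record is only useful if it ends in a failing `all` mechanism. The following is an added example (not Certvik's code) that evaluates published TXT records against the section 7 baseline; the records and the `example.invalid` domain are constructed.

```python
"""Check SPF and DMARC TXT records against the email-authentication baseline.
Added example; pass in the record strings (e.g. from `dig TXT _dmarc.yourdomain`).
Sample records below are constructed for a fictional domain."""


def parse_dmarc(record: str) -> dict:
    """Split a DMARC TXT record into lower-cased tag -> value pairs."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            k, v = part.split("=", 1)
            tags[k.strip().lower()] = v.strip()
    return tags


def dmarc_findings(record: str) -> list:
    """Return baseline gaps: policy below quarantine, partial enforcement,
    a weaker subdomain policy, or no aggregate-report address."""
    t = parse_dmarc(record)
    if t.get("v") != "DMARC1":
        return ["not a DMARC record"]
    strength = {"none": 0, "quarantine": 1, "reject": 2}
    findings = []
    p = t.get("p", "none")
    if strength.get(p, 0) < 1:
        findings.append(f"p={p} is below the p=quarantine minimum")
    if int(t.get("pct", "100")) < 100:
        findings.append(f"pct={t['pct']} applies the policy to only part of failing mail")
    sp = t.get("sp", p)  # sp defaults to p; an explicit weaker sp leaves subdomains open
    if strength.get(sp, 0) < strength.get(p, 0):
        findings.append(f"sp={sp} is weaker than p={p}")
    if "rua" not in t:
        findings.append("no rua= address, so aggregate reports cannot serve as evidence")
    return findings


def spf_findings(record: str) -> list:
    """Flag an SPF record whose final 'all' mechanism does not fail unauthorised senders."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return ["not an SPF record"]
    last = terms[-1].lower()
    if last not in ("-all", "~all"):
        return [f"record ends with '{last}' instead of -all or ~all"]
    return []


DMARC_WEAK = "v=DMARC1; p=none; rua=mailto:dmarc@example.invalid"
DMARC_OK = "v=DMARC1; p=quarantine; sp=quarantine; pct=100; rua=mailto:dmarc@example.invalid"
SPF_OPEN = "v=spf1 include:spf.protection.outlook.com +all"
SPF_OK = "v=spf1 include:spf.protection.outlook.com -all"
```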

8. Microsoft Secure Score as a living baseline

Microsoft Secure Score (in the Microsoft 365 Defender portal) gives you a single score representing how well your configuration aligns to Microsoft's recommended baseline. It maps well — though not perfectly — to ISO 27001 controls.

Use Secure Score as an ongoing monitoring tool rather than a one-time checklist. Track your score over time, investigate drops, and use the improvement actions as a backlog of security tasks.

A Secure Score above 70–75% typically indicates a configuration that will satisfy most ISO 27001 technological controls without additional tooling.

Automating the baseline check

Manually exporting these settings for every audit cycle is tedious and error-prone. Certvik's Microsoft 365 security assessment connects to your tenant via Microsoft Graph and automatically evaluates your configuration against the ISO 27001 baseline — flagging gaps, generating evidence reports, and showing your posture at a glance.

It doesn't change your configuration; it reads it, maps it to controls, and tells you what to fix and what evidence you can already export to your auditor.

Start collecting evidence automatically

Certvik connects to your Microsoft 365 tenant and maps your configuration to ISO 27001 and SOC 2 controls — so you're always audit-ready, not scrambling before a deadline.