Can't find your answer here? Email us at contact@certvik.com.
Certvik is a compliance operations platform for companies using Microsoft 365. It automates the evidence collection, reassessment scheduling, approval workflows and reporting that make ISO 27001 and SOC 2 compliance programs so time-consuming to maintain. It is not a replacement for a compliance consultant or auditor — it is the software that runs your compliance program day to day.
Sign in with your Microsoft 365 account. Certvik provisions your workspace automatically and starts scanning your M365 environment. You don't need to manually enter any data. Your 14-day free trial begins immediately.
This is the most common way companies begin a compliance program. First, don't panic — most enterprise customers will accept a signed security questionnaire or a compliance roadmap while you work toward certification. With Certvik, connect your M365 tenant and you'll have a gap analysis and evidence baseline within hours. That gives you something concrete to show a customer while you work toward the formal audit. ISO 27001 certification typically takes 3–12 months; SOC 2 Type II requires 6–12 months of evidence collection. Starting now is the right move.
Certvik reads security configuration data through the Microsoft Graph API — things like MFA status, Conditional Access policies, Intune device compliance, Defender alerts and audit logs. It never reads email content, documents or personal data.
You need Global Administrator or Security Administrator permissions in Microsoft 365 to connect your tenant. After that, you can invite team members with whatever role is appropriate for their responsibilities.
All plans are currently offered at Founding Member pricing — locked in for life. M365 Scan (standalone): $99/mo (normally $149). ISO 27001: $299/mo (normally $399), M365 scan included. SOC 2: $299/mo (normally $399), M365 scan included. M365 AutoSecure (one-click policy enforcement, add-on only): $199/mo (normally $299), M365 scan included. Only 25 founding member spots exist — 7 are taken. See the pricing page for full details.
The first 25 customers can lock in the M365 base plan at $199/month (or €189/month) for the lifetime of their subscription — even as prices increase in future. Once the 25 spots are taken, this offer closes permanently.
Vanta and Drata are broad GRC platforms covering many cloud environments at $10,000–$25,000+ per year. Certvik is purpose-built for Microsoft 365 environments and costs a fraction of that. If your infrastructure lives primarily in M365 — Entra ID, Teams, SharePoint, Defender, Intune — Certvik gives you deeper, more accurate coverage of that environment than a general-purpose platform does. If you run a complex multi-cloud stack with AWS, GCP, and multiple SaaS tools, a broader platform may be a better fit.
You'll receive a reminder in the last 5 days of your trial. If you don't subscribe before it expires, access to the app is paused — you'll see a subscription prompt instead of the dashboard. Your data is not deleted and becomes fully accessible again the moment you subscribe. You can always reach us at contact@certvik.com if you need more time.
Yes. There are no long-term contracts. Cancel from your billing settings at any time and you will not be charged again. Your access continues until the end of the period you have paid for.
Yes. Certvik is built for ISO 27001:2022, which introduced 93 controls across 4 themes (updated from 114 controls in the 2013 edition). All controls are pre-mapped to your M365 environment. If you were previously certified under the 2013 standard, the October 2025 transition deadline has now passed — you should already be on 2022. Certvik uses 2022 control numbering and mapping throughout.
The transition involves three main tasks: updating your Statement of Applicability to use 2022 control references, re-mapping your risk assessment to the new control structure, and implementing the 11 new controls (which include cloud services, threat intelligence, data masking and physical security monitoring). Certvik's control library is built on ISO 27001:2022, so connecting your M365 tenant will immediately show you which of the new controls your environment satisfies and which have gaps. You don't need to start from scratch — you carry over your existing evidence.
Certvik handles the operational compliance work — evidence collection, monitoring and documentation. You will still need to work with an accredited certification body for the formal audit, and most companies work with a consultant for gap assessment advice and audit preparation. Certvik significantly reduces the time and cost involved.
Certvik shows you the status of each ISO 27001:2022 control against your M365 environment — which controls are satisfied, which have gaps, and with what evidence. That gives you a clear, up-to-date input for building your SoA. The SoA itself (applicability decisions, justifications, exclusion rationale) is a document you or your consultant must own and write — Certvik doesn't generate it for you, but it removes most of the legwork in knowing what your current posture actually is.
Yes. Every ISO 27001:2022 control includes a downloadable Word (.docx) template in two variants: a basic version for getting started quickly, and a detailed version with fuller guidance and placeholder sections for your specific controls. The same applies for SOC 2 Trust Services Criteria controls. These are starting points — you still need to review, customise and own them — but they replace the blank-page problem that wastes weeks at the start of most compliance programmes. Download them directly from the evidence centre for each control.
This is one of the most common ISO 27001 surprises: you can have excellent security in practice and still fail an audit if there's no recorded evidence it was happening. ISO 27001 auditors check your Information Security Management System — the documented records — not just whether your settings are currently configured correctly. For your M365 environment, Certvik helps by scanning your tenant on a schedule and recording the state of each security control with a timestamp and control reference. That gives you a dated, structured evidence trail for your M365-based controls. You will still need to write your own policies, risk assessments and other ISMS documents — Certvik does not generate those for you.
Certvik maps controls across all five Trust Services Criteria: Security (CC), Availability (A), Confidentiality (C), Processing Integrity (PI) and Privacy (P). The Security category is always required; the others are selected based on your scope.
Certvik supports both. Type I is a point-in-time snapshot. Type II requires evidence of controls operating over a period of time (usually 6–12 months). Certvik's continuous monitoring means you are always collecting Type II evidence from day one.
That frustration is widely shared — and it's a real problem with how SOC 2 is sometimes implemented. The standard itself is sound; the issue is that point-in-time screenshot collection doesn't prove that controls were actually operating continuously. Certvik approaches this differently: it scans your live M365 configuration on a schedule, records what it finds with timestamps, and flags the moment something drifts out of compliance. The result is a continuous evidence trail of your actual security posture — not a folder of screenshots assembled the week before the auditor arrives.
A SOC 2 report attests that controls were operating effectively during the audit observation period. It doesn't guarantee those controls are still in place the day after the report is issued, and it doesn't cover gaps outside the defined scope. Configuration drift — where settings change after an audit — is one of the leading causes of this gap. Certvik's continuous monitoring detects drift between audit cycles and alerts you when a previously compliant control falls out of configuration, so you're not relying on a once-a-year snapshot to catch real-time changes.
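The drift detection described in the two answers above amounts to diffing dated control snapshots. The PowerShell below is an added example, not Certvik's code: it compares a baseline snapshot with a later one and reports each check that changed, appeared or disappeared, carrying the control references and the detection timestamp with it. Both snapshots are constructed sample data in a hypothetical JSON shape (a `CollectedAt` timestamp plus a `Findings` list); a real run would load them from scheduled scan output.

```powershell
# Added example (not Certvik's code): report configuration drift between two
# timestamped control snapshots. Snapshot shape and sample values are constructed.

$baseline = @'
{
  "CollectedAt": "2025-01-06T09:00:00Z",
  "Findings": [
    { "Check": "UnifiedAuditLogIngestionEnabled", "Observed": true,
      "Controls": ["ISO 27001:2022 A.8.15", "SOC 2 CC7.2"] },
    { "Check": "TenantSharingCapability", "Observed": "ExternalUserSharingOnly",
      "Controls": ["ISO 27001:2022 A.5.15", "SOC 2 CC6.3"] }
  ]
}
'@ | ConvertFrom-Json

$current = @'
{
  "CollectedAt": "2025-01-07T09:00:00Z",
  "Findings": [
    { "Check": "UnifiedAuditLogIngestionEnabled", "Observed": true,
      "Controls": ["ISO 27001:2022 A.8.15", "SOC 2 CC7.2"] },
    { "Check": "TenantSharingCapability", "Observed": "ExternalUserAndGuestSharing",
      "Controls": ["ISO 27001:2022 A.5.15", "SOC 2 CC6.3"] }
  ]
}
'@ | ConvertFrom-Json

function Find-ControlDrift {
    param(
        [Parameter(Mandatory)] $Baseline,
        [Parameter(Mandatory)] $Current
    )
    # Index the earlier snapshot by check name so each current finding is a single lookup.
    $before = @{}
    foreach ($f in $Baseline.Findings) { $before[$f.Check] = $f }

    $seen = @{}
    foreach ($f in $Current.Findings) {
        $seen[$f.Check] = $true
        if (-not $before.ContainsKey($f.Check)) {
            [pscustomobject]@{
                Check = $f.Check; Change = 'Added'; From = $null; To = $f.Observed
                Controls = ($f.Controls -join ', '); DetectedAt = $Current.CollectedAt
            }
            continue
        }
        # Compare as strings so booleans and enum-like values are handled uniformly.
        $old = $before[$f.Check].Observed
        if ("$old" -ne "$($f.Observed)") {
            [pscustomobject]@{
                Check = $f.Check; Change = 'Drift'; From = $old; To = $f.Observed
                Controls = ($f.Controls -join ', '); DetectedAt = $Current.CollectedAt
            }
        }
    }
    # A check that stops appearing is itself a gap in the evidence trail, not a pass.
    foreach ($name in $before.Keys) {
        if (-not $seen.ContainsKey($name)) {
            $f = $before[$name]
            [pscustomobject]@{
                Check = $name; Change = 'Missing'; From = $f.Observed; To = $null
                Controls = ($f.Controls -join ', '); DetectedAt = $Current.CollectedAt
            }
        }
    }
}

$drift = @(Find-ControlDrift -Baseline $baseline -Current $current)
if ($drift.Count -eq 0) {
    Write-Host "No drift between $($baseline.CollectedAt) and $($current.CollectedAt)"
} else {
    $drift | Format-Table Check, Change, From, To, Controls, DetectedAt -AutoSize
}
```

With the sample data, the audit-log check is unchanged and the sharing check is reported as `Drift` from `ExternalUserSharingOnly` to `ExternalUserAndGuestSharing`, tagged with A.5.15 and CC6.3 and the timestamp of the later snapshot. Keeping the detection time and the control references on every drift record is what turns a diff into evidence an auditor can use.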
Not necessarily. Microsoft Secure Score measures how many of Microsoft's recommended settings are enabled in your tenant — it's a useful hygiene indicator, but it has two important limitations for compliance purposes. First, it doesn't map to ISO 27001 or SOC 2 control language, so a score of 70% tells an auditor nothing about your compliance posture. Second, some high-scoring recommendations are tied to purchasing additional Microsoft licenses rather than improving security. Certvik takes your M365 configuration and maps it directly to ISO 27001:2022 and SOC 2 controls with specific control references, giving auditors what they actually need.
Unified Audit Logging is not enabled by default across all Microsoft 365 plans, and many organisations discover during a compliance audit that they have no activity logs for the review period. This is a direct compliance failure for both ISO 27001 (A.8.15 — logging) and SOC 2 (CC7.2 — anomaly detection). Certvik checks audit logging status as part of its initial scan and flags it immediately if it's off or misconfigured — along with the specific controls that requirement maps to.
External sharing in SharePoint and Teams is one of the most common M365 misconfiguration findings in compliance audits — sites set to 'Anyone with the link', guest access configured too broadly, and no record of what's been shared externally. This maps to ISO 27001 control A.5.15 (access control) and SOC 2 CC6.3 (access restrictions). Certvik scans your tenant's sharing configuration as part of its security posture assessment and surfaces these findings with the specific controls they affect, so you know exactly what to fix before an auditor finds it.
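The two findings above (audit logging off, external sharing too broad) can be checked directly from an M365 tenant and recorded as dated, control-referenced evidence. The PowerShell below is an added example, not Certvik's code. It assumes the ExchangeOnlineManagement and Microsoft.Online.SharePoint.PowerShell modules are installed and that the caller holds the admin roles those modules require; `$TenantName` is a placeholder for your tenant's short name, and the JSON record layout is this example's own, not a Certvik format.

```powershell
# Added example (not Certvik's code): record Unified Audit Log and SharePoint
# external-sharing state as timestamped evidence tied to the control references
# named above. Requires ExchangeOnlineManagement and the SharePoint Online
# Management Shell; $TenantName is a placeholder.

param(
    [Parameter(Mandatory)] [string] $TenantName,
    [string] $OutFile = ".\m365-evidence.jsonl"
)

Import-Module ExchangeOnlineManagement
Import-Module Microsoft.Online.SharePoint.PowerShell -DisableNameChecking

Connect-ExchangeOnline -ShowBanner:$false
Connect-SPOService -Url "https://$TenantName-admin.sharepoint.com"

$now = (Get-Date).ToUniversalTime().ToString("o")
$findings = @()

# Check 1: Unified Audit Logging (ISO 27001:2022 A.8.15, SOC 2 CC7.2).
$auditCfg = Get-AdminAuditLogConfig
$findings += [pscustomobject]@{
    Timestamp = $now
    Check     = "UnifiedAuditLogIngestionEnabled"
    Observed  = $auditCfg.UnifiedAuditLogIngestionEnabled
    Status    = if ($auditCfg.UnifiedAuditLogIngestionEnabled) { "Pass" } else { "Fail" }
    Controls  = @("ISO 27001:2022 A.8.15", "SOC 2 CC7.2")
}

# Check 2: tenant-wide SharePoint/OneDrive sharing level (ISO 27001:2022 A.5.15, SOC 2 CC6.3).
# ExternalUserAndGuestSharing is the level that permits "Anyone with the link".
$tenant = Get-SPOTenant
$findings += [pscustomobject]@{
    Timestamp = $now
    Check     = "TenantSharingCapability"
    Observed  = [string] $tenant.SharingCapability
    Status    = if ($tenant.SharingCapability -eq "ExternalUserAndGuestSharing") { "Review" } else { "Pass" }
    Controls  = @("ISO 27001:2022 A.5.15", "SOC 2 CC6.3")
}

# Check 3: individual sites that still allow anonymous links, so the record
# shows where external sharing is actually possible, not just the tenant default.
$anyoneSites = @(Get-SPOSite -Limit All |
    Where-Object { $_.SharingCapability -eq "ExternalUserAndGuestSharing" } |
    Select-Object -ExpandProperty Url)
$findings += [pscustomobject]@{
    Timestamp = $now
    Check     = "SitesAllowingAnyoneLinks"
    Observed  = $anyoneSites
    Status    = if ($anyoneSites.Count -eq 0) { "Pass" } else { "Review" }
    Controls  = @("ISO 27001:2022 A.5.15", "SOC 2 CC6.3")
}

# Append one JSON line per run so successive scans form a dated trail that can be
# compared for drift rather than overwritten.
$record = [pscustomobject]@{ CollectedAt = $now; Tenant = $TenantName; Findings = $findings }
$record | ConvertTo-Json -Depth 5 -Compress | Add-Content -Path $OutFile

$findings | Format-Table Check, Status, Controls -AutoSize
```

Run it on a schedule (a task scheduler or pipeline job) rather than by hand; the value of the record comes from the series of timestamps, which is what a Type II auditor needs to see for the observation period.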
Certvik stores data in the European Union (hosted on Supabase infrastructure). If you require data residency in a specific region, contact us.
No. Certvik only reads security configuration metadata through the Microsoft Graph API. It has no access to your email content, Teams messages, SharePoint files or personal data.
We are working toward our own ISO 27001 certification, which we expect to complete in 2026. Our security posture documentation is available on request.
Get in touch and we'll get back to you quickly.