Automate evidence collection from your Microsoft 365 environment, manage approval workflows, and always have the right evidence when your auditor asks. No more pre-audit scrambles.
14-day free trial
Automated collection, approval workflows, review dates, and a complete audit trail — all in one place.
Certvik collects evidence directly from your M365 environment on a schedule — MFA reports, Conditional Access logs, device compliance states, audit trails — all with timestamps and control references.
Evidence passes through a structured review process before it is marked ready for audit. Reviewers are notified, decisions are logged, and the full approval chain is preserved.
Not everything comes from M365. Upload policies, contracts, training records, or any other document and attach them to the relevant ISO 27001 control — with review dates and owner assignment.
Every evidence item has a review date. Certvik notifies the assigned owner before the deadline so evidence stays current — not stale from the last audit cycle.
Every change to an evidence item — collection, upload, approval, rejection, review — is logged with a timestamp and user record. Your auditor gets a complete chain of custody.
From connection to audit-ready evidence pack in three steps.
Certvik connects to your Microsoft 365 environment via the Graph API. No agents to install. Evidence collection starts automatically after the first scan.
M365 configuration data is captured on a schedule and mapped to ISO 27001 controls. Upload any additional evidence — policies, contracts, records — and attach them to the relevant control.
Evidence passes through your approval workflow. When your auditor asks, export a structured evidence pack — timestamped, approved, and organised by control.
What we hear from teams managing ISO 27001 evidence manually.
The problem
"We collect evidence once before an audit, then it sits in a shared drive and goes out of date."
How Certvik helps
Certvik collects evidence on a schedule throughout the year, not just before audits. Evidence items have review dates and owners — so the evidence pack stays current automatically.
The problem
"Our auditor rejected evidence because it wasn't dated, signed off, or linked to a specific control."
How Certvik helps
Every evidence item in Certvik is timestamped, linked to its ISO 27001 control, and carries an approval status. There is no ambiguity about what it covers or when it was valid.
The problem
"We have evidence in email, SharePoint, a folder on someone's laptop, and a spreadsheet. Nobody knows what's current."
How Certvik helps
Certvik is the single source of truth for compliance evidence. Automated collection from M365 and manual uploads all live in one place — organised by control, with status and owner clearly visible.
The problem
"Our ISO 27001 auditor asked for evidence from controls we hadn't even realised required documentation."
How Certvik helps
Certvik maps all 93 ISO 27001:2022 controls and shows you which ones have evidence, which have gaps, and which evidence items are approaching their review date — so you're not surprised on audit day.
Certvik automatically collects M365 security configuration data — MFA status, Conditional Access policies, device compliance reports, privileged account lists, audit logs, Defender alerts, and more. The exact data collected depends on your M365 plan and permissions granted.
Yes. Any evidence that doesn't come from M365 can be uploaded directly into Certvik. Documents are attached to the relevant ISO 27001 control and managed with the same review dates, approvals, and audit trail as automatically collected evidence.
When evidence is collected or uploaded, it is assigned to a reviewer. The reviewer is notified, can approve or reject the evidence, and their decision is logged with a timestamp. Rejected evidence can be re-submitted with corrections. The full approval chain is preserved for auditors.
Yes. Certvik generates structured evidence packs that you can download and share with your auditor. Evidence is organised by ISO 27001 control, with timestamps, approval status, and control references included.
Automate evidence collection from your M365 environment and keep your ISO 27001 evidence pack current all year round. Free for 14 days.
ISO 27001 add-on: +$299/month after trial