Certvik scans your M365 tenant and produces a structured security assessment against ISO 27001:2022 controls and SOC 2 Trust Services Criteria — automatically, in the language your auditor uses.
14-day free trial
Certvik goes beyond a security score — it maps your M365 configuration to the control frameworks your auditors, customers, and regulators actually check against.
Certvik scans your Microsoft 365 tenant via the Graph API and produces a structured security assessment — no manual data gathering required.
Assessment findings are mapped directly to ISO 27001:2022 controls and SOC 2 Trust Services Criteria — in the language your auditor uses, not a proprietary score.
See which controls your current M365 configuration satisfies, which have partial coverage, and which are missing entirely — with guidance on what to address first.
Your security posture is not static. Certvik rescans on a schedule and alerts you when previously covered controls drift out of configuration.
Export your security assessment as a Word or PDF report — suitable for your auditor, CISO, board, or an enterprise customer due diligence questionnaire.
Every area below is read directly from your M365 tenant via the Graph API and evaluated against ISO 27001 and SOC 2 control requirements.
Multi-factor authentication
MFA coverage across all users and admin accounts, per-user and per-policy status.
Conditional Access policies
Which policies are active, which users and apps they cover, and what gaps exist.
Microsoft Defender settings
Defender for Endpoint and Office 365 configuration against baseline security recommendations.
Device compliance (Intune)
Managed device count, compliance policy status, non-compliant devices, and unenrolled devices.
Privileged access
Global admin and privileged role assignments, legacy admin accounts, and emergency access configuration.
Sharing and external access
SharePoint and OneDrive external sharing settings, guest access policies, and Teams external federation.
Audit log configuration
Whether audit logging is enabled and correctly configured across your M365 services.
Email security
Anti-phishing, anti-spam, DKIM, DMARC, and safe links/attachments configuration.
What we hear from teams trying to use existing security tools for compliance readiness.
The problem
"Microsoft Secure Score says 68%. Our auditor says that doesn't mean anything for ISO 27001."
How Certvik helps
Your auditor is right. Certvik translates the same M365 configuration data into ISO 27001:2022 control language — the specific clause and control references auditors check against.
The problem
"We had a penetration test but nobody looked at whether our M365 settings met compliance baselines."
How Certvik helps
A penetration test and a compliance assessment answer different questions. Certvik assesses your M365 configuration specifically against the controls ISO 27001 and SOC 2 auditors check.
The problem
"We need to show a new enterprise customer we have a security baseline — but we don't have anything documented."
How Certvik helps
Certvik's assessment report documents your M365 security configuration in a structured format that satisfies most enterprise customer security questionnaires and due diligence requests.
The problem
"We completed an assessment six months ago. Nobody checked whether anything changed since then."
How Certvik helps
Certvik rescans on a schedule. Configuration changes are detected and you are alerted when something that was previously covered drifts out of compliance.
No. A penetration test actively probes for exploitable vulnerabilities. Certvik's security assessment reads your M365 configuration settings and evaluates them against ISO 27001 and SOC 2 control requirements. They complement each other — they answer different questions.
No. Certvik reads security configuration data only — MFA status, policy settings, device compliance state, role assignments, and similar configuration data. It never reads emails, documents, chat messages, or personal user data.
Certvik requires read-only access to your M365 tenant via the Microsoft Graph API. The specific permissions requested are scoped to security and configuration data. Full details are available in the setup guide during onboarding.
Yes. The Certvik assessment report documents your M365 security configuration in a structured format that works well for customer security questionnaires, enterprise procurement requests, and ISO 27001 or SOC 2 audit evidence.
Connect your M365 tenant and get a gap analysis against ISO 27001 and SOC 2 controls in minutes. Free for 14 days.