Free Resource — Microsoft 365 Security

Microsoft 365 Compliance Checklist

A practical checklist for reviewing Microsoft 365 security and compliance readiness across MFA, Conditional Access, guest access, privileged accounts, Secure Score, evidence collection, and ISO 27001 readiness.


Free Microsoft 365 Compliance Checklist

Review the Microsoft 365 controls that often matter during ISO 27001 and SOC 2 readiness work.

  • MFA and Conditional Access
  • Guest user governance
  • Privileged access review
  • Microsoft Secure Score
  • Evidence and review dates
  • ISO 27001 readiness mapping


Who this checklist is for

This checklist is designed for IT managers, security engineers, and compliance leads who manage Microsoft 365 environments. It is especially useful for teams that are:

Preparing for ISO 27001

ISO 27001 auditors will ask about access controls, authentication, and evidence. This checklist maps directly to the most common M365-related control areas.

Responding to customer security reviews

Enterprise customers often send security questionnaires. This checklist covers the Microsoft 365 controls that come up most frequently.

Improving your security posture

Even without an upcoming audit, running through this checklist regularly helps you catch configuration gaps before they become incidents.

What's included

The checklist covers six control areas. Each item is a concrete configuration check you can run in your Microsoft 365 admin centre or Entra ID.

MFA and Conditional Access

  • All users registered for MFA (Microsoft Authenticator) and enforced through Conditional Access, not per-user (legacy) MFA settings
  • Legacy authentication blocked via an enabled Conditional Access policy (report-only mode does not enforce)
  • MFA required for all admin roles
  • Sign-in risk policy configured in Entra ID (risk-based Conditional Access requires Entra ID P2)

Guest User Governance

  • Guest access reviewed and scoped to required users only
  • Guest invite permissions restricted
  • Access reviews scheduled for guest accounts

Privileged Access

  • Break-glass accounts documented, excluded from Conditional Access policies, monitored, and tested
  • Privileged Identity Management (PIM) enabled for Entra ID roles (requires Entra ID P2)
  • Global Admin count minimised (fewer than 5 accounts, including break-glass)
  • Admin roles assigned just-in-time through PIM, not permanently

Microsoft Secure Score

  • Secure Score reviewed and target set
  • Top improvement actions prioritised
  • Secure Score monitored monthly

Evidence and Review Dates

  • Evidence collection process documented
  • Review dates assigned to all controls
  • Audit trail retained for a minimum of 12 months (the default Microsoft Purview audit log retention is shorter, so extend it with an audit retention policy or export the logs to a SIEM)

ISO 27001 Readiness Mapping

Annex A references below use ISO/IEC 27001:2022 numbering.

  • A.5.15 — Access control policy documented
  • A.5.17 — Authentication information managed
  • A.8.2 — Privileged access rights reviewed
  • A.8.5 — Secure authentication controls in place
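To make the items above reproducible as evidence rather than a one-off click-through, the following is an added example written for this page (not the checklist author's or Certvik's code). It reads the tenant configuration with the Microsoft Graph PowerShell SDK (v2), records a dated PASS/FAIL row for the MFA and Conditional Access, guest invite, and Global Admin count items, and writes the rows to a CSV for the audit file. The script file name, the check names, and the CSV layout are illustrative choices; the role template GUID is Microsoft's fixed identifier for the Global Administrator role.

```powershell
# Added example, not the checklist author's or Certvik's code. Assumes the Microsoft.Graph
# PowerShell SDK v2 is installed and the signed-in account can read policies and role membership
# (Global Reader is enough). Suggested file name (hypothetical): Invoke-M365Checklist.ps1
Connect-MgGraph -Scopes 'Policy.Read.All', 'Directory.Read.All', 'RoleManagement.Read.Directory' -NoWelcome

$results = [System.Collections.Generic.List[object]]::new()
function Add-Check {
    param([string]$Control, [bool]$Pass, [string]$Evidence)
    $results.Add([pscustomobject]@{
        Control  = $Control
        Status   = if ($Pass) { 'PASS' } else { 'FAIL' }
        Evidence = $Evidence
        Checked  = (Get-Date).ToString('yyyy-MM-dd')   # review date for the evidence file
    })
}

# Privileged access: fewer than 5 active Global Administrators.
# Only active members are returned; PIM-eligible assignments are not counted here.
$gaTemplateId = '62e90394-69f5-4237-9190-012177145e10'   # Global Administrator role template ID
$gaRole    = Get-MgDirectoryRole -Filter "roleTemplateId eq '$gaTemplateId'"
$gaMembers = @(Get-MgDirectoryRoleMember -DirectoryRoleId $gaRole.Id -All)
Add-Check 'Global Admin count < 5' ($gaMembers.Count -lt 5) "$($gaMembers.Count) active Global Administrator(s)"

# Conditional Access: only enabled policies count as evidence (report-only does not enforce).
$enabled = @(Get-MgIdentityConditionalAccessPolicy -All | Where-Object { $_.State -eq 'enabled' })
function Get-PolicyNames([object[]]$Policies) {
    if ($Policies.Count -gt 0) { $Policies.DisplayName -join '; ' } else { 'no matching enabled policy' }
}

# Legacy authentication blocked: a block for all users on the 'exchangeActiveSync' and 'other' client app types.
$legacyBlock = @($enabled | Where-Object {
    $_.Conditions.ClientAppTypes -contains 'exchangeActiveSync' -and
    $_.Conditions.ClientAppTypes -contains 'other' -and
    $_.Conditions.Users.IncludeUsers -contains 'All' -and
    $_.GrantControls.BuiltInControls -contains 'block'
})
Add-Check 'Legacy authentication blocked' ($legacyBlock.Count -gt 0) (Get-PolicyNames $legacyBlock)

# MFA required for admin roles: a policy scoped to directory roles that requires MFA or an authentication strength.
$adminMfa = @($enabled | Where-Object {
    @($_.Conditions.Users.IncludeRoles).Count -gt 0 -and
    ($_.GrantControls.BuiltInControls -contains 'mfa' -or $null -ne $_.GrantControls.AuthenticationStrength.Id)
})
Add-Check 'MFA required for admin roles' ($adminMfa.Count -gt 0) (Get-PolicyNames $adminMfa)

# Sign-in risk policy: a risk-based Conditional Access policy (needs Entra ID P2).
$riskPolicy = @($enabled | Where-Object { @($_.Conditions.SignInRiskLevels).Count -gt 0 })
Add-Check 'Sign-in risk policy configured' ($riskPolicy.Count -gt 0) (Get-PolicyNames $riskPolicy)

# Guest invite permissions restricted: any value other than 'everyone' limits who can invite guests.
$invites = (Get-MgPolicyAuthorizationPolicy).AllowInvitesFrom
Add-Check 'Guest invite permissions restricted' ($invites -ne 'everyone') "allowInvitesFrom = $invites"

# Evidence: show the table and keep a dated CSV alongside the review dates for each control.
$results | Format-Table -AutoSize
$results | Export-Csv -Path "m365-checklist-$(Get-Date -Format 'yyyyMMdd').csv" -NoTypeInformation
```

Two caveats when reading the output. The Global Admin count only reflects active role members, so a tenant that hands out the role as PIM-eligible assignments will look leaner than it is; checking eligible assignments needs the RoleEligibilitySchedule.Read.Directory scope and a separate role-management query. And a PASS on the Conditional Access rows means a matching enabled policy exists, not that its exclusions are sensible, so still read the excluded users and groups of each policy before filing the CSV as evidence.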

Frequently asked questions

Who is this checklist for?

IT managers, security engineers, and compliance leads who are responsible for Microsoft 365 security — particularly those preparing for ISO 27001 or SOC 2 audits, or responding to customer security questionnaires.

Does completing this checklist guarantee ISO 27001 certification?

No. This checklist covers common Microsoft 365 security controls that are relevant to ISO 27001 readiness, but it is not a substitute for a full gap assessment or working with a qualified ISO 27001 consultant and certification body.

How often should I run through this checklist?

At minimum once per quarter, and before any external audit or customer security review. Some items — like Secure Score and access reviews — should be checked monthly.

Can Certvik automate this checklist for me?

Yes. Certvik connects to your Microsoft 365 tenant via the Graph API, reads your configuration automatically, and maps the results to ISO 27001 and SOC 2 controls — so you don't need to run through this manually every time.

Is this checklist free?

Yes, the checklist is completely free. Enter your email and the PDF will be sent to your inbox.
