Stop managing ISO 27001 in spreadsheets. Certvik maps all 93 controls to your Microsoft 365 environment, collects evidence automatically, and keeps you audit-ready between certifications.
Start free trial
14-day free trial
From initial gap analysis to maintaining your certificate — Certvik handles the operational work so your team can focus on actually improving security.
Every ISO 27001:2022 control is pre-mapped and scored automatically against your Microsoft 365 environment. No manual assessment needed to get started.
See exactly which controls pass, which fail, and which need attention — with clear guidance on how to close each gap.
Evidence is pulled from your M365 environment on a schedule. No more chasing screenshots or exporting reports manually.
Evidence is reviewed and approved through a structured workflow. Your auditor receives clean, timestamped documentation — not a folder dump.
Controls have review dates. Certvik sends reminders to the right people before deadlines — so nothing slips between audits.
A prioritised action plan showing you exactly what to fix and in what order to achieve certification as efficiently as possible.
Every ISO 27001:2022 control comes with a downloadable Word (.docx) template — basic and detailed variants — giving you a head start on the policy and procedure documentation your auditor expects.
Explore the dashboard, controls tracking, and evidence management — exactly as your team will use it.
Compliance Dashboard
Contoso Ltd · Last scan: Today 02:00 UTC
Compliance Score: 74% (+6 pts this month)
Secure Score: 61% (Microsoft benchmark)
MFA Coverage: 88% (22 / 25 users)
Open Findings: 5 (2 high severity)
Score breakdown
Active findings
MFA not enforced for 3 admin accounts: Enable MFA via Conditional Access
Guest access unrestricted in SharePoint: Restrict external sharing to verified domains
14 devices not enrolled in Intune: Enforce device compliance policy
Audit log retention below 90 days: Extend retention to 180 days in Purview
2 inactive accounts enabled over 90 days: Disable or remove stale accounts
Scan history
Real frustrations from security practitioners, and what we do differently.
The problem
"We implemented all the controls but nearly failed the audit because nothing was documented."
How Certvik solves it
Certvik scans your M365 tenant and records the state of each security control with a timestamp and a control reference — so when an auditor asks for evidence that a control was active, you have a dated, structured record to show them. It won't write your policies or fill out documents for you, but it does capture the technical evidence trail that auditors need for your M365-based controls.
The problem
"Evidence collection is a nightmare — it lives in twelve different places and someone has to chase it all down before every audit."
How Certvik solves it
Certvik pulls evidence directly from your M365 environment on a schedule. MFA status, Conditional Access policies, audit logs, device compliance — all collected automatically with timestamps and control references attached.
The problem
"We passed our surveillance audit in January. By March half our settings had drifted and we had no idea."
How Certvik solves it
Continuous scanning detects configuration drift between audit cycles and alerts you the moment a previously-compliant control falls out of configuration. You're not relying on a once-a-year snapshot.
The problem
"We're transitioning from ISO 27001:2013 to 2022 and have no idea which of the 11 new controls we actually satisfy."
How Certvik solves it
Certvik is built on ISO 27001:2022 throughout. Connect your tenant and immediately see which of the 11 new controls (cloud services, threat intelligence, data masking and more) your M365 environment already satisfies — and which have gaps.
The problem
"Microsoft Secure Score says we're at 72% but our auditor said that tells them nothing about ISO 27001 compliance."
How Certvik solves it
Your auditor is right — Secure Score doesn't map to ISO 27001 control language. Certvik takes the same M365 configuration data and maps it to specific ISO 27001:2022 clause and control references that auditors actually use.
ISO 27001 is the international standard for information security management systems (ISMS). It provides a framework of 93 controls covering people, processes and technology that organisations use to protect sensitive information.
Certification is increasingly required by enterprise customers, government contracts, and regulations such as NIS2 in the EU. For fast-growing technology companies, ISO 27001 is often the first formal compliance requirement they encounter.
Getting certified involves a formal audit by an accredited certification body. Maintaining the certificate requires annual surveillance audits and a three-year full recertification cycle — which is where Certvik's continuous monitoring and reassessment scheduling become most valuable.
Certvik handles the operational side — evidence collection, scheduling, approvals and documentation. Most companies still work with a consultant for gap assessment advice and audit preparation, but Certvik significantly reduces the hours they need to spend on your account.
Typically 3–12 months depending on your starting point and company size. Certvik's gap analysis and automation can compress this significantly by eliminating the manual work that usually takes the most time.
Yes. Certvik produces documentation and evidence packs that meet the requirements of all major ISO 27001 certification bodies. Your auditor works directly from the reports Certvik generates.
Certvik reads security configuration data — things like MFA status, Conditional Access policies, audit logs and device compliance. It never reads your emails, documents or personal data.
Connect your Microsoft 365 tenant and get your compliance picture in minutes. Free for 14 days.
Start free trial
ISO 27001 add-on: +$299/month after trial