Get an expert review of your Microsoft 365 tenant and identify security, compliance, and governance gaps before they become audit findings.
These are the findings we most commonly encounter during assessments — issues that are invisible until an auditor or attacker looks for them.
MFA not fully enforced across all users and admins
Guest users never reviewed or offboarded
Weak or misconfigured Conditional Access policies
Excessive privileged access assignments
No structured evidence trail for auditors
Low Microsoft Secure Score with no remediation plan
Each area is reviewed against Microsoft security baselines and mapped to ISO 27001 and SOC 2 control requirements where applicable.
We review your current Secure Score, identify the highest-impact improvement actions, and explain what each recommendation means in terms of real risk — not just a number.
Coverage across all users, admin accounts, and service principals. We identify MFA gaps, legacy authentication exposure, and accounts that would be most impactful to secure first.
Which policies are active, which users and applications they cover, and what attack paths remain open. We flag policies with conflicting configurations or unintended exclusions.
An inventory of guest accounts, their access levels, last activity, and whether a review process exists. Guest sprawl is one of the most commonly overlooked compliance gaps in M365.
Global admin assignments, permanent vs. eligible roles, PIM usage, emergency access accounts, and whether privileged accounts are adequately protected.
Audit log configuration, evidence collection practices, and how well your current M365 setup maps to ISO 27001 or SOC 2 control requirements.
All findings delivered in a structured written report — suitable for your IT team, CISO, board, or external auditor. Risk-rated and prioritised.
The assessment is delivered as a structured written report — not a dashboard login or a raw export. Something you can share with your auditor, board, or security team.
Report structure
Executive Summary: High-level findings for management
Detailed Findings: Technical findings, risk-rated
Compliance Observations: ISO 27001 · SOC 2 mapping
Improvement Roadmap: Prioritised by risk impact
The assessment is designed for organisations that run on Microsoft 365 and need a clear, structured picture of their security and compliance posture.
Get a clear picture of your M365 security posture and a prioritised list of what to fix — without spending weeks on manual configuration reviews.
Validate your configuration against security baselines and get specific, actionable guidance — not just a Secure Score percentage.
Understand how your current M365 configuration maps to ISO 27001 or SOC 2 requirements before your audit begins.
Enterprise customers increasingly require evidence of a security review. A structured assessment report satisfies most due diligence questionnaires.
Offer a security assessment as a managed service to your clients. Certvik can support MSPs reviewing multiple M365 tenants.
Preparing for certification? A pre-audit M365 assessment identifies the gaps your auditor will find — before they do.
A structured process from initial request to report delivery — typically completed within 5–7 business days.
Submit the form below. We'll confirm scope, timeline, and any access requirements within 1 business day.
We review your M365 tenant configuration using read-only access — no disruption to your production environment.
Findings are analysed against security baselines and compliance frameworks. Each observation is risk-rated.
You receive a structured written report with findings, risk ratings, and a prioritised improvement roadmap.
If remediation support or ongoing compliance monitoring would be useful, we can discuss how Certvik's platform helps.
Get started
Fill in the form and we'll be in touch within 1 business day to discuss scope, timeline, and next steps.
Why Certvik
Microsoft 365 focused — not a generic security checklist
ISO 27001 readiness observations included
SOC 2 readiness observations included
Read-only access — no disruption to production systems
Written report delivered, not just a dashboard
The assessment covers Microsoft Secure Score, MFA coverage, Conditional Access configuration, guest user governance, privileged access assignments, audit log setup, and compliance readiness for ISO 27001 and SOC 2. All findings are delivered in a written executive summary report.
No. We use read-only access scoped to security and configuration data via the Microsoft Graph API. We never store, read, or analyze the content of emails or documents — mailbox access is limited to detecting risky admin forwarding rules. We can discuss the exact permissions required during the scoping call.
Yes. The report includes compliance readiness observations that map your M365 configuration to ISO 27001:2022 controls. This is useful as a pre-audit review or to identify control gaps before formal certification.
Yes. Certvik works with MSPs who want to offer a security assessment as part of their service catalogue. Contact us to discuss multi-tenant arrangements.
Yes. Every finding in the report includes a recommended remediation action, prioritised by risk impact. We can also discuss ongoing remediation support and the Certvik platform for continuous compliance monitoring.
Get an expert review of your M365 tenant before your next audit, a new enterprise customer asks, or a security incident forces the question.