ISO/IEC 27001:2022
ISO 27001 certification is increasingly a procurement prerequisite. Without it, organisations face exclusion from enterprise supply chain shortlists and heightened scrutiny from insurers and regulators.
ISO/IEC 27001:2022 is the internationally recognised standard for establishing, operating and continually improving an Information Security Management System (ISMS). The 2022 revision restructured Annex A from the 114 controls of the 2013 edition into 93 controls across four themes: Organisational, People, Physical, and Technological.
For enterprises pursuing certification, the standard demands more than "paper compliance": the auditor expects to see that every applicable Annex A control is implemented and operating. This is where many implementations fail: firms produce the policy set but cannot show the configuration exports, sign-in logs and audit trails that prove the controls are enforced continuously in the cloud.
We build and operate the technical enforcement layer needed to achieve and maintain ISO 27001 certification. Instead of only writing policies, we translate the applicable Annex A controls into Microsoft-native configuration (Entra ID, Intune, Purview, Defender, Sentinel), so that the tenant itself generates the configuration and log evidence auditors ask for.
Why This Matters Now
ISO 27001:2022 certification is increasingly a hard prerequisite in enterprise procurement: without it, firms are routinely dropped from Tier-1 supplier shortlists in financial services, healthcare, defence, and government. The standard imposes a risk-based discipline (risk assessment, treatment, measurement and review) that, when its controls are actually enforced rather than merely documented, reduces incident frequency and shortens recovery. For M365-dependent enterprises, the 2022 revision's controls on cloud services (A.5.23), threat intelligence (A.5.7), and data masking (A.8.11) require technical enforcement that depends on specialist configuration and ongoing operational oversight.
Framework Metadata
Scope & Applicability
ISO 27001 applies to any organisation, regardless of size, sector, or geography, that wishes to demonstrate a systematic approach to information security. The standard is scope-defined: the organisation determines which business units, systems, and data are within scope and records the result in its scope statement. Auditors scrutinise exclusions carefully, and an exclusion that removes a system handling in-scope data will be challenged. For M365 environments, the scope typically encompasses the Entra ID tenant, the M365 workloads (Exchange, SharePoint, Teams, OneDrive), associated Azure subscriptions, Intune-managed devices, and the people and processes that manage them. Organisations processing data for regulated clients are increasingly expected to bring their entire cloud estate into scope.
Core Obligations
Access Control
Implement identity verification, role-based access, privileged access management, and access review procedures. Access must be granted on a need-to-know basis and reviewed at defined intervals.
Cryptography
Define and implement a policy on the use of cryptographic controls, including key management procedures. Encryption must protect data at rest and in transit.
Operations Security
Maintain documented operating procedures, implement change management, ensure capacity management, and separate development from production environments.
Incident Management
Establish incident response procedures, define reporting responsibilities, collect forensic evidence, and conduct post-incident reviews.
Supplier Relationships
Assess and monitor information security risks in the supply chain. Maintain security requirements in supplier agreements and audit compliance.
Logging and Monitoring
Produce, retain, and protect audit logs. Monitor systems for anomalous activity and ensure logs are available for forensic investigation.
Microsoft 365 Control Mapping
How each obligation maps to enforceable Microsoft 365 controls and the evidence they produce.
A.5.15 - Access Control
Entra ID Conditional Access policies enforcing MFA, device compliance, and sign-in risk evaluation. Named locations restrict access by geography.
Conditional Access policy exports, sign-in logs filtered by policy evaluation, monthly access review completion reports.
A.8.2 - Privileged Access Rights
Entra ID Privileged Identity Management (PIM) with time-bound role activation, mandatory justification, and an approval workflow for critical roles; no standing Global Administrator assignments outside documented break-glass accounts.
PIM activation logs, role assignment reports, standing privilege audit (target: zero permanent Global Admins).
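The two rows above describe evidence that can be pulled from the tenant rather than assembled by hand. The following script is an added worked example, not the page's own tooling or a Microsoft-supplied script: it exports the Conditional Access policies (A.5.15), flags policies that are disabled or report-only and policies with exclusions, then lists every permanent Global Administrator assignment (A.8.2) so the "zero standing Global Admins" target can be evidenced on a dated file. It assumes the Microsoft Graph PowerShell SDK (the Microsoft.Graph.Identity.SignIns and Microsoft.Graph.Identity.Governance modules) is installed, that PIM (Entra ID P2) is in use, and that the signed-in account can consent to the read-only scopes named; $OutDir is an illustrative output folder. The Global Administrator role template id is a fixed, well-known value.

```powershell
# Added example (not the page's or Microsoft's script): collect the A.5.15 and A.8.2
# evidence described above from a tenant using the Microsoft Graph PowerShell SDK.
# Assumptions: Microsoft.Graph.Identity.SignIns and Microsoft.Graph.Identity.Governance
# are installed, PIM (Entra ID P2) is licensed, and the account can consent to the
# read-only scopes below. $OutDir is an illustrative output folder.
param([string]$OutDir = ".\iso27001-evidence")

Connect-MgGraph -Scopes "Policy.Read.All", "RoleManagement.Read.Directory", "Directory.Read.All" -NoWelcome
New-Item -ItemType Directory -Path $OutDir -Force | Out-Null
$stamp = Get-Date -Format "yyyyMMdd-HHmm"

# ---- A.5.15 Access control: Conditional Access policy export and enforcement check ----
$policies = Get-MgIdentityConditionalAccessPolicy -All
# The raw export is the artefact; the summary is what you hand the auditor.
$policies | ConvertTo-Json -Depth 20 | Set-Content -Path "$OutDir\ca-policies-$stamp.json"

$caSummary = foreach ($p in $policies) {
    $grant = @($p.GrantControls.BuiltInControls)
    [pscustomobject]@{
        DisplayName        = $p.DisplayName
        State              = $p.State      # enabled | disabled | enabledForReportingButNotEnforced
        RequiresMfa        = $grant -contains 'mfa'
        RequiresCompliance = $grant -contains 'compliantDevice'
        ExcludedUsers      = @($p.Conditions.Users.ExcludeUsers).Count
        ExcludedGroups     = @($p.Conditions.Users.ExcludeGroups).Count
    }
}
$caSummary | Export-Csv -Path "$OutDir\ca-summary-$stamp.csv" -NoTypeInformation

# Report-only and disabled policies are the first thing an auditor probes: they enforce nothing.
$notEnforced = @($caSummary | Where-Object { $_.State -ne 'enabled' })
if ($notEnforced.Count -gt 0) {
    Write-Warning ("Conditional Access policies not enforcing: " + ($notEnforced.DisplayName -join ', '))
}
# Exclusions do not invalidate a control, but every excluded identity needs a documented reason.
$caSummary | Where-Object { $_.ExcludedUsers -gt 0 -or $_.ExcludedGroups -gt 0 } | ForEach-Object {
    Write-Warning "Policy '$($_.DisplayName)' excludes $($_.ExcludedUsers) user(s) / $($_.ExcludedGroups) group(s)"
}

# ---- A.8.2 Privileged access rights: standing Global Administrator assignments ----
# Template id of the built-in Global Administrator role; identical in every tenant.
$gaRoleId = '62e90394-69f5-4237-9190-012177145e10'

# PIM exposes active assignments as schedules. assignmentType 'Assigned' with no expiry is
# permanent standing access; 'Activated' is a time-bound PIM activation and is expected.
$standingAdmins = Get-MgRoleManagementDirectoryRoleAssignmentSchedule -All `
        -Filter "roleDefinitionId eq '$gaRoleId'" -ExpandProperty Principal |
    Where-Object { $_.AssignmentType -eq 'Assigned' -and $_.ScheduleInfo.Expiration.Type -eq 'noExpiration' } |
    ForEach-Object {
        [pscustomobject]@{
            PrincipalId   = $_.PrincipalId
            PrincipalType = $_.Principal.AdditionalProperties['@odata.type']
            DisplayName   = $_.Principal.AdditionalProperties['displayName']
            Upn           = $_.Principal.AdditionalProperties['userPrincipalName']
            Scope         = $_.DirectoryScopeId
        }
    }
$standingAdmins | Export-Csv -Path "$OutDir\standing-global-admins-$stamp.csv" -NoTypeInformation

# One-line evidence statement for the audit file. Target is zero; the usual legitimate
# exception is one or two break-glass accounts, which must appear in the exclusions register.
$enforcing = @($caSummary | Where-Object { $_.State -eq 'enabled' }).Count
"{0}: {1} permanent Global Administrator assignment(s); CA policies: {2} total, {3} enforcing" -f `
    (Get-Date -Format o), @($standingAdmins).Count, @($policies).Count, $enforcing |
    Tee-Object -FilePath "$OutDir\summary-$stamp.txt"
```

Run it on a schedule (for example monthly, alongside the access review) so the dated CSV and summary files form a continuous evidence trail rather than a one-off snapshot before the audit. In a tenant without PIM, the roleAssignmentSchedules endpoint is not the right source; use Get-MgRoleManagementDirectoryRoleAssignment with the same roleDefinitionId filter instead, bearing in mind that every assignment it returns is permanent by definition.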
A.8.24 - Use of Cryptography
BitLocker encryption required by Intune compliance policy and gated by Conditional Access, so a non-compliant device loses access. TLS 1.2 or later required on Exchange Online mail-flow connectors (Microsoft already enforces TLS 1.2+ on the service endpoints themselves). Purview Message Encryption for sensitive email.
Intune encryption compliance report, BitLocker recovery key rotation logs, TLS configuration audit.
A.5.24 - Incident Management
Microsoft Sentinel as the SIEM, ingesting Defender XDR alerts and grouping them into classified incidents with defined severity and ownership. Automation rules and playbooks for common scenarios (compromised account, data exfiltration).
Incident timeline exports, response action logs, post-incident review records.
A.8.15 - Logging
Unified Audit Log retained for up to 10 years (requires the 10-Year Audit Log Retention add-on on top of E5; E5 alone retains one year). Activity logs shipped to a Sentinel (Log Analytics) workspace. Log integrity protected by exporting to Azure Storage with an immutability (WORM) policy.
Audit log retention configuration export, Sentinel workspace retention policy, log query results for sample periods.
A.5.12 / A.5.13 / A.8.12 - Classification, Labelling and Data Leakage Prevention
Purview Sensitivity Labels (Confidential, Restricted, Internal, Public) with automatic labelling policies based on content inspection.
Label usage analytics, auto-labelling policy match reports, DLP incident summary.
Implementation Timeline
Related Frameworks
A qualified SOC 2 opinion, or the absence of a report altogether, is often decisive in whether enterprise clients onboard or renew your contract.
Without Cyber Essentials certification, your firm is excluded from UK government contracts involving sensitive data and faces higher insurance premiums.
With a single fine of EUR 1.2 billion already issued for a major infraction, GDPR non-compliance is a material financial risk that demands board-level ownership.
Post-Brexit divergence means UK organisations must now navigate two parallel GDPR regimes, with the ICO imposing fines up to GBP 17.5 million or 4% of global turnover.
Ready to get ISO 27001-ready?
Start with a fixed-scope sprint. We assess your Microsoft 365 controls against ISO 27001 requirements, close gaps, and produce audit-ready evidence.