Insights
Operational briefings on Microsoft 365 compliance, security, and readiness. Written by practitioners, not marketers.
Board Risk: Why Conditional Access Alone Does Not Deliver Zero Trust
Organisations reporting Zero Trust maturity based solely on Conditional Access are materially misrepresenting their security posture to boards and regulators. This analysis explains the five missing architectural pillars that NIST 800-207 requires, and what management must fund to close the gap before an assessor finds it.
Phishing-Resistant Authentication: The Regulatory Baseline Boards Cannot Ignore
Commodity phishing kits now bypass push-based MFA at scale, and regulators have responded accordingly. NIST, NCSC, and CISA all mandate phishing-resistant credentials. This decision framework helps management choose between FIDO2 hardware keys and Windows Hello for Business based on workforce profile, cost, and audit evidence requirements.
Eliminating Standing Privilege: A Governance Imperative for Microsoft 365
Permanent administrative access is the single largest blast radius in most Microsoft 365 tenants and a near-certain audit finding under ISO 27001, DORA, and Cyber Essentials. This guide provides the deployment sequence for Privileged Identity Management, from role analysis through approval workflows, giving management the evidence of least-privilege enforcement that assessors require.
External Identity Governance: The Dormant Access Risk Boards Overlook
Most tenants contain hundreds of dormant external identities with persistent access to sensitive data, a finding that surfaces in virtually every ISO 27001 surveillance audit and supplier assurance review. This article sets out the full governance lifecycle for guest accounts, from controlled invitation through quarterly access review to automated removal, giving management defensible evidence of third-party access control.
Emergency Access Governance: Design, Storage, and Monitoring for Regulated Tenants
Break-glass accounts are a regulatory expectation under NIST 800-53 and ISO 27001, yet most are poorly designed or entirely unmonitored - creating both operational risk and audit exposure. This guide covers account architecture, physical credential storage, continuous Sentinel monitoring, and the quarterly testing protocol that auditors require as evidence of operational readiness.
Data Classification Governance: Why Taxonomy Failures Undermine Every Downstream Control
Sensitivity labels are the foundation upon which DLP, Insider Risk, Records Management, and Copilot governance all depend. A failed taxonomy creates compounding technical debt across every Purview workload. This operational playbook, drawn from fifty deployments, covers the design decisions, auto-labelling pitfalls, and governance structures that boards must fund to make data classification an effective control rather than a compliance checkbox.
USB Exfiltration Control: The Data Loss Prevention Measure Insurers Now Expect
Removable media remains a primary exfiltration vector in insider threat and ransomware scenarios, and cyber insurers increasingly require demonstrable USB controls as a condition of coverage. This guide configures Purview Endpoint DLP to block sensitive data transfers to removable storage while preserving legitimate peripheral use - delivering the enforceable, evidenced control that auditors and underwriters require.
External Sharing Governance: Five Controls That Prevent Regulatory Breach in SharePoint
SharePoint's default sharing settings are permissive by design, and uncontrolled external sharing is a recurring finding in regulatory examinations and data breach investigations. These five controls - implementable in under two hours - represent the minimum viable sharing governance for any regulated firm, addressing the exposure that auditors, the ICO, and management liability insurers will assess.
Ethical Wall Enforcement: Meeting SRA Conflict of Interest Obligations in Microsoft 365
The SRA requires law firms to maintain effective systems for managing conflicts of interest, and policy memos are no longer sufficient in a cloud-first environment where Teams, SharePoint, and Copilot surface information across the entire tenant. This guide covers the full Information Barriers deployment for regulated law firms: the technical enforcement of ethical walls that the COLP must be able to evidence to the regulator.
Data Residency Governance: Answering the Question Your DPO Cannot Currently Evidence
"Where is the data?" is the question every regulator, auditor, and DPIA requires a precise answer to, and most organisations cannot provide one. This analysis covers the actual residency commitments across each Microsoft 365 workload, the verification methods management should require, and the licensing decisions that determine whether a data residency position is defensible under UK GDPR and DORA.
ISO 27001:2022 Certification: The Microsoft 365 Evidence Map Management Needs
The most common ISO 27001 audit failure is not missing controls; it is missing evidence that controls are operational. This practitioner's mapping translates the 2022 Annex A into concrete Microsoft 365 configurations and exportable evidence artefacts, giving management and audit committees a clear view of certification readiness and the evidence gaps that must be closed before the assessor arrives.
DORA Article 9 Compliance: The Protection Controls Financial Entities Must Evidence Now
DORA Article 9 imposes the most technically demanding protection requirements in the regulation, and the Regulatory Technical Standards leave no room for ambiguity. Financial entity boards are accountable for demonstrating that ICT security controls are implemented, monitored, and tested. This mapping translates Article 9 and its RTS into specific Microsoft 365 and Azure controls with the evidence generation guidance that compliance teams need to satisfy supervisory assessment.
Need help with something specific?
If any of these topics apply to your environment, we can assess your current posture and scope the right first step.
Start here