Compliance Benchmarks
CIS Microsoft 365 benchmarks, security baselines, and compliance scoring.
CIS benchmarks deployed and scored — not just documented.
Without a measurable baseline, security is subjective — and your auditor knows it. We deploy CIS v6.0.1 with 170+ prescriptive checks across your entire M365 tenant, score your current state, remediate the gaps, and monitor for drift. Compliance is continuous, not a point-in-time exercise you prepare for the week before an audit.
Below is what we deploy, measure, and continuously monitor. Every benchmark check produces evidence your auditor can verify.
Foundation (Plan 1)
- Exchange CIS Fundamentals — CIS Microsoft 365 Foundations benchmark settings for Exchange Online
- SharePoint CIS Fundamentals — CIS Microsoft 365 Foundations benchmark settings for SharePoint Online
- Teams CIS Fundamentals — CIS Microsoft 365 Foundations benchmark settings for Microsoft Teams
- OneDrive CIS Fundamentals — CIS Microsoft 365 Foundations benchmark settings for OneDrive for Business
- Entra ID CIS Hardening (Identity) — CIS M365 v6.0.1 Entra ID hardening: guest access, consent, group creation, app registration, PIM approval, device join
- Entra ID CIS Hardening (Authentication) — CIS M365 v6.0.1 authentication hardening: device code flow, enrollment frequency, authenticator settings, email OTP, session controls
- Intune CIS Hardening — CIS M365 v6.0.1 Intune hardening: SecureByDefault, personal enrollment, Entra join, device quota, LAPS
- Microsoft Physical Access Controls — Microsoft-managed physical access controls for datacentres including monitoring, intrusion detection, and access logging
- Microsoft Environmental Protection — Microsoft-managed fire protection, water damage protection, emergency power, and environmental controls
- Microsoft Media Handling — Microsoft-managed media storage, sanitization, and disposal procedures
- Microsoft Datacentre Infrastructure — Microsoft-managed datacentre security including perimeter protection, cabling, and equipment protection
- Microsoft Equipment Maintenance — Microsoft-managed equipment maintenance and operational procedures
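As an added illustration of what "score, then monitor for drift" means for the Entra ID settings listed above, the following PowerShell script (an example written for this page, not the vendor's tooling) reads the tenant's authorization policy through the Microsoft Graph PowerShell SDK and compares four settings against expected values. The expected values, the check names, and the output file path are this example's assumptions about the benchmark's intent; confirm them against the exact CIS Microsoft 365 Foundations Benchmark version you deploy before treating the output as audit evidence.

```powershell
# Added example: read-only drift check for four Entra ID authorization-policy settings.
# Requires the Microsoft Graph PowerShell SDK (Install-Module Microsoft.Graph) and the
# Policy.Read.All delegated permission. Expected values are assumptions to be aligned
# with the CIS benchmark version in use; nothing here changes tenant configuration.
#Requires -Modules Microsoft.Graph.Authentication, Microsoft.Graph.Identity.SignIns

Connect-MgGraph -Scopes 'Policy.Read.All' -NoWelcome

$policy = Get-MgPolicyAuthorizationPolicy
$perm   = $policy.DefaultUserRolePermissions

# Microsoft's published role template ID for "Guest user access is restricted"
$RestrictedGuestRoleId = '2af84b1e-32c8-42b7-82bc-daa82404023b'

# ManagePermissionGrantsForSelf.* policies let users consent to apps on their own behalf.
# Resource-specific Teams policies (ManagePermissionGrantsForOwnedResource.*) are not
# user consent and are deliberately ignored here.
$userConsentEnabled = [bool]($perm.PermissionGrantPoliciesAssigned |
    Where-Object { $_ -like 'ManagePermissionGrantsForSelf.*' })

# Each check pairs an observed tenant value with the value this example expects
$checks = @(
    [pscustomobject]@{ Check = 'Guest access restricted';            Observed = $policy.GuestUserRoleId;           Expected = $RestrictedGuestRoleId }
    [pscustomobject]@{ Check = 'Users cannot register applications'; Observed = $perm.AllowedToCreateApps;         Expected = $false }
    [pscustomobject]@{ Check = 'Users cannot create security groups'; Observed = $perm.AllowedToCreateSecurityGroups; Expected = $false }
    [pscustomobject]@{ Check = 'User consent to apps disabled';      Observed = $userConsentEnabled;               Expected = $false }
)

$now      = (Get-Date).ToUniversalTime().ToString('o')
$tenantId = (Get-MgContext).TenantId

# Build one evidence record per check: who, when, expected, observed, verdict
$evidence = foreach ($c in $checks) {
    $status = if ("$($c.Observed)" -eq "$($c.Expected)") { 'PASS' } else { 'DRIFT' }
    [pscustomobject]@{
        Timestamp = $now
        Tenant    = $tenantId
        Check     = $c.Check
        Expected  = "$($c.Expected)"
        Observed  = "$($c.Observed)"
        Status    = $status
    }
}

$evidence | Format-Table Check, Expected, Observed, Status -AutoSize

# Append to a dated JSON-lines file so every run leaves a verifiable, timestamped record
# (the path is an assumption for this example)
$evidence | ForEach-Object { $_ | ConvertTo-Json -Compress } |
    Add-Content -Path ".\cis-entra-evidence-$(Get-Date -Format yyyyMMdd).jsonl"

# A non-zero exit lets a scheduled runner (Azure Automation, a CI job) surface drift
if ($evidence.Status -contains 'DRIFT') { exit 1 }
```

Run it under an account holding only a read scope, on a schedule, and keep the resulting `.jsonl` files: a series of PASS records over time is the continuous-compliance evidence the page refers to, and a DRIFT record pinpoints which setting changed and when, without anyone having to re-run a manual assessment.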
Added in Endpoint (Plan 2)
- Windows CIS L1 Benchmark — CIS Level 1 security baseline for Windows 11 Enterprise
- macOS CIS L1 Benchmark — CIS Level 1 security baseline for macOS
- Chrome CIS L1 Benchmark — CIS Level 1 security baseline for Google Chrome
- Edge CIS L1 Benchmark — CIS Level 1 security baseline for Microsoft Edge
What you receive
| Delivery Package | Duration | Stakeholders | Key Deliverables |
|---|---|---|---|
| CIS M365 Hardening | 5–12 days | IT Admin, Security Analyst | CIS assessment baseline report; Remediation plan (prioritised by risk); Deployed CIS-compliant configurations; Exception documentation |
| Passwordless & FIDO2 Strategy | 5–15 days | CISO, IT Admin, End Users | Credential strategy document; Auth method registration policies; FIDO2 key deployment plan; Windows Hello for Business (WHfB) enrolment configuration; Password elimination roadmap |
| CIS Endpoint Hardening | 5–15 days | IT Admin, Security Analyst | CIS L1 profiles per platform; Policy exception documentation; Compliance reporting baseline; Browser hardening profiles |
Risk impact
| Risk | Before | After | Reduction |
|---|---|---|---|
| Policy and Standards Non-Conformance | 16 | 3 | 81% |
| Regulatory and Legal Non-Compliance | 16 | 3 | 81% |
| Uncontrolled Changes to Systems | 12 | 2 | 83% |
| Cryptographic Non-Compliance | 8 | 2 | 75% |
| Large Supplier Non-Compliance | 8 | 2 | 75% |
Risk scores use a likelihood × impact matrix (1–25). Lower is better.
Ready to see where you stand? Our free assessment benchmarks your compliance posture against these capabilities — in 30 minutes, no tenant access required. Start your assessment.
ISO 27001 controls covered
- A.5.1 Policies for Information Security
- A.5.15 Access Control
- A.5.16 Identity Management
- A.5.18 Access Rights
- A.8.1 User Endpoint Devices
- A.8.2 Privileged Access Rights
- A.8.5 Secure Authentication
- A.8.9 Configuration Management
- A.8.15 Logging
- A.8.21 Security of Network Services
The following physical controls are inherited from Microsoft as the cloud service provider:
- A.7.1 Physical Security Perimeters
- A.7.2 Physical Entry
- A.7.3 Securing Offices, Rooms and Facilities
- A.7.4 Physical Security Monitoring
- A.7.5 Protecting Against Physical and Environmental Threats
- A.7.8 Equipment Siting and Protection
- A.7.9 Security of Assets Off-Premises
- A.7.10 Storage Media
- A.7.11 Supporting Utilities
- A.7.12 Cabling Security
- A.7.13 Equipment Maintenance
- A.7.14 Secure Disposal or Re-use of Equipment