
How It Works

When the auditor arrives, the evidence is already there.

That's the end state. Not a scramble to collect documents. Not a consultant writing policies from templates. A live, verifiable evidence trail, built over months, from your actual M365 tenant.

Here's how you get there.

  • Assess: Week 1
  • Configure: Weeks 2-8
  • Prove: Ongoing
  • Stay: Continuous
Phase 1

Assess your environment

Identify gaps. Define scope. Automate the plan.

Week 1

Our team

A GMS security consultant reviews your M365 tenant against CIS security benchmarks for Microsoft 365. Not a generic questionnaire — a structured assessment of your actual Entra ID, Defender, Intune, and Purview configuration.

We assess your Zero Trust maturity across seven pillars: identity, endpoints, data, apps, infrastructure, network, and visibility. Every gap maps to a specific capability we can deploy.

The platform

The assessment engine runs automated CIS checks against your tenant via Microsoft Graph. Each recommendation produces a pass/fail result with specific remediation guidance — including the PowerShell script or portal path to fix it.

The output is a scoped Statement of Work generated automatically from your gaps — not a generic proposal, but a plan built from your actual tenant state.

Phase 2

Configure your security

Structured deployment. Verified configuration.

Weeks 2-8

Our team

GMS engineers deploy your security foundation in a structured sequence — three plans, each building on the last. We don't hand you a checklist. We configure your tenant, validate every setting, and manage the rollout across your user base.

  • Foundation (2-4 weeks): Your email secured, your identities protected, your baselines set
  • Endpoint (4-6 weeks): Every device managed, every app controlled, threats detected in real time
  • Information Governance (6-8 weeks): Your data classified, your policies enforced, Copilot-ready

The platform

Every configuration is tracked against CIS v6.0.1 benchmarks. Intune policy sets are aligned to CIS Level 1 recommendations. Drift detection monitors for configuration changes — if a Conditional Access policy is modified or disabled, the platform flags it before the next evidence collection run.

Evidence collection begins from day one. By the time we reach Plan 3, you have months of compliance history before any auditor arrives.
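The drift check described above, as an added example that is not the platform's own code: compare the current Conditional Access policies with a verified baseline and flag deletions, state changes and loosened conditions before the next evidence run. Both snapshots are constructed; the field and state names follow the shape of the Graph conditionalAccessPolicy resource.

```python
"""Flag drift in Conditional Access policies between a verified baseline and
the current tenant state. Example code, not GMS platform code; both snapshots
are constructed (in production they come from Microsoft Graph)."""
# Constructed baseline captured at the last verified evidence run.
BASELINE = [
    {"id": "ca-001", "state": "enabled", "conditions": {"users": {"includeUsers": ["All"]}},
     "grantControls": {"operator": "OR", "builtInControls": ["mfa"]}},
    {"id": "ca-002", "state": "enabled", "conditions": {"clientAppTypes": ["exchangeActiveSync", "other"]},
     "grantControls": {"operator": "OR", "builtInControls": ["block"]}},
    {"id": "ca-003", "state": "enabled", "conditions": {"users": {"includeUsers": ["All"]}},
     "grantControls": {"operator": "OR", "builtInControls": ["compliantDevice"]}},
]
# Constructed current state: ca-001 gained an exclusion, ca-002 is report-only, ca-003 deleted.
CURRENT = [
    {"id": "ca-001", "state": "enabled",
     "conditions": {"users": {"includeUsers": ["All"], "excludeUsers": ["user-42"]}},
     "grantControls": {"operator": "OR", "builtInControls": ["mfa"]}},
    {"id": "ca-002", "state": "enabledForReportingButNotEnforced",
     "conditions": {"clientAppTypes": ["exchangeActiveSync", "other"]},
     "grantControls": {"operator": "OR", "builtInControls": ["block"]}},
]

def _flatten(obj, prefix=""):
    """Flatten nested dicts to dotted leaf paths so every changed value is named."""
    if not isinstance(obj, dict):
        return {prefix.rstrip("."): obj}
    out = {}
    for k, v in obj.items():
        out.update(_flatten(v, f"{prefix}{k}."))
    return out

def detect_drift(baseline, current):
    """Return (severity, policy_id, detail) for every deviation from baseline."""
    base = {p["id"]: p for p in baseline}
    cur = {p["id"]: p for p in current}
    findings = []
    for pid, old in base.items():
        new = cur.get(pid)
        if new is None:
            findings.append(("high", pid, "policy deleted"))
            continue
        old_f, new_f = _flatten(old), _flatten(new)
        for path in sorted(set(old_f) | set(new_f)):
            if old_f.get(path) == new_f.get(path):
                continue
            # Disabling, weakening grant controls or adding exclusions loosen enforcement.
            weakening = path == "state" or path.startswith("grantControls") or "exclude" in path
            findings.append(("high" if weakening else "medium", pid,
                             f"{path}: {old_f.get(path)} -> {new_f.get(path)}"))
    return findings
```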

Phase 3

Prove you're compliant

Live evidence. Auditor-ready.

Ongoing

Our team

We write your ISMS policies — not from templates, but from your actual configuration. Your A.8.1 endpoint policy references your Intune compliance profiles, your BitLocker encryption threshold (≥95%), your Defender for Endpoint onboarding target. An auditor can verify every claim by navigating to the portal path in the policy.

When the auditor arrives, our team is there. We've prepared for this — hundreds of auditor questions, classified by difficulty, mapped to controls, with evidence ready for each one.

The platform

Automated scripts query your tenant on schedule — every ISO 27001 control decomposed into weighted compliance rules with specific thresholds. Your compliance score is updated daily. Screenshots from the M365 admin portal are captured alongside API evidence — auditors see both the data and the portal view.

Evidence reports are generated per collection run. Non-compliant findings automatically create corrective action tickets. When the issue is fixed and verified on two consecutive checks, the ticket auto-closes.

Phase 4

Stay compliant

Uninterrupted security. Adaptive management.

Continuous

Our team

Compliance isn't a project — it's an ongoing managed service. GMS monitors your compliance posture, responds to incidents synced from Microsoft Defender, manages corrective actions through ConnectWise, and prepares you for surveillance audits.

When regulations change, when Microsoft updates features, when your organisation grows — we adapt the configuration and update the policies. Your ISMS stays current because we're operating it, not just advising on it.

The platform

14 ISMS registers run continuously — risk, assets, incidents, training, legal requirements, suppliers, corrective actions, and more. They're not spreadsheets. They're live registers fed by real data, cross-referenced so a risk links to its controls, controls link to evidence, evidence links to corrective actions, and corrective actions link to tickets.

Risk → Control → Evidence → Corrective Action → Ticket

Structured rollout. Dependencies respected.

Each capability has prerequisites. Devices must be onboarded before device-based Conditional Access. Identity must be hardened before data governance. We deploy in the right order.

1. Foundation (Weeks 1-2)
  • Email Security
  • CIS M365 Hardening

No dependencies — start immediately

2. Endpoint & Detection (Weeks 3-5)
  • Device Management (Intune)
  • Endpoint Security (MDE + ASR)
  • Defender for Identity
  • Sentinel Deployment

Devices onboarded before access policies

3. Access & Governance (Weeks 4-6)
  • Conditional Access
  • Privileged Identity Management

Requires device compliance in place

4. Data & AI (Weeks 5-8)
  • Information Protection
  • Data Loss Prevention
  • AI Governance
  • Access Reviews

Requires identity + endpoint complete

24 delivery packages. Evidence collection runs in parallel from day one.

Incredible depth. Not a shallow integration.

Generic platforms connect via read-only APIs and check against a basic list. We assess, deploy, and enforce across the complete M365 security stack.

78 Zero Trust Capabilities — Assessed, Deployed, Enforced

We don't just reference Zero Trust in a slide deck. We systematically deploy all 78 capabilities defined in the Microsoft Zero Trust Maturity Model across seven architectural pillars.

Identity

Entra ID P2, PIM with JIT activation, passwordless auth (FIDO2), sign-in risk policies, legacy protocol elimination

Endpoints

Intune device compliance, Defender for Endpoint, attack surface reduction rules, CIS L1 baselines for Windows and macOS

Data

Purview DLP across Exchange/SharePoint/Teams/Endpoints, sensitivity labels with auto-classification, exact data match

Applications

Defender for Cloud Apps, OAuth consent governance, shadow IT discovery, session controls

Infrastructure

Azure Policy enforcement, Defender for Cloud posture management, JIT VM access, administrative MFA

Network

Defender Network Protection, Exchange Online Protection hardening, malicious domain blocking, DMARC/SPF/DKIM

SecOps

Microsoft Sentinel connectors, automated investigation, incident correlation, managed threat response

7 CIS Benchmarks — Deployed and Hardened

We don't just assess against CIS benchmarks — we deploy every recommendation across your M365 tenant, endpoints, and browsers, then monitor for drift.

CIS Microsoft 365 Foundations

Identity, email, data, apps, and audit hardening across the entire M365 tenant

CIS Windows 11 on Intune

OS-level security baselines, BitLocker enforcement, attack surface reduction

CIS macOS on Intune

FileVault encryption, Gatekeeper, firewall policies, system integrity

CIS Microsoft Edge

Browser security policies, extension governance, SmartScreen enforcement

CIS Google Chrome

Safe browsing, extension controls, download restrictions, cookie policies

CIS Azure Foundations

Cloud infrastructure security, RBAC governance, resource policy enforcement

Android Benchmark

Mobile device security, app protection policies, corporate data isolation

Endpoint Mastery — Every Device, Every Setting

A compliance agent can verify if antivirus is on. We govern the Intune configuration catalog — device compliance, CIS L1 baselines, automated patch deployment, BitLocker and FileVault encryption, and Defender for Endpoint onboarding across your entire fleet.

When a device falls out of compliance, Conditional Access instantly revokes its access to corporate resources. When a patch fails to install, the device is flagged. When encryption is disabled, access is blocked. This closed-loop architecture — where detection immediately triggers enforcement — is what separates deep engineering from passive monitoring.

Beyond the checkbox: the automated internal auditor

Most organisations prepare for an external audit once a year. We run an internal audit every day. 93 ISO 27001 controls, assessed automatically against your live M365 tenant. Not preparing for the auditor. Being the auditor.

Daily evidence collection

Automated scripts query your tenant via Microsoft Graph — compliance state, device health, policy configurations, user attestations. Fresh evidence, not last quarter's screenshots.

AI-powered audit preparation

Ask the AI any question an auditor would. It retrieves evidence from your tenant, reasons about compliance, and responds with cited sources. When evidence is missing, it says so — no fabrication.

Corrective actions that close themselves

Non-compliant findings automatically create remediation tickets. When the issue is fixed and verified on two consecutive checks, the ticket auto-closes. Closed-loop compliance.
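The weighted-rule scoring and the two-consecutive-checks auto-close described here and in the Phase 3 platform section, as an added example that is not the platform's code. The decomposition of A.8.1 into rules, the weights, the evidence values and all thresholds except the 95% BitLocker figure the page cites are constructed.

```python
"""Weighted compliance rules per ISO 27001 control, and corrective-action
tickets that open on a failed rule and auto-close only after two consecutive
passing runs. Example code, not GMS platform code; values are constructed."""
from dataclasses import dataclass

@dataclass
class Rule:
    rule_id: str
    control: str      # ISO 27001:2022 control the rule contributes to
    weight: float     # share of the control's score
    threshold: float  # minimum observed ratio (0..1) to pass
    metric: str       # key in the evidence snapshot

# Constructed decomposition of A.8.1 (user endpoint devices) into three rules.
RULES = [
    Rule("bitlocker", "A.8.1", 0.5, 0.95, "bitlocker_encrypted_ratio"),
    Rule("mde-onboarded", "A.8.1", 0.3, 0.98, "mde_onboarded_ratio"),
    Rule("intune-compliant", "A.8.1", 0.2, 0.90, "intune_compliant_ratio"),
]

def evaluate(rules, evidence):
    """Return {rule_id: passed} and a weighted 0..100 score per control."""
    results, total, earned = {}, {}, {}
    for r in rules:
        passed = evidence.get(r.metric, 0.0) >= r.threshold
        results[r.rule_id] = passed
        total[r.control] = total.get(r.control, 0.0) + r.weight
        earned[r.control] = earned.get(r.control, 0.0) + (r.weight if passed else 0.0)
    return results, {c: round(100 * earned[c] / total[c], 1) for c in total}

class CorrectiveActions:
    REQUIRED_PASSES = 2  # verified on two consecutive checks before auto-close

    def __init__(self):
        # rule_id -> {"status": "open" | "closed", "passes": consecutive passes}
        self.tickets = {}

    def process_run(self, results):
        """Apply one collection run; return current ticket status per rule."""
        for rule_id, passed in results.items():
            t = self.tickets.get(rule_id)
            if not passed:
                if t is None or t["status"] == "closed":
                    self.tickets[rule_id] = {"status": "open", "passes": 0}
                else:
                    t["passes"] = 0  # a regression resets the verification count
            elif t is not None and t["status"] == "open":
                t["passes"] += 1
                if t["passes"] >= self.REQUIRED_PASSES:
                    t["status"] = "closed"
        return {k: v["status"] for k, v in self.tickets.items()}
```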

34 technological controls mastered

The 2022 ISO standard defines 34 technological controls — DLP, configuration management, vulnerability management, web filtering, cryptography. These are where our M365 depth is absolute.

"Not preparing for an audit. Running one. Every day."

The AI layer: 30 years of expertise, available on demand

The AI doesn't replace our team. It preserves what we've learned operating M365 tenants for 1,200+ customers and encodes it into a system that scales.

It says "I don't know"

When evidence is missing, the AI tells you. No fabrication, no hallucination. That's how you know the positive answers are trustworthy. The first question any buyer has about AI is "does it make things up?" Ours doesn't.

It answers auditor questions with evidence

Ask it anything an auditor would. It retrieves evidence from your tenant, reasons about compliance, and responds with cited sources — distinguishing between what it can prove, what the framework says, and what it recommends.

It preserves institutional knowledge

Everything we've learned securing M365 tenants is encoded in the system. When someone leaves your team, the knowledge stays. When a new regulation emerges, the platform adapts.

Why this works when other approaches don't

vs. Consulting firms

They write policies from templates and leave. We operate the systems we secure. Our policies reference your actual configuration because we configured it.

vs. Generic compliance platforms

They connect to 400 platforms superficially. We go deep into one ecosystem — Microsoft 365 — with CIS benchmarks, automated evidence collection, and policies that name specific portal paths in your tenant.

vs. AI compliance startups

They read the ISO standard last month. We've been delivering Microsoft security for 30 years. The AI encodes our expertise — it doesn't replace it.

vs. Doing it yourself

You'd need to build automated evidence collection for every ISO 27001 control, decompose each into weighted compliance rules, build a full set of ISMS registers, and map your M365 capabilities to ISO requirements. We've already done it.

The outcome isn't a certificate. It's a moat.

When compliance is embedded in operations — not bolted on top — it becomes a competitive advantage that competitors can't replicate. Sophisticated buyers are learning to tell the difference between paper compliance and operational compliance.

"What would it mean if you could answer any auditor question in sixty seconds? That's not a compliance programme. That's a competitive advantage."