Plans & Services

A maturity journey, not a feature list

Every plan collects evidence and tracks corrective actions. The difference is how far you go — from baseline protection to full ISO 27001 certification.

Plan 1: Foundation

Secure your front door

Typical delivery: 2-4 weeks

Protection against the most common attack vectors. Email authentication, CIS baselines, and identity controls that stop the majority of threats.

  • Email authentication locked down (SPF, DKIM, DMARC)
  • Conditional Access policies for users, admins, and devices
  • CIS security baselines configured and validated
  • Anti-phishing and safe link protection
  • Evidence collection begins from day one
Evidence collected · Corrective actions tracked
Security baseline: CIS benchmarks · Email authentication · Access control
Plan 3: Information Governance

Get Copilot ready

Typical delivery: 6-8 weeks

Full ISO 27001 ISMS, data classification, DLP, and AI governance. Your data needs to be classified, labelled, and governed before Copilot touches it. Plan 3 gets you there.

  • Your data classified and labelled automatically
  • Data Loss Prevention policies enforced across M365
  • Full ISO 27001 ISMS with audit-ready evidence
  • Copilot-ready data governance
  • Secure Score consistently above 75
Evidence collected · Corrective actions tracked
Full ISO 27001 ISMS: Policies · SoA · Risk register · Management review · Audit preparation

Evidence from day one

Every plan — not just Plan 3 — collects compliance evidence and opens corrective actions when issues are found. When you're ready to pursue ISO 27001, the evidence trail is already there. Your history becomes your certification accelerator.

Automated collection

Evidence gathered directly from your M365 tenant — no manual screenshots or spreadsheets.

Corrective actions

Non-compliant findings automatically generate tickets with remediation guidance.

Audit-ready reports

When you reach Plan 3, your evidence history feeds directly into auditor-grade reports.

Secure Services

24 risks directly mitigated

Identity compromise (9 risks), endpoint threats (10), email attacks (2), and network exposure (3) — each mapped to specific M365 capabilities with residual risk scoring after deployment.

Key stakeholders: IT Admin, SOC, Security Analyst

Every Secure capability maps to a Statement of Work with named stakeholder roles. Your IT team deploys alongside our engineers — no black-box handover.

Evidence from day one

Conditional Access policy compliance, Defender alert resolution, CIS benchmark scores — all collected automatically. When you're ready for ISO 27001, the Secure evidence trail is already months deep.

22 capabilities in Plan 1 → 46 by Plan 2

Start with email authentication, CIS benchmarks, and Conditional Access. Plan 2 adds Intune, Defender for Endpoint, PIM, and Sentinel. Each capability weighted by risk reduction impact.

Comply Services

33 risks in governance, compliance, and data protection

Policy gaps (16 risks), regulatory exposure (7), and data handling failures (10) — all traced to specific controls with CIA impact scoring. Residual risk drops to 2-3 after deployment.

Key stakeholders: CISO, Legal, DPO, Data Owners

Compliance isn't just IT. We map 179 legal requirements across 12 jurisdictions to your controls — and ensure Legal, HR, and Data Protection Officers are engaged at the right stages.

93 controls with automated evidence

DLP policy enforcement logs, sensitivity label application rates, retention policy compliance, access review completions — all fed into auditor-grade reports that pass ISO 27001 surveillance.

Plan 3 unlocks full data governance — 78 capabilities

Sensitivity labels, DLP across all M365 workloads, insider risk management, advanced audit, lifecycle workflows. This is where ISO 27001 certification becomes achievable — and sustainable.

Succeed Services

31 risks in infrastructure, insider threats, and monitoring

Cloud infrastructure gaps (19 risks), insider abuse (6), and detection blind spots (5) — addressed through Defender for Cloud, Sentinel advanced analytics, and AI governance controls.

Key stakeholders: Board, DevOps, Application Owners

Succeed is where security becomes strategic. We engage your Board with governance dashboards, your DevOps teams with AI agent identity controls, and Application Owners with workload identity governance.

Evidence for strategic decisions, not just auditors

Sentinel incident trends, risk register movements, stakeholder engagement status, Secure Score trajectory — data that drives board-level security investment decisions, not just compliance checkboxes.

24 delivery packages across the full maturity journey

From email security (3-8 days) to AI governance (8-20 days). Each package has defined capabilities, stakeholder roles, delivery estimates, and prerequisites — a structured path from Traditional (0-39%) to Optimal (90%+) maturity.

Need to comply with more than ISO 27001? We've got you covered.

We don't try to be a multi-framework GRC tool. Instead, we natively integrate with Microsoft Purview Compliance Manager — the compliance platform already in your M365 tenant. All evidence we collect is tagged and uploaded to Compliance Manager, where Microsoft automatically maps it against 300+ regulatory standards. You implement ISO 27001. Compliance Manager does the rest.

ISO 27001 Evidence

93 controls collected from your M365 tenant

Microsoft Purview Compliance Manager

Automatic mapping & continuously updated by Microsoft

300+ Regulatory Standards

Visible in your existing M365 portal

GDPR · NIS2 · DORA · POPIA · CCPA · PCI DSS · SOX · HIPAA · UK GDPR · ISO 22301 · + 290 more via Compliance Manager

No manual re-tagging. No separate GRC platform. Microsoft maintains the regulatory mappings — your evidence flows automatically.

Not sure where to start?

Our free AI assessment maps your M365 configuration against all 93 ISO 27001 controls and recommends the right plan for your environment.
