Data Protection & Governance

Data sprawl is the silent compliance killer. Sensitive information flows through email, Teams, SharePoint, and third-party applications with little visibility or control. Ten data-specific risks in our register span unclassified data exposure, accidental sharing, and inadequate retention — each a direct finding in an ISO 27001 surveillance audit. Sensitivity labels, DLP policies, and retention rules transform data governance from aspiration to demonstrable, auditable control.

Added in Information Governance (Plan 3)

• Sensitivity Label Taxonomy — Define and publish sensitivity label taxonomy with stakeholders
• Manual Labeling — Deploy manual sensitivity labeling to users
• Label-Based Encryption — Configure sensitivity labels with encryption protection
• Client-Side Auto-Labeling — Configure automatic labeling recommendations in Office clients
• Service-Side Auto-Labeling — Configure automatic labeling policies for SharePoint, OneDrive, Exchange
• Exchange DLP — Data Loss Prevention policies for Exchange Online
• SharePoint/OneDrive DLP — Data Loss Prevention policies for SharePoint and OneDrive
• Teams DLP — Data Loss Prevention policies for Microsoft Teams
• Custom Sensitive Information Types — Create custom SITs for organisation-specific data patterns
• Endpoint DLP — Data Loss Prevention for Windows endpoints
• Exact Data Match — EDM-based sensitive information types for precise data matching
• Trainable Classifiers — Machine learning classifiers for content classification
• Joiner Entitlement Packages — Identity Governance lifecycle workflows for new starters
• Leaver Entitlement Packages — Identity Governance lifecycle workflows for leavers
• Access Reviews - Basic — Quarterly access reviews for privileged roles and groups
• Access Reviews - Full — Comprehensive access reviews including application access

What you receive

Delivery Package	Duration	Stakeholders	Key Deliverables
Information Protection	10–25 days	CISO, Data Owners, Legal, End Users	Label taxonomy document; Label publishing policy; Encryption configuration
Data Loss Prevention	10–25 days	CISO, Compliance, Legal	DLP policy matrix; Custom SIT definitions (SA identifiers); Endpoint DLP configuration
Identity Governance & Lifecycle	8–20 days	HR, IT Admin, Line Managers	Role-to-access package mapping; Lifecycle workflow definitions; HR connector configuration

ISO 27001 controls covered

• A.5.12 Classification of Information
• A.5.13 Labelling of Information
• A.5.16 Identity Management
• A.5.18 Access Rights
• A.6.1 Screening
• A.6.5 Responsibilities After Termination or Change of Employment
• A.8.12 Data Leakage Prevention
• A.8.24 Use of Cryptography