When an assessor or auditor asks how your organisation is secured, a large part of the answer already lives in Microsoft 365. The controls exist, the logs are captured, and the settings are enforced. The gap is rarely the technology. It is being able to point at the exact setting that satisfies a control, and to produce evidence for it without a week of manual work.
This guide maps common Microsoft 365, Microsoft Entra, and Microsoft Intune settings to the Cyber Essentials controls and to a handful of ISO 27001:2022 Annex A controls. Control wording follows the NCSC Cyber Essentials requirements and ISO/IEC 27001:2022. Treat the mapping as guidance for scoping your evidence, not as a substitute for your certification body's requirements, because how a control applies always depends on your own scope and configuration.
Why auditors ask for Microsoft 365 evidence
Cyber Essentials and ISO 27001 are both evidence-led. A control on paper counts for little unless you can show it is applied and working. For most organisations running Microsoft 365, the platform is where identity, devices, email, and updates are governed, so it becomes the single richest source of evidence in the assessment. The practical question is how to surface that evidence cleanly, on demand, and in a form an assessor accepts.
Cyber Essentials: the five controls in Microsoft 365
Cyber Essentials defines five technical controls. Each one maps to concrete Microsoft 365, Entra, or Intune configuration, and each produces evidence you can export.
| Cyber Essentials control | Where it lives in Microsoft 365 | Evidence you can export |
|---|---|---|
| Firewalls | Microsoft Defender Firewall managed through Intune endpoint security firewall policies on enrolled devices; the service boundary is Microsoft's for the cloud platform | Firewall policy configuration and device firewall status from the Intune admin centre |
| Secure configuration | Intune configuration profiles and Windows security baselines, Microsoft Secure Score, and blocking legacy authentication in Entra | Baseline assignment and compliance reports, Secure Score history, legacy authentication sign-in report |
| User access control | Microsoft Entra accounts, Conditional Access, multifactor authentication, least-privilege roles, and joiner, mover, and leaver processes | Conditional Access policy export, sign-in logs, role assignment lists, account review records |
| Malware protection | Microsoft Defender Antivirus and Defender for Endpoint managed through Intune, plus Defender for Office 365 Safe Attachments and Safe Links | Antivirus and Defender policy configuration, device protection status, and email threat policy settings |
| Security update management | Windows Autopatch or Windows Update for Business update rings, Intune quality update policies, and the Microsoft 365 Apps update channel | Update ring configuration and Windows update or Autopatch compliance reports showing patch levels |
Two points are worth calling out. First, Cyber Essentials is interested in the endpoint firewall and secure configuration of the devices you manage, not just the cloud service, so the Intune side of the mapping carries most of the weight. Second, security update management was previously described as patch management; the intent is the same, and Windows Autopatch is the cleanest way to evidence it.
ISO 27001:2022 Annex A: selected controls and evidence sources
ISO 27001 is broader than Cyber Essentials and covers governance, people, and process as well as technology. The controls below are a subset of the Annex A technological and organisational controls where Microsoft 365 is a primary evidence source. They are a starting point for your Statement of Applicability, not the full set.
| Annex A control | What it asks for | Microsoft 365 evidence source |
|---|---|---|
| A.5.15 Access control | Rules to control physical and logical access based on business and security requirements | Conditional Access policies, Entra role assignments, and access package or access review records |
| A.8.2 Privileged access rights | Allocation and use of privileged access restricted and managed | Microsoft Entra Privileged Identity Management eligible roles, activation approvals, and downloadable audit history |
| A.8.7 Protection against malware | Protection against malware supported by user awareness | Defender for Endpoint and Defender for Office 365 policy configuration and incident and detection reports |
| A.8.8 Management of technical vulnerabilities | Information about technical vulnerabilities obtained and exposure evaluated and addressed | Microsoft Defender Vulnerability Management exposure reports plus Autopatch or update ring patch compliance |
| A.8.13 Information backup | Backup copies maintained and tested in line with an agreed policy | Microsoft Purview retention policy configuration, plus your own records for configuration and data backup |
A.8.13 deserves care. Microsoft 365 provides service redundancy and retention controls such as Purview retention policies, but it is not a backup product, and the shared responsibility model leaves protection of your data and configuration with you. For an ISO 27001 backup control, evidence your retention configuration and your separate approach to backing up data and tenant configuration, rather than implying the platform backs itself up.
How to collect evidence without screenshot marathons
Screenshots are slow, they date quickly, and an assessor cannot verify them. Every source in the tables above can be exported instead.
- Microsoft Purview Audit log search exports activity across the tenant to CSV, so you can show what happened and when across Exchange, SharePoint, and admin actions.
- Microsoft Entra sign-in and audit logs download directly as CSV or JSON, evidencing access control, MFA, and directory changes.
- Microsoft Intune report exports and device compliance views evidence secure configuration, firewall, antivirus, and update state across managed devices.
- Microsoft Entra Privileged Identity Management provides downloadable audit history for privileged access activation and approvals.
- Microsoft Secure Score exports track secure configuration improvement over time.
- Microsoft Purview Compliance Manager holds improvement actions and lets you attach evidence files against controls, giving you one place to assemble an evidence pack.
For managed-device evidence, an Intune reporting tool can turn compliance, app, update, and configuration signals into repeatable audit packs.
For anything you repeat, prefer a scheduled export or a Microsoft Graph or PowerShell query over a manual click-through. Repeatable exports keep evidence current between audit cycles and remove the annual scramble.
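A repeatable export of the kind described above, as an added example rather than code from the original page. It assumes the Microsoft Graph PowerShell SDK is installed and read-only consent has been granted; the output folder, the 7-day window, and the list of modern client app names are assumptions to adjust for your tenant.

```powershell
# Added example: dated evidence folder with exports plus a SHA-256 manifest.
# $OutRoot and the 7-day window are assumptions; change them to fit your audit period.
$OutRoot = 'C:\Evidence'
$since   = (Get-Date).ToUniversalTime().AddDays(-7)
$outDir  = Join-Path $OutRoot (Get-Date -Format 'yyyy-MM-dd')
New-Item -ItemType Directory -Path $outDir -Force | Out-Null

# Read-only scopes only; the collector never needs write access to the tenant.
Connect-MgGraph -Scopes 'Policy.Read.All','AuditLog.Read.All','DeviceManagementManagedDevices.Read.All'

# User access control: full Conditional Access policy definitions as JSON.
$policies = @(Get-MgIdentityConditionalAccessPolicy -All)
$policies | ConvertTo-Json -Depth 10 |
    Set-Content (Join-Path $outDir 'conditional-access-policies.json') -Encoding UTF8

# Secure configuration: sign-ins in the window that used a legacy client.
# Assumption: any ClientAppUsed value other than these two counts as legacy authentication.
$modern = 'Browser', 'Mobile Apps and Desktop clients'
$filter = "createdDateTime ge $($since.ToString('yyyy-MM-ddTHH:mm:ssZ'))"
$legacy = @(Get-MgAuditLogSignIn -Filter $filter -All |
    Where-Object { $_.ClientAppUsed -and $_.ClientAppUsed -notin $modern } |
    Select-Object CreatedDateTime, UserPrincipalName, AppDisplayName, ClientAppUsed,
        ConditionalAccessStatus, @{ n = 'ErrorCode'; e = { $_.Status.ErrorCode } })
$legacy | Export-Csv (Join-Path $outDir 'legacy-auth-signins.csv') -NoTypeInformation

# Device state: compliance and OS version for every Intune-managed device.
$devices = @(Get-MgDeviceManagementManagedDevice -All |
    Select-Object DeviceName, OperatingSystem, OSVersion, ComplianceState, LastSyncDateTime)
$devices | Export-Csv (Join-Path $outDir 'managed-devices.csv') -NoTypeInformation

# Record counts explicitly so an empty result (no legacy sign-ins) is still evidence.
[ordered]@{
    CollectedUtc              = (Get-Date).ToUniversalTime().ToString('o')
    WindowStartUtc            = $since.ToString('o')
    ConditionalAccessPolicies = $policies.Count
    LegacyAuthSignIns         = $legacy.Count
    ManagedDevices            = $devices.Count
    NonCompliantDevices       = @($devices | Where-Object ComplianceState -ne 'compliant').Count
} | ConvertTo-Json | Set-Content (Join-Path $outDir 'summary.json') -Encoding UTF8

# Hash every file before writing the manifest, so the pack can be re-verified later.
$hashes = Get-ChildItem $outDir -File | Get-FileHash -Algorithm SHA256 |
    Select-Object Hash, @{ n = 'File'; e = { Split-Path $_.Path -Leaf } }
$hashes | Export-Csv (Join-Path $outDir 'manifest.sha256.csv') -NoTypeInformation
```

Run it on a schedule under an identity limited to these read scopes, and store the output somewhere the collecting account cannot later modify. Sign-in logs are retained in the tenant for a limited period, so regular runs are what preserve coverage between audit cycles.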
Where EtherAssist and EtherInsights fit
Knowing which setting maps to which control is half the job. The other half is organising the workflow, drafting the policies and procedures that sit above the settings, and assembling evidence an assessor accepts.
EtherAssist supports that compliance workflow. It helps teams map controls to Microsoft 365 evidence, draft and maintain policies and procedures, structure assessments, and prepare an evidence pack for frameworks such as ISO 27001, ISO 9001, ISO 42001, and Cyber Essentials. It is controlled compliance and evidence preparation with a human in the loop; it organises and accelerates the work, and it does not replace your certification body or guarantee a certification outcome.
EtherInsights covers the posture side. It gives you a view of Microsoft 365 security configuration, a baseline for the tenant, and drift detection, so a control you evidenced at audit does not quietly change afterwards. Configuration backup, drift, and restore keep the estate stable between assessments, which is exactly what keeps evidence trustworthy over time.
Mapping settings to controls is the fastest way to turn a Microsoft 365 tenant you already run into audit-ready evidence. Start with the five Cyber Essentials controls, extend into the Annex A controls that matter for your scope, and replace screenshots with exports you can repeat.
