GMS Certification Pathway

ISO/IEC 27001:2022 readiness, certification, and continuous compliance for Microsoft 365.

Prepare, certify, and operate continuously — under the same management system we hold ourselves.

The GMS Certification Pathway prepares Microsoft 365 environments for ISO/IEC 27001:2022 certification and operates them in continuous compliance thereafter. The methodology has been refined across 1,200 tenant deployments and is delivered by the engineers who operate the controls they implement. It is underpinned by the same management system under which Global Micro itself holds ISO/IEC 27001, ISO 22301, and ISO/IEC 20000-1 certification.

- 93 ISO 27001 controls mapped to tenant configuration
- 78 Zero Trust capabilities tied to specific controls
- 105 risks, each with daily evidence rules
- 1,200+ tenant deployments that refined the methodology

Why organisations engage us

Most ISO 27001 programmes fail at the same point. Policies are drafted, controls are described, and the binder is presented to the auditor. The auditor asks for evidence that the controls are deployed, configured, and operating as intended within the technology environment. The evidence does not exist, because no one was responsible for producing it.

We address this by combining the work usually distributed across three parties — the management system consultant, the security implementer, and the GRC platform — into a single engagement. The same team writes the Statement of Applicability, deploys the Microsoft 365 controls that satisfy each Annex A reference, and instruments the tenant to produce daily evidence against those controls. There is one operating model, one accountability line, and one body of evidence that traces from policy through to runtime configuration.

Our approach

The Pathway is delivered in four sequenced workstreams. Each can be engaged independently for organisations that already have parts of their programme in place.

Assess

A structured readiness assessment against the 93 controls of ISO/IEC 27001:2022 Annex A and the management system clauses 4 to 10. Outputs include a control-by-control gap analysis, a tenant configuration baseline against the relevant CIS Microsoft 365 benchmarks, a risk register seeded from our 105-risk reference library, and a recommended scope statement for the ISMS.

Typical duration: 2 to 4 weeks.

Implement

An 8-week engineering engagement that deploys the Microsoft security stack against the agreed scope. Identity, endpoint, data, email, and information protection controls are configured to satisfy the relevant Annex A references and the applicable CIS benchmarks. Conditional Access is redesigned. The full Microsoft 365 E5 or Business Premium security capability is activated and documented. The ISMS documentation suite — policies, procedures, Statement of Applicability, scope, and the four mandatory clause documents — is produced in parallel and aligned to the deployed configuration.

Operate

A managed service where our engineers operate the deployed control set, collect evidence daily across all in-scope controls, and produce monthly compliance reporting for the executive and the audit committee. Evidence is collected through read/write tenant orchestration, retained natively in Defender and Log Analytics, and made available through the GMS Audit Agent portal. Where remediation is required, our engineers act on the tenant directly rather than raising a ticket.

Assure

Surveillance audit preparation, internal audit delivery, management review facilitation, and direct liaison with your certification body. We have supported clients through audits with BSI, DNV, SGS, LRQA, BM TRADA, and Bureau Veritas.

Extending the ISMS to cover AI

Where clients are adopting AI — Microsoft 365 Copilot, Copilot Studio agents, Azure AI services — those services fall inside the ISMS scope for information security purposes and under the emerging AI management system scope for governance purposes. We extend the existing controls to cover AI access patterns, we add AI-specific controls to the evidence framework, and we prepare the ISMS for integration with ISO/IEC 42001 — the international management system standard for AI, which we are certifying to this year.

Engagement criteria

The Pathway is designed for organisations operating Microsoft 365 (E3, E5, or Business Premium) at between 50 and 5,000 users, with a defined certification objective and executive sponsorship for the management system. We do not offer this engagement for non-Microsoft estates; specialist firms exist for those environments and we will refer you on request.

Demonstrated outcomes

The engagements below illustrate the pattern, drawn from across our client base. Named reference engagements are available under NDA.

Financial services · 200 users

Engaged with no formal information security programme, a customer-imposed deadline of six months, and an in-flight RFP requiring ISO 27001 certification. Achieved Stage 2 certification within four months. Zero non-conformities at first surveillance audit. RFP awarded.

Legal services · 400 users

Engaged following a failed surveillance audit under a previous consultancy. The existing ISMS was rebuilt to align with deployed configuration over a 12-week engagement. Certification recovered at the next surveillance window. Now in third year of continuous compliance under our managed service.

Software · 800 users

Microsoft 365 E5 in place but utilised at approximately 25 per cent of its security capability. Full activation of Defender for Office 365, Defender for Endpoint, Defender for Cloud Apps, Purview Information Protection, and Purview DLP. Secure Score increased from baseline 32 to 86 over the engagement. SOC 2 Type II achieved in parallel.

Engagement model and commercials

Implementation is delivered as a fixed-scope, fixed-fee engagement following a paid Assess workstream. Operate and Assure are delivered under a multi-year managed service agreement, typically three years with annual review.

Engagements are governed by a master services agreement under Global Micro Solutions (Pty) Ltd (Johannesburg). Commercial terms are scoped to the environment and confirmed at the close of the Assess workstream. We do not publish pricing; the work is not commodity work and a published rate card would misrepresent the scope of your specific engagement.

Speak with the team

A 45-minute introductory conversation with a senior member of our practice — typically the engagement principal who would lead your work — to understand your environment, your certification objectives, and the timeline you are operating to. We will tell you whether the Pathway is the right engagement for you. If it is not, we will tell you what is, including where another firm would serve you better.

South Africa +27 (0)11 731 0600
Ireland +353 1 578 9175
United Kingdom +44 20 8396 0877
Saudi Arabia +966 (0)11 261 1472
UAE +971 02 654 4061
United States +1 404 689 6434

secure | comply | succeed