
Compliance Engine

Assess your Microsoft 365 security posture against industry frameworks



Securtea's compliance engine evaluates your Microsoft 365 configuration against industry-standard security frameworks. Identify gaps, track remediation, and demonstrate compliance to auditors.

What Is Compliance Assessment?

A compliance assessment analyzes your Microsoft 365 configuration against a set of security controls defined by a compliance framework. The engine:

  1. Collects data from your M365 tenant via Microsoft Graph API
  2. Evaluates controls by comparing configurations to expected values
  3. Generates results showing which controls pass, fail, or need manual review
  4. Calculates scores to measure your overall compliance level

Supported Frameworks

Securtea supports multiple industry-standard frameworks:

CIS Microsoft 365 Foundations Benchmark

The Center for Internet Security (CIS) benchmark provides prescriptive guidance for securing Microsoft 365:

  • Scope: M365-specific security configurations
  • Controls: 100+ security recommendations
  • Updates: Aligned with CIS benchmark versions
  • Best for: Organizations wanting detailed M365 security guidance

NIST 800-53

The National Institute of Standards and Technology framework covers comprehensive security controls:

  • Scope: Broad security control families
  • Controls: Selected controls applicable to M365
  • Updates: Aligned with NIST revision 5
  • Best for: U.S. government contractors, regulated industries

SOC 2

Service Organization Control 2 focuses on security, availability, and confidentiality:

  • Scope: Trust Services Criteria
  • Controls: Mapped from M365 configurations
  • Updates: Aligned with AICPA standards
  • Best for: SaaS companies, service providers

ISO 27001

International standard for information security management:

  • Scope: Information security controls
  • Controls: Annex A controls mapped to M365
  • Updates: Aligned with ISO 27001:2022
  • Best for: Organizations seeking ISO certification

How It Works

Framework Structure

Each framework is organized hierarchically:

Framework (e.g., CIS Microsoft 365)
└── Themes (e.g., Identity & Access Management)
    └── Controls (e.g., Enable MFA for all users)
        └── Signals (e.g., Check Conditional Access policies)

Control Evaluation

For each control, the engine:

  1. Executes signals - Queries Microsoft Graph for relevant data
  2. Evaluates conditions - Compares data against expected values
  3. Determines status - Pass, fail, or manual review
  4. Records evidence - Stores the data for audit purposes

Assessment Run

When you run an assessment:

  1. Select framework(s) to evaluate
  2. Engine queries your M365 tenant
  3. Controls are evaluated in parallel
  4. Results are compiled and scored
  5. Assessment completes and results are available

Understanding Results

Control Statuses

Status           Meaning
---------------  -----------------------------------------
Pass             Control requirements are met
Fail             Control requirements are not met
Manual Review    Requires human verification
Not Applicable   Control doesn't apply to your environment
Error            Evaluation encountered an issue

Scoring

Your compliance score represents the percentage of applicable controls that pass:

Score = (Passing Controls / Applicable Controls) × 100

Example: If 80 of 100 applicable controls pass, your score is 80%.
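The following Python is an added example, not Securtea's code, that models the Control Evaluation loop described above (execute signals, evaluate conditions, determine status, record evidence), the parallel Assessment Run, and the score formula, over a constructed tenant snapshot. The three Graph paths /identity/conditionalAccess/policies, /policies/authorizationPolicy and /directoryRoles are real Microsoft Graph routes, but the data under them is made up; the control ids, the two /placeholder/ endpoints, the "licenses" key, the precedence of Fail over Manual Review, and the treatment of Error as applicable-but-not-passing are all assumptions.

```python
# Added example, not Securtea's code: signals -> conditions -> status -> evidence, plus scoring.
from concurrent.futures import ThreadPoolExecutor
from dataclasses import dataclass, field
from datetime import datetime, timezone
from typing import Any, Callable, Optional

PASS, FAIL, MANUAL, NOT_APPLICABLE, ERROR = "Pass", "Fail", "Manual Review", "Not Applicable", "Error"

# Constructed tenant: Graph path -> response. Paths are real Graph routes, data is made up.
TENANT_SNAPSHOT: dict[str, Any] = {
    "/identity/conditionalAccess/policies": [
        {"displayName": "Require MFA for all users", "state": "enabled",
         "conditions": {"users": {"includeUsers": ["All"]}},
         "grantControls": {"builtInControls": ["mfa"]}}],
    "/policies/authorizationPolicy": {"allowInvitesFrom": "everyone"},
    "/directoryRoles": [{"displayName": "Global Administrator"}],
    "licenses": ["ENTERPRISEPACK"],  # constructed; read only by applies_if below
}

def fetch(query: str) -> Any:
    # Stand-in for a Graph GET; a path missing from the snapshot simulates a failed call.
    if query not in TENANT_SNAPSHOT:
        raise RuntimeError(f"HTTP 503 from {query}")
    return TENANT_SNAPSHOT[query]

@dataclass
class Signal:
    name: str
    query: str                       # Graph path the signal executes
    expected: Any = None             # value the condition compares against
    condition: Optional[Callable[[Any, Any], bool]] = None  # None => manual review
@dataclass
class Control:
    control_id: str                  # illustrative ids, not real CIS numbering
    title: str
    signals: list[Signal]
    applies_if: Callable[[dict[str, Any]], bool] = lambda tenant: True
@dataclass
class ControlResult:
    control_id: str
    status: str
    evidence: list[dict[str, Any]] = field(default_factory=list)

def evaluate_control(control: Control) -> ControlResult:
    """Execute signals, evaluate conditions, determine status, record evidence."""
    result = ControlResult(control.control_id, NOT_APPLICABLE)
    if not control.applies_if(TENANT_SNAPSHOT):
        return result
    outcomes = []
    for sig in control.signals:
        record = {"signal": sig.name, "query": sig.query,
                  "collected_at": datetime.now(timezone.utc).isoformat()}
        try:
            observed = fetch(sig.query)
        except Exception as exc:     # an evaluation problem, not a failed control
            result.evidence.append({**record, "error": str(exc)})
            result.status = ERROR
            return result
        # Evidence is kept for every signal, including ones left to manual review.
        result.evidence.append({**record, "observed": observed, "expected": sig.expected})
        met = None if sig.condition is None else sig.condition(observed, sig.expected)
        outcomes.append(MANUAL if met is None else PASS if met else FAIL)
    # Assumed precedence: a failing signal fails the control; otherwise a manual one sends it to review.
    result.status = FAIL if FAIL in outcomes else MANUAL if MANUAL in outcomes else PASS
    return result

def mfa_required_for_all(policies: list[dict[str, Any]], _expected: Any) -> bool:
    # True if an enabled Conditional Access policy grants MFA to all users.
    return any(p["state"] == "enabled"
               and "mfa" in p["grantControls"]["builtInControls"]
               and "All" in p["conditions"]["users"]["includeUsers"]
               for p in policies)

CONTROLS = [
    Control("EX-1", "Enable MFA for all users",
            [Signal("ca-mfa-policy", "/identity/conditionalAccess/policies",
                    condition=mfa_required_for_all)]),
    Control("EX-2", "Restrict guest invitations to admins",
            [Signal("guest-invite-setting", "/policies/authorizationPolicy",
                    expected={"adminsAndGuestInviters", "none"},
                    condition=lambda obs, exp: obs["allowInvitesFrom"] in exp)]),
    Control("EX-3", "Review privileged role membership",
            [Signal("directory-roles", "/directoryRoles")]),  # no automated check
    Control("EX-4", "Placeholder control for an unlicensed workload", [],
            applies_if=lambda t: "PLACEHOLDER_SKU" in t["licenses"]),
    Control("EX-5", "Placeholder control whose signal cannot be collected",
            [Signal("unreachable", "/placeholder/unreachable-endpoint")]),
]

def run_assessment(controls: list[Control]) -> list[ControlResult]:
    # Controls are evaluated in parallel; results keep the input order.
    with ThreadPoolExecutor(max_workers=4) as pool:
        return list(pool.map(evaluate_control, controls))

def compliance_score(results: list[ControlResult]) -> float:
    # Passing / applicable * 100; Fail, Manual Review and Error count as applicable (assumption).
    applicable = [r for r in results if r.status != NOT_APPLICABLE]
    passing = sum(r.status == PASS for r in applicable)
    return round(100 * passing / len(applicable), 1) if applicable else 0.0
```

With this snapshot the five controls come out Pass, Fail, Manual Review, Not Applicable and Error, so one of four applicable controls passes and the score is 25.0. Two choices are worth noting: evidence is recorded for every executed signal, including the one left to manual review, so an auditor can see exactly what was collected and when; and Error is kept distinct from Fail but still counted as applicable, so a collection outage cannot inflate the score. The page does not say how Securtea treats Error in scoring, so compliance_score is the single place to change that assumption.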

Severity Levels

Controls have assigned severity levels:

Severity   Impact of Non-Compliance
---------  --------------------------
Critical   Immediate security risk
High       Significant security gap
Medium     Moderate security concern
Low        Minor security improvement

Getting Started

Run Your First Assessment

  1. Navigate to Compliance in the sidebar
  2. Click Run Assessment
  3. Select framework(s) to evaluate
  4. Click Start Assessment
  5. Wait for completion (typically 2-5 minutes)
  6. Review your results

Schedule Recurring Assessments

For continuous compliance monitoring:

  1. Go to Compliance > Settings
  2. Click Configure Schedule
  3. Select frequency (daily, weekly, monthly)
  4. Choose frameworks to include
  5. Click Save Schedule

Key Features

Multi-Framework Assessment

Assess against multiple frameworks simultaneously:

  • Run combined assessments
  • See cross-framework control mapping
  • Identify controls that satisfy multiple frameworks

Evidence Collection

Automatically collect evidence for each control:

  • Configuration snapshots
  • API response data
  • Timestamps and metadata

Historical Tracking

Track compliance over time:

  • View assessment history
  • Compare results between runs
  • Identify trends and patterns

Remediation Guidance

Get actionable steps to address failures:

  • Step-by-step remediation instructions
  • Links to relevant Microsoft documentation
  • Priority recommendations
