Microsoft 365 ISO 27001 action plan — Top priorities for your first 30 days, 90 days, and beyond

The International Organization for Standardization (ISO) is an independent nongovernmental developer of voluntary international standards. The International Electrotechnical Commission (IEC) leads the preparation and publication of international standards for electrical, electronic, and related technologies. The ISO/IEC 27000 family of standards outlines controls and mechanisms that help maintain the security of information assets.

ISO/IEC 27001 is the international standard for implementing an information security management system (ISMS). An ISMS describes the necessary methods used and evidence associated with requirements that are essential for the reliable management of information asset security in any type of organization.

This article includes a prioritized action plan you can follow as you work to meet the requirements of ISO/IEC 27001. This action plan was developed in partnership with Protiviti, a Microsoft partner specializing in regulatory compliance. Learn more about how to use this action plan at Microsoft Ignite by attending this session: Chart your Microsoft 365 compliance path and information protection strategy, presented by Maithili Dandige (Microsoft) and Antonio Maio (Protiviti).

Action plan outcomes

These recommendations are provided across three phases in a logical order with the following outcomes:

Phase: 30 days

Understand your ISO 27001 governance and compliance requirements.
• Conduct a risk assessment and align risk management and mitigation to that assessment’s outcomes.
• Assess and manage your compliance risks by using Microsoft Compliance Score.
• Establish standard operating procedures (SOPs) for each of the 14 ISO 27001 groups.

Start planning a rollout of information classification and retention policies and tools to the organization to help users identify, classify, and protect sensitive data and assets.
• Learn how the Azure Information Protection application and policies can help users easily apply visual sensitivity markings and metadata to documents and emails. Develop your organization’s information classification schema, along with an education and rollout plan.
• Consider rolling out Office 365 Labels to the organization to help users easily apply record retention and protection policies to content. Plan your organization’s labels in accordance with your legal requirements for information record retention, along with an education and rollout plan.

Ensure that records related to information security are protected from loss, deletion, modification, or unauthorized access by creating Audit and Accountability policies as part of your Standard Operating Procedures (SOPs).
• Enable audit logging (including mailbox auditing) to monitor Office 365 for potentially malicious activity and to enable forensic analysis of data breaches.
• On a regular cadence, search your Office 365 tenant’s audit logs to review changes that have been made to the tenant’s configuration settings.
• Enable alert policies for sensitive activities, such as when an elevation of privileges occurs on a user account.
• For long-term storage of Office 365 audit log data, use the Office 365 Management Activity API reference to integrate with a security information and event management (SIEM) tool.

Define administrative and security roles for the organization, along with appropriate policies related to segregation of duties.
• Utilize the Office 365 administrative roles to enable separation of administration duties.
• Segment permissions to ensure that a single administrator does not have greater access than necessary.

Phase: 90 days

Use Microsoft 365 security capabilities to control access to the environment, and protect organizational information and assets according to your defined standard operating procedures (SOPs).
• Protect administrator and end-user accounts by enabling identity and authentication solutions, such as multi-factor authentication and modern authentication.
• Establish strong password policies to manage and protect user account credentials.
• Configure and roll out message encryption capabilities to help end users comply with your organization’s SOPs when sending sensitive data via email.
• Protect against malicious code and implement data breach prevention and response procedures.
• Configure Data Loss Prevention (DLP) policies to identify, protect, and control access to sensitive data.
• Ensure that sensitive data is stored and accessed according to corporate policies.
• Prevent the most common attack vectors, including phishing emails and Office documents containing malicious links and attachments.

Phase: Beyond 90 days

Use Microsoft 365 advanced data governance tools and information protection to implement ongoing governance programs for personal data.
• Automatically identify personal information in documents and emails.
• Protect sensitive data stored and accessed on mobile devices across the organization, and ensure that compliant corporate devices are used to access data.

Monitor ongoing compliance across Microsoft 365 and other cloud applications.
• To evaluate performance against standard operating procedures (SOPs), utilize Compliance Score to perform regular assessments of the organization’s information security policies and their implementation.
• Review and monitor the information security management system on an ongoing basis.
• Control and perform regular reviews of all users and groups with high levels of permissions (i.e., privileged or administrative users).
• Deploy and configure Microsoft 365 capabilities for protecting privileged identities and strictly controlling privileged access.
• As part of your standard operating procedures (SOPs), search the Office 365 audit logs to review changes that have been made to the tenant’s configuration settings, elevation of end-user privileges, and risky user activities.
• Monitor your organization’s usage of cloud applications and implement advanced alerting policies.
• Track risky activities to identify potentially malicious administrators, to investigate data breaches, or to verify that compliance requirements are being met.

30 days — Powerful Quick Wins

These tasks can be accomplished quickly and have low impact to users.

Area: Understand your ISO 27001 governance and compliance requirements.
• Assess and manage your compliance risks by using the Compliance Score to conduct an ISO 27001:2013 assessment of your organization.
• Establish standard operating procedures (SOPs) for each of the 14 ISO 27001 groups.

Area: Start planning a rollout of information classification and retention policies and tools to the organization to help users identify, classify, and protect sensitive data and assets.
• Help users easily identify and classify sensitive data, according to your information protection policies and standard operating procedures (SOPs), by rolling out classification policies and the Azure Information Protection application. Develop your organization’s information classification schema (policies), along with an education and rollout plan.
• Help users easily apply record retention and protection policies to content by rolling out Office 365 Labels to the organization. Plan your organization’s labels in accordance with your legal requirements for information record retention, along with an education and rollout plan.

Area: Ensure that records related to information security are protected from loss, deletion, modification, or unauthorized access by creating Audit and Accountability policies as part of your Standard Operating Procedures (SOPs).
• Enable Office 365 audit logging and mailbox auditing (for all Exchange mailboxes) to monitor Office 365 for potentially malicious activity and to enable forensic analysis of data breaches.
• On a regular cadence, search your Office 365 tenant’s audit logs to review changes that have been made to the tenant’s configuration settings.
• Enable Office 365 Alert Policies in the Microsoft 365 security or compliance center for sensitive activities, such as when an elevation of privileges occurs on a user account.
• For long-term storage of Office 365 audit log data, use the Office 365 Management Activity API reference to integrate with a security information and event management (SIEM) tool.

Area: Define administrative and security roles for the organization, along with appropriate policies related to segregation of duties.
• Utilize the Office 365 administrative roles to enable separation of administration duties. Note: many administrator roles in Office 365 have a corresponding role in Exchange Online, SharePoint Online, and Skype for Business Online.
• Segment permissions to ensure that a single administrator does not have greater access than necessary.
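The audit and accountability tasks above, as an added example that is not part of the Microsoft/Protiviti action plan: it turns on unified audit logging and mailbox auditing, checks that no mailbox is left unaudited or bypassing audit, and pulls a week of tenant configuration changes for the SOP review. It assumes the ExchangeOnlineManagement module and an account holding the Audit Logs and Organization Management roles; the admin UPN and output path are placeholders.

```powershell
# Added example (not from the action plan): enable auditing and review tenant
# configuration changes. Assumes the ExchangeOnlineManagement module; the UPN
# and the CSV path are placeholders.
Import-Module ExchangeOnlineManagement
Connect-ExchangeOnline -UserPrincipalName 'admin@contoso.example'   # placeholder UPN

# 1. Unified audit log ingestion for the whole tenant (safe to re-run).
Set-AdminAuditLogConfig -UnifiedAuditLogIngestionEnabled $true

# 2. Mailbox auditing on every user mailbox that does not already have it.
Get-Mailbox -ResultSize Unlimited -RecipientTypeDetails UserMailbox |
    Where-Object { -not $_.AuditEnabled } |
    Set-Mailbox -AuditEnabled $true

# Evidence for the SOP: unaudited mailboxes should be zero, and no account
# should bypass auditing without a documented exception.
$unaudited = @(Get-Mailbox -ResultSize Unlimited -RecipientTypeDetails UserMailbox |
    Where-Object { -not $_.AuditEnabled }).Count
$bypass = @(Get-MailboxAuditBypassAssociation -ResultSize Unlimited |
    Where-Object { $_.AuditBypassEnabled })
Write-Host "Unaudited mailboxes: $unaudited; audit-bypass accounts: $($bypass.Count)"

# 3. Configuration changes in the last 7 days. Exchange admin cmdlets are logged
#    under RecordType ExchangeAdmin; a session id pages past the 5000-record
#    limit of a single call.
$start = (Get-Date).AddDays(-7); $end = Get-Date
$sessionId = 'config-review-' + (Get-Date -Format 'yyyyMMddHHmmss')
$records = @()
do {
    $page = Search-UnifiedAuditLog -StartDate $start -EndDate $end `
        -RecordType ExchangeAdmin -SessionId $sessionId `
        -SessionCommand ReturnLargeSet -ResultSize 5000
    if ($page) { $records += $page }
} while ($page -and @($page).Count -eq 5000)

# Keep only state-changing operations, newest first, and export as the review record.
$changes = $records |
    Where-Object { $_.Operations -match '^(Set|New|Remove|Enable|Disable|Add)-' } |
    Sort-Object CreationDate -Descending |
    Select-Object CreationDate, UserIds, Operations
$changes | Format-Table -AutoSize
$changes | Export-Csv -Path '.\tenant-config-changes.csv' -NoTypeInformation
```

Reviewers who need the who/what detail behind a row can expand the matching record's AuditData JSON field, which carries the cmdlet parameters that were changed.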

90 days — Enhanced Protections

These tasks take a bit more time to plan and implement but greatly increase your security posture.

Area: Use Microsoft 365 security capabilities to control access to the environment, and protect organizational information and assets according to your defined standard operating procedures (SOPs).
• Protect administrator and end-user accounts by implementing identity and device access policies, including enabling multi-factor authentication (MFA) for all user accounts and modern authentication for all apps.
• Establish strong password policies to manage and protect user account credentials.
• Set up Office 365 Message Encryption (OME) to help end users comply with your organization’s SOPs when sending sensitive data via email.
• Deploy Windows Defender Advanced Threat Protection (ATP) to all desktops for protection against malicious code, as well as data breach prevention and response.
• Configure, test, and deploy Office 365 Data Loss Prevention (DLP) policies to identify, monitor, and automatically protect over 80 common sensitive data types within documents and emails, including financial, medical, and personally identifiable information.
• Configure Policy Tips to automatically inform email senders that they may be about to violate one of your policies, even before they send an offending message. Policy Tips can be configured to present a brief note in Outlook, Outlook on the web, and OWA for devices that provides information about possible policy violations during message creation.
• Implement Office 365 Advanced Threat Protection (ATP) to help prevent the most common attack vectors, including phishing emails and Office documents containing malicious links and attachments.
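The DLP and Policy Tip tasks above, as an added example that is not the action plan's own code: it creates a DLP policy for credit card numbers in email leaving the organization, starts it in test mode so senders see the Policy Tip while nothing is blocked yet, and shows the command that enforces it after review. It assumes the ExchangeOnlineManagement module and a Compliance Administrator account; the policy name, UPN, SOP reference and tip text are placeholders.

```powershell
# Added example (not from the action plan): DLP policy with a Policy Tip for card
# numbers in outbound email. Names, UPN and tip text are placeholders.
Import-Module ExchangeOnlineManagement
Connect-IPPSSession -UserPrincipalName 'admin@contoso.example'   # Security & Compliance PowerShell

$policyName = 'ISO27001-PCI-Outbound-Email'

# Test mode with notifications: the sender sees the Policy Tip and incident reports
# are produced, but access is not blocked until the rule has been reviewed.
New-DlpCompliancePolicy -Name $policyName `
    -Comment 'Card numbers in outbound email (SOP reference: placeholder)' `
    -ExchangeLocation All `
    -Mode TestWithNotifications

# One rule: a single 'Credit Card Number' match in mail to external recipients
# triggers the tip, blocks the message once enforced, and files a high-severity report.
New-DlpComplianceRule -Name "$policyName-Rule" -Policy $policyName `
    -ContentContainsSensitiveInformation @{ Name = 'Credit Card Number'; minCount = '1' } `
    -AccessScope NotInOrganization `
    -NotifyUser Owner `
    -NotifyPolicyTipCustomText 'This message appears to contain payment card numbers. Remove them or send it with Office 365 Message Encryption.' `
    -BlockAccess $true `
    -GenerateIncidentReport SiteAdmin `
    -ReportSeverityLevel High

# Confirm what was created. After the test period, enforce with:
#   Set-DlpCompliancePolicy -Identity $policyName -Mode Enable
Get-DlpCompliancePolicy -Identity $policyName | Format-List Name, Mode, ExchangeLocation
Get-DlpComplianceRule -Policy $policyName | Format-List Name, AccessScope, BlockAccess, NotifyUser
```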

Beyond 90 Days — Ongoing Security, Data Governance, and Reporting

Secure personal data at rest and in transit, detect and respond to data breaches, and facilitate regular testing of security measures. These are important security measures that build on previous work.

Area: Use Microsoft 365 advanced data governance tools and information protection to implement ongoing governance programs for personal data.
• Use Office 365 Advanced Data Governance to identify personal information in documents and emails by automatically applying Office 365 Labels.
• Use Microsoft Intune to protect sensitive data stored and accessed on mobile devices across the organization, and ensure that compliant corporate devices are used to access data.

Area: Monitor ongoing compliance across Microsoft 365 and other cloud applications.
• To evaluate performance against standard operating procedures (SOPs), use Compliance Score on an ongoing basis to perform regular ISO 27001:2013 assessments of the organization’s information security policies and their implementation.
• Review and monitor the information security management system on an ongoing basis.
• Use Azure AD Privileged Identity Management to control and perform regular reviews of all users and groups with high levels of permissions (i.e., privileged or administrative users).
• Deploy and configure Privileged Access Management in Office 365 to provide granular access control over privileged admin tasks in Office 365. Once enabled, users need to request just-in-time access to complete elevated and privileged tasks through an approval workflow that is highly scoped and time-bound.
• As part of your standard operating procedures (SOPs), search the Office 365 audit logs to review changes that have been made to the tenant’s configuration settings, elevation of end-user privileges, and risky user activities.
• Audit non-owner mailbox access to identify potential leaks of information and to proactively review non-owner access on all Exchange Online mailboxes.
• Use Office 365 Alert Policies, data loss prevention reports, and Microsoft Cloud App Security to monitor your organization’s usage of cloud applications and implement advanced alerting policies based on heuristics and user activity.
• Use Microsoft Cloud App Security to automatically track risky activities, to identify potentially malicious administrators, to investigate data breaches, or to verify that compliance requirements are being met.
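Two of the recurring review tasks above (non-owner mailbox access and the review of highly privileged users), as an added example that is not the action plan's own code: it lists who accessed mailboxes they do not own over the last 30 days, then lists members of the most privileged Exchange Online role groups and flags anyone not on the approved roster. It assumes the ExchangeOnlineManagement module; the admin UPN, the approved-admin roster and the output path are placeholders.

```powershell
# Added example (not from the action plan): non-owner mailbox access review and
# privileged role-group review. UPN, roster and CSV path are placeholders.
Import-Module ExchangeOnlineManagement
Connect-ExchangeOnline -UserPrincipalName 'admin@contoso.example'   # placeholder UPN

# --- Non-owner mailbox access -------------------------------------------------
# Mailbox audit events sit in the unified log as RecordType ExchangeItem, with the
# event body in the AuditData JSON field; LogonType 0 = owner, 1 = admin, 2 = delegate.
# A single call returns at most 5000 records; page with -SessionId for larger tenants.
$start = (Get-Date).AddDays(-30); $end = Get-Date
$nonOwner = Search-UnifiedAuditLog -StartDate $start -EndDate $end `
        -RecordType ExchangeItem -ResultSize 5000 |
    ForEach-Object { $_.AuditData | ConvertFrom-Json } |
    Where-Object { $_.LogonType -ne 0 }

# Who touched whose mailbox, and how often. Non-owner access without a documented
# delegation is what the SOP review should follow up.
$nonOwner |
    Group-Object MailboxOwnerUPN, UserId, Operation |
    Sort-Object Count -Descending |
    Select-Object Count, Name |
    Format-Table -AutoSize

# --- Privileged role-group membership -----------------------------------------
# Members outside the approved roster are flagged REVIEW for the access review.
$approvedAdmins   = @('admin@contoso.example', 'breakglass@contoso.example')   # constructed roster
$privilegedGroups = 'Organization Management', 'Discovery Management', 'Compliance Management'
$review = foreach ($group in $privilegedGroups) {
    foreach ($m in Get-RoleGroupMember -Identity $group -ResultSize Unlimited) {
        $email = [string]$m.PrimarySmtpAddress
        [pscustomobject]@{
            RoleGroup = $group
            Member    = $m.Name
            Email     = $email
            Status    = if ($approvedAdmins -contains $email) { 'approved' } else { 'REVIEW' }
        }
    }
}
$review | Format-Table -AutoSize
$review | Export-Csv -Path '.\privileged-access-review.csv' -NoTypeInformation
```

Keep the exported CSV with the review's sign-off as the evidence that the access review in your SOP actually ran.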

Learn more