Skip to main content

Stop Shipping Settings, Start Shipping a Standard: CIS Controls for M365

Nick Ross3 min read

TL;DR

  • Implementing a Microsoft 365 checklist at onboarding is not the same as having a cybersecurity standard; the difference is a framework that explains why each control exists.
  • The CIS Controls' implementation groups let organizations of different sizes and maturity levels prioritize security work instead of attempting everything at once.
  • Scoring a current profile and a target profile across the CIS Controls turns a static checklist into a measurable improvement roadmap.
  • A control matrix mapping Entra ID, Intune, Exchange, Teams, SharePoint, OneDrive, Defender, and Purview settings to CIS Controls, with license requirements, makes the baseline auditable across customers.
  • As of May 2024, automated tooling can run pass/fail checks of a Microsoft 365 tenant against the CIS Controls and generate the evidence report for you.

Every MSP has a Microsoft 365 onboarding checklist. Far fewer can hand a client, an auditor, or an insurer a document explaining what standard that checklist serves, who reviews it, and how far the customer sits from the target state. That second thing is a security practice. The first is just settings.

The pattern shows up in conversation after conversation with MSPs: the checklist gets implemented at onboarding, Secure Score recommendations fill in the gaps, and the customer hears about their improving posture. What is missing is the layer above: written policy definitions and a north-star framework that gives the whole effort structure. Because time and resources are always the constraint, the question that matters is which actions are most impactful for your MSP and, downstream, for every customer you manage.

A quick maturity check before the framework

Five questions to locate yourself:

  • Do we follow a framework or standard that gives our cybersecurity strategy a consistent approach?
  • Do we have written, implemented policy definitions across customers, such as an incident response plan, vulnerability management, and backup and disaster recovery?
  • Do we keep base policy definitions that can be modified for the uniqueness of each customer environment?
  • Do we run a formal review process for the policies and controls in place?
  • Do we set current and target profiles for our cybersecurity improvements?

If the honest answer to most of these is no, your security lifecycle is ad-hoc and reactive. That is fixable, and the CIS Controls are a practical north star to fix it with. The template below organizes your policy definitions around them and puts a why behind every control you implement.

Why the CIS Controls fit MSPs

CIS Controls framework overview

The CIS Controls are a set of actionable security best practices from the Center for Internet Security, covering the essential areas of information security in a structured, adaptable way. The feature that makes them especially practical for MSPs is the implementation groups: prioritization tiers that let organizations of different sizes and maturity levels sequence their security work. Start with the safeguards protecting the most critical assets and processes, then build outward. That tiered approach is what makes the CIS Controls workable across a customer base that ranges from five-seat shops to regulated mid-market clients.

Score where you are, define where you are going

The template includes a basic self-scoring assessment to surface where your gaps exist today. The goal is to rank yourself across the CIS Controls against both a current profile and a target profile:

CIS Controls self-assessment scoring profiles

Tabs within the assessment carry the per-control scoring, including a current score and target scores:

Assessment tabs with current and target scores across the CIS Controls

The matrix: every M365 control, its CIS mapping, its license

The operational core of the template is a matrix of recommended Microsoft security controls across Entra ID, Intune, Exchange, Teams, SharePoint, OneDrive, Defender, and Purview, each mapped to the CIS Controls. Every row carries the base license requirement for the control plus checklist columns, so you can track implementation progress across customers and answer "why is this setting on?" with a framework citation instead of a shrug.

Microsoft 365 control matrix mapped to CIS Controls with license requirements

Going multi-tenant: the Power BI layer

For tracking assessments over time across all of your customers, there is an enablement ebook and a multi-tenant Power BI template. The ebook also bundles the rollout material you need when controls touch end users:

  • Setup instructions for each Microsoft control
  • PowerShell scripts
  • Video tutorials
  • 40+ end-user notification templates for controls that impact end users
Power BI template for tracking CIS assessments across customers

Details: CIS Controls Power BI template (opens in new tab).

Or skip the manual pass entirely

As of May 2024, the assessment itself can be automated. CloudCapsule performs automated pass/fail checks of Microsoft 365 tenant security against the CIS Controls and generates the report. Here is what the output looks like:

CloudCapsule automated CIS assessment report overview
CloudCapsule report detail showing control pass/fail results
CloudCapsule report detail with remediation context

You can run a free assessment on a tenant at cloudcapsule.io, and a full sample report is here (opens in new tab).

Frequently asked questions

What are CIS implementation groups?

Implementation groups are the CIS Controls' prioritization tiers. They let organizations of varying size and security maturity start with the safeguards protecting the most critical assets and build up methodically, rather than treating all controls as equally urgent.

Why map Microsoft 365 controls to a framework instead of just using Secure Score?

Secure Score recommends settings but does not give you policy definitions, a review cadence, or a defensible rationale tied to a recognized standard. Mapping controls to the CIS Controls supplies the why that clients, auditors, and insurers increasingly ask for.

Can the CIS assessment be automated for Microsoft 365?

Yes. As of May 2024, CloudCapsule performs automated pass/fail checks of Microsoft 365 tenant security against the CIS Controls and generates a report, replacing the manual evidence-gathering pass.

The CIS assessment that runs while you grab coffee

Scoring a tenant against the CIS Controls by hand eats a day. CloudCapsule runs automated pass/fail checks across 250+ controls in about 60 seconds and hands you the client-ready report, free for your first tenant.

Run a free assessment
Nick Ross

Written by

Nick Ross

CEO · Microsoft MVP · Founder, T-Minus 365

Nick is not just a CEO, he's a respected thought leader and influencer in the MSP space. Tens of thousands of MSPs learn through his YouTube channel, T-Minus365. Nick has been honored as a three-time Microsoft MVP for his educational content; his expertise and influence are the backbone of our mission, ensuring that you are in the best hands when it comes to security.

Nick joined Pax8 in 2017, where he would ultimately oversee product management for PSA and Microsoft integrations. Following his tenure at Pax8, Nick has continued to demonstrate his leadership prowess as an executive at various MSPs, culminating in his most recent role at Sourcepass.

Nick holds a Bachelor's Degree in Business Management from Florida State University, as well as a Minor Degree in Entrepreneurship. In his free time, Nick is an avid hiker, reader, and fitness-junkie.

Keep reading