Free Microsoft 365 Security Assessment Tool based on CIS Controls


Note: I have updated this workbook to reflect changes in v8 of the CIS Controls framework. Please see this post for more details.

Update: I also offer a course on implementing the CIS Controls. Included with this course is an expanded assessment workbook (to include all three implementation groups) and other resources such as Information Security Policy templates, and more.

Especially in the small and mid-sized enterprise space, it can be very difficult to persuade customers to spend additional money on their technology investments “because security.” Therefore, education is an important part of your job as an advisor in this area. Besides being able to paint a picture of “what good looks like” for stakeholders on a conceptual level, you also need to clearly illustrate the risks that their business faces.

In other words, you want to be able to highlight the risks that they are choosing to accept by not spending that extra money.

The best way to do this is to perform an initial assessment against a standardized and reputable security control framework such as the NIST Cybersecurity Framework (CSF) or the CIS Controls from the Center for Internet Security (CIS). One extremely valuable resource that I like to use is a free “Initial Assessment” tool published by AuditScripts. It’s wonderful, and I encourage you to check it out. The workbook goes into good detail on each of the 20 critical controls laid out by CIS, in three separate “Implementation Groups” (IGs).

Image credit: Center for Internet Security

For each group, you have a set of recommended actions or “to-do’s.” Using the tool you can report on whether the control is implemented, whether there is a policy backing the control, and you may indicate whether you have this control automated and reported to the business. All of these responses have varying degrees of “completeness” that you can choose from such as “Informal policy” vs. “Approved written policy.” In turn these responses roll up into some nice reporting and a dashboard that does a really nice job of illustrating an organization’s maturity and currently accepted risk level.

I copied this idea and general format into a simple, one-page spreadsheet that contains some specific recommended actions for Microsoft 365, specifying the features or settings to implement for each Implementation Group. A keen eye will notice that not all of the CIS controls can be addressed purely within Microsoft 365. For example, some controls pertain to software development practices or networking security technologies. However, I have still included descriptions for each of the controls regardless, borrowing heavily from CIS documentation. After all, just because you cannot address a risk with Microsoft 365 does not mean that it doesn’t exist.

It is far from being a perfect tool, and not even as complete as the AuditScripts workbook on which it is based, but I think it is an easy one to adopt and understand for those working to move their customers further into Microsoft 365.

Once you answer all of the questions for your organization, you’ll see lots of holes and opportunities to provide valuable improvements. But when you are prioritizing the work, it is recommended to approach implementation in the following order: focus on IG1 before proceeding to IG2 (i.e. to complete IG2 you must also complete IG1). As well, plan to complete the Basic controls (ID #1-6) before proceeding to the Foundational (ID #7-16) and finally the Organizational (ID #17-20). You should make an effort to address each of the controls to at least IG1, but very few small or mid-sized orgs would be willing to spend the money to complete IG3, and that’s okay.
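To make the roll-up and the prioritization rules above concrete, here is an added example (not code from the original post or from the workbook itself) that scores a handful of constructed workbook rows and orders the open actions the way the post recommends: IG1 before IG2 before IG3, and within an IG the Basic controls (1-6) before Foundational (7-16) before Organizational (17-20). The answer weights, the sample actions and their answers are assumptions constructed for the example; the workbook's own scoring is not shown on the page.

```python
# Added example, not the post's or the workbook's own code. Models how per-control
# answers roll up into a maturity figure and how remediation is ordered per the post's
# rules. Weights, sample rows and answers below are constructed assumptions.
from statistics import mean

IG_ORDER = {"IG1": 0, "IG2": 1, "IG3": 2}
TIER_ORDER = {"Basic": 0, "Foundational": 1, "Organizational": 2}
# Assumed completeness weights per answer (the workbook's real scoring is not on the page).
WEIGHT = {"No": 0.0, "Partial": 0.5, "Informal policy": 0.5,
          "Approved written policy": 1.0, "Yes": 1.0}

def tier(control_id):
    """Map a CIS v7 control number to its tier, as the post groups them."""
    if 1 <= control_id <= 6:
        return "Basic"
    if 7 <= control_id <= 16:
        return "Foundational"
    if 17 <= control_id <= 20:
        return "Organizational"
    raise ValueError(f"unknown CIS control id {control_id}")

def item_score(item):
    """Average the three workbook dimensions: implemented, policy-backed, automated/reported."""
    return mean([WEIGHT[item[k]] for k in ("implemented", "policy", "automated")])

def maturity_by_ig(items):
    """Mean score of the actions in each implementation group (0.0 to 1.0)."""
    groups = {}
    for it in items:
        groups.setdefault(it["ig"], []).append(item_score(it))
    return {ig: mean(scores) for ig, scores in groups.items()}

def ig_complete(items, ig):
    """An IG counts as complete only when it and every lower IG are fully scored."""
    return all(item_score(it) == 1.0 for it in items if IG_ORDER[it["ig"]] <= IG_ORDER[ig])

def roadmap(items):
    """Open actions in the order the post recommends tackling them."""
    todo = [it for it in items if item_score(it) < 1.0]
    return sorted(todo, key=lambda it: (IG_ORDER[it["ig"]], TIER_ORDER[tier(it["id"])], it["id"]))

# Constructed sample answers for a few workbook rows (not real customer data).
SAMPLE = [
    {"id": 1, "ig": "IG1", "action": "device inventory", "implemented": "Yes", "policy": "Informal policy", "automated": "No"},
    {"id": 4, "ig": "IG1", "action": "admin MFA", "implemented": "Partial", "policy": "No", "automated": "No"},
    {"id": 8, "ig": "IG1", "action": "endpoint anti-malware", "implemented": "Yes", "policy": "Approved written policy", "automated": "Yes"},
    {"id": 17, "ig": "IG1", "action": "awareness training", "implemented": "No", "policy": "No", "automated": "No"},
    {"id": 4, "ig": "IG2", "action": "conditional access for all users", "implemented": "No", "policy": "No", "automated": "No"},
]
```

Calling `roadmap(SAMPLE)` puts the two open IG1 Basic rows first, then the IG1 Organizational row, and only then the IG2 row, even though that IG2 row scores lowest.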

The point is to have a roadmap with a prioritized list of action items (based on a trusted security framework) that can be reported back to the business, and in that regard, I think this works nicely.

That is probably enough backstory and description to get you started. You can download your copy of the workbook here.

And here is a link to the CIS Controls.

The initial assessment tool (on which my own was based) is available from AuditScripts.

Comments (6)

  • Mladen

    Great template, really great!

    May 25, 2020 at 12:19 pm
  • M.M

    Hi Alex
    Unfortunately the link to SharePoint, where you should download the Workbook, is not valid anymore.
    Can you please create a new link?

    August 18, 2020 at 5:19 am
  • Kenneth Barnes

    This is great. Do you ever update this when CIS updates their controls?

    December 2, 2020 at 6:12 am
    • Alex

      I should!

      December 5, 2020 at 10:06 am
  • Milan

    Hello,
    great work. Do you plan to update it to version 8? The AuditScripts template is updated now.

    November 21, 2021 at 2:49 am
