Framework readiness, without compliance overclaiming
ScanPosture maps observable Microsoft 365 and Entra ID controls to recognised framework themes, helping teams understand technical alignment, evidence gaps, and areas that need remediation.
ScanPosture does not certify compliance, provide legal advice, or replace formal audit sign-off.
What ScanPosture means by readiness
We use these terms consistently across every framework view so readiness language is never ambiguous.
Observable Readiness
ScanPosture has technical evidence that supports alignment for the assessed Microsoft 365 and Entra ID scope.
Strong
Evidence indicates the relevant control area is well supported within the assessed scope.
Moderate
Evidence supports partial alignment, but improvement or broader coverage is needed.
Limited
Evidence shows material gaps or weak coverage.
Insufficient Evidence
ScanPosture cannot draw a reliable conclusion from the observable signals available.
Out of Current Assessment Scope
The area lies outside the currently connected scope, so it is not assessed and no readiness level is reported for it.
Six framework readiness views
Each framework has its own boundary statement — what ScanPosture can observe, and what it cannot conclude on its own.
Cyber Essentials
ScanPosture supports Cyber Essentials readiness by assessing Microsoft 365 and Entra ID signals related to secure configuration, user access control, MFA, privileged access, and account hygiene. The remaining Cyber Essentials controls (firewalls, malware protection, and security update management) depend largely on endpoint and network configuration, which is only covered where it is observable from the connected Microsoft scope.
Boundary: It does not submit, approve, or certify a Cyber Essentials assessment.
ISO 27001
ScanPosture maps observable technical controls to selected ISO 27001:2022 Annex A controls, mainly the technological controls covering identity, access control, privileged access, logging, monitoring, and configuration management.
Boundary: It does not replace a formal ISO 27001 audit or certification.
GDPR Article 32
ScanPosture helps evidence selected technical and organisational measures relevant to GDPR Article 32 (security of processing), including access control, authentication strength, logging, and protection against unauthorised access.
Boundary: It does not provide legal advice or determine GDPR compliance.
NIST CSF
ScanPosture maps Microsoft 365 and Entra ID posture signals to selected NIST CSF security outcomes, especially across the Protect and Detect functions.
Boundary: It does not assess the full organisational NIST CSF programme; outcomes under Govern, Respond, and Recover depend largely on organisational process and are not evidenced from tenant signals.
CIS Controls
ScanPosture supports readiness against selected CIS Controls themes including account management, access control, audit logging, email security, and secure configuration.
Boundary: It does not perform full endpoint, network, or server configuration assessment unless those areas are observable in the connected scope.
SOC 2
ScanPosture helps produce technical evidence relevant to selected SOC 2 trust services criteria, especially the Common Criteria covering logical access control, system monitoring, and change visibility.
Boundary: It does not provide a SOC 2 audit opinion or replace an auditor’s procedures.
What ScanPosture can and cannot see
Readiness views reflect the Microsoft 365 and Entra ID signals ScanPosture can observe. Anything outside the connected tenant, or outside the assessment scope, stays outside the report.
What is in scope
- Microsoft 365 configuration signals
- Entra ID identity and access controls
- Conditional Access posture
- Privileged role configuration
- Guest and external access
- Non-human identity
- Exchange Online security posture
- SharePoint and Teams collaboration posture
- Logging and audit configuration
- Device posture where observable
What is not automatically in scope
- Formal audit judgement
- Legal compliance opinion
- Policy documentation quality unless uploaded or managed in-product
- HR processes
- Endpoint configuration beyond observable Microsoft signals
- Non-Microsoft cloud or SaaS platforms unless later connected
- Manual business process evidence
Readiness views show observable technical alignment within ScanPosture’s assessment scope. They do not certify compliance.
Understand what your Microsoft evidence can and cannot support
Book a 30-minute walkthrough of the framework readiness views against a working ScanPosture tenant.
