How it works

From first sign-in to certified — the whole machine, in the open.

No black box, no "trust us". Here is the exact sequence a Checkpoint engagement runs through — sign in, deploy, scan, report, remediate, certify — what you do, what runs on its own, and where every byte of your data lives at each step (spoiler: your tenant, the whole time).

Everything below maps to something real in the console — nothing here is a mock-up of a feature that doesn't ship.

The end-to-end journey

Six stages. Follow the flow — then open any one of them.

This is the flow, not a metaphor for it. Each node is a real stage; the pill under it says who's driving. Tap a stage to jump to exactly what happens inside it.

Inside each stage

What actually happens, and who does it

01

Sign in

You drive ~2 min

Your Microsoft account. Read-only, and you can see exactly what it asks for.

You sign in with your own Microsoft 365 account — no new password to invent, no account on our side to create. The first consent screen requests read-only Graph scopes only, each one listed in plain English with the reason it's needed. Write access to your SharePoint is a separate consent, requested later, the first time it's actually used.

You do

  • Sign in with your Microsoft account
  • Read the plain-English consent list
  • Approve read-only access

Checkpoint does

  • Requests least-privilege scopes only
  • Opens no popup — a full-page redirect, tokens in session memory
  • Asks for write access later, separately, never up front
You Microsoft Entra Checkpoint (your browser)

Output A read-only session — nothing written anywhere yet

02

Deploy

Automatic ~15 min, once

Your registers provision as SharePoint lists — in your tenant, not ours.

A 15-minute wizard checks what Checkpoint can read in your tenant, lets you choose which SharePoint site your records live in, and provisions every register — risks, actions, controls, evidence, audit log — as native SharePoint lists you already own. There is no database on our side to copy anything into, because there is no our side. The lists inherit your permissions, retention and versioning from the moment they exist.

You do

  • Pick which purchased frameworks to start with
  • Choose the SharePoint site (your root site by default)
  • Approve write access when it's first requested

Checkpoint does

  • Provisions every register as a SharePoint list in your tenant
  • Seeds each framework's full control set
  • Idempotent — safe to re-run, never double-creates
Checkpoint Microsoft Graph Your SharePoint

Output Your compliance registers, live as SharePoint lists you own

03

Scan

Automatic ~60 sec

Your live security posture — measured, not guessed from a spreadsheet.

Checkpoint reads your live tenant signals through Microsoft Graph — MFA coverage, Conditional Access, PIM usage, guest accounts, device compliance, risky OAuth grants, Secure Score — and turns them into pass / review / fail / manual results against your frameworks. Every check is honest about its limits: something Graph can't see licence-gates to a clean "manual", never a fabricated pass.

You do

  • Click "Run scan" (or let the schedule do it)
  • Nothing else — it reads, it never changes anything

Checkpoint does

  • Reads Entra, Intune and Defender signals read-only
  • Scores every applicable control across your frameworks
  • Exports the raw evidence behind each check, SHA-256-hashed
Checkpoint Microsoft Graph Entra · Intune · Defender Your SharePoint (evidence)

Output A scored posture snapshot + timestamped, hashed evidence filed automatically

04

Report

Automatic 1 click

Readiness, gaps and evidence — one board-ready pack, built from live data.

One click turns everything you've been working in into a paginated, classification-marked report — a readiness fingerprint, posture trend, control status by theme, a residual-risk heatmap and an evidence-coverage gauge. Five report types share one engine, so an Executive Summary and an Audit Readiness Report never disagree with each other. Sparse data degrades honestly to an "insufficient history" note, never a broken chart.

You do

  • Choose a report type
  • Click "Export PDF"

Checkpoint does

  • Assembles cover, dashboard, sections, methodology and sign-off
  • Pulls every figure live from your own registers
  • Auto-increments the version and logs it to the audit trail
Your SharePoint Checkpoint report engine Board-ready PDF

Output A board-ready, print-perfect PDF — and a shareable Trust Center page

05

Remediate

Together Ongoing

Work the gaps — and the evidence collects itself as you go.

Each gap becomes an action with an owner and a due date. Checkpoint's AI drafts policy language, risk treatment notes and evidence descriptions — grounded in your own registers, never invented, and never able to take an action itself. As controls move to implemented and scans re-run, the readiness rings fill in and a projected certification date is drawn from your real velocity — not a promise made on a kickoff call.

You do

  • Assign owners and work the top gaps
  • Accept, edit or discard AI-drafted language
  • Attach evidence (or let a scan capture it)

Checkpoint does

  • Drafts policies and treatments, grounded in your data
  • Re-scans on a schedule and flags drift
  • Recomputes the projected audit-ready date as work lands
You + AI Checkpoint Your registers

Output A closing gap list, a rising readiness score, a projected certification date

06

Certify

Together Audit day

Present live, hand the auditor a pack — and keep the rhythm after.

When it's time to prove it, Checkpoint switches to a full-screen, auto-cycling board deck built from the same live data — no screenshots, no stale slides. Your auditor gets a time-boxed Auditor Pack they can open without a licence. And certification isn't a finish line: the compliance calendar, internal-audit programme and scheduled re-scans keep the governance cadence running, so the week before a surveillance audit looks like every other week.

You do

  • Present live to the board or auditor
  • Share the time-boxed Auditor Pack
  • Keep working the calendar between audits

Checkpoint does

  • Builds the live board deck from current data
  • Generates a licence-free, expiring Auditor Pack
  • Runs the ongoing cadence — reviews, re-scans, drift alerts
Your SharePoint Auditor Pack Your auditor

Output A certification you can defend — and a rhythm that keeps it

Where your data goes

Nowhere. That's the whole point.

Trace any stage on the diagram and the data only ever moves between your browser and your own Microsoft 365 tenant. Posture signals are read live through Graph; every register and evidence file is a SharePoint list you own.

Nothing is sent to Compliance365 — not because we promise not to look, but because there is no backend and no database on our side for it to go to. Off-board us and your data doesn't get walled off; it was always yours.

The full security & architecture page →

YOUR MICROSOFT 365 TENANT Checkpoint in your browser Your SharePoint every register & evidence file Microsoft Graph read-only posture signals Entra · Intune Defender Compliance365 no backend · no database

Every arrow stays inside your tenant. The one line that would reach us doesn't exist.

What to expect

A realistic timeline, not a sales fantasy

Day 0 · 30 minutes

Signed in, deployed, scanned, first report in hand

Sign-in, the setup wizard, your first live posture scan and a board-ready readiness report — all inside the first half hour, with your registers already provisioned in your own tenant.

Weeks 1–4

Work the gaps, with AI doing the drafting

The top gaps become owned actions. AI drafts the policy language and treatment notes; you review and save. Evidence files itself with every scan. The readiness rings visibly fill.

Ongoing

The cadence runs itself

Scheduled re-scans flag drift before an auditor would. The compliance calendar, internal-audit programme and management review keep ISO 27001 clauses 9.2 / 9.3 satisfied continuously.

Audit day

Present live, hand over a pack

Full-screen board mode from live data — no screenshots. Your auditor opens a time-boxed Auditor Pack without needing a licence. Nothing is assembled in a panic the night before.

Certified — and after

A certification you can defend, and keep

The projected date was computed from your real velocity all along. After certification, the same rhythm keeps every surveillance audit looking like an ordinary week.

Why it lands

The power isn't a feature list. It's what stops being your problem.

Your data never leaves

No third-party GRC SaaS holding your risk register hostage. Every record is a SharePoint list in your own tenant — governed, retained and backed up by you.

Evidence collects itself

Every scan hashes and files the raw Graph data behind each check, auto-linked to the controls it satisfies. When the auditor says "prove it", it's already filed and dated.

A date you can trust

The projected certification date is drawn from your real remediation velocity — recomputed as work lands, honest when there isn't enough history yet. No kickoff-call promises.

Certification becomes a rhythm

The cadence keeps running between audits — re-scans, reviews, drift alerts — so the week before a surveillance visit looks exactly like every other week.

Don't take the diagram's word for it

Open the actual console with sample data — no sign-up, nothing installed — and walk the same flow yourself. Or book a 30-minute session and we'll run a read-only scan against your real tenant, so you leave with your actual gaps, not a pitch.

Try the live demo Book a walkthrough

← Back to the Checkpoint product overview

Microsoft Teams