COMPLIANCE365
CHECKPOINT

The compliance console that lives in your tenant.

Posture scanning via Microsoft Graph, a linked risk and actions register, a living Statement of Applicability, and one-click audit reports. Every record is stored as SharePoint lists inside your own Microsoft 365 tenant.

Sign-in only requests read-only Graph access for posture checks. Two further permissions are requested separately, only when first needed: SharePoint list access, the moment your registers are first loaded/created; email-send access, only if you use the "Email status update" button. An administrator must consent to each on first use.

Data residencyCheckpoint has no backend and no database. Your registers live in your SharePoint; posture checks are read at scan time and never leave the browser. (The practitioner-side Portfolio view is the one exception: it keeps a small local index — client name, tenant ID, last-synced summary numbers — in your own browser only, never any client's actual records.)
Working…

Dashboard

Live assurance position for this tenant. Every figure below is computed from the registers — nothing is typed into a slide the night before an audit.

Certification roadmap

Continuous monitoring — drift since last scan

Residual risk heatmap

Posture score trend

Governance

Activity

    Board view

    A live, presentation-ready summary — pull this up instead of screen-sharing the full console. Nothing here is editable; it always reflects the current data.

    Certification roadmap

    Top risks

    Upcoming milestones

    Posture scan

    Reads Conditional Access, directory roles, PIM, Identity Protection, Intune, OAuth app grants and Secure Score via Microsoft Graph — read-only, inside the tenant — across Identity, Devices, Apps & Data, Monitoring, Continuity, Supplier and Governance. Failed and review-grade checks become proposed risks and actions for your approval; checks with no automatable signal show Manual — verify rather than a false pass. Nothing enters the client register without a practitioner's sign-off.

    Tenant posture

    /100
    No scan yet this session

    Checks

    Risk register

    Inherent and residual scoring, linked controls and treatment actions. Residual scores recalculate automatically as linked actions complete.

    IDRiskCategorySourceInherentResidualOwnerStatus

    Actions register

    Every action traces to a risk and a control. Completing an action prompts evidence capture and updates the linked risk's residual score — the audit trail builds itself. Also the home for non-conformities and observations raised during internal or external audits.

    IDActionTypeRiskControlPriorityOwnerDueStatusEvidence

    Vendor risk

    Third-party suppliers with access to systems or data, reviewed on a cadence proportional to their criticality. Linked to the supplier-related controls (A.5.19–A.5.23, CC9.2, DISP.26) and to the risk register — an overdue review here is a live gap in the Statement of Applicability, not a separate spreadsheet.

    IDVendorCriticalityReview statusNext reviewCertificationsOwnerQuestionnaire

    AI systems

    Every AI system in use, its impact assessment status, and the ISO 42001 controls it evidences — the register ISO 42001 certification is actually built on, not a slide deck assembled the week before audit. EU AI Act risk tiers (Prohibited/High/Limited/Minimal) drive how much scrutiny each system gets.

    IDSystemRisk tierImpact assessmentVendorOwnerLast reviewed

    Frameworks

    Every framework Compliance365 delivers is available in Checkpoint — turn one on the moment a client purchases it. Enabling a framework here makes its control set appear in the Statement of Applicability immediately; nothing is deleted when a framework is switched off.

    Scan thresholds

    Posture-scan pass/review/fail thresholds, tunable per client. Each falls back to the default shown if left blank.

    Features

    Optional dashboard and workflow additions — switch any of these off per client without losing data. Turning one back on picks up exactly where it left off.

    Statement of Applicability

    One control set per purchased framework, cross-mapped to the others so shared evidence is never duplicated. ISO 27001 and ISO 42001 ship with their full Annex A; the remaining frameworks ship starter subsets — extend any of them in the SharePoint Controls list as engagements progress.

    Implementation
    ControlTitleApplicableStatusAlso satisfiesOwnerVerifiedEvidence

    Shared evidence

    One artefact often satisfies the same real-world control in every purchased framework at once. Pick a control below to see everywhere its evidence applies — across ALL entitled frameworks, following the cross-mappings already shown as "Also satisfies" on the Statement of Applicability — then attach it once instead of clicking "Link evidence" separately on each row.

    Start from a control

    Documents

    Real evidence storage in this tenant's SharePoint — the ISMS manual, policies, risk treatment plan, training records. Upload here, or upload directly in SharePoint and paste the link when linking evidence to a control or action. Files over 4 MB: upload in SharePoint directly, then paste the link.

    Upload a document

    NameCategoryModifiedSize

    Internal audits

    ISO 27001 clause 9.2 requires the organisation to run its own internal audit programme, independent of any external certification audit. Schedule audits per framework, record the outcome, and any findings raised become non-conformities or observations in the Actions register.

    IDFrameworkScopeAuditorPlannedStatus

    Management review

    ISO 27001 clause 9.3 requires top management to review the ISMS at planned intervals. Recording a review here snapshots the live inputs (posture, risks, actions, non-conformities, control readiness) at that moment, alongside attendees and decisions — a minuted record an auditor can inspect.

    IDDateAttendeesNext due

    Compliance calendar

    Every recurring ISMS activity in one place — access control reviews, BCP/DR and backup restore tests, supplier reviews, awareness training, the external surveillance audit cycle and certificate expiry. Complete an item and, if it recurs, its next due date rolls forward automatically.

    IDActivityCategoryFrequencyOwnerNext dueLast completed

    Audit log

    An append-only, read-only record of who changed what and when — control status changes, evidence links, verifications, risk approvals, action/audit/review/calendar activity and framework toggles. Evidence for ISO 27001 A.8.15 (logging) and SOC 2 CC7.2, distinct from the plain-English Activity feed on the Dashboard.

    WhenActorActionTargetBeforeAfter

    Audit reports

    Generated from the live registers, in Compliance365 brand. What used to be a fortnight of assembly is a button.

    Auditor-facing

    Statement of Applicability

    Full SoA with applicability justifications, implementation status and evidence references. The document your certification auditor opens first.

    Auditor-facing

    Risk register snapshot

    Complete register with heatmap summary, treatment decisions and movement since the last snapshot.

    Board & management

    Audit readiness report

    Per-framework readiness: control implementation, open critical risks, overdue actions, evidence coverage — and what the auditor will ask about.

    ISO 27001 · Clause 9.3

    Management review pack

    Quarterly KPI trends, top risks, action throughput and recommendations — satisfies the management review requirement directly.

    Board & C-suite

    Executive summary

    One page: score with trend arrow, implementation %, high/critical risk count, next milestone, top 3 risks. Built for a five-minute board update.

    Trust Center

    A public, read-only page — certifications held, high-level posture, Statement of Applicability summary and (optionally) your sub-processor list. Generated as a single self-contained HTML file into this tenant's own Documents library. Publishing it is a normal SharePoint sharing action you take yourself — Checkpoint generates the file and never makes anything public on its own.

    What's shown

    Company name shown on the page
    Contact email shown on the page (optional)

    Sub-processors listed publicly

    Only appears on the page if "Sub-processor list" above is switched on. Choose which vendors from the Vendor risk register are named.

    Auditor pack

    Assembles the current Statement of Applicability, an evidence index, a recent audit log excerpt and the latest management review record into one file an external auditor can open via a SharePoint sharing link — no Checkpoint licence needed. Time-boxing and access control are enforced by SharePoint's own sharing-link expiry when you create that link, not by Checkpoint.

    Framework
    Intended validity
    Scope note (optional, shown on the cover page)

    Portfolio

    A view across every client tenant you manage — not tied to whichever tenant you're currently signed into. This list itself is bookkeeping stored only in this browser's local storage — client name, tenant ID, and the last-synced summary numbers (posture score, readiness %, risk count). No risk, action or control records are ever copied here; syncing a client signs you into their tenant separately and reads their live Checkpoint data on the spot, in their own SharePoint, same as the main console. Nothing about any client is stored centrally or on Compliance365 infrastructure.