Guide · Compliance Automation

Automating Compliance Evidence in Microsoft 365, Azure & AWS

How to turn evidence collection, access reviews, and security posture into continuous assurance using the platforms you already own. No GRC platform required. No annual licence to renew.

This is the methodology we use on every engagement — written up so you can apply it yourself, or so you can evaluate whether what we propose actually makes sense before booking a call.

The case for not buying a GRC platform

Most compliance consulting engagements start with a recommendation to buy Vanta, Drata, Secureframe, or one of the Australian alternatives. The argument is reasonable on the surface: a dedicated platform centralises evidence, automates collection, and gives you a single pane of glass for the auditor.

The argument breaks down on closer inspection. These platforms charge $15–60k per year in licence fees that compound across surveillance audits. They require their own implementation and training. They sit alongside the security tools you already pay for — Entra ID, Defender, Intune, Purview, Azure Policy, AWS Config — rather than replacing any of them. And when you eventually outgrow them, your evidence is locked in their format.

The alternative is to treat your existing platforms as the GRC tool. Microsoft 365, Azure, and AWS already generate the configuration data, audit logs, and policy state that auditors want to see. The job isn't to recreate that in a new system — it's to capture, structure, and retain it where it already lives.

The rest of this guide walks through how we do that across the four areas auditors care about most.

The four areas worth automating first

Not all evidence needs to be automated. Some controls are inherently manual (incident post-mortems, management reviews, vendor due diligence). The high-leverage targets for automation are the ones auditors sample heavily and that change frequently enough that manual capture becomes unsustainable.

1. Access reviews and privileged access

Quarterly access reviews are an auditor favourite because they prove the least-privilege principle is operating, not just stated. This area is automated in Entra ID: PIM exports, Conditional Access policy snapshots, and privileged role attestation logs are filed monthly. This single area typically saves 20+ hours per audit cycle once it's running.

2. Endpoint and patching posture

Every framework expects evidence that endpoints are managed, patched, and monitored. Defender for Endpoint exposure scores, Intune compliance reports, and patch cadence exports are captured fortnightly. The artefacts auditors want to see exist already — the job is to file them defensibly.

3. Data classification and DLP

ISO 27001, ISO 27701, and SOC 2 all want evidence that sensitive data is classified, protected, and monitored. Purview sensitivity label reports, DLP policy exports, audit log searches, and retention policy state are captured automatically and dated. This area is particularly important for the privacy frameworks.

4. Cloud configuration baselines

For Azure: Azure Policy assignments, compliance state, and conformance against built-in initiatives. For AWS: AWS Config conformance pack results, Security Hub findings, and CloudTrail digest summaries. Both export to the same evidence library structure as the M365 controls.

The platforms doing the work

Six core platforms cover roughly 85% of the evidence surface for ISO 27001, SOC 2, Essential Eight, ISO 27701, and ISO 42001 combined. Each is something you already own if you're on Microsoft 365 E5 with an Azure or AWS footprint.

Entra ID (with P2 + PIM)

Conditional Access policies, MFA enforcement, access reviews, Privileged Identity Management, and identity governance. The single most important platform for compliance automation. PIM exports drive privileged access evidence; access review reports drive least-privilege evidence.

Defender for Endpoint P2

Endpoint detection and response, vulnerability management, attack surface reduction, and security recommendations. The exposure score, vulnerability dashboard, and ASR rule reports feed directly into Essential Eight, ISO 27001, and SOC 2 evidence.

Intune

Device compliance, configuration profiles, application protection, and update rings. The platform that operationalises most of the Essential Eight technical controls. Compliance state reports and policy assignment exports are auditor staples.

Purview

Information protection, data loss prevention, retention policies, audit logs, and eDiscovery. Particularly important for ISO 27701 (privacy) and the Confidentiality TSC under SOC 2. Audit log exports and DLP policy state are the high-frequency artefacts.

Power Automate & SharePoint

The connective tissue. Power Automate flows run on schedule, pull configuration exports from the platforms above, and file them into a structured SharePoint evidence library with retention and version history. This is what makes the whole pattern continuous.

Azure Policy + AWS Config

Same model, different cloud. Azure Policy assignments and compliance state for Azure workloads; AWS Config conformance packs and rules for AWS workloads. Both export to the same SharePoint structure as M365 evidence, so auditors see a unified pack.

Power BI dashboards typically sit on top of this to provide the executive view — KPIs, trend lines, and posture summaries pulled directly from the evidence library. Useful for steering committees and surveillance audit prep, but not the primary mechanism.

Sample SharePoint evidence structure

A folder pattern we've used across dozens of engagements. The principles: one library per control domain, dated subfolders (YYYY-MM) for sampling consistency, file properties capturing flow run IDs for provenance, retention policies enforcing what auditors expect to see.

SharePoint › Evidence Hub
├── 00_Metas/
│   ├── README.md
│   └── Evidence-Register.xlsx
├── 01_SoA-ISO27001/
│   ├── SoA-Register.xlsx
│   ├── Mapping/
│   │   └── SoA-to-Risk-Matrix.xlsx
│   └── Evidence/
│       ├── 2026-04/
│       │   ├── SoA-Change-Log.pdf
│       │   └── Reviewer-Approval.msg
│       └── 2026-05/
│           └── SoA-Change-Log.pdf
├── 02_Risk-Register/
│   ├── Risk-Register.xlsx
│   └── Evidence/
│       ├── 2026-04/Risk-Review-Minutes.pdf
│       └── 2026-05/Risk-Workshop-Attendance.pdf
├── 03_Access-Reviews-Entra/
│   ├── Exports/
│   │   ├── 2026-04/privileged-roles.csv
│   │   ├── 2026-04/mfa-state.csv
│   │   └── 2026-05/mfa-state.csv
│   ├── Screenshots/
│   │   └── 2026-05/PIM-settings.png
│   └── Approvals/
│       └── 2026-05/Access-Review-Approvals.pdf
├── 04_Endpoint-and-Patch-Defender-Intune/
│   ├── Exports/
│   │   ├── 2026-04/device-compliance.csv
│   │   └── 2026-05/defender-exposure-score.csv
│   └── Screenshots/
│       └── 2026-05/patch-profile-baseline.png
├── 05_Data-and-Privacy-Purview/
│   ├── Policies/
│   │   └── 2026-05/Retention-Policy-Settings.pdf
│   ├── Exports/
│   │   └── 2026-05/audit-log-export.csv
│   └── DPIA-ROPA/
│       ├── ROPA-Register.xlsx
│       └── 2026-05/DPIA-Consent-Flow-Approval.pdf
├── 06_Change-and-Release/
│   ├── CI-CD/
│   │   └── 2026-05/pipeline-gates.pdf
│   └── CAB/
│       └── 2026-05/CAB-Minutes.pdf
├── 07_Vendor-and-Third-Parties/
│   ├── SOC-Reports/
│   │   └── 2026/supplierA-SOC2-Type2.pdf
│   └── Security-Questionnaires/
│       └── 2026-05/Responses.zip
├── 08_Backups-and-Recovery/
│   ├── Policies/
│   │   └── Backup-Runbook.pdf
│   └── Tests/
│       └── 2026-05/Restore-Test-Report.pdf
├── 09_AI-Governance-ISO42001/
│   ├── Model-Inventory.xlsx
│   ├── Evals/
│   │   └── 2026-05/evaluation-results.csv
│   └── Oversight/
│       └── 2026-05/HITL-Approval.pdf
└── 10_Dashboards-and-KPIs/
    ├── PowerBI/
    │   └── Compliance-Dashboard.pbix
    └── Monthly-Snapshots/
        └── 2026-05/kpi-export.csv

A few notes on the structure. The YYYY-MM dated subfolders matter more than they look — they make auditor sampling predictable, they enforce evidence cadence (an empty folder is an obvious gap), and they support retention policies that auto-archive old evidence. Folder 00 (Metas) holds the README documenting the structure and the Evidence Register that captures flow run IDs for provenance. Anything filed in an Evidence folder must be reproducible from a documented automated flow or a documented manual process — if neither, it doesn't go in.
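As an added check (example code written for this guide, not part of any engagement tooling or of the Power Automate flows themselves), the following Python walks a synced copy of the evidence library against the Evidence Register and reports the three things the notes above say an auditor will challenge: an empty dated folder, an artefact with no flow run ID behind it, and an artefact whose contents changed after the flow filed it. The paths, run IDs and file contents are constructed; it assumes the register has been exported to rows with path, flow_run_id and sha256 columns.

```python
import hashlib
# Control domains whose Exports/ folder must hold at least one artefact every month
# (the high-frequency areas); names mirror the folder tree above.
MONTHLY_DOMAINS = ("03_Access-Reviews-Entra",
                   "04_Endpoint-and-Patch-Defender-Intune",
                   "05_Data-and-Privacy-Purview")

def register_entry(path, data, flow_run_id):
    """Row the filing flow writes to the Evidence Register: path, flow run ID, SHA-256 at filing."""
    return {"path": path, "flow_run_id": flow_run_id, "sha256": hashlib.sha256(data).hexdigest()}

def month_range(start, end):
    """Yield 'YYYY-MM' strings from start to end inclusive."""
    y, m = map(int, start.split("-"))
    last = tuple(map(int, end.split("-")))
    while (y, m) <= last:
        yield f"{y:04d}-{m:02d}"
        y, m = (y + 1, 1) if m == 12 else (y, m + 1)

def audit_library(files, register, start, end):
    """files: library-relative path -> current bytes; register: list of register rows.
    Returns (cadence gaps, artefacts without a flow run ID, artefacts altered since filing)."""
    by_path = {row["path"]: row for row in register}
    gaps, unregistered, altered = [], [], []
    for domain in MONTHLY_DOMAINS:
        for ym in month_range(start, end):
            prefix = f"{domain}/Exports/{ym}/"
            if not any(p.startswith(prefix) for p in files):
                gaps.append(prefix)  # empty dated folder: the flow did not run or did not file
    for path, data in files.items():
        row = by_path.get(path)
        if row is None or not row["flow_run_id"]:
            unregistered.append(path)  # no provenance: nothing says which flow produced it
        elif hashlib.sha256(data).hexdigest() != row["sha256"]:
            altered.append(path)  # content changed after the flow filed it
    return sorted(gaps), sorted(unregistered), sorted(altered)
# Constructed sample filings (path, bytes, Power Automate run ID), as scheduled flows would file them.
_FILED = [
    ("03_Access-Reviews-Entra/Exports/2026-04/privileged-roles.csv", b"role,member\nGlobal Administrator,ga-breakglass\n", "run-0001"),
    ("03_Access-Reviews-Entra/Exports/2026-04/mfa-state.csv", b"upn,mfa\nalice,enforced\n", "run-0002"),
    ("03_Access-Reviews-Entra/Exports/2026-05/mfa-state.csv", b"upn,mfa\nalice,enforced\nbob,enforced\n", "run-0003"),
    ("04_Endpoint-and-Patch-Defender-Intune/Exports/2026-04/device-compliance.csv", b"device,state\nlt-01,compliant\n", "run-0004"),
    ("04_Endpoint-and-Patch-Defender-Intune/Exports/2026-05/defender-exposure-score.csv", b"date,score\n2026-05-01,31\n", "run-0005"),
]
SAMPLE_REGISTER = [register_entry(p, d, r) for p, d, r in _FILED]
SAMPLE_FILES = {p: d for p, d, _ in _FILED}
# Two things an auditor will challenge: an export edited after filing, and one dropped in by hand.
SAMPLE_FILES["03_Access-Reviews-Entra/Exports/2026-05/mfa-state.csv"] = b"upn,mfa\nalice,enforced\n"
SAMPLE_FILES["05_Data-and-Privacy-Purview/Exports/2026-05/audit-log-export.csv"] = b"constructed, filed manually"
```

Running audit_library(SAMPLE_FILES, SAMPLE_REGISTER, "2026-04", "2026-05") flags the missing 2026-04 Purview export, the hand-filed audit log, and the edited MFA export; any of these is a finding to resolve before the pack goes to the auditor.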

Implementation playbook

Four phases. The full sequence takes 6–10 weeks for most mid-market environments, depending on how much existing manual evidence has to be migrated.

1. Baseline

Weeks 1–2

Define scope, target frameworks, and the controls each will satisfy. Inventory M365 / Azure / AWS tenants. Identify existing manual evidence to migrate. Document who owns what.

2. Automate

Weeks 3–6

Build the SharePoint evidence library. Stand up Power Automate flows for the four high-leverage areas. Configure access reviews, posture exports, and policy state snapshots on a defined cadence.

3. Monitor

Weeks 7–8

Publish Power BI dashboards for steering committees. Run monthly snapshots to validate flow output. Route exceptions to control owners via Teams. Document the BAU operating model.

4. Assure

Weeks 9–10

Bundle artefacts into framework-specific audit packs (ISO 27001 SoA pack, SOC 2 evidence pack, Essential Eight ML2 pack). QA each pack for completeness. Hand over operating runbooks.

Mistakes to avoid

Three patterns we see repeatedly when organisations attempt this internally or with consultants who don't do it routinely.

1. Automating evidence that doesn't matter

The temptation is to automate everything that can be automated. Resist it. Auditors sample heavily on a small number of controls (access reviews, patching, change management, incident response). Automate those first. Evidence for low-frequency manual controls (management review minutes, vendor due diligence reports) can stay manual — building flows for them wastes effort.

2. Skipping the evidence register

Without a register that maps every evidence artefact back to its source flow (or documented manual process), auditors can challenge provenance. "Where did this CSV come from? When was it generated? By whom? Was it altered before filing?" The register makes these questions trivial to answer. Skipping it makes them existential.

3. Treating Power BI as the source of truth

Power BI is for the executive view. The source of truth is the SharePoint evidence library. Build flows that file the raw exports first, then build Power BI on top. We've seen engagements where teams invested heavily in dashboards before the underlying evidence pipeline was reliable — the dashboards looked beautiful but couldn't be defended at audit.

Common questions

Do we need to be on M365 E5 for this to work?

Most of it requires E5 features (Entra P2, Defender for Endpoint P2, Purview audit retention). E3 covers the basics but you'll need to add specific add-on SKUs for access reviews and Purview. We'll tell you what's missing during scoping.

Which frameworks does this approach cover?

ISO 27001, SOC 2 Type II, Essential Eight ML2, ISO 27701, and ISO 42001 — using one underlying evidence model. Most clients combine two or three frameworks in a single engagement to share the automation infrastructure.

How does this work for multi-cloud?

Same evidence model across clouds. Azure Policy assignments and AWS Config conformance packs enforce guardrails. Deviations raise tasks. Monthly exports land in the same SharePoint structure as M365 evidence. Auditors see consistent artefacts across providers.

What about evidence that genuinely can't be automated?

Some evidence is inherently manual — management review minutes, incident post-mortems, vendor due diligence. We don't try to automate it. We document the manual process, file the output in the same evidence library structure, and capture sign-offs through SharePoint approval workflows.


Want this implemented in your environment?

A free 30-minute call will tell you which of the four high-leverage areas to automate first based on your current M365 / Azure / AWS setup, what evidence you already have, and which framework you're working toward.
