Building an evidence-driven security baseline for a growing MSP
A growing UK/IE Managed Service Provider needed to demonstrate that customer data, credentials, and internal IT operations were protected by a documented, auditable security framework, not just informal good practice. I led the compliance programme end-to-end: scoping, evidence gathering, control mapping, audit preparation, and assessor liaison through to a clean pass.
The same disciplines (asset inventory, risk register, access reviews, internal audit, and evidence-based assessment) are the foundation of an ISO 27001 Information Security Management System. This engagement built the muscle and the artefacts that an ISO 27001 ISMS reuses directly.
As an MSP holding the keys to dozens of client environments, the business needed to evidence that security was managed, not assumed. Existing controls were in place across Microsoft 365, Intune, and endpoint protection, but they weren't tied together into a documented framework. There was no single asset register, no formal risk treatment record, and no audit cycle.
The brief was to bring the organisation to an externally assessable security baseline, harden the operational controls underneath it, and leave behind a repeatable cycle of internal audit and continuous improvement.
The goals of the programme were: establish a single source of truth for assets across endpoints, servers, and SaaS; map existing technical and organisational controls to the framework and remediate gaps; drive measurable OS, patch, and configuration compliance through Intune; produce a complete evidence pack for the external assessor; and embed a quarterly internal audit cycle so the controls baseline stays current after the certificate is issued.
The programme followed a control-loop approach common to both Cyber Essentials and ISO 27001: identify assets, assess risks, apply controls, evidence the outcome, and iterate.
I acted as the internal point of contact through the assessment cycle, translating between the technical configuration on the ground and the controls language the assessor needed to see.
Single source of truth across endpoints, servers, and SaaS — the foundation every other control hangs from.
Documented threats, likelihood, impact, and treatment decisions, reviewed on a defined cadence with management sign-off.
Mapping of in-scope controls to operational implementation, the assessor's reference document and the audit trail.
OS, patch, encryption, and configuration baselines enforced through Intune policy with reporting on drift.
Conditional access, MFA, and joiner-mover-leaver process documented and evidenced through M365 admin reports.
Quarterly review of controls, evidence, and risk register. Findings tracked to closure, feeding the next assessment.
The engagement delivered a clean external pass and, more importantly, left behind a controls baseline and an audit cycle that continues to drive improvement. Every endpoint now sits under managed compliance policy. The risk register is reviewed on a defined cadence rather than ad hoc. The evidence pack means the next assessment is a refresh, not a rebuild.
Because the artefacts produced — asset inventory, risk register, Statement of Applicability, internal audit log — are exactly those an ISO 27001 ISMS requires, the organisation is now positioned for an Annex A controls assessment with a shorter runway than a cold start would demand.
Compliance work lives or dies on the asset inventory. Every other control assumes you know what you're protecting; without a defensible inventory the rest of the framework collapses on contact with an assessor. Investing disproportionate time here paid back across every later workstream.
Evidence has to be a by-product of operations, not a separate exercise. Where controls were enforced through Intune and reported through M365 admin, the evidence existed naturally. Where controls relied on manual process, the evidence had to be created retrospectively — the slowest, most fragile part of the programme.
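To show what "evidence as a by-product of operations" looks like for the Intune baseline above, here is an added PowerShell example (not the programme's own tooling): it pulls managed-device compliance from Microsoft Graph, flags drift, and writes timestamped CSVs that a quarterly audit can reference. The Microsoft.Graph.DeviceManagement cmdlets are real; the stale-sync threshold, the output folder and the definition of drift are assumptions.

```powershell
# Added example, not the programme's own script. Requires the
# Microsoft.Graph.DeviceManagement module and a read-only Graph scope.
# Assumed thresholds: a device that has not checked in for 30 days is
# treated as unverified rather than compliant.

function Get-ComplianceDrift {
    param(
        [Parameter(Mandatory)] [object[]] $Devices,
        [int] $StaleSyncDays = 30   # assumption, tune to the audit cadence
    )
    $cutoff = (Get-Date).AddDays(-$StaleSyncDays)
    foreach ($d in $Devices) {
        $reasons = @()
        if ($d.ComplianceState -ne 'compliant') { $reasons += "state=$($d.ComplianceState)" }
        if (-not $d.IsEncrypted)                { $reasons += 'disk-not-encrypted' }
        if ($null -eq $d.LastSyncDateTime -or $d.LastSyncDateTime -lt $cutoff) {
            $reasons += 'stale-or-missing-sync'
        }
        if ($reasons.Count -gt 0) {
            [pscustomobject]@{
                DeviceName = $d.DeviceName
                User       = $d.UserPrincipalName
                OS         = "$($d.OperatingSystem) $($d.OsVersion)"
                LastSync   = $d.LastSyncDateTime
                Findings   = ($reasons -join '; ')
            }
        }
    }
}

# Read-only scope: the evidence job never needs write access to Intune.
Connect-MgGraph -Scopes 'DeviceManagementManagedDevices.Read.All'
$devices = Get-MgDeviceManagementManagedDevice -All
$drift   = @(Get-ComplianceDrift -Devices $devices)

# Two artefacts per run: the full snapshot (what the assessor sees) and the
# drift list (what the internal audit tracks to closure). Paths are assumed.
$stamp = Get-Date -Format 'yyyyMMdd'
New-Item -ItemType Directory -Force -Path '.\evidence' | Out-Null
$devices | Select-Object DeviceName, UserPrincipalName, OperatingSystem, OsVersion, ComplianceState, IsEncrypted, LastSyncDateTime |
    Export-Csv ".\evidence\intune-compliance-$stamp.csv" -NoTypeInformation
$drift | Export-Csv ".\evidence\intune-drift-$stamp.csv" -NoTypeInformation

'{0} managed devices, {1} with drift findings' -f $devices.Count, $drift.Count
```

Run it on the audit cadence and keep the dated CSVs; the drift file is the finding list the quarterly review tracks to closure.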
Audit-readiness is a posture, not a milestone. The quarterly internal audit cycle is the mechanism that keeps the baseline honest between external assessments. It's the difference between a one-off certificate and a working ISMS.