The compliance audits you need to pass

Most organizations are not audited against every framework, only the few their industry, customers, or regulators demand. This is a working guide to the eight that matter most: who has to pass each one, what the assessor actually checks, the evidence you have to produce, and how often. For each, it shows how Siemserva by Senserva generates the Microsoft 365, Intune, and Entra ID evidence behind it.

This is a summary for orientation, not legal advice. Always verify the specifics with your auditor or the authoritative source. For the full list of frameworks, see security compliance requirements: 20 frameworks.

This guide explains the audits. Siemserva produces the evidence.
Almost all of these audits ask for the same Microsoft 365 proof: identity, access, logging, configuration, and patching. Collect it on every scan.

SOC 2 (AICPA)

Audited by a licensed CPA firm against the Trust Services Criteria.

Who must comply
SaaS, cloud, and B2B service providers whose customers demand assurance before they buy. It is the default trust report in North American technology sales.
What the auditor checks
  • Security (the Common Criteria) is always in scope; Availability, Confidentiality, Processing Integrity, and Privacy are added as you scope them
  • Logical and physical access controls, and least privilege
  • Change management and system monitoring
  • Incident response and risk management
  • Vendor risk management
Evidence you must produce
  • MFA enforcement and access reviews
  • Audit logging and monitoring
  • Vulnerability and patch management
  • Onboarding and offboarding records
  • For Type II, the auditor tests that controls operated over the whole period
Cadence
Type I reports on design at a point in time. Type II observes operating effectiveness over a 3 to 12 month window, then repeats annually.
How Siemserva produces the evidence
The Common Criteria that live in Microsoft 365, in one scan: MFA and Conditional Access coverage, privileged and PIM access, device compliance, audit-log health, and patch and CVE posture. Every finding is ranked by Severity, mapped to the criteria, and exportable as evidence you collect continuously, not the week before fieldwork.

ISO/IEC 27001:2022

Certified by an accredited certification body against the ISMS standard.

Who must comply
Organizations that want an internationally recognized certificate for their information security management system, common in enterprise and global or EU deals.
What the auditor checks
  • The ISMS itself (clauses 4 to 10): context, leadership, risk treatment, internal audit, management review
  • Annex A controls (93 in the 2022 revision) across Organizational, People, Physical, and Technological themes
  • Your Statement of Applicability and risk treatment plan
Evidence you must produce
  • Risk assessment and Statement of Applicability
  • Access control and identity records
  • Logging and vulnerability management
  • Configuration and change evidence showing the controls operate
Cadence
A three-year certification cycle: certification, then annual surveillance audits, then recertification in year three.
How Siemserva produces the evidence
The technological Annex A controls for Microsoft 365 (A.5 access control, A.8 technology): identity, hardening, logging, and vulnerability management, mapped automatically so your Statement of Applicability has live evidence behind it.

HIPAA Security Rule

Enforced by HHS Office for Civil Rights, usually on investigation or after a breach.

Who must comply
US healthcare covered entities and their business associates that create, receive, or store electronic protected health information (ePHI).
What the auditor checks
  • Administrative, physical, and technical safeguards
  • A required, documented risk analysis
  • Access control, audit controls, integrity, person or entity authentication, and transmission security
Evidence you must produce
  • The risk analysis and risk management plan
  • Unique user IDs, access control, and authentication
  • Audit logs and encryption
  • Workforce access management and Business Associate Agreements
Cadence
No certificate. It is a continuous obligation, proven on an OCR investigation or audit and during partner and customer due diligence.
How Siemserva produces the evidence
The technical safeguards as they apply to Microsoft 365: authentication and MFA, access control, audit-log health, encryption posture through Purview, and device compliance, with risk-ranked findings that feed the required risk analysis.

PCI DSS 4.0

Assessed by a QSA, or self-assessed via an SAQ, as required by your acquirer and the card brands.

Who must comply
Any organization that stores, processes, or transmits cardholder data, from large merchants and processors to small businesses.
What the auditor checks
  • 12 requirements and roughly 300 controls
  • Secure configuration and the removal of defaults
  • MFA for all access into the cardholder data environment (expanded in 4.0)
  • Access control, logging and monitoring, vulnerability management, patching, and anti-malware
Evidence you must produce
  • Configuration and network evidence
  • MFA and access reviews
  • Log retention and review
  • Quarterly vulnerability scans and patch SLAs
Cadence
An annual Report on Compliance or SAQ, plus quarterly external scans. Many controls are continuous.
How Siemserva produces the evidence
The identity, access, logging, and patch requirements where they touch Microsoft 365 administration and M365-connected systems: MFA everywhere, privileged access, log health, and missing patches ranked by CISA KEV and EPSS so remediation follows real exploitation.

NIST CSF 2.0 and NIST 800-53

Assessed against an agency ATO cycle (800-53) or used voluntarily as a backbone (CSF).

Who must comply
US federal agencies and contractors (800-53), and any organization that uses the Cybersecurity Framework as a common language. CSF 2.0 adds the Govern function.
What the auditor checks
  • CSF functions: Govern, Identify, Protect, Detect, Respond, and Recover
  • 800-53 control families (Access Control, Audit and Accountability, Configuration Management, Identification and Authentication, Risk Assessment, System and Information Integrity, and more) at a low, moderate, or high baseline
Evidence you must produce
  • Control implementation statements
  • Access control and audit logging
  • Configuration management and flaw remediation
  • Continuous monitoring data
Cadence
Continuous monitoring, with formal assessments on the agency or ATO schedule.
How Siemserva produces the evidence
The technical 800-53 families that live in Microsoft 365 (AC, AU, IA, CM, SI), mapped automatically, with continuous-monitoring evidence and ranked findings.

CISA SCuBA

Reported by US federal civilian agencies under CISA direction; usable by anyone hardening Microsoft 365.

Who must comply
US federal civilian agencies under CISA binding directives, and any organization that wants CISA's hardened Microsoft 365 baseline. This one is Microsoft 365 specific.
What the auditor checks
  • Secure Configuration Baselines per service: Entra ID, Exchange Online, SharePoint and OneDrive, Teams, Defender, and Power Platform
  • MFA, Conditional Access, legacy authentication, external sharing, and logging policy
Evidence you must produce
  • Per-policy conformance against each baseline
  • Documented, justified exceptions
Cadence
Continuous, with agencies reporting conformance.
How Siemserva produces the evidence
Native SCuBA and MCSB mapping in a single scan, with every baseline policy ranked and paired with a validated fix, so you get a worklist instead of a pass or fail diff. See the SCuBA and MCSB tool and SCuBA tools guide.

CMMC 2.0 and NIST 800-171

Level 2 requires a C3PAO third-party assessment; lower levels allow self-assessment.

Who must comply
US Department of Defense contractors and subcontractors that handle Federal Contract Information or Controlled Unclassified Information (CUI).
What the auditor checks
  • The 110 NIST 800-171 controls across 14 families
  • Access control, audit and accountability, identification and authentication, configuration management, and system and information integrity
  • FIPS-validated cryptography for CUI
Evidence you must produce
  • A System Security Plan (SSP) and Plan of Action and Milestones (POA&M)
  • Access control, MFA, and audit logs
  • Configuration baselines and flaw remediation
Cadence
A Level 2 third-party assessment every three years, with an annual affirmation.
How Siemserva produces the evidence
The 800-171 technical families in Microsoft 365: identity, access, logging, configuration, and vulnerability remediation, with findings and evidence ready to drop into your SSP and POA&M.

GDPR

Enforced by EU and UK Data Protection Authorities on investigation, DPIA review, or breach.

Who must comply
Any organization, anywhere, that processes the personal data of people in the EU or UK.
What the auditor checks
  • Article 32 appropriate technical and organizational measures
  • Access control, encryption, and pseudonymization
  • Confidentiality, integrity, and availability of processing
  • Breach detection and 72-hour notification, plus data subject access request (DSAR) handling
Evidence you must produce
  • Access controls and encryption
  • Logging and breach detection
  • Records of processing and DPIAs
  • DSAR fulfillment, often through Purview
Cadence
Continuous, proven on a DPA investigation or in the hours after a breach.
How Siemserva produces the evidence
The Article 32 measures in Microsoft 365: identity and access, audit logging, sensitivity labels and DSAR support through Purview, and breach-relevant sign-in and audit-log analysis.

One backbone behind every audit

SOC 2, ISO 27001, HIPAA, PCI DSS, NIST, SCuBA, CMMC, and GDPR use different language, but they audit the same handful of controls. In a Microsoft 365 estate that means multi-factor authentication, Conditional Access, privileged and PIM access, device compliance, audit logging, patch and CVE posture, and data protection. Get those right once and you have most of the evidence for all of them.

Siemserva collects that backbone on every scan, ranks each gap by Severity, maps it to the frameworks an auditor asks about, and attaches a validated fix. Because configuration, logs, and CVEs sit in one connected model, the same scan answers many audits at once, continuously, not in a fire drill the week before fieldwork.

Walk into your next audit with the evidence ready.

Run Siemserva by Senserva against your Microsoft 365, Intune, and Entra ID tenant and get audit-ready evidence on the first scan, mapped to the framework in front of you. Demo and Game Mode run free, no registration and no access to your tenant. Windows and Mac.