How it works

Three steps to ISO 27001.

You stay in control. CertAria guides you through each stage — scan your tenant, close the gaps, pass the audit. No consultant needed.

  • Read-only scan permissions
  • No data leaves your tenant
  • Built on Microsoft Power Platform

1. Scan your M365 tenant

Connect your Microsoft 365 tenant (read-only, 4 specific permissions) and see which ISO 27001 controls you already evidence. Five minutes.

How this works

The scan reads 4 Graph API scopes — your device policies, security configuration, sensitivity labels, and audit settings. It doesn't change anything. You get a gap report showing which controls are already evidenced, which need work, and where to start.

The scan runs in your browser. No data leaves your tenant. CertAria reads configuration, not content.

2. Close the gaps

CertAria generates your task list, in priority order, and guides you through each one. The AI agent answers your questions in Teams. 20–40 hours of your time, not 100–200.

How this works

CertAria creates your ISMS — the documentation system that proves you manage information security. It uses the evidence from your scan to auto-populate what it can, then generates tasks for what needs human input.

Each task tells you what to do, why it matters for certification, and how long it typically takes. The AI agent in Teams answers questions as you go — "what does this control mean for my business?" gets a plain-English answer, not a clause reference.

Your policies, evidence, and risk assessments live in your own M365 tenant. Nothing is stored externally.

3. Pass the audit

CertAria prepares you for Stage 1 (documentation review) and Stage 2 (evidence audit). After you're certified, it stays as your ongoing ISMS — scheduling reviews, tracking changes, keeping you ready for surveillance audits.

How this works

Stage 1 is a documentation review — the auditor checks your ISMS exists and is properly structured. CertAria's business process flows guide you through this.

Stage 2 is the evidence audit — the auditor checks your controls are actually working. CertAria's automated evidence collection means most of this is already documented.

After certification, CertAria keeps running. Monthly task generation, policy review reminders, and continuous monitoring mean you're always audit-ready — not scrambling before each surveillance visit.

Certification work is broken into manageable, auditable steps.

Each phase links tasks to controls, expected evidence, and review checkpoints.

You can show progress clearly to leadership and auditors at any point.

You stay in control.

No consultant needed

CertAria replaces the consultant — AI guidance, automated tasks, evidence collection. You do the thinking. The tool does the scaffolding.

Your data stays yours

Everything runs inside your M365 tenant. No external platform. No data leaving your infrastructure. Deployed via AppSource in 30 minutes.

Your pace, your timeline

Work evenings, weekends, or in focused sprints. CertAria tracks where you are and picks up where you left off. No consultant scheduling.

See where you stand.

You now know the three steps. The first one takes five minutes and shows you exactly how much of ISO 27001 your M365 tenant already covers. Read-only, no data leaves your environment, and the gap report tells you exactly where to start.