I have a question regarding Microsoft tools for compliance. My IT department says this tool/software should be enough when implementing ISO 27001. I don't think so, but I need good arguments to meet their points of view. Maybe you can help me.
My question is whether the tool from Microsoft (Microsoft Compliance) is enough when implementing an ISMS according to ISO 27001.
My IT department thinks it should be enough to check compliance by using this tool. That's why I am currently not able to buy tools from Advisera and other suppliers. I think it is not enough, because building an ISMS is more than checking compliance by means of this tool (MS Compliance).
What is your point of view here?
We are not experts in the MS Compliance tool, so what we can suggest is to ask your IT department to demonstrate how this tool covers each mandatory clause of ISO 27001 (clauses 4 to 10) and the controls from Annex A. From this assessment, you can identify whether this tool can cover all your needs or whether an additional solution is required.
For example, how does MS Compliance cover the definition of the ISMS scope? Does MS Compliance handle information security competence and awareness? How does MS Compliance handle controls A.7.1.1 Screening and A.7.1.2 Terms and conditions of employment?
From the MS Compliance documentation made available by Microsoft, it seems that this tool covers a lot of clauses and controls from ISO 27001, but not all of them.
You can also sign up for a free trial of Advisera's ISO 27001 compliance software Conformio (https://advisera.com/conformio/) and double-check how the Microsoft tool compares to it.