Framework readiness, without compliance overclaiming
ScanPosture maps observable Microsoft 365 and Entra ID controls to recognised framework themes, helping teams understand technical alignment, evidence gaps, and areas that need remediation.
ScanPosture does not certify compliance, provide legal advice, or replace formal audit sign-off.
28-day trial · No credit card · Read-only Microsoft access
What ScanPosture means by readiness
We use these terms consistently across every framework view so readiness language is never ambiguous.
Observable Readiness
ScanPosture has technical evidence that supports alignment for the assessed Microsoft 365 and Entra ID scope.
Strong
Evidence indicates the relevant control area is well supported within the assessed scope.
Moderate
Evidence supports partial alignment, but improvement or broader coverage is needed.
Limited
Evidence shows material gaps or weak coverage.
Insufficient Evidence
ScanPosture cannot draw a reliable conclusion from the observable signals available.
Out of Current Assessment Scope
The area is not assessed by the current connected scope.
Eight framework readiness views
Each framework has its own boundary statement, what ScanPosture can observe, and what it cannot conclude on its own.
Cyber Essentials
ScanPosture supports Cyber Essentials readiness by assessing Microsoft 365 and Entra ID signals related to secure configuration, access control, MFA, privileged access, and account hygiene.
ISO 27001
ScanPosture maps observable technical controls to selected ISO 27001:2022 control themes, particularly around identity, access control, privileged access, logging, monitoring, and configuration management.
GDPR Article 32
ScanPosture helps evidence selected technical safeguards relevant to GDPR Article 32, including access control, authentication strength, logging, and protection against unauthorised access.
NIST CSF 2.0
ScanPosture maps Microsoft-first posture signals to selected NIST CSF 2.0 categories, especially within the Protect and Detect functions (PR.AA, PR.DS, DE.CM, DE.AE).
NIST SP 800-53 Rev 5
ScanPosture rolls observable Microsoft 365 and Entra ID evidence into five SP 800-53 Rev 5 control families: Access Control (AC), Identification and Authentication (IA), Audit and Accountability (AU), System and Information Integrity (SI), and System and Communications Protection (SC).
CIS Controls v8.1
ScanPosture supports readiness against selected CIS Controls themes including account management, access control, audit logging, email security, and secure configuration.
SOC 2
ScanPosture helps produce technical evidence relevant to selected SOC 2 trust services criteria, especially access control, logical security, monitoring, and change visibility.
NCSC CAF 4.0
ScanPosture maps observable Microsoft 365 and Entra ID controls to the NCSC Cyber Assessment Framework principles relevant to identity, access, configuration, and monitoring.
What ScanPosture can and cannot see
Readiness views reflect the Microsoft 365 and Entra ID signals ScanPosture can observe. Anything outside the connected tenant, or outside the assessment scope, stays outside the report.
In scope · 10 areas observed
Out of scope
ScanPosture does not produce a formal audit judgement, give a legal compliance opinion, or assess policy documentation quality unless that documentation is uploaded or managed in-product. HR processes, endpoint configuration beyond the observable Microsoft signals, non-Microsoft cloud or SaaS platforms (unless later connected), and manual business process evidence sit outside the assessment.
Readiness views show observable technical alignment within ScanPosture’s assessment scope. They do not certify compliance.

