← Back to In a Box services In a Box · Annual Programme

Your MSP configured M365. But who is checking it's still configured correctly?

Microsoft 365 misconfiguration is behind most SME data breaches in Australia. Your MSP set it up — but settings drift, features change, and no one is watching. This programme keeps someone watching.

What's in the box

Ongoing security oversight for your Microsoft 365 environment. Where the Getting Started M365 Security Review gives you a one-time snapshot, this programme provides continuous oversight — quarterly review cycles, drift monitoring, and MSP coordination throughout the year.

Microsoft regularly changes default settings, adds new features, and deprecates old ones. Without ongoing oversight, the secure configuration you started with gradually drifts. This programme ensures someone with independent security expertise is reviewing, not just your MSP who implemented it.

The programme works alongside your MSP. We set the security direction and assess the configuration; your MSP implements the technical changes. Clear separation of duties — independent oversight without stepping on toes.

Pursuing DISP? M365 is the foundation.

Defence Industry Security Programme (DISP) membership requires demonstrable ongoing security oversight of your cloud environment. This programme's quarterly reviews and annual summary reporting satisfy the DISP monitoring requirements for M365. Ask us about the DISP pathway →

Deliverables

Quarterly security configuration review against CIS and ACSC benchmarks
Configuration drift report highlighting changes since last review
Updated remediation instructions for your MSP
New feature and risk advisory — relevant M365 changes affecting your security
DISP-ready monitoring evidence and annual summary report
Policy update recommendations as your environment evolves

Business benefits

M365 security doesn't degrade over time — someone independent is watching
Separates oversight from implementation — no MSP marking its own homework
Satisfies DISP ongoing monitoring requirements for cloud environments
Stay ahead of Microsoft platform changes that could introduce risk
Continuous compliance evidence for auditors, insurers, and procurement teams

Engagement process

BaselineInitial comprehensive review establishes your security baseline. Remediation priorities documented and agreed with your MSP.

Quarterly reviewConfiguration reviewed against benchmarks. Drift identified, new risks assessed, updated remediation recommendations issued to your MSP.

Advisory updatesBetween reviews, we flag significant M365 changes that affect your security posture and recommend action.

MSP coordinationRemediation recommendations delivered in MSP-ready format. Implementation verified at the next review cycle.

Annual summaryYear-end security report showing posture trends, remediation progress, and recommendations for the next cycle — suitable for DISP evidence packages.

Lock down your M365

When did someone last independently review your M365 configuration?

If the answer is "the MSP set it up," that's not oversight — that's implementation. Independent review is different.

Lock down your M365

Kaurna Acknowledgement

We acknowledge and pay our respects to the Kaurna people, the traditional custodians of the ancestral lands on which we work. We acknowledge the deep feelings of attachment and relationship of the Kaurna people to country and we respect and value their past, present and ongoing connection to the land and cultural beliefs.