Secure and
Certifiable
Bundle

Your Microsoft 365 tenant deployed and hardened across six workstreams — Entra ID, Exchange Online, SharePoint and OneDrive, Teams, Defender for Business, and Purview. Configured to the Konve IT security baseline and aligned to Cyber Essentials controls from Go-Live. This is the platform everything else in the bundle builds on.

• MFA enforcement and Conditional Access policy
• Exchange Online — mailboxes, routing, DNS, retention, anti-phishing
• SharePoint and OneDrive — structure, permissions, sharing policy
• Microsoft Teams governance and meeting controls
• Defender for Business activation and security baseline
• Purview — sensitivity labels, DLP, audit logging

Third-party backup deployed at Go-Live — Exchange Online, SharePoint Online, OneDrive for Business, and Microsoft Teams all protected from day one. UK-based immutable storage with retention aligned to your regulatory obligations. Initial backup verified before handover.

• Solution selected, deployed, and connected to your tenant
• All four M365 data sources covered
• UK-based immutable storage — retention aligned to your obligations
• First backup cycle verified before programme proceeds

Every device enrolled into Intune, governed by compliance policies, and verified as compliant. This is the device control layer required by Cyber Essentials — the programme will not proceed to certification until all in-scope devices are enrolled and compliant. Conditional Access integration with the tenant deployment from Service 01.

• Intune environment setup and Entra ID integration
• Device compliance policies and Conditional Access enforcement
• BitLocker encryption enforcement and recovery key escrow
• Windows, iOS, Android, and macOS device enrolment
• All devices verified compliant before Cyber Essentials phase begins
• Remote wipe capability active from completion

Gap assessment, targeted remediation, and supported certification submission. The gap assessment at Phase 1 is significantly abbreviated in this bundle — the tenant deployment and Intune deployment have already addressed the majority of the controls. What remains is verification and submission.

• Phase 1 gap assessment — abbreviated, reflecting Services 01 and 03 already complete
• Phase 2 remediation of any residual gaps identified at assessment
• IASME self-assessment questionnaire preparation and review
• Supported submission to IASME certification body
• IASME certification included
• 30-day resubmission support included

Advanced email security deployed on top of the Microsoft 365 environment from Service 01 — AI-powered phishing detection, impersonation protection, payment diversion controls, and enforced DMARC authentication. SPF, DKIM, and DMARC are already configured in Service 01 as part of the Exchange Online workstream. This service adds the full Mimecast or Proofpoint layer and payment instruction controls.

• Mimecast or Proofpoint Essentials deployment
• AI-powered inbound phishing and malware filtering
• Impersonation protection — senior personnel and domain lookalikes
• Payment instruction controls for law firms and professional services
• Outbound data loss prevention
• DMARC enforcement verified and DMARC reporting configured