M365 governance: a playground of challenging rules

by Henry Bisilliat Donnet - Information Management Consultant
| minute read

Microsoft’s cloud-powered productivity platform, M365, offers numerous tools that make it easier to control and protect your organisation’s information. They can also help you put in place the governance you need to ensure alignment of business and legal requirements. Having looked at the security technology aspect in my previous blog post, let’s see what else you need to successfully align your business and legal requirements using the M365 platform.

Before you start implementing your security and compliance rules, there are some basic steps you need to take on your compliance journey:

Step 1: determine your business needs

Ask yourself what information your users need to accomplish their work in an efficient way. What are their work processes and goals? What do they need to deliver? Once you have a clear view of your users’ work processes and the information assets they need, you can translate these needs into functional requirements.

Step 2: determine your legal and industry-specific requirements

Your legal department should be able to tell you exactly which laws and industry-specific regulations apply to your organisation and how that affects how you handle data. But as new laws and regulations are regularly being introduced – on data privacy, AI, sustainability, etc. – you definitely need to review the situation from time to time.

Step 3: determine your information flows

By determining your information flows, you will get insights on how information is shared between work processes, systems and people. These must align with the requirements mentioned in step 1 and 2 to optimise your compliance. When you understand how information passes through and is used within your organisation, you’ll have a clear view on which rules you need to apply for lifecycle management, access management, data classification, sensitivity labelling, etc.

Is that it?

No. Just feeding all your requirements and rules into a platform or system isn’t enough to govern your information in the long term, as requirements and rules can change. So you need a dedicated information governance team to manage these changes over time.

First of all, you need a compliance officer or committee that regularly reviews business and regulatory requirements to make sure everything is still aligned with the current situation. They must always have the answers to the following questions: “Have new laws been introduced?” and “Have business needs changed?” If the answer is yes, these changes have to be communicated to your IT department to make sure your platform gets updated.

In addition to keeping your platform compliant, IT is responsible for monitoring your systems daily and taking corrective action whenever a problem is detected, for example within Microsoft Defender or Purview.

Users themselves will always be a major risk factor when handling information, unless they are kept properly trained and informed. You have to make sure your users know the rules and procedures inside out and make them feel responsible for the information they are handling. Keep them informed and updated by making training an ongoing process. Security measures are pointless without user adoption and involvement.

My colleagues and I have years of experience in helping organisations to implement M365 and ensuring compliance. We can support you from start to finish, from making an inventory of your business and legal requirements to translating these requirements into functional needs. We can even upgrade or redesign your M365 environment, and ensure your Defender and Purview settings are fully aligned with your business and compliance needs. And most importantly, we can train your staff to handle information governance fully independently. Just let us know when and where we can help.