SharePoint Forge Cyber Essentials Tracker
A live UK Cyber Essentials and CE Plus readiness tracker inside SharePoint — Microsoft 365 tenant signals where licensing and availability allow, plus a seeded control tracker, with a continuous audit-ready evidence trail.
£2,495/year
The business problem
Why this package exists.
UK organisations pursuing or maintaining Cyber Essentials certification face the same four pains every cycle: evidence is scattered across Entra, Intune, Defender, Secure Score and email threads; posture drifts between annual assessments; manual controls (joiner-leaver, supplier confirmations, patch procedures) fall through the cracks; and Cyber Essentials Plus verification items need a ready position before the assessor's live tests. The Cyber Essentials Tracker solves all four in a single web part — driven by your live tenant signals where your Microsoft 365 licensing exposes them — with no SaaS subscription and no data leaving the tenant.
Included with Cyber Essentials Tracker
- SPFx web part scoring all five Cyber Essentials themes — Firewalls, Secure configuration, Security update management, User access control, Malware protection — against the current NCSC / IASME question set
- Live tenant posture from 24 Microsoft Graph evaluators with per-check RAG status and remediation deep links
- Auto-provisioned Cyber Essentials Tracker SharePoint list seeded with 20 manual controls covering CE Plus verification, organisational policy and supplier confirmations
- Inline editor for manual controls — implementation status, evidence link, notes, last-reviewed date — versioned by SharePoint
- Glassmorphism UI with theme-aware light + dark modes, WCAG AA contrast, full keyboard navigation
- Print-to-PDF and CSV exports ready to drop into the IASME assessor evidence pack
- Deployment guide, admin checklist and release notes
In your tenant
What it looks like.
Every pixel renders inside the customer's SharePoint Online — no SaaS backend, no data leaves the tenant.
What you get
A package designed to be deployed, not consulted on.
Deployment model
Designed to be deployed by a Microsoft 365 or SharePoint administrator using the included guide. Typical deployment is a single working session, not a project.
Licence & support
Licensed annually to one verified business domain. Active licence includes downloads, documentation, supported updates and authenticated support tickets.
Technical requirements
Requires SharePoint Online with a tenant-level App Catalog. The web part requests ten delegated Microsoft Graph read-only permissions (User, Directory, Policy, RoleManagement, Reports, AuditLog, SecurityEvents, DeviceManagement managed devices + configuration, Organization) — approved once by a tenant admin in SharePoint Admin → API access. Viewers need a directory role that can read tenant security data (Global Reader is the typical fit). Intune and Microsoft Defender aren't required — checks for missing services show as not assessable rather than breaking the dashboard.
FAQ
Common questions.
Will this give us Cyber Essentials certification?
No. Formal certification has to be issued by an IASME-accredited certification body. This is a continuous posture-monitoring and evidence-gathering dashboard intended to make certification preparation faster and to maintain compliance between assessments. The exports drop straight into the assessor's evidence pack.
Does it cover Cyber Essentials Plus too?
Yes — the tracker includes the CE Plus verification items (live MFA test, malware-detection test, vulnerability scan, external scan readiness) so the organisation knows what's in place before the assessor performs the hands-on tests. The dashboard surfaces the same Graph signals an assessor would expect to see.
What if our tenant doesn't have Intune or Defender?
Every per-source service degrades gracefully. Checks that depend on a missing service are marked not assessable with a clear reason ('Intune does not appear to be configured for this tenant') and excluded from scoring — they don't drag the rest of the dashboard down.
Can we add our own organisation-specific controls?
Yes. The tracker is a standard SharePoint list — open Site contents → Cyber Essentials Tracker → New and add a row. Set the theme (FIREWALLS, SECURE_CONFIG, UPDATES, USER_ACCESS, MALWARE) and the dashboard picks it up on the next refresh.
Does any data leave our Microsoft 365 tenant?
No. The web part reads from Microsoft Graph and a SharePoint list inside your tenant only. Exports are generated client-side in the browser from data already loaded into the session. The only outbound call is the standard SharePoint Forge licence heartbeat used to verify your subscription.
Ready to deploy Cyber Essentials Tracker?
Buy securely through Stripe, then access your package and documentation through the SharePoint Forge customer portal.
Related
Other SharePoint Forge packages.
NIST CSF Tracker
A continuous NIST CSF 2.0 control tracker driven by live Microsoft 365 tenant signals, where licensing and availability allow.
- Live NIST CSF 2.0 tenant signals, where available
- Built-in tracker for manual subcategories
- Auditor-ready PDF + CSV exports
Signal365 Cost
An executive licence-efficiency dashboard that surfaces wasted Microsoft 365 spend from idle and inactive licences, where signal availability allows.
- Monthly licence-waste figure in GBP, where signals allow
- Per-SKU utilisation + inactive users
- Branded PDF + PowerPoint export
Signal365 Adoption
An adoption-and-usage dashboard showing how actively your people use Microsoft 365 across Teams, Exchange, SharePoint, OneDrive and Copilot, where signal availability allows.
- Weighted M365 adoption score, where signals allow
- Per-service active users + 90-day trend
- Branded PDF + PowerPoint export
