Question 1. Why does your security program need written policies if the technical controls are already deployed and working?
Policies aren't needed — the controls speak for themselves — Controls without policy authorisation can be challenged by users, overruled by management, and dismissed by auditors.
Policies authorize the controls (management approval), set user expectations (what users must and must not do), give monitoring a legitimate basis (the AUP monitoring disclosure), and ensure continuity (the next IT admin knows what was deployed and why) — Correct. Policies transform configurations into an authorized organizational program.
Policies are only needed for ISO 27001 certification — Policies are valuable regardless of certification. They provide authority, user expectations, and continuity for any organization.
Policies are needed to comply with GDPR only — GDPR requires certain documentation, but policies serve multiple purposes beyond GDPR compliance.
Question 2. What four essential policies does every M365 security program need?
GDPR policy, ISO 27001 policy, NIST policy, SOC 2 policy — These are frameworks, not policies. Policies implement framework requirements.
Firewall policy, antivirus policy, patch management policy, access control policy — Too granular. These are implementation details that belong in procedure documents.
Privacy policy, cookie policy, terms of service, data retention policy — These are external-facing documents. Security policies are internal governance documents.
Acceptable Use Policy, Password and Authentication Policy, Data Classification Policy, and Incident Response Plan — each one authorizing specific technical controls and setting operational expectations — Correct. Four policies, 5-6 pages total, covering all seven layers of the security program.
Question 3. Why is Section 8 (Monitoring) of the Acceptable Use Policy critical?
Without the monitoring disclosure, reviewing sign-in logs, DLP Activity Explorer, and email threat reports may violate employee privacy expectations under UK GDPR. The disclosure provides the transparency that legitimises your AD5 security monitoring program — Correct. The monitoring disclosure is the legal foundation for your entire monitoring cadence.
It tells employees they're being watched — creating a deterrent effect — Deterrence is a secondary benefit. The primary purpose is legal compliance with UK data protection law.
It's required by specific certification frameworks — Most certification frameworks don't specifically require a monitoring disclosure. Data protection law (GDPR, PIPEDA, Privacy Act) requires transparency about data collection.
It satisfies insurance requirements — Some insurers may require it, but the primary driver is UK data protection law.
Question 4. Your quarterly report shows: MFA 100%, phishing blocked 47, compliance 97%, labels 98%, 2 incidents (both contained in under 30 minutes), Secure Score 67%. How long should it take to produce this report?
A full day — collecting data from multiple portals — The consolidated script collects most data in 5 minutes.
2-3 hours — writing the narrative from scratch — The template is established. You're updating numbers, not writing from scratch.
20-30 minutes — run the data collection script (5 min), update the template with new numbers (15-25 min). The first report takes longer (45-60 min) but subsequent reports use the established template — Correct. The script automates data collection. The template standardizes the format. Your job is updating numbers and writing the executive summary.
Zero — the script generates the report automatically — The script collects data. The report requires human interpretation: the executive summary, trend analysis, and next steps are written by you.
Question 5. Your organization needs a baseline security certification. You've deployed all AD1-AD7 controls and built the evidence collection package. How long should the certification process take?
6-12 months — certification is a major project — For organizations starting from zero, yes. Your controls are already deployed and documented.
2-6 weeks — the controls are deployed and documented. Preparation involves assembling evidence from your evidence folder (1-2 hours), completing the assessment questionnaire (2-4 hours), and submitting to the certification body. The actual certification timeline depends on the framework and assessor — Correct. Since you've deployed, documented, and evidenced the controls, certification is an evidence-assembly exercise, not a deployment project.
1 day — just fill in a form — Certification questionnaires require specific, accurate evidence. Rushing risks rejection.
Not possible on E3 — certification requires E5 — Every major security framework's core requirements are met by E3 capabilities. MFA, encryption, antivirus, patching, monitoring, and incident response are all achievable on E3.
Question 6. What makes your E5 business case more persuasive than a vendor's pitch?
Lower cost — The cost is the same.
Better slides — Presentation quality isn't the differentiator.
Management trusts you more than the vendor — Trust helps, but the key differentiator is data.
Your business case uses YOUR operational data — incident count, monitoring gaps, label adoption metrics, after-hours detection delays — all from the quarterly reports management has already seen and trusts. The vendor uses industry averages and theoretical benefits — Correct. Specific, evidenced data from your environment beats generic data from a vendor's slide deck.
Question 7. You're going on a 3-week holiday. What documentation enables your colleague to maintain the security program?
The one-page handover document: program summary reference, Monday review checklist and script location, incident response procedures and scripts, escalation contacts, known patterns (expected FPs), and your emergency contact — Correct. One page covering: what to read (program summary), what to do weekly (Monday review), what to do if something goes wrong (IR procedures + escalation), and what to ignore (known FPs). Enables program maintenance within 2 hours of reading.
Admin credentials and a verbal briefing — Verbal briefings are forgotten by Wednesday.
The complete program summary only — The program summary describes the architecture but doesn't provide the operational instructions (what to do every Monday).
Nothing — the controls run automatically for 3 weeks — Controls run but monitoring doesn't. Alert notifications arrive but nobody acts on them. Incidents accumulate in the queue.
Question 8. After completing this course, what is the total weekly time commitment for maintaining your complete security program?
4-5 hours per day — constant monitoring required — The structured cadence eliminates the need for constant monitoring.
Zero — everything is automated — Alert notifications automate critical event delivery. Human judgment is required for the Monday review, incident classification, and response decisions.
30-45 minutes per week — the 15-minute Monday review plus occasional incident investigation, supplemented by monthly metric collection (30 min) and quarterly reporting (60 min). Total annual: approximately 28 hours for a complete, evidence-based security program — Correct. 28 hours per year for a documented, monitored, response-ready security program across all seven layers. This is sustainable alongside IT administration responsibilities and produces measurable outcomes reported quarterly to management.
2-3 hours per week — the monitoring and reporting add up — The structured cadence is designed to be efficient. 30-45 minutes per week is the realistic, proven time commitment.