Evidence export

A single click that produces an auditor-ready ZIP for a tenant. Useful for ISO 27001, SOC 2, APRA CPS 234, and straightforward annual security reviews.

What's inside

The ZIP contains:

  • Latest scan per framework — Essential Eight, APRA CPS 234, CIS M365. Each as both a human-readable PDF and a raw JSON blob with every per-strategy finding and evidence reference.
  • 90-day audit log — CSV + JSON. Every state-changing action by your techs or by the platform itself in the window. SHA-256 chained so tampering is detectable.
  • Conditional Access snapshot — JSON export of every CA policy at the moment of bundle generation, so the auditor can diff against what's live.
  • Tenant metadata — display name, default domain, industry, MSP owner, GDAP relationship status, licence summary.
  • Attestation cover page — PDF with MSP business name, ABN, export timestamp, export user, scan dates, and a SHA-256 hash of the bundle contents. Sign this page if your client requires it.
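
The audit-log item above states that the log is SHA-256 chained so tampering is detectable. The following is an added example, not Manage365's code or export schema, showing how an auditor could verify such a chain offline; the record fields `body`, `prev_hash` and `hash`, the all-zero genesis value and the hashing rule are all assumptions, since the page does not document the export format.

```python
import hashlib
import json

GENESIS = "0" * 64  # assumed anchor value for the first record


def entry_hash(prev_hash: str, body: dict) -> str:
    """SHA-256 over the previous hash plus a canonical JSON encoding of the body."""
    # Assumed hashing rule: sorted keys and compact separators give a stable encoding.
    canonical = json.dumps(body, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256((prev_hash + canonical).encode("utf-8")).hexdigest()


def build_chain(bodies):
    """Build constructed sample records; stands in for the exported audit log."""
    records, prev = [], GENESIS
    for body in bodies:
        digest = entry_hash(prev, body)
        records.append({"body": body, "prev_hash": prev, "hash": digest})
        prev = digest
    return records


def verify_chain(records):
    """Return (ok, index of first bad record or None, reason)."""
    prev = GENESIS
    for i, rec in enumerate(records):
        # A removed or reordered record breaks the link to its predecessor.
        if rec["prev_hash"] != prev:
            return False, i, "prev_hash does not match preceding record"
        # An edited record no longer hashes to its stored value.
        if entry_hash(prev, rec["body"]) != rec["hash"]:
            return False, i, "record body does not match its hash"
        prev = rec["hash"]
    return True, None, "chain intact"


# Constructed sample entries (not real export data; field names are hypothetical).
SAMPLE = build_chain([
    {"ts": "2024-05-01T02:10:00Z", "actor": "tech@example.com", "action": "ca_policy.update"},
    {"ts": "2024-05-01T02:12:30Z", "actor": "platform", "action": "scan.run"},
    {"ts": "2024-05-02T09:00:00Z", "actor": "tech@example.com", "action": "user.mfa_reset"},
])
```

A chain check on its own cannot see records removed from the end of the log or a log re-hashed from scratch; catching those requires comparing the final record's hash with a value recorded outside the log.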

How

  1. Open the tenant's Compliance tab.
  2. Click Download evidence bundle. Generation typically takes 5–10 seconds per tenant.
  3. The ZIP is generated on demand and streamed to your browser; nothing is stored server-side after the download completes. If you need to re-issue, generate again. The contents of each bundle reflect the state at the moment it was generated.

Scheduling

Enterprise tier supports scheduled evidence exports — e.g. the bundle is generated on the 1st of every month, stored to your configured S3 / Azure Blob target, and the MSP owner is notified. Configure in Settings → Reports.

What this isn't

  • Not a GRC system. Manage365 produces the technical evidence; policy and procedure documents live elsewhere.
  • Not a penetration-test report. The bundle describes controls, not attacker perspective.
  • Not a legal opinion on compliance. Auditors decide whether the evidence is sufficient for a given framework.