ⓘ For your size (up to 100 users) we have marked some questions as optional — fill in only those that are relevant for you.
Foundation
1. Vision, strategy and governance leadership
Without a vision and a steering team, the governance plan disintegrates into isolated IT settings. This section measures whether a strategic frame exists and who decides about SPO.

1.1 Is there a documented vision / strategy for SharePoint Online?
    L0 Ad hoc: No vision exists; SPO appeared as part of M365 and is used ad hoc.
    L1 Reactive: IT has an informal idea, but it is not written down or shared.
    L2 Proactive: Vision is documented, signed off by a sponsor, shared with key stakeholders.
    L3 Optimised: Vision is published on a governance site, linked to the corporate digital workplace strategy, reviewed periodically.
    N/A Don't know / Not applicable: I cannot judge this question, or it does not apply to our environment.

1.2 Is there a steering committee / governance committee for M365 and SPO? (Optional for SMB)
    L0 Ad hoc: No steering committee.
    L1 Reactive: Occasional ad hoc meetings between IT and 1–2 business people.
    L2 Proactive: Formal committee (IT + business + Security/Compliance), meeting at least quarterly.
    L3 Optimised: Committee with a clear charter, agenda, decision rights, escalation to the executive level, decisions documented.
    N/A Don't know / Not applicable: I cannot judge this question, or it does not apply to our environment.

1.3 Are decision rights clear — who decides, and how do you escalate conflicts?
    L0 Ad hoc: Whoever shouts the loudest decides.
    L1 Reactive: IT decides, but without a formal mandate.
    L2 Proactive: Decision rights are defined for typical situations (who approves exceptions, who approves new features).
    L3 Optimised: Full RACI matrix for decisions, escalation path, documentation of key decisions.
    N/A Don't know / Not applicable: I cannot judge this question, or it does not apply to our environment.
Foundation
2. Roles and responsibilities
When nobody is accountable, sites end up without an owner, permissions sprawl, and content goes stale.

2.1 Do Site Owners have clearly defined responsibilities?
    L0 Ad hoc: "Site owner" is a technical concept; nobody knows what they are supposed to do.
    L1 Reactive: Owners are assigned, but their responsibilities are not written down anywhere.
    L2 Proactive: A "What a Site Owner does" document exists (permissions, sharing, retention, attestations) and is shared.
    L3 Optimised: Responsibilities are part of the job description or onboarding pack; mandatory training before the role is granted.
    N/A Don't know / Not applicable: I cannot judge this question, or it does not apply to our environment.

2.2 Is there a RACI matrix for the key processes (provisioning, sharing, retention, incidents)? (Optional for SMB)
    L0 Ad hoc: No RACI; everything is ad hoc.
    L1 Reactive: RACI for 1–2 processes, mostly informal.
    L2 Proactive: RACI covers the main processes (provisioning, permissions, sharing, retention).
    L3 Optimised: RACI for all key processes, reviewed periodically, tied to the governance plan.
    N/A Don't know / Not applicable: I cannot judge this question, or it does not apply to our environment.

2.3 How many tenant-level admins (Global Admin, SharePoint Admin) do you have, and is least-privilege applied?
    L0 Ad hoc: Most of the IT team has Global Admin; no role separation.
    L1 Reactive: There are several admins, but the roles are not split (SP Admin, Compliance Admin, etc.).
    L2 Proactive: Roles split by responsibility; numbers limited.
    L3 Optimised: PIM (Privileged Identity Management) JIT/JEA, max. 2–4 Global Admin accounts, periodic access reviews.
    N/A Don't know / Not applicable: I cannot judge this question, or it does not apply to our environment.
Foundation
3. Policies, standards and guidance
A policy is a binding rule; guidance is a recommendation. Without distinguishing the two and publishing them, users get lost.

3.1 Is there a consolidated governance plan, and is it published so that users can find it?
    L0 Ad hoc: No governance plan exists, or there is a PDF in someone's folder.
    L1 Reactive: A plan exists, but it is in a document users have to search for.
    L2 Proactive: The plan is published on a governance SharePoint site and linked from relevant places.
    L3 Optimised: The governance site contains the plan + training material + FAQ + a feedback channel; navigation integrated into the intranet.
    N/A Don't know / Not applicable: I cannot judge this question, or it does not apply to our environment.

3.2 Do you have naming conventions for sites, M365 Groups, Teams and files?
    L0 Ad hoc: No conventions; everything is "however people want it".
    L1 Reactive: Recommendations exist, but they are not technically enforced.
    L2 Proactive: M365 Groups Naming Policy is active (prefix/suffix/blocked words); rules for sites in documentation.
    L3 Optimised: Fully technically enforced (Entra Naming Policy, custom provisioning workflow); rules for files in authoring guidance.
    N/A Don't know / Not applicable: I cannot judge this question, or it does not apply to our environment.

3.3 Is there a process for exceptions to your policies? (Optional for SMB)
    L0 Ad hoc: Exceptions are not handled — "we just do it".
    L1 Reactive: Exceptions are agreed ad hoc, never recorded.
    L2 Proactive: An exception process exists (form, approver, register).
    L3 Optimised: Exceptions are recorded with an expiry and an owner, reviewed periodically; dashboard.
    N/A Don't know / Not applicable: I cannot judge this question, or it does not apply to our environment.
Structure
4. Information architecture
Without good IA users "cannot find anything", search breaks down and Copilot returns nonsense.

4.1 Do you have a defined global navigation (App Bar) and home site?
    L0 Ad hoc: No home site, App Bar default, navigation chaotic.
    L1 Reactive: Home site exists, but it is not connected to navigation.
    L2 Proactive: A designed home site + App Bar configured with global links.
    L3 Optimised: App Bar + home site + Viva Connections + audience targeting in navigation.
    N/A Don't know / Not applicable: I cannot judge this question, or it does not apply to our environment.

4.2 Do you have a hub site strategy (HR, Finance, IT, business units, projects…)? (Optional for SMB)
    L0 Ad hoc: No hub sites; only flat site collections.
    L1 Reactive: 1–2 hubs created, but inconsistent.
    L2 Proactive: Hub sites for key areas, hub owners, rules for site association.
    L3 Optimised: Multi-level hub-to-hub association, hub-scoped search, hub design system.
    N/A Don't know / Not applicable: I cannot judge this question, or it does not apply to our environment.

4.3 Do you use taxonomy and managed metadata (term store, content types)? (Optional for SMB)
    L0 Ad hoc: Folders only; no metadata.
    L1 Reactive: Free text columns, used locally.
    L2 Proactive: Term store with organisationally approved terms; content types defined for the main kinds of content.
    L3 Optimised: Enterprise content type hub, automated tagging (Syntex), refiners in search.
    N/A Don't know / Not applicable: I cannot judge this question, or it does not apply to our environment.
Structure
5. Provisioning and site lifecycle
Uncontrolled site creation and forgotten sites are the largest source of content sprawl and security risk.

5.1 How does a new SharePoint site or M365 Group / Team come into existence?
    L0 Ad hoc: Anyone can create one, anytime, with no process.
    L1 Reactive: Self-service is enabled; no approval, no metadata.
    L2 Proactive: Self-service with a form (Power Automate / Forms), an approver, automatic owner and category assignment.
    L3 Optimised: Fully automated workflow, ITSM integration, site templates by purpose, post-provisioning attestation.
    N/A Don't know / Not applicable: I cannot judge this question, or it does not apply to our environment.

5.2 Have you enabled the M365 Groups Expiration Policy?
    L0 Ad hoc: Not enabled — groups never expire.
    L1 Reactive: Enabled with a very long horizon (e.g. 730 days), no follow-up.
    L2 Proactive: Enabled with a sensible horizon (180–365 days), notifications work, auto-renewal based on activity.
    L3 Optimised: Enabled per segment (sensitive groups have a shorter life), automated escalation, reporting.
    N/A Don't know / Not applicable: I cannot judge this question, or it does not apply to our environment.

5.3 Do you use SAM (SharePoint Advanced Management) Site Lifecycle Management policies (inactive site, ownership, attestation)? (Optional for SMB)
    L0 Ad hoc: We do not have SAM, or no policies are configured.
    L1 Reactive: We have SAM, but only ad hoc reports — no active policies.
    L2 Proactive: Active inactive-site policy + ownership policy in simulation/active mode.
    L3 Optimised: Full policy set (inactive + ownership + attestation) in active mode, automated actions, dashboard.
    N/A Don't know / Not applicable: I cannot judge this question, or it does not apply to our environment.

5.4 Do you have a defined process for site archival and decommissioning? (Optional for SMB)
    L0 Ad hoc: Sites are never deleted; they only accumulate.
    L1 Reactive: Things get deleted occasionally; no formal process.
    L2 Proactive: A defined process (who approves, how it is backed up, how users are notified).
    L3 Optimised: Microsoft 365 Archive deployed, integrated with legal hold, reporting on archived sites.
    N/A Don't know / Not applicable: I cannot judge this question, or it does not apply to our environment.
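Questions 5.2 and 5.3 can both be checked without SAM. The script below is an added example, not part of the EasyPortal 365 questionnaire or its tooling: it flags inactive and ownerless sites from the output of Get-SPOSite (SharePoint Online Management Shell) and maps the tenant's M365 Groups expiration policy, as returned by Get-MgGroupLifecyclePolicy (Microsoft.Graph.Groups module), onto the L0–L2 levels of question 5.2. The 180-day inactivity threshold, the sample sites and the sample policy are constructed for the example; the L3 levels (per-segment lifetimes, escalation, attestation) are not something a single policy object can show, so the script does not claim them.

```powershell
# Added example (not part of the questionnaire): a minimal stand-in for the SAM inactive-site
# and ownership policies (question 5.3) plus a check of the M365 Groups expiration policy
# (question 5.2). Assumes the SharePoint Online Management Shell (Get-SPOSite) and the
# Microsoft.Graph.Groups module (Get-MgGroupLifecyclePolicy) when run against a real tenant.

function Get-SiteLifecycleFindings {
    param(
        [Parameter(Mandatory)] [object[]] $Sites,   # output of Get-SPOSite -Limit All (or stand-ins)
        [int] $InactiveDays = 180,                  # assumed threshold, align with your 5.3 policy
        [datetime] $Now = (Get-Date)
    )
    $cutoff = $Now.AddDays(-$InactiveDays)
    foreach ($s in $Sites) {
        $findings = @()
        if ($s.LastContentModifiedDate -lt $cutoff) {
            $findings += "inactive since $($s.LastContentModifiedDate.ToString('yyyy-MM-dd'))"
        }
        if ([string]::IsNullOrWhiteSpace($s.Owner)) { $findings += 'no owner' }
        if ($findings.Count -gt 0) {
            [pscustomobject]@{ Url = $s.Url; Template = $s.Template; Findings = ($findings -join '; ') }
        }
    }
}

function Get-GroupExpirationMaturity {
    param($Policy)   # output of Get-MgGroupLifecyclePolicy, or $null when no policy exists
    # L0: no policy, or the policy applies to no groups
    if (-not $Policy -or $Policy.ManagedGroupTypes -eq 'None') { return 'L0' }
    $days = [int]$Policy.GroupLifetimeInDays
    $notes = @()
    # Expiry notices for ownerless groups go to AlternateNotificationEmails; without it,
    # "notifications work" (L2) is not true for those groups.
    if ([string]::IsNullOrWhiteSpace($Policy.AlternateNotificationEmails)) {
        $notes += 'no alternate notification address for ownerless groups'
    }
    if ($Policy.ManagedGroupTypes -eq 'Selected') { $notes += 'policy covers selected groups only' }
    $level = if ($days -gt 365) { 'L1' } else { 'L2' }   # 730-day horizons are L1 per the questionnaire
    if ($notes.Count -gt 0) { "$level ($($notes -join '; '))" } else { $level }
}

# --- Constructed sample data (stand-in for Get-SPOSite -Limit All / Get-MgGroupLifecyclePolicy) ---
$asOf = [datetime]'2025-06-01'
$sampleSites = @(
    [pscustomobject]@{ Url = 'https://contoso.sharepoint.com/sites/finance'; Template = 'GROUP#0'
                       Owner = 'finance-owners@contoso.example'; LastContentModifiedDate = [datetime]'2025-05-20' }
    [pscustomobject]@{ Url = 'https://contoso.sharepoint.com/sites/project-x'; Template = 'STS#3'
                       Owner = ''; LastContentModifiedDate = [datetime]'2024-09-01' }
    [pscustomobject]@{ Url = 'https://contoso.sharepoint.com/sites/old-intranet'; Template = 'SITEPAGEPUBLISHING#0'
                       Owner = 'it@contoso.example'; LastContentModifiedDate = [datetime]'2023-11-15' }
)
$samplePolicy = [pscustomobject]@{ GroupLifetimeInDays = 730; ManagedGroupTypes = 'All'; AlternateNotificationEmails = '' }

Get-SiteLifecycleFindings -Sites $sampleSites -Now $asOf | Format-Table -AutoSize
# project-x: inactive since 2024-09-01; no owner   old-intranet: inactive since 2023-11-15
Get-GroupExpirationMaturity -Policy $samplePolicy
# L1 (no alternate notification address for ownerless groups)
```

Against a real tenant, replace the constructed objects with `Get-SPOSite -Limit All` and `Get-MgGroupLifecyclePolicy` after `Connect-SPOService` and `Connect-MgGraph -Scopes Directory.Read.All`; the ownerless-site check deliberately looks only at the primary site owner, so a site whose owner is a deleted user still shows up as a finding, which is the case the SAM ownership policy exists for.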
Structure
6. Content management
Bad content management = broken search, duplicates, stale information for Copilot.

6.1 Do users have clear rules on where to store what (OneDrive vs. SharePoint vs. Teams chat vs. e-mail)?
    L0 Ad hoc: No rules; everyone stores wherever they want.
    L1 Reactive: A general recommendation exists, but it is not shared.
    L2 Proactive: Rules are in governance materials and training; users know them.
    L3 Optimised: Rules are reinforced by automated classification and Copilot guidance (e.g. "this file belongs in a Teams channel").
    N/A Don't know / Not applicable: I cannot judge this question, or it does not apply to our environment.

6.2 Do you use content types and structured metadata in libraries? (Optional for SMB)
    L0 Ad hoc: Libraries use folders only; no metadata.
    L1 Reactive: A few custom columns locally; inconsistent.
    L2 Proactive: Centrally managed content types for the key kinds of content (contracts, invoices, project documents).
    L3 Optimised: Enterprise content type hub, automated tagging through Syntex / Power Automate, refiners in search.
    N/A Don't know / Not applicable: I cannot judge this question, or it does not apply to our environment.

6.3 Have you set a versioning policy in libraries?
    L0 Ad hoc: Default settings; nobody is paying attention.
    L1 Reactive: Default 500 versions, but on some libraries it has been set to a low value (a risk).
    L2 Proactive: Versioning is consciously set per library type; documented.
    L3 Optimised: Versioning + content approval + check-out where it makes sense; monitored.
    N/A Don't know / Not applicable: I cannot judge this question, or it does not apply to our environment.
Trust
7. Security, identity and permissions
Permissions tend to sprawl. Broken inheritance + EEEU (Everyone except external users) + direct sharing = an attack surface that Copilot makes visible.

7.1 Are permissions managed exclusively through groups (Microsoft Entra security groups, M365 Groups), or are they assigned directly to users?
    L0 Ad hoc: Most permissions are assigned directly to users.
    L1 Reactive: A mix of direct assignments and groups; no formal rule.
    L2 Proactive: A "groups only" policy with occasional exceptions.
    L3 Optimised: Strictly through groups (security/M365), Site Access Reviews validate this, technically enforced.
    N/A Don't know / Not applicable: I cannot judge this question, or it does not apply to our environment.

7.2 Do you have visibility into sites with broken permission inheritance, EEEU sharing and Anyone links? (Optional for SMB)
    L0 Ad hoc: We have no idea how many such sites we have.
    L1 Reactive: We sense it is a problem, but we have no numbers.
    L2 Proactive: We periodically generate DAG (Data Access Governance) reports in SAM; we know the numbers.
    L3 Optimised: DAG reports + automated alerts + remediation workflow + Site Access Reviews.
    N/A Don't know / Not applicable: I cannot judge this question, or it does not apply to our environment.

7.3 Do you have Conditional Access policies for SharePoint Online?
    L0 Ad hoc: No Conditional Access policies for SPO.
    L1 Reactive: Basic MFA, but not specifically for SPO.
    L2 Proactive: CA for SPO (MFA, device compliance, location), session controls.
    L3 Optimised: Advanced CA (sign-in risk, app protection, RAC (restricted access control) for sensitive sites), reviewed periodically.
    N/A Don't know / Not applicable: I cannot judge this question, or it does not apply to our environment.

7.4 Do you run regular Site Access Reviews? (Optional for SMB)
    L0 Ad hoc: No access reviews.
    L1 Reactive: Occasional ad hoc checks during audits.
    L2 Proactive: Planned access reviews, delegated to site owners (Entra ID Governance / SAM).
    L3 Optimised: Automated cyclically, escalation when not completed, integrated with offboarding.
    N/A Don't know / Not applicable: I cannot judge this question, or it does not apply to our environment.
Trust
8. External sharing and B2B collaboration
External sharing is the most visible risk and the most common business need. The goal is not to ban it, but to target it.

8.1 What is the tenant-level external sharing setting in SPO?
    L0 Ad hoc: Anyone (anonymous links), no expiry.
    L1 Reactive: Anyone, but with expiry.
    L2 Proactive: New and existing guests (B2B via Entra), no anonymous links for sensitive data.
    L3 Optimised: Differentiated per site (Existing guests for sensitive, New & existing for the rest), strict default at site level.
    N/A Don't know / Not applicable: I cannot judge this question, or it does not apply to our environment.

8.2 What is the default sharing link type, and is it restricted?
    L0 Ad hoc: Default "Anyone with the link, can edit"; no expiry.
    L1 Reactive: "Anyone, view only"; no expiry.
    L2 Proactive: Default "People with existing access" or "Specific people"; anonymous links expire in 30–90 days.
    L3 Optimised: Per-site override for intranet (Existing access) vs. project sites (Specific people); restrictive defaults.
    N/A Don't know / Not applicable: I cannot judge this question, or it does not apply to our environment.

8.3 Do you restrict sharing by domain or security group? (Optional for SMB)
    L0 Ad hoc: No restrictions; anyone can share with anyone.
    L1 Reactive: Only problematic domains blocked (ad hoc).
    L2 Proactive: Allowlist of partner domains + restriction to a security group of who can share externally.
    L3 Optimised: Cross-tenant access settings in Entra, granular control per organisation, periodic allowlist reviews.
    N/A Don't know / Not applicable: I cannot judge this question, or it does not apply to our environment.

8.4 Do guests (B2B) have automatic expiry? (Optional for SMB)
    L0 Ad hoc: Guests stay in the tenant forever.
    L1 Reactive: Occasional manual cleanup.
    L2 Proactive: Guest Expiration Policy enabled (e.g. 60–180 days); reauthentication via verification code.
    L3 Optimised: Full Entra ID Governance access lifecycle, access packages, periodic access reviews for guests.
    N/A Don't know / Not applicable: I cannot judge this question, or it does not apply to our environment.
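The four questions in this section map onto a handful of tenant and site properties that the SharePoint Online Management Shell exposes. The script below is an added example, not part of the EasyPortal 365 questionnaire: it takes the object returned by Get-SPOTenant (and optionally the site list from Get-SPOSite -Limit All) and assigns each of 8.1–8.4 a level using the thresholds stated in the questionnaire. The two tenant objects and the site list are constructed stand-ins so the script runs offline; the parts of L3 that live in Entra (cross-tenant access settings, ID Governance access reviews) and the "who may share externally" security group are outside what Get-SPOTenant shows, so the script never returns L3 for 8.3 or 8.4.

```powershell
# Added example (not part of the questionnaire): maps SharePoint Online tenant sharing settings
# onto the L0-L3 levels of questions 8.1-8.4. Assumes the SharePoint Online Management Shell
# (Connect-SPOService, Get-SPOTenant, Get-SPOSite) when run against a real tenant.

function Get-SharingMaturity {
    param(
        [Parameter(Mandatory)] $Tenant,   # Get-SPOTenant output, or a stand-in with the same properties
        [object[]] $Sites = @()           # Get-SPOSite -Limit All output; only needed to detect the L3 levels
    )
    $r = [ordered]@{}
    $anonExpiry  = [int]$Tenant.RequireAnonymousLinksExpireInDays   # -1 means Anyone links never expire
    $anonAllowed = $Tenant.SharingCapability -eq 'ExternalUserAndGuestSharing'

    # 8.1 tenant-level external sharing
    $r['8.1'] = switch ($Tenant.SharingCapability) {
        'ExternalUserAndGuestSharing'     { if ($anonExpiry -gt 0) { 'L1' } else { 'L0' } }  # Anyone links on
        'ExternalUserSharingOnly'         { 'L2' }   # new and existing guests (B2B)
        'ExistingExternalUserSharingOnly' { 'L2' }   # existing guests only
        'Disabled'                        { 'L2' }   # no external sharing at all
        default                           { 'N/A' }
    }
    # L3 = differentiated per site: at least one site is stricter than a tenant default that allows guests
    $stricter = @($Sites | Where-Object { $_.SharingCapability -in @('ExistingExternalUserSharingOnly', 'Disabled') })
    if ($r['8.1'] -eq 'L2' -and $Tenant.SharingCapability -ne 'Disabled' -and $stricter.Count -gt 0) { $r['8.1'] = 'L3' }

    # 8.2 default sharing link type and permission
    $r['8.2'] = switch ($Tenant.DefaultSharingLinkType) {
        'AnonymousAccess' { if ($Tenant.DefaultLinkPermission -eq 'Edit') { 'L0' } else { 'L1' } }
        { $_ -in @('Internal', 'Direct') } {
            # "People with existing access" / "Specific people": L2 only if Anyone links are off or expire within 90 days
            if (-not $anonAllowed -or ($anonExpiry -ge 1 -and $anonExpiry -le 90)) { 'L2' } else { 'L1' }
        }
        default { 'N/A' }   # 'None' = no conscious tenant-level default
    }
    $overrides = @($Sites | Where-Object { $_.DefaultSharingLinkType -ne 'None' -and $_.DefaultSharingLinkType -ne $Tenant.DefaultSharingLinkType })
    if ($r['8.2'] -eq 'L2' -and $overrides.Count -gt 0) { $r['8.2'] = 'L3' }   # per-site override in place

    # 8.3 domain restriction (Entra cross-tenant settings, which make up L3, are outside this check)
    $r['8.3'] = switch ($Tenant.SharingDomainRestrictionMode) {
        'AllowList' { 'L2' }
        'BlockList' { 'L1' }
        default     { 'L0' }
    }

    # 8.4 guest access expiry as enforced by SPO (site access, not the guest account itself;
    # Entra ID Governance reviews, which make up L3, are outside this check)
    $r['8.4'] = if (-not $Tenant.ExternalUserExpirationRequired) { 'L0' }
                elseif ([int]$Tenant.ExternalUserExpireInDays -le 180) { 'L2' }
                else { 'L1' }
    return $r
}

# --- Constructed sample objects (stand-in for: Connect-SPOService -Url https://<tenant>-admin.sharepoint.com; Get-SPOTenant) ---
$weakTenant = [pscustomobject]@{
    SharingCapability = 'ExternalUserAndGuestSharing'; DefaultSharingLinkType = 'AnonymousAccess'
    DefaultLinkPermission = 'Edit'; RequireAnonymousLinksExpireInDays = -1
    SharingDomainRestrictionMode = 'None'; ExternalUserExpirationRequired = $false; ExternalUserExpireInDays = 0
}
$hardenedTenant = [pscustomobject]@{
    SharingCapability = 'ExternalUserSharingOnly'; DefaultSharingLinkType = 'Internal'
    DefaultLinkPermission = 'View'; RequireAnonymousLinksExpireInDays = 30
    SharingDomainRestrictionMode = 'AllowList'; ExternalUserExpirationRequired = $true; ExternalUserExpireInDays = 90
}
# Constructed site list (stand-in for Get-SPOSite -Limit All); the HR site is stricter than the tenant default
$sampleSites = @(
    [pscustomobject]@{ Url = 'https://contoso.sharepoint.com/sites/intranet'; SharingCapability = 'ExternalUserSharingOnly'; DefaultSharingLinkType = 'None' }
    [pscustomobject]@{ Url = 'https://contoso.sharepoint.com/sites/hr';       SharingCapability = 'Disabled';                DefaultSharingLinkType = 'Direct' }
)

Get-SharingMaturity -Tenant $weakTenant                         # 8.1 L0, 8.2 L0, 8.3 L0, 8.4 L0
Get-SharingMaturity -Tenant $hardenedTenant -Sites $sampleSites # 8.1 L3, 8.2 L3, 8.3 L2, 8.4 L2
```

The scoring is deliberately conservative: a "Specific people" default only counts as L2 when Anyone links are either disabled or time-limited, because an unrestricted Anyone link remains one click away for every user otherwise, and the site-level L3 checks require the site list, so run them with `-Sites (Get-SPOSite -Limit All)` rather than relying on the tenant object alone.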
Trust
9. Information protection, compliance and retention
GDPR, NIS2, sector regulations — they all touch SPO data. Without retention you either delete things you must not, or you keep things forever.

9.1 Do you have a defined data classification (e.g. Public / Internal / Confidential / Restricted)? (Optional for SMB)
    L0 Ad hoc: No classification.
    L1 Reactive: Classification exists on paper, but it is not applied.
    L2 Proactive: Classification rolled out; sensitivity labels defined and published.
    L3 Optimised: Classification + auto-labelling (trainable classifiers); container labels on sites and M365 Groups.
    N/A Don't know / Not applicable: I cannot judge this question, or it does not apply to our environment.

9.2 How deeply are sensitivity labels deployed in SPO/OneDrive? (Optional for SMB)
    L0 Ad hoc: Not used.
    L1 Reactive: Labels exist, but users do not use them.
    L2 Proactive: Manual labelling is used; default labels for selected libraries.
    L3 Optimised: Auto-labelling policies for sensitive info types, container labels, integrated with DLP and Copilot.
    N/A Don't know / Not applicable: I cannot judge this question, or it does not apply to our environment.

9.3 Do you have retention policies for SharePoint, OneDrive and Teams?
    L0 Ad hoc: No retention policies.
    L1 Reactive: Only basics (e.g. retention for the whole tenant for X years).
    L2 Proactive: Differentiated policies (per location, per content type); retention labels for exceptions.
    L3 Optimised: Full Purview Data Lifecycle Management framework, records management for high-value content, disposition review.
    N/A Don't know / Not applicable: I cannot judge this question, or it does not apply to our environment.

9.4 Do you have active DLP policies for SPO/OneDrive (and Copilot if applicable)? (Optional for SMB)
    L0 Ad hoc: No DLP.
    L1 Reactive: DLP pilot for 1–2 info types (e.g. card numbers).
    L2 Proactive: DLP policies for the main sensitive types (PII, finance, IP); policy tips for users.
    L3 Optimised: Full DLP framework + DLP for Copilot + integration with Insider Risk Management + Adaptive Protection.
    N/A Don't know / Not applicable: I cannot judge this question, or it does not apply to our environment.

9.5 Are you ready for eDiscovery and audit (legal hold, search, export)? (Optional for SMB)
    L0 Ad hoc: We have never done it; we do not know how.
    L1 Reactive: eDiscovery Standard, informal procedure.
    L2 Proactive: eDiscovery Premium deployed, audit log retention 1 year+, documented procedure.
    L3 Optimised: Periodic drills, integrated with the legal team, audit log retention into SIEM.
    N/A Don't know / Not applicable: I cannot judge this question, or it does not apply to our environment.
Experience
10. Search and discoverability
Search is the largest entry point into content and the foundation for Copilot. What search cannot find, Copilot cannot use.

10.1 Is Microsoft Search consciously configured (start page, scopes, verticals)? (Optional for SMB)
    L0 Ad hoc: Default settings; nothing tweaked.
    L1 Reactive: A few small tweaks; no strategy.
    L2 Proactive: Search verticals, result types and scopes defined per persona / hub.
    L3 Optimised: Fully curated search experience, audience targeting, Graph connectors for non-M365 systems.
    N/A Don't know / Not applicable: I cannot judge this question, or it does not apply to our environment.

10.2 Do you maintain promoted results / bookmarks / acronyms / Q&A? (Optional for SMB)
    L0 Ad hoc: Not used.
    L1 Reactive: A few bookmarks, ad hoc.
    L2 Proactive: Bookmarks + acronyms + Q&A for typical questions; periodically maintained.
    L3 Optimised: An owner + dashboard, integrated with helpdesk data (frequent questions → bookmarks).
    N/A Don't know / Not applicable: I cannot judge this question, or it does not apply to our environment.

10.3 Do you track search analytics (top queries, no-result queries) and use them to improve? (Optional for SMB)
    L0 Ad hoc: We do not track them.
    L1 Reactive: Occasional look at the default reports.
    L2 Proactive: Periodic review; top no-result queries → create bookmarks / content.
    L3 Optimised: Search analytics feed the IA roadmap; KPI for search success rate.
    N/A Don't know / Not applicable: I cannot judge this question, or it does not apply to our environment.
Experience
11. UX, branding and accessibility
A consistent look builds trust and reduces cognitive load. Accessibility is often a legal requirement.

11.1 Do you have consistent brand standards applied to the intranet and SP sites?
    L0 Ad hoc: Default theme; no branding.
    L1 Reactive: Custom theme applied in places; inconsistent.
    L2 Proactive: Brand standards defined; theme + Org Assets Library (logos, photos) applied to key sites.
    L3 Optimised: Design system + site templates + Viva Connections branding + multilingual.
    N/A Don't know / Not applicable: I cannot judge this question, or it does not apply to our environment.

11.2 Do you use site templates / site designs to standardise new sites? (Optional for SMB)
    L0 Ad hoc: Not used; every site is built from scratch.
    L1 Reactive: A few ad hoc templates.
    L2 Proactive: A set of templates for typical scenarios (department, project, external collaboration).
    L3 Optimised: Templates with a lifecycle (Proposal → Active → Knowledge Capture → Archive); automated through Power Automate.
    N/A Don't know / Not applicable: I cannot judge this question, or it does not apply to our environment.

11.3 Do you test accessibility (WCAG 2.1/2.2 AA) of intranet pages and templates?
    L0 Ad hoc: We do not test; we do not know how we are doing.
    L1 Reactive: Occasional check, visual only.
    L2 Proactive: Authors have guidance; the accessibility checker is used at publication time.
    L3 Optimised: Periodic accessibility audit (internal/external), reporting, mandatory fix before publication.
    N/A Don't know / Not applicable: I cannot judge this question, or it does not apply to our environment.

11.4 Do you support multilingual content (multi-language pages, translation workflow)? (Optional for SMB)
    L0 Ad hoc: Single language; not needed.
    L1 Reactive: Manual translations, scattered across sites.
    L2 Proactive: Multi-language pages (modern SPO), translation workflow.
    L3 Optimised: Full framework + audience targeting by language + integration with a translation service.
    N/A Don't know / Not applicable: I cannot judge this question, or it does not apply to our environment.
Experience
12. Customisation, development and Power Platform
Customisation unlocks value, but without governance Power Platform turns into shadow IT.

12.1 Is there a customisation policy (what is allowed: configuration / branding / no-code / SPFx / pro-code)? (Optional for SMB)
    L0 Ad hoc: No policy; anyone can do anything.
    L1 Reactive: Informal rules within IT.
    L2 Proactive: A documented policy; approval process for SPFx and the App Catalog.
    L3 Optimised: Full ALM (dev/test/prod), code review, dependency scanning, deployment monitoring.
    N/A Don't know / Not applicable: I cannot judge this question, or it does not apply to our environment.

12.2 Do you have governance for Power Platform (environments, DLP policies, maker role)? (Optional for SMB)
    L0 Ad hoc: The default environment is the wild west; no DLP.
    L1 Reactive: A few dedicated environments, but no DLP.
    L2 Proactive: Environment strategy (dev/test/prod, dedicated environments for SPO forms), DLP policies defined.
    L3 Optimised: Power Platform Center of Excellence (CoE) running the CoE Starter Kit, monitoring, citizen developer programme.
    N/A Don't know / Not applicable: I cannot judge this question, or it does not apply to our environment.

12.3 Do you have visibility into which non-Microsoft applications access SPO content? (Optional for SMB)
    L0 Ad hoc: We have no visibility.
    L1 Reactive: Occasional look at Entra Enterprise applications.
    L2 Proactive: App Insights (SAM) reports; restrict site creation by apps.
    L3 Optimised: Full app governance programme, approval for new apps, monitoring + alerting.
    N/A Don't know / Not applicable: I cannot judge this question, or it does not apply to our environment.
Value
13. Microsoft 365 Copilot and Agent governance
Copilot exposes everything that was "security through obscurity". Without preparation: blocked rollout or an incident. This section is only relevant if you have Copilot or are planning to adopt it.

13.1 Have you run a Copilot readiness assessment (Content Management Assessment in SAM, or DSPM Data Risk Assessment in Purview)?
    L0 Ad hoc: Not done.
    L1 Reactive: A pilot of the assessment, but no action taken.
    L2 Proactive: Assessment done; identified high-risk sites remediated.
    L3 Optimised: Periodic (quarterly) assessment, dashboard, continuous remediation.
    N/A Don't know / Not applicable: I cannot judge this question, or it does not apply to our environment.

13.2 Do you use Restricted Content Discovery (RCD) or Restricted SharePoint Search (RSS) for sensitive sites?
    L0 Ad hoc: Not used; everything is in Copilot grounding.
    L1 Reactive: A few sites manually flagged, but no system.
    L2 Proactive: Identified high-risk sites have RCD active, documented procedure.
    L3 Optimised: A "strict" strategy (RSS allowlist) or "protect" strategy (RCD per risk), reviewed periodically.
    N/A Don't know / Not applicable: I cannot judge this question, or it does not apply to our environment.

13.3 Do you govern SharePoint agents (who can build them, on which data, monitoring)?
    L0 Ad hoc: No governance; agents are created without control.
    L1 Reactive: IT knows about it, but has no monitoring tool.
    L2 Proactive: Agent Insights report (SAM), periodic review, sensitivity labels respected.
    L3 Optimised: Full agent lifecycle, approval for company agents, cost monitoring, Purview audit.
    N/A Don't know / Not applicable: I cannot judge this question, or it does not apply to our environment.
Operations
14. Monitoring, audit and reporting
What is not measured cannot be managed. Without audit you cannot investigate an incident or prove compliance.

14.1 How regularly do you watch native admin reports (SPO Admin Center, M365 Usage)?
    L0 Ad hoc: Never.
    L1 Reactive: Someone occasionally takes a look during a problem.
    L2 Proactive: Monthly review; ownership defined (who looks).
    L3 Optimised: Automated reporting into Power BI / Sentinel; dashboard for stakeholders.
    N/A Don't know / Not applicable: I cannot judge this question, or it does not apply to our environment.

14.2 Do you use SAM Data Access Governance reports (sharing links, permissions, EEEU, sensitivity labels)? (Optional for SMB)
    L0 Ad hoc: We do not have SAM, or we do not use it.
    L1 Reactive: Occasional ad hoc reports.
    L2 Proactive: Periodic reporting; AI Insights generates recommendations and they are acted upon.
    L3 Optimised: Automation through PowerShell, integrated with remediation workflow, KPI tracking.
    N/A Don't know / Not applicable: I cannot judge this question, or it does not apply to our environment.

14.3 Do you stream audit logs (Purview Audit) into SIEM (Sentinel) or another security tool? (Optional for SMB)
    L0 Ad hoc: Audit logs stay in Purview, basic retention only.
    L1 Reactive: Occasional export for an audit.
    L2 Proactive: Audit log retention 1 year+, alert policies for key events.
    L3 Optimised: Streaming into Sentinel/SIEM, correlation with other Microsoft 365 / Defender signals, hunt queries.
    N/A Don't know / Not applicable: I cannot judge this question, or it does not apply to our environment.

14.4 Do you have a governance KPI dashboard (e.g. in Power BI, or directly in M365)? (Optional for SMB)
    L0 Ad hoc: No dashboard.
    L1 Reactive: Occasional Excel reports for management.
    L2 Proactive: Regular dashboard with KPIs (permissions, sharing, lifecycle, adoption).
    L3 Optimised: Real-time dashboard for IT + executives, drill-down, benchmarking.
    N/A Don't know / Not applicable: I cannot judge this question, or it does not apply to our environment.
Operations
15. Backup, recovery and business continuity
Microsoft protects the platform, not user-caused losses. The 93-day recycle bin is not enough for most compliance scenarios.

15.1 What backup strategy do you have for SPO/OneDrive/Teams?
    L0 Ad hoc: We rely only on the recycle bin; no further backups.
    L1 Reactive: Recycle bin + versioning awareness amongst users.
    L2 Proactive: Microsoft 365 Backup or 3rd-party backup (Veeam/AvePoint/Rubrik); retention to compliance.
    L3 Optimised: A multi-layer strategy (M365 Backup + 3rd-party + offsite); tested periodically.
    N/A Don't know / Not applicable: I cannot judge this question, or it does not apply to our environment.

15.2 Do you have defined RPO (Recovery Point Objective) and RTO (Recovery Time Objective)? (Optional for SMB)
    L0 Ad hoc: We do not.
    L1 Reactive: We have a vague "fast" expectation, informally.
    L2 Proactive: RPO/RTO defined per data classification; documented.
    L3 Optimised: Measured, tested, validated; SLAs with business owners.
    N/A Don't know / Not applicable: I cannot judge this question, or it does not apply to our environment.

15.3 Do you run regular DR tests (disaster recovery)? (Optional for SMB)
    L0 Ad hoc: Never.
    L1 Reactive: A one-off test when the backup solution was rolled out.
    L2 Proactive: An annual test; results and learnings documented.
    L3 Optimised: A test plan per scenario (mass delete, compromised account, region outage), regular, integrated with incident response.
    N/A Don't know / Not applicable: I cannot judge this question, or it does not apply to our environment.

15.4 Do you have a defined process for what happens to a leaving employee's OneDrive?
    L0 Ad hoc: It either stays forever, or it is deleted at random.
    L1 Reactive: IT handles it manually after the manager asks.
    L2 Proactive: A defined offboarding workflow; X days retention; delegation to the manager.
    L3 Optimised: Automated workflow through Entra ID Lifecycle Workflows, integrated with HR system, audited.
    N/A Don't know / Not applicable: I cannot judge this question, or it does not apply to our environment.
People
16. Adoption, training and support
Without adoption, even the best governance plan is useless. Adoption is the governance "last mile".

16.1 Do you have an adoption strategy with defined scenarios and success criteria?
    L0 Ad hoc: No strategy; just a rollout.
    L1 Reactive: A communication campaign at launch; nothing afterwards.
    L2 Proactive: A strategy with persona scenarios, communication plan, training.
    L3 Optimised: Full change management framework (Prosci/ADKAR), executive sponsorship, long-term campaign.
    N/A Don't know / Not applicable: I cannot judge this question, or it does not apply to our environment.

16.2 Is there a champions network (a network of business ambassadors)? (Optional for SMB)
    L0 Ad hoc: No; IT is alone.
    L1 Reactive: A few enthusiasts, unstructured.
    L2 Proactive: A formal champions programme, regular meetings, recognition.
    L3 Optimised: A fully structured programme with role, KPIs, mentoring; integrated into onboarding.
    N/A Don't know / Not applicable: I cannot judge this question, or it does not apply to our environment.

16.3 Is there regular training for Site Owners?
    L0 Ad hoc: No training.
    L1 Reactive: Occasional ad hoc workshops.
    L2 Proactive: Mandatory onboarding for new Site Owners (permissions, sharing, retention basics).
    L3 Optimised: A structured course with certification, annual refresh, tied to roles in Entra.
    N/A Don't know / Not applicable: I cannot judge this question, or it does not apply to our environment.

16.4 Do you measure adoption metrics and use them to iterate? (Optional for SMB)
    L0 Ad hoc: Not tracked.
    L1 Reactive: Occasional look at the M365 Adoption Score.
    L2 Proactive: Regular reporting (MAU, content engagement, search success), feedback from champions.
    L3 Optimised: Full adoption dashboard, NPS, correlated with business metrics, quarterly review.
    N/A Don't know / Not applicable: I cannot judge this question, or it does not apply to our environment.
Migration, KPIs
Operations
17. Migration and platform evolution
Migration is an opportunity (and a requirement) for a governance reset. The platform evolves; the governance plan has to keep up.

17.1 Do you still have file shares, on-prem SharePoint or other systems to migrate into SPO?
    L0 Ad hoc: Yes, lots of them; no migration plan.
    L1 Reactive: Yes, some; vague idea of migration.
    L2 Proactive: Migration is running in planned waves; governance is addressed up front.
    L3 Optimised: Almost everything is in M365; the rest is on a planned sunset; hybrid governance is sorted.
    N/A Don't know / Not applicable: I cannot judge this question, or it does not apply to our environment.

17.2 Is somebody actively watching the Microsoft 365 Roadmap and Message Center? (Optional for SMB)
    L0 Ad hoc: Nobody.
    L1 Reactive: IT occasionally reacts to breaking changes.
    L2 Proactive: A designated owner, monthly review, communication with area owners.
    L3 Optimised: An innovation backlog, evaluation of new features, pilot programme via Targeted release.
    N/A Don't know / Not applicable: I cannot judge this question, or it does not apply to our environment.

17.3 Do you have a tenant or selected users in Targeted release for piloting new features? (Optional for SMB)
    L0 Ad hoc: Standard release, no pilot.
    L1 Reactive: We sense it exists, but we do not use it.
    L2 Proactive: Targeted release for IT and champions, formal pilot process.
    L3 Optimised: Full release management, validation, communication plan for every new feature.
    N/A Don't know / Not applicable: I cannot judge this question, or it does not apply to our environment.
Value
18. Measurement, KPIs and continuous improvement
KPIs give you the arguments for investment, prove value, and show where the governance plan diverges from reality.

18.1 Do you have a defined set of governance KPIs (health, adoption, compliance, value)? (Optional for SMB)
    L0 Ad hoc: No KPIs.
    L1 Reactive: A few ad hoc metrics.
    L2 Proactive: A defined KPI set (governance health + adoption + compliance), measured periodically.
    L3 Optimised: KPIs integrated with business metrics, executive dashboard, target setting per quarter.
    N/A Don't know / Not applicable: I cannot judge this question, or it does not apply to our environment.

18.2 Is there a quarterly governance review (committee + KPIs + roadmap)? (Optional for SMB)
    L0 Ad hoc: No.
    L1 Reactive: Occasional informal meetings.
    L2 Proactive: A regular quarterly meeting, agenda, action items, follow-up.
    L3 Optimised: A formal QBR (Quarterly Business Review) with executive stakeholders, documentation, public commitments.
    N/A Don't know / Not applicable: I cannot judge this question, or it does not apply to our environment.

18.3 Do you have an active user feedback loop (surveys, focus groups, Site Owner sentiment)? (Optional for SMB)
    L0 Ad hoc: No feedback loop.
    L1 Reactive: Occasional survey.
    L2 Proactive: Regular NPS / pulse survey, feedback from champions, action on the results.
    L3 Optimised: Continuous feedback (Viva Pulse, Forms Pro), correlated with adoption data, transparent action plan.
    N/A Don't know / Not applicable: I cannot judge this question, or it does not apply to our environment.
Closing and priorities
The last step: a short summary of what you filled in, plus your specific pain points and the horizon for our collaboration.
Your answers contain sensitive information about your organisation. We store them in a private repository that only the EasyPortal 365 team can access. Read more in our privacy policy.