Compliance policy translated into real Microsoft 365 controls.

Harrby reviews data protection, classification, retention, and governance maturity across Microsoft 365, comparing policy documentation against platform configuration and identifying gaps between stated obligations and active controls.

Harrby defines the target compliance model across classification taxonomy, DLP architecture, retention strategy, records management, insider risk scenarios, eDiscovery readiness, and reporting, aligning legal, risk, privacy, and IT inputs before configuration begins.

Harrby implements controls in stages, starting with visibility and audit mode, then increasing coverage and enforcement as patterns are understood and communicated to staff.

Harrby provides ongoing policy tuning, DLP alert triage, label usage review, retention maintenance, compliance reporting, audit evidence support, and governance change handling as the business and its obligations evolve.

Harrby conducts regular compliance posture reviews, assesses policy effectiveness, tracks Purview roadmap updates, produces framework alignment evidence, and delivers improvement recommendations aligned to emerging regulatory requirements and audit feedback.

ISO 27001, Essential Eight, SOC 2, privacy assessments, and internal audits require evidence that controls exist and are operating effectively.

Privacy reforms, breach notification pressure, and broader definitions of sensitive information all increase the need for technical controls that support privacy obligations in practice.

Information is being created, shared, and stored across Microsoft 365 faster than manual processes can keep up. Classification, retention, and DLP controls are what make governance scalable.

A regulatory enquiry, internal investigation, or legal hold reveals the organisation cannot efficiently locate, preserve, or produce relevant information. Readiness needs to be built before the next request arrives.

Government procurement panels and enterprise supplier reviews increasingly require demonstrable information governance capability. Controls need to be in place, documented, and usable as evidence.

Legal, risk, privacy, or IT teams are spending too much time manually reviewing sharing activity, chasing staff about classification, or assembling evidence from disconnected sources.

DLP rules that are too broad fire constantly and lose credibility with the business. Properly calibrated policies scoped to real risk stay useful and get used.

Boards, executive teams, and risk committees need visibility of control coverage, material issues, and posture trends across the compliance environment.

Classification, DLP, retention, insider risk, eDiscovery, and compliance reporting aligned into one connected operating model.

Fully managed, co-managed, or advisory-led matched to your internal legal, risk, privacy, and IT capability.

Business, legal, and regulatory requirements translated into Microsoft 365 and Purview controls that can be operated and evidenced.

Ongoing policy refinement, reporting, evidence support, and audit readiness built into the service.

Sensitivity labels, classification controls, and DLP policies reduce the risk of important data being handled, shared, or stored incorrectly across email, Teams, SharePoint, and OneDrive.

Retention and disposal controls are aligned to policy, regulation, and operational needs so records are retained when required and disposed of on schedule.

Microsoft 365 and Purview controls are mapped to ISO 27001, Essential Eight, privacy obligations, and audit requirements in a form that can be evidenced.

Automated controls and consistent platform settings reduce the intervention required from IT, legal, privacy, and risk teams.

Logs, configuration records, policy reports, and governance documentation are maintained as part of the service, so the response to an audit request is retrieval, not reconstruction.

Labelling guidance, policy tips, and protection controls are designed with user experience in mind so the controls are practical enough to remain in place.

Label taxonomy design, rollout strategy, auto-labelling where appropriate, client-side labelling, and ongoing usage review. Classification is the foundation for every other compliance control.

DLP design, staged rollout from audit mode to enforcement, alert analysis, and coverage across Exchange, SharePoint, OneDrive, Teams, and endpoint DLP where in scope.

Retention labels, policies aligned to your records schedule, records protection, disposition support, and lifecycle management across Microsoft 365 workloads.

Insider risk scenario configuration, unusual activity visibility, alert management, and structured escalation approaches for behaviours that present genuine organisational risk.

Content search, legal hold readiness, eDiscovery case support, and structured response processes for legal, regulatory, or internal investigation requests.

Purview reporting, control coverage metrics, DLP trend analysis, label adoption tracking, and governance summaries for operational and leadership reporting.

Structured processes for proposing, reviewing, approving, and documenting changes to compliance controls as obligations evolve.

Control records, implementation rationale, configuration notes, and framework mapping across ISO 27001, Essential Eight, Privacy Act obligations, and relevant sector requirements.

Commonwealth and State agencies, local government, and government-adjacent organisations where records management, FOI readiness, Essential Eight alignment, and PROTECTED information handling require structured, evidenced controls.

Law firms, accounting practices, consultants, and advisers handling sensitive client information under confidentiality, privilege, and sector-specific privacy obligations.

Healthcare, aged care, and community organisations managing patient communication, clinical records, and sensitive case data where lifecycle controls carry both regulatory and ethical weight.

Superannuation, mortgage, insurance, and financial planning environments operating under Privacy Act obligations, APRA prudential standards, and ASIC regulatory expectations.

Universities, TAFEs, and schools managing student records, research data, staff information, and federated identity environments with varied retention and privacy obligations.

Any organisation pursuing ISO 27001, responding to a privacy audit, qualifying for a government panel, or preparing for formal assessment where the most common finding is the gap between policy and platform evidence.

ISO 27001 certification support for a professional services firm

A legal technology firm pursuing ISO 27001 had policies in place but lacked technical evidence in Microsoft 365. No sensitivity labelling, weak DLP, inconsistent retention, and no usable audit trail for information governance.

Harrby designed the classification model, rolled out labels in stages, introduced DLP through audit mode before enforcement, aligned retention to the records schedule, and maintained evidence in a format suitable for Annex A control review.

The firm passed the Stage 2 audit with no major nonconformities related to classification or data protection and retained Harrby for ongoing evidence support and annual surveillance readiness.

Privacy Act compliance uplift before reform deadlines

A financial services business identified major volumes of personal and sensitive information across Microsoft 365 with no classification, limited DLP coverage, and retention policies that had never been configured.

Harrby used Purview data discovery to locate the highest-risk information, introduced a prioritised classification model, rolled out DLP targeting the highest-risk sharing scenarios first, configured retention for the most sensitive content types, and built a board-ready dashboard.

The highest data exposure risks were addressed within 60 days and the organisation had a defensible compliance posture with documented controls, operational reporting, and evidence of ongoing management ahead of reform commencement.

Co-managed compliance for a government-adjacent organisation

A community health organisation needed to demonstrate compliance with state government information management standards for contract renewal. Risk owned policy. IT owned the platform. Nobody owned the gap between them.

Harrby worked in a co-managed model, providing Purview design, implementation, change management, and reporting while the internal risk team retained policy ownership and approval authority. Quarterly governance reviews were established across risk, legal, IT, and Harrby.

Contract renewal was successful, the government auditor accepted Harrby's control documentation as evidence, and the organisation now has a structured governance process that did not previously exist.