Field note
UK Cyber Resilience Pledge: M365 Evidence
Signing a public pledge before assigning owners creates reputation risk instead of resilience. Build the evidence and operating rhythm first, then decide whether the declaration is honest.
The UK government's Cyber Resilience Pledge was announced in April 2026 and formally launched in the summer. It is voluntary.
Organisations that sign commit to three areas: board responsibility, NCSC Early Warning, and a risk-based approach to Cyber Essentials across the supply chain. They also commit to encourage the actions in their supply chains, publish the signed declaration within two months and publish a public progress update every year.
This is more specific than a general statement that cyber security matters.
Quick answer
Before signing, prove that the organisation can meet the stated commitments:
- Implement the actions in the Cyber Governance Code of Practice.
- Put all board members through NCSC Cyber Governance Training within three months, then annually.
- Register for NCSC Early Warning within one month.
- Register for the Cyber Essentials Supplier Check Tool within two months.
- Audit Cyber Essentials coverage across the entire supply chain and put the result before the board.
- Define a risk-based supplier requirement and exception process.
- Publish the declaration within two months, then publish an annual delivery update.
Microsoft 365 can provide part of the evidence. It cannot prove the whole pledge.
Turn board responsibility into a real pack
The Cyber Governance Code is organised around five areas: risk management, strategy, people, incident planning and recovery, and assurance and oversight.
For a Microsoft 365-dependent organisation, a quarterly board pack could include:
| Governance question | Useful evidence |
|---|---|
| Which services are critical? | Named identity, mail, files, Teams and endpoint dependencies |
| Who owns the risk? | Executive owner plus operational owners for Entra, Exchange, SharePoint, Intune and incident response |
| Are privileged paths controlled? | Current admin roles, emergency access design and recent review date |
| Can the business recover? | Incident exercise, decisions taken, recovery tests and lessons assigned |
| Are exceptions drifting? | Conditional Access exclusions, unmanaged devices, unsupported software and supplier exceptions |
| Is assurance improving? | A small set of measures with tolerance, owner and action - not a decorative score |
The Code calls for formal reporting at least quarterly and suitable metrics aligned to risk appetite. A board does not need a tour of every Microsoft portal. It needs evidence that critical risks have owners, tolerances and decisions.
Use Early Warning properly
NCSC Early Warning is a free service for UK organisations. It uses information such as public IP addresses and domain names to provide notifications about potential malicious activity.
Registration is only the start. Record:
- which legal entity registered
- which domains and public IP ranges were supplied
- who receives alerts
- who covers absence and out-of-hours escalation
- how alerts enter the incident process
- when the registered estate was last reviewed
NCSC says the service does not cover every system or vulnerability and should not be the sole source of security alerts. Treat it as another external signal, not outsourced monitoring.
Microsoft 365 domains may form part of the public asset inventory, but the organisation also needs to consider websites, VPN endpoints, public cloud services and supplier-hosted systems.
Make the supplier commitment measurable
The pledge requires registration with the Cyber Essentials Supplier Check Tool, a comprehensive audit of Cyber Essentials coverage, and a risk-based approach to requiring certification.
Build a supplier register that answers:
- What service does the supplier provide?
- Can it access Microsoft 365 data, identities or devices?
- Is it operationally critical?
- Does it hold current Cyber Essentials or Cyber Essentials Plus certification?
- What is the certificate scope and expiry date?
- If certification is absent, what risk decision and alternative assurance exist?
- Who will review the supplier before renewal?
Do not reduce the exercise to collecting logos. Certification scope and expiry matter, and a risk-based approach needs a documented reason when the requirement differs by supplier.
A 30-day preparation plan
Week 1: ownership
Name the board sponsor, operational lead, incident lead and supplier-assurance owner. Read the pledge and Code together.
Week 2: evidence
Create the critical-service map, export current Microsoft 365 admin roles and exclusions, review incident plans, and build the supplier list.
Week 3: services and training
Register the organisation for Early Warning, confirm the asset list, schedule board training, and register for the Supplier Check Tool.
Week 4: gaps and decision
Record gaps with owners and dates. Decide whether the organisation can sign now or should complete remediation first.
The pledge allows timescales after signing, but a credible organisation should know how it will meet them before making the declaration public.
Evidence to keep
Keep one owned record containing:
- signed declaration and publication URL
- board training completion dates and annual renewal dates
- Cyber Governance Code action tracker
- Early Warning registration and alert-routing test
- supplier coverage audit and certificate checks
- risk decisions for supplier exceptions
- quarterly board papers and decisions
- incident exercise and lessons log
That record turns the pledge into repeatable governance. Without it, the declaration is only marketing copy waiting to be challenged after an incident.
Related route
If the pledge review exposes gaps in identity, endpoint, patching or evidence, the Cyber Essentials Plus readiness service provides a practical technical workstream alongside board governance.
References
Related notes
30 Apr 2026 · 3 min
Related: uk cyber security, microsoft 365, phishing.
05 May 2026 · 3 min
Related: microsoft 365, security backlog, uk sme.
23 Apr 2026 · 3 min
Related: cyber essentials plus, mfa, microsoft 365.
Need help mapping this to your own tenant, controls, or assessment timeline?