From 12 Spreadsheets to 1 ISMS SharePoint Platform

A mid-sized Canadian services firm was managing ISO 27001 and SOC 2 compliance across 12 spreadsheets, shared drives, and email threads. Audit prep took weeks, policies lacked version control, and evidence was scattered everywhere. By consolidating everything into a SharePoint ISMS portal, they reduced audit preparation time by 50%, automated policy reviews, centralized their risk register, and transformed compliance from chaos into clarity. This case study shows exactly how they did it and what changed.

From 12 Spreadsheets to 1 Portal: How a Canadian Services Firm Tamed Its Compliance Chaos

Policies in folders. Risk registers in Excel. Evidence everywhere. Here is how one mid-sized enterprise consolidated dozens of tracking tools into a single SharePoint ISMS and cut audit prep time by 50%.

The Problem Wasn’t the Deadline. It Was the Spreadsheets.

“Please provide the latest approved access control policy and evidence of its last review.”

It seemed like a simple request. The kind auditors make every day.

For the compliance lead at a mid-sized Canadian professional services firm (let’s call them North Ridge Consulting), it triggered a three-day nightmare.

Which version was final? (There were seven in the folder.)

Who approved it? (The filename said “approved,” but there was no timestamp.)

Was it reviewed on time? (The review date was buried in someone’s calendar.)

By the time the evidence was assembled, the auditor had moved on to the next request and trust had eroded.

This wasn’t a failure of effort. It was a failure of systems.

North Ridge Consulting had everything a growing firm needs: ISO 27001 certification, a dedicated compliance team, and well-intentioned employees.
But their ISMS ran on 12 spreadsheets, 4 shared drives, and countless email chains.

And it was starting to crack.

Company Snapshot

| Detail | Information |
| --- | --- |
| Industry | Professional Services (Consulting) |
| Size | 200–300 employees |
| Frameworks | ISO 27001, SOC 2 |
| Compliance team | 2 full-time + fractional support |
| Before state | Spreadsheets, folders, email |
| After state | SharePoint ISMS portal |

The Breaking Point

The moment of truth came during an internal audit prep session. A simple request for access control evidence took three people and two days to fulfill.

Leadership gathered for a post-mortem.

The compliance lead said: “We have the evidence. We just can’t find it.”

The IT manager said: “We spend more time documenting than securing.”

The CFO asked: “How much is this costing us in productivity?”

No one had a good answer. But everyone knew the number was too high.

The firm faced a choice: buy an expensive GRC tool, or build something inside the Microsoft 365 tools they already owned.

They chose the latter and partnered with Canadian Cyber to make it happen.

The “Before” State: 12 Spreadsheets and Chaos

Before the transformation, North Ridge’s compliance program ran on:

| Tool | Purpose | Problem |
| --- | --- | --- |
| Excel (6 files) | Risk register, evidence logs, asset inventory | No version control, only one owner could edit |
| Shared drives | Policy storage | Duplicates, no approval tracking |
| Email | Approvals, reviews, communication | No audit trail, lost in inboxes |
| Word docs | Procedures, guidelines | Unknown versions, no ownership |
| Calendars | Review reminders | Missed dates, no escalation |
| Individual hard drives | Evidence storage | Inaccessible to auditors, no backup |

The hidden cost: Compliance tasks that should have taken minutes took hours. Evidence that should have been centralized was scattered. And every audit began with panic.

The real cost: Leadership estimated the team spent 20–30 hours per month just managing compliance, not improving it.

The Decision: Build Inside Microsoft 365

North Ridge evaluated several options:

  • Standalone GRC tools: Powerful but expensive and required separate logins
  • More spreadsheets: Cheap but already failing
  • SharePoint ISMS: Leveraged existing Microsoft 365 licenses, integrated with Teams, and kept data inside their tenant

They chose the SharePoint route and engaged Canadian Cyber to design and deploy an ISMS portal aligned to ISO 27001 and SOC 2.

The Implementation: From Files to a Living ISMS

Phase 1: The Portal (Week 1–2)

Canadian Cyber built a dedicated SharePoint site that became the single source of truth for everything compliance:

  • Policies and procedures in controlled libraries
  • Risk register as a SharePoint list (no more Excel)
  • Evidence repository organized by control
  • Audit findings tracker
  • Management review archive

Navigation was designed around how teams actually work—not how auditors think.

Phase 2: Policy Management (Week 3–4)

The policy library was transformed:

| Before | After |
| --- | --- |
| Folders with unknown versions | Version history enabled |
| No clear owners | Owner column required |
| Review dates in calendars | Review date metadata + automated alerts |
| Email approvals | Approval workflows in SharePoint |
| Manual acknowledgements | Read confirmation tracking |

What changed: Policy reviews stopped being calendar guesses and became automatic workflows.

Phase 3: Risk Register Goes Live (Week 5)

The Excel risk register, passed between team members for years, was replaced with a SharePoint list.

New capabilities:

  • Risks categorized by severity, owner, and status
  • Real-time views (Critical risks, Risks by owner)
  • Historical tracking (no more overwritten files)
  • Links to controls and evidence

The impact: Leadership could now see risk posture at a glance without asking for an updated spreadsheet.

Phase 4: Evidence That Takes Care of Itself (Week 6–8)

The biggest win was evidence management.

Instead of scrambling before audits, evidence was collected continuously:

| Evidence Type | Before | After |
| --- | --- | --- |
| Access reviews | Emailed spreadsheets | Quarterly workflow + auto-stored |
| Training records | Manual tracking | LMS integration via Power Automate |
| Vulnerability scans | Screenshots saved randomly | Auto-export to evidence folder |
| Policy acknowledgements | “We think everyone read it” | Timestamped records per employee |

The shift: Evidence collection went from “audit-time panic” to a predictable routine.

Phase 5: Collaboration Without Chaos (Week 8–10)

Permissions were configured so that:

  • Control owners could edit their evidence
  • Auditors could read everything
  • Leadership saw dashboards, not raw data
  • Employees could acknowledge policies in one click

IT, HR, Operations, and Leadership now worked in the same portal without stepping on each other’s toes.

The “After” State: One Portal, Endless Visibility

Twelve months after implementation, North Ridge’s compliance program looked entirely different.

Quantitative Results

| Metric | Before | After | Improvement |
| --- | --- | --- | --- |
| Audit prep time | 3–4 weeks | 1–2 weeks | 50% reduction |
| Policy review compliance | ~60% | 100% | Zero missed reviews |
| Evidence collection | Manual scramble | Continuous | 70% less manual effort |
| Risk register updates | Quarterly | Real-time | Always current |
| Internal audit duration | 5 days | 3 days | 40% faster |
| Stakeholder fatigue | High | Low | Teams work in parallel |

Qualitative Results

From the Compliance Lead:
“For the first time, ISO 27001 feels manageable—not overwhelming. We stopped chasing documents and started improving security.”

From the IT Manager:
“Auditors noticed immediately. Evidence was consistent, approvals were traceable, and ownership was clear. They spent less time auditing our process and more time validating our controls.”

From the CEO:
“I used to dread security questionnaires from enterprise prospects. Now I send them a link to our trust portal. Deals move faster.”

The Metrics That Matter

Beyond the operational wins, North Ridge tracked business outcomes:

| Outcome | Result |
| --- | --- |
| Enterprise deals unblocked | 3 deals previously stalled by security questions closed within 6 months |
| Cyber insurance premium | Reduced by 12% after demonstrating structured program |
| Employee confidence | 88% of employees reported feeling “confident” in security roles (up from 41%) |
| Leadership visibility | Real-time dashboard replaced quarterly update meetings |

The bottom line: The SharePoint ISMS paid for itself in the first enterprise deal it helped close.

Why It Worked: The Canadian Cyber Difference

North Ridge didn’t just buy a template. They partnered with Canadian Cyber to build a system designed for how compliance actually works.

| Need | Solution |
| --- | --- |
| Structure | One portal, one navigation, one source of truth |
| Automation | Reviews, approvals, reminders all automated |
| Visibility | Ownership, status, progress visible to leadership |
| Audit readiness | Evidence collected continuously, not during panic |
| Scalability | Designed to grow with the business (more employees, more frameworks) |

The 3 Lessons Every Growing Company Should Learn

1. Spreadsheets Don’t Scale

They work for 20 employees. They fail at 200. The cost isn’t the software—it’s the hours your team spends wrestling with versions, chasing approvals, and hunting for evidence.

2. You Already Own the Tools

Most mid-sized companies already pay for Microsoft 365. The question isn’t whether to buy new software—it’s whether to configure what you already have.

3. Culture Follows Structure

When systems are messy, compliance feels like a burden. When systems are clean, compliance becomes part of how work gets done. North Ridge’s 88% employee confidence score didn’t come from training—it came from clarity.

Is Your Compliance Program Ready for a Transformation?

You don’t need to wait for an audit near-miss to make a change.

Ask yourself:

  • Can you find your current approved policies in under 60 seconds?
  • Do you know which controls are owned by whom?
  • Is your evidence collection continuous or chaotic?
  • How much time does your team spend managing compliance vs. improving it?

If the answers make you uncomfortable, you’re in good company. Most growing companies feel the same way.

The difference is what they do next.

The 15-Minute ISMS Assessment

You do not need to guess whether your compliance systems are ready to scale.

Book 15 minutes with our team.

We will review your current tools, processes, and pain points.

We will tell you:

  • How much time your team is losing to manual compliance work
  • One workflow you can automate this week that saves 10+ hours/month
  • What a SharePoint ISMS would look like for your specific business

This is not a sales pitch. It is a diagnostic.

Because the best time to fix your compliance systems was before the next audit.

About Canadian Cyber

Canadian Cyber helps mid-sized enterprises transform compliance from chaos to clarity. We design SharePoint-based ISMS portals that centralize policies, automate evidence, and keep teams audit-ready year-round.

We don’t sell software. We sell structure.

Let’s build yours.

Results Snapshot

| Metric | Before | After |
| --- | --- | --- |
| Audit prep time | 3–4 weeks | 1–2 weeks |
| Policy review compliance | ~60% | 100% |
| Evidence collection | Manual | Continuous |
| Enterprise deals unblocked | 0 | 3 |
| Employee confidence | 41% | 88% |
| Stakeholder fatigue | High | Low |

Ready to Replace Spreadsheets with Structure?

If your compliance team spends more time searching than securing, it is time for change.
