Help Centre

Plain-English answers to the questions we hear most often from UK businesses looking at Certaria. If you cannot find what you need here, contact support.

Last updated: 15 April 2026

What is Certaria?

Certaria is an ISO 27001 information security management system for UK small businesses on Microsoft 365. It installs into your own Microsoft tenant, reads security evidence from the Microsoft 365 tools you already use, and walks you through certification step by step. Your data never leaves your environment.

Getting Started

From install to first scan, the whole process takes under an hour.

  1. Install from AppSource

     Your Microsoft 365 Global Administrator approves the install. Certaria deploys into your tenant as a managed solution.

  2. Grant consent

     Certaria requests a small number of read-only Microsoft Graph permissions so it can see your security data. Your admin approves them once.

  3. Run the Onboarding Wizard

     A guided setup creates your risk register, Statement of Applicability, and first round of control ownership assignments.

  4. Run your first Readiness Scan

     Certaria reads your Microsoft 365 security data and shows you how many of the 93 ISO 27001 controls already have evidence. Most customers find 31 to 37 before they have entered anything.

Top 10 Questions

01 How much does Certaria cost?

Standard is £399 per month and Business is £499 per month. You will also need two Power Apps Premium licences from Microsoft (around £33 per month in total) for your information security administrators. Annual billing saves approximately 17%. See the pricing page for the full cost breakdown.

02 Do I need Microsoft 365 Business Premium?

Yes. Certaria is not compatible with Microsoft 365 Business Basic or Standard. Business Premium or higher is required.

03 Why do I need two Power Apps Premium licences?

Your information security administrators use the full Certaria Power App interface. Everyone else uses Certaria through the Microsoft Teams agent under licences you already have.

04 Where is my data stored?

Inside your own Microsoft 365 tenant. Certaria deploys as a managed solution. Talastron has no standing access to your tenant or your data.

05 What Microsoft Graph permissions does Certaria need?

A small number of read-only Microsoft Graph scopes covering security data: Secure Score, device management, conditional access, sensitivity labels, audit logs, and directory data. None of them can write to your tenant. Your Global Administrator approves them once during installation.
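The consent step in Getting Started and the answer above both rest on the same claim: every Microsoft Graph permission the app holds is read-only. A Global Administrator can verify that directly in Entra ID rather than take it on trust. The script below is an added example for this help page, not Certaria's or Talastron's own code. It assumes the Microsoft Graph PowerShell SDK is installed and that the app appears under Enterprise applications with the display name 'Certaria' (a placeholder; use the name your tenant shows). It lists the delegated and application permissions granted to that app on Microsoft Graph and flags any whose name suggests write or management rights.

```powershell
# Added example (not Certaria's or Talastron's code): list the Microsoft Graph
# permissions actually granted to an installed enterprise app and flag any that
# are not read-only.
# Assumptions: Microsoft.Graph PowerShell SDK installed; the app's display name
# in Entra ID > Enterprise applications is 'Certaria' (placeholder).

# Sign in with the least privilege needed to read consent data.
Connect-MgGraph -Scopes 'Application.Read.All', 'Directory.Read.All' -NoWelcome

$appDisplayName = 'Certaria'   # placeholder: replace with the name shown in your tenant

# Service principal of the installed app (the tenant-local instance of the app).
$app = Get-MgServicePrincipal -Filter "displayName eq '$appDisplayName'"
if (-not $app) { throw "No service principal named '$appDisplayName' found in this tenant." }

# Service principal for Microsoft Graph itself; this appId is the same in every tenant.
$graph = Get-MgServicePrincipal -Filter "appId eq '00000003-0000-0000-c000-000000000000'"

# Heuristic on the scope name: scopes such as Foo.Read.All are treated as read-only,
# anything that can write, manage, send or delete is flagged for review.
function Test-IsReadOnlyScope([string]$Scope) {
    return $Scope -notmatch 'ReadWrite|Write|Manage|Send|Create|Delete|Invite'
}

$findings = @()

# Delegated permissions live in OAuth2 permission grants, one row per
# (client, resource, principal), with the scopes in a space-separated string.
Get-MgServicePrincipalOauth2PermissionGrant -ServicePrincipalId $app.Id |
    Where-Object { $_.ResourceId -eq $graph.Id } |
    ForEach-Object {
        foreach ($scope in ($_.Scope -split ' ' | Where-Object { $_ })) {
            $findings += [pscustomobject]@{
                Type     = 'Delegated'
                Scope    = $scope
                ReadOnly = Test-IsReadOnlyScope $scope
            }
        }
    }

# Application permissions are app role assignments that reference a role id;
# map the id back to its name using the Graph service principal's AppRoles list.
Get-MgServicePrincipalAppRoleAssignment -ServicePrincipalId $app.Id |
    Where-Object { $_.ResourceId -eq $graph.Id } |
    ForEach-Object {
        $roleId = $_.AppRoleId
        $role   = $graph.AppRoles | Where-Object { $_.Id -eq $roleId }
        $name   = if ($role) { $role.Value } else { "unknown role $roleId" }
        $findings += [pscustomobject]@{
            Type     = 'Application'
            Scope    = $name
            ReadOnly = Test-IsReadOnlyScope $name
        }
    }

$findings | Sort-Object Type, Scope | Format-Table -AutoSize

$writable = @($findings | Where-Object { -not $_.ReadOnly })
if ($writable.Count -gt 0) {
    Write-Warning ("{0} granted permission(s) are not read-only; review them before relying on a read-only claim." -f $writable.Count)
} else {
    Write-Host 'All granted Microsoft Graph permissions on this app look read-only.'
}
```

Run it as a Global Administrator or another role that can read application consent. The read-only test is a name-based heuristic, so treat a clean result as a prompt to read the listed scopes yourself rather than as proof; a scope the heuristic does not recognise still appears in the table. Re-running the script after any app update is a cheap way to notice if the consented permission set has changed.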

06 How long does it take to get certified?

From install to being ready for Stage 2 audit typically takes 3 to 6 months depending on your starting point. Customers with existing security hygiene finish faster.

07 Does Certaria cover SOC 2 or Cyber Essentials?

Not in version 1. Certaria covers ISO 27001:2022 only. Other frameworks are on the roadmap.

08 Can I cancel?

Yes. Monthly billing has no minimum term. Annual billing runs for 12 months and renews unless cancelled.

09 What happens to my data if I cancel?

Your data stays in your tenant. You own it. Uninstalling Certaria removes the managed solution but does not delete your ISMS records. You can export them first or leave them in place.

10 Is Certaria actually used by its maker?

Yes. Talastron Ltd uses Certaria to run its own information security management system and is pursuing ISO 27001 certification through it.

Plain-English Glossary

ISMS
Information Security Management System. The full set of policies, processes, people, and technology you use to protect information.
ISO 27001:2022
The international standard that defines what a good ISMS looks like. Contains 93 security controls in Annex A.
Annex A
The list of 93 security controls in ISO 27001:2022 that you are expected to implement, or justify not implementing.
Statement of Applicability
Your documented decision about which Annex A controls apply to you and which do not. Your auditor reads this first.
Clauses 4 to 10
The management-system parts of ISO 27001:2022 (context, leadership, planning, support, operation, evaluation, improvement). These sit alongside Annex A.
Surveillance audit
The annual audit after you are certified, checking that your ISMS still works. Certification is not a one-time event.
Microsoft Graph API
The Microsoft interface that lets Certaria read security signals from your Microsoft 365 tenant. Read-only, with your consent.

Still stuck? Our support team responds to all queries within one UK working day.

Contact Support