What Inquilion provides
Inquilion provides independent governance assurance over Microsoft 365 configuration. This includes assessment, reporting, and ongoing assurance services as described on this website and in individual engagement letters.
Inquilion does not provide: legal advice or legal opinions; audit certification or compliance certification; penetration testing, vulnerability scanning, or technical security assessment; remediation, configuration changes, or operational IT services; guarantees of security, data protection compliance, or breach prevention.
Governance reports are provided for the purpose of informing board-level oversight. They are not intended as, and should not be relied upon as, a substitute for professional legal, audit, or regulatory advice.
Independence from delivery
Inquilion operates independently from IT delivery, configuration, and remediation. Reports identify governance findings and frame questions for the board to put to management. Inquilion does not direct, advise on, or carry out remediation activity. This independence is structural and absolute.
Where Inquilion identifies that controls or dependencies sit outside the Microsoft 365 boundary, the board is informed. The scope of each assessment is defined in the engagement letter and the governance report clearly states what has, and has not, been assessed.
Assessment methodology
The Inquilion assessment methodology, including governance domains, individual checks, scoring thresholds, RAG rating criteria, and regulatory framework mapping logic, is proprietary to Inquilion and Bentlebury Limited.
The methodology is subject to ongoing development. Governance domains, assessment checks, regulatory framework coverage, and report format may be updated at any time to reflect changes in the Microsoft 365 platform, the regulatory landscape, or governance best practice.
Website descriptions of the methodology, including domain names, report previews, and scope summaries, reflect the methodology at the time of publication and may not precisely match the methodology applied at the time of a specific engagement. The engagement letter and the governance report define the actual scope and methodology applied.
Governance reports
Inquilion governance reports are point-in-time assessments. They reflect the configuration state of the Microsoft 365 environment at the time of assessment.
A governance report does not: guarantee the ongoing security or compliance of the environment; certify that the organisation meets any specific regulatory standard; replace the need for ongoing management oversight, operational monitoring, or periodic reassessment; create any warranty or assurance that the environment will not be subject to a security incident.
A Green RAG rating in any domain indicates that the assessed configuration meets the governance baseline at the time of assessment. It does not indicate that the domain is immune to risk or that no further action is required.
Standing assurance engagements provide ongoing monitoring and trend reporting. Point-in-time assessments provide a snapshot. The engagement letter specifies which model applies.
Assessment access and data handling
Inquilion assessments are conducted using read-only access to the Microsoft 365 tenant. No configuration is changed, no data is modified, and no remediation is performed during the assessment.
Assessment data is processed in accordance with the Inquilion Privacy Policy. Client data is not shared with third parties, used for marketing, or retained beyond the period required to deliver and support the engagement. Specific data handling arrangements are defined in the engagement letter.
Read-only access is provisioned by the client for the duration of the assessment and revoked upon completion. Inquilion does not retain standing access to client environments outside of standing assurance engagements, where access arrangements are defined in the engagement letter.
Information on this website
The content on this website is provided for general information about Inquilion's governance assurance services. It does not constitute an offer, a contract, or professional advice.
Service descriptions, methodology summaries, regulatory framework references, and report previews are illustrative and reflect the position at the time of publication. They may be updated at any time without notice.
Case study references to third-party organisations (such as Knights of Old, LastPass, and Jaguar Land Rover) are based on publicly available information and are used to illustrate governance principles. Inquilion was not involved with these organisations and makes no claim about what its involvement would or would not have changed.
Proprietary methodology
The Inquilion assessment methodology, governance domains, check frameworks, scoring models, regulatory mapping logic, report templates, and all associated intellectual property are owned by Bentlebury Limited.
No part of the methodology may be reproduced, reverse-engineered, or used to create a competing service without the express written permission of Bentlebury Limited.
Governance reports are provided for the client's internal governance use. They may be shared with the client's board, audit committee, regulators, and insurers as required. They may not be published, distributed commercially, or used for marketing purposes without written consent.
About Bentlebury Limited
Inquilion is a governance assurance service of Bentlebury Limited.
Bentlebury Limited, registered in England and Wales. Company number 13706629.
Head office: 120 Regent's Pavilion, Summerhouse Road, Moulton Park, Northampton, NN3 6BF
Registered office: 149 Park Avenue North, Northampton, NN3 2HY
Telephone: 01604 346046 | Email:
These terms were last updated in March 2026.