Microsoft Copilot Readiness Checklist (Free PDF, 8 pages)
No form to fill, no email required.
A 30-question pre-deployment audit Canadian businesses 10-150 employees can run before turning Microsoft 365 Copilot on — so the rollout improves productivity instead of leaking client data.
Built by Fusion Computing’s CISSP-led team. Field-tested across 38 Canadian SMB tenants in Q1 2026. Mapped to PIPEDA, PHIPA, PIPA, Quebec Law 25, and CIS Controls v8.1.
Why this matters
According to Canada’s proposed AI and Data Act (AIDA) within Bill C-27, organizations deploying AI will be expected to manage risk and maintain human oversight. A documented Copilot readiness checklist and acceptable-use policy is how an SMB shows it adopted AI responsibly.
Microsoft’s 2025 Canadian adoption research shows SMBs capture the most value from Copilot when access and data governance are handled before rollout, not after. Copilot inherits existing permissions, so a readiness pass on sharing is the difference between a productivity win and a data-exposure incident.
Microsoft 365 Copilot crossed 160 million paid users globally by Q1 2026, but SMB tenant adoption is still under 12%. The reason is not price. The reason is that the SharePoint Online and OneDrive permission model that worked fine before Copilot now exposes years of accumulated over-shares the moment Copilot is enabled. A new hire would never find a 2019 acquisition spreadsheet by accident; Copilot will surface it as a citation in a fluent two-paragraph summary on day three of the pilot.
This checklist is the pre-flight inventory we run with every Fusion-managed Canadian client before we enable a single Microsoft 365 Copilot license. Thirty questions across six control families — licensing, identity, SharePoint permissions, Microsoft Purview labels, data classification, and pilot scope. A Green score means you are ready to pilot. An Amber or Red score sets the order in which we recommend you close the gaps. Across the 38 pre-Copilot audits Fusion ran in Q1 2026, 89% of Canadian SMB tenants scored Amber or Red on first run.
Download the PDF (free, no spam)
Enter your name, business email, and company. The 8-page PDF lands in your inbox in under two minutes.
Microsoft Copilot readiness FAQ
Is Microsoft 365 Copilot safe to roll out for a small business?
Yes, once permissions are right. Copilot can only surface content a user already has access to, so the risk is over-broad SharePoint and OneDrive sharing, not the AI itself. Fix access first, then deploy.
What licensing does Copilot require?
Microsoft 365 Copilot requires a qualifying Microsoft 365 Business or Enterprise plan plus the Copilot add-on per user. The readiness work, permissions and data hygiene, matters more than the licence.
How long does a Copilot rollout take?
For a 10-to-150-person business, a governed rollout typically runs two to four weeks: permission cleanup, sensitivity labelling, a pilot group, then staged enablement.
What is the biggest Copilot risk?
Over-sharing. If matter or HR folders are exposed to staff who should not see them, Copilot will surface that content firm-wide. The checklist front-loads the permission audit for that reason.
What’s inside the 8-page PDF
A 30-question pre-deployment audit organized in six control families. Each question has a YES / NO / PARTIAL checkbox and a one-to-two-sentence “Why this matters” explanation tied to the underlying risk.
A. Licensing fit (5 questions)
- Microsoft 365 E3 / E5 / Business Premium base license confirmed for every Copilot user
- Per-user budget tracked (≈ CAD $40/user/month combined cost)
- E5 or Purview Information Protection add-on for auto-labelling at scale
- Named pilot cohort, not blanket distribution
- Microsoft 365 Apps for Enterprise build aligned across the cohort
B. Identity & Conditional Access (5 questions)
- Phishing-resistant MFA (Authenticator number-match or FIDO2) on every Copilot user
- Conditional Access blocks unmanaged devices
- Non-North-American sign-in locations blocked or step-up authenticated
- Legacy authentication (POP3, IMAP, SMTP basic) disabled at the tenant level
- Quarterly access review scheduled across SharePoint Online, OneDrive, Teams
C. SharePoint permission hygiene (5 questions)
- Tenant-wide report of “Anyone with the link” shares older than 12 months
- Default link type set to “Specific people” at the tenant policy level
- 60- or 90-day expiry on all new external sharing links
- “All Company” / “Everyone except external users” groups audited against current need
- SharePoint site collections classified Public / Private / Confidential with sensitivity inheritance
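The section C checks applied to a sharing-link inventory, as an added example (not part of Fusion's checklist and not a Microsoft tool). It assumes the inventory has already been exported to CSV; the column names, the sample rows and the `audit_shares` helper are constructed for illustration.

```python
import csv
import io
from datetime import date, timedelta

# Constructed sample export; column names are assumptions, not a Microsoft report schema.
SAMPLE_CSV = """site,item,link_type,shared_with,external,created,expires
/sites/finance,Acquisition-2019.xlsx,Anonymous,,yes,2019-06-03,
/sites/hr,Salary-bands.xlsx,Organization,Everyone except external users,no,2023-02-10,
/sites/legal,Engagement-letter.docx,Specific,client@example.com,yes,2026-03-01,2026-04-30
/sites/sales,Deck.pptx,Anonymous,,yes,2026-02-15,2026-12-31
/sites/ops,Runbook.docx,Specific,ops-team,no,2025-11-20,
"""

BROAD_GROUPS = {"all company", "everyone except external users"}
MAX_EXPIRY = timedelta(days=90)    # upper bound of the 60- or 90-day expiry item
STALE_AFTER = timedelta(days=365)  # "older than 12 months"


def audit_shares(csv_text, as_of):
    """Return (item, finding) tuples for rows that fail a section C check."""
    findings = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        created = date.fromisoformat(row["created"])
        expires = date.fromisoformat(row["expires"]) if row["expires"] else None
        anonymous = row["link_type"].strip().lower() == "anonymous"
        # "Anyone with the link" is treated as external exposure by definition.
        external = anonymous or row["external"].strip().lower() == "yes"

        if anonymous and as_of - created > STALE_AFTER:
            findings.append((row["item"], "stale-anyone-link"))
        if external and expires is None:
            findings.append((row["item"], "external-no-expiry"))
        elif external and expires - created > MAX_EXPIRY:
            findings.append((row["item"], "external-expiry-too-long"))
        if row["shared_with"].strip().lower() in BROAD_GROUPS:
            findings.append((row["item"], "broad-group-grant"))
    return findings


if __name__ == "__main__":
    for item, finding in audit_shares(SAMPLE_CSV, date(2026, 4, 1)):
        print(f"{finding:26} {item}")
```

Internal links without an expiry (the ops runbook row) are deliberately not flagged, since the checklist's expiry item covers external sharing links only.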
D. Microsoft Purview information labels (5 questions)
- Three Microsoft Purview sensitivity labels defined (Public, Internal, Confidential at minimum)
- Auto-labelling enabled on at least one Confidential pattern (SIN, PHI, named client)
- Confidential label restricts Copilot from including content in external summaries
- Label taxonomy signed off by CEO, CFO, or named information-governance owner
- DLP policy mirrors the label rules for outbound email and Teams chat
E. Data classification policy (5 questions)
- Written one-page data-classification policy approved by leadership
- Stated AI use policy covering Copilot for Microsoft 365 and consumer AI tools
- Records-retention rule for Copilot prompts and responses
- Privacy breach response plan covers AI-disclosure scenarios
- Policy mapped to PIPEDA, PHIPA, PIPA, Quebec Law 25, and CIS Controls v8.1
F. Pilot scope + measurement plan (5 questions)
- Named 10-25 user pilot cohort drawn from at least two business functions
- Three named use cases per pilot user with baseline measurement before enable
- Weekly check-in cadence for the first 30 days
- Documented Copilot rollback plan with named trigger and decision-maker
- Go / no-go decision points at days 30, 60, and 90 with named owners
Plus: a Green / Amber / Red scoring rubric, a 90-day remediation roadmap from a Red score, six common pitfalls Canadian SMBs hit on Copilot rollouts, and the CISSP-led 30-60-90 cadence Fusion uses for client deployments.
About the author
“Most Copilot rollouts fail on permissions, not technology. Copilot can only surface what a user already has access to, so if your SharePoint is over-shared, Copilot will expose it firm-wide on day one. Readiness is mostly about fixing access before you switch it on.”
Mike Pearlstein, CISSP, is the founder and CEO of Fusion Computing, a Toronto-based managed IT provider for Canadian businesses 10-150 employees. Fusion was founded in 2012 and has been deploying and governing Microsoft 365 tenants for Canadian SMBs ever since. Mike personally holds the CISSP credential — the recognised senior-practitioner baseline for information security — and an MSc in Computer Science from the University of Guelph (2011).
This checklist was field-tested across 38 Canadian SMB tenant audits between January and April 2026. Fusion Computing is named in Canada’s 50 Best Managed IT Companies in both 2024 and 2025, holds a 4.9 average on Google Reviews, and is the CISSP-led IT partner trusted by Canadian businesses across legal, accounting, wealth management, healthcare, and professional services.
When you’ll receive the PDF
Submit the form above and the 8-page PDF lands in your inbox in under two minutes. The download link is the first thing in the email. There is no waiting period, no “we will be in touch,” no manual sales follow-up before you have the document.
You will get three short follow-up emails over the next seven days: a companion case study on day three, a 30-minute walk-through offer on day seven, and one final reminder. After that the sequence ends. Unsubscribe any time.
Want us to walk through your scorecard?
Run the checklist, then book a free 30-minute call. We’ll review your Green / Amber / Red score, explain the highest-priority gap for your tenant, and tell you whether a remediation engagement is worth the budget. No sales script, no obligation.

