Roadmap for Information Protection & Governance?


We are starting on an Information Protection & Governance journey at our org, and we are putting together a high level roadmap.


There would naturally be multiple iterations of this, but as a high-level roadmap, what do you think of this?


  1. Compliance Management
  2. Information Protection
  3. Insider Risk Management
  4. Communication Compliance
  5. Information Governance
  6. Records Management
  7. Discover & Respond (eDiscovery)


Thank you,



2 Replies

Great question!

I checked with a lead engineer, and his feedback on this topic is that most customers deploy in this order:


  1. Information Protection - MIP
    1. DLP
    2. Sensitivity Labels / AIP Scanner
  2. D&R (eDiscovery)
  3. MIG (Information Governance)
  4. IRM (Insider Risk Management)

The rationale given is that deploying MIP first enables richer signals to IRM.

The engineer informed me that customers often deploy D&R and MIG together, as they are similar in theme.

Lastly, D&R comes before IRM because D&R features help with IRM escalations or investigations.


When you're ready to get started with your deployment, the MIP Setup Guide in the M365 Admin Center gives a simplified list of deployment steps, offering step-by-step guidance and automation.


Actually a good approach. But if I might add, I would suggest setting up some default DLP rules that capture everything you do, but are put in monitor mode. That way you can capture sensitive data within your environment, for example a document that contains GDPR-related information that is copied to USB. Once you have this information, you can then continue to define the actions you want to allow/deny in your environment.

Once you have all that you can then start configuring the solutions proposed by kentmitchell.
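As an added example (not from this thread or from the engineer quoted above), here is the audit-only DLP baseline the reply describes, written for Security & Compliance PowerShell: the policy and rule names are placeholders, the sensitive information types are chosen only for illustration, and the cmdlet parameters should be checked against the current ExchangeOnlineManagement documentation before running.

```powershell
# Added example, not from the original thread: a DLP policy that audits, but
# does not block, EU personal data in Exchange, SharePoint, OneDrive and on
# managed endpoints, so you learn where the data lives and moves before you
# decide what to allow or deny.
# Requires the ExchangeOnlineManagement module and a compliance admin role.
# Policy/rule names are placeholders; verify parameter names and sensitive
# information type names against the current docs for your tenant.

Import-Module ExchangeOnlineManagement
Connect-IPPSSession   # Security & Compliance PowerShell, interactive sign-in

$policyName = 'Monitor-EU-Personal-Data'   # placeholder name

# TestWithoutNotifications is "monitor mode": matches are recorded in the
# DLP reports and Activity explorer, users see nothing and nothing is blocked.
New-DlpCompliancePolicy -Name $policyName `
    -Comment 'Audit-only baseline: discover GDPR-related data flows before enforcing' `
    -ExchangeLocation All `
    -SharePointLocation All `
    -OneDriveLocation All `
    -EndpointDlpLocation All `
    -Mode TestWithoutNotifications

# One rule that fires on a small set of built-in EU identifiers (illustrative;
# swap in the types your own data inventory cares about). On endpoints, the
# reply's scenario is copy-to-USB, so only the removable media action is
# listed, and it is set to Audit rather than Block for this phase.
New-DlpComplianceRule -Name "$policyName-Rule" -Policy $policyName `
    -ContentContainsSensitiveInformation @(
        @{ Name = 'EU Passport Number';                minCount = '1' },
        @{ Name = 'EU National Identification Number'; minCount = '1' },
        @{ Name = 'EU Debit Card Number';              minCount = '1' }
    ) `
    -EndpointDlpRestrictions @(
        @{ Setting = 'RemovableMedia'; Value = 'Audit' }
    ) `
    -ReportSeverityLevel Medium

# Confirm the policy really is in test mode before leaving it running.
Get-DlpCompliancePolicy -Identity $policyName | Select-Object Name, Mode
```

Review the matches for a few weeks, then switch individual rules to Block or Warn and the policy to Enable only once the false-positive rate is understood.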