Microsoft Compliance Manager is a comprehensive compliance management solution located within the Microsoft 365 compliance center. Compliance Manager is a cross-Microsoft solution that helps you meet complex compliance obligations, including:
- ISO 27001
- NIST 800-53
What does Microsoft Compliance Manager do?
Microsoft Compliance Manager helps you manage your organization's compliance needs including the inventory of data protection risks, changes within your chosen regulation or certification, reporting to auditors, and more.
Microsoft Compliance Manager measures your compliance through a centralized dashboard (shown above). Based on the compliance guidelines your organization is required or chooses to meet, this tool will collect information, identify issues, and confirm your progress. Microsoft Compliance Manager can also help simplify your compliance journey by offering:
- Pre-built assessments for common compliance standards
- Custom assessments to meet your organization's specific compliance needs
- Suggested improvements to reach compliance
- A risk-based score that shows your organization's current compliance posture
These specific offerings work together to build a complete and easy-to-use platform for your organization to become compliant and tighten data security.
Core Elements of Microsoft Compliance Manager
Microsoft Compliance Manager is made up of four major elements that work together to detail your compliance journey.
Controls
This element details the requirements in the compliance standard your organization is trying to meet. It defines how you need to assess and manage the configurations, processes, and people responsible for meeting the specified requirements. Microsoft Compliance Manager helps track these controls and divides them into two categories: Microsoft-managed controls, which Microsoft is responsible for implementing, and shared controls, for which your organization and Microsoft share responsibility. Compliance Manager assesses these controls by scanning your environment, and the status of each control is updated daily. This means that once you implement a control to meet a compliance requirement, its status will update the following day.
Assessments
Assessments are a grouping of controls from your specified compliance standard or regulation. They include everything within the controls element plus in-scope services and assessment scores. The in-scope services are the set of Microsoft services that apply to the assessment, and the score shows the progress made on addressing controls and achieving compliance. If you complete all the controls within a specific assessment, your Microsoft 365 configuration will be in line with the compliance standard you initially selected.
Templates
Assessments are built using templates, which can be prebuilt by Microsoft or customized to your organization's specific needs. You can choose which compliance standard your organization needs to meet. Microsoft has over 35 prebuilt templates, some of which are included with your licensing and others that are premium. Some of the included templates are the Microsoft Data Protection Baseline, EU GDPR, ISO/IEC 27001:2013, and NIST 800-53, while some of the premium templates are SOC 1 and SOC 2, PCI DSS, Privacy of Consumer Financial and Health Information Regulation, HIPAA/HITECH, FERPA, and the Sarbanes-Oxley Act.
Improvement Actions
Improvement actions are the final main element of Microsoft Compliance Manager. This feature centralizes your compliance activities and details what specific actions your organization needs to take to align it with the specified compliance regulations. Each improvement action can be assigned to a specific user to complete, and each one can store documents, notes, and status updates. When an update is available for an improvement action, such as when there are regulatory changes, you will be notified, and the update can either be accepted or deferred. Improvement actions directly impact and improve your compliance score.
Understanding your Compliance Score
Within the Microsoft 365 compliance center, you can view your organization's compliance score. Your score starts with an initial score based on the Microsoft 365 data protection baseline; additional points are then added based on the requirements of your selected compliance standard, such as NIST CSF or ISO 27001.
This score is expressed as a percentage as well as points achieved out of total attainable points. These points are further broken down into customer-managed points achieved, which are based on actions that your organization took, and Microsoft-managed points achieved, which are based on actions that Microsoft took for you. At first glance, these numbers give you an idea of where you stand in relation to the compliance standard you are trying to meet.
Who needs Microsoft Compliance Manager?
In short, Microsoft Compliance Manager is for everyone. Whether your organization is required by law to meet compliance standards or your organization chooses to maintain regulatory compliance, Microsoft Compliance Manager can help you on your journey.
Some of the most common compliance standards and industries are:
- HIPAA for health care organizations
- PCI DSS for organizations that handle or process credit card information
- Sarbanes-Oxley or Gramm-Leach-Bliley for organizations that handle financial information
- CCPA for organizations processing information on California residents
Regardless of whether or not your organization is required to meet a compliance standard, meeting one is good practice for keeping data secure and costs low.
How to Get Started with Microsoft Compliance Manager
Microsoft Compliance Manager is available to organizations that have Office 365 or Microsoft 365 licensing. To get started, you will need to have your organization's Global administrator sign in to Compliance Manager and set up user permissions.
Compliance Manager uses a role-based access control (RBAC) permissions model, which means that only users who are assigned a role can access the tool, and their actions are restricted to what that role allows. These roles include reader, contributor, assessor, and administrator, and they range from read-only access to managing assessments and tenant data.
Once roles are assigned and the templates are chosen, the real work can begin. View the dashboard to access your compliance score and improvement activities. Begin assigning or reassigning tasks to users, and enable automatic testing of improvement actions. As improvement actions are completed, you can manage the user history within each action, such as documents uploaded, notes entered, and more.
Need help getting started with Microsoft Compliance Manager or the Microsoft Security stack? Contact us today for a free consultation.