As the pace of digital transformation accelerates, organizations face greater risks associated with data, users, devices, and applications. More than half of risk management decision makers state that IT and cybersecurity risks are their biggest concern. Now, more than ever, it is critical for IT professionals to have the knowledge and tools to effectively assess and monitor risk.
For many organizations trying to meet compliance requirements, it can be overwhelming to know where to start and what to implement. To help you prioritize and take risk-informed actions to manage compliance, we are thrilled to introduce Microsoft Compliance Manager, now generally available to all Microsoft cloud services customers today.
Compliance Manager simplifies compliance and helps reduce risk. Compliance Manager translates complex regulatory requirements to specific controls and through compliance score, provides a quantifiable measure of compliance. As Glenn McLellan, Manager at Frost Bank, put it: “Compliance Manager took the mystery out of compliance for us.” To learn more about how Frost Bank used Compliance Manager and Microsoft Teams to exceed their business objectives, see this video.
Compliance Manager offers intuitive compliance management, a vast library of scalable assessments, and built-in automation.
The complexity of regulations makes it challenging for organizations and IT administrators to know the specific actions they can take to meet their compliance requirements. Compliance Manager provides easy, guided onboarding (Figure 1 below) and supports twenty-four languages.
Figure 1: Guided onboarding in Compliance Manager
With a simple design that works out of the box, IT admins and compliance and audit officers can quickly collaborate to address compliance. With Compliance Manager, you don’t need to be an expert in complex regulations like the General Data Protection Regulation (GDPR) to know the actions you can take to improve compliance effectiveness. Compliance Manager now combines the functionality of compliance score and the existing Compliance Manager solution, making it a single portal for end-to-end compliance management.
Very often the lack of a central platform to map all technical controls leads to ‘compliance management using Excel,’ which isn’t ideal. Compliance Manager provides access to a vast library of 150+ assessment templates (Figure 2 below), from global regulations such as the GDPR, PCI-DSS, and COBIT 5 to regional assessments such as Brazil’s LGPD data protection law and Malaysia’s Personal Data Protection Act. Industry-specific assessments such as HITRUST and the Cybersecurity Maturity Model Certification (CMMC) are also covered. Compliance Manager now gives you the ability to quickly customize these assessments to meet your unique business requirements. For example, if you are currently tracking compliance of your SAP application in an Excel file, you can bring that into Compliance Manager.
Figure 2: Assessment templates in Compliance Manager
Compliance management can be tedious, and organizations often find it difficult to know their degree of compliance with specific regulations. Translating ever-changing regulatory requirements into specific actions and controls is also challenging and not all organizations have the resources to do this accurately. Point-in-time assessments (e.g., for quarterly/semi-annual/annual audits) also mean that organizations tend to have ‘blind spots’ between these assessment windows. To help you with these challenges, Compliance Manager comes built-in with the following capabilities:
Compliance score: With compliance score you get a clear quantified assessment of compliance (Figure 3 below). You can also obtain your compliance score for a specific regulation or standard (e.g., NIST 800-53) or for a specific category (e.g., ‘Protect information’).
Figure 3: Compliance score in Compliance Manager provides a risk-based score
Control mapping: With more than 220 updates every day from 1,000 regulatory bodies around the world, it’s overwhelming for organizations to keep up-to-date with the evolving compliance landscape. Efficiency in achieving compliance and prioritizing actions to meet multiple regulations and standards is a must-have for organizations but is challenging. At Microsoft, we have a team of subject matter experts building and maintaining a common control framework to scale our compliance effort. We are sharing this knowledge by building it into Compliance Manager so you can scale your compliance program across global, industrial, and regional regulations and standards. With the built-in control mapping in Compliance Manager, when you implement one common control, the status and the evidence of the control will be automatically synchronized to the same control in other assessments, helping you reduce duplicative work.
Continuous regulatory updates: All Compliance Manager assessments are kept up to date as regulations and standards evolve. You can see updates to the assessments you are using and control when you accept these updates, helping your compliance program stay current.
Figure 4: Example of assessment template update giving users the option to accept update
Continuous assessments: Compliance Manager scans your environment and detects your system settings, automatically updating the status of some of your technical controls. For example, if you configured multi-factor authentication in the Azure Active Directory (AAD) portal, Compliance Manager can detect the setting and reflect it in the control details. Conversely, if you haven’t enabled multi-factor authentication, Compliance Manager can flag that as a recommended action for you to take. We expect to extend this automatic-update capability to additional controls in the future. With ongoing control assessment, you can begin to proactively maintain compliance instead of reactively fixing settings after an audit.
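To make the three capabilities above concrete (a quantified score, one common control shared across assessments, and technical controls whose status is detected from tenant settings), here is an added toy model in Python. It is illustrative code written for this post, not Microsoft's implementation: the control identifiers, assessment names, point weights, tenant settings and rounding are all constructed assumptions and do not reflect how Compliance Manager actually scores or maps controls.

```python
"""Toy model of common-control mapping, continuous assessment and scoring.
Added illustration only; not Compliance Manager's own logic or data.
"""
from dataclasses import dataclass


@dataclass
class Control:
    control_id: str              # hypothetical common-control identifier
    title: str
    points: int                  # hypothetical weight, not Microsoft's scoring
    technical: bool = False      # True if a scan can set the status automatically
    setting_key: str = ""        # tenant setting the scan inspects (constructed)
    status: str = "not_implemented"
    evidence: str = ""


class ControlFramework:
    """One shared control object per ID; assessments only reference IDs,
    so implementing a control once is visible in every assessment using it."""

    def __init__(self):
        self.controls = {}       # control_id -> Control
        self.assessments = {}    # assessment name -> [control_id, ...]

    def add_control(self, control):
        self.controls[control.control_id] = control

    def add_assessment(self, name, control_ids):
        missing = [c for c in control_ids if c not in self.controls]
        if missing:
            raise KeyError(f"unknown controls: {missing}")
        self.assessments[name] = list(control_ids)

    def implement(self, control_id, evidence):
        """Manual implementation of a non-technical control with evidence."""
        control = self.controls[control_id]
        control.status = "implemented"
        control.evidence = evidence

    def scan(self, tenant_settings):
        """Continuous assessment: derive technical control status from settings.
        Returns the IDs whose status changed in this scan."""
        changed = []
        for control in self.controls.values():
            if not control.technical:
                continue
            enabled = bool(tenant_settings.get(control.setting_key, False))
            new_status = "implemented" if enabled else "not_implemented"
            if new_status != control.status:
                control.status = new_status
                control.evidence = f"detected {control.setting_key}={enabled}"
                changed.append(control.control_id)
        return changed

    def assessments_using(self, control_id):
        return [n for n, ids in self.assessments.items() if control_id in ids]

    def assessment_view(self, name):
        """(control_id, status, evidence) rows as the assessment would show them."""
        return [(cid, self.controls[cid].status, self.controls[cid].evidence)
                for cid in self.assessments[name]]

    def recommended_actions(self):
        return sorted(c.control_id for c in self.controls.values()
                      if c.status != "implemented")

    def score(self, assessment=None):
        """Percentage of points earned, overall or for one assessment."""
        ids = self.assessments[assessment] if assessment else list(self.controls)
        total = sum(self.controls[i].points for i in ids)
        earned = sum(self.controls[i].points for i in ids
                     if self.controls[i].status == "implemented")
        return round(100 * earned / total) if total else 100


def build_demo():
    """Constructed sample tenant: MFA on, DLP policy off, training done."""
    fw = ControlFramework()
    fw.add_control(Control("CC-MFA", "Require multi-factor authentication", 10,
                           technical=True, setting_key="mfa_enabled"))
    fw.add_control(Control("CC-DLP", "Configure a DLP policy", 5,
                           technical=True, setting_key="dlp_policy_configured"))
    fw.add_control(Control("CC-TRAIN", "Annual security awareness training", 3))
    fw.add_control(Control("CC-RETENTION", "Define a data retention policy", 2))
    # Two assessments sharing CC-MFA and CC-RETENTION (names are constructed).
    fw.add_assessment("Data Protection Baseline", ["CC-MFA", "CC-DLP", "CC-RETENTION"])
    fw.add_assessment("NIST 800-53 (toy)", ["CC-MFA", "CC-TRAIN", "CC-RETENTION"])
    fw.scan({"mfa_enabled": True, "dlp_policy_configured": False})
    fw.implement("CC-TRAIN", "training roster 2020-Q3 (constructed evidence)")
    return fw


if __name__ == "__main__":
    demo = build_demo()
    for name in demo.assessments:
        print(name, demo.score(name), demo.assessment_view(name))
    print("overall", demo.score(), "actions", demo.recommended_actions())
```

The point to notice is that `CC-MFA` is marked implemented once, by the scan, and both assessments immediately show the same status and evidence, which is the deduplication the control-mapping section describes; the missing DLP policy surfaces as a recommended action without anyone opening an audit spreadsheet.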
Microsoft Secure Score is designed to help security and IT professionals find opportunities to improve their security posture against threats and cyber-attacks. You can learn more about Secure Score here.
Compliance Manager is generally available to Microsoft 365 and Office 365 customers today.
If you already have a Microsoft 365 E1/E3 or Office 365 E1/E3 subscription, you can get started on your data protection journey by leveraging the default Data Protection Baseline assessment. Assessments for GDPR, ISO 27001 and NIST 800-53 are included for Microsoft 365 E5 or Office 365 E5 subscribers. If you don’t have the Microsoft 365 E5 suite, you can sign up for a trial.
To learn more about Microsoft Compliance and access technical training, visit the Virtual Hub today.
Compliance Manager is a powerful solution to help you simplify compliance and reduce risk. We look forward to hearing your feedback and stay tuned for additional innovation in Compliance Manager!
On behalf of Microsoft Compliance Manager v-Team - Thank you!
Principal PM Manager, Microsoft 365 Security, Risk, and Compliance Engineering
 Source: Gartner (Risk management market landscape web survey)