Some organizations tend to respond reactively to new regulatory requirements like the EU’s General Data Protection Regulation (GDPR), assessing each requirement periodically to remediate risks of non-compliance and avoid potential fines. However, the need to manage an exponentially growing amount of data, together with evolving data privacy regulations, imposes new responsibilities on organizations to find a proactive and effective way to protect their data.
With Compliance Manager, you can proactively perform assessments on security, compliance, and privacy controls across several regulations and standards. You can create an Assessment based on NIST CSF to help ensure you’ve implemented the appropriate cybersecurity controls for your Office 365 tenant; you can create an Assessment based on the Cloud Security Alliance’s Cloud Control Matrix (CSA CCM) to improve your cloud tenant’s security and compliance posture; and you can build an Assessment based on NIST 800-53, one of the largest and most stringent security control frameworks, to strengthen your tenant’s security controls. Compliance is not just an obligation; it’s also a proactive way to ensure better security for your data.
Compliance Manager also helps you map relevant controls across global, regional, and industry regulations and standards. For instance, after you implement and test control EKM-01 in a CSA CCM Assessment, sixteen relevant controls in other assessments such as ISO 27018 and GDPR are also marked as implemented and show the same collected evidence. Leveraging the mapping between regulations and standards, you can proactively reevaluate common controls and enhance them to the highest standard to keep up with the ever-changing compliance landscape.
Compliance Manager helps you map related controls across regulations and standards
We are thrilled to announce that Compliance Manager is now expanded to offer twelve Assessments, including standards like ISO 27001, ISO 27018, NIST 800-53, NIST CSF and CSA CCM; regional standards and regulations like the GDPR and UK NHS; and industry standards and regulations like HIPAA/HITECH, FFIEC, NIST 800-171 and FedRAMP Moderate and High. Note that coverage of regulations and standards in Compliance Manager varies by product.
By default, Compliance Manager is pre-populated with a small number of sample assessments. You can add new Assessments following these instructions.
Add an Assessment to your Compliance Manager dashboard
Lastly, to help you deploy and configure Compliance Manager in your organization, we released the Compliance Manager toolkit, which provides a 4-step approach that helps partners and organizations work together to successfully implement Compliance Manager. IT or compliance staff can use the toolkit to identify stakeholders in your organization and deploy Compliance Manager in a structured way. We also strongly encourage you to work with Microsoft partners and benefit from their in-depth product and advisory expertise. The toolkit can be downloaded at https://aka.ms/CMtoolkit.
You can learn more about Compliance Manager from this whitepaper and the product deep dive video. We hope you find this blog post helpful. Please keep giving us feedback via the Feedback button in Compliance Manager, or leave us a comment here.
Compliance Manager is a dashboard that provides the Compliance Score and a summary of your data protection and compliance stature, as well as recommendations to improve data protection and compliance. This is a recommendation; it is up to you to evaluate and validate the effectiveness of customer controls as per your regulatory environment. Recommendations from Compliance Manager and Compliance Score should not be interpreted as a guarantee of compliance.
Note that Office 365 GCC customers can access Compliance Manager; however, users should evaluate whether to use the document upload feature of Compliance Manager, as the storage for document upload is compliant with Office 365 Tier C only. Compliance Manager is not yet available in sovereign clouds including Office 365 U.S. Government Community High (GCC High), Office 365 Department of Defense (DoD), Office 365 Operated by 21Vianet, and Office 365 Germany.