Compliance Manager scoring
Recommendations from Compliance Manager should not be interpreted as a guarantee of compliance. It is up to you to evaluate and validate the effectiveness of customer controls per your regulatory environment. These services are subject to the terms and conditions in the Product Terms. See also Microsoft 365 licensing guidance for security and compliance.
If you're not an E5 customer, use the 90-day Microsoft Purview solutions trial to explore how additional Purview capabilities can help your organization manage data security and compliance needs. Start now at the Microsoft Purview compliance portal trials hub. Learn details about signing up and trial terms.
Understanding your compliance score
The Compliance Manager dashboard displays your overall compliance score. This score measures your progress in completing recommended improvement actions within controls. Your score can help you understand your current compliance posture. It can also help you prioritize actions based on their potential to reduce risk.
A score value is assigned at these levels:
Improvement action: Each action has a different impact on your score depending on the potential risk involved. See Action types and scoring below for details.
Assessment: This score is calculated using improvement action scores. Each Microsoft action and each improvement action managed by your organization is counted once, regardless of how often it's referenced in a control.
The overall compliance score is calculated using action scores, where each Microsoft action is counted once, each technical action you manage is counted once, and each non-technical action you manage is counted once per group. This logic is designed to provide the most accurate accounting of how actions are implemented and tested in your organization. You may notice that this can cause your overall compliance score to differ from the average of your assessment scores. Read more below about how actions are scored.
Initial score based on Microsoft 365 data protection baseline
Compliance Manager gives you an initial score based on the Microsoft 365 data protection baseline. This baseline is a set of controls that includes key regulations and standards for data protection and general data governance. This baseline draws elements primarily from NIST CSF (National Institute of Standards and Technology Cybersecurity Framework) and ISO (International Organization for Standardization), as well as from FedRAMP (Federal Risk and Authorization Management Program) and GDPR (General Data Protection Regulation of the European Union).
Your initial score is calculated according to the default Data Protection Baseline assessment provided to all organizations. Upon your first visit, Compliance Manager is already collecting signals from your Microsoft 365 solutions. You see at a glance how your organization is performing relative to key data protection standards and regulations, and see suggested improvement actions to take.
Because every organization has specific needs, Compliance Manager relies on you to set up and manage assessments to help minimize and mitigate risk as comprehensively as possible.
Action types and scoring
Improvement actions have points that are awarded when you complete the requirements for implementation. Your action status is updated on your dashboard within 24 hours of a change being made. Once you follow a recommendation to implement a control, you’ll typically see the control status updated the next day.
Points are awarded per action per assessment. For example, if an action is worth 10 points but it appears in two assessments, the action is worth 20 points overall for your tenant.
Actions for services supported by Microsoft Defender for Cloud
An improvement action’s overall score is based on the average of scores received by its subscriptions. Each subscription is scored based on the status of the relevant virtual resources.
For example, consider an action with two subscriptions, A and B. Subscription A has 0 out of 1 resource completed, and subscription B has 1 out of 2 resources completed. The subscription scores are: A is 0%, B is 50%. The two subscription scores are averaged to get the overall action score of 25%.
Technical and nontechnical actions
The scoring impact of technical and nontechnical actions is as follows:
Technical actions: Points are granted once per action, regardless of how many groups the action belongs to.
Nontechnical actions: Points are applied to your compliance score at a group level. This means that if an action exists in multiple groups, you receive the action’s point value each time you implement it within a group.
Example of how technical and nontechnical actions are scored:
Let's say you have a technical action worth 3 points that exists in 5 groups, and you have a nontechnical action worth 3 points that exists in the same 5 groups.
If you successfully implement the technical action, the total number of points you receive is 3. This is because you only need to implement the action once for your tenant. The implementation and test status for the technical action is the same in every instance of that action, in every group it belongs to.
If you successfully implement the nontechnical action in each of the 5 groups, the total number of points you receive is 15. This is because you need to implement the action in each group. The implementation and test status for the nontechnical action will differ across groups because the action is implemented separately within each of its groups.
This scoring logic is designed to provide the most accurate accounting of how actions are implemented and tested in your organization.
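The following Python model is an added illustration, not code from Microsoft or from Compliance Manager, of the aggregation rules described above: the subscription averaging used for Defender for Cloud actions, the once-per-tenant rule for technical actions, the once-per-group rule for nontechnical actions, and why the overall score can differ from the average of the assessment scores. The data classes, function names and the sample tenant are constructed for the example; the only fixed numbers are the ones the page gives (3 points in 5 groups, subscriptions at 0 of 1 and 1 of 2 resources).

```python
"""Toy model of Compliance Manager point aggregation (constructed example).

Rules encoded, as stated in the documentation:
  * a Defender for Cloud action's completion is the average of its
    subscription scores, each being completed resources / total resources;
  * a technical action earns its points once for the tenant, however many
    groups (assessments) reference it;
  * a nontechnical action earns its points once per group it is implemented in;
  * within a single assessment, each action it references is counted once.
"""
from __future__ import annotations
from dataclasses import dataclass, field


@dataclass
class Action:
    name: str
    points: int
    technical: bool
    groups: tuple[str, ...]                       # assessments referencing the action
    tenant_completion: float = 0.0                # technical: one value for the tenant
    group_completion: dict[str, float] = field(default_factory=dict)  # nontechnical: per group


def subscription_average(subscriptions: dict[str, tuple[int, int]]) -> float:
    """Defender for Cloud rule: average of per-subscription (done / total) scores."""
    scores = [done / total for done, total in subscriptions.values()]
    return sum(scores) / len(scores)


def action_completion(action: Action, group: str) -> float:
    """Completion fraction of an action as seen from one group."""
    if action.technical:
        return action.tenant_completion
    return action.group_completion.get(group, 0.0)


def earned_points(action: Action) -> float:
    """Tenant-level points: technical once, nontechnical once per group."""
    if action.technical:
        return action.points * action.tenant_completion
    return sum(action.points * action.group_completion.get(g, 0.0) for g in action.groups)


def possible_points(action: Action) -> int:
    return action.points if action.technical else action.points * len(action.groups)


def overall_score(actions: list[Action]) -> float:
    """Overall compliance score as earned / possible over deduplicated actions."""
    return sum(earned_points(a) for a in actions) / sum(possible_points(a) for a in actions)


def assessment_score(actions: list[Action], group: str) -> float:
    """One assessment's score: every action it references counted once."""
    in_group = [a for a in actions if group in a.groups]
    earned = sum(a.points * action_completion(a, group) for a in in_group)
    return earned / sum(a.points for a in in_group)


def average_of_assessments(actions: list[Action]) -> float:
    groups = sorted({g for a in actions for g in a.groups})
    return sum(assessment_score(actions, g) for g in groups) / len(groups)


def build_constructed_tenant() -> list[Action]:
    """Constructed sample: a shared technical action, a nontechnical action done
    in only one of its two groups, and a second nontechnical action not started."""
    return [
        Action("T", 3, True, ("G1", "G2"), tenant_completion=1.0),
        Action("N1", 3, False, ("G1", "G2"), group_completion={"G1": 1.0}),
        Action("N2", 2, False, ("G2",)),
    ]


if __name__ == "__main__":
    five = tuple(f"G{i}" for i in range(1, 6))
    tech = Action("tech", 3, True, five, tenant_completion=1.0)
    nontech = Action("nontech", 3, False, five, group_completion={g: 1.0 for g in five})
    print("technical 3 pts in 5 groups ->", earned_points(tech))        # 3
    print("nontechnical 3 pts in 5 groups ->", earned_points(nontech))  # 15
    print("subscriptions A 0/1, B 1/2 ->", subscription_average({"A": (0, 1), "B": (1, 2)}))  # 0.25
    tenant = build_constructed_tenant()
    print("overall:", overall_score(tenant), "avg of assessments:", average_of_assessments(tenant))
```

In the constructed tenant, G1 scores 100% and G2 scores 37.5%, so the average of assessment scores is 68.75%, while the overall score is 6 of 11 possible points, about 54.5%. The gap comes entirely from the deduplication rule: the technical action contributes 3 possible points once overall but 3 points to each assessment it appears in.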
How score values are determined
Actions are assigned a score value based on whether they’re mandatory or discretionary, and whether they’re preventative, detective, or corrective.
Mandatory and discretionary actions
Mandatory actions can't be bypassed, either intentionally or accidentally. An example of a mandatory action is a centrally managed password policy that sets requirements for password length, complexity, and expiration. Users must follow these requirements to access the system.
Discretionary actions rely upon users to understand and adhere to a policy. For example, a policy requiring users to lock their computer when unattended is a discretionary action because it relies on the user.
Preventative, detective, and corrective actions
Preventative actions address specific risks. For example, protecting information at rest using encryption is a preventative action against attacks and breaches. Separation of duties is a preventative action to manage conflict of interest and guard against fraud.
Detective actions actively monitor systems to identify irregular conditions or behaviors that represent risk, or that can be used to detect intrusions or breaches. Examples include auditing of system access and of privileged administrative actions. Regulatory compliance audits are a type of detective action used to find process issues.
Corrective actions keep the adverse effects of a security incident to a minimum, reduce its immediate effect, and reverse the damage where possible. Privacy incident response is a corrective action to limit damage and restore systems to an operational state after a breach.
Each action has an assigned value in Compliance Manager based on the risk it represents: