Describe Compliance Manager


Microsoft Purview Compliance Manager is one of the solutions available through the Microsoft Purview portal, under the Risk & Compliance set of solutions.

Microsoft Purview Compliance Manager helps you automatically assess and manage compliance across your multicloud environment. Compliance Manager can help you throughout your compliance journey, from taking inventory of your data protection risks to managing the complexities of implementing controls, staying current with regulations and certifications, and reporting to auditors.

Compliance Manager helps simplify compliance and reduce risk by providing:

  • Prebuilt assessments based on common regional and industry regulations and standards. Admins can also use custom assessments to help with compliance needs unique to the organization.
  • Workflow capabilities that enable admins to efficiently complete risk assessments for the organization.
  • Step-by-step improvement actions that admins can take to help meet regulations and standards relevant to the organization. Some actions are managed for the organization by Microsoft. Admins get implementation details and audit results for those actions.
  • Compliance score, which is a calculation that helps an organization understand its overall compliance posture by measuring how it's progressing with improvement actions.

The Compliance Manager dashboard shows the current compliance score, helps admins to see what needs attention, and guides them to key improvement actions.

Screenshot of the Compliance Manager overview page in the Microsoft Purview portal.

Compliance Manager uses several data elements to help manage compliance activities. As admins use Compliance Manager to assign, test, and monitor compliance activities, it’s helpful to have a basic understanding of the key elements: controls, assessments, regulations, and improvement actions.

Controls

A control is a requirement of a regulation, standard, or policy. It defines how to assess and manage system configuration, organizational process, and people responsible for meeting a specific requirement of a regulation, standard, or policy.

Compliance Manager tracks the following types of controls:

  • Microsoft-managed controls: controls for Microsoft cloud services, which Microsoft is responsible for implementing.
  • Your controls: sometimes referred to as customer-managed controls, these are implemented and managed by the organization.
  • Shared controls: responsibility for implementing these controls is shared by the organization and Microsoft.

Compliance Manager continuously assesses controls by scanning your Microsoft 365 environment and detecting your system settings, automatically updating your technical action status.

Assessments

An assessment is a grouping of controls from a specific regulation, standard, or policy. Completing the actions within an assessment helps to meet the requirements of a standard, regulation, or law. For example, an organization may have an assessment that, when completed, helps to bring the organization’s Microsoft 365 settings in line with ISO 27001 requirements.

An assessment consists of several components, including the services that are in scope, the Microsoft-managed controls, your controls, shared controls, and an assessment score that shows progress towards completing the actions needed for compliance.

Compliance Manager provides templates to help admins to quickly create assessments. They can modify these templates to create an assessment optimized for their needs. All of your assessments are listed on the Assessments page of Compliance Manager.

Regulations

The Regulations page in Compliance Manager displays the list of regulations and certifications for which Compliance Manager provides control-mapping templates. Compliance Manager provides over 360 regulatory templates from which you can quickly create assessments.

Improvement actions

Improvement actions help centralize compliance activities. Each improvement action provides recommended guidance that's intended to help organizations to align with data protection regulations and standards. Improvement actions can be assigned to users in the organization to do implementation and testing work. Admins can also store documentation, notes, and record status updates within the improvement action.

Benefits of Compliance Manager

Compliance Manager provides many benefits, including:

  • Translating complicated regulations, standards, company policies, or other control frameworks into simple language.
  • Providing access to a large variety of out-of-the-box assessments and custom assessments to help organizations with their unique compliance needs.
  • Mapping regulatory controls against recommended improvement actions.
  • Providing step-by-step guidance on how to implement the solutions to meet regulatory requirements.
  • Helping admins and users to prioritize actions that have the highest impact on their organizational compliance by associating a score with each action.

In summary, Compliance Manager helps organizations measure progress in completing actions that help reduce risks around data protection and regulatory standards.