Explore compliance features

Microsoft Compliance Manager is a feature in the Microsoft 365 compliance center that helps users manage their organization’s compliance requirements with greater ease and convenience. Compliance Manager can help users throughout their compliance journey, from taking inventory of data protection risks to managing the complexities of implementing controls, staying current with regulations and certifications, and reporting to auditors.

Compliance Manager helps simplify compliance and reduce risk by providing:

  • Pre-built assessments for common industry and regional standards and regulations, or custom assessments to meet users' unique compliance needs (available assessments depend on licensing agreements).
  • Workflow capabilities to help users efficiently complete risk assessments through a single tool.
  • Detailed step-by-step guidance on suggested improvement actions to help users comply with the standards and regulations that are most relevant for their organization. For actions managed by Microsoft, users will see implementation details and audit results.
  • A risk-based compliance score to help users understand their compliance posture by measuring user progress in completing improvement actions.

The Compliance Manager dashboard shows the current compliance score, helps users see what needs attention, and guides them to key improvement actions. Below is an example of what the Compliance Manager dashboard looks like:

[Screenshot: a compliance score within the Compliance Manager dashboard]

Key elements: controls, assessments, templates, improvement actions

Compliance Manager uses several data elements to help users manage their compliance activities. As they use Compliance Manager to assign, test, and monitor compliance activities, it is helpful to have a basic understanding of the key elements: controls, assessments, templates, and improvement actions.

Controls

A control is a requirement of a regulation, standard, or policy. It defines how users assess and manage system configuration, organizational process, and people responsible for meeting a specific requirement of a regulation, standard, or policy.

Compliance Manager tracks the following types of controls:

  • Microsoft-managed controls: Controls for Microsoft cloud services, which Microsoft is responsible for implementing.
  • Your controls: Sometimes referred to as customer-managed controls, these are controls implemented and managed by the organization.
  • Shared controls: These are controls that both the organization and Microsoft share responsibility for implementing.

Assessments

An assessment is a grouping of controls from a specific regulation, standard, or policy. Completing the actions within an assessment helps users meet the requirements of a standard, regulation, or law. For example, an assessment might, once all of the actions within it are completed, bring Microsoft 365 settings in line with ISO 27001 requirements.

Assessments have several components:

  • In-scope services: The specific set of Microsoft services applicable to the assessment.
  • Microsoft-managed controls: Controls for Microsoft cloud services, which Microsoft implements on the user's behalf.
  • Your controls: Sometimes referred to as customer-managed controls, these are controls implemented and managed by the organization.
  • Shared controls: These are controls that both the organization and Microsoft share responsibility for implementing.
  • Assessment score: Shows the progress in achieving total possible points from actions within the assessment that are managed by the organization and by Microsoft.

When creating assessments, users will assign them to a group. Users can configure groups in whatever way is most logical for the organization. For example, users may group assessments by audit year, region, solution, teams within the organization, or some other way. Once a group is created, users can filter the Compliance Manager dashboard to view their score by one or more groups.

Templates

Compliance Manager provides templates to help users quickly create assessments. Users can modify these templates to create an assessment optimized for the organization's needs. Users can also build a custom assessment by creating a template with their own controls and actions. For example, users may want a template to cover an internal business process control or a regional data protection standard that is not covered by one of our 150+ pre-built assessment templates.

Improvement actions

Improvement actions help centralize users' compliance activities. Each improvement action provides recommended guidance intended to help users align with data protection regulations and standards. Improvement actions can be assigned to users in the organization to perform implementation and testing work. Users can also store documentation and notes, and record status updates, within the improvement action.
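To make the relationships between the key elements concrete, here is a small model of controls, assessments, improvement actions, and the group-filtered dashboard score described in the sections above. This is an added illustration, not Compliance Manager's own code or scoring rules; it assumes a simplified rule that an action earns its points once it is marked implemented, and all control IDs, point values, and assignees are constructed sample data.

```python
from dataclasses import dataclass, field
from enum import Enum

class Owner(Enum):            # the three control types the page lists
    MICROSOFT = "Microsoft-managed"
    CUSTOMER = "Your controls"
    SHARED = "Shared"

@dataclass
class ImprovementAction:      # assignable work item that carries points toward the score
    title: str
    points: int
    implemented: bool = False
    assignee: str = ""        # user in the organization assigned to do the work
    notes: list = field(default_factory=list)   # documentation and status notes

@dataclass
class Control:                # requirement of a regulation/standard, owned by one party
    control_id: str
    owner: Owner
    actions: list

@dataclass
class Assessment:             # grouping of controls for one regulation, placed in a user group
    name: str
    group: str
    in_scope_services: list
    controls: list

    def score(self, owners=tuple(Owner)):
        """(achieved, total) points, optionally restricted to some control owners.
        Assumption: an action earns its points once marked implemented."""
        acts = [a for c in self.controls if c.owner in owners for a in c.actions]
        return (sum(a.points for a in acts if a.implemented), sum(a.points for a in acts))

def dashboard_score(assessments, groups=None):
    """Compliance score in percent; 'groups' mirrors the dashboard's group filter."""
    chosen = [a for a in assessments if groups is None or a.group in groups]
    achieved = sum(a.score()[0] for a in chosen)
    total = sum(a.score()[1] for a in chosen)
    return round(100 * achieved / total, 1) if total else 0.0

def sample_assessments():
    """Constructed sample data; control IDs and point values are illustrative only."""
    iso = Assessment("ISO 27001", "FY24 audit", ["Microsoft 365"], [
        Control("CTRL-1", Owner.CUSTOMER, [ImprovementAction("Require MFA for admins", 27, True, "alice")]),
        Control("CTRL-2", Owner.SHARED, [ImprovementAction("Retain audit logs", 9)]),
        Control("CTRL-3", Owner.MICROSOFT, [ImprovementAction("Encrypt data at rest", 27, True)])])
    internal = Assessment("Internal process", "Regional", ["Exchange Online"], [
        Control("CTRL-4", Owner.CUSTOMER, [ImprovementAction("Document data handling", 5)]),
        Control("CTRL-5", Owner.SHARED, [ImprovementAction("Review retention policy", 3, True)])])
    return [iso, internal]
```

Filtering `dashboard_score` by group reproduces the dashboard behaviour of viewing the score for one audit year or region at a time, and `score(owners=(Owner.CUSTOMER,))` isolates the points the organization itself is responsible for.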