Compliance Manager is now available

Compliance Manager is a cross-Microsoft-cloud services feature designed to help organizations meet complex compliance obligations, including GDPR, ISO 27001, ISO 27018, NIST 800-53, and HIPAA. Compliance Manager is rolling out and has been moved from Public Preview to General Availability.

How to access Compliance Manager?

Users can access Compliance Manager by signing into their Office 365, Dynamics 365, or Azure user account via the Service Trust Portal. This new compliance solution is designed to help organizations meet their data protection and regulatory requirements while using Microsoft cloud services. Compliance Manager enables users to perform ongoing risk assessments, gain actionable insights to improve data protection capabilities, and simplify compliance processes through its built-in control management and audit-ready reporting tools.

Compliance Manager is now generally available for Azure, Dynamics 365, and Office 365 Business and Enterprise subscribers in public clouds. Note that Office 365 GCC customers can access Compliance Manager; however, you should evaluate whether to use the document upload feature of Compliance Manager, as the storage for document upload is currently compliant with Office 365 Tier C only.

What do I need to do to prepare for this change?

By default, everyone in your organization with an Office 365, Dynamics 365 or Azure user account has access to Compliance Manager and can perform any action in it. To change these default permissions, at least one user must be added to each Compliance Manager role (see the instructions on our support page linked from Additional Information below). After a user is added to a role, the default permissions are removed, and only users that have been added to a role will be able to access Compliance Manager and perform the actions allowed by that role.

Once you log into Compliance Manager you will see a number of assessments and what Microsoft has completed for each of them. You will also see which controls your organization is responsible for. You can export an assessment to Excel if you need to provide it to an auditor or wish to save it for retention purposes.

Once in an assessment, you can update what your organization is doing to meet the requirements of the various supported standards. This gives you the ability to track your compliance activities. Some organizations may already have GRC tracking software, but they will still find this tool useful, if for no other reason than to see the results of the Microsoft-managed controls.

If Microsoft allowed you to create an assessment for your on-premises systems, like a blank questionnaire that clients could fill in, it might be able to replace a GRC application for some companies.

When updating the Customer Managed Controls you have the ability to upload documents, look up the related controls, assign an assessor and a test date, and document the test results.

Microsoft provides you with detailed guidance for customer actions and allows you to document your control implementation details along with a test plan and any response to the assessment.

There is a Compliance Score that “is a new intelligent scoring feature that is calculated based on an analysis of industry standard control components. Compliance Manager analyzes controls for their impact to the confidentiality, availability, and integrity of protected data, as well as external drivers in order to weigh controls based on their impact.”

We think this is a great tool, especially for small to medium businesses and local governments. Most often these smaller organizations don’t have formal governance practices or the necessary skills in-house, and this tool could help them develop those processes. We also see this as a great tool for internal auditors to use, since it gives businesses a place to document their testing methods and results.