Manage your compliance requirements with Compliance Manager

Completed

Microsoft Purview Compliance Manager is a feature in the Microsoft Purview compliance portal. Its purpose is to help organizations manage their compliance requirements with greater ease and convenience. Compliance Manager can help an organization complete the following steps in its compliance journey:

  1. Take inventory of its data protection risks.
  2. Manage the complexities of implementing controls.
  3. Stay current with regulations and certifications.
  4. Report to auditors.

Compliance Manager helps simplify compliance and reduce risk by providing:

  • Prebuilt assessments for common industry and regional standards and regulations.
  • Custom assessments to meet your unique compliance needs (available assessments depend on your licensing agreement; learn more).
  • Workflow capabilities to help you efficiently complete your risk assessments through a single tool.
  • Detailed step-by-step guidance on suggested improvement actions. This instruction helps an organization comply with the standards and regulations that it finds most relevant. These instructions also show implementation details and audit results for actions that Microsoft manages.
  • A risk-based compliance score to help you understand your compliance posture by measuring your progress in completing improvement actions.

The Compliance Manager dashboard maintains these features. The dashboard:

  • Shows an organization its current compliance score.
  • Helps it see what needs attention.
  • Guides it to key improvement actions.

Understanding your compliance score

Compliance Manager awards points to an organization for completing improvement actions taken to comply with a regulation, standard, or policy. It then combines those points into an overall compliance score. Each action has a different effect on the total score, depending on the potential risks involved. The compliance score can help an organization prioritize which action to focus on to improve its overall compliance posture.

Compliance Manager determines an organization's initial score based on the Microsoft 365 data protection baseline. This baseline is a set of controls that includes key regulations and standards for data protection and general data governance.

Key elements of Compliance Manager

Compliance Manager uses several data elements to help an organization manage its compliance activities. Because Compliance Manager assigns, tests, and monitors compliance activities, it’s helpful to have a basic understanding of the key elements used in these tasks. The following sections introduce these elements.

Controls

A control is a requirement of a regulation, standard, or policy. It defines how an organization assesses and manages:

  • System configuration
  • Organizational process
  • People responsible for meeting a specific requirement in a regulation, standard, or policy

Compliance Manager tracks the following types of controls:

  • Microsoft managed controls. Controls for Microsoft cloud services, which Microsoft is responsible for implementing.
  • Your controls. Your organization implements and manages these controls. Also known as customer managed controls.
  • Shared controls. Both Microsoft and your organization manage these controls. They each share responsibility for their implementation.

Additional reading. For more information, see:

Assessments

An assessment is grouping of controls from a specific regulation, standard, or policy. Completing the actions within an assessment helps organizations meet the requirements of a standard, regulation, or law. For example, an organization may complete all the actions in an assessment that helps to bring its Microsoft 365 settings in line with ISO 27001 requirements.

Assessments have several components:

  • In-scope services. The specific set of Microsoft services applicable to the assessment.
  • Microsoft managed controls. Controls for Microsoft cloud services, which Microsoft implements on your behalf.
  • Your controls. Your organization implements and manages these controls. Also known as customer managed controls.
  • Shared controls. Both Microsoft and your organization manage these controls. They each share responsibility for their implementation.
  • Assessment score. Shows your progress in achieving the total possible points from actions within the assessment. Both Microsoft and your organization can manage these actions.

When an organization creates assessments, it must assign them to a group. An organization can configure groups in whatever way is most logical for its business. For example, an organization may group assessments by audit year, region, solution, and teams, or some other way. Once an organization creates groups, it can filter its Compliance Manager dashboard to view its score by one or more groups.

Additional reading. For more information, see Build and manage assessments in Compliance Manager.

Templates

Compliance Manager provides templates to help organizations quickly create assessments. An organization can modify these templates to create an assessment optimized for its business needs. It can also build a custom assessment by creating a template with its own controls and actions. For example, an organization may want a template to cover:

  • An internal business process control.
  • A regional data protection standard that one of Microsoft's 325+ prebuilt assessment templates doesn't cover.

Additional reading. For more information, see:

Improvement actions

Improvement actions help centralize an organization's compliance activities. Each improvement action provides recommended guidance on how the organization can align with data protection regulations and standards. You can assign improvement actions to users in the organization to perform implementation and testing work. The improvement action can also store documentation, notes, and record status updates.

Start a premium assessments trial

The Compliance Manager premium assessments trial is a great way to quickly configure assessments that are most relevant to your organization. Microsoft's library of over 300 templates map to governmental regulations and industry standards around the world. Learn more about the premium assessments trial.

An organization can start its trial directly from Compliance Manager and set up recommended assessments by following these steps:

  1. On the Compliance Manager dashboard, the Overview tab displays a notification message about the premium assessments trial. Within this notification, select Start trial. Doing so initiates a trial activation wizard. This wizard asks questions to help Microsoft recommend assessments for your organization.
  2. On the Activate trial page, select Next to begin your free 90-day premium assessments trial and continue with creating assessments.
  3. Select one or more industries that identify your organization, and then select Next.
  4. Select one or more regions for your organization's location, and then select Next.
  5. On the Choose assessments page, select the dropdown arrow next to Recommended templates to see the list of assessments that Microsoft thinks apply to your organization. Check the boxes next to the templates you want to use for creating assessments, and then select Next.
  6. Review your final selections and select Add Recommended Assessments to create your new assessments.

Settings for automated testing and user history

The Compliance Manager settings in the Microsoft Purview compliance portal allow organizations to enable and disable automatic testing of improvement actions. The settings also allow organizations to manage the data of users assigned to improvement actions, including the ability to reassign improvement actions to a different user. Only people with a Global Administrator or Compliance Manager Administrator role can access the Compliance Manager settings.

Warning

The automated testing feature isn't available to customers in GCC High and DoD environments because Secure Score isn't available in these environments. GCC High and DoD customers must manually implement and test their improvement actions.

Set up automated testing

Compliance Manager detects signals from other Microsoft Purview solutions that an organization subscribes to, including:

  • Data lifecycle management
  • Information protection
  • Microsoft Purview Data Loss Prevention
  • Communication compliance
  • Insider risk management

In each improvement action's detail page, the Testing logic field on the Testing tab shows what other solutions require for the action to pass and earn points toward the organization's compliance score.

Compliance Manager also detects signals from complementary improvement actions. Microsoft Secure Score also monitors these actions. Compliance Manager uses these signals to automatically test certain improvement actions for an organization. Doing so helps maximize efficiency in its compliance activities. When an organization successfully tests and implements an improvement action, an organization receives the full number of points. In turn, these points get credited to the organization's overall compliance score.

Microsoft 365 enables automatic testing by default for organizations new to Compliance Manager. When an organization first deploys Microsoft 365, it takes approximately seven days to fully collect data and factor it into the organization's compliance score. When an organization turns on automated testing, the system doesn't update the action’s test date, but it does update its test status. When you create new assessments, scores automatically include Microsoft control scores and Secure Score integration.

Manage automated testing settings

The Global Administrator for an organization can change the settings for automated testing at any time. They can turn off automated testing for common improvement actions. Or, they can turn it on for individual actions. Perform the following instructions to change your automated testing settings:

  1. Select Settings in the Microsoft Purview compliance portal.
  2. On the Settings page, select Compliance Manager.
  3. Select Testing source from the navigation pane.
  4. Select the applicable button to either:
    • Turn on automatic testing for all improvement actions.
    • Turn off automatic testing for all improvement actions.
    • Turn on automatic testing by individual improvement action.
  5. If you select Turn on per improvement action, a list shows all the available improvement actions to choose from. Check the box next to any action you want automatically tested.
  6. Select Save to save your settings.

Caution

Only a Global Administrator can turn on or off automatic updates for all actions. The Compliance Manager Administrator can turn on automatic updates for individual actions, but not for all actions globally.

Additional reading. For more information, see:

Manage user history

The Manage user history settings help you quickly identify which users worked with improvement actions in Compliance Manager. The identifiable user data associated with improvement actions includes:

  • Any implementation and testing work done.
  • Documents they uploaded.
  • Any notes they entered.

Understanding and retrieving this type of data may be necessary for your organization’s own compliance needs.

The user history settings also allow you to reassign all improvement actions from one user to another. Complete the following steps to find the user history settings:

  1. Select Settings in the Microsoft Purview compliance portal.
  2. On the Settings page, select Compliance Manager.
  3. Select Manage user history on the navigation pane.

The Manage user history page displays a list of all users assigned to an improvement action. The system sorts the list by email address. Use the Search button to quickly find a specific user by typing in their email address.

To the right of each user’s email address, the Select drop-down menu provides options to:

  • Export a report. You can export an Excel file containing a list of improvement actions currently assigned to a user. The report also lists any evidence files uploaded by that user. This information can help you reassign open improvement actions. The report reflects the improvement action’s status as of its creation date. It isn't a historical report of all previous changes to its status or assignment (learn how to export a report from your improvement actions page).

  • Reassign improvement actions. You can reassign improvement actions from one user to another. When you reassign an action, the document upload history doesn't change. However, the name of the user who originally uploaded the documentation no longer appears within the improvement action. When you reassign an improvement action, the system sends an email to the new assignee. The email notifies the new assignee that the assigning authority assigned them the improvement action. The email contains a direct link into the improvement action's details page.

    Warning

    If you reassign an action that has a pending update, the direct link to the action in the reassignment email breaks if the new assignee accepts the update after reassignment. You can fix this situation by reassigning the action to the user after they accept the update. Learn more about updates to improvement actions.

  • Delete history. Deleting a user’s history removes the user as an owner of improvement actions. It also removes the user's name from all other fields in Compliance Manager. When you delete a user’s history, the improvement actions they owned don't display an Assigned to value until you assign a new user to the actions. Any documents uploaded to the improvement action show User removed in place of the deleted user’s name. Deleting user history is permanent.

Knowledge check

Choose the best response for the following question.

Check your knowledge

1.

Organizations must determine their system configuration, organizational processes, and the people responsible for meeting a specific requirement of a regulation, standard, or policy. Which element of Compliance Manager defines how an organization assesses and manages these items?