Using Compliance Manager to strengthen your Office 365 tenant data protection and compliance

Apr 23, 2018 | Collaboration

Corporate compliance has become complex and is continually evolving; it can seem to have a life of its own. Compliance Manager helps rein it in by providing a unified, centralized source of information about your compliance posture, which you can then use to meet your compliance obligations in line with Microsoft recommendations and industry standards.

So what is it really? Compliance Manager is a dashboard that summarizes your data protection and compliance status and recommends actions to improve it. Note that these are only recommendations: it is up to you to evaluate their effectiveness in your own regulatory environment before implementing them. Recommendations from Compliance Manager should not be interpreted as a guarantee of compliance.

The core component of Compliance Manager is an Assessment. An Assessment pairs a Microsoft cloud service (such as Office 365, Azure, or Microsoft Dynamics) with a certification standard or data protection regulation (such as ISO 27001:2013 or GDPR). Assessments help you gauge your organization’s data protection and compliance posture against the selected standard for the selected Microsoft cloud service.

Key Features

Compliance Manager helps you through 3 key features. It:

  • Enables you to perform real-time risk assessments on Microsoft cloud services
    • Compliance Manager provides a summarized dashboard showing your compliance posture against the data protection regulatory requirements that matter to you when using Microsoft cloud services. In each control framework, you can get a compliance score that reflects your real-time compliance posture and helps you to make real-time risk assessments.
  • Provides actionable insights to improve your data protection capabilities
    • You can obtain rich insights into Microsoft’s and your responsibility to meet compliance standards. For each Microsoft-managed control, you can see the control implementation and testing details, test date, and results. For the controls you manage, you will receive recommended actions with step-by-step guidance for implementation and testing. This tool will help you better understand how to use the Microsoft cloud features to efficiently implement the controls managed by you.
  • Simplifies compliance processes through built-in control management and audit-ready reporting tools
    • Compliance Manager simplifies your compliance process by providing a control management tool for assigning tasks and collaborating across teams. You can generate audit-ready reports with evidence in a few clicks, reducing the need to collect information manually from multiple teams. This helps compliance, security and privacy officers, and risk assessors, perform proactive pre-assessments and get ready for audits.

There are additional features of Compliance Manager that are worth noting as well:

  • You can access Compliance Manager, like other Office 365 service management portals, from any browser; it is hosted in the Service Trust Portal.

  • The following Assessments are enabled by default:
    • Office 365 and GDPR (EU data protection regulation)
    • Office 365 and ISO 27001:2013 (information security standard)
    • Office 365 and ISO 27018:2014 (protection of personally identifiable information, PII, in public clouds)
    • Azure and ISO 27001:2013
    • Azure and ISO 27018:2014
    • HIPAA
    • NIST 800-53
    • NIST 800-171

The Compliance Manager dashboard shows a Compliance Score for each Assessment. The score helps you track progress over time and prioritize the controls that will most reduce your organization’s exposure to risk. You can also add Assessments for further frameworks beyond the defaults.

  • Comprehensive descriptions for each recommended control action, including the list of Office 365 services to which the control applies.

  • Role-Based Access Control (RBAC) assignment for the targeted user

NOTE: By default, everyone in your organization with an Office 365 or Azure AD account has access to Compliance Manager and can perform any action in it, including editing control assignments and the evidence repository. Restricting this with role assignments is a sensible first step before you start uploading audit evidence. Roles are delegated as follows:

  • In the Service Trust Portal, click Settings. In the Select Role drop-down list, click the role you want to add users to, click +Add, add the user to the role, and then click Save.
  • Once a task and a role are assigned, the user sees the control in their Action Items and can review and comment on it.

  • Compliance Manager also provides a secure documentation repository where you can upload and manage evidence and other artifacts related to your compliance activities. It also provides richly detailed reports in Microsoft Excel that document the compliance activities performed by Microsoft and your organization.  These can then be provided to auditors, regulators, and other compliance stakeholders.
  • Customer Managed Controls: the controls your organization is responsible for implementing and testing, each with its own recommended actions and guidance.

Sound enticing? Need more information? Email us; we are happy to help. Thanks for reading and good luck!