Microsoft Compliance Manager
Microsoft has released Compliance Manager for general availability this week. The feature was made available in Public Preview in November 2017 (see MC125028). According to Microsoft, “Compliance Manager is a cross-Microsoft-cloud services feature designed to help organizations meet complex compliance obligations, including GDPR, ISO 27001, ISO 27018, NIST 800-53, and HIPAA.”
To access the feature, you can log in to the Service Trust Portal at https://servicetrust.microsoft.com/ with your Azure, Office 365 or Dynamics 365 account.
This feature allows organizations to see Microsoft’s audit reports, track their own compliance efforts, and gain guidance on how to protect customer data. “Compliance Manager enables users to perform on-going risk assessments, gain actionable insights to improve data protection capabilities, and simplifies compliance processes through its built-in control management and audit-ready reporting tools.”
This is a great feature and important for IT governance, risk management, and compliance. These tasks have been difficult to track in the past. Microsoft has simplified them to increase organizational effectiveness for their clients. I appreciate Microsoft’s transparency in placing audit reports online for clients to access. Other cloud service providers have required me to sign an NDA before they would grant access to their reports. If you are going to use a cloud service provider, you need to know that they are addressing the risks that affect your business, and with the Service Trust Portal this task is easier.
Once you log into Compliance Manager you will see a number of assessments and what Microsoft has completed for each of them. You will also see which controls your organization is responsible for. You can export the assessment to Excel if you need to provide it to an auditor or wish to save it for retention purposes.
Once in an assessment, you can update what your organization is doing to meet the requirements of the various supported standards. This gives you the ability to track your compliance activities. Some organizations may already have GRC tracking software, but they will still find this tool useful, if for no other reason than to see the results of the Microsoft-managed controls.
If Microsoft allowed you to create an assessment for your on-premises systems, like a blank questionnaire that clients could fill in, it might be able to replace a GRC app for some companies.
When updating the Customer Managed Controls, you have the ability to upload documents, look up the related controls, assign an assessor, set a test date, and document the test results.
Microsoft provides you with detailed guidance for customer actions and allows you to document your control implementation details along with a test plan and any response to the assessment.
There is a Compliance Score that “is a new intelligent scoring feature that is calculated based on an analysis of industry standard control components. Compliance Manager analyzes controls for their impact to the confidentiality, availability, and integrity of protected data, as well as external drivers in order to weigh controls based on their impact.”
I think this is a great tool, especially for small to medium businesses and local governments. Most often these smaller organizations don’t have formal governance practices or the necessary skills in-house. This tool could help them develop those processes. I also see this as a great tool for internal auditors to use. It gives them a place to document the testing methods and results.
Aside from the Compliance Manager, the Service Trust Portal has links to the following:
Compliance Manager is not yet available in sovereign clouds including the United States Department of Defense (DoD), Office 365 Operated by 21 Vianet, and Office 365 Germany.