Cybersecurity remains a critical management issue in the era of digital transforming. In April, Brad Smith, President and Chief Legal Officer of Microsoft, published a blog post to discuss a Cybersecurity Tech Accord, and to reinforce the importance of supporting an open, free, and secure Internet. As Brad mentions in his post, one of the core principles of the proposed Tech Accord is to empower users, customers, and developers to strengthen cybersecurity protection.

As part of our work on this principle, we are continuing to build and enhance the Assessments available in Compliance Manager to help organizations implement and verify security controls for their Microsoft cloud tenant.


NIST CSF CSA NHS dashboard.JPGNew available Assessments in Compliance Manager

With the July release of Compliance Manager, we are announcing the availability of new and updated Assessments for Office 365 and Azure:

  • National Institute of Standards and Technology's Cybersecurity Framework (NIST CSF) for Office 365: NIST CSF is a set of standards, best practices, and recommendations that can help organizations enhance their cybersecurity at the organizational level. Organizations can follow the customer actions provided in the NIST CSF Assessment to configure and assess their Office 365 environment.
  • Cloud Security Alliance Cloud Controls Matrix (CSA CCM) for Office 365: CSA has defined the Cloud Control Matrix, which provides best practices to help ensure a more secure cloud computing environment. Potential cloud customers can use this Assessment to make informed decisions when transitioning their IT operations to the cloud. Office 365 customers can leverage the recommended customer actions to strengthen their cloud security controls.
  • UK National Health Service (NHS) for Azure: NHS in England provided a single standard that governs the collection, storage, and processing of patient data. Organizations can evaluate Microsoft’s internal controls and see how they adhere to the requirements and review their responsibilities for controls.
  • Health Insurance Portability and Accountability Act (HIPAA)/ Health Information Technology for Economic and Clinical Health (HITECH) Act for Office 365: We also added HITECH controls into the HIPAA Assessment.

You can create these new Assessments in Compliance Manager today. To learn about how to add new Assessments, please see the support documentation.


Since we released Compliance Manager in February, many companies have begun using it as part of their overall compliance process. We’d like to share one such story with you. Watch this video and see how the biggest stadium in France uses Compliance Manager to protect confidential data with Microsoft 365:



If you are not familiar with Compliance Manager, you can download this white paper to learn more. We will continue to add Assessments for Microsoft Cloud services, so keep watching the Security, Privacy, and Compliance blog.

Senior Member



I don't see the CSA or CIS controls when I log in, are they available yet?

Hi @Jeff Warren - you can follow the instruction to add CSA CCM assessment for Office 365. Let me know if you have any question! Thanks!

Regular Visitor

Thanks for the help.


Currently for O365, when for Azure?


And when will CIS be available?



Hi @jeff warren - We don't have an ETA to share for Azure or CIS assessment yet. However, we will have some new announcements early next year that might help with your needs in these areas. Stay tuned! Thank you. 

Occasional Visitor



Any update on availability of  Cloud Security Alliance Cloud Controls Matrix (CSA CCM) Assessment  for Azure?


Looks like its available for Office 365, but not yet for Azure

Senior Member


I came across this in a recent search:
and the third party product is located at:
My question is then, is the road map for MSFT CM based on an incremental release of common controls hub product
Is MSFT customising it to some extent or just filtering out non-specific MSFT content?
Wouldn't it be easier if MSFT published and maintained Microsoft specific content, made available free, and allowed the user to import into CCH and then we can choose the free or paid for CCH versions and extend to relevant frameworks?

Hi @AwieNel - we don't have an estimated time for Azure CSA CCM assessment yet, but I did send this feedback to the product team. Thank you for letting us know.


Hi @Jeff Warren - while the CCH provides the control mapping, Compliance Manager provides more than just the mapping but the detailed information of each control including how Microsoft implemented and tested controls and the recommended actions for organizations to implement their own controls. You can easily track the control progress and leverage the workflow in Compliance Manager as well. CM is our focus product to help organization to perform risk assessments on Microsoft Cloud and it's included in all commercial subscription plan, so as long as you have an AAD account, you can access it without paying additional cost. Hope this is helpful and please feel free to send me a message/email if you want to learn more information about CM vs. CCH. Thank you.