In this mobile-first and cloud-first world, Microsoft is committed to building and maintaining a partnership with you to meet your security, compliance, and privacy needs. When your organization’s data was on-premises, meeting all regulatory requirements was 100 percent your responsibility. As you move your data to a Microsoft Cloud service, such as Office 365, Azure, or Dynamics 365, we partner with you to help you achieve compliance under the shared responsibility model.
To support your organization’s compliance journey when using Microsoft Cloud services, Microsoft released Compliance Manager Preview last November. Today, we are building upon this partnership by announcing that Compliance Manager is now generally available as an additional value for Azure, Dynamics 365, and Office 365 Business and Enterprise subscribers in public clouds[1].
Compliance Manager empowers your organization to manage your compliance activities from one place with three key capabilities:
- Helps you perform on-going risk assessments, now with Compliance Score
Compliance Manager is a cross-Microsoft Cloud services solution designed to help organizations meet complex compliance obligations, including the EU GDPR, ISO 27001, ISO 27018, NIST 800-53, NIST 800-171, and HIPAA[2].
It enables your organization to perform on-going risk assessments of the controls identified as Microsoft’s responsibility, by reviewing the detailed implementation and test information we publish for our internal controls. We are committed to being transparent about how we process and protect your data so that you can trust Microsoft and leverage the technology we provide.
We also provide you the information and tools to conduct a self-assessment of your own responsibilities for meeting regulatory requirements. Now with Compliance Score[3] —a new feature for Compliance Manager—you can gain visibility into your organization’s compliance posture with a risk-based score reference.
The Compliance Score is based on the operating effectiveness of internal controls managed by both Microsoft and you. Failure to implement different controls carries different levels of risk, so we assign a weight to each control based on the risk involved when you do not implement it or it fails its test. From the detailed information page of each assessment, you can find the assigned risk-based score for each control item, prioritize your tasks accordingly, and make better implementation plans based on the risk involved.
- Provides you with actionable insights, now from a certification/regulation view
One of the biggest pain points we heard from organizations is finding talent with expertise in both industry compliance and technology solutions. Most of the time, compliance personnel have in-depth knowledge of industry regulations and standards, while IT professionals have the technology tools that help the company protect data. Because there is little connection between these two areas, meeting data protection and regulatory requirements becomes a very disjointed process.
To help reduce this challenge, Compliance Manager builds the connection between data protection capabilities and regulatory requirements, so you know which technology solutions you can leverage to meet specific compliance obligations.
In response to feedback from customers, this product update re-organizes the control information from the “Microsoft control framework” view (e.g. MS-control AR-0104) to a “certification controls or regulatory article” view (e.g. ISO 27001:2013: C.5.1.a). Before, one Microsoft control corresponded to one or multiple certification controls or regulatory articles, and you needed to take many actions to implement one control. In the newly updated view, you can see customer actions for each certification or regulatory control, and the specific actions recommended for each control[4].
You still have the same experience for each control, i.e., customer actions with step-by-step guidance that walks you through implementing internal controls and developing business processes for your organization. We will keep the preview view (MS-control view) until the end of August 2018 so you can migrate your information into the new view.
- Simplifies your journey to manage compliance activities, now with the capability to create multiple assessments for each standard and regulation
According to the Thomson Reuters report Cost of Compliance 2017, 32 percent of companies spend more than 4 hours per week creating and amending audit reports. Collecting evidence and demonstrating effective control implementation for auditing activities is very time-consuming.
Compliance Manager enables you to assign, track, and record your compliance activities, so you can collaborate across teams and manage your documents for creating audit reports more easily.
By using group functionality, you can now create multiple assessments for any standard or regulation that is available to you in Compliance Manager by time, by teams, or by business units. For example, you can create a GDPR assessment for the 2018 group and another one for the 2019 group. Similarly, you can create an ISO 27001 assessment for your business units located in the U.S. and another one for your business units located in Europe. This functionality gives you a more robust way to manage compliance activities based on your organizational needs for performing risk assessments.
We are excited to launch Compliance Manager with these updates to make it a better experience for you. We’d like to hear your feedback on the product so we can keep improving functionality, adding new features, and enhancing existing ones. Sign in today using your Azure, Dynamics 365, or Office 365 account, and give us feedback via the Feedback button at the bottom right corner of Compliance Manager. You can also learn more about Compliance Manager in “Simplify your compliance journey with Service Trust Portal and Compliance Manager” and on the Compliance Manager support page.
Work with a partner who knows GDPR
Microsoft works with partners globally to address customer needs around GDPR. We have several partners today offering Microsoft-based solutions that include an overall set of controls and capabilities to help customers meet their GDPR requirements. Here’s our list of global partners we currently work with to meet the growing demand for GDPR support.
Product scope[2]
You can find the coverage of regulations and standards for each Microsoft cloud service below as of February 2018:
- Office 365: Detailed information about Microsoft’s internal controls and recommended customer actions for GDPR, ISO 27001, ISO 27018, NIST 800-53, NIST 800-171, and HIPAA
- Azure: Detailed information about Microsoft’s internal controls for ISO 27001 and ISO 27018
- Dynamics 365: Detailed information about Microsoft’s internal controls for NIST 800-53; recommended customer actions for the subset of GDPR controls managed by organizations
[1] Note that Office 365 GCC customers can access Compliance Manager; however, users should evaluate whether to use the document upload feature of Compliance Manager, as the storage for document upload is compliant with Office 365 Tier C only. Compliance Manager is not yet available in sovereign clouds including Office 365 U.S. Government Community High (GCC High), Office 365 Department of Defense (DoD), Office 365 Operated by 21 Vianet, and Office 365 Germany.
[2] Coverage of regulations and standards in Compliance Manager varies by product. We will keep adding and updating the information in the future and our goal is to provide a similar experience of using Compliance Manager for all Microsoft Cloud services.
[3] Compliance Score is only available for Office 365 currently. Our goal is to provide Compliance Score for all Microsoft Cloud services in the near future.
[4] Compliance Manager is a dashboard that provides the Compliance Score and a summary of your data protection and compliance posture, as well as recommendations to improve data protection and compliance. These are recommendations only; it is up to you to evaluate and validate the effectiveness of customer controls for your regulatory environment. Recommendations from Compliance Manager and Compliance Score should not be interpreted as a guarantee of compliance.