Manage Your Compliance from One Place – Announcing Compliance Manager
Published Sep 25 2017 06:00 AM 121K Views

Compliance requirements can be complex to interpret, highly manual, difficult to track and act upon, and costly. Did you know that there are, on average, 201 updates per day from 750 regulatory bodies all over the world[1]? Research shows that 65% of firms ranked “design and implementation of internal processes” as the biggest hurdle of GDPR compliance[2]. We know that achieving organizational compliance can be very challenging. It is hard to stay up to date with all the regulations that matter to your organization, and to define and implement controls with limited in-house capability.

Today, we are pleased to announce a new compliance solution to help your organization to meet data protection and regulatory standards more easily when using Microsoft cloud services – Compliance Manager will enable you to manage your compliance from one place. You can sign up for the preview program today.

Compliance Manager helps you with 3 key aspects:

 

  • Enables you to perform real-time risk assessment on Microsoft cloud services 
  • Provides actionable insights to improve your data protection capabilities
  • Simplifies compliance processes through built-in control management and audit-ready reporting tools

[Figure: Compliance Manager dashboard]

Real-time Risk Assessment: Compliance Manager provides a summarized dashboard showing your compliance posture against the data protection regulatory requirements that matter to you when using Microsoft cloud services. In each control framework, you can get a compliance score that reflects your real-time compliance posture and helps you to make real-time risk assessments.

 

Actionable Insights: You can get rich insights into Microsoft's and your responsibility to meet compliance standards. For each Microsoft-managed control, you can see the control implementation and testing details, test date and results. For the controls you manage, you will receive recommended actions with step-by-step guidance for implementation and testing. This tool will help you better understand how to use the Microsoft cloud features to efficiently implement the controls managed by you.

 

[Figure: Control management tool for customer-managed controls]

Simplified Compliance: Compliance Manager also helps you to simplify your compliance process by providing the control management tool for you to assign tasks and collaborate across teams more efficiently. You can generate audit-ready reports with evidence in a few clicks, reducing the need to manually collect information across multiple teams. This tool will help compliance / security / privacy officers, and risk assessors to perform proactive pre-assessment and get ready for the audits.

 

Compliance Manager will be available for public preview in November 2017. To get notification when the public preview is available, sign up for the preview program here.

Check out this video to learn more about how Microsoft can help you with GDPR compliance.

 

***Update on Feb 22nd 2018: Compliance Manager is now generally available for Azure, Dynamics 365, and Office 365 Business and Enterprise subscribers in public clouds. Learn more about the official product launch here.***

 

Frequently Asked Questions

1. Which cloud services are covered by the Compliance Manager?

For the preview program, Compliance Manager will cover Office 365.

We aim to cover Office 365, Dynamics 365 and Azure when Compliance Manager is released. As we continue to grow our cloud services, we will expand the scope of the dashboard to include them as well. Compliance Manager will not yet be available in Microsoft's unique clouds for China, Germany and Azure Gov/GGC High and DoD.

 

2. Does showing a compliance score in Compliance Manager indicate that Microsoft is a compliance expert?

The compliance score does not express an absolute measure of how compliant you are. It expresses the extent to which you have implemented controls, which can support data protection and compliance. No service can guarantee that you will be fully compliant, and the “compliance score” should not be interpreted as a guarantee in any way.

 

3. What compliance offerings, in terms of regulations, come with the Compliance Manager?

We aim to cover the GDPR, NIST 800-53, ISO 27001, and ISO 27018 standards when Compliance Manager is released.

 

4. Will I be able to use it for on-premises services?

The current version of the dashboard will focus on tracking, implementing, and monitoring data protection and compliance on Microsoft cloud services.

 

5. How is the compliance score calculated?

The compliance score is based on the operating effectiveness of Microsoft controls and the customer controls you manage. Different controls carry different levels of risk, so we assign a weight to each control based on the level of risk that a failure of that control would create. For example, if a control around providing information security awareness training is not fulfilled, it will create a risk to your data protection and compliance goals. However, this risk is not as great as the risk created if your logical access control fails. Therefore, logical access controls carry bigger weights in the compliance score calculation than controls like security awareness training, and have a bigger impact on the score. The end goal of providing you a score is to help you with your risk management decisions.

 

6. How does the “Compliance Score” differ from “Secure Score”?

Secure score is a security analytics tool to help organizations better understand their security posture in Office 365, while the compliance score provides a broader view of an organization’s data protection and compliance posture in the Microsoft cloud services: Azure, Dynamics 365, and Office 365. The two scores are related in that the compliance score is calculated across a large superset of data protection and compliance controls, whereas secure score is focused on a subset of configurable security controls.

 

7. Does a high or perfect score mean that I am fully compliant?

The score does not express an absolute measure of how compliant you are. It helps you understand whether you have successfully implemented your controls and if Microsoft controls are compliant. Beyond Microsoft-managed controls’ contribution to the score, a high score indicates that you have implemented more controls and that you have ascertained that the implementation is successful. This supports your goal towards being on track to be compliant.

 

8. If there are changes in regulations and / or regulation requirements, do I get an alert and is it reflected in my score?

If any changes in regulations necessitate changes to the controls that support those regulations, we will update those controls and send you a notification if you have subscribed to alerts for Compliance Manager. Any changes in the status of Microsoft-managed controls will be reflected in your overall compliance score within 24 hours. Any changes in the status of controls managed by you will be reflected in real time in your overall compliance score.

 

9. How do I get the Compliance Manager preview?

Microsoft 365, Azure, and Dynamics 365 users (including trial users) will have access to the public preview version in November 2017. To get a notification when it's available, you can sign up for the preview program here.

 

10. How much does it cost?

As of now, the Compliance Manager preview version itself will be free for Microsoft 365, Azure, and Dynamics 365 users. We are still assessing the nature of the final licensing and will provide more information closer to general availability in 2018.

 

*Compliance Manager Preview is a dashboard that provides a summary of your data protection and compliance stature and recommendations to improve data protection and compliance. This is a recommendation; it is up to you to evaluate its effectiveness in your regulatory environment prior to implementation. Recommendations from Compliance Manager Preview should not be interpreted as a guarantee of compliance.

 

[1] Thomson Reuters – Cost of Compliance 2017

[2] http://resources.compuware.com/research-improved-gdpr-readiness-businesses-still-at-risk-of-non-complian...

 

 

20 Comments
Copper Contributor

Hello,

 

Can I activate this preview feature on my Tenant from demos.microsoft.com so I can evaluate its benefits?

 

From the description above I believe this could be a very interesting tool to position at customers.

 

Thanks in advance

Hi Pedro,

 

We will release the public preview version on Nov 16th 2017, and you will be able to access it and evaluate it before GA next year.

We currently are still working on developing the product for preview, so there is no demo available yet, but will definitely share more information when it's close to the release date.

 

Thanks,

Tina

Copper Contributor

Hi Tina,

 

I was wondering whether the scores are calculated automatically by the tool accessing information from the cloud services that a company uses or is this report a self-servicing one? If it's an automatically generated report, are there parts where self-servicing is enabled?

Thank you for your answer in advance!

Great news! Awaiting the preview!

Hi Nora,

For the first version of GA release next year, it will still be self-serving. Once you implement the control and mark the test result "passed", your compliance score will reflect this change. We will consider the automation in our future roadmap.

 

Hi Nuno,

Thank you for the support! Please remember to sign up for the preview program, we will send out an email to notify you when it's available.

 

Copper Contributor

Hi Tina

Several clients are requesting this kind of portal for the control of compliance with all the compliance. FY18 is a critical year because of the many regulations that are going to have to be met.

With your permission I will start talking about Compliance Manager in my GDPR talks since it is an incentive to start generating a real demand on compliance compliance.

It is great news that Microsoft is striving to provide solutions to this part of digital transformation.

I look forward to the next news.

Hi Rafael,

 

It's great to hear the excitement about the product. I will share more information about demoing the product after the preview program goes live next week. Thank you for the support!

Copper Contributor

Hi Tina,

 

I tried to register for the Preview Program of Compliance Manager but did not receive any confirmation email.  Not sure why this should happen but I tried through a different email ID as well.  Is there any other channel through which I can sign up for the Preview Program?

 

Thanks,

Sohit

Hi Sohit,

 

I just checked the sign-up list, and your name is there (we found both emails)! We will send you a notification email on 11/16 to inform you how you can access Compliance Manager.

 

Thanks,

Tina

Copper Contributor

This looks very interesting. I will be talking about it in a webinar I'm presenting today to draw attention to it. As per the comment from Rafael, 2018 is a key year for compliance legislation so I'm looking forward to this going GA.

Copper Contributor

You can give us the URL of the webinar. It would be fantastic to be able to see your perspective on compliance.

Waiting for tomorrow to start looking at this great portal :)

Copper Contributor

Tina - Just to let you know that I registered and did get an email, so it is working. Looking forward to the preview. 

 

@Rafael Ansino Lara - thanks - I'll put the URL here when the recording is available. It's majored on addressing GDPR compliance by targeting PST files using one of our products and I mention Compliance Manager in a sentence about tools that Microsoft provides to help organisations manage their path to compliance. You're very welcome to watch and spread the good word!!!

Copper Contributor

Thank you so much, Tina !

Copper Contributor

Hi Tina,

Thanks for sharing the update on progress for the IT compliance manager, which seems to be quick and easy to use :)

During the work we have done with compliance management in different organizations we have seen that it quickly gets complicated because of the scope beyond IT and system specific controls sets.

There are often more regulations and governance frameworks for industry and region specific legislation to manage including cross dependencies (as mentioned in some of the above comments 2018 will have a lot of regulation).

Other dimensions include policies and procedures and even downstream management of changes to systems, product requirements, data or processes that stem from regulation changes - not an easy undertaking!

I would be interested in hearing your thoughts in regards to how the compliance manager fits in with the wider compliance universe?

On the RequirementONE team we have put considerable effort into solving the above headaches on our SaaS compliance platform (deployed in Azure). We have found that it is absolutely key to have an agnostic approach (template driven) that is easy to tweak and with easy integrations. Regarding integrations, it would be interesting to understand if you would be able to deliver the updates you make to the Microsoft Controls for the different frameworks via, for example, Microsoft Flow? Otherwise it would be great to get a sample of what your email updates look like to evaluate what is possible to parse.

Thanks for making an effort to address the compliance headaches that so many organizations are facing!

Kind regards,
- martin

@Rafael Ansino Lara the URL for the webcast is: https://info.microsoft.com/ThrivingInTheGDPRera-OnDemandRegistration.html

Sorry to inform you late.

 

@Martin Gorm Pedersen Thank you for the comment! We are still working on adding more features for Compliance Manager to help organizations to manage their compliance activities more easily in this complex compliance landscape. We will keep sharing information of the upcoming new features this year. Stay tuned! Your suggestion of leveraging Microsoft Flow is really great. We will work with our product development team to evaluate this suggestion. 

Copper Contributor

Is this project still active? If so, is there an updated GA estimate? Also, are there any plans to include NIST 800-53 controls?

@Clay Hagler, yes we will have the product GA in spring, and for Office 365, we will include NIST 800-53 controls. Thanks for asking!

Copper Contributor

Hi Tina,

When you first log into compliance manager, several assessments seem to get started automatically.

These are assessments only correct? No actions are automatically initiated, correct?

Can you confirm that there is no impact?

 

Patrick Fryer

Hi @Patrick F, yes you are correct. The default ones are assessment tiles that enable you to get the information you need to perform assessment, but there is no action taken from Compliance Manager. We only provide you information about how Microsoft manages internal controls, and what are some solutions you can use to manage the controls that are under your responsibilities. It's self-service assessment that no actions are automatically initiated.

 

Please feel free to email me if you have any other questions - juying@microsoft.com

 

Thank you!

Tina


 


Version history
Last update: May 11 2021 01:55 PM