Microsoft Purview is a family of solutions that help organizations govern, protect, and manage data. In this fourth installment of the Purview tools series, dive into Microsoft Compliance Manager, including tips for using it effectively to keep your organization’s data compliant and secure.
Compliance is no longer just ticking boxes. It’s transformed into an interesting challenge. Now it’s about being the guardians of sensitive information and staying ahead of regulations.
But the responsibility doesn’t stop at just following rules and regulations; it demands our constant vigilance and proactive measures.
Microsoft Purview Compliance Manager can help with your organization’s compliance efforts. From assessing data protection risks to managing controls, staying current with evolving regulations and certifications, and reporting to auditors—in this article, we’ll explore it all.
Let’s dive into how Microsoft Compliance Manager can help you thrive in the world of compliance.
What is Microsoft Purview Compliance Manager?
Microsoft Compliance Manager helps your organization track progress in reducing risks related to data protection and regulatory compliance. It’s especially important if you use Microsoft Teams to handle sensitive or regulated information.
By using Compliance Manager, you make your workspace safer and follow the necessary rules and standards. This way, you reduce the chances of losing important data when using Microsoft Teams.
Features and capabilities
I’ll guide you through some of the key features of Microsoft Compliance Manager, including:
Assessments: Microsoft Compliance Manager helps you check if your company follows important rules and regulatory requirements. You can see how well you meet standards like GDPR or HIPAA.
Compliance score: It gives you a number that shows how good your company is at following the rules. The higher the number, the better your compliance.
Automatic and manual testing: Some checks are done automatically, using data from Microsoft 365 services. Others need you to provide information or evidence yourself.
Evidence management: You can keep all the documents and proof that show your company is following the rules in one place.
Premium templates: There are ready-made templates for different rules and regulations. They make it easier to see if your company is doing everything it needs to do.
Assessments
Microsoft Compliance Manager helps your organization track progress with assessments. These assessments ensure you follow data protection rules set by compliance, security, privacy, and data protection standards and laws.
Within an assessment, Microsoft implements its own controls to protect your data, and you complete the remaining actions by following the specified Microsoft managed controls. The default assessment is based on the Microsoft data protection baseline. This baseline includes important rules for data protection and management, taken from different sources, including:
- NIST CSF (National Institute of Standards and Technology Cybersecurity Framework)
- ISO (International Organization for Standardization)
- FedRAMP (Federal Risk and Authorization Management Program)
- GDPR (General Data Protection Regulation of the European Union)
You can also create your own assessments based on other regulations. We’ll explore custom and premium assessments later. For now, let’s focus on managing and monitoring Compliance Manager from the Microsoft 365 compliance center. Keep reading!
How to manage and monitor Compliance Manager
Microsoft Purview Compliance Manager offers assessments right within the Microsoft 365 compliance center. It’s like your central hub for managing and keeping an eye on your Purview Compliance Manager solution. When you first open it in the Microsoft Purview Administration Center, you’ll see your compliance score breakdown right away. Easy peasy.
Your compliance score is calculated from two parts:
- Your part: how you’ve implemented compliance controls within Microsoft 365, that is, how effectively you use the built-in tools and features to stay compliant.
- Microsoft’s part: Microsoft implements compliance controls as the cloud service provider, ensuring its services are up to par to help you maintain compliance.
Microsoft almost always scores 100% in this area. So, you can feel confident that they have your back. This allows you to focus on your own controls specific to your organization’s needs.
If you’re curious about how to boost your Compliance score even further, click on the “Improvement actions” tab. There, you’ll find actionable steps you can take to enhance your compliance efforts.
The Improvement actions list shows the actions that are relevant to your organization. Use the menu on an action to assign the implementation to a colleague, view implementation details, and add evidence. Evidence can be detected automatically or added manually by the assigned colleague.
For actions that require manual testing, you need to update the action(s) manually by clicking on the three dots and on “Update actions.”
You can also download the action list to Excel. This allows you to update the status in the implementationStatus field manually and re-upload the Excel file.
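To make the download, edit, re-upload step less error-prone, here is an added example (not code from the article or from Microsoft) that validates status updates against an exported action list before you write the file back. It uses a constructed CSV rendering of the export; the column names other than implementationStatus, and the set of allowed status values, are assumptions to check against your own tenant’s export.

```python
import csv
import io

# Assumed set of implementation statuses, modelled on the options shown for an
# improvement action; confirm against a real export before relying on it.
ALLOWED_STATUSES = {"Not implemented", "Planned", "Implemented",
                    "Alternative implementation", "Out of scope"}

# Constructed sample of an exported action list (column names other than
# implementationStatus are assumptions for this example).
SAMPLE_EXPORT = """actionName,testingSource,implementationStatus
Enable multifactor authentication,Automatic,Implemented
Document data retention procedures,Manual,Not implemented
Train staff on data handling,Manual,Not implemented
"""


def load_actions(text):
    """Parse the exported action list into a list of row dicts."""
    return list(csv.DictReader(io.StringIO(text)))


def apply_status_updates(rows, updates):
    """Set implementationStatus for the named actions.

    Only manually tested actions are changed: automatically tested actions get
    their status from Microsoft 365 configuration data, so a manual edit there
    is pointless. Returns (rows, list of (action, reason) that were rejected).
    """
    rejected = []
    by_name = {row["actionName"]: row for row in rows}
    for name, status in updates.items():
        row = by_name.get(name)
        if row is None:
            rejected.append((name, "unknown action"))
        elif status not in ALLOWED_STATUSES:
            rejected.append((name, f"invalid status {status!r}"))
        elif row["testingSource"] != "Manual":
            rejected.append((name, "automatically tested; status is set by Compliance Manager"))
        else:
            row["implementationStatus"] = status
    return rows, rejected


def dump_actions(rows):
    """Serialize rows back to CSV text with the original column order."""
    out = io.StringIO()
    writer = csv.DictWriter(out, fieldnames=list(rows[0].keys()), lineterminator="\n")
    writer.writeheader()
    writer.writerows(rows)
    return out.getvalue()
```

The real export is an Excel workbook rather than CSV; the same validation applies if you read and write the sheet with a library such as openpyxl.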
Custom and premium assessments
Microsoft provides 368 regulations for assessment. You can also create custom assessments based on existing regulations.
Once you roll out an assessment, you can use the “Update actions” feature: add your actions to the Excel file and re-upload it. For example, my colleagues at InSpark created a custom assessment for information protection in the Dutch government sector this way.
Microsoft categorizes most of these assessments as premium templates, which means they come with a price tag. You can buy Compliance Manager premium templates if you have a subscription that includes a Microsoft Exchange Online license. They’re worth it if your organization needs to meet certain regulations. Getting a premium template means your organization gets a blueprint on how to follow a specific regulation better.
You might be thinking, “Are there any free templates that come by default?” Well, this Microsoft documentation has all the info you’re looking for!
Ensure your organization has the proper licensing for Microsoft Purview Compliance Manager
If you want to unlock Microsoft Compliance Manager, here’s the scoop: check if your organization has the right licenses. Compliance Manager is available with Office 365 and Microsoft 365 licenses. And if you’re rolling with the US Government Community Cloud (GCC), GCC High, and Department of Defense (DoD) crew, it’s all yours too. As for assessments and management capabilities, that depends on your licensing agreement.
Compliance score and automated testing
Achieving a high score and being compliant: Striving for a high score in Purview Compliance Manager is great, but it’s not a guaranteed stamp of perfect compliance. Think of it as a helpful gauge, not the whole story. It provides insights and progress tracking, but true compliance involves more than just numbers – it’s about processes, training, and adapting to changes. Purview Compliance Manager is your ally, but staying compliant requires ongoing effort and a bigger perspective.
Testing source: Compliance Manager offers options for how to test improvement actions. My suggestion? Go automated. It’s a time-saver. Automate testing and monitoring of key improvement actions, without the manual effort, allowing you to maximize efficiency in your compliance activities.
Bottom line: Regulations are continuously evolving, complex, extensive, and difficult to implement. This is a challenge for organizations that must comply with regulations. Imagine deciphering Microsoft services for compliance – not fun. Enter Microsoft Purview Compliance Manager.
Using the default assessment or acquiring additional premium templates, you review your existing configuration and receive improvement actions. Microsoft should focus on making it more user-friendly and amp up the promotion for Compliance Manager. This Purview service is and will continue to be incredibly valuable for all kinds of organizations.
Check out my related articles in this series on Microsoft Purview Information Protection, Microsoft Purview Data Loss Prevention, and Microsoft Purview Data Lifecycle Management in Teams.
Jasper Oosterveld is a Microsoft MVP and Data Security Consultant specializing in Microsoft Purview and Microsoft 365. With great passion, he inspires and helps you implement compliance, governance, and adoption within Microsoft Teams and SharePoint. Interested in learning from him? He loves to share his expertise and love for Microsoft products!