Microsoft Purview Compliance Manager is a feature in the Microsoft Purview compliance portal that helps you manage your organization’s multi-cloud compliance requirements with greater ease and convenience. Compliance Manager can help you throughout your compliance journey, from taking inventory of your data protection risks to managing the complexities of implementing controls, staying current with regulations and certifications, and reporting to auditors.
Compliance Manager helps simplify compliance and reduce risk by providing:
Pre-built assessments for common industry and regional standards and regulations, or custom assessments to meet your unique compliance needs (available assessments depend on your licensing agreement; learn more).
Workflow capabilities to help you efficiently complete your risk assessments through a single tool.
Detailed step-by-step guidance on suggested improvement actions to help you comply with the standards and regulations that are most relevant for your organization. For actions that are managed by Microsoft, you’ll see implementation details and audit results.
A risk-based compliance score to help you understand your compliance posture by measuring your progress in completing improvement actions.
The Compliance Manager overview page shows your current compliance score, helps you see what needs attention, and guides you to key improvement actions. Below is an example of the overview page:
Understanding your compliance score
Compliance Manager awards you points for completing improvement actions taken to comply with a regulation, standard, or policy, and combines those points into an overall compliance score. Each action has a different impact on your score depending on the potential risks involved. Your compliance score can help prioritize which action to focus on to improve your overall compliance posture.
Compliance Manager gives you an initial score based on the Microsoft 365 data protection baseline. This baseline is a set of controls that includes key regulations and standards for data protection and general data governance.
Key elements: controls, assessments, templates, improvement actions
Compliance Manager uses several data elements to help you manage your compliance activities. As you use Compliance Manager to assign, test, and monitor compliance activities, it’s helpful to have a basic understanding of the key elements: controls, assessments, templates, and improvement actions.
Controls
Control is a requirement of a regulation, standard, or policy. It defines how you assess and manage system configuration, organizational process, and people responsible for meeting a specific requirement of a regulation, standard, or policy.
The Compliance Manager tracks the following types of controls:
1. Microsoft managed controls: controls for Microsoft cloud services, which Microsoft is responsible for implementing
2. Your controls: sometimes referred to as customer-managed controls, these are controls implemented and managed by your organization
3. Shared controls: these are controls that both your organization and Microsoft share responsibility for implementing
Assessments
An assessment is a grouping of controls from a specific regulation, standard, or policy. Completing the actions within an assessment helps you meet the requirements of a standard, regulation, or law. For example, you may have an assessment that, when you complete all actions within it, helps to bring your Microsoft 365 settings in line with ISO 27001 requirements.
Assessments have several components:
In-scope services: the specific set of Microsoft services applicable to the assessment
Microsoft managed controls: controls for Microsoft cloud services, which Microsoft implements on your behalf
Your controls: sometimes referred to as customer-managed controls, these are controls implemented and managed by your organization
Shared controls: these are controls that both your organization and Microsoft share responsibility for implementing
Assessment score: shows your progress in achieving the total possible points from actions within the assessment that are managed by your organization and by Microsoft
When creating assessments, you’ll assign them to a group. You can configure groups in whatever way is most logical for your organization. For example, you may group assessments by audit year, region, solution, teams within your organization, or some other way. Once you create groups, you can filter your Compliance Manager dashboard to view your score by one or more groups.
Templates
Compliance Manager provides templates to help you quickly create assessments. You can modify these templates to create an assessment optimized for your needs. You can also build a custom assessment by creating a template with your controls and actions. For example, you may want a template to cover an internal business process control, or a regional data protection standard that isn’t covered by one of our 325+ pre-built assessment templates.
Improvement actions
Improvement actions help centralize your compliance activities. Each improvement action provides recommended guidance that’s intended to help you align with data protection regulations and standards. Improvement actions can be assigned to users in your organization to perform implementation and testing work. You can also store documentation, notes, and record status updates within the improvement action.
Supported languages
Compliance Manager is available in the following languages:
English
Bahasa Indonesian
Bahasa Malay
Chinese (Simplified)
Chinese (Traditional)
Czech
Danish
Dutch
Finnish
French
German
Hebrew
Hungarian
Italian
Japanese
Korean
Norwegian
Polish
Portuguese (Brazilian)
Russian
Spanish
Swedish
Thai
Turkish