In this Ask the Admin, I’ll look at how Microsoft’s new service can help organizations meet compliance requirements.
Earlier this week, I attended an event hosted by Microsoft announcing its new Compliance Manager for Microsoft 365. While the presentation was geared towards Microsoft 365’s unique approach to GDPR, the EU General Data Protection Regulation that comes into force on May 25th next year, Compliance Manager will be made available to all customers of Microsoft’s cloud services.
Microsoft views GDPR as a way to drive digital transformation and has responded by creating Compliance Manager to help organizations in that process. EU GDPR differs from current legislation in that what matters is the location of the data subject: organizations must comply even if the data controller and processor are located outside the EU. Because of the pending new legislation, Microsoft has updated Office 365 to comply. As part of that effort, Compliance Manager passes on Microsoft’s knowledge about GDPR, and other standards and regulations, to customers to help them achieve compliance.
For more detailed information on GDPR, see What You Need to Know About the EU General Data Protection Regulation on Petri.
Microsoft 365 fits into the picture by providing end-to-end data governance and protection of sensitive data, not just on Microsoft’s servers in the cloud but also on end-user devices and on-premises servers. This is the part that Office 365 alone cannot provide: Microsoft 365 Enterprise brings together Office 365, Windows 10 Enterprise, and the Enterprise Mobility + Security suite.
Aidan Finn provides a good summary of Microsoft 365 in Understanding Microsoft 365 on Petri.
Like Office 365 Secure Score, Compliance Manager provides a score that shows compliance posture by looking at over a thousand controls in Microsoft’s services. Compliance Manager analyzes the organization’s environment, gives it a score, and then recommends how to remediate any highlighted issues. In addition to Microsoft’s out-of-the-box controls, organizations can also add their own.
Compliance Manager’s dashboard shows your compliance scores for selected regulations and standards. You can drill down to get detailed information on controls, their status, and how to remediate any issues. Audit-ready reports provide evidence that controls have been implemented, alleviating the need to collect information from different systems.
Each technical control provided by Microsoft is mapped to a certification control for the selected regulation, like GDPR. Information is provided about whether the control is implemented, when it was last tested, and by whom. You can assign controls that need to be implemented to a member of IT staff, set a priority, and optionally send a notification by email.
Compliance Manager is a simple tool, but it looks like it will be valuable for organizations trying to manage the compliance minefield. And not just those struggling with GDPR: Microsoft is aiming to provide support for NIST 800-53, ISO 27001, and ISO 27018 when the tool reaches general availability. But there’s no magic bullet when it comes to compliance. As Microsoft points out, no tool can guarantee one hundred percent compliance. But Compliance Manager can help make the process of achieving compliance easier.
Compliance Manager preview was released November 16th. For more detailed technical information about Compliance Manager and to sign up for the preview program, see Microsoft’s website here.