We are in the middle of a digital revolution where information is a strategic asset, hybrid working is the norm and protecting your information assets is crucial to maintaining trust and meeting compliance requirements. As a result, organisations are now seeking external certifications such as ISO27001, Cyber Essentials or NIST 800-53 to manage compliance risks and to provide assurance of their overall information security and compliance posture.
Microsoft Purview Compliance Manager is a great solution to demystify the complexities of compliance by offering templates, improvements actions and risk-based reporting.
Compliance Manager was of great use when leading CloudWay through its ISO27001 certification.
Read on to see how Compliance Manager can support your compliance journey.
What is Microsoft Purview Compliance Manager?
You can manage your organisation’s compliance requirements more efficiently and conveniently with Microsoft Purview Compliance Manager. Compliance Manager includes pre-built assessment templates for global, regional and industry regulations, such as ISO 27001, GDPR, NIST 800-53 and HIPAA.
How does Microsoft Purview Compliance Manager support your compliance journey?
Compliance Manager assists you throughout your compliance journey from inception to continuous improvement by providing:
- Pre-built assessment or custom templates
- Baseline your information security risks using the compliance score
- Common control mapping across multiple regulations and assessments
- Guidance on recommended improvement actions for implementing controls
- Clear ownership of improvement actions (Microsoft managed & organisation managed)
- Risk-based scores to help prioritise your activities
- Reports and dashboards to measure your progress in completing the improvement actions
- Assignment of improvement activities to other users
- The export & import of improvement actions to work offline
- Regular updates on changes to regulations and certifications
- Reporting to auditors
- Continuous review, monitoring and maintenance of your compliance posture
- Automatic testing for some improvement actions
What are the Microsoft Purview Compliance Manager pre-built assessment templates?
Compliance Manager includes over 300 pre-built assessment templates for global, regional and industry regulations, such as ISO 27001, GDPR, NIST 800-53, and a Data Protection baseline template. View Microsoft’s complete list of assessment templates. Each Assessment contains:
- Controls: Specific requirements from the regulation, standard, or policy.
- Improvement actions: Detailed guidance on implementing the controls.
- Assessment score: Points achieved by completing actions within that Assessment.
- Ownership of actions in a shared responsibility model.
For each certification, you can select assessment templates for Microsoft 365, Azure, and Dynamics 365, or you can use the universal template that provides generic advice for use with other solutions.
How do I create an assessment from a template?
You can add assessments from the Assessment tab by clicking Add Assessment and then choosing your template. Then give it a name and decide if you want to group your assessments together or separately. Having your assessments in one group has the advantage of updating all the scores when you update a shared improvement action. However, if you have your assessments in different groups, then updating an improvement action only updates the assessments in that group.
In my scenario, I chose the ISO/IEC 27001:2013 assessment template for Microsoft 365, which includes a section on how to use Microsoft 365 solutions to implement the actions. However, when working with non-Microsoft systems, select the universal template to see the system agnostic best practice guidance on implementing the controls.
What are the Microsoft Purview Compliance Manager Controls?
Each Assessment describes the control requirements for the specific regulation, standard, or policy.
The Controls tab in the Assessment shows a graph of the implementation status of the control families.
The detailed list of controls shows:
- Status of the related controls
- Cross-reference to the related control id
- Point achieved to date
- Summary of your managed improvement actions
- Summary of Microsoft Improvement actions.
For example, the screenshot below shows the controls within the Cryptography control group.
What are ‘Microsoft actions’ and ‘Your Improvement actions’?
Microsoft 365 is a Software-as-a-Service solution that uses a shared responsibility model for security and compliance:
- Microsoft manages controls relating to physical infrastructure, security, and networking.
- You manage the controls relating to your data
- Shared responsibility for endpoint, identity and access
The Assessment contains all controls for the regulation, standard, or policy. However, Microsoft is responsible for physical infrastructure, security, and networking, so these controls are labelled as ‘Microsoft-managed’ actions. This allows you to focus on Your improvement actions and controls.
What are Improvement Actions and how are they scored?
Improvement actions provide guidance and recommendations for implementing controls.
From your Assessment, open the You improvement actions tab to see a list of improvement actions you are responsible for.
Each improvement action has a risk-based score ranging from 1 to 27 points; the higher the points, the more significant the risk. The diagram below illustrates how the risk base score is calculated.
How do I manage my Improvement Actions?
Improvement actions track your progress towards implementing the controls. This is the heart of your compliance journey, where you see each action’s current progress. Improvement actions are assigned to users in your organisation to perform implementation and testing work. You can also store documentation, notes, and record status updates within the improvement action. Each action shows
- Risk-based score
- Managed by (Microsoft or yourself0
- Implementation status
- Test status
- Information on how to implement
- For the Microsoft-specific templates, specific information on how to implement using Microsoft solutions.
- Supporting documentation
- Action assigned to
- Tested by
Some improvement actions are automatically tested. However, manually tested actions are assigned to a user and manually updated.
For stakeholders who do not have access to the Compliance Admin Center, you can export improvement actions to an Excel file to work offline. Then once the changes have been made you can upload the spreadsheet back into Compliance Manager to bulk upload the updates. See blog post for more details Do you know you can now upload your improvements actions into the Microsoft Purview Compliance Manager – Nikki Chapple.
How do I measure my Microsoft Purview Compliance Manager posture?
Compliance Manager has several dashboards where you can view your Assessment progress. The Compliance Manager Overview tab shows a summary of all your assessments. It shows:
- Compliance score across all assessments
- Your points achieved out of the total possible points
- Microsoft managed points achieved out of the total possible points
- Key improvement actions
- Solutions that affect your score
- Compliance score breakdown
The overview helps track your progress over time. The more improvement actions you implement, the higher your score becomes.
The overview is excellent if you are only working on one assessment. However, if you are working with multiple assessments and need to see progress for a specific assessment, select your assessment from the Assessment tab to view the progress page.
While working on our ISO27001 certification, I wanted to track the progress of the ISO 27001-related improvement actions and exclude any improvement actions related to the Data Protection baseline assessment. Therefore, I tracked progress via the ISO 27001 assessment rather than the Overview dashboard.
At the beginning of our ISO27001 certification process, the dashboard was helpful for baselining our compliance posture. All manually tested actions have a status of ‘None’. The automatically tested actions have one of the following statuses: in progress, passed or failed. The key improvement actions show the actions with the highest risk score. This provided a prioritised list to allow the project to ‘hit the road’ running.
Another helpful activity is to review the improvement actions and identify any actions that are out of scope of your deployment. If you mark these items as ‘out of scope’ then these are removed from the reporting and your overall score will decrease.
Review the assessment progress to track your improvements over time and to prioritise improvement actions with the highest risk score.
How can I keep track of regulation changes?
Microsoft monitors the regulations and standards for any changes that impact the improvement actions. Any changes to the improvement actions are flagged as ‘Pending update’ so you can review the changes. Microsoft also update assessments when Microsoft functionality changes.
The pending changes are visible from both the Assessment tab and the Improvement Actions tab.
In the Assessment tab, I can see which assessments have pending changes. By selecting a specific assessment, I can review the total number of changes and accept the update. If I need to keep a record of changes, I have the option to export the current and new templates.
In the Improvement actions tab, I can see all Improvement Actions with pending changes. By selecting a specific Improvement Action I have the opportunity to review the change details and accept the update.
Can I be notified when Improvement Actions are updated?
A critical aspect of any compliance certification is keeping track of progress. I can set up alert policies to send emails based on:
- score change
- assignment change
- implementation status change
- test status change
- evidence changes
Compliance Manager has a default alert policy which sends an email when there are changes in improvement action.
Using mapping software to plan long journeys to unfamiliar locations is commonplace. You enter your start and end locations and when you want to go. Then the mapping software recommends optimal routes for the different transport options and times of the day.
You decide on the route, waypoints, mode of transport and timings based on your circumstances and attitude to risk. As your journey starts, you plot your journey details in your navigation system, which creates the optimum route to your destination. The navigation system monitors the route and traffic information and provides updates to your routes if the conditions change. You do not commence your journey if you do not know the route, the distance or how long it will take.
Why would a compliance journey be any different? Your compliance journey has a start and an end and needs a ‘digital map’ to guide you to your goal. In this scenario, your ‘digital map’ is Compliance Manager.
- The destination = Compliance Manager pre-built assessment template for ISO/IEC 27001:2013
- The start = Baseline Microsoft 365 current compliance posture using the Compliance Manager ISO 27001 assessment
- The recommended routes = Compliance Manager Improvement actions
- Journey tracking = Compliance Manager Improvement Actions updates
The only difference with a compliance journey is that it never ends; it is a journey of continuous improvement that builds your maturity over time.