Well folks, it’s July, and I personally can’t think of any more exciting way to kick things off than a rousing discussion of Microsoft Compliance Manager!
Hello? Still there?
I’ve been a fan of Compliance Manager since it was first introduced back in 2017. In those days, it wasn’t really heavily advertised and didn’t include a huge number of assessment templates, and in many ways it was just a quick frame-up way of pre-assessing against GDPR.
But critically, it was launched with (and in) the Service Trust Portal, which is still a pretty important location for Microsoft documentation today. Did you know you can’t audit Microsoft? Well, you can’t, but they do audit themselves, and they make the results of those audits available to customers. And you can use those same documents to meet your auditor’s requirements. You can also breeze through some of their documentation on sleepless nights. It’s a great resource for insomniacs.
Compliance Manager, though, was interactive. For the tracked assessments (there were maybe 10 in the early days), you could enter details about how you’d met your requirements for individual controls, and track those actions across different templates that had the same requirements. You could then reassign the control to a tester for verification, and even upload documentation as attachments if simple text didn’t suffice. And two versions later, it still does the same thing today, but with a lot more insight.
Initially the tool had no visibility into your actual Microsoft environment, so it was reliant on an admin to say ‘yeah we’ve done that’ and an auditor to verify. Now, though, we have direct integration with Secure Score, so we can hand over the verification and testing to automation for many of the controls, greatly easing the burden of figuring out where to start and where to focus efforts. New customers and new assessments will now be automatically synced with Secure Score, though it may take up to 7 days for existing assessments to fully update after enabling automated testing.
And the tool now looks a whole lot like Secure Score, making it easy to transition between the two interfaces. We get the same Overview/Improvement Actions main tabs, with key improvement actions front and center in both. But where Secure Score is focused on actions that will improve your security posture, Compliance Manager is focused on those that meet your legal requirements. Those actions will change from one customer to the next, so the key actions are individualized to the organization and the assessments they’ve purchased and activated.
The core assessments of GDPR, ISO 27001, NIST 800-53, and the included “Data Protection Baseline” remain free, and you can modify those to include custom controls and requirements, but there are now well over 300 premium templates that are updated constantly as the laws themselves evolve.
And? AND? Compliance Manager is now available to DoD, GCC, and GCC High. Woohoo!
If you're even half as excited as I am about tracking compliance, I really hope you'll join me for our July webinar (Thursday, July 22 @ noon EDT) to explore the solution in greater depth.
You can register for it here - https://www.synergy-technical.com/events/microsoft-compliance-manager
By: Adrian Amos