Microsoft released Compliance Manager Preview, after initially announcing the new service during Ignite 2017 in late September. It is, for now at least, a free service for existing Office 365 customers, that aims to provide a management interface for organization’s compliance management activities.
To start uusingCompliance Manager Preview, access the service on the Service Trust portal as a Office 365 administrator.
After agreeing to the terms of usage during beta, you can take a tour of Compliance Manager or go directly to configuring the settings and viewing your compliance reports.
I chose to run the tool in one of my test tenants, before activating it in my production tenants. As such, most of the reports looks clean, as there is little data to worry about for now. Here’s the initial view in one of my test tenants.
I’m being offered a compliance overview for the ISO 27001:2013 and GDPR. The former is a well-known specification for information security management systems and General Data Protection Regulation is a data protection act within EU.
Under Action Items, I will be getting assigned tasks for actually implementing and becoming compliant with the different specifications. As the preview is still very fresh, I do not have any action items that I’ve set myself or the tool would have created.
By clicking on GDPR in Assessments, I can start drilling down to the actual compliance settings and items. There’s a total of 118 assessed controls for GDPR and about 60 percent was initially assessed in my tenants. The assessment seems to cover all major Office 365 workloads, including SharePoint Online, Exchange Online, Skype for Business, and Microsoft Teams. Even Sway and Streams are included, which I’m a bit surprised as they are often the ones to receive such functionality last.
Microsoft manages 71 controls of the 118 and as a customer, I can manage the rest.
Below is an example of a Microsoft assessed control, which passed for my Office 365 tenant.
For my tenant, I can now start assigning tasks to an assessment of the remaining controls. I started with access control, which is the first on the list.
By clicking on Assign, I can assign this control to be assessed by a user and track how the assessment is being tested within my organization.
Later, when the assigned user has performed the assessment, he or she can change the status of the custom control as implemented or something else. Finally, I can ask the user to record a test date, which will help me keep track of my assessments.
I can also include necessary and relevant documents to follow the assessment. This will inevitably help in the future, when I need to do periodic re-assessment and I can now follow the history trail for previous assessments and their justifications.
Initial use of the service seems quite straight-forward. Using the assessment list is a bit slow and opening different assessment seems to take a few extra moments to reveal the details.
As an administrator for several Office 365 tenants, I’m already seeing this as a huge and beneficial service. At the same time, I also anticipate that to walk through all the 40 something customer controls will not be a quick task but rather a separate project that draws from multiple expertizes and people within an organization. In that sense, the assessment tool is very helpful but for now, much of Compliance Manager could be done with a fancy Excel sheet. The tool still seems helpful, especially if the organization has access to Cloud App Security, a separate tool from Office 365 that provides a comprehensive list of GDPR statuses and reports from third-party cloud services.
In addition to the two existing assessments, there’s also support for ISO 27018:2014. I trust Microsoft will be adding support for additional assessments, as well as Microsoft Azure and on-premises workloads in the future too.