Service Trust Portal – Part 2


In my last blog I provided some insights into the Microsoft Service Trust Portal and Compliance Manager. In this blog I want to dig a bit deeper into the Compliance Manager Assessments. As we know, Assessments apply to one of the Microsoft cloud services and either a standard (for example ISO-27001-2013) or a regulation (for example GDPR). The Compliance Manager dashboard shows a snapshot of all current Assessments. As you can see from the below image, a compliance score is provided against these Assessments to provide an overview of your organisation’s compliance posture.


Figure 1 – Compliance Manager Dashboard (Image Credit: Microsoft)

When you open an assessment, you are shown the Microsoft cloud services that are covered by the assessment and the Microsoft Managed Controls and Customer Managed Controls. So, what are these Managed Controls, you may ask? Good question. Microsoft uses the Managed Controls sections to provide detailed information on the standard or regulation covered by the assessment. If we look at the Assessment for the Office 365 Microsoft service and the GDPR regulation (let’s pick something making the news right now!), we can see that the controls assessed are divided into five areas. This is the same for both the Microsoft Managed Controls and the Customer Managed Controls.


Figure 2 – Compliance Manager Assessment (Image Credit: Dan Snape)

For the Microsoft Managed Controls, expanding an area shows which articles in the GDPR legislation the control applies to, how Microsoft complies with that control and information on compliance auditing, including how the control is tested, when the test occurred and who did the testing.


Figure 3 – Microsoft Managed Control (Image Credit: Dan Snape)

The Customer Managed Controls section is similar, but you need to do a lot of the heavy lifting – Microsoft doesn’t do the compliance work for you. Looking again at the Office 365 GDPR Assessment, you’ll see similar information on the control and details of the GDPR articles to which the control applies, but here you need to add the information on how your organisation implements the control and validates that implementation.


Figure 4 – Customer Managed Control (Image Credit: Dan Snape)

The Customer Actions section is where this tool is worth its weight in gold. By using plain English to describe the intent of the control and the actions your organisation needs to take, you are provided a simple set of compliance actions without having to wade through mountains of legislation or standards documentation. As you work through the Customer Managed Controls, you update the current status and implementation date, set the details of any test results and the date the tests were performed and upload any appropriate documents, increasing your organisation’s compliance score as you go. You can even assign the control to other people in your organisation so that they manage the end to end process for that control.

When the auditors, regulators, senior management, or any other risk and compliance stakeholders in your organisation come knocking on your door, Compliance Manager includes an Excel export feature that enables you to create reports on the assessment details. You can also include all the supporting documentation that has been uploaded for controls in the reports.

In summary, with the Assessments feature of Compliance Manager, you get instructions on how to go about complying with a piece of legislation or a standard, as well as a portal to track compliance, including storing any related documentation. But don’t forget the fine print: Microsoft will not legally guarantee compliance if you follow their instructions, so seek legal advice if you need to. As always, please feel free to reach out if you have any questions or need some assistance.
