The Microsoft 365 Maturity Model – Governance, Risk, and Compliance Competency

Overview of the Concepts [tl;dr]

Organizations face increasing complexity and change in regulatory environments, calling for a more structured approach for managing Governance, Risk, and Compliance (GRC).

The Governance, Risk, and Compliance Competency is focused on helping an organization reduce risk and improve compliance effectiveness by implementing a framework for compliance and risk management.

Governance, Risk and Compliance framework

Definition of this competency

Governance is the system of rules, practices, and processes an organization uses to direct and control its activities. Many governance activities arise from external standards, obligations and expectations. It also provides a framework for attaining a company's objectives and encompasses most areas management, from action plans and internal controls to performance measurement and corporate disclosure.

Risk enables an organization to evaluate all relevant business and regulatory risks and controls and monitor mitigation actions in a structured manner.

Compliance refers to the country/region, state or federal laws or even multi-national regulations such as GDPR regulations that an organization must follow. These regulations define what types of data must be protected, what processes are required under the legislation, and what penalties are issued to organizations that fail to comply.

For Microsoft 365, this means implementing specific policies, operational processes, and technical controls to protect the data in Microsoft and cover some or all of using, storing, sharing, disclosing, erasing and destruction of data. The data should also be secured appropriately to guard against loss, theft and misuse.

Smaller organizations may only need to comply with the baseline general data protection rules that apply to every organization. Other organizations must comply with industry-specific and/ or country/region specific regulations which may overlap and/or conflict.

Example compliance regulations are:

• CCPA (California Consumer Privacy Act; USA)
• GDPR (General Data Protection Regulation; Europe)
• HIPAA (Health Insurance Portability and Accountability Act; USA)
• PCI DSS (Payment Card Industry Data Security Standard; international)
• SOX (Sarbanes–Oxley Act; US)

Compliance is not the same as security, but security should be considered when building your plan as effective security is frequently a compliance requirement. Compliance requires only that the legally mandated minimum standards are met whereas data security covers all the processes, procedures and technologies that define how you look after sensitive data and guard against breaches.

To address the gap between compliance and security many organizations also follow compliance and regulatory frameworks, such as COBIT, ISO 27001, or ITIL. These provide guidelines and best practices to meet regulatory requirements, improve processes, strengthen security, and achieve other business objectives (such as adopting a ‘cloud-first’ strategy).

Evolution of this competency

See the Maturity Model for Microsoft 365 - Introduction for definitions of the Maturity Model levels.

Level 100 - Initial

At level 100 maturity an organization does not believe that governance and compliance is important to its overall objectives.

Management does not consider investing in the Governance, Risk, and Compliance (GRC) related systems necessary for the overall business strategies. In addition, the organization does not assess the business impact of its vulnerabilities and it does not understand the risks involved due to these vulnerabilities.

Organizations at level 100 maturity pay little attention to compliance and are characterized by the absence of policies and procedures for information/ data compliance of governance.

The organization addresses compliance in a reactive mode — doing assessments when forced to. There is no ownership or monitoring of GRC. Management does not invest in a compliance framework, technology controls, or employee training to meet baseline standards for managing risks and remaining compliant with regulations and standards.

Initial level characteristics include:

People and Culture (100)

• The leadership team do not believe that compliance is fundamental to their overall objectives. It is a means to an end.
• Compliance obligations and risks are not understood.
• No individual or department is responsible for governance, risk and compliance, nor is it clear where these activities are taking place on a devolved basis
• Roles, training, and competencies needed for compliance are not developed. Employees are not aware of how compliance impacts their daily work.

Process (100)

• No process for keeping up with regulations that may affect their market and industry.
• GRC processes and controls are either absent or ad hoc or out of date.
• Risks assessments not undertaken.
• Compliance and governance obligations are not reviewed or monitored
• There is ad-hoc implementation and response to incidents (reactive).
• Compliance controls and evidence is ad hoc or does not exist.

Technology (100)

• No standardized storage location for documentation and supporting evidence.
• No technical controls in place to support compliance.

Impacts (100)

Due to the lack of policies, controls and user training to support information/ data compliance in Microsoft 365 the organization is at risk of:

• Overlooking changes and/or additions to existing compliance requirements.
• Employees accidentally exposing sensitive data to third parties.
• Employees stealing information of value, such as customer lists or proprietary trade secrets.
• Consequences such as data breaches, erosion of customer trust, severe fines and other penalties due to non-compliance with regulations.
• Elevated eDiscovery costs.

Level 200 - Managed

At level 200 maturity an organization tends to believe governance and compliance is a series of boxes to check.

At this maturity level organizations acknowledge compliance regulations and standards. However, organizations may take a ‘tick box’ approach to Governance, Risk and Compliance (GRC). Policies have been written, intended to avoid the damages that level 100 organizations can face, but the polices are not enforced in the organization.

Managed level characteristics include:

People and Culture (200)

• Leadership understands and accepts the importance of governance and compliance but has not driven it into the organization nor recognized it as a business enabler.
• Some policies have been written but are not enforced or comprehensively adopted.
• No formal compliance roles in place or roles have been allocated but without suitable training or assessment of competence. Governance, Risk and Compliance relies on individuals being responsible for actions and approaches in their own areas.
• No formal GRC training; communication is ad hoc or occurs in response to a GRC event. Most employees are not aware of how governance, risk and compliance impact their daily work.

Process (200)

• Governance and compliance management is local, uncoordinated or sporadic It is dependent on individual people to action and monitor.
• Processes exist but are manual and lack standardization, making it hard to measure their effectiveness, enforce them or obtain an overview of activity and status.
• Limited collaboration between compliance and operational teams. Often compliance is an afterthought.
• Response to incidents is reactive /ad hoc, lacking consistency, formality and may result in ineffective actions.
• Risk management is perceived as a process.

Technology (200)

• Storage locations for documentation and supporting evidence are inconsistent and fragmented.
• Basic technical controls may exist but may not be appropriately implemented to ensure compliance.
• There is a tendency to focus on email rather than a wider view of content and processes that need to be compliant.
• Technical controls to manage retention and deletion exist, however there are minimal processes to implement these effectively; retention and deletion is largely a manual, ad hoc activity, though there may be reminders and triggers in processes to act as prompts.

Impacts (200)

At this level you can expect the following:

• Employees see compliance as painful and "extra" to their day job.
• The organization is unaware of new and changing compliance laws and regulations so unaware of any new, increasing, or decreasing compliance risks.
• Organizations do not know what sensitive data they have, where it is, who can access it, and its risk of exposure. This makes it difficult to apply effective policies and controls to protect the most critical data assets. Organizations will retain nothing or everything ‘just in case’.
  • Information clutter and duplication degrades productivity.
  • The organization remains at risk from both deleted/lost information and from ‘over-retained’ information
• Action is only taken after a major violation or ‘near miss’ has occurred, to show they are trying to meet compliance standards. Even then, it is implemented as a tactical response to a serious problem, rather than a strategy for permanent improvement.
• Discovery exercises are costly and complex as no specialist tools are used.

Level 300 - Defined

At level 300 maturity, an organization believes compliance is essential to the business. They begin to affect a ‘top-down’ cultural change in working to incorporate governance, risk and compliance-led practices. It’s understood that it is the job of executives to enforce adoption and training among managers, and the job of managers to do so with their staff.

A baseline compliance framework is implemented with a standardized set of policies and controls.

Processes measured and controlled

Defined level characteristics include:

People and Culture (300)

• The leadership team see compliance as essential to business continuity and may value the rigor as a business improvement tool.
• Compliance roles and responsibilities are assigned to accountable individuals, who have been trained but may lack expertise and experience. They understand the importance of the role and will reach out, reactively to legal and other experts for guidance and counsel.
• Where GRC sits across multiple departments and activities in the organization individuals with those roles will coordinate their activities, possibly through a Compliance committee or similar mechanism.
• A Compliance framework, in some form, has been documented and communicated to process owners. However, the implementation decisions are left to local business and system owners so GRC initiatives are managed in silos.
• Compliance activities are frequently event driven, such as an audit or a regulatory deadline.
• Training, education, and awareness are run annually. Staff have a broad awareness of their responsibilities.
• The organization invests significant time on stakeholder education, ensuring that the new ways of working together and the value of risk and adopting compliant processes are understood. However, commitment to upholding standards varies across the organization.

Process (300)

• There are staff with a role that includes monitoring regulatory updates and translating them into new company policies. In large organizations or those in industries with strong compliance needs, example roles may include Director of Compliance, General Counsel, Senior Information Risk Officer, Data Protection Officer). In smaller organizations it is likely to sit with members of the executive team or the functional head of departments with strong compliance alignment. This is in addition to staff dedicated to security measures (for example a Chief Information Security Officer).
• The organization measures and assesses controls and activity, but largely at an individual or devolved level.
• Risk level is periodically reviewed & updated.
• Limited information and records available for audit, these are generally specific to the function rather than providing an aggregated or holistic vie.
• There is limited or misplaced confidence that all governance and compliance risks are known and managed.
• There are systems, tools and processes for managing the Governance, Risk and Compliance processes. While these vary according to the standards and requirements imposed, they may include: training and knowledge content; risk, issue and status logs; asset and impact lists; action plans; processes for reviews and updates; systematic audits and assessments, staff training and competency logs.
• Strong content management tools and processes that include effective lifecycle management are in place.

Technology (300)

• Has a central (digital) system of record for compliance. However, usage varies across the organization and local solutions may be in use.
• Software solutions are used but typically in a tactical manner, without a thought for a broader set of requirements. This results in multiple systems to manage individual governance, risk and compliance initiatives, each operating in its own silo.
• Governance, risk and compliance controls are implemented but are reliant on the user to apply the right controls to the right content.
• Technical controls to manage retention and deletion are in use and are generally effective for recognized classes of content (e.g. finance and HR files). A degree of automation supports this, reducing user burden and driving some level of consistency.
• Use of automated tagging, sensitivity labelling and policies is not broadly or well implemented, though it may be being piloted.

Impacts (300)

At this level:

• The organization starts to build a compliance culture with roles and responsibilities being defined.
• A Governance, Risk and Compliance framework, consisting of strategy, policies, processes, controls, technologies and staff competence, is implemented. However, implementation is uncoordinated and siloed
• Employees start to understand the impact of non-compliance in their job roles.
• eDiscovery investigations are still complex and costly as multiple versions of data exist
• Not all Governance, Risk and Compliance risks are addressed and there are frequently unknown risks.
• There are processes for dealing with finding, breaches and risks, however there are gaps and a tendency to be reactive.

Level 400 - Predictable

At level 400 maturity an organization’s approach to governance and compliance becomes more well defined and acts as a foundation for activity, the focus shifts from extensive written procedures to empowering individual employees to make informed decisions to reinforce the company’s compliance culture. This occurs as a by-product of establishing a culture with high compliance awareness. The Compliance framework is now tailored to include an up-to-date and accurate catalog of information and data laws, regulations, and policies by country/region and is readily accessible to all relevant employees. An overarching Governance, Risk, and Compliance process, through control, definition, enforcement, and monitoring, has the ability to coordinate and integrate these initiatives. Proactive rather than reactive

Predictable level characteristics include:

People and Culture (400)

• The leadership team sees value in continuously improving the governance, risk and compliance program. Governance, risk and compliance are factored into all business decisions and GRC is represented at board level.
• Dedicated teams and individuals are in place with clearly defined roles and responsibilities. The limits of competency are understood, with supporting metrics, and reflected in defined decision making authority for accountable individuals. Processes are in place to support GRC decision making when these limits are reached, with defined access to legal and other expert external advisors. Compliance and operations teams work in partnership to assess risk and compliance.
• Compliance workloads are reduced through standardization, process improvements and use of technology.
• Policy communications are routine and semi-automated. Most employees understand the importance of risk and compliance and their role in protecting the organization.
• Training, education, and awareness includes annual training matched to business needs. Who has been trained in what is tracked.
• Regular training needs analysis for compliance training is undertaken to identity gaps and improve content.

Process (400)

• Conversations about risks and compliance are held at all levels of the organization and compliance is embedded into business processes.
• Organization wide processes and policies are streamlined & simplified, they are reviewed and updated as needed according to an approved schedule.
• Process metrics are in place, controls monitored, and compliance is measured.
• Feedback processes are used to improve consistency.
• There are mechanisms to continuously assess compliance control and process gaps to prevent compliance failures.
• A data architecture has been implemented to govern which data is collected, how it is used, where it is stored, how long it is stored when it is destroyed
• Business continuity planning and disaster recovery plans are well developed, maintained and tested.

Technology (400)

• Productivity and analytical tools are in place to make tracking tasks, reporting and collaboration easy.
• Compliance controls are automated and tailored to different usage scenarios.
• There is a central digital system of record to manage compliance program and to store evidence.
• There is an auditable history of data activities with an understanding of how it can help support effective Governance, Risk and Compliance.
• Content can be shared across organizational boundaries enabling efficient and secure collaboration with partners, clients, and other third parties without loss of control or governance.
• Compliance specific solutions purchased to manage compliance requirements.
• Integrated dashboards, balanced scorecards etc. are available to executives and across the organization as needed.

Impacts (400)

At this level

• Everyone in the company at all levels shares accountability for following a higher standard.
• Compliance is embedded in the culture of the organization so all employees understand the importance of compliance and their role in protecting the organization. Policies are understood and the reasons behind the policies are clearly explained. Engagement is high at this level because all members of the organization are now responsible for the success of the program.
• Data investigation become simpler due to advanced tools and only the right data being retained.

Level 500 - Optimizing

At level 500 maturity, an organization believes that taking a strategic approach to governance and compliance will actively support business goals as opposed to serving merely as a function of risk mitigation.

Metrics are reviewed regularly & updated as needed; results monitored & processes continuous improvement.

Compliance is embedded in the organization and business activities are ‘compliant by design’.

Organizations at this level use technology strategically to gain operational efficiencies, greater visibility into their operations, reduce risks, and drive down compliance costs. Tools are integrated in order to monitor controls and gain insights into their governance, risk and compliance program.

Optimizing level characteristics include:

People and Culture (500)

• Leadership team sees value in achieving compliance as providing a strategic advantage to the organization.
• The dedicated compliance team now includes a focus on strategy, is future looking, proactively identifying emerging regulation and market change to understand the impact, risks and opportunities for the business; these are fed into the board as a basis for strategic decision making. Process improvement and continuous professional development for the accountable people is embedded int eh GRC and executive functions.
• Collaboration between the compliance team, security team, operations teams, and system owners to ensure systems (e.g., data storage and processing systems) are secure and compliant by design.
• Compliance workload shifts from administrative to strategic (due to automation).
• Decision-makers becoming risk seeking rather than risk adverse, knowing that they can and must manage the risks they identify.
• There is a pervasive compliance culture where all employees understand the importance of compliance and their role in protecting the organization.

Process (500)

• Compliance and risk are coordinated across upstream and downstream processes / requirements to ensure consistency.
• The organization proactively reviews and updates risk and compliance metrics to address gaps and prevent compliance failures. Results are monitored & used for continuous improvement.
• Processes and controls and reporting are automated and centralized
• Independent information security compliance standards such as ISO/IEC 27001 are used to benchmark best practice and align security and compliance.
• Metrics are used to measure and improve collaboration outcomes and these metrics are clearly connected to business strategy.
• Compliance embedded in strategic planning as well as in daily strategic and tactical decision-making.
• Business continuity planning and disaster recovery are regularly tested.
• Compliance processes and practices are externally audited.

Technology (500)

• Compliance and DLP rules are comprehensively applied and enforced.
• Controls are automated and subject to continuous improvement
• Tailored compliance controls with policy enforcement are implemented to provide different levels of protection during collaboration depending on sensitivity, risk, and environment.
• The organization invests in compliance management solutions that encompass multiple systems.

Impacts (500)

At this level, the governance, risk and compliance controls are aligned to the organizations risk appetite. Employees, managers, and executives understand their responsibility to the organization to ensure the success of the compliance program. Honesty, accountability, respect, and leadership are principles of these organizations, and transparency is a default.

Compliance maturity is benchmarked against industry best practice.

Scenarios

TBD - please submit suggestions or role plays for this

Cost & benefit

Many characteristics can be delivered using the M365 platform to develop Governance and Compliance solutions and processes, especially using SharePoint, Microsoft Teams, Power Automate etc. available with any Business or Enterprise license. The native compliance capabilities of M365, such as those in the Compliance Center, do depend on the Microsoft 365 licensing level. While there is not a direct mapping, a useful guide is provided below. Some functionality requires additional licenses.

Download the Microsoft 365 Comparison table to see which security and compliance features are available with each option.

Common toolsets

Organizations have different compliance needs depending on the national, regional and industry-specific standards they need to comply with. Microsoft 365 provides a set of integrated capabilities that you can use to help you manage end-to-end compliance scenarios. The 4 groups of compliance and risk management capabilities are listed in the following section. Capabilities that require an E5 license are marked with an asterisk (*).

Information protection

• Customer key*
• Data Loss prevention
• Data Loss prevention for Teams DLP*
• Hold your own key*
• Message encryption
• Advanced message encryption*
• Multi geo (extra)
• Sensitive information types*
• Sensitivity labels
• Sensitivity labels for automated labelling*

Information governance

• Records management*
• Retention labels
• Retention labels for automated labelling*
• Retention policies
• Retention policies for rules based policies*

Insider risk management

• Communications compliance*
• Customer lock box*
• Information barriers*
• Insider risk management*
• Privacy Management*
• Privileged access management*

eDiscovery and Audit

• Audit* for Advanced Audit
• Cloud app discovery
• Compliance Manager
• Compliance Manager custom assessments*
• eDiscovery for Advanced eDiscovery*
• Litigation hold
• Microsoft Defender for Cloud Apps (MCAS)*
• Search

The available compliance capabilities in your tenant will depend on your Microsoft 365 licensing. Some of the functionality requires additional licenses. Download the Microsoft 365 Comparison table to see what security and compliance features you have with your licensing.

Resources to learn more

• Microsoft 365 compliance documentation | Microsoft Docs
• Microsoft 365 guidance for security & compliance - Service Descriptions | Microsoft Docs
• Get started with the Microsoft Service Trust Portal - Microsoft 365 Compliance | Microsoft Docs
• Microsoft Purview compliance portal

Conclusion

Achieving compliance is not a project. It is an ongoing process that needs embedding into the culture of the organization. Regulations continually change, your environment is always changing, and the operating effectiveness of a control may break down. Regular monitoring and reporting are a must, and guidance on exactly what “regular monitoring” entails is also outlined within each framework.

---

Principal authors:

• Nikki Chapple
• Simon Hudson, MVP
• Mike Cox

---

The MM4M365 core team has evolved over time. These are the people who have been a part of it.

Core team:

• Emily Mancini, MVP, UXMC
• Marc D Anderson, MVP
• Sharon Weaver
• Simon Hudson, MVP
• Simon Doy, MVP

Emeritus:

• Sadalit (Sadie) Van Buren

---