Compliance Manager templates list

In this article: View the comprehensive list of templates available for creating assessments in Compliance Manager.

Important

The assessment templates that are available to your organization depend on your licensing agreement. Review the details.

Overview

Microsoft Compliance Manager provides a comprehensive set of templates for creating assessments. These templates can help your organization comply with national, regional, and industry-specific requirements governing the collection and use of data.

Templates are added to Compliance Manager as new laws and regulations are enacted. Compliance Manager also updates its templates when the underlying laws or regulations change. Learn more about how to review and accept updates.

List of templates and where to find them

Below is the complete list of templates in Compliance Manager. The links in the template names below take you to related documentation about that standard, regulation, or law.

Where to find your templates

To review the templates available to your organization, go to your Assessment templates page. Learn more about how to view and manage your templates.

Included templates

One or more of these templates will be available based on your licensing agreement. The Data Protection Baseline template is included for all users.

Note

For US Government Community (GCC) Moderate, GCC High, and Department of Defense (DoD) customers: the Cybersecurity Maturity Model Certification (CMMC) Levels 1 through 5 templates are included, in addition to the templates listed above.

Premium templates

These templates may be purchased by your organization.

Global

  • Guidelines and Functional Requirements for Electronic Records Management Systems (ICA Module 2) (Microsoft 365)
  • ISO 15489-1:2016 (Microsoft 365)
  • ISO 16175-1:2020 (Microsoft 365)
  • ISO 19791 - Information technology — Security techniques — Security assessment of operational systems (Microsoft 365)
  • ISO 22301:2019 (Microsoft 365)
  • ISO 23081-1:2017 (Microsoft 365)
  • ISO 27005:2018 (Microsoft 365)
  • ISO 27017:2015 (Microsoft 365)
  • ISO 27034-1 Information technology — Security techniques — Application security (Microsoft 365)
  • ISO 27799: 2016, Health informatics — Information security management in health (Microsoft 365)
  • ISO 28000 – Specifications for Security Management Systems for the Supply Chain (Microsoft 365)
  • ISO 31000:2018 (Microsoft 365)
  • ISO 55001 – Asset management -- Management systems--Requirements (Microsoft 365)
  • ISO IEC 80001-1:2010 (Microsoft 365)
  • ISO/IEC 27001:2013
  • ISO/IEC 27018:2019 (Microsoft 365)
  • ISO/IEC 27033-1:2015 (Microsoft 365)
  • ISO/IEC 27701:2019 (Microsoft 365)
  • System and Organization Controls (SOC) 1
  • System and Organization Controls (SOC) 2

Industry

US Government

  • Appendix III to OMB Circular No. A-130 - Security of Federal Automated Information Resources
  • CFR - Code of Federal Regulations Title 21, Part 11, Electronic Records, Electronic Signatures (Microsoft 365)
  • Children's Online Privacy Protection Rule (COPPA) (Microsoft 365)
  • CMMC Level 1, Level 2, Level 3, Level 4, Level 5 (Microsoft 365)
  • CMS Information Systems Security and Privacy Policy (IS2P2) (Microsoft 365)
  • Computer Fraud and Abuse Act (CFAA) (Microsoft 365)
  • Content of Premarket Submissions for Management of Cybersecurity in Medical Devices (Microsoft 365)
  • Criminal Justice Information Services (CJIS) Security Policy (Microsoft 365)
  • Cybersecurity for Networked Medical Devices Containing Off-the-Shelf (OTS) Software - FDA (Microsoft 365)
  • Cybersecurity Maturity Model Certification (CMMC) Levels 1 through 5 (Microsoft 365)
  • DFARS (Microsoft 365)
  • e-CFR - Identity Theft Rules (Microsoft 365)
  • Electronic Code of Federal Regulations - Part 748.0 and Appendix A (Microsoft 365)
  • FDIC Privacy Rules (Microsoft 365)
  • Federal Financial Institutions Examination Council (FFIEC) Information Security Booklet (Microsoft 365, Intune)
  • FedRAMP Moderate (Microsoft 365)
  • FedRAMP SSP High Baseline (Microsoft 365)
  • Freedom of Information Act (FOIA) (Microsoft 365)
  • FTC Privacy of Consumer Financial Information (Microsoft 365)
  • Gramm-Leach-Bliley Act, Title V, Subtitle A, Financial Privacy (Microsoft 365)
  • HIPAA/HITECH (Microsoft 365, Intune)
  • HITRUST (Microsoft 365)
  • Homeland Security Presidential Directive 7: Critical Infrastructure Identification, Prioritization, and Protection (Microsoft 365)
  • IRS - Revenue Procedure 98-25 Automated Records (Microsoft 365)
  • IRS-P1075 (Microsoft 365)
  • Minimum Acceptable Risk Standards for Exchanges (MARS-E) 2.0 (Microsoft 365)
  • National Archives Universal Electronic Records Management (ERM) Requirements (Microsoft 365)
  • NIST 800-37 (Microsoft 365)
  • NIST 800-53 rev.5 (Microsoft 365)
  • NIST 800-63 Digital Identity Guidelines (Microsoft 365)
  • NIST 800-78-4: Cryptographic Algorithms and Key Sizes for Personal Identity Verification (Microsoft 365)
  • NIST 800-137A -- Assessing Information Security Continuous Monitoring (ISCM) Programs (Microsoft 365)
  • NIST 800-171 (Microsoft 365)
  • NIST 800-184: Guide for Cybersecurity Event Recovery (Microsoft 365)
  • NIST CSF (Microsoft 365)
  • NIST Privacy Framework
  • NIST SP 1800-5 IT Asset Management (Microsoft 365)
  • NIST Special Publication 1800-1 Securing Electronic Health Records on Mobile Devices (Microsoft 365)
  • NIST Special Publication 800-128 (Microsoft 365)
  • NIST Special Publication 800-210: General Access Control Guidance for Cloud Systems (Microsoft 365)
  • Sarbanes-Oxley Act
  • SEC 17-4(a) (Microsoft 365)
  • United States of America Privacy Act (Microsoft 365)
  • US - Clarifying Lawful Overseas Use of Data (CLOUD) Act (Microsoft 365)
  • US - Commission Statement and Guidance on Public Company Cybersecurity Disclosures (Microsoft 365)
  • US - Department of Energy (DOE) Assistance to Foreign Atomic Energy Activities (Microsoft 365)
  • US - Family Educational Rights and Privacy Act (FERPA)
  • US - Federal Information Security Modernization Act of 2014 (FISMA) (Microsoft 365)
  • US - Protecting and Securing Chemical Facilities From Terrorist Attacks Act (Microsoft 365)

US States and Territories

  • Alabama - Policy 621: Data Breach Notification - DRAFT (Microsoft 365)
  • Alaska - Chapter 48 - Personal Information Protection Act (Microsoft 365)
  • Arizona - Notification of Breaches in Security Systems (Microsoft 365)
  • Arkansas Code Title 4, Subtitle 7, Chapter 110, Personal Information Protection Act (Microsoft 365)
  • California - Civil Code Section 1798
  • California - Database Breach Act (California SB 1386)
  • California - Education Code-EDC, Title 3, Division 14, Part 65, Chapter 2.5- Social Media Privacy
  • California - Privacy Rights Act (CPRA) (Microsoft 365)
  • California - SB-327 Information Privacy: Connected Devices (Microsoft 365)
  • California Consumer Credit Reporting Agencies Act (Microsoft 365)
  • California Consumer Privacy Act (CCPA) (Microsoft 365)
  • Colorado Protections for Consumer Data Privacy (Microsoft 365)
  • Colorado Revised Statutes, Section 6-1-716, Notice of Security Breach (Microsoft 365)
  • Connecticut - Display and Use of Social Security Numbers and Personal Information (Microsoft 365)
  • Connecticut General Statutes - General Provisions for state contractors who receive confidential information (Microsoft 365)
  • Connecticut Information Security Program to Safeguard Personal Information (Microsoft 365)
  • Connecticut State Law - Breach of security re computerized data containing personal information (Microsoft 365)
  • D.C. Law 16-237 - Consumer Personal Information Security Breach Notification Act (Microsoft 365)
  • Delaware - Student Data Privacy Protection Act (Microsoft 365)
  • Delaware Computer Security Breaches- Commerce and Trade Subtitle II - 12B-100 to 12B-104
  • Florida Title XXXII, Chapter 501, Section 501.171, Security of confidential personal information (Microsoft 365)
  • Georgia (US) Personal Identity Protection Act (Microsoft 365)
  • Guam's Notification of Breaches of Personal Information (Microsoft 365)
  • Hawaii - Security Breach of Personal Information Chapter 487N
  • Idaho Identity Theft (Microsoft 365)
  • Illinois (740 ILCS 14/1) Biometric Information Privacy Act (Microsoft 365)
  • Illinois Personal Information Protection Act (Microsoft 365)
  • Indiana Disclosure of Security Breach (Microsoft 365)
  • Iowa - Student Personal Information Protection Act (Microsoft 365)
  • Iowa Code. Title XVI. Chapter 715C. Personal Information Security Breach Protection (Microsoft 365)
  • Kansas Consumer Information, Security Breach Statute (Microsoft 365)
  • Kentucky Data Breach Notification (Microsoft 365)
  • Louisiana Database Security Breach Notification Law (Act No. 382) (Microsoft 365)
  • Maine - Act to Protect the Privacy of Online Consumer Information
  • Maine - Notice of Risk to Personal Data (Microsoft 365)
  • Code of Maryland State Government - Protection of Information by Government Agencies (Microsoft 365)
  • Maryland Personal Information Protection Act - Security Breach Notification Requirements, HB 1154 (Microsoft 365)
  • Maryland's Student Data Privacy Act (Microsoft 365)
  • Massachusetts - 201 CMR 17.00: Standards For The Protection Of Personal Information Of Residents Of The Commonwealth
  • Massachusetts Data Breach Notification Law 93H section 1-6 (Microsoft 365)
  • Michigan Identity Theft Protection Act (Microsoft 365)
  • Mississippi Security Breach Notification (Microsoft 365)
  • Montana - Impediment of Identity Theft (Microsoft 365)
  • Nebraska's Data Protection and Consumer Notification of Data Security Breach Act (Microsoft 365)
  • Nevada Chapter 603A - Security and Privacy of Personal Information (Microsoft 365)
  • Nevada Senate Bill 220 Online Privacy Law (Microsoft 365)
  • New Hampshire Right to Privacy Act (Microsoft 365)
  • New Jersey Security Breach Disclosure (Microsoft 365)
  • New Mexico Chapter 57 - Privacy Protection (Article 57-12B-1 through 4) (Microsoft 365)
  • New Mexico Consumer Information Privacy Act (Microsoft 365)
  • New Mexico's Data Breach Notification Act (Microsoft 365)
  • New York - 23 NYCRR Part 500 (Microsoft 365)
  • New York City Administrative Code - Security Breach Notification (Microsoft 365)
  • New York General Business Law - Data Security Breach Notification and Data Security Protections (Microsoft 365)
  • New York Privacy Act - DRAFT (Microsoft 365)
  • North Carolina - Identity Theft Protection Act (Microsoft 365)
  • North Dakota Chapter 51-30 Notice of Security Breach for Personal Information (Microsoft 365)
  • Ohio - Security Breach Notification (Microsoft 365)
  • Ohio Data Protection Act 2018 (Microsoft 365)
  • Oklahoma Security Breach Notification Act (Microsoft 365)
  • Oregon Consumer Identity Theft Information Protection Act (Microsoft 365)
  • Pennsylvania Breach of Personal Information Notification Act (Microsoft 365)
  • Puerto Rico - Citizen Information on Data Banks Security Act (Microsoft 365)
  • Rhode Island - Identity Theft Protection Act (Microsoft 365)
  • South Carolina - Breach Notification (Microsoft 365)
  • South Dakota - Notice of Breach (Microsoft 365)
  • Tennessee 47-18-2107 Release of Personal Consumer Information (Microsoft 365)
  • Texas - Identity Theft Enforcement and Protection Act (Microsoft 365)
  • Texas Privacy Policy to Protect Social Security Numbers (Microsoft 365)
  • Utah Consumer Credit Protection Act (Microsoft 365)
  • Utah Electronic Information or Data Privacy (Microsoft 365)
  • Vermont - Act on Data Privacy and Consumer Protection (Microsoft 365)
  • Virginia Breach of Personal Information Act (Microsoft 365)
  • Washington DC - Consumer Security Breach Notification Standard (Microsoft 365)
  • West Virginia - Breach of Security of Consumer Information (Microsoft 365)
  • Wisconsin Security Breach Notification (Microsoft 365)

Regional

Asia-Pacific Countries

  • Asia Pacific Economic Cooperation (APEC) Privacy Framework
  • Australia - ASD Essential 8 (Microsoft 365)
  • Australia - National Archives Act
  • Australia - Public Records Office Victoria Recordkeeping Standards (Microsoft 365)
  • Australia - Spam Act 2003 (Microsoft 365)
  • Australia Privacy (Credit Reporting) Code (Microsoft 365)
  • Australia Privacy Act (Microsoft 365)
  • Australian Energy Sector Cyber Security Framework (AESCSF) (Microsoft 365)
  • Australian Information Security Registered Assessor Program (IRAP) Version 3 (Microsoft 365)
  • Australian Prudential Regulation Authority CPS (Microsoft 365)
  • Victorian Protective Data Security Standards V2.0 (VPDSS 2.0) (Microsoft 365)
  • Information Management Standard for Australian Government - National Archives of Australia (NAA) (Microsoft 365)
  • China - Personal Information Security Specification (Microsoft 365)
  • Cybersecurity Law of the People's Republic of China (Microsoft 365)
  • Hong Kong - Personal Data (Privacy) Ordinance (Microsoft 365)
  • India Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules
  • India - Information Technology Act (Microsoft 365)
  • Reserve Bank of India Cyber Security Framework (Microsoft 365)
  • Indonesia - Law 11/2008 (Microsoft 365)
  • Japan - Act on Prohibition of Unauthorized Computer Access (Microsoft 365)
  • Japan - Common Model of Information Security Measures for Government Agencies and Related Agencies (Microsoft 365)
  • Japan - Common Standards for Information Security Measures for Government Agencies and Related Agencies (Microsoft 365)
  • Japan Privacy Mark - JIS Q 15001 : 2017 (Microsoft 365)
  • Japanese Act on the Protection of Personal Information (Law No. 57 of 2003) (Microsoft 365)
  • Korea - Credit Information Use And Protection Act (Microsoft 365)
  • Korea - The Act on Promotion of Information and Communications Network Utilization and Data Protection (Microsoft 365)
  • Korea Personal Information Protection Act (Microsoft 365)
  • Malaysia - Personal Data Protection Act (PDPA) (Microsoft 365)
  • Malaysia Risk Management in Technology (RMiT) (Microsoft 365)
  • Myanmar - Law Protecting the Privacy and Security of Citizens
  • Nepal - Right to Information Act
  • New Zealand - Privacy Act / 2020 (Microsoft 365)
  • New Zealand - Public Records Act (Microsoft 365)
  • New Zealand - Reserve Bank BS11 Outsourcing Policy (Microsoft 365)
  • New Zealand - Telecommunications Information Privacy Code (Microsoft 365)
  • New Zealand Health Data Retention Policy (Microsoft 365)
  • New Zealand Health Information Privacy Code (Microsoft 365)
  • New Zealand Health Information Security Framework (HISF) (Microsoft 365)
  • New Zealand Information Security Manual (NZISM)
  • Pakistan - Electronic Data Protection Act - DRAFT (Microsoft 365)
  • Philippines BSP Information Security Management Guidelines (Microsoft 365)
  • Philippines Data Privacy Act of 2012 (Microsoft 365)
  • Singapore - ABS Guidelines on Control Objectives and Procedures for Outsourced Service Providers (Microsoft 365)
  • Singapore - Banking Act (Cap.19)
  • Singapore - Cybersecurity 2018 (Microsoft 365)
  • Singapore - IMDA IoT Cyber Security Guide (Microsoft 365)
  • Singapore - Monetary Authority of Singapore Technology Risk Management Framework (Microsoft 365)
  • Singapore - Multi-Tier Cloud Security (MTCS) Standard (Microsoft 365)
  • Singapore - Personal Data Protection Act / 2012 (Microsoft 365)
  • Singapore Spam Control Act (Microsoft 365)
  • Taiwan - Implementation Rules for the Internal Audit and Internal Control System of Electronic Payment Institutions - 2015 (Microsoft 365)
  • Taiwan - Implementation Rules of Internal Audit and Internal Control System of Financial Holding Companies and Banking
  • Taiwan - Regulations Governing Approval and Administration of Financial Information Service Enterprises Engaging in Interbank Funds Transfer and Settlement (Microsoft 365)
  • Taiwan - Regulations Governing the Standards for Information System and Security Management of Electronic Payment Institutions (Microsoft 365)
  • Taiwan Personal Data Protection Act (PDPA) (Microsoft 365)
  • Thailand PDPA (Microsoft 365)
  • Trade Secrets Act of The Republic of China (Microsoft 365)
  • Law of The Republic of Uzbekistan on Personal Data (Microsoft 365)
  • Vietnam - Consumer Rights Protection Law (Microsoft 365)
  • Vietnam - Law of Cybersecurity (Microsoft 365)
  • Vietnam - Law of Network Information Security
  • Vietnam - Law on Information Technology (Microsoft 365)

Europe, Middle East, and Africa (EMEA)

  • Albania - The Law on the Protection of Personal Data No. 9887
  • Austrian Telecommunications Act 2003 (Microsoft 365)
  • Armenia - Law of the Republic of Armenia on the Protection of Personal Data (Microsoft 365)
  • Belarus Law On Information, Informatization and Protection of information (Microsoft 365)
  • Belgium - Act on the Protection of Natural Persons with Regard to the Processing of Personal Data (Microsoft 365)
  • Belgium NBB Dec 2015 (Microsoft 365)
  • Bosnia and Herzegovina Law on the Protection of Personal Data
  • Botswana - Data Protection Act (Microsoft 365)
  • Bulgaria Law for Protection of Personal Data 2002 (Microsoft 365)
  • Central Bank of Kuwait Cybersecurity Framework (Microsoft 365)
  • Cyprus The Processing of Personal Data Law (Microsoft 365)
  • Czech - Act No. 110/2019 Coll. on Personal Data Processing - 2019 (Microsoft 365)
  • Czech - On Cyber Security and Change of Related Acts (Act on Cyber Security) - Act No. 181 (Microsoft 365)
  • Denmark - The Data Protection Act (Microsoft 365)
  • Denmark - Executive Order on Information and Consent Required in Case of Storing and Accessing Information in End-User Terminal Equipment
  • Directive 2013/40/EU Of The European Parliament And Of The Council (Microsoft 365)
  • Dubai - Health Data Protection Regulation (Microsoft 365)
  • Dubai Consumer Protection Regulations (Telecommunications Regulatory Authority)(Microsoft 365)
  • Dubai ISR (Microsoft 365)
  • Estonia - Personal Data Protection Act (Microsoft 365)
  • Estonia - The system of security measures for information systems (Microsoft 365)
  • EU - Directive 2006/24/EC (Microsoft 365)
  • EU - ePrivacy Directive 2002 58 EC (Microsoft 365)
  • EudraLex - The Rules Governing Medicinal Products in the European Union (Microsoft 365)
  • European Network and Information Security Agency (ENISA) - Cloud Computing Information Assurance Framework (Microsoft 365)
  • Finland - Data Protection Act (Microsoft 365)
  • Finnish Criteria for Assessment of Information Security of Cloud Services
  • France - The Data Protection Act (Microsoft 365)
  • Georgia Law on Personal Data Protection (Microsoft 365)
  • Germany - Annotated text of the Minimum Requirements for Risk Management (Microsoft 365)
  • Germany - Cloud Computing Compliance Controls Catalog (C5) (Microsoft 365)
  • Germany - Federal Data Protection Act (Microsoft 365)
  • Germany - Supervisory Requirements for IT in Financial Institutions (BAIT) (Microsoft 365)
  • Ghana - Data Protection Act (Microsoft 365)
  • Ireland Data Protection Act (Microsoft 365)
  • Israel - Privacy Protection (Transfer of Data to Databases Abroad) Regulations (Microsoft 365)
  • Israel Privacy Law (Microsoft 365)
  • Jordan Cloud Platforms & Services Policy (Microsoft 365)
  • Kenya Data Protection Act (Microsoft 365)
  • Luxembourg Act (Microsoft 365)
  • Malta - Data Protection Act (Microsoft 365)
  • Mauritius Data Protection Act 2004 (Microsoft 365)
  • Republic of Moldova Law on Personal Data Protection (Microsoft 365)
  • Montenegro - Law on Personal Data Protection (Microsoft 365)
  • Nigeria Data Protection Regulation (Microsoft 365)
  • Oman - Electronic Transactions Law (Microsoft 365)
  • Qatar Cloud Security Policy
  • Romania - Data Protection Law 190/2018 (Microsoft 365)
  • Russia - Federal Law 149-FZ On Information, Information Technology and Information Security
  • Russian Federation Federal Law Regarding Personal Data (Microsoft 365)
  • South Africa Consumer Protection ACT 68 2008 (Microsoft 365)
  • South Africa Electronic Communications and Transactions Act, 2002 (Microsoft 365)
  • South Africa - Promotion of Access to Information Act (Microsoft 365)
  • South African POPIA (Microsoft 365)
  • Slovakia Act on the Protection of Personal Data (Microsoft 365)
  • Spain - Nation Security Framework (Microsoft 365)
  • Switzerland - Federal Act on Data Protection (FADP) (Microsoft 365)
  • Turkey - KVKK Protection of Personal Data 6698 (Microsoft 365)
  • UAE - Federal Decree Law on Combating Cyber Crimes (Microsoft 365)
  • UAE - Federal Law Concerning Electronic Transactions and Commerce
  • UAE - Federal Law No 2 of 2019 On the Use of the Information and Communication Technology (ICT) in Health Fields (Microsoft 365)
  • UAE - NESA Information Assurance Standards (Microsoft 365)
  • UAE Regulatory Policy TRA - Internet of Things (Microsoft 365)
  • UAE's Federal Decree Law Regulating the Telecommunications Sector (Microsoft 365)
  • Uganda - The Data Protection and Privacy Act (Microsoft 365)
  • UK - Cyber Security for Defence Suppliers Standard 05-138 (Microsoft 365)
  • UK - The Offshore Petroleum Activities Regulations / 2011 (Microsoft 365)
  • UK Cyber Essentials (Microsoft 365)
  • UK Data Protection Act (Microsoft 365)
  • UK Data Retention Act (Microsoft 365)
  • UK Privacy and Electronic Communications (Microsoft 365)
  • Ukraine - Protection of Personal Data Law (Microsoft 365)
  • Yemen - Yemen Law of the Right of Access to Information (Microsoft 365)

Latin America

  • Antigua and Barbuda - Data Protection Act /2013 (Microsoft 365)
  • Bahamas - Data Protection Act (Microsoft 365)
  • Barbados - Data Protection Bill 2019 (Microsoft 365)
  • Barbados - Electronic Transactions Act (Microsoft 365)
  • Bermuda - Electronic Transaction Act (Microsoft 365)
  • Saint Lucia Data Protection Act (Microsoft 365)
  • Trinidad and Tobago Data Protection (Act 13 of 2011) (Microsoft 365)

North America

  • Canada - Breach of Security Safeguards Regulations (Microsoft 365)
  • Canada - British Columbia - Information Privacy & Security - FOIPPA (Microsoft 365)
  • Canada - Office of the Superintendent of Financial Institutions Cyber Security Self-Assessment Guide (Microsoft 365)
  • Canada - Personal Health Information Protection Act (PHIPA) 2020 (Microsoft 365)
  • Canada - Personal Information Protection and Electronic Documents Act (PIPEDA) (Microsoft 365)
  • Canada - Protected B
  • Canada Cybersecure - Baseline Cyber Security Controls for Small and Medium Organizations (Microsoft 365)
  • CAN-SPAM Act (Microsoft 365)
  • Mexico - Federal Consumer Protection Law (Microsoft 365)
  • Mexico - Federal Law on Protection of Personal Data Held by Private Parties (Microsoft 365)

South America

  • Argentina - Personal Data Protection Act 25.326 (Microsoft 365)
  • Brazil - Consumer Protection Code Law No. 8078 (Office 365)
  • Brazil - General Data Protection Law (LGPD) (Microsoft 365)
  • Colombia - Decree No. 1377/2013 (Microsoft 365)
  • Colombia - External Circular Letter 007 of 2018 (Microsoft 365)
  • Colombia - Law 1266/2008- Habeas Data Act (Microsoft 365)
  • Peruvian Legislation Law 29733 Law of Data Privacy Protection