Working with assessment templates in Compliance Manager

In this article: Understand how templates work and how to manage them from your assessment templates page. Get instructions for creating new templates, modifying existing templates, formatting your template data with Excel, and exporting template reports.

Important

The assessment templates that are available to your organization depends on your licensing agreement. Review the details.

Templates overview

A template is a framework for creating an assessment in Compliance Manager. They contain the controls for meeting the requirements of a certification using a certain product. Compliance Manger provides a comprehensive set of templates to help your organization comply with national, regional, and industry-specific requirements governing the collection and use of data.

List of pre-built templates for assessments

Compliance Manager provides templates for building assessments to help you comply with various regulations and standards. View the list of templates provided by Compliance Manager. New templates are added regularly, so check the list often.

Viewing and managing templates from the assessment templates page

The assessment templates page in Compliance Manager displays a list of templates and key details. The list includes templates provided by Compliance Manager as well as any templates your organization has modified or created. You can apply filters to find a template based on certification, product scope, country, industry, who created it, and whether the template is enabled for assessment creation.

Select a template from its row to bring up its details page. This page contains a description of the template and further information about certification, scope, and controls details. From this page you can select the appropriate buttons to create an assessment, export the template data to Excel, or modify the template.

Creating and modifying templates overview

To modify an existing template or to create your own new template, you’ll use a specially formatted Excel spreadsheet (download an example) to assemble the necessary control data. After completing the spreadsheet, you import it into Compliance Manager during the process of creating or modifying a template.

Note

The spreadsheet has a specific format and schema that must be used, or it will not import correctly into Compliance Manager. The formatting instructions are below.

Required roles

Only users who hold a Global Administrator or Compliance Manager Administration role can create and modify templates. Learn more about roles and permissions.

Create a new template

To create your own new template (used for building custom assessments), follow the steps below.

  1. Go to your assessment templates page in Compliance Manager.

  2. Select Create new template. A template creation wizard will open.

  3. Choose the type of template you want to create. In this case, select Create a custom template, then select Next.

  4. At the Upload file screen, select Browse to find and upload your formatted Excel file containing all the required template data (see instructions for properly formatting your file).

  5. If there are no problems with your file, the name of the file uploaded will be displayed. Select Next to continue. (If you need to change the file, select Upload a different file).

    • If there’s an error with your file, an error message at the top explains what’s wrong. You’ll need to fix your file and upload it again. Errors will result if your spreadsheet is formatted improperly, or if there’s invalid information in certain fields (refer again to the formatting instructions).
  6. The Review and finish screen shows the number of improvement actions and controls and the maximum score for the template. When ready to approve, select Create template. (If you need to make changes, select Back.)

  7. The last screen confirms a new template has been created. Select Done to exit the wizard.

  8. You’ll arrive at your new template’s details page, where you can create your assessment.

Formatting your template data with Excel

The Excel spreadsheet used to create templates contains four tabs, three of which are required:

  1. Template (required)
  2. ControlFamily (required)
  3. Actions (required)
  4. Dimensions (optional)

When filling out your spreadsheet with template data, the spreadsheet must include the tabs in the order listed above, otherwise your data won't successfully import to a template.

Template tab

The Template tab is required. The information in this tab provides metadata about the template. There are four required columns. The columns must retain the order on the Excel sheet as listed below. You can add your own column after the four columns to provide your own dimensions. If you do this, be sure to add them to the Dimensions tab using the instructions below.

  • title: This is the title for your template, which must be unique. It can't share a name with another template you have in Compliance Manager, including your own templates or a Compliance Manager template.

  • product: This is a required dimension. List the product associated with the template.

  • certification: This is the regulation you're using for the template.

  • inScopeServices: These are the services within the product that this assessment addresses (for example, if you listed Office 365 as the product, Microsoft Teams could be an in-scope service). You can list multiple services separated by two semi-colons.

Note

The data you insert in the product and certification cells can't be edited after you import the spreadsheet to create or customize a template. Also, a group can't contain two assessments that have the same product/certification combination. You can have multiple templates with the same product/certification combination.

ControlFamily tab

The ControlFamily tab is required. The required columns in this tab, which must follow the order provided in the sample spreadsheet, are:

  • controlName: This is the control name from the certification, standard, or regulation, which is typically some type of ID. Control names must be unique within a template. You can't have multiple controls with the same name in the spreadsheet.

  • controlFamily: Provide a word or phrase for the controlFamily, which identifies a broad grouping of controls. A controlFamily doesn't have to be unique; it can be listed more than once in a spreadsheet. The same controlFamily can also be listed in multiple templates, though they have no relation to each other. Every controlFamily must be mapped to at least one control.

  • controlTitle: Provide a title for the control. Whereas the controlName is a reference code, the title is a rich text format typically seen in the regulations.

  • controlDescription: Provide a description of the control.

  • controlActionTitle: This is the title of an action that you want to relate to this control. You can add multiple actions by separating by two semi-colons with no space in between. Every control you list must include at least one action, and the action must exist (which means you can list an action that you list on the Actions tab of the same spreadsheet, an action that exists in a different template, or an action created by Microsoft). Different controls can reference the same action.

Actions tab

The Actions tab is required. It designates improvement actions managed by your organization and not those of Microsoft, which already exist in Compliance Manager. The required columns for this tab, which must follow the order provided in the sample spreadsheet, are:

  • actionTitle: This is the title for your action and is a required field. The title you provide must be unique. Important: if you reference an action you own that already exists (such as in another template) and you modify any of its elements in the subsequent columns, those changes will propagate to the same action in other templates.

  • implementationType: In this required field, list one of the three implementation types below:

    • Operational - actions implemented by people and processes to protect the confidentiality, integrity, and availability of organizational systems, assets, data, and personnel (example: security awareness and training)
    • Technical - actions completed through the use of technology and mechanisms contained in the hardware, software, or firmware components of the information system to protect the confidentiality, integrity, and availability of organizational systems and data (example: multi-factor authentication)
    • Documentation - actions implemented through documented policies and procedures establishing and defining the controls required to protect the confidentiality, integrity, and availability of organizational systems, assets, data, and personnel (example: an information security policy)
  • actionScore: In this required field, provide a numeric score value for your action. It must be a whole number ranging from 1 to 99; it cannot be 0, null, or blank. The higher the number, the greater its value toward improving your compliance posture. The image below demonstrates how Compliance Manager scores controls:

Compliance Manager controls point values

  • actionDescriptionTitle: This is the title of the description and is required. This description title allows you to have the same action in multiple templates and surface a different description in each template. This field helps you clarify what template the description is referencing. In most cases, you can put the name of the template you're creating in this field.

  • actionDescription: Provide a description of the action. You can apply formatting such as bold text and hyperlinks. This is required field.

  • dimension-Action Purpose: This is an optional field. If you include it, the header must include the "dimension-" prefix. Any dimensions you include here will be used as filters in Compliance Manager and appear on the improvement actions details page in Compliance Manager.

Dimensions tab

The Dimensions tab is optional. However, if you reference a dimension elsewhere, you need to specify it here if it does not exist in a template you've already created or in a Microsoft template. The columns for this tab are listed below:

  • dimensionKey: list as "product", "certifications," "action purpose"
  • dimensionValue: examples: Office 365, HIPPA, Preventative, Detective

You can view your existing dimensions by going to Tenant Management and selecting the Dimensions tab. Also, anytime you export an existing template, the exported spreadsheet will have the Dimensions tab, which lists all the dimensions used in the template.

Modify a template

You may want to modify a template you’ve already created, such as to add controls, or add or remove improvement actions. The process is similar to the template creation process in that you’ll upload formatted Excel file with your template data.

However, there are particular details to be aware of as you format your file with changes to existing template data. We recommend you review these instructions carefully to ensure you don’t overwrite any existing data that you want to retain.

Template modification process steps

To modify a template, follow the steps below:

  1. From your assessment templates page, select the template you want to modify, which will bring up its details page.

  2. Select Export to Excel. An Excel file with all your template data will download. Save the file to your local machine.

  3. Make your template changes by modifying the Excel file using the instructions below.

  4. When you're done making changes to your Excel file, save the file.

  5. At your template’s details page, select Modify template to initiate the modification wizard.

  6. At the Upload file screen, select Browse to find and upload your Excel file.

  7. If there are no problems with your file, the next screen shows the name of the file uploaded. Select Next to continue (if you need to change the file, select Upload a different file).

    • If there’s a problem with your file, an error message at the top explains what’s wrong. You’ll need to fix your file and upload it again. Errors will result if your spreadsheet is formatted improperly, or if there’s invalid information in certain fields.
  8. The Review and finish screen shows the number of improvement actions and controls and the maximum score for the template. When ready to approve, select Next.

  9. The last screen confirms that the template has been modified. Select Done to exit the wizard.

Your template will now include the changes you made. Any assessments that use this modified template will now show pending updates, and you’ll need to accept the updates to the assessments to reflect the changes made in the template. Learn more about updates to assessments.

Note

If you use Compliance Manager in a language other than English, you’ll notice that some text appears in English when you export a template to Excel. The titles of actions (both your improvement actions and Microsoft actions) must be in English to be recognized by controls. If you make changes to an action title, be sure to write it in English so that the file imports correctly.

Formatting your Excel file to modify a template

Jump to a section below to quickly find the instructions you need:

Edit the main template attributes

On the Templates tab, you can edit anything in the title column, the inScopeServices column, and in any other column you may have added. However, you can't edit anything in the product or certification columns.

Add an improvement action

  1. Go to the Actions tab. Add your information in the required fields in the first empty row underneath your existing actions.
  2. Go to your ControlFamily tab. Find the row containing the control your improvement action maps to. Add your new action to the controlActionTitle column in that row (remember to separate multiple actions in this field with two semi-colons, no space in between).
  3. Save your spreadsheet.

Edit an improvement action's information

You can change any improvement action's information except for its title. You can edit any cell from columns B onward, and when you import the file back into the template, the improvement actions in that template will now contain the updated data.

You cannot edit the actionTitle (column A) because if you do, Compliance Manager considers this to be a new improvement action. If you want to change an improvement action's name, see the instructions immediately below.

Change an improvement action’s name

If you want to change the name of an improvement action, you have to explicitly designate in the spreadsheet that you are replacing an existing name with a new name. Follow these steps:

  1. In the Actions tab of your spreadsheet, add a new column to the spreadsheet after column A.
  2. In this new column, which is now column B, put as its header in row 1: oldActionTitle.
  3. Copy the contents of column A and paste them into column B. This puts your existing improvement action titles, which are what you want to change, into column B.
  4. In column A, actionTitle, delete the old name and replace it with the new name for your improvement action.

Note that action titles, both for your improvement actions and for Microsoft actions, must be written in English in order to be recognized when referenced in controls.

Remove an improvement action

Deleting an improvement action from a row in a spreadsheet does not remove the action from the template you're editing. Instead, follow the process below:

  1. On the Actions tab, insert a new column as column A and put Operation in the header row, which is row number one.
  2. On the row for the improvement action you want to remove, put Delete in column A for that row.
  3. Ensure that this improvement action is no longer referenced by a control. Go to the ControlFamily tab and look for your improvement action's title in column F, which is controlActionTitle.
  4. When you find your improvement action listed in the controlActionTitle column, delete it.
  5. Save your spreadsheet.

When you import your spreadsheet back into the template, your action will be removed from the template. Removing an action from a template does not completely remove the action. That action can still be referenced by another template.

If you're removing the last improvement action that a control references, then you need to remove the control.

Remove a control

To remove a control, follow the same process for removing an improvement action as outlined above. In the ControlFamily tab, add an Operation column and put Delete next to the control you want to remove.

Export a template

You can export an Excel file that contains all of a template’s data. You’ll need to export a template in order to modify the template, as this will be the Excel file you edit and upload in the modification process.

To export your template, go to your template details page and select the Export to Excel button.

Note that when exporting a template you extended from a Compliance Manager template, the exported file will only contain the attributes you added to the template. The exported file won’t include the original template data provided by Microsoft. To get such a report, see the instructions for exporting an assessment report.