Microsoft Compliance Score (Preview)
Microsoft Compliance Score helps to simplify the way you manage compliance and reduce compliance risks through a user-friendly experience. Compliance Score is now available for public preview in the Microsoft 365 compliance center. Read this article to understand what Compliance Score is, how it can help you manage compliance for your organization, and how to get started.
What is Compliance Score
Microsoft Compliance Score is a preview feature in the Microsoft 365 compliance center to help you understand your organization’s compliance posture. It calculates a risk-based score measuring your progress in completing actions that help reduce risks around data protection and regulatory standards.
You can use Compliance Score as a tool to track all of your risk assessments. It provides workflow capabilities to help you efficiently perform and complete your risk assessments through a common tool.
If you currently use Compliance Manager, you’ll notice that Compliance Score is now a standalone feature with a simpler, more user-friendly design to help you manage compliance more easily.
The main Compliance Score page is your custom dashboard. It shows your current score, helps you see what needs attention, and guides you to actions to improve your score. This is what your Compliance Score dashboard will look like:
Simplified compliance management
Compliance Score helps simplify compliance management by providing:
- Continuous assessments: automatically scans through your Microsoft 365 environments to detect and monitor the effectiveness of data protection controls in your system
- Recommended actions: provides recommendations and step-by-step guidance for how to implement controls to maximize your score
- Built-in control mapping: helps you stay current with the evolving compliance landscape by providing a built-in common control framework
Compliance Score does not express an absolute measure of organizational compliance with any particular standard or regulation. It expresses the extent to which you have adopted controls that can reduce the risks to personal data and individual privacy. Recommendations from Compliance Score and Compliance Manager should not be interpreted as a guarantee of compliance. This service is currently in preview and is subject to the terms and conditions in the Online Services Terms.
Relationship to Compliance Manager
Think of Compliance Score as a simplified version of Compliance Manager. While the two exist as distinct yet integrated tools, Compliance Score makes it easier to monitor your overall compliance posture and take steps to improve it.
Compliance Score shares the same backend with Compliance Manager, so any data you may already have in Compliance Manager will show in Compliance Score.
During public preview, some functionality remains solely in Compliance Manager, such as managing assessments and creating templates. We recommend beginning all of your compliance management activities in Compliance Score. When you come to functions handled by Compliance Manager, you will be guided to that tool. For that reason, some of this documentation directs you to Compliance Manager topics.
Learn more about the relationship between Compliance Score and Compliance Manager in the Compliance Score release notes.
Understanding your score
Compliance Score gives you an out-of-the-box score based on the Microsoft 365 data protection baseline, which is a set of controls that includes common industry regulations and standards. While this score is a good starting point for assessing your compliance posture, Compliance Score becomes more powerful for you once you add assessments that are more relevant to your organization.
For example, if your organization belongs to the financial services industry, you may want to add the FFIEC assessment. If your organization belongs to the healthcare industry, you can add the HIPAA/HITECH assessment. Learn how to add assessments in Compliance Manager.
Learn more about how your compliance score is calculated and continuously monitored.
Key components: controls, assessments, templates, groups
Compliance Score uses several components to help you manage your compliance activities. As you use Compliance Score to assign, test, and monitor compliance activities, it’s helpful to have a basic understanding of these key components. This diagram shows the relationships among them:
A control defines how you assess and manage system configuration, organizational process, and people accountability to meet a specific requirement of a regulation, standard, or internal policy.
Compliance Score tracks two types of controls:
- Microsoft-managed controls: these are controls for Microsoft cloud services, which Microsoft is responsible for implementing
- Customer-managed controls: these are controls managed by your organization, which you are responsible for implementing
An assessment is an evaluation of a template that initiates the scoring process for your organization. Assessments group the actions necessary to meet the requirements of a standard, regulation, or law. For example, you may have an assessment that, when you complete all actions within it, brings your Office 365 settings in line with ISO 27001 requirements.
By default, Compliance Score provides your organization with an assessment based on the Microsoft 365 data protection baseline, a recommendation for reducing your data protection and compliance risks.
Assessments include several components:
- In-scope services: the specific set of Microsoft services applicable to the assessment
- Microsoft-managed controls: controls that Microsoft implemented and tested
- Customer-managed controls: controls that you manage
- Assessment score: the percentage of the points achieved by completing actions within that assessment
Compliance Score displays your assessments and how they factor into your overall score. However, during public preview you will be directed to Compliance Manager to manage your assessments.
View detailed instructions for working with assessments in Compliance Manager.
Compliance Score provides pre-configured templates for assessments. Compliance Score also allows you to create templates for your own assessments to suit your needs. For example, you can create a template for your business process control, or a template for a regional data protection or compliance standard that isn’t covered by one of the pre-configured templates. By creating your own templates, you can create custom assessments to ensure that Compliance Score tracks not only Microsoft cloud assessments, but also any other risk assessments in scope for your organization.
You can create new templates by copying an existing template, or by importing controls information from an Excel file. View detailed instructions for creating templates in Compliance Manager.
The pre-configured templates for Compliance Score are:
- ISO 27001:2013
- ISO 27018:2014
- NIST 800-53 Rev. 4
- NIST 800-171
- NIST Cybersecurity Framework (CSF)
- Cloud Security Alliance (CSA) Cloud Controls Matrix (CCM) 3.0.1
- Federal Financial Institutions Examination Council (FFIEC) Information Security Booklet
- HIPAA / HITECH
- FedRAMP Moderate
- European Union GDPR
- California Consumer Privacy Act (CCPA) - Preview
- Microsoft 365 Data Protection Baseline
During public preview, go to Compliance Manager to create and manage your templates.
Groups allow you to organize assessments in a way that is logical to you. For example, you may choose to group assessments by year, compliance standard, service, teams within your organization, or some other way.
When two different assessments in the same group share customer-managed actions, the implementation details, testing results, and status for the action in one assessment automatically synchronize to the same action in every other assessment in the group. This unifies the assigned improvement actions across the group and reduces duplicated work.
Learn how to create groups in Compliance Manager.
Sign in, set up permissions, and learn about your Compliance Score dashboard in Compliance Score setup.