Describe compliance features

Microsoft Purview Compliance Manager is a feature in the Microsoft Purview compliance portal that helps users manage their organization’s compliance requirements with greater ease and convenience. Purview Compliance Manager can help users throughout their compliance journey. Purview Compliance Manager supports:

  • taking inventory of data protection risks.
  • managing the complexities of implementing controls.
  • staying current with regulations and certifications.
  • reporting to auditors.

The following video explains how Purview Compliance Manager can help simplify how organizations manage compliance:

Microsoft Purview Compliance Manager Overview

Purview Compliance Manager helps simplify compliance and reduce risk by providing:

  • Prebuilt assessments for common industry and regional standards and regulations, or custom assessments to meet users' unique compliance needs (available assessments depend on licensing agreements).

  • Workflow capabilities to help users efficiently complete risk assessments through a single tool.

  • Detailed step-by-step guidance on suggested improvement actions to help users comply with the standards and regulations that are most relevant for their organization. For actions managed by Microsoft, users find implementation details and audit results.

  • A risk-based compliance score to help users understand their compliance posture by measuring user progress in completing improvement actions.

The Purview Compliance Manager dashboard includes the current compliance score, helps users understand what needs attention, and guides them to key improvement actions. The following screenshot presents the Compliance Manager dashboard.

Screenshot depicts a compliance score of 57 percent within the Purview Compliance Manager dashboard.

Key elements: controls, assessments, templates, improvement actions

Purview Compliance Manager uses several data elements to help users manage their compliance activities. As they use Purview Compliance Manager to assign, test, and monitor compliance activities, it's helpful to have a basic understanding of the key elements: controls, assessments, templates, and improvement actions.

Controls

A control is a requirement of a regulation, standard, or policy. It defines how users assess and manage system configuration, organizational process, and people responsible for meeting a specific requirement of a regulation, standard, or policy.

Purview Compliance Manager tracks the following types of controls:

  • Microsoft-managed controls: Controls for Microsoft cloud services, which Microsoft is responsible for implementing.

  • Your controls: These controls are sometimes referred to as customer-managed controls. They're implemented and managed by the organization.

  • Shared controls: Both the organization and Microsoft share responsibility for implementing these controls.

Assessments

An assessment is a grouping of controls from a specific regulation, standard, or policy. Completing the actions within an assessment helps users meet the requirements of a standard, regulation, or law. For example, users may have an assessment that, when they complete all actions within it, helps bring Microsoft 365 settings in line with ISO 27001 requirements.

Assessments have several components:

  • In-scope services: The specific set of Microsoft services applicable to the assessment.

  • Microsoft-managed controls: Controls for Microsoft cloud services, which Microsoft implements on the user's behalf.

  • Your controls: These controls are sometimes referred to as customer-managed controls. They're implemented and managed by the organization.

  • Shared controls: Both the organization and Microsoft share responsibility for implementing these controls.

  • Assessment score: Tracks the progress in achieving total possible points from actions within the assessment managed by the organization and by Microsoft.

When users create assessments, they assign them to a group. Users can configure groups in whatever way is most logical for the organization. For example, users may group assessments by audit year, region, solution, teams within the organization, or some other way. Once a group is created, users can filter the Compliance Manager dashboard to view their score by one or more groups.

Templates

Purview Compliance Manager provides templates to help users quickly create assessments. Users can modify these templates to create an assessment optimized for the organization's needs. Users can also build a custom assessment by creating a template with their own controls and actions. For example, users may want a template to cover an internal business process control or a regional data protection standard that isn't covered by one of our 150+ prebuilt assessment templates.

Improvement actions

Improvement actions help centralize users' compliance activities. Each improvement action provides recommended guidance intended to help users align with data protection regulations and standards. Improvement actions can be assigned to users in the organization to perform implementation and testing work. Users can also store documentation and notes, and record status updates, within the improvement action.