Microsoft Compliance Score (preview)
Microsoft Compliance Score helps to simplify the way you manage compliance and reduce compliance risks through a user-friendly experience. Compliance Score is available for public preview in the Microsoft 365 compliance center.
In this article: Read this article to understand what Compliance Score is and how to set it up for your organization.
Learn about updates: We published several updates in the April 2020 release. Visit the Compliance Score release notes to see what's new and known issues with the preview version of Compliance Score.
What is Compliance Score
Microsoft Compliance Score is a preview feature in the Microsoft 365 compliance center to help you understand your organization's compliance posture. It calculates a risk-based score measuring your progress in completing actions that help reduce risks around data protection and regulatory standards.
You can use Compliance Score as a tool to track all of your risk assessments. It provides workflow capabilities to help you efficiently complete your risk assessments through a common tool.
If you currently use Compliance Manager, you'll notice that Compliance Score is now a standalone feature with a simpler, more user-friendly design to help you manage compliance more easily.
The main Compliance Score page is your custom dashboard. It shows your current score, helps you see what needs attention, and guides you to actions to improve your score. Your Compliance Score dashboard will look like this:
Simplified compliance management
Compliance Score helps simplify compliance management by providing:
- Continuous assessments: automatically scans through your Microsoft 365 environments to detect and monitor the effectiveness of data protection controls in your system
- Recommended actions: provides recommendations and step-by-step guidance for how to implement controls to maximize your score
- Built-in control mapping: helps you stay current with the evolving compliance landscape by providing a built-in common control framework
Recommendations from Compliance Score and Compliance Manager should not be interpreted as a guarantee of compliance. It is up to you to evaluate and validate the effectiveness of customer controls per your regulatory environment. These services are currently in preview and subject to the terms and conditions in the Online Services Terms. See also Microsoft 365 licensing guidance for security and compliance.
Relationship to Compliance Manager
Think of Compliance Score as a simplified version of Compliance Manager. While the two exist as distinct yet integrated tools, Compliance Score makes it easier to monitor your overall compliance posture and take steps to improve it.
Compliance Score shares the same backend with Compliance Manager, so any data you may already have in Compliance Manager will show in Compliance Score.
Some functionality remains solely in Compliance Manager during public preview, such as managing assessments and creating templates. We recommend beginning all of your compliance management activities in Compliance Score. When you come to functions handled by Compliance Manager, you'll be guided to that tool. For that reason, some of this documentation directs you to Compliance Manager topics.
Learn more about the relationship between Compliance Score and Compliance Manager in the Compliance Score release notes.
Understanding your score
Compliance Score gives you an initial score based on the Microsoft 365 data protection baseline. This baseline is a set of controls that includes common industry regulations and standards. While this score is a good starting point for assessing your compliance posture, Compliance Score becomes more powerful once you add assessments that are more relevant to your organization.
For example, if your organization belongs to the financial services industry, you may want to add the FFIEC assessment. If your organization belongs to the healthcare industry, you can add the HIPAA/HITECH assessment. Learn how to add assessments in Compliance Manager.
Learn more about how your compliance score is calculated and continuously monitored.
Key components: controls, assessments, templates, groups
Compliance Score uses several components to help you manage your compliance activities. As you use Compliance Score to assign, test, and monitor compliance activities, it's helpful to have a basic understanding of the key components: controls, assessments, templates, and groups.
A control defines how you assess and manage system configuration, organizational process, and people responsible for meeting a specific requirement of a regulation, standard, or internal policy.
Compliance Score tracks two types of controls:
- Microsoft-managed controls: controls for Microsoft cloud services, which Microsoft is responsible for implementing
- Customer-managed controls: controls managed by your organization, which you're responsible for implementing
An assessment is an evaluation of a template that initiates the scoring process for your organization. Assessments group the actions necessary to meet the requirements of a standard, regulation, or law. For example, you may have an assessment that, when you complete all actions within it, brings your Office 365 settings in line with ISO 27001 requirements.
Compliance Score provides your organization with an initial assessment based on the Microsoft 365 data protection baseline. This assessment is a recommendation for reducing your data protection and compliance risks (learn more).
Assessments have several components:
- In-scope services: the specific set of Microsoft services applicable to the assessment
- Microsoft-managed controls: controls that Microsoft implemented and tested
- Customer-managed controls: controls that you manage
- Assessment score: the percentage of the points achieved by completing actions within that assessment
Compliance Score displays your assessments and how they factor into your overall score. However, during public preview you will be directed to Compliance Manager to manage your assessments.
View detailed instructions for managing assessments in Compliance Manager.
Compliance Score provides pre-configured templates for assessments. You can also create a Custom Assessment by adding your own controls and actions to a pre-configured template. For example, you can create a template for your business process control, or a template for a regional data protection or compliance standard that isn't covered by one of the pre-configured templates. By bringing your own templates into Compliance Score, you can track not only Microsoft cloud assessments, but also any other risk assessments in scope for your organization.
The pre-configured templates for Compliance Score are:
- Brazil General Data Protection Law (LGPD)
- California Consumer Privacy Act (CCPA) (preview)
- Cloud Security Alliance (CSA) Cloud Controls Matrix (CCM) 3.0.1
- Dubai Information Security Resolution (DGISR)
- European Union GDPR
- Federal Financial Institutions Examination Council (FFIEC) Information Security Booklet
- FedRAMP Moderate
- HIPAA / HITECH
- IRAP / Australian Government ISM (preview)
- ISO 27001:2013
- ISO 27018:2014
- ISO 27701:2019
- Microsoft 365 Data Protection Baseline
- NIST 800-53 Rev. 4
- NIST 800-171
- NIST Cybersecurity Framework (CSF)
- SOC 1
- SOC 2
View detailed instructions for creating templates, which occurs in Compliance Manager.
Groups allow you to organize assessments in a way that is logical to you. For example, you may choose to group assessments by year, compliance standard, service, teams within your organization, or some other way.
When two different assessments in the same group share customer-managed actions, updates you make to the implementation details, testing, and status for the action in one assessment will automatically synchronize to the same action in any other assessment in the group. Synching actions in this way unifies the assigned improvement actions across the group and reduces duplicating work.
Next step: begin setup
Learn how to sign in, set up permissions, and configure updates and dashboard views at Compliance Score setup.