Use Compliance Manager in the Service Trust Portal - Preview

This article describes a preview feature that may not be available to everyone and is subject to change. Note that this preview feature isn't available in Office 365 operated by 21Vianet or Office 365 Germany.

The new Compliance Manager in the Microsoft Service Trust Portal (STP) provides tools to track, implement, and manage the audited controls that help your organization meet security and data protection standards for the Microsoft cloud services it uses, such as Office 365 and Microsoft Azure. It helps the person who oversees your organization's data protection strategy (sometimes called a data protection officer) manage the compliance and risk assessment process.

Compliance Manager:

  • Combines the detailed information that Microsoft provides to auditors and regulators during third-party audits of its cloud services against standards such as ISO 27001:2013 and ISO 27018:2014, and the information that Microsoft compiles internally about its compliance with regulations such as the EU General Data Protection Regulation (GDPR), with your own self-assessment of your organization's compliance with those standards and regulations.

  • Enables you to assign, track, and record compliance and assessment-related activities, which can help your organization cross team barriers to achieve your organization’s compliance goals.

  • Provides a secure repository for you to upload and manage evidence and other artifacts related to your compliance activities.

  • Produces richly detailed reports in Microsoft Excel that document the compliance activities performed by Microsoft and your organization, which can be provided to auditors, regulators, and other compliance stakeholders.

Important: Compliance Manager is a dashboard that summarizes your data protection and compliance posture and recommends ways to improve it. These are recommendations only; it is up to you to evaluate their effectiveness in your regulatory environment before implementing them. Recommendations from Compliance Manager should not be interpreted as a guarantee of compliance.

Contents

Assessments in Compliance Manager

Accessing Compliance Manager

Assigning permissions to Compliance Manager

Adding an Assessment

Managing the assessment process

Managing Action Items

Exporting information from an Assessment

Archiving an Assessment

Assessments in Compliance Manager

The core component of Compliance Manager is called an Assessment. An Assessment combines a Microsoft cloud service (such as Office 365) with a certification standard or data protection regulation (such as ISO 27001:2013 or the GDPR). Assessments enable you to discern your organization's data protection and compliance posture against the selected industry standard for the selected Microsoft cloud service. Assessments are completed by the implementation of the controls that map to the standard being assessed.

The structure of an Assessment is based on the responsibility that is shared between Microsoft and your organization for assessing security and compliance risks in the cloud and for implementing the data protection safeguards specified by a compliance standard, a data protection standard, a regulation, or a law.

  • Microsoft managed controls   For each cloud service, Microsoft implements and manages a set of controls as part of its compliance with various standards and regulations. These controls are grouped into control families within Microsoft's internal control framework. For each Microsoft managed control, Compliance Manager provides details about how Microsoft implemented the control, along with how and when that implementation was tested and validated by an independent third-party auditor.

    Here's an example of the Microsoft managed controls in the Accountability, Audit, and Risk control family from an Assessment of Office 365 against ISO 27001:2013.

    Details of Microsoft managed controls in the Compliance Manager
    1. The ID number of the control from Microsoft's internal compliance framework.

    2. The section or article number from the standard or regulation that has been mapped to the selected MS Control ID.

    3. A description of the section or article from the standard or regulation that has been mapped to the selected MS Control ID. For each control, you can click More to see additional information, including details about Microsoft's implementation of the control and details about how the control was tested and validated by an independent third-party auditor.

    4. Information about the implementation status of a control, the date the control was tested, who performed the test, and the test result.

  • Customer managed controls   These are the controls that your organization manages. Your organization is responsible for implementing them as part of its compliance process for a given standard or regulation. Use the customer managed controls to implement the actions that Microsoft recommends as part of your compliance activities. The prescriptive guidance and recommended Customer Actions in each customer managed control help you manage the implementation and assessment process for that control.

    Customer managed controls in Assessments also have built-in workflow management functionality that you can use to manage and track your organization's progress towards completing the Assessment. For example, a Compliance Officer in your organization can assign an Action Item to an IT admin who has the responsibility and the necessary permissions to perform the actions recommended for the control. When that work is complete, the IT admin can upload evidence of the implementation (for example, screenshots of configuration or policy settings) and then assign the Action Item back to the Compliance Officer, who evaluates the collected evidence, tests the implementation of the control, and records the implementation date and test results in Compliance Manager. For more information, see the Managing the assessment process section in this article.

    Here's an example of the customer managed controls in the Identification and Authentication control family from an Assessment of Office 365 against ISO 27001:2013.

    Details of customer managed controls in the Compliance Manager
    1. The ID number of the control from Microsoft's internal compliance framework and the section or article number from the standard or regulation that has been mapped to the MS Control ID.

    2. A description of the section or article from the standard or regulation that has been mapped to the selected MS Control ID. When you click More, you'll see the recommended Customer Actions, along with fields that let you provide implementation and test plan details for your organization.

    3. Action Items can be assigned to a person to implement and/or validate the control. When you assign an Action Item, you can send an email notification that includes recommended Customer Actions, along with the ability to add notes.

    4. Status is used to track your organization's implementation progress. 

    5. Test Date and Test Result are used by assessors to specify the test result and the date when the control was tested.


Accessing Compliance Manager

The Compliance Manager dashboard gives you the tools to assign, track, and record compliance and assessment-related activities, and to help your organization cross team barriers to achieve its compliance goals. You access Compliance Manager from the STP. During the preview, anyone with an Office 365 or Azure AD account in your organization can access Compliance Manager.

  1. Go to https://aka.ms/STP, which resolves to https://servicetrust.microsoft.com.

  2. Sign in with your Office 365 or Azure Active Directory (Azure AD) user account.

  3. In the Service Trust Portal, click Compliance Manager.

  4. When the Non-Disclosure Agreement is displayed, read it, and then click Agree to continue. You'll only have to do this once, and then the Compliance Manager dashboard is displayed. To get you started, we've added the following Assessments by default:

    • Office 365 and GDPR (EU General Data Protection Regulation)

    • Office 365 and ISO 27001:2013 (information security standard)

      Note: Compliance Manager Preview also enables you to create an Assessment for Office 365 and ISO 27018:2014 (personal data protection standard).

  5. Click the Help icon to take a short tour of Compliance Manager.

  6. Click the Assessment name to open it and view the Microsoft and customer managed controls associated with the Assessment, along with a list of the cloud services that are in-scope for the Assessment.

    The components of an Assessment in the Compliance Manager
    1. This section shows the individual cloud services that are in-scope for the assessment.

    2. This section contains Microsoft managed controls. Related controls are organized by control family. Click a control family to expand it and display individual controls.

    3. This section contains customer managed controls, which are also organized by control family. Click a control family to expand it and display individual controls.

    4. Displays the total number of controls in the control family, and how many of those controls have been assessed. A key capability of Compliance Manager is tracking your organization's progress on assessing the customer managed controls.


Assigning permissions to Compliance Manager

By default, everyone in your organization with an Office 365 or Azure AD account has access to Compliance Manager and can perform any action in it. Access is only restricted once you populate the roles: to change the default permissions, add at least one user to each Compliance Manager role (see the following instructions). After a user is added to a role, the default permissions for that role are removed, and only users who have been added to a role can access Compliance Manager and perform the actions that the role allows.

Note: Each role defaults to open access until a user is added to it, so you must add a user to every role to fully change the default behavior. For example, if you add a user to the role that lets users manage Assessments, only members of that role can manage Assessments. Similarly, if you don't add a user to the role that lets users read the data in Assessments, then all users in your organization can still access Compliance Manager and read data in any Assessment.

The following table describes each Compliance Manager permission and what it allows the user to do. A check mark (✓) indicates that the role includes the permission.

Permission           Reader   Contributor   Assessor   Administrator   Portal Admin
Read data              ✓          ✓            ✓             ✓               ✓
Edit data                         ✓            ✓             ✓               ✓
Edit test results                              ✓             ✓               ✓
Manage assessments                                           ✓               ✓
Manage users                                                                 ✓

Read data   Users can read but not edit data.

Edit data   Users can edit all fields, except the Test Result and Test Date fields.

Edit test results   Users can edit the Test Result and Test Date fields.

Manage assessments   Users can create, archive, and delete Assessments.

Manage users   Users can add other users in their organization to the Reader, Contributor, Assessor, and Administrator roles. Only users with the Global Administrator role in your organization can add or remove users from the Portal Admin role.

To add a user to a Compliance Manager role:

  1. Go to https://servicetrust.microsoft.com.

  2. Sign in with your Office 365 or Azure Active Directory user account.

  3. In the Service Trust Portal, click Settings.

  4. In the Select Role drop-down list, click the role that you want to add users to.

  5. Click Add, add a user to the role, and then click Save.

    Users added to each role are listed on the Select Role page. You can select a user and click Delete to remove them from the selected role.


Adding an Assessment

To add an Assessment to Compliance Manager:

  1. In the Compliance Manager dashboard, click Add Assessment.

  2. On the Add a Standard Assessment page, choose a Microsoft cloud service to assess for compliance from the Select Product drop down list, and then click Next. Note that only Office 365 is available in Compliance Manager Preview.

  3. Select one or more standards/regulations for the Assessment.

    The information displayed for the selected standard/regulation will apply to the cloud service selected in step 2. Note that only ISO 27001:2013, ISO 27018:2014, and the GDPR are available in Compliance Manager Preview.

    Note: Compliance Manager Preview doesn't include implementation details for all of Microsoft's internal controls that have been mapped to the GDPR. Additional implementation details for Microsoft managed controls that have been mapped to the GDPR will be added to Compliance Manager throughout the preview period.

  4. In the Name the Assessment field, provide a unique name for the Assessment, which will be displayed on the Compliance Manager dashboard.

  5. Click Add to Dashboard to create the Assessment.

    When an Assessment is displayed on the Compliance Manager dashboard, it shows the overall progress of the Assessment, along with details about when it was created and when it was last modified. It also shows the Assessment Users, which include the creator of the Assessment and other users who've been assigned Action Items.

  6. Click the Assessment name to open it, and view the details of the Assessment.


Managing the assessment process

The creator of an Assessment is initially the only Assessment User. For each customer managed control, you can assign an Action Item to a person in your organization so that person becomes an Assessment User who can perform the recommended Customer Actions, and gather and upload evidence. When you assign an Action Item, you can choose to send an email to the person that contains details including the recommended Customer Actions and the Action Item priority. The email notification includes a link to the Action Items dashboard, which lists all Action Items assigned to that person.

Here's a list of tasks that you can perform using the workflow features of Compliance Manager.

The workflow management features in a customer managed control
  1. Assign an Action Item to a user     You can assign an Action Item to a person to implement the requirements of a standard or regulation, or to test, verify, and document your organization's implementation requirements. When you assign an Action Item, you can choose to send an email to the person that contains details including the recommended Customer Actions and the Action Item priority. You can also unassign or reassign an Action Item to a different person.

  2. Manage documents   Customer managed controls also have a place to manage documents related to implementation tasks and to testing and validation tasks. Anyone with permission to edit data in Compliance Manager can upload documents by clicking Manage Documents. After a document has been uploaded, you can click Manage Documents to view and download files.

  3. Provide implementation and testing details   Every customer managed control has an editable field where users can add implementation details that document the steps taken by your organization to meet the requirements of the standard or regulation, and to validate and document how your organization meets those requirements.

  4. Set status   Set the Status for each item as part of the assessment process. Available status values are Implemented, Alternative Implementation, Planned, and Not in Scope.

  5. Enter test date and test result   A person with the Compliance Manager Assessor role can verify that proper testing was performed, review the implementation details, test plan, test results, and any uploaded evidence, and then set the Test Date and Test Result. Available test result values are Passed, Failed-Low Risk, Failed-Medium Risk, and Failed-High Risk.

Managing Action Items

The people involved in the assessment process in your organization can use Compliance Manager to review the customer managed controls from all Assessments for which they are users. When a user signs in to Compliance Manager and opens the Action Items dashboard, a list of Action Items assigned to them is displayed. Depending on the Compliance Manager role assigned to the user, they can provide implementation or test details, update the Status, or assign Action Items.

Exporting information from an Assessment

You can export an Assessment to an Excel file, which can be reviewed by compliance stakeholders in your organization, and provided to auditors and regulators.


Archiving an Assessment

When you have completed an Assessment and no longer need it for compliance purposes, you can archive it. When an Assessment is archived, it's removed from the Assessments dashboard. If you later need to modify it, you can reactivate the Assessment.

To archive an assessment, click Actions > Archive Assessment on the Assessment tile. To view archived Assessments, check the Show Archived checkbox.
