Common misconceptions about Microsoft Purview Compliance Manager
Microsoft Purview Compliance Manager is a cloud-based compliance management solution that provides a unified view of compliance across multiple data sources, enabling organisations to identify and prioritize compliance risks, establish controls to address them, and monitor compliance over time. In Compliance Manager, compliance is tracked by addressing the 'improvement actions' generated by assessments. The feature can also store all the evidence required for compliance management, which can then be used in audits.
As a Microsoft partner, we engage with many customers, and we see that Compliance Manager is often not used effectively, mostly because of misconceptions about the feature. In this article we address the following common misconceptions surrounding Microsoft Purview Compliance Manager:
It is an IT admin tool
The changes in Compliance Manager would affect my production system
It is all about Microsoft 365 compliance tracking
It involves additional cost
It is too complex to manage
1. It is not an IT admin tool
The primary reason why Microsoft Purview Compliance Manager is overlooked is the assumption that the tool is meant to be managed by the IT admin team, for whom compliance management and tracking is often the lowest priority. We believe that the feature is best handled by the Information Security & Compliance team with the assistance of the respective IT admins, especially when assessments are done on Microsoft products. Microsoft provides dedicated roles so that Compliance Manager responsibilities can be delegated effectively to the relevant team members.
Please refer to my previous blog for configuring just-in-time access for these Microsoft Purview roles.
2. The changes in Compliance Manager would not affect the production systems
IT admins are reluctant to delegate roles to non-operations teams because they assume that changes made in Compliance Manager would affect production systems. The implementation details and testing status of improvement actions are updated in the system solely for compliance tracking purposes, and changes made through Compliance Manager do not change the configuration of any production system.
3. It is not only about Microsoft 365 compliance tracking
Another misconception about Compliance Manager is that compliance assessments can only be targeted at Microsoft 365. In fact, there are over 300 premium templates available, representing almost all regulatory and certification requirements across the globe. These templates (including previews) are targeted at Microsoft 365, Microsoft Azure, and Microsoft Dynamics 365. Almost all of these templates have a 'Universal' version, which is more generalized and can be used to easily track an organization's compliance across multiple products.
4. It might involve additional cost, but you might be already covered
With the recent licensing changes, 3 premium templates are included as part of A5/E5/G5 licenses. These free premium templates and custom assessments are adequate for many organisations. For organisations with E3 licenses, complete the improvement actions in the assessment with the free standard 'Data Protection Baseline' before venturing on to premium templates.
5. It is not so complex to manage
The 'improvement actions' to be completed will depend on the number of assessments run in the Compliance Manager and will be reflected in the overall compliance score. To simplify management of Compliance Manager, which typically involves completing over 500 improvement actions, the following tips can be helpful:
Complete as many improvement actions as possible in one assessment before adding further assessments.
Use the Solutions tab in the Compliance Manager to see pending improvement actions for each solution. Prioritize improvement actions for solutions that are critical to the business.
Form a team and assign the right Compliance Manager roles. Assign the improvement actions to the relevant team members.
Use export and bulk upload to set 'Out of Scope' or any other desired implementation status for the improvement actions that are not applicable to the business.
Turn on automatic testing for all or applicable improvement actions.
Many organisations fail to effectively identify and realise the value of Microsoft Purview features despite having full E5 licenses for years. Infotechtion experts can help you configure all Microsoft Purview Compliance solutions based on our extensive experience with Microsoft Cloud. Feel free to contact us or request a demo of Purview solutions.