The ITAM Review

News, reviews and resources for worldwide ITAM, SAM and Licensing professionals.

Microsoft 365 Compliance Assessments

What are Microsoft assessments?

According to Microsoft:
Microsoft Premium Assessments
A template is a framework of controls for creating an assessment in Compliance Manager. Our comprehensive set of templates can help your organization comply with national, regional, and industry-specific requirements governing the collection and use of data.”

These are a set of offerings that aim to help organisations analyse their compliance with a wide range of industry and regulatory frameworks.

What assessments are available?

Free assessments

Some assessments are available free of charge. For E1 & E3 licensees, the Data Protection Baseline is included:

License Assessment
Office 365 E1/A1/G1/F1 Data Protection Baseline
Microsoft 365 E3/A3/G3/F3

 

While a wider range are included with E5 level licenses:

License Assessment
Microsoft 365 E5/A5/G5 Data Protection Baseline

EU GDPR

NIST 800-53

ISO 27001

CMMC Level 1-5 (G5 only)

Custom Assessments

Microsoft 365 E5/A5/G5/F5 Compliance
Microsoft 365 E5/A5/G5/F5 eDiscovery & Audit
Microsoft 365 E5/A5/G5/F5 Insider Risk Management
Microsoft 365 E5/A5/G5/F5 Information Protection & Governance

However, the vast majority of assessments are chargeable.

What assessments are available?

Premium Assessments include:

  • 17 x ISO standards
  • PCI DSS v3.2.1
  • Motion Picture Association Content Security Best Practices
  • COBIT 5
  • Sarbanes-Oxley Act
  • HIPAA
  • Australia Privacy Act
  • EU – Directive 2006/24/EC
  • European Network and Information Security Agency (ENISA) – Cloud Computing Information Assurance Framework
  • UK Cyber Essentials
  • UK Privacy and Electronic Communications
  • Canada – Personal Health Information Protection Act (PHIPA) 2020
  • Brazil – General Data Protection Law (LGPD)
  • Japan – Act on Prohibition of Unauthorized Computer Access
  • New Zealand – Privacy Act / 2020
  • Singapore – Cybersecurity 2018

And many, many more. The full list can be seen here.

How to buy

For Commercial & GCC (Government Cloud Computing) Moderate organisations, Premium Assessments can be purchased in 3 ways:

  • Via Admin Center
  • Via CSP
  • Via Volume Licensing

While GCC High and Dept. of Defense (DoD) organisations must purchase via Volume Licensing.

Each assessment costs $2,500 (with a a 30-day trial option) and they renew annually.

Conclusion

Is this an ITAM thing? Perhaps not in the strictest sense of the word but we often talk how ITAM needs to become more involved in other parts of the business – and this represents a good opportunity to work with security et al.

To many within an organisation, “compliance” is not just license compliance but also industry regulations such as GDPR, HIPAA, and PCI-DSS. Informing your business which assessments are already included with your Microsoft licenses and what else is available is a great place to start getting out of your comfort zone a little.

Equally, this has the potential to alter your Microsoft relationship. If your organisation is spending a significant amount on these assessments and relying on Microsoft to ensure regulatory compliance, that can change dynamics and the balance of power. Perhaps certain terms will be easier to amend, or better discounts might be available…or maybe Microsoft will feel that it’s harder for you to walk away in the future – either way, it’s something for ITAM, and procurement, to be aware of.

Further Reading

 

About Rich Gibbons

Rich has been in the world of IT and software licensing since 2003, having been a software sales manager for a VAR, a Microsoft licensing endorsed trainer, and now an ITAM analyst looking at software licensing and cloud.

A Northerner renowned for his shirts, Rich is a big Hip-Hop head, and loves travel, football in general (specifically MUFC), baseball, Marvel, and reading as many books as possible. Finding ways to combine all of these with ITAM & software licensing is always fun!

Connect with Rich on Twitter or LinkedIn.

Leave a Comment