Microsoft 365 Compliance Assessments
What are Microsoft assessments?
According to Microsoft:
“A template is a framework of controls for creating an assessment in Compliance Manager. Our comprehensive set of templates can help your organization comply with national, regional, and industry-specific requirements governing the collection and use of data.”
These are a set of offerings that aim to help organisations analyse their compliance with a wide range of industry and regulatory frameworks.
What assessments are available?
Some assessments are available free of charge. For E1 & E3 licensees, the Data Protection Baseline is included:
|Office 365 E1/A1/G1/F1||Data Protection Baseline|
|Microsoft 365 E3/A3/G3/F3|
While a wider range are included with E5 level licenses:
|Microsoft 365 E5/A5/G5||Data Protection Baseline
CMMC Level 1-5 (G5 only)
|Microsoft 365 E5/A5/G5/F5 Compliance|
|Microsoft 365 E5/A5/G5/F5 eDiscovery & Audit|
|Microsoft 365 E5/A5/G5/F5 Insider Risk Management|
|Microsoft 365 E5/A5/G5/F5 Information Protection & Governance|
However, the vast majority of assessments are chargeable.
What assessments are available?
Premium Assessments include:
- 17 x ISO standards
- PCI DSS v3.2.1
- Motion Picture Association Content Security Best Practices
- COBIT 5
- Sarbanes-Oxley Act
- Australia Privacy Act
- EU – Directive 2006/24/EC
- European Network and Information Security Agency (ENISA) – Cloud Computing Information Assurance Framework
- UK Cyber Essentials
- UK Privacy and Electronic Communications
- Canada – Personal Health Information Protection Act (PHIPA) 2020
- Brazil – General Data Protection Law (LGPD)
- Japan – Act on Prohibition of Unauthorized Computer Access
- New Zealand – Privacy Act / 2020
- Singapore – Cybersecurity 2018
And many, many more. The full list can be seen here.
How to buy
For Commercial & GCC (Government Cloud Computing) Moderate organisations, Premium Assessments can be purchased in 3 ways:
- Via Admin Center
- Via CSP
- Via Volume Licensing
While GCC High and Dept. of Defense (DoD) organisations must purchase via Volume Licensing.
Each assessment costs $2,500 (with a a 30-day trial option) and they renew annually.
Is this an ITAM thing? Perhaps not in the strictest sense of the word but we often talk how ITAM needs to become more involved in other parts of the business – and this represents a good opportunity to work with security et al.
To many within an organisation, “compliance” is not just license compliance but also industry regulations such as GDPR, HIPAA, and PCI-DSS. Informing your business which assessments are already included with your Microsoft licenses and what else is available is a great place to start getting out of your comfort zone a little.
Equally, this has the potential to alter your Microsoft relationship. If your organisation is spending a significant amount on these assessments and relying on Microsoft to ensure regulatory compliance, that can change dynamics and the balance of power. Perhaps certain terms will be easier to amend, or better discounts might be available…or maybe Microsoft will feel that it’s harder for you to walk away in the future – either way, it’s something for ITAM, and procurement, to be aware of.
- Assessment list – https://docs.microsoft.com/en-us/microsoft-365/compliance/compliance-manager-templates-list?view=o365-worldwide
- Assessment info – https://docs.microsoft.com/en-us/microsoft-365/compliance/compliance-manager-assessments?view=o365-worldwide
- Assessment templates – https://docs.microsoft.com/en-us/microsoft-365/compliance/compliance-manager-templates-list?view=o365-worldwide#premium-templates
- Privacy management – https://docs.microsoft.com/en-us/microsoft-365/compliance/privacy-management-setup?view=o365-worldwide
About Rich Gibbons
A Northerner renowned for his shirts, Rich is a big Hip-Hop head, and loves travel, football in general (specifically MUFC), baseball, Marvel, and reading as many books as possible. Finding ways to combine all of these with ITAM & software licensing is always fun!
Connect with Rich on Twitter or LinkedIn.