Compliance Score streamlines security management for Australian enterprises

At Microsoft, security, privacy and compliance are core tenets of how we empower organisations to serve their customers. Microsoft Compliance Score is a risk assessment tool that lets organisations track, assign, and verify regulatory compliance activities related to Microsoft cloud services.

Today, we’re delighted to announce that our Compliance Score has been updated so Australian organisations can use it to boost the security of their Office 365 deployments and ensure compliance with the Australian Government Information Security Manual (ISM) all the way to the Protected level of security classification. The Australian Government’s ISM outlines a cyber security framework that organisations can apply, using their risk management framework, to protect their systems and information from cyber threats.

Compliance Score has in the past been used by international customers seeking to meet international security benchmarks such as Europe’s GDPR and US NIST; this is the first time that an Australian security and compliance benchmark has been addressed by the system.

In a nutshell, the updated Compliance Score addresses three critical security and compliance challenges for Australian organisations:

  • Continuous risk assessment – Understand on an ongoing basis an organisation’s security posture and adherence to the requirements for the Protected level of security classification as stipulated by the ISM.
  • Actionable insights – Know what organisations should consider implementing in their Office 365 environment to be at the Office 365 Protected level of security classification.
  • Built-in control mapping – Map common controls across key regulations and standards, so organisations can take one action and satisfy multiple requirements to scale the compliance program better.

For Australian organisations engaged in national critical computing, ensuring the security of their systems is paramount.

In 2018 Microsoft became the first global cloud provider to be awarded certification for Protected data by the Australian Signals Directorate for both Microsoft Azure and Office 365. Every two years an IRAP assessment of Microsoft systems is performed by an independent auditor which identifies how Microsoft conforms to the 800-plus controls required to achieve Protected certification under the Australian Cyber Security Centre’s ISM risk management framework.

Microsoft’s certification to Protected level was recently renewed through this process for the Microsoft 365 portfolio including new cloud workloads such as Microsoft Teams.

This ongoing IRAP assessment process gives customers peace of mind about the security of Microsoft’s clouds – but to ensure their own Office 365 tenancy is equally secure, individual organisations also need to assess their tenancy against the ISM.

In the past that has been a relatively complex task.

Australian enterprises can now use Compliance Score to simplify the assessment of their Office 365 tenancy against the ISM requirements and identify what steps need to be taken to boost their security and compliance posture.

Microsoft Compliance Score, which is a risk assessment tool for Office 365 and Microsoft 365 customers, offers a centralised dashboard and easy-to-use tools to support compliance tracking of an organisation’s specific configuration of Office 365 and Intune.

Compliance Score also helps to streamline the workflow needed to boost security and provides an audit trail of progress.

When first deployed, the tool analyses the organisation’s Office 365 tenancy and provides a risk-based score showing how many of the recommended actions associated with the ISM controls have been implemented; it also identifies the actions which need to be taken to lift that score and achieve compliance.

The tool not only identifies the actions needed, it also tracks and streamlines the associated workflow. A compliance admin can use the tool to assign tasks to the IT team; once a task is complete, the IT team uploads evidence of having done the work, which is then stored in Compliance Score, allowing that information to be shared with security auditors on request.

This streamlines and accelerates security compliance – reducing the burden on customers and partners to identify and implement customer-specific requirements across the 800+ controls of the ISM. Ultimately this can help accelerate an organisation’s digital transformation and reduce cost while reducing risk.

Attributed to: Ann Johnson, CVP, Cybersecurity Solutions Group