With M365 Compliance Center, Microsoft is tackling the GRC (governance, risk and compliance) aspect of information security. GRC has traditionally been hard to measure objectively, with CISOs having to develop their own methodologies, KPIs and governance processes. Existing standards such as the NIST Cybersecurity Framework, ISO 27001, etc. serve as guidelines for aligning with industry practice and avoiding the need to reinvent the wheel, but governing the overall effort to implement these standards and measuring progress against them continues to be a tough challenge.
Microsoft 365 Compliance Center attempts to aggregate a wide range of signals from Microsoft security controls and third-party solutions to put as much information as possible at a CISO's fingertips. There are a lot of moving parts, so with the diagram below we attempt to provide a visual guide to the information flow and the main Compliance Center capabilities. We expect Compliance Center to evolve rapidly, based on real-world feedback and on changes in the GRC approach driven by the adoption of hybrid infrastructure.