Solution Atlas
Specialised · User story · Consultative playbook

Our compliance posture is reactive — we need continuous evidence, not annual fire drills

The compliance team produces audit responses manually each year. Compliance Manager could produce continuous attestation against SOC 2, ISO 27001, PCI, NIST CSF, and similar frameworks — but it is not configured and no one owns the cadence.

Trigger
Audit fatigue; expanding compliance framework scope.
Good outcome
Compliance Manager baselines live for the active framework set, continuous attestation operational, audit response automated.
Diagnostic discovery

Signals this story fits

Observable cues that confirm the conversation belongs here.

  • Annual audit fire drill consumes weeks of staff time
  • Compliance posture is point-in-time, not continuous
  • Compliance framework scope expanding (SOC 2, ISO 27001, PCI, NIST CSF, etc.)
  • Compliance Manager licensed but not configured
  • No named owner of the continuous attestation cadence

Questions to ask

Open-ended, SPIN-style — each one has a reason it matters.

  1. Which compliance frameworks are you currently audited against, and which are coming next?

    Why: Sizes the baseline scope. Multi-framework customers benefit most from Compliance Manager.

    Listen for: “SOC 2 and ISO 27001 today, NIS2 next year” · “PCI is being added” · “GDPR continuous”

  2. How long does annual audit preparation take, and what does it cost in staff time?

    Why: Quantifies the pain in staff cost.

    Listen for: “three to four weeks every year” · “we pull people off projects” · “audit is the dread season”

  3. Is Compliance Manager licensed today, and if so, who owns it?

    Why: Often “licensed but not configured” — the engagement starts there.

  4. How do you currently produce control evidence — screenshots, scripts, manual collection?

    Why: Surfaces the evidence gap. Continuous attestation replaces screenshots with control signals.

  5. Who would own the continuous attestation cadence — Compliance, Risk, or IT?

    Why: Critical ownership question. Without a named owner, the baseline drifts.

  6. What is the regulator or auditor relationship like — adversarial, collaborative, or mixed?

    Why: Shapes how aggressive the evidence posture should be. Adversarial relationships need stronger audit-defensibility.

Baseline → target architecture

TOGAF-style gap framing — what we typically see today, and what the proposed end state looks like. The gap between them is the engagement.

Baseline architecture

Compliance posture produced manually each year. Compliance team performs evidence collection (screenshots, exports, scripts) ahead of each audit. Multiple frameworks (SOC 2, ISO 27001, PCI, NIST CSF) each have their own preparation cycle. No continuous attestation. Compliance Manager often licensed but not configured. Audit fatigue is high and rising.

Typical concerns

  • Annual audit consumes weeks of staff time
  • Evidence collection is manual and repetitive
  • Posture is point-in-time, not continuous
  • Framework scope expanding faster than capacity
  • No named owner of the continuous attestation cadence

Capability gaps

  • Continuous control attestation
  • Multi-framework mapping (one control set, many frameworks)
  • Evidence automation from Defender for Cloud + Purview
  • Compliance Manager configuration and cadence
  • Auditor-ready continuous reporting

Target architecture

Compliance Manager baselined for the active framework set with continuous attestation. Controls mapped once and inherited across frameworks (SOC 2, ISO 27001, PCI, NIST CSF, etc.). Defender for Cloud and Purview feed control evidence automatically — control status updates as posture changes. Quarterly compliance review cadence operational with named owner. Audit response shifts from fire drill to standing report. Continuous improvement scores demonstrate posture trend.

Key capabilities

  • Continuous control attestation
  • Multi-framework control inheritance
  • Automated evidence from Defender + Purview
  • Compliance score trending
  • Auditor-ready continuous reporting

Enabling SKUs

Resolved in the ‘Recommended cards’ section below.

Architecture decisions

Each decision is offered as explicit options with trade-offs — Hohpe's “selling options” principle. A safe default is noted where one exists.

  1. Decision 1: Framework prioritisation — single primary vs multi-framework parallel

    Single primary framework first

    When it fits: Audit pressure on one framework dominant; single-framework baseline acceptable.

    Trade-offs: Other frameworks still manual; full value of Compliance Manager deferred.

    Multi-framework parallel

    When it fits: Multiple audits ongoing; control inheritance value is high.

    Trade-offs: Larger initial configuration effort.

    Custom framework built from regulatory text

    When it fits: Sector-specific framework (financial services, healthcare) not in Compliance Manager out of the box.

    Trade-offs: Build effort; ongoing maintenance as regulation evolves.

    Default recommendation: Single primary framework for the trial — typically SOC 2 or ISO 27001 — then inherit to ISO 27001, PCI, NIST CSF in phase two.

  2. Decision 2: Evidence automation depth — Compliance Manager built-ins vs custom assessments vs hybrid

    Compliance Manager built-ins only

    When it fits: Tenant configuration is the bulk of evidence; native assessments cover most controls.

    Trade-offs: Custom controls (legacy systems, on-prem) still manual.

    Custom assessments for non-tenant controls

    When it fits: Significant on-prem or non-Microsoft estate; controls span multiple environments.

    Trade-offs: Custom assessment build effort.

    Hybrid — built-ins plus targeted custom

    When it fits: Most customers. Built-ins for tenant controls; custom for the gaps.

    Trade-offs: Two-track maintenance.

    Default recommendation: Hybrid — built-ins for tenant controls; custom assessments for the top non-tenant gaps identified in discovery.

  3. Decision 3: Cadence ownership — Compliance-led vs Risk-led vs IT-led

    Compliance-led

    When it fits: Strong compliance function; cadence is part of the compliance calendar.

    Trade-offs: Compliance may lack the technical depth to interpret control failures.

    Risk-led

    When it fits: Operational risk team owns the framework set; integrates with broader risk management.

    Trade-offs: IT and Compliance still need to engage on remediation.

    IT-led with Compliance review

    When it fits: IT operates the controls; Compliance reviews the score.

    Trade-offs: Risk of IT optimising for green scores rather than defensibility.

    Default recommendation: Compliance-led cadence with IT operational responsibility for remediation. Risk function reviews at the quarterly cadence.

Low-risk trial — proof of value

60-day Compliance Manager baseline for primary framework

8 weeks

Compliance Manager configured for one primary framework (typically SOC 2 or ISO 27001). All tenant-level assessments enabled. Defender for Cloud and Purview signal integration live. Initial compliance score baselined. Quarterly cadence designed with named owner from Compliance. Two-page auditor-ready report produced from Compliance Manager as the deliverable artefact. Top three control gaps documented with remediation plan.

Success criteria

  • Compliance Manager score baselined for primary framework
  • Defender for Cloud + Purview evidence flowing automatically
  • Quarterly cadence designed with named owner
  • Auditor-ready report produced from Compliance Manager

Investment: Compliance Manager is included with Microsoft 365 E5 / E5 Compliance. Trial assumes existing E5 licensing. Implementation effort estimated ~€5–10k one-time for the baseline; ongoing run rate inside existing licensing.

Proof metrics

  • Compliance Manager score for primary framework above the agreed threshold
  • Audit preparation time reduced 50%+ for the trial framework
  • Continuous evidence flowing for at least 70% of controls
  • Auditor or assessor accepts Compliance Manager report in dry run

Recommended cards

The SKUs and capabilities most likely to be part of the solution, with the editorial rationale for each in the context of this story. Add the ones that fit your situation.
