---
name: Compliance Manager Control Mapper
description: Map Microsoft Purview Compliance Manager controls to ISM, Essential Eight, SOCI and the Privacy Act to produce a prioritised gap list.
---

# Compliance Manager Control Mapper

> **TL;DR:** This skill reads your Microsoft Purview Compliance Manager assessments and improvement actions, then maps each tenant control to the ISM, Essential Eight, SOCI and the Privacy Act, producing a ranked gap list so you can see where your Microsoft 365 tenant is non-compliant and what to fix first.

## What does Compliance Manager measure in your Microsoft 365 tenant?

Microsoft Purview Compliance Manager continuously scores the configuration of your Microsoft 365 and Microsoft Entra tenant against regulatory assessments built from templates. Each assessment is made up of controls, and each control links to one or more improvement actions that map to settings such as Conditional Access policies, Data Loss Prevention (DLP) rules, retention labels and Microsoft Entra identity protection. This skill reads those signals to align your technical controls with Australian frameworks rather than relying on a single vendor score.

## When should you run this skill?

- "Show me which Essential Eight controls my tenant already covers in Compliance Manager."
- "Map our Purview controls to the ISM before the next audit."
- "Where are the gaps between our Compliance Manager assessments and the Privacy Act?"
- "Which improvement actions are still failing or not yet implemented?"
- "Do we have SOCI-relevant controls covered for our critical infrastructure obligations?"
- "Give me a prioritised remediation list ranked by risk and framework impact."
- "Prepare a control-mapping summary for the security steering committee."

## How this skill works, step by step

1. Connect read-only to Microsoft Purview Compliance Manager and enumerate the active regulatory assessments in the tenant.
2. Retrieve each control and its linked improvement actions, including the current implementation and test status.
3. Read the achieved and remaining compliance points reported by Compliance Manager for every control.
4. Cross-reference each control against the ISM, the Essential Eight, the SOCI obligations and the Privacy Act using a maintained mapping table.
5. Flag any control that is not implemented, failed its automated test, or has no corresponding framework coverage as a gap.
6. Derive a risk score per gap by combining the control's remaining points, its assessed severity and the number of frameworks it affects.
7. Prioritise the gap list so the highest-impact, multi-framework controls surface first.
8. Compile the findings into a structured table and a summary for reporting.
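The following is an added example, not code from the skill file or from Microsoft: it carries steps 4 to 7 through on a constructed improvement-action export, with assumed column names, a hypothetical mapping table that reuses the two controls from the output table, and an assumed risk formula (remaining points multiplied by severity weight and by the number of frameworks affected).

```python
import csv
import io

# Assumed severity weighting for the Low/Medium/High severity Compliance Manager reports.
SEVERITY_WEIGHT = {"Low": 1, "Medium": 2, "High": 3}

# Hypothetical mapping table (control title -> framework references); the two
# entries reuse the example controls from the output table in this skill file.
MAPPING = {
    "Require multifactor authentication": {"ISM": "ISM-1173",
        "Essential Eight": "Multi-factor authentication", "SOCI": "SOCI risk management"},
    "Restrict Microsoft Office macros": {"ISM": "ISM-1488",
        "Essential Eight": "Configure macro settings", "Privacy Act": "APP 11"},
}

# Constructed improvement-action export with assumed column names.
SAMPLE_CSV = """Control,Implementation status,Test status,Points remaining,Severity
Require multifactor authentication,Implemented,Passed,0,High
Restrict Microsoft Office macros,Not implemented,None,27,High
Enable audit log search,Implemented,Failed,3,Medium
Custom tenant control,Not implemented,None,5,Low
"""

def is_gap(row, frameworks):
    """Step 5: not implemented, failed its automated test, or no framework coverage."""
    return (row["Implementation status"] != "Implemented"
            or row["Test status"] == "Failed"
            or not frameworks)

def risk_score(row, frameworks):
    """Step 6 (assumed formula): remaining points x severity weight x frameworks affected."""
    return (int(row["Points remaining"])
            * SEVERITY_WEIGHT[row["Severity"]]
            * max(1, len(frameworks)))

def rank_gaps(export_csv, mapping=MAPPING):
    """Steps 4-7: map each control, flag gaps, score them and sort highest risk first."""
    gaps = []
    for row in csv.DictReader(io.StringIO(export_csv)):
        frameworks = mapping.get(row["Control"], {})
        if is_gap(row, frameworks):
            gaps.append({"control": row["Control"], "status": row["Implementation status"],
                         "frameworks": frameworks, "no_coverage": not frameworks,
                         "risk": risk_score(row, frameworks)})
    return sorted(gaps, key=lambda g: g["risk"], reverse=True)

if __name__ == "__main__":
    for g in rank_gaps(SAMPLE_CSV):
        print(f'{g["risk"]:>4}  {g["control"]} ({g["status"]}; coverage gap: {g["no_coverage"]})')
```

The implemented and passing MFA control drops out, the unmapped controls are still flagged (so they surface for a custom mapping), and the multi-framework macro control ranks first.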

## Output format

The skill produces a gap-mapping table and a short summary. Each row shows one control, its mapped frameworks, its current status and the derived risk score.

| Control | Compliance Manager status | ISM control | Essential Eight | SOCI / Privacy Act | Risk score |
| --- | --- | --- | --- | --- | --- |
| Require multifactor authentication | Implemented | ISM-1173 | Multi-factor authentication | SOCI risk management | Low |
| Restrict Microsoft Office macros | Not implemented | ISM-1488 | Configure macro settings | Privacy Act APP 11 | High |

Summary of what the report contains:

- Total controls assessed and the count flagged as gaps.
- Gaps grouped by framework (ISM, Essential Eight, SOCI, Privacy Act).
- The top remediation priorities ranked by risk score.
- Controls with no framework coverage that may need a custom mapping.

## Scope and safety

This skill is read-only by default and makes no changes to your tenant, assessments or improvement actions. It only reads configuration and scoring data to build the mapping and gap list.

This skill does NOT:

- Modify, complete or reassign any improvement action in Compliance Manager.
- Change Conditional Access, DLP, retention or any Microsoft Entra setting.
- Create, edit or delete regulatory assessments or custom templates.
- Export tenant data outside the reporting surface you run it in.

## Licensing and permissions

### Licences and add-ons

| Capability used | Minimum licence |
| --- | --- |
| Compliance Manager premium assessment templates (ISM, Essential Eight, SOCI, Privacy Act and other regulatory templates) | Microsoft 365 E5 Compliance, or the Microsoft 365 E5 Compliance add-on |
| Compliance Manager default Data Protection Baseline only | Microsoft 365 E3 (or any tenant with the Microsoft Purview compliance portal) |

### Least-privilege roles

- Compliance Manager Reader — read-only access to assessments, controls and improvement actions.
- Global Reader — tenant-wide read access if a Purview-scoped role is not assigned.

### Microsoft Graph permissions (read-only)

- Compliance Manager does not expose a read API through Microsoft Graph. This skill is run through the Microsoft Purview compliance portal (or exported assessment and improvement-action data), so no Microsoft Graph scopes are required.

## Sources and compliance

- [Microsoft Purview Compliance Manager](https://learn.microsoft.com/en-us/purview/compliance-manager)
- [Compliance Manager assessments](https://learn.microsoft.com/en-us/purview/compliance-manager-assessments)
- [ASD Essential Eight Maturity Model](https://www.cyber.gov.au/resources-business-and-government/essential-cyber-security/essential-eight/essential-eight-maturity-model)
- Maps improvement actions to Essential Eight controls such as multi-factor authentication and restricting Microsoft Office macros, and to ISM controls where a genuine mapping exists.
- Output in Australian English.
How to use this skill
  1. Get the file. Download or copy the SKILL.md from the panel above.
  2. Load it into your host:
    • Microsoft 365 Copilot / Copilot Studio — add it as the instructions of a declarative agent or Copilot Studio agent.
    • Claude (Cowork / Claude Code) — drop the file into your skills folder; it loads as an Agent Skill automatically.
    • Any chat host — paste the file contents as your prompt.
  3. Grant read-only access. Assign the least-privilege roles and Microsoft Graph scopes listed in Licensing and permissions above.
  4. Provide your tenant scope and run it (a site, a collection, or the whole tenant).
  5. Review the report and action the risk-ranked recommendations.

This skill is read-only by default — it inspects and reports, and never changes your tenant.

Licensed under CC BY 4.0 by Educ4te.
