Microsoft Achieves SOC 2 Type II and SOC 3 for Cloud and Online Services Infrastructure

Mark Estberg, Senior Director Online Services Security & ComplianceMark Estberg, Senior Director
Online Services Security & Compliance

Global Foundation Services (GFS), which builds and operates Microsoft's cloud infrastructure, has become one of the first in the industry to complete SOC 2 Type II and SOC 3 audits.

The SOC 2 is a new attestation report for service organizations that contains rigorous standards for security, availability, processing integrity, confidentiality, and privacy.   Guided by the American Institute of Certified Public Accountants (AICPA) Trust Services Principles, SOC 2 reports are intended to establish trust and confidence with external customers regarding an organization's service delivery processes and controls. 

Building on the capabilities often included in a SOC 1 report (formerly known as SAS 70), which is designed to allow service organizations to select controls relevant to financial reporting, the SOC 2 requires service organizations to fully meet a specific set of pre-defined controls.   By obtaining a SOC 2 specific to security, Microsoft is further demonstrating its commitment to protecting both physical and logical access to its environments for its customers. 

The SOC 2 examination was performed by an independent public accounting firm which followed specific professional standards established by the AICPA.  In addition, GFS has successfully completed its SOC 1examination which followed both the Statement on Standards for Attestation Engagements (SSAE) No. 16 and International Standards for Assurance Engagements (ISAE) No. 3402 reporting standards.  Both the SOC 1 and SOC 2 examinations reviewed Microsoft's hosting, infrastructure, and operational services for managing the core IT platform that supports Microsoft Online Services.  

Since the distribution of the SOC 1 and SOC 2 report is restricted to Microsoft's current and potential customers, we have also obtained a public facing SOC 3 report which summarizes the SOC 2 audit in a general use format.  Our SOC 3 report can be accessed here.  More information AICPA can be found at



- Mark Estberg, Senior Director, Online Services Security & Compliance

Comments (0)

Skip to main content