Answer your customer’s questions around Security, Privacy and Compliance for Office 365


Woody Walton 2010



Perhaps not all customers will ask these questions, but a fair portion will ask some, even in the SMB space that our archetypical partner serves. In the past year I have been supporting our distribution partners (Ingram Micro, Tech Data, Synnex, and D&H) with their respective cloud efforts relative to Office 365, BPOS, etc. They handle literally thousands of calls from partners around sales, technical, and resource-related hurdles they are experiencing around Microsoft Online Services. Many of these questions end up being fielded by my team or others within Microsoft. As soon as this new document was posted, I immediately made sure that my contacts at our distributors were made aware of this great resource as it relates to Security, Privacy, and Compliance for Office 365. …Then I figured why not cut to the chase and share it more broadly with you, the partner directly.

The recently released document is entitled Standard Response to Request for Information – Security and Privacy and can be downloaded in either PDF or DOCX form here.

The title page of the document calls out “Office 365”; if you have not understood the context from the title of my blog post, you have it now! ;)

In the introduction the document states:

In this document we provide our customers with a detailed overview of how Microsoft Online Services fulfill the security, privacy, compliance, and risk management requirements as defined in the Cloud Security Alliance (CSA) Cloud Control Matrix (CCM). Note that this document is intended to provide information on how Microsoft Online Services operate. Customers have a responsibility to control and maintain their environment once the service has been provisioned (i.e. user access management and appropriate policies and procedures in accordance with their regulatory requirements).

This should give the basic gist of what it covers, but an examination of the table of contents gives a thorough drilldown on the areas we expressly provide security, compliance, or privacy information on:

  • How Office 365 is Delivered: The Services Stack
  • ISO Certifications for the Microsoft’s Online Services Stack
  • Compliance
  • Data Governance
  • Facility
  • Human Resources
  • Information Security
  • Legal
  • Operations
  • Risk Management
  • Release Management
  • Resiliency
  • Security Architecture


The figure below illustrates the Office 365 Services Stack outlined in the Standard Response to Request for Information – Security and Privacy document. Notice this is for the standard service (multi-tenant) offering. …the service is managed by the Microsoft Global Foundation Services group. They provide infrastructure services both to Microsoft customers and to the Microsoft Online Services group. The Microsoft Online Services Group provides the application suite and data layer customers take advantage of.



As you can see, this is a must-have document; one you should have at hand for any requirements conversation with any customer. It is nice to have this information all in place, rather than digging around for hours trying to get an answer. Please use it and check for updates every so often.


Thanks and regards,


Woody Walton
