I was discussing our cloud security, privacy, and compliance standards today with a partner. As is usually the case, most if not all of the partner’s questions and concerns where readily answered by reviewing the available documentation on the Microsoft Trust Center. We have a great number of pages and documents available that can support you and your customer’s investigation into our security, privacy, and compliance standards. Let’s take a look at a few of the notes readily available regarding ISO 27001 for example.
ISO/IEC 27001:2013 Information Security Management Standards
The International Organization for Standardization (ISO) is an independent nongovernmental organization and the world’s largest developer of voluntary international standards. The International Electrotechnical Commission (IEC) is the world’s leading organization for the preparation and publication of international standards for electrical, electronic, and related technologies.
Published under the joint ISO/IEC subcommittee, the ISO/IEC 27000 family of standards outlines hundreds of controls and control mechanisms to help organizations of all types and sizes keep information assets secure. These global standards provide a framework for policies and procedures that include all legal, physical, and technical controls involved in an organization’s information risk management processes.
ISO/IEC 27001 is a security standard that formally specifies an Information Security Management System (ISMS) that is intended to bring information security under explicit management control. As a formal specification, it mandates requirements that define how to implement, monitor, maintain, and continually improve the ISMS. It also prescribes a set of best practices that include documentation requirements, divisions of responsibility, availability, access control, security, auditing, and corrective and preventive measures. Certification to ISO/IEC 27001 helps organizations comply with numerous regulatory and legal requirements that relate to the security of information.
The international acceptance and applicability of ISO/IEC 27001 is the key reason why certification to this standard is at the forefront of Microsoft’s approach to implementing and managing information security. Microsoft’s achievement of ISO/IEC 27001 certification points up its commitment to making good on customer promises from a business, security compliance standpoint. Currently, both Azure Public and Azure Germany are audited once a year for ISO/IEC 27001 compliance by a third party accredited certification body, providing independent validation that security controls are in place and operating effectively.
Compliance with these standards, confirmed by an accredited auditor, demonstrates that Microsoft uses internationally recognized processes and best practices to manage the infrastructure and organization that support and deliver its services. The certificate validates that Microsoft has implemented the guidelines and general principles for initiating, implementing, maintaining, and improving the management of information security.
The Service Trust Portal provides independently audited compliance reports. You can use the portal to request reports so that your auditors can compare Microsoft’s cloud services results with your own legal and regulatory requirements.
Yes. If your business requires ISO/IEC 27001 certification for implementations deployed on Microsoft services, you can use the applicable certification in your compliance assessment. You are responsible, however, for engaging an assessor to evaluate the controls and processes within your own organization and your implementation for ISO/IEC 27001 compliance.
Microsoft Azure in-scope cloud services:
API Management, App Service: Mobile Apps, App Service: Web Apps, Application Gateway, Automation, Azure Active Directory, Azure IoT Hub, Azure Resource Manager, Backup, Batch, BizTalk Services, Cloud Services, Data Catalog, Data Factory, Document DB, Event Hubs, ExpressRoute, HDInsight, Key Vault, Load Balancer, Log Analytics (formerly Operational Insights), Machine Learning, Media Services, Multi-Factor Authentication, Notification Hubs, Portal, Redis Cache, RemoteApp, Rights Management, Scheduler, Service Bus, Service Fabric, Site Recovery, SQL Database, Storage, Storage Premium, StorSimple, Stream Analytics, Traffic Manager, Virtual Machines, Virtual Network, and VPN Gateway.
Again, this is just touching on some of the supporting information you will find at the Microsoft Trust Center. I highly recommend you visit this site to become more familiar with how this can help you and your customers address compliance and security concerns.