Microsoft maintains a team of security, privacy, and compliance experts who help Azure meet its own compliance obligations. The compliance team also represents the "customer voice," working with Microsoft engineering and operations teams as well as external regulatory bodies to help ensure customers' needs are met.
Microsoft invests heavily in the development of robust and innovative compliance processes. The Microsoft compliance framework for online services maps controls to multiple regulatory standards. This enables Microsoft to design and build services using a common set of controls, streamlining compliance across a range of regulations today and as they evolve.
Microsoft compliance processes also make it easier for customers to achieve compliance across multiple services and meet their changing needs efficiently. Together, security-enhanced technology and effective compliance processes enable Microsoft to maintain and expand a rich set of third-party certifications. These help customers demonstrate compliance readiness to their own customers, auditors, and regulators. As part of its commitment to transparency, Microsoft shares third-party verification results with its customers.
Azure is certified for ISO 27001, a broad international information security standard, and undergoes annual audits for ISO compliance. Azure has also been audited against the Service Organization Control (SOC) reporting framework for SOC 1 Type 2, attesting to the design and operating effectiveness of its controls. In addition, Azure has been audited for SOC 2 Type 2, which includes a further examination of Azure controls related to security, availability, and confidentiality. Azure undergoes annual SOC audits.
Azure has also obtained many industry-specific certifications, including:
- Payment Card Industry (PCI) Data Security Standard (DSS): Azure has been validated for PCI DSS compliance by an independent Qualified Security Assessor (QSA). PCI DSS is designed to help prevent fraud through increased controls over cardholder data, and compliance with it is required of all organizations that store, process, or transmit credit card information. Customers can reduce the scope and complexity of their own PCI DSS validation by building on compliant Azure services, although the customer remains responsible for the controls in its own applications and data handling.
- United States FedRAMP: Azure has received Provisional Authorization to Operate from the Federal Risk and Authorization Management Program (FedRAMP) Joint Authorization Board (JAB), having undergone the assessments necessary to verify that it meets FedRAMP security standards.
- In the United Kingdom, Azure has been awarded Impact Level 2 (IL2) accreditation, further strengthening the offerings of Microsoft and its partners on the current G-Cloud procurement framework and CloudStore.
- Health Insurance Portability and Accountability Act (HIPAA) and Health Information Technology for Economic and Clinical Health (HITECH): To help customers comply with HIPAA and HITECH Act security and privacy provisions, Microsoft offers a HIPAA Business Associate Agreement (BAA) to healthcare entities with access to Protected Health Information (PHI).
For more details on the scope of each compliance certification, including which services and regions are covered, visit the Azure Trust Center. Microsoft generally treats these verifications as a baseline rather than a ceiling, and frequently goes beyond them in its commitment to deliver trustworthy, compliance-ready services.
Cloud Security Alliance.
Microsoft participates in industry-wide transparency initiatives, especially through its association with the Cloud Security Alliance (CSA). An independent industry organization, the CSA has developed a controls framework called the Cloud Controls Matrix (CCM). The CCM provides organizations with a standards-based, industry-vetted framework of security controls written specifically for cloud services, which customers can use to compare providers against a common set of questions. Microsoft publishes information about how it addresses the CSA CCM in the publicly accessible CSA Security, Trust & Assurance Registry (STAR).
Cloud Risk Assessment Tools.
Microsoft gives customers free tools that help them achieve compliance on their own terms, such as the Cloud Risk Decision Framework and Cloud Risk Assessment models, both of which are based on the globally recognized enterprise risk management standard ISO 31000. Organizations wishing to evaluate their current IT security state, weigh the benefits of cloud computing, and plan for adoption can use the Cloud Security Readiness Tool. Using the answers to a few short questions, it generates a report tailored to the needs of the organization.