Last updated: May 2015
Azure meets a broad set of international and industry-specific compliance standards, such as ISO 27001, HIPAA, FedRAMP, SOC 1 and SOC 2, as well as country-specific standards including Australia IRAP, UK G-Cloud, and Singapore MTCS. Microsoft was also the first to adopt the uniform international code of practice for cloud privacy, ISO/IEC 27018, which governs the processing of personal information by cloud service providers.
Rigorous third-party audits, such as by the British Standards Institute, verify Azure’s adherence to the strict security controls these standards mandate. As part of our commitment to transparency, you can verify our implementation of many security controls by requesting audit results from the certifying third parties or through your Microsoft account representative.
Azure cloud services, with independently verified compliance, give you the foundation to achieve compliance for the infrastructure and applications you run in Azure. Azure customers receive detailed information about Microsoft security and compliance programs, including audit reports and compliance packages, to help you assess our services against your own legal and regulatory requirements. Our team of compliance experts also works with Microsoft engineering and operations teams, as well as external regulatory bodies, to help ensure that customer needs are met.
The Content Delivery and Security Association (CDSA) provides a Content Protection and Security (CPS) standard for compliance with antipiracy procedures governing digital media. Azure passed the CDSA audit, enabling secure workflow for content development and distribution.
Any US state or local agency that wants to access the FBI’s Criminal Justice Information Services (CJIS) database through a cloud-based solution is required to use a cloud provider that adheres to the CJIS Security Policy. Azure is the only major cloud provider that contractually commits to conformance with CJIS.
Microsoft's published response to the Cloud Security Alliance (CSA) Cloud Controls Matrix (CCM) describes in detail how Azure fulfills the security, privacy, compliance, and risk management requirements defined in CCM version 1.2. The CCM itself is a control framework, not an attestation; the value for customers lies in being able to map each CCM control to the specific Azure measure that addresses it.
Microsoft offers customers EU Standard Contractual Clauses that provide contractual guarantees around transfers of personal data. Microsoft is the first company to receive approval from the EU’s Article 29 Working Party for contractual commitments.
The US Food and Drug Administration (FDA) Code of Federal Regulations (CFR) Title 21 Part 11 sets the requirements under which electronic records and electronic signatures kept by FDA-regulated companies are considered trustworthy, reliable, and equivalent to paper records. A Qualification Guideline for Microsoft Azure identifies which of these responsibilities fall to Microsoft and which remain with the customer. Working from that guideline, companies can demonstrate that the Azure services they use, and the way they operate them, satisfy Part 11; the qualification of the platform does not replace the customer's own validation of the applications it runs there.
The Federal Risk and Authorization Management Program (FedRAMP) is a mandatory US government program that provides a standardized approach to security assessment, authorization, and continuous monitoring for cloud services used by federal agencies. Azure has been granted a Provisional Authority to Operate (P-ATO) by the FedRAMP Joint Authorization Board at the Moderate impact level, as defined by the FIPS 199 security categorization.
The Family Educational Rights and Privacy Act (FERPA) is a US federal law that protects the privacy of student educational records. FERPA places its obligations on educational institutions rather than on cloud providers directly; Microsoft contractually agrees to the use and disclosure restrictions FERPA imposes, which limits the disclosure of student data held in Azure to third parties.
The Federal Information Processing Standard (FIPS) Publication 140-2 is a US government security standard that specifies the security requirements for cryptographic modules protecting sensitive information. Azure uses Microsoft cryptographic modules that appear on the validated-modules list published by NIST, enabling customers to configure and use Azure Virtual Network services in a way that helps meet their information encryption requirements. Note that a FIPS 140-2 validation applies to a specific module version operated in its approved mode; the platform using validated modules does not by itself guarantee that every cipher a customer's own application negotiates is FIPS-approved, so customers with a FIPS requirement should still confirm the algorithms and modes their workloads use.
The Health Insurance Portability and Accountability Act (HIPAA) is the US law that regulates the handling of patient Protected Health Information (PHI). Azure offers customers a HIPAA Business Associate Agreement (BAA), stipulating Microsoft's adherence to HIPAA's security and privacy provisions in its role as a business associate. The BAA covers Microsoft's obligations; the customer, as the covered entity, remains responsible for how PHI is handled within its own applications and configurations.
Azure has been assessed under the Australian Government Information Security Registered Assessors Program (IRAP), which gives public sector customers assurance that Microsoft has appropriate and effective security controls in place.
The ISO/IEC 27001:2013 certificate validates that Microsoft has implemented an information security management system meeting this internationally recognized standard, with controls drawn from the companion code of practice ISO/IEC 27002:2013, which provides guidelines and general principles for initiating, implementing, maintaining, and improving information security management within an organization. Only ISO/IEC 27001 is certifiable; ISO/IEC 27002 is the guidance that informs the control set.
Microsoft was the first cloud provider to adopt the ISO/IEC 27018 code of practice, which covers the processing of personal information by cloud service providers. ISO/IEC 27018 controls include a prohibition on the use of customer data for advertising and marketing purposes without the customer's express consent.
Multi-Level Protection Scheme (MLPS) is based on the Chinese state standard issued by the Ministry of Public Security. Azure operated by 21Vianet adheres to this standard, which provides assurance for both the management and technical security of cloud systems.
Azure has achieved Level-1 certification with the Multi-Tier Cloud Security Standard for Singapore (MTCS SS), a standard covering areas such as data retention and sovereignty, developed under the Singapore Information Technology Standards Committee (ITSC).
The New Zealand (NZ) Government Chief Information Officer (GCIO) has published a framework of 105 questions focused on the security and privacy aspects of cloud services that are fundamentally related to data sovereignty. Microsoft New Zealand has proactively provided information showing how Microsoft Azure meets these requirements.
Azure complies with the Payment Card Industry (PCI) Data Security Standard (DSS) version 3.0 as a Level 1 service provider. PCI DSS is the global standard for organizations that accept payment cards and store, process, or transmit cardholder data, and Level 1 is the highest service-provider level. Azure's attestation covers the platform; a customer's own cardholder data environment running on Azure still requires its own PCI DSS assessment, with the responsibility for each control split between Microsoft and the customer.
Service Organization Controls (SOC) reports are independent attestation reports defined by the American Institute of Certified Public Accountants (AICPA). A SOC 1 report addresses controls relevant to a customer's financial reporting; a SOC 2 report addresses controls over security, availability, processing integrity, confidentiality, and privacy. Azure's SOC 1 and SOC 2 Type 2 audit reports attest both to the suitability of the design of its security controls and to their operating effectiveness over the audit period (a Type 1 report, by contrast, covers design only at a point in time).
Azure operated by 21Vianet is among the first cloud services in China to pass the Trusted Cloud Service certification developed by the China Cloud Computing Promotion and Policy Forum (CCCPPF), which evaluates an open platform, a high-quality Service Level Agreement, strong data recovery capabilities, and robust customer protections.
The UK Government G-Cloud is the framework through which government entities in the United Kingdom procure cloud services. Azure has received accreditation at the OFFICIAL classification level, which covers the majority of UK government information, from the UK Government Pan Government Accreditor.