Microsoft partners with customers to help them address a wide range of international, country, and industry-specific regulatory requirements. By providing customers with compliant, independently verified cloud services, Microsoft makes it easier for customers to achieve compliance for the infrastructure and applications they run in Azure. Microsoft provides Azure customers with detailed information about our security and compliance programs, including audit reports and compliance packages, to help customers assess our services against their own legal and regulatory requirements.
In addition, Microsoft has developed an extensible compliance framework that enables it to design and build services using a single set of controls to speed up and simplify compliance across a diverse set of regulations and rapidly adapt to changes in the regulatory landscape.
ISO/IEC 27001:2005 Audit and Certification
Azure is committed to annual certification against the ISO/IEC 27001:2005, a broad international information security standard. The ISO/IEC 27001:2005 certificate validates that Microsoft has implemented the internationally recognized information security controls defined in this standard, including guidelines and general principles for initiating, implementing, maintaining, and improving information security management within an organization.
ISO Scope: The following Azure features are in scope for the current ISO audit: Cloud Services (including Fabric and RDFE), Storage (Tables, Blobs, Queues), Virtual Machines (including with SQL Server), Virtual Network, Traffic Manager, Web Sites, BizTalk Services, Media Services, Mobile Services, Service Bus, Workflow, Multi-Factor Authentication, Active Directory, Right Management Service, SQL Database, (version 11.0.9164.000 and higher), and HDInsight. This includes the Information Security Management System (ISMS) for Azure, encompassing infrastructure, development, operations, and support for these features. Also included are Power BI for Office 365 and Power Query Service.
The certificate issued by the British Standards Institution (BSI) is publically available.
SOC 1 and SOC 2 SSAE 16/ISAE 3402 Attestations
Azure has been audited against the Service Organization Control (SOC) reporting framework for both SOC 1 Type 2 and SOC 2 Type 2. Both reports are available to customers to meet a wide range of US and international auditing requirements.
The SOC 1 Type 2 audit report attests to the design and operating effectiveness of Azure controls. The SOC 2 Type 2 audit included a further examination of Azure controls related to security, availability, and confidentiality. Azure is audited annually to ensure that security controls are maintained.
Audits are conducted in accordance with the Statement on Standards for Attestation Engagements (SSAE) No. 16 put forth by the Auditing Standards Board (ASB) of the American Institute of Certified Public Accountants (AICPA) and International Standard on Assurance Engagements (ISAE) 3402 put forth by the International Auditing and Assurance Standards Board (IAASB). In addition, the SOC 2 Type 2 audit included an examination of the Cloud Controls Matrix (CCM) from the Cloud Security Alliance (CSA).
Scope: The following Azure features are in scope for the current SOC 1 Type 2 and SOC 2 Type 2 attestations: Cloud Services (includes stateless Web, and Worker roles), Storage (Tables, Blobs, Queues), Virtual Machines (includes persistent virtual machines for use with supported operating systems) and Virtual Network (includes Traffic Manager).
Customers should contact their Microsoft representative to request a copy of the SOC 1 Type 2 and SOC 2 Type 2 reports for Azure.
Cloud Security Alliance Cloud Controls Matrix
Azure has been audited against the Cloud Controls Matrix (CCM) established by the Cloud Security Alliance (CSA). The audit was completed as part of the SOC 2 Type 2 assessment, the details of which are included in that report. This combined approach is recommended by the American Institute of Certified Public Accountants (AICPA) and CSA as a means of meeting the assurance and reporting needs of the majority cloud services users.
The CSA CCM is designed to provide fundamental security principles to guide cloud vendors and to assist prospective customers in assessing the overall security risk of a cloud provider. By having completed an assessment against the CCM, Azure offers transparency into how its security controls are designed and managed with verification by an expert, independent audit firm.
Detailed information about how Azure fulfills the security, privacy, compliance, and risk management requirements defined in the CCM is also published in the CSA’s Security Trust and Assurance Registry (STAR). A detailed paper discussing Azure’s compliance with the specific controls in the CCM can be found here.
In addition, the Microsoft Approach to Cloud Transparency paper provides an overview of how it addresses various risk, governance, and information security frameworks and standards, including the CSA CCM.
Federal Risk and Authorization Management Program (FedRAMP)
Azure has been granted a Provisional Authorities to Operate (P-ATO) from the Federal Risk and Authorization Management Program (FedRAMP) Joint Authorization Board (JAB). Following a rigorous security review, the JAB approved a provisional authorization that an executive department or agency can leverage to issue a security authorization and an accompanying Authority to Operate (ATO). This will allow US federal, state, and local governments to more rapidly realize the benefits of the cloud using Azure.
FedRAMP is a mandatory U.S. government-wide program that provides a standardized approach to security assessment, authorization, and continuous monitoring for cloud products and services. This approach uses a “do once, use many times” framework that will save cost, time, and staff required to conduct redundant agency security assessments.
Scope: The following Azure features are in scope for the FedRAMP JAB P-ATO: Cloud Services (Web and Worker roles), Storage (Tables, Blobs, Queues, Drives), Virtual Machines (includes persistent virtual machines), SQL Databases and Virtual Network (includes Traffic Manager).
Government agencies can request the Azure FedRAMP security package.
Payment Card Industry (PCI) Data Security Standards (DSS) Level 1
Azure is Level 1 compliant under the Payment Card Industry (PCI) Data Security Standards (DSS) as verified by an independent Qualified Security Assessor (QSA), allowing merchants to establish a secure cardholder environment and to achieve their own certification.
The PCI DSS is an information security standard designed to prevent fraud through increased controls around credit card data. PCI certification is required for all organizations that store, process or transmit payment cardholder data. Customers can reduce the complexity of their PCI DSS certification by using compliant Azure services.
Scope: The Information Security Management System (ISMS) for Azure, including infrastructure, development, operations and support for Compute, Data Services, App Services and Network Services are in scope for the PCI DSS Attestation of Compliance.
The Azure PCI Attestation of Compliance and Azure Customer PCI Guide are available for immediate download.
United Kingdom G-Cloud Impact Level 2 Accreditation
In the United Kingdom, Azure has been awarded Impact Level 2 (IL2) accreditation, further enhancing Microsoft and its partner offerings on the current G-Cloud procurement Framework and CloudStore. The IL2 rating will benefit a broad range of UK public sector organizations, including local and regional government, National Health Service (NHS) trusts and some central government bodies, who require 'protect' level of security for data processing, storage and transmission.
Scope: The following Azure features are in scope for the IL2 accreditation: Virtual Machines, Cloud Services, Storage (Tables, Blobs, Queues, Drives), and Virtual Network.
HIPAA Business Associate Agreement (BAA)
HIPAA and the HITECH Act are United States laws that apply to healthcare entities with access to patient information (called Protected Health Information, or PHI). In many circumstances, for a covered healthcare company to use a cloud service like Azure, the service provider must agree in a written agreement to adhere to certain security and privacy provisions set forth in HIPAA and the HITECH Act. To help customers comply with HIPAA and the HITECH Act, Microsoft offers a BAA to customers as a contract addendum.
Microsoft currently offers the BAA to customers who have a Volume Licensing / Enterprise Agreement (EA), or an Azure only EA enrollment in place with Microsoft. The Azure only EA does not depend on seat size, rather on an annual monetary commitment to Azure that allows a customer to obtain a discount over pay as you go pricing.
Prior to signing the BAA, customers should read the Azure HIPAA Implementation Guidance. This document was developed to assist customers who are interested in HIPAA and the HITECH Act to understand the relevant capabilities of Azure. The intended audience includes privacy officers, security officers, compliance officers, and others in customer organizations responsible for HIPAA and HITECH Act implementation and compliance. The document covers some of the best practices for building HIPAA compliant applications, and details Azure provisions for handling security breaches. While Azure includes features to help enable customer’s privacy and security compliance, customers are responsible for ensuring their particular use of Azure complies with HIPAA, the HITECH Act, and other applicable laws and regulations, and should consult with their own legal counsel.
Scope: The following Azure features are covered by the current HIPAA BAA: Virtual Machines, Cloud Services, Storage (Tables, Blobs, Queues, Drives), and Virtual Network.
Customers should contact their Microsoft account representative to sign the agreement.
Family Educational Rights and Privacy Act (FERPA)
FERPA imposes requirements on U.S. educational organizations regarding the use and disclosure of student education records. Educational organizations can use Windows Azure to process data, such as student education records, in compliance with FERPA. Microsoft will only use Customer Data to provide organizations with the Windows Azure service and will not scan Customer Data for advertising purposes.