We are pleased to share that Azure is the first major US cloud provider to achieve certification as a data processor for the new international standard ISO/IEC 27701 Privacy Information Management System (PIMS). The PIMS certification demonstrates that Azure provides a comprehensive set of management and operational controls that can help your organization demonstrate compliance with privacy laws and regulations. Microsoft’s successful audit can also help enable Azure customers to build upon our certification and seek their own certification to more easily comply with an ever-increasing number of global privacy requirements.
Being the first major US cloud provider to achieve a PIMS certification is the latest in a series of privacy firsts for Azure, including being the first to achieve compliance with EU Model clauses. Microsoft was also the first major cloud provider to voluntarily extend the core data privacy rights included in the GDPR (General Data Protection Regulation) to customers around the world.
PIMS is built as an extension of the widely used ISO/IEC 27001 standard for information security management, making the implementation of PIMS’s privacy information management system a helpful compliance extension for the many organizations that rely on ISO/IEC 27001, as well as creating a strong integration point for aligning security and privacy controls. PIMS accomplishes this through a framework for managing personal data that can be used by both data controllers and data processors, a key distinction for GDPR compliance. In addition, any PIMS audit requires the organization to declare the applicable laws and regulations in its audit criteria, meaning that the standard can be mapped to many of the requirements under GDPR, CCPA (California Consumer Privacy Act), or other laws. This universal framework allows organizations to efficiently operationalize compliance with new regulatory requirements.
PIMS also helps customers by providing a template for implementing compliance with new privacy regulations, helping reduce the need for multiple certifications and audits against new requirements and thereby saving both time and money. This will be critical for supply chain business relationships as well as cross-border data movement.
This short video demonstrates how Microsoft complies with ISO/IEC 27701 and how our compliance benefits customers.
Schellman & Company LLC issued a certificate of registration for ISO/IEC 27701:2019 that covers the requirements, controls, and guidelines for implementing a privacy information security management system as an extension to ISO/IEC 27001:2013 for privacy management as a personally identifiable information (PII) processor relevant to the information security management system supporting Microsoft Azure, Dynamics, and other online services that are deployed in Azure Public, Government cloud, and Germany Cloud, including their development, operations, and infrastructures and their associated security, privacy, and compliance per the statement of applicability version 2019-02. A copy of the certification is available on the Service Trust Portal.
Modern business is driven by digital transformation, including the ability to deeply understand data and unlock the power of big data analytics and AI. But before customers – and regulators – will allow you to leverage this data, you must first win their trust. Microsoft eases this privacy burden with tools that can help you automate privacy, including built-in controls like PIMS.
Microsoft has longstanding commitments to privacy, and we continue to take steps to give customers more control over their data. Our Trusted Cloud is built on our commitments to privacy, security, transparency, and compliance, and our Trust Center provides access to validated audit reports, data management capabilities, and information about the number of legal demands we received for customer data from law enforcement.