Last updated: January 2015
Microsoft complies with the data protection and privacy laws generally applicable to Microsoft’s provision of a cloud service. Customers are responsible for determining if Microsoft Intune, and the particular applications they intend to deploy via Intune, comply with the specific laws and regulations applicable to customers’ industry and use scenario. To help our customers comply with their own specific requirements, we put in place a comprehensive compliance framework through which we will be advancing all Intune features. Microsoft is committed to providing Intune customers with detailed information about our security compliance programs to help customers make their own regulatory assessments. However, it is ultimately up to our customers to evaluate Intune compliance programs against their own requirements to determine if our services satisfy their regulatory needs.
Intune is committed to annual certification against ISO/IEC 27001, a broad international information security standard. The ISO/IEC 27001:2005 certificate validates that Microsoft has implemented the internationally recognized information security controls defined in this standard, including guidelines and general principles for initiating, implementing, maintaining, and improving information security management within an organization.
Scope: The development, test, program management, and operations of the Intune service are in scope for the current ISO/IEC 27001:2005 certification. The certificate is issued by Bureau Veritas. Customers should contact their Microsoft representative to request a copy of the certificate for Intune.
Intune has been audited against the Service Organization Control (SOC) reporting framework for both SOC 1 Type 2 and SOC 2 Type 2. Both reports are available to customers to meet a wide range of US and international auditing requirements.
The SOC 1 Type 2 audit report attests to the design and operating effectiveness of Intune controls. The SOC 2 Type 2 audit included a further examination of Intune controls related to security and availability. Intune is audited annually to ensure that security controls are maintained.
Audits are conducted in accordance with the Statement on Standards for Attestation Engagements (SSAE) No. 16 put forth by the Auditing Standards Board (ASB) of the American Institute of Certified Public Accountants (AICPA) and International Standard on Assurance Engagements (ISAE) 3402 put forth by the International Auditing and Assurance Standards Board (IAASB).
Customers should contact their Microsoft representative to request a copy of the SOC 1 Type 2 and SOC 2 Type 2 reports for Intune.
HIPAA and the HITECH Act are United States laws that apply to healthcare entities with access to patient information (called Protected Health Information, or PHI). In many circumstances, for a covered healthcare company to use a cloud service like Intune, the service provider must agree in a written agreement to adhere to certain security and privacy provisions set forth in HIPAA and the HITECH Act. To help customers comply with HIPAA and the HITECH Act, Microsoft offers a BAA to customers as a contract addendum. Microsoft currently offers the BAA to customers who have a Volume Licensing / Enterprise Agreement (EA). While Intune includes features to help enable customers’ privacy and security compliance, customers are responsible for ensuring their particular use of Intune complies with HIPAA, the HITECH Act, and other applicable laws and regulations, and should consult with their own legal counsel.
Customers should contact their Microsoft account representative to sign the agreement.