Last updated: July 2015
Microsoft complies with the data protection and privacy laws generally applicable to Microsoft’s provision of a cloud service. Customers are responsible for determining if Microsoft Intune, and the particular applications they intend to deploy via Intune, comply with the specific laws and regulations applicable to customers’ industry and use scenario. To help our customers comply with their own specific requirements, we put in place a comprehensive compliance framework through which we will be advancing all Intune features. Microsoft is committed to providing Intune customers with detailed information about our security compliance programs to help customers make their own regulatory assessments. However, it is ultimately up to our customers to evaluate Intune compliance programs against their own requirements to determine if our services satisfy their regulatory needs.
Intune is committed to annual certification against ISO/IEC 27001, a broad international information security standard. The ISO/IEC 27001:2013 certificate validates that Microsoft has implemented the internationally recognized information security controls defined in this standard, including guidelines and general principles for initiating, implementing, maintaining, and improving information security management within an organization.
Scope: The development, test, program management, and operations of the Intune service are in scope for the current ISO/IEC 27001:2013 certification. The certificate is issued by Bureau Veritas. Customers should contact their Microsoft representative to request a copy of the certificate for Intune.
Intune has been audited against the Service Organization Control (SOC) reporting framework for both SOC 1 Type 2 and SOC 2 Type 2. Both reports are available to customers to meet a wide range of US and international auditing requirements.
The SOC 1 Type 2 audit report attests to the design and operating effectiveness of Intune controls. The SOC 2 Type 2 audit included a further examination of Intune controls related to security and availability. Intune is audited annually to ensure that security controls are maintained.
Audits are conducted in accordance with the Statement on Standards for Attestation Engagements (SSAE) No. 16 put forth by the Auditing Standards Board (ASB) of the American Institute of Certified Public Accountants (AICPA) and International Standard on Assurance Engagements (ISAE) 3402 put forth by the International Auditing and Assurance Standards Board (IAASB).
Customers should contact their Microsoft representative to request a copy of the SOC 1 Type 2 and SOC 2 Type 2 reports for Intune.
G-Cloud is a U.K. Government initiative and Procurement Framework to promote government-wide adoption of cloud computing. The G-Cloud Framework includes a Digital Marketplace where public-sector organizations and eligible government-funded independent organizations can compare and procure cloud-based services.
Microsoft was the first and only major cloud provider to be assured against the G-Cloud’s Pan Government Accreditation Scheme as part of the initial tranche of G-Cloud Suppliers. The Pan Government Accreditation Scheme has been replaced by assertions against the Cloud Security Principles. This doesn’t change either the evidence we produce or the standards that we adhere to under our accreditation.
Microsoft Intune is compliant with the 14 Cloud Security Principles; the compliance assertion was followed by a sampled verification audit performed by the UK Government Digital Service (GDS), a branch of the Cabinet Office.
Microsoft Intune is available to UK Government customers under the latest version of the G-Cloud Framework (v6). As such, UK Government customers can utilize Microsoft Intune to store and process OFFICIAL data, which makes up the vast majority of UK Government data. In addition, there are over 450 Microsoft partners appointed to the G-Cloud Framework that leverage Microsoft’s cloud services. These Microsoft partners can also directly assert Microsoft compliance with the 14 Cloud Security Principles in their own services or applications.
HIPAA and the HITECH Act are United States laws that apply to healthcare entities with access to patient information (called Protected Health Information, or PHI). In many circumstances, for a covered healthcare company to use a cloud service like Intune, the service provider must agree in a written agreement to adhere to certain security and privacy provisions set forth in HIPAA and the HITECH Act. To help customers comply with HIPAA and the HITECH Act, Microsoft offers a Business Associate Agreement (BAA) to customers as a contract addendum. Microsoft currently offers the BAA to customers who have a Volume Licensing / Enterprise Agreement (EA). While Intune includes features to help enable customers' privacy and security compliance, customers are responsible for ensuring that their particular use of Intune complies with HIPAA, the HITECH Act, and other applicable laws and regulations, and should consult their own legal counsel.
Customers should contact their Microsoft account representative to sign the agreement.