Security, Audits, and Certifications
We obtain third-party audits and certifications so you can trust our services are designed and operated with stringent safeguards.
Our goals are simple: to operate our services with the security and privacy you expect from Microsoft, and to give you accurate assurances about our security and privacy practices. We have implemented and will maintain appropriate technical and organizational measures, internal controls, and information security routines intended to protect customer data against accidental loss, destruction, or alteration; unauthorized disclosure or access; or unlawful destruction. Every year, we undergo third-party audits by internationally recognized auditors as an independent validation that we comply with our policies and procedures for security, privacy, continuity and compliance.
Microsoft Online Certification and Compliance Finder
Office 365 and Dynamics 365 (application layer)
§ SSAE16 SOC1 Type II
§ SOC2 Type II
Office 365 and Dynamics 365 Data Centers and Physical Infrastructure (Provided by Microsoft Global Foundation Services)
§ SSAE16
§ SOC2
§ FISMA
This information is for general informational purposes only. This information is subject to change at any time and should not be interpreted to be a contractual commitment or guarantee on the part of Microsoft.
SSAE 16/ISAE 3402
SSAE 16 (Statement on Standards for Attestation Engagements No. 16), the successor to SAS 70, and ISAE 3402 (International Standard on Assurance Engagements No. 3402) are audit standards established by the American Institute of Certified Public Accountants (AICPA) and the International Auditing and Assurance Standards Board of the International Federation of Accountants, respectively, and are geared toward service organizations. Service organizations are typically entities that provide outsourcing services that affect the control environment of their customers. Examples of service organizations are insurance and medical claims processors, hosted data centers, application service providers (ASPs), and managed security providers. SSAE 16 and ISAE 3402 audits are independent verifications that a service organization's stated security controls are in place and operating effectively.
At the conclusion of an SSAE 16/ISAE 3402 service auditor's examination ("SSAE 16 audit"), the service auditor renders an opinion on the following information:
1. Whether or not the service organization's description of controls is presented fairly.
2. Whether or not the service organization's controls are designed effectively.
3. Whether or not the service organization's controls are placed in operation as of a specified date.
4. Whether or not the service organization's controls are operating effectively over a specified period of time. (Type II reports only; a Type I report covers items 1 through 3 as of a point in time. Both the SSAE 16 (SOC 1) and SOC 2 reports for the services are Type II.)
Microsoft SSAE 16/ISAE 3402 audits are performed by qualified, independent, third-party computer security auditors selected and paid for by Microsoft.
The resulting audit report includes the external third party's opinion on the controls. Both Office 365 and Dynamics 365 have undergone SSAE 16 (SOC 1) Type II and SOC 2 Type II audits. More information about the standard and the types of audits can be found at www.aicpa.org.
Microsoft Global Foundation Services (GFS) provides infrastructure services (datacenters and networking) for both Microsoft itself (including the Office 365/Dynamics 365 services) and its customers. GFS currently holds a SAS 70 Type II report and will be audited against SSAE 16 at its next regularly scheduled audit. The SSAE 16 reports for Office 365 and Dynamics 365 cover the application layer controls for these services. Together with the GFS report covering the infrastructure layer, the audit reports provide an end-to-end representation of the controls in place.
ISO/IEC 27001 is an information security management system (ISMS) standard, part of the ISO/IEC 27000 family of standards that address privacy, confidentiality and technical security issues and have "established guidelines and general principles for initiating, implementing, maintaining, and improving information security management within an organization." The standards outline hundreds of potential controls and control mechanisms. ISO/IEC 27001 in particular is one of the most widely recognized certifications for a cloud service, and thus one of the most valued by our customers. ISO 27001 defines how to implement, monitor, maintain, and continually improve the ISMS. An organization may obtain an ISO 27001 certification on its ISMS, which is typically based on the ISO 27002 information security standard. The Microsoft Online Services Information Security Policy aligns with ISO 27002, augmented with requirements specific to online services. ISO 27001 has been the foundation of the security approach for Office 365/Dynamics 365 and their supporting infrastructure since 2009, and Office 365/Dynamics 365 have been certified by our independent auditor, the British Standards Institution (BSI). Customers are encouraged to review the publicly available ISO standard, and the Microsoft ISO certificates are available at the BSI website.
In addition to having the BSI verify the compliance of Office 365 and Dynamics 365 with ISO/IEC 27001, we have asked the BSI to review more than 20 additional privacy controls that we built into the services to better align them with comprehensive European data protection regulations. We have taken this unique approach to help our European customers understand the protections we have put in place to help them satisfy the specific expectations of both European citizens and European regulators. Many customers consider EU privacy regulations to be the strictest in the world, so our work to align our controls with EU privacy regulations helps all customers that value data protection and privacy.
Our ISO 27001 certifications and audits by the BSI thus enable all our customers to evaluate how Microsoft meets or exceeds the standards and implementation guidance against which we are certified. The full results of BSI’s findings are included in its ISO/IEC 27001 audit reports on Office 365 and Dynamics 365, summaries of which are available to Office 365 and Dynamics 365 customers upon request.
ISO/IEC 27018 establishes commonly accepted control objectives, controls and guidelines for implementing measures to protect personally identifiable information (PII) in public clouds. In our most recent ISO 27001 audit, an independent auditor validated that Office 365 and Dynamics 365 have incorporated controls that comply with and are aligned with the standard's code of practice for the protection of PII in the public cloud. The three principal commitments enabled by these controls are:
§ Office 365 is “advertising-free,” so customers don’t have to worry that the data they put into Office 365 is used for advertising or marketing purposes.
§ There are defined policies for the return, transfer and secure disposal of PII.
§ Office 365 proactively discloses the identities of sub-processors and informs the customer if data is ever requested by law enforcement agencies.
All of these commitments to protect privacy are even more important in the current legal environment, in which enterprise customers increasingly have their own privacy compliance obligations to meet. Our achievement of the ISO 27018 cloud privacy standard can serve as a template for regulators and customers alike as they seek to ensure strong privacy protection across geographies and vertical industry sectors.
U.S.–EU Safe Harbor
The European Union, through the EU Data Protection Directive, has stricter privacy rules than the U.S. and most other countries. To enforce these rules, the EU generally prohibits the transfer of personal data into other countries except under circumstances in which the transfer has been legitimated by a recognized mechanism, such as the "Safe Harbor" certification described below.
To allow for the continued flow of information required by international business, the European Commission reached agreement with the U.S. Department of Commerce whereby U.S. organizations can self-certify as complying with the Safe Harbor principles, which correspond loosely to the requirements of the Directive.
For a business to legally transfer data from the EU to the U.S. under this mechanism, the U.S. company or other organization must publicly certify that it will comply with the Safe Harbor principles. Office 365 and Dynamics 365 can transfer data from the EU to the U.S. for processing because Microsoft is Safe Harbor certified.
Customers are encouraged to review the principles of the certification, along with Microsoft's certification on the Department of Commerce website, through the following link: Safe Harbor Framework and Certification.
Microsoft was first certified under the Safe Harbor program in 2001, and we recertify compliance with the Safe Harbor Principles every twelve months.
In addition to the EU Member States, members of the European Economic Area (Iceland, Liechtenstein, and Norway) also recognize organizations certified under the Safe Harbor program as providing adequate privacy protection to justify trans-border transfers from their countries to the U.S. Switzerland has a nearly identical agreement (U.S.–Switzerland Safe Harbor) with the U.S. Department of Commerce to legitimize transfers from Switzerland to the U.S., to which Microsoft has also certified.
Several other countries, such as Canada and Argentina, have passed comprehensive privacy laws, and the EU has recognized them as providing adequate protection, so data transfers from the EU to those countries are permitted.
What's the most important thing for me to do to ensure the security of my data?
Evaluate our security procedures against your needs.
Office 365 and Dynamics 365's security is world-class. However, you are responsible for determining whether our security meets your organization's requirements. It is up to you to evaluate whether you hold particularly sensitive data, or data that must be held to a certain level of security under regulations applicable to your industry. Such data may carry a specific security requirement that our services do not meet.
For example, you may be in an industry in which the standard is a 10-character minimum password length, whereas Microsoft's standard is normally an eight-character minimum.
If you have questions about whether Office 365 or Dynamics 365 meets a particular security standard or requirement not discussed here, you can check the Resources section or contact Support, and we'll let you know.
Will Office 365 and Dynamics 365 comply with my company's security policy?
As multitenant services, Office 365 and Dynamics 365 are unable to agree to comply with any particular company’s security policy. However, our customers, in a broad range of industries and countries, have found our services meet their security needs. Indeed, Office 365/Dynamics 365 are based on an ISO 27001 framework to continually assess and improve the security of our services offerings.
The Microsoft Online Services Information Security Policy also incorporates additional requirements derived from best-in-class security practices and mapping of relevant international, national and state/provincial requirements.
An organization may obtain an ISO 27001 certification on its information security management system (ISMS), which is typically based on the ISO 27002 information security standard. Certification may be sought from a number of accredited bodies; Microsoft obtained its certificate from the British Standards Institution (BSI). ISO 27001 audits provide assurance about the ISMS. Microsoft believes that by providing transparency we allow customers to evaluate our services against their requirements and make informed decisions.
The following Office 365 services are ISO certified: SharePoint Online, Lync Online, and Exchange Online. Dynamics 365 is also ISO certified, as is Global Foundation Services, the infrastructure layer of the services (network and data centers). Office 365 and Dynamics 365 customers should review the publicly available ISO standard to determine whether their security requirements are satisfied.
What other resources do Office 365 and Dynamics 365 provide to help me obtain a sufficient understanding of its security and privacy practices to determine whether Office 365/Dynamics 365 policy meets my requirements?
Office 365 and Dynamics 365 provide a number of resources to assist customers in making a determination and obtain a sufficient understanding of Microsoft policies, including the following documents:
How is SSAE 16 different from ISO 27001?
SSAE 16 is the successor to SAS 70, which has been used predominantly in the United States as a standard for audits of the design and operating effectiveness of controls.
ISO 27001 is an international standard geared toward the security practices of an organization. ISO 27001 is common in Europe, Japan and some other Asian countries, and is gaining popularity in the United States. ISO 27001 stipulates a set of security controls, and organizations are certified against those controls; it is much more comprehensive in coverage than SSAE 16. ISO 27001 addresses all three aspects of security commonly referred to as CIA: confidentiality, integrity and availability. Organizations may be certified as compliant with ISO 27001 by a number of accredited registrars worldwide.
I would like a non-English language version of the Microsoft SSAE 16 audit report. Can Microsoft provide one?
Depending on the language, Microsoft may be able to provide a translation of the report at the customer's expense, as Office 365 and Dynamics 365 receive SSAE 16 audit reports only in English.
The SSAE 16 auditing firm for Office 365 and Dynamics 365 can translate the audit report into most other languages on request. The cost varies with the language requested and is paid by the requesting customer; not every language is available. Please contact Office 365 or Dynamics 365 customer support if you need a translated report.
Who has administrative rights to Office 365 and Dynamics 365? Are they full-time employees or are they contractors? How does Microsoft prevent administrators from accessing customer data?
See the Administrative Access section of the Trust Center to understand how Microsoft limits access to data.
Does Microsoft allow customers to audit Office 365 or Dynamics 365 controls or infrastructure?
Office 365 and Dynamics 365 readily share with our customers summaries of our independent audit reports and certifications.
These certifications and attestations accurately represent how we obtain and meet our security and compliance objectives and serve as a practical mechanism to validate our promises for all customers. Allowing potentially thousands of customers to audit our services would not be a scalable practice and might compromise security.
Office 365 and Dynamics 365 internal monitoring includes automated compliance monitoring of infrastructure (e.g., vulnerability scans, penetration testing and testing of process and people controls). The Office 365 and Dynamics 365 third-party validation program includes independent audits that are conducted on an annual basis to provide verification of Office 365 and Dynamics 365 security posture.
Can Microsoft customize its audit for me?
No. Microsoft is not able to agree to custom audit obligations for an individual customer. The costs and potential conflicts between varying obligations make it impracticable to customize audits.
After a data breach, will Microsoft notify me?
For information about how Microsoft responds to data breaches, please see the language in your service agreement.