Microsoft and FISC
Microsoft engaged outside assessors to validate that Microsoft Azure and Microsoft Office 365 meet the FISC Version 8 requirements. Microsoft provided evidence of compliance in each of the following areas:
- Datacenter guidelines for buildings and computer rooms, power, air conditioning, datacenter, and facilities monitoring.
- Operational guidelines for organizations, training, access control, system development, and auditing.
- Technical guidelines for measures to improve the reliability of hardware and software, and for countermeasures against security risks including data protection, prevention against unauthorized use, threat detection, and disaster recovery.
Financial institutions can rely on this evaluation of the compliance of these three areas for the in-scope infrastructure and platform services of Azure, Office 365, and Microsoft Cloud App Security.
The Center for Financial Industry Information Systems (FISC) is a not-for-profit organization established by the Japanese Ministry of Finance in 1984 to promote security in banking computer systems in Japan. Some 700 corporations in Japan are supporting members, including major financial institutions, insurance and credit companies, securities firms, computer manufacturers, and telecommunications enterprises.
In collaboration with its member institutions, the Bank of Japan, and the Financial Services Agency (a government organization responsible for overseeing banking, securities and exchange, and insurance in Japan), the FISC created guidelines for the security of banking information systems. These include basic auditing standards for computer system controls, contingency planning in the event of a disaster, and the development of security policies and standards encompassed in more than 300 controls.
Although the application of these guidelines in a cloud computing environment is not required by regulation, most financial institutions in Japan that implement cloud services have built information systems that satisfy these security standards, and it can be very difficult to justify diverging from them. (The latest guidelines, Version 8 Supplemental Revised, issued in 2015, added two revisions relating to the use of cloud services by financial institutions and countermeasures against cyberattack.)
Conformance with this framework is not required by regulation, and not audited or otherwise validated by the FISC.
Frequently asked questions
Banks and other financial institutions in Japan that want to validate their approach to system security, reliability, and auditing, and align with established best practices in Japan, follow the FISC guidelines.
The FISC has published two reports from its Council of Experts:
A copy of the completed assessment framework is available to customers who have signed a nondisclosure agreement with Microsoft by contacting their account representative. Potential customers can make a request at support.microsoft.com/contactus.
You can also see security references (in Japanese) from third parties who have evaluated the FISC compliance of Microsoft cloud services.
Yes. However, although Microsoft responses to this framework are confirmed compliant by third parties, customers are responsible for validating the compliance of solutions they have implemented on Azure or Office 365.