To help organizations comply with national, regional, and industry-specific requirements governing the collection and use of individuals’ data, Microsoft offers the most comprehensive set of certifications and attestations of any cloud service provider. 

    Microsoft accomplishes this breadth of compliance offerings with a two-pronged approach:

      • First, a team of Microsoft experts works with our engineering and operations teams, as well as external regulatory bodies, to track existing standards and regulations, developing hundreds of controls for the product teams to build into our cloud services.

      • Second, because regulations and standards are always evolving, our compliance experts also anticipate upcoming changes to help ensure continuous compliance—researching draft regulations, assessing potential new requirements, and developing corresponding controls.

    To demonstrate that these controls deliver compliance you can rely on, Microsoft enterprise cloud services are independently validated through certifications and attestations, as well as third-party audits. In-scope services within the Microsoft Cloud meet key international and industry-specific compliance standards, such as ISO/IEC 27001 and ISO/IEC 27018, FedRAMP, and SOC 1 and SOC 2. They also meet regional and country-specific standards and contractual commitments, including the EU Model Clauses, UK G-Cloud, Singapore MTCS, and Australia CCSL (IRAP). In addition, rigorous third-party audits, such as by the British Standards Institution and Deloitte, validate the adherence of our cloud services to the strict requirements these standards mandate.

    Ultimately, it is up to you to determine whether our services comply with the specific laws and regulations applicable to your business. To help you make these assessments, Microsoft supplies the specifics about its security and compliance programs, including audit reports and compliance packages. Also, you can verify our implementation of the controls by requesting detailed audit results from the certifying third parties or through your Microsoft account representative.

    CDSA

    Microsoft Azure has passed the audit for the Content Delivery and Security Association Content Protection and Security standard for compliance with antipiracy procedures governing digital media.

    Canadian Privacy Laws

    Microsoft Azure has implemented technical and organizational security safeguards to help our customers protect individuals’ privacy when they use our cloud service.

    China GB 18030

    Microsoft Azure is certified by the China Electronics Standardization Institute as compliant with GB 18030, the encoding standard mandated by the Chinese government for the Chinese ideographic character set.

    China MLPS

    Microsoft Azure operated by 21Vianet adheres to the Multi-Level Protection Scheme, a Chinese state cloud security standard issued by the Ministry of Public Security.

    CJIS

    Microsoft Azure Government, Microsoft Office 365 U.S. Government, and Microsoft Dynamics CRM Online Government adhere to the CJIS Security Policy, required to access the FBI's Criminal Justice Information Services (CJIS) database through the cloud.

    CSA CCM

    Our Cloud Security Alliance (CSA) Cloud Controls Matrix (CCM) response details how Microsoft cloud services fulfill the security, privacy, compliance, and risk management requirements defined in the CSA CCM version 3.0.1.

    CS Mark (Gold)

    The Cloud Security Mark is the first security standard for cloud service providers in Japan. Microsoft achieved a CS Gold Mark for all three service classifications: Microsoft Azure for IaaS and PaaS, and Microsoft Office 365 for SaaS.

    DISA

    Based on FedRAMP authorizations, the Defense Information Systems Agency Cloud Service Support has granted an Impact Level 4 Provisional Authorization (PA) for one Microsoft enterprise cloud service, and an Impact Level 2 PA for others.

    EU Model Clauses

    Microsoft offers European Union Standard Contractual Clauses that provide contractual guarantees around transfers of personal data. Microsoft was the first cloud service provider to gain approval from the EU’s Article 29 Working Party for contractual commitments.

    EU-U.S. Privacy Shield

    Microsoft complies with the EU-U.S. Privacy Shield Framework as set forth and certified to the US Department of Commerce regarding the collection, use, and retention of personal information transferred from the European Union to the United States.

    FDA CFR Title 21 Part 11

    Microsoft helps customers comply with US Food and Drug Administration Code of Federal Regulations Title 21 Part 11, which details security requirements for the electronic records of companies that sell food and drugs in the United States.

    FedRAMP

    FedRAMP is mandatory for cloud services used by U.S. federal agencies. Azure maintains a FedRAMP P-ATO at the Moderate Impact Level, and Azure Government has received a P-ATO at the High Impact Level. Dynamics CRM Online Government, Office 365 and Office 365 U.S. Government have received FedRAMP ATOs at the Moderate Impact Level.

    FERPA

    Microsoft enterprise cloud services align with the requirements of the Family Educational Rights and Privacy Act, a US federal law that protects the privacy of students’ education records.

    FIPS 140-2

    Microsoft certifies that the underlying cryptographic modules used in Microsoft products, including Microsoft enterprise cloud services, comply with the Federal Information Processing Standard Publication 140-2, a US government standard.

    FISC

    Microsoft Azure and Microsoft Office 365 have been independently assessed as meeting the requirements for the Center for Financial Industry Information Systems Version 8 standard security for banking computer systems in Japan.

    IRS 1075

    Microsoft Azure Government and Microsoft Office 365 Government cloud services provide a contractual commitment that they have the appropriate controls in place to meet the requirements of US Internal Revenue Service Publication 1075.

    ISO 22301:2012

    Microsoft is the first hyperscale cloud service provider to receive the ISO 22301 certification for business continuity management. An independent certification body, BSI, awarded it to Azure, Azure Government, Intune, and Power BI.

    HIPAA / HITECH

    Microsoft enterprise cloud services offer customers a Health Insurance Portability and Accountability Act Business Associate Agreement that stipulates adherence to HIPAA, which regulates patient Protected Health Information in the US.

    IRAP (CCSL)

    Microsoft Azure, Microsoft Dynamics CRM Online, and Microsoft Office 365 are accredited for the Certified Cloud Services List, which identifies cloud services that have successfully completed an IRAP assessment by the Australian Signals Directorate.

    ISO/IEC 27001

    The ISO/IEC 27001 certificate validates that Microsoft enterprise cloud services have implemented the internationally recognized information security controls defined in the ISO/IEC 27001 standard.

    ISO/IEC 27017

    The ISO/IEC 27017:2015 certificate validates that Microsoft enterprise cloud services have implemented the internationally recognized code of practice for information security controls based on the ISO/IEC 27002 standard for cloud services.

    ISO/IEC 27018

    Microsoft was the first cloud provider to adhere to the ISO/IEC 27018 code of practice, which covers privacy protections for the processing of personal information by cloud service providers.

    IT Grundschutz Compliance Workbook

    Microsoft Azure Germany has published an IT Grundschutz Compliance Workbook developed by HiSolutions AG. This workbook supports our clients in achieving their IT Grundschutz certification for solutions on Microsoft Azure Germany.

    ITAR

    Azure Government supports customers building ITAR-capable systems on Azure Government.

    MARS-E

    Microsoft Azure and Microsoft Azure Government comply with the Minimum Acceptable Risk Standards for Exchanges (MARS-E) for information security regulations for health-based exchanges under the Patient Protection and Affordable Care Act (ACA) of 2010.

    MPAA

    The Motion Picture Association of America offers guidance and control frameworks for studio partners to help ensure the security of digital film assets. Microsoft Azure was the first hyperscale, multitenant cloud service to successfully complete a formal MPAA assessment.

    MTCS

    Microsoft was the first global CSP to receive MTCS 584:2013 certification across all three MTCS security levels. Furthermore, Microsoft Azure services (IaaS and PaaS) and Microsoft Office 365 services (SaaS) were certified at Level 3 and Microsoft Dynamics CRM Online services (SaaS) were certified at Level 2.

    NIST 800-171

    Microsoft Azure, Microsoft Azure Government, Dynamics CRM Online Government, Office 365 MT, and Office 365 US Government conform to the requirements set forth in NIST 800-171, Protecting Controlled Unclassified Information in Nonfederal Information Systems and Organizations.

    NZ CC Framework

    The New Zealand Government Chief Information Officer published a cloud computing framework of 100+ questions on the security, privacy, and sovereignty aspects of cloud services. Microsoft NZ demonstrates how Microsoft addresses these questions.

    PCI DSS Level 1 Service Provider

    Microsoft Azure complies with Payment Card Industry Data Security Standards Level 1 version 3.1, the global certification standard for organizations that accept most payment cards and store, process, or transmit cardholder data.

    SOC 1 & 2 Type 2 Reports

    Service Organization Controls (SOC) are a series of accounting standards that measure the control of financial information for a service organization. Azure’s SOC 1 and SOC 2 Type 2 audit reports attest to the effectiveness of the design and operation of its security controls.

    SOC 1

    Microsoft cloud services have been successfully audited against American Institute of Certified Public Accountants (AICPA) Service Organization Controls 1 standards for design and operational security.

    SOC 2

    Microsoft cloud services have been successfully audited against American Institute of Certified Public Accountants (AICPA) Service Organization Controls Type 2 standards for design and operational security.

    SOC 3

    Microsoft Azure and Microsoft Intune in-scope services have been successfully audited against American Institute of Certified Public Accountants (AICPA) Service Organization Controls 3 standards for design and operational security.

    UK G-Cloud

    The UK Crown Commercial Service has renewed the classification of Microsoft’s in-scope cloud services to Government Cloud v6, covering all four of its offerings at the OFFICIAL level.

    Section 508 / VPATs

    Microsoft cloud services offer Voluntary Product Accessibility Templates, a standardized form documenting whether a product meets the accessibility requirements of Section 508, an amendment to the Rehabilitation Act of 1973.

    DIACAP

    The US Department of Defense Information Assurance Certification and Accreditation Process was replaced with the NIST 800-37 Risk Management Framework and DoD 8510.01. Microsoft Azure demonstrates compliance through its FedRAMP accreditation.

    ENISA IAF

    The European Network and Information Security Agency Information Assurance Framework requirements have been mapped to Microsoft Azure through the CSA CCM. Customers can refer to the CSA CCM response version 3.0.1.

    FISMA

    Azure, Azure Government, and Office 365 Government have a Provisional Authority to Operate for FedRAMP, the successor of the Federal Information Security Management Act for US government cloud solutions.

    SHARED ASSESSMENTS

    Microsoft demonstrates the alignment of Microsoft Azure with the Shared Assessments Program—a vendor-risk management toolset—through the CSA CCM version 3.0.1.

    Argentina Personal Data Protection Act 25,326

    Microsoft Azure, Microsoft Dynamics CRM Online, and Microsoft Office 365 have implemented the security measures in the Argentina Personal Data Protection Act.

    Japan My Number Act

    The My Number Act assigns a unique number to each resident of Japan. Companies using Microsoft cloud services can be assured that Microsoft does not have standing access to My Number data.

    China TRUCS

    Azure operated by 21Vianet in China has passed the Trusted Cloud Service certification developed by the Data Center Alliance and tested by the China Academy of Information and Communications Technology.

    FACT

    The Federation Against Copyright Theft in the UK developed a certification scheme based on ISO 27001 that focuses on physical and digital security to protect against theft of intellectual property. Microsoft Azure was the first multitenant public cloud to achieve FACT certification.

    ENS Spain

    Spain's Esquema Nacional de Seguridad (National Security Framework) provides ICT security guidance to public administrations and cloud service providers (CSPs). Microsoft was the first hyperscale CSP to receive this ENS certification—for Microsoft Azure and Microsoft Office 365.

    GxP

    Customers can use Azure, Azure Government, and Office 365 for applications that have requirements under Good Clinical, Laboratory and Manufacturing Practices (GxP) and US Food and Drug Administration CFR Title 21 Part 11.
