Compliance

        Industry-verified conformity with global standards

    Just as Microsoft has a responsibility to process our customers’ information in a trustworthy manner, many of you have a responsibility to comply with national, regional, and industry-specific requirements governing the collection and use of individuals’ data.

    To give you the foundation to achieve that compliance, Microsoft takes a two-pronged approach to help ensure that compliance controls are current and that we build and maintain a dynamic compliance framework.

    First, a team of Microsoft experts works with our engineering and operations teams, as well as external regulatory bodies, to track existing standards and regulations, developing hundreds of controls for our product teams to build into our cloud services. Second, because regulations and standards are always evolving, our compliance experts also anticipate upcoming changes to help ensure continuous compliance—researching draft regulations, assessing potential new requirements, and developing corresponding controls. This approach to designing compliance controls helps ensure that they operate effectively, with stringent safeguards.

    To demonstrate that these controls deliver compliance that you can rely on, Microsoft enterprise cloud services are independently validated through certifications and attestations, as well as third-party audits. In-scope services within the Microsoft Cloud meet key international and industry-specific compliance standards, such as ISO/IEC 27001 and ISO/IEC 27018, FedRAMP, and SOC 1 and SOC 2. They also meet regional and country-specific standards and contractual commitments, including the EU Model Clauses, UK G-Cloud, Singapore MTCS, and Australia CCSL (IRAP). In addition, rigorous third-party audits, such as by the British Standards Institution and Deloitte, validate the adherence of our cloud services to the strict requirements these standards mandate.

    Ultimately, it is up to you to determine whether our services comply with the specific laws and regulations applicable to your business and satisfy your legal requirements. To help you make these assessments, Microsoft supplies the specifics about its security and compliance programs, including audit reports and compliance packages. Also, you can verify our implementation of the controls by requesting detailed audit results from the certifying third parties or through your Microsoft account representative.

    If you are a Microsoft Office 365 customer, you can take yet another avenue to help meet your organizational compliance needs and demonstrate to auditors and regulators governance over specific information within your company. Office 365 builds in capabilities that include integrated tools for archiving important data, simplified searches for and access to content, auditing in place across the service, and data loss prevention that blocks the export of sensitive data.