
ISO/IEC 27001:2013 Information Security Management Standards

Services covered: Azure, Dynamics CRM Online, Intune, Office 365, Dynamics CRM Online Government, Office 365 U.S. Government

The International Organization for Standardization (ISO) is an independent nongovernmental organization and the world's largest developer of voluntary international standards. The International Electrotechnical Commission (IEC) is the world's leading organization for the preparation and publication of international standards for electrical, electronic, and related technologies. Published under the joint ISO/IEC subcommittee, the ISO/IEC 27000 family of standards outlines hundreds of controls and control mechanisms to help organizations of all types and sizes keep information assets secure. These global standards provide a framework for policies and procedures that include all legal, physical, and technical controls involved in an organization's information risk management processes.

ISO/IEC 27001 is a security standard that formally specifies an Information Security Management System (ISMS) that is intended to bring information security under explicit management control. Being a formal specification means that it mandates specific requirements, defining how to implement, monitor, maintain, and continually improve the ISMS. It also specifies a set of best practices that include requirements for documentation, divisions of responsibility, availability, access control, security, auditing, and corrective and preventive measures. Certification to ISO/IEC 27001 helps organizations comply with numerous regulatory and legal requirements that relate to the security of information.

The international acceptance and applicability of ISO/IEC 27001, one of the most widely recognized certifications for a cloud service, is a key reason why certification to this standard is a foundation of Microsoft's approach to information security. In 2009, the company received its first ISO/IEC 27001 certification for Microsoft Cloud Infrastructure and Operations (formerly Global Foundation Services), which provides datacenters and networking for Microsoft cloud services. Currently, Microsoft's cloud infrastructure and solutions are audited once a year for ISO/IEC 27001 compliance by the British Standards Institution (BSI), an accredited certification body, providing independent validation that Microsoft has implemented security controls end-to-end.

In addition, Microsoft's cloud services were the first to adopt ISO/IEC 27018:2014, the first international code of practice for cloud privacy. This extension of the ISO 27001 standard sets a uniform international approach to protecting the privacy of personal data in the cloud, and governs the handling of personally identifiable information (PII) by cloud services providers acting as PII processors.

Helpful information

Audit cycle: BSI audits Microsoft cloud services once a year.

The ISO 27000 Directory

ISO/IEC 27001:2013 standard: Purchase it at

Compliance certificates:
Azure:
Dynamics CRM Online: Online-Cert
Office 365:

BSI case study: Microsoft Sets a High Bar for Information Security

Microsoft Online Services Terms

Microsoft Cloud for Government

Microsoft Cloud Trust Center

For more information:
Customers: Contact your Microsoft account representative.
Potential customers: Go to
Frequently asked questions
Q. Why is compliance with ISO/IEC 27001 important?
Compliance with these standards, confirmed by an accredited auditor, demonstrates that
Microsoft uses internationally recognized processes and best practices to manage the
infrastructure and organization that support and deliver its cloud services. The certificate
validates that Microsoft has implemented the guidelines and general principles for initiating,
implementing, maintaining, and improving the management of information security.

Q. Where can I get the ISO/IEC 27001 audit reports and scope statements for Microsoft cloud
To request copies, customers can contact their Microsoft account representative; potential
customers can go to

Q. Which services are in scope for ISO/IEC 27001?

Certified services include:
Microsoft Azure: Virtual Machines, Cloud Services, Batch, Web Apps, Mobile Services,
Notification Hub, Storage (Blobs, Tables, Queues), SQL Database, Virtual Network,
Traffic Manager, Workflow Manager, ExpressRoute, Service Bus, BizTalk Services, Active
Directory, Multi-Factor Authentication, Rights Management Service, Media Services, and

Microsoft Dynamics CRM Online and Microsoft Dynamics CRM Online Government.
Microsoft Intune.
Microsoft Office 365 and Microsoft Office 365 U.S. Government: Exchange Online,
Exchange Online Archiving, Exchange Online Protection, Advanced Threat Protection,
SharePoint Online, OneDrive for Business, Project Online, Skype for Business Online,
Office Online, and Yammer.

Q. Does Microsoft run annual tests for infrastructure failures?

Yes. The annual ISO/IEC 27001 certification process for the Microsoft Cloud Infrastructure and
Operations group includes an audit for operational resiliency.

Q. Can I leverage the ISO/IEC 27001 compliance of Microsoft's cloud services in my organization's certification?
Yes. If your business requires ISO/IEC 27001 certification for implementations deployed
on Azure, you can use the applicable certification in your compliance assessment. You
are responsible, however, for engaging an assessor to evaluate your implementation for
compliance and for the controls and processes within your own organization.

Q. Where do I start my organization's own ISO/IEC 27001 compliance effort?

Adopting ISO/IEC 27001 is a strategic commitment. As a starting point, consult the
ISO/IEC 27000 Directory.