ENISA Information Assurance Framework

About the ENISA Information Assurance Framework

The European Network and Information Security Agency (ENISA) is a center of network and information expertise. It works closely with EU member states and the private sector to provide advice and recommendations on good cybersecurity practices. ENISA also supports the development and implementation of EU policy and law relating to national information security.

The Information Assurance Framework (IAF) is a set of assurance criteria that organizations can review with cloud service providers to ensure that they sufficiently protect customer data. The IAF is intended to help organizations assess the risk of adopting cloud services, better compare the offers from different cloud services, and reduce the assurance burden on cloud service providers.

Microsoft and the ENISA IAF

The ENISA Information Assurance Framework is based on the broad classes of controls from ISO/IEC 27001, the international information security management standard, and the Cloud Security Alliance (CSA) Cloud Controls Matrix (CCM) v3.0.1. The CCM
is a controls framework covering fundamental security principles across 16 domains to help cloud customers assess the overall security risk of a cloud service provider (CSP).

For the CSA STAR self-assessment, Microsoft submitted a report documenting Microsoft Azure compliance with the CSA CCM. (Microsoft also publishes a completed Consensus Assessments Initiative Questionnaire (CAIQ) for Azure.) That self-assessment
of compliance aligns it with the ENISA IAF.

Azure compliance is listed on the CSA STAR Registry, a free publicly accessible registry where CSPs publish their CSA-related assessments. There, Azure also maintains a formal CSA STAR Certification and CSA STAR Attestation.

Because these self-assessment reports are publicly available, Azure customers gain visibility into Microsoft security practices and can compare various CSPs using the same baseline.

Microsoft in-scope cloud platforms & services

  • Azure
  • Office 365

Azure, Dynamics 365, and ENISA IAF

For more information about Azure, Dynamics 365, and other online services compliance, see the Azure ENISA IAF offering.

Office 365 and ENISA IAF

Office 365 environments

Microsoft Office 365 is a multi-tenant hyperscale cloud platform and an integrated experience of apps and services available to customers in several regions worldwide. Most Office 365 services enable customers to specify the region where their customer data is located. Microsoft may replicate customer data to other regions within the same geographic area (for example, the United States) for data resiliency, but Microsoft will not replicate customer data outside the chosen geographic area.

This section covers the following Office 365 environments:

  • Client software (Client): commercial client software running on customer devices.
  • Office 365 (Commercial): the commercial public Office 365 cloud service available globally.
  • Office 365 Government Community Cloud (GCC): the Office 365 GCC cloud service is available for United States Federal, State, Local, and Tribal governments, and contractors holding or processing data on behalf of the US Government.
  • Office 365 Government Community Cloud - High (GCC High): the Office 365 GCC High cloud service is designed according to Department of Defense (DoD) Security Requirements Guidelines Level 4 controls and supports strictly regulated federal and defense information. This environment is used by federal agencies, the Defense Industrial Base (DIBs), and government contractors.
  • Office 365 DoD (DoD): the Office 365 DoD cloud service is designed according to DoD Security Requirements Guidelines Level 5 controls and supports strict federal and defense regulations. This environment is for the exclusive use by the US Department of Defense.

Use this section to help meet your compliance obligations across regulated industries and global markets. To find out which services are available in which regions, see the International availability information and the Where your Microsoft 365 customer data is stored article. For more information about Office 365 Government cloud environment, see the Office 365 Government Cloud article.

Your organization is wholly responsible for ensuring compliance with all applicable laws and regulations. Information provided in this section does not constitute legal advice and you should consult legal advisors for any questions regarding regulatory compliance for your organization.

Office 365 applicability and in-scope services

Use the following table to determine applicability for your Office 365 services and subscription:

Applicability In-scope services
Commercial Azure Active Directory, Azure Information Protection, Bookings, Compliance Manager, Delve, Exchange Online, Exchange Online Protection, Forms, Kaizala, Microsoft Analytics, Microsoft Booking, Microsoft Defender for Office 365, Microsoft Graph, Microsoft Teams, Microsoft To-Do for Web, MyAnalytics, Office 365 Advanced Compliance add-on, Office 365 Cloud App Security, Office 365 Groups, Office 365 Security & Compliance Center, Office Online, Office Pro Plus, OneDrive for Business, Planner, PowerApps, Power Automate, Power BI, SharePoint Online, Skype for Business, StaffHub, Stream, Sway, Yammer Enterprise

Resources