Explore the Microsoft 365 information security policy

Business units and product groups at Microsoft are responsible for implementing the security policies, standards, and requirements of the Microsoft Security Policy and Standards Program. Microsoft 365 documents these security implementations in the Microsoft 365 Information Security Policy. This policy aligns with the Microsoft Security Policy and governs the Microsoft 365 information system, including all Microsoft 365 environments and all resources involved in the collection, processing, maintenance, use, sharing, dissemination, and disposal of data.

Scope

The purpose of the Microsoft 365 Information Security Policy is to enable Microsoft 365 to operate according to best practices, achieve the corporate objective of building and maintaining customer trust, comply with regulatory requirements and customer commitments, and support public promises with respect to the confidentiality, integrity, and availability of Microsoft 365 services.

The Microsoft 365 information system includes the following components governed by the Microsoft 365 Information Security Policy:

  • Infrastructure: The physical and hardware components of Microsoft 365 systems (facilities, equipment, and networks)
  • Software: The programs and operating software of Microsoft 365 systems (systems, applications, and utilities)
  • People: The personnel involved in the operation and use of Microsoft 365 systems (developers, operators, users, and managers)
  • Procedures: The programmed and manual procedures involved in the operation of Microsoft 365 systems
  • Data: The information generated, collected, and processed by Microsoft 365 systems (transaction streams, files, databases, and tables)

All Microsoft 365 information system components are governed by the Microsoft 365 Information Security Policy.

Microsoft 365 Control Framework

The Microsoft 365 Information Security Policy is supplemented by the Microsoft 365 Control Framework. The Microsoft 365 Control Framework details the minimum security requirements for all Microsoft 365 services and information system components and references the legal and corporate requirements behind each control. The framework includes control activity names, descriptions, and guidance to ensure effective control implementations by service teams. Microsoft 365 uses the control framework to track evidence of control implementations for internal and external reporting.

The Control Framework consists of 18 objectives in the following key domain areas:

  • Access Control (AC)
  • Awareness and Training (AT)
  • Audit and Accountability (AU)
  • Security Assessment (CA)
  • Configuration Management (CM)
  • Contingency Planning (CP)
  • Identification and Authentication (IA)
  • Incident Response (IR)
  • Maintenance (MA)
  • Media Protection (MP)
  • Physical Access (PE)
  • Security Planning (PL)
  • Program Management (PM)
  • Personnel Security (PS)
  • Risk Assessment (RA)
  • System and Services Acquisition (SA)
  • System and Communications Protection (SC)
  • System and Information Integrity (SI)

Roles and responsibilities

Each service team within Microsoft 365 designates individuals responsible for driving compliance with the Microsoft 365 Information Security Policy, implementing relevant security controls, and verifying that controls have been implemented properly. The table below briefly summarizes roles with important responsibilities for driving alignment with the Microsoft 365 Information Security Policy.

Roles and their responsibilities:

  • Information System Security Officer: Individual responsible for maintaining the operational security posture of the information system.
  • GRC Compliance Officer: Individual responsible for defining minimum security requirements and verifying that these requirements are met by Microsoft 365.
  • EVP, Experience + Devices: Top manager responsible for setting strategic direction for the Engineering Group, including security and compliance objectives.
  • Service Team Compliance Champs: Specialists in each service team who assist service team members in implementing policy and standard requirements.
  • Service Team Members: Members of service teams responsible and accountable for implementing policy and standard requirements.

Microsoft 365 Control Framework updates

The Microsoft 365 Trust team works to maintain the internal Microsoft 365 Control Framework on an ongoing basis. Several scenarios may require the Trust team to update the control framework, including: changes in relevant regulations or laws, emerging threats, penetration test results, security incidents, audit feedback, and new compliance requirements. When a framework change is required, the Trust team identifies key stakeholders responsible for approving and implementing the change to ensure it is feasible and will not cause unintended issues with Microsoft 365 services. Once the Trust team and relevant stakeholders agree on what the change requires, the workloads responsible for implementing the change set target completion dates and work to implement the change within their respective services. After implementation targets have been met, the Trust team updates the control framework with the new or updated controls.

Exception process

All exceptions to the Microsoft 365 Information Security Policy must have a legitimate business justification and be approved by an appropriate governance entity within Microsoft 365. Exceptions must also have service team management approval and be documented in the Microsoft 365 risk management tool. Depending on the scope of the exception and the potential risk it represents, approval for exceptions may need to be obtained from a corporate vice president or higher. Exceptions are entered into the Microsoft 365 risk management tool, where they are reviewed and approved for continued relevance.