The Association of Banks in Singapore (ABS) has issued the ABS Guidelines on Control Objectives and Procedures for Outsourced Service Providers (ABS Guidelines). The ABS Guidelines contain information security guidance for service providers who deliver services to financial institutions operating in Singapore. The guidelines specify the baseline organizational controls that service providers must implement in cloud outsourcing arrangements, particularly for workloads with material impact. The Outsourced Service Provider's Audit Report (OSPAR) is the framework that external auditors use to validate the service provider's controls against the criteria specified in the ABS Guidelines.
An independent third-party auditor approved by ABS performed a rigorous audit of the security capabilities of Azure, Dynamics 365, and other Microsoft online services to assess their compliance with the ABS Guidelines. The auditor attested that Microsoft cloud services security controls were suitably designed to meet the applicable ABS controls criteria and that these controls operated effectively during the year-long testing period.
Achieving the ABS OSPAR attestation demonstrates that the security controls for Microsoft in-scope services meet the ABS Guidelines, putting these services on the official list of OSPAR audited outsourced service providers that can be downloaded from the ABS outsourcing landing page. OSPAR attestation for Azure, Dynamics 365, and other Microsoft online services provides assurance to financial services customers with facilities in Singapore that Microsoft meets the high ABS requirements for deploying compliant financial services solutions.
Services in scope
For a list of Microsoft online services in audit scope, see Microsoft Azure Compliance Offerings or the Azure + Dynamics 365 OSPAR report:
- Dynamics 365
- Microsoft 365
- Power Platform
The Azure + Dynamics 365 OSPAR report covers Azure, Dynamics 365, select Microsoft 365, and Power Platform online services. You can access the Azure + Dynamics 365 OSPAR report from the Service Trust Portal (STP) Audit Reports – GRC Assessment Reports section. You must sign in to access audit reports on the STP. For more information, see Get started with the Microsoft Service Trust Portal.
Frequently asked questions
What is a material outsourcing arrangement and why is the definition important?
An outsourcing arrangement is material if a service failure or breach:
- Has the potential to materially affect a financial firm's business operations or ability to manage risk and comply with applicable laws and regulations; or
- Involves customer information, and any unauthorized access or disclosure, loss, or theft of that customer information has a material impact on a firm's customers. The definition of customer information expressly excludes securely encrypted information.
This definition is important because certain provisions of the Monetary Authority of Singapore (MAS) Outsourcing Guidelines apply only to 'material outsourcing arrangements'. These provisions include an obligation to perform annual reviews, mandatory contractual clauses addressing audit rights, and ensuring that outsourcing outside of Singapore doesn't affect MAS supervisory efforts.
Where can I get the Azure OSPAR audit documentation?
For links to audit documentation, see Audit reports. You must have an existing Azure subscription or free Azure trial account to sign in. You can then download audit certificates, assessment reports, and other applicable documents to help you with your own regulatory requirements.