ENISA Information Assurance Framework

About the ENISA Information Assurance Framework

The European Network and Information Security Agency (ENISA), now the European Union Agency for Cybersecurity, is a center of network and information security expertise. It works closely with EU member states and the private sector to provide advice and recommendations on good cybersecurity practices. ENISA also supports the development and implementation of EU policy and law relating to network and information security.

The Information Assurance Framework (IAF) is a set of assurance criteria that organizations can review with cloud service providers to confirm that customer data is sufficiently protected. The IAF is intended to help organizations assess the risk of adopting cloud services, compare the offers of different cloud service providers against a common baseline, and reduce the assurance burden on providers by avoiding bespoke questionnaires from each customer.

Microsoft and the ENISA IAF

The ENISA Information Assurance Framework is based on the broad classes of controls from ISO/IEC 27001, the international information security management standard, and the Cloud Security Alliance (CSA) Cloud Controls Matrix (CCM) v3.0.1. The CCM is a controls framework covering fundamental security principles across 16 domains to help cloud customers assess the overall security risk of a cloud service provider (CSP).

For the CSA STAR self-assessment, Microsoft submitted a report documenting Microsoft Azure compliance with the CSA CCM. (Microsoft also publishes a completed Consensus Assessments Initiative Questionnaire (CAIQ) for Azure.) Because the ENISA IAF is built on the same classes of controls as the CCM, that self-assessment also documents how Azure aligns with the ENISA IAF.

Azure compliance is listed on the CSA STAR Registry, a free publicly accessible registry where CSPs publish their CSA-related assessments. There, Azure also maintains a formal CSA STAR Certification and CSA STAR Attestation.

Because these self-assessment reports are publicly available, Azure customers gain visibility into Microsoft security practices and can compare CSPs against the same baseline rather than relying on provider-specific claims.

Microsoft in-scope cloud services

Audits, reports, and certificates

Microsoft attests to Azure compliance with the CSA CCM framework based on self-assessment, aligning services with the