ISO 22301:2012 Business Continuity Management Standard
ISO 22301 overview
The International Organization for Standardization (ISO) is an independent nongovernmental organization and the world’s largest developer of voluntary international standards. The ISO formed the TC 223 Societal Security technical committee to develop standards for protecting society, including organizations, if catastrophes such as a natural disaster, major terrorist attack, or the shutdown of power grids occur.
Published in 2012 by the technical committee, ISO 22301:2012 is the first international standard for management systems that help ensure business continuity. ISO 22301 is the premium standard for business continuity, and certification demonstrates conformance to rigorous practices to prevent, mitigate, respond to, and recover from disruptive incidents.
Microsoft and ISO 22301
Microsoft is the first hyperscale cloud service provider to receive the ISO 22301 certification for business continuity management. An independent certification body awarded this certification to Microsoft Azure, Microsoft Azure Government, Microsoft Office 365 (including Commercial, Government, and Education offerings), Microsoft Cloud App Security, Microsoft Intune, and Microsoft Power BI after a stringent audit covering all aspects of their business continuity processes. The audit covered the in-scope services listed below and Azure management features, the Azure Portal, and the systems used to monitor, operate, and update the in-scope services.
Microsoft in-scope cloud services
- Azure, Azure Government, and Azure Germany
- Microsoft Cloud App Security
- Dynamics 365, Dynamics 365 Government, and Dynamics 365 Germany
- Microsoft Defender Advanced Threat Protection
- Microsoft Graph
- Microsoft Healthcare Bot
- Microsoft Managed Desktop
- Power Automate (formerly Microsoft Flow) cloud service either as a standalone service or as included in an Office 365 or Dynamics 365 branded plan or suite
- Office 365 Commercial, Government, and Education
- PowerApps cloud service either as a standalone service or as included in an Office 365 or Dynamics 365 branded plan or suite
- Power BI cloud service either as a standalone service or as included in an Office 365 branded plan or suite
- Power BI Embedded
Audits, reports, and certificates
- Azure, Dynamics 365, and Online Services: ISO22301 Certificate
- Azure, Dynamics 365, and Online Services: ISO22301 Assessment Report
- BSI 22301 Microsoft Office 365 Certificate
- BSI 22301 Microsoft Office 365 Stage 2 Addendum
- Office 365 ISO 22301 Stage 2 Report
Frequently asked questions
Why is Microsoft compliance with ISO 22301 important?
ISO 22301 is a certification used by enterprises and governmental organizations to show their commitment to serving their customers by achieving the highest available international standard for business continuity management. ISO 22301 is a comprehensive standard that demonstrates the highest level of commitment to business continuity and disaster preparedness.
Where can I get the ISO 22301 audit reports and scope statements for Microsoft services?
The Service Trust Portal provides independently audited compliance reports, so that your auditors can compare Microsoft's cloud services results with your own legal and regulatory requirements.
Can I use ISO 22301 compliance of Microsoft services in my organization’s certification?
Yes. If your business requires ISO 22301 certification for implementations deployed on Microsoft services, you can use the Azure and Office 365 certifications in your compliance assessment. You are responsible, however, for engaging an assessor to evaluate the controls, processes, and implementation for ISO 22301 compliance within your own organization and for your own applications.
Use Microsoft Compliance Manager to assess your risk
Microsoft Compliance Manager is a feature in the Microsoft 365 compliance center that helps you understand your organization's compliance posture and take actions to help reduce risks. Compliance Manager offers a premium template for building an assessment for this regulation. Find the template on the assessment templates page in Compliance Manager. Learn how to build assessments in Compliance Manager.
- ISO 22301:2012 standard (for purchase)
- Azure resiliency technical guidance (Explains the Azure shared responsibility model for business continuity.)
- Microsoft Common Controls Hub Compliance Framework
- Microsoft Online Services Terms
- Microsoft Enterprise Business Continuity Management Program Description
- Compliance Score
- Compliance on the Microsoft Trust Center