Learn about the Microsoft policy framework

Security and compliance efforts across Microsoft are governed by the Microsoft Policy Framework. The Microsoft Policy Framework is an enterprise-wide governance program to manage corporate and regulatory policies, ensuring alignment with compliance obligations and customer commitments. The Microsoft Policy Framework includes standards, policies, and procedures, all of which work together to protect the confidentiality, integrity, and availability of our services.

Microsoft Policy Framework

The Microsoft policy governance framework consists of the following elements:

  • Standards of Business Conduct (SBC): The SBC contains Microsoft's commitment to ethical business practices and complying with the law. The SBC is overseen by the Audit Committee of the Board of Directors and administered by the Office of Legal Compliance.
  • Corporate Policies: Corporate policies are mandatory requirements for employee conduct derived from the SBC or a legal or accounting obligation. The Corporate Policy Committee approves corporate policies, their categories, and the executive leaders of each policy category.
  • Corporate Procedures: Corporate procedures set forth the mandatory steps employees must take to comply with a corporate policy. Corporate procedures are created by the owners of the corporate policies they implement.

Microsoft's standards, policies, and procedures align with and are informed by industry standards, such as those published by the International Organization for Standardization (ISO) and the National Institute of Standards and Technology (NIST). Policy framework documentation is updated on a regular cadence so that the framework remains aligned with external guidance. Framework documentation is stored in a central location accessible to all employees from the intranet and is organized by category and subject to enable frequent consultation.

The Microsoft Policy Framework includes various policies and procedures. One example of a corporate policy is Microsoft's Privacy Policy for protecting customer and personal data. The Framework also includes the Microsoft Security Policy and Standards Program, which provides security objectives, standards, and requirements that must be implemented across the enterprise. While we will focus on the Microsoft Security Policy and Standards Program in the following units, keep in mind that this is just one of many corporate policies maintained and enforced within the Microsoft Policy Framework.