Achieve compliance obligations in the public sector


To address the needs of customers across regulated markets worldwide, Azure has a comprehensive compliance portfolio. The compliance coverage is based on formal third-party certifications and other types of assurance documents to help customers meet their own compliance obligations.

Compliance coverage with Azure

Azure has the broadest compliance coverage in the industry, including key independent certifications and attestations such as ISO 27001, ISO 27017, ISO 27018, ISO 22301, ISO 9001, ISO 20000-1, SOC 1/2/3, PCI DSS Level 1, PCI 3DS, HITRUST, CSA STAR Certification, CSA STAR Attestation, US FedRAMP High, Australia IRAP, Germany C5, Japan CS Gold Mark, Singapore MTCS Level 3, Spain ENS High, UK G-Cloud and Cyber Essentials Plus, and many more. The Azure compliance portfolio includes more than 100 compliance offerings spanning globally applicable certifications, US Government-specific programs, industry assurances, and country/region-specific offerings. Government customers can use these offerings when they address their own compliance obligations across regulated industries and markets worldwide.

When deploying applications to Azure that are subject to regulatory compliance obligations, customers need to be confident that the cloud service provider's audit scope includes the services they're using. With a high number of cloud services within the audit scope for each Azure certification, Azure offers industry-leading depth of compliance coverage. Customers can build and deploy real-world applications and benefit from the wide compliance coverage provided by Azure's independent third-party audits.

Azure Stack Hub also provides compliance documentation to help customers integrate Azure Stack Hub into solutions that address regulated workloads. Customers can download the following Azure Stack Hub compliance documents:

  • PCI DSS assessment report produced by a third-party Qualified Security Assessor.
  • Cloud Security Alliance (CSA) Cloud Controls Matrix (CCM) assessment report, including Azure Stack control mapping to CCM domains and controls.
  • FedRAMP High System Security Plan (SSP) precompiled template to demonstrate how Azure Stack addresses applicable controls, Customer Responsibility Matrix for FedRAMP High baseline, and FedRAMP assessment reports produced by an independent Third-Party Assessor Organization (3PAO).

Azure Blueprints

Azure Blueprints is a service that helps automate compliance and cybersecurity risk management in cloud environments. For more information on Azure Blueprints, including production-ready blueprint solutions for ISO 27001, NIST SP 800-53, and other standards, see the Azure Blueprint guidance.

Azure compliance and certification resources are intended to help customers address their own compliance obligations with various regulations. Some governments across the world have already established cloud adoption mandates for their agencies and the corresponding regulation to encourage cloud onboarding. However, there are many government customers that operate traditional on-premises datacenters and are still creating their cloud adoption strategy. Azure's extensive compliance portfolio can help customers no matter what their cloud adoption maturity level is.

Transparency and audit

Microsoft makes all independent third-party audit reports and other related documentation available to customers to download and examine from the Service Trust Portal. It also offers a Regulator Right to Examine, a program Microsoft implemented to provide regulators with a direct right to examine Azure. This right includes the ability to conduct an on-site examination, to meet with Microsoft personnel and Microsoft's external auditors, and to access any related information, records, reports, and documents.

Next, let's explore a few select workloads and use cases for Azure in the public sector.