Explore compliance terms and requirements

In this unit, you learn about the types of compliance offerings that are available on Azure.

As Tailwind Traders moves to running its applications in the cloud, it wants to know how Azure adheres to applicable regulatory compliance frameworks. The company asks:

  • How compliant is Azure when it comes to handling personal data?
  • How compliant are each of Azure's individual services?

Microsoft's online services build upon a common set of regulatory and compliance controls. Think of a control as a known good standard that you can compare your solution against to ensure security. These controls address today's regulations and adapt as regulations evolve.

Which compliance categories are available on Azure?

Although there are many more, the following image shows some of the more popular compliance offerings that are available on Azure. These offerings are grouped under four categories: Global, US Government, Industry, and Regional.

A screenshot of some of the Azure compliance offerings grouped under categories of Global, US Government, Industry, and Regional.

To get a sense of the variety of the compliance offerings available on Azure, let's take a closer look at a few of them.

While not all of these compliance offerings will be relevant to you or your team, they show that Microsoft's commitment to compliance is comprehensive, ongoing, and independently tested and verified.

Criminal Justice Information Service

Any US state or local agency that wants to access the FBI's Criminal Justice Information Services (CJIS) database is required to adhere to the CJIS Security Policy.

Azure is the only major cloud provider that contractually commits to conformance with the CJIS Security Policy. Microsoft adheres to the same requirements that law enforcement and public safety entities must meet.

Cloud Security Alliance STAR Certification

Azure, Intune, and Microsoft Power BI have obtained Cloud Security Alliance (CSA) STAR Certification, which involves a rigorous independent third-party assessment of a cloud provider's security posture.

STAR Certification is based on achieving International Organization of Standards/International Electrotechnical Commission (ISO/IEC) 27001 certification and meeting criteria specified in the Cloud Controls Matrix (CCM). This certification demonstrates that a cloud service provider:

  • Conforms to the applicable requirements of ISO/IEC 27001.
  • Has addressed issues critical to cloud security as outlined in the CCM.
  • Has been assessed against the STAR Capability Maturity Model for the management of activities in CCM control areas.

European Union Model Clauses

Microsoft offers customers European Union (EU) Standard Contractual Clauses that provide contractual guarantees around transfers of personal data outside of the EU.

Microsoft is the first company to receive joint approval from the EU's Article 29 Working Party that the contractual privacy protections Azure delivers to its enterprise cloud customers meet current EU standards for international transfers of data. Meeting this standard ensures that Azure customers can use Microsoft services to move data freely through Microsoft's cloud, from Europe to the rest of the world.

Health Insurance Portability and Accountability Act

The Health Insurance Portability and Accountability Act (HIPAA) is a US federal law that regulates patient Protected Health Information (PHI).

Azure offers customers a HIPAA Business Associate Agreement (BAA), which stipulates adherence to certain security and privacy provisions in HIPAA and the HITECH Act. To assist customers in their individual compliance efforts, Microsoft offers a BAA to Azure customers as a contract addendum.

International Organization of Standards/International Electrotechnical Commission 27018

Microsoft is the first cloud provider to have adopted the ISO/IEC 27018 code of practice, which covers the processing of personal information by cloud service providers.

Multi-Tier Cloud Security Singapore

After rigorous assessments conducted by the Multi-Tier Cloud Security (MTCS) Certification Body, Microsoft cloud services received MTCS 584:2013 Certification across all three service classifications:

  • Infrastructure as a service (IaaS)
  • Platform as a service (PaaS)
  • Software as a service (SaaS)

Microsoft is the first global cloud solution provider to receive this certification across all three classifications.

Service Organization Controls 1, 2, and 3

Microsoft-covered cloud services are audited at least annually against the Service Organization Controls (SOC) report framework by independent third-party auditors.

The Microsoft cloud services audit covers controls for data security, availability, processing integrity, and confidentiality as applicable to in-scope trust principles for each service.

National Institute of Standards and Technology Cybersecurity Framework

National Institute of Standards and Technology (NIST) Cybersecurity Framework (CSF) is a voluntary framework that consists of standards, guidelines, and best practices to manage cybersecurity-related risks.

Microsoft cloud services have undergone independent, third-party Federal Risk and Authorization Management Program (FedRAMP) Moderate and High Baseline audits. Microsoft cloud services certified according to the FedRAMP standards.

Additionally, through a validated assessment performed by the Health Information Trust Alliance (HITRUST), a leading security and privacy standards development and accreditation organization, Office 365 is certified to the objectives specified in the NIST CSF.

United Kingdom Government G-Cloud

The United Kingdom (UK) Government G-Cloud is a cloud computing certification for services used by government entities in the United Kingdom. Azure has received official accreditation from the UK government.