Risk management overview
How does Microsoft assess and manage risk across the enterprise?
Risk management is the process of identifying, assessing, and responding to threats or events that can impact Company or customer objectives. Risk management at Microsoft is designed to anticipate new threats and provide ongoing security for our cloud systems and the customers who use them.
Microsoft's risk management aligns with the Enterprise Risk Management (ERM) framework. ERM enables the overall enterprise risk management process and works with management across the enterprise to identify and ensure accountability for Microsoft's most significant risks.

Microsoft ERM enables common risk management principles across the enterprise so business units can independently facilitate consistent and comparative risk assessments. This coordination gives Microsoft the ability to aggregate and report risk information in a consolidated manner for management. ERM provides business units in Microsoft with common methodologies, tools, and goals for the risk management process. Microsoft 365 and other engineering groups and business units use these tools to conduct individual risk assessments as part of their own risk management programs under the guidance of ERM.
How do Microsoft online services work with ERM?
Each online service follows ERM guidance to manage risks across Microsoft services. The program focuses on aligning the ERM framework with existing Microsoft engineering, service operations, and compliance processes, making the Risk Management program more effective and efficient. Each online service's risk management activities ultimately roll up into and inform the ERM process.
As part of risk assessment activities, each online service analyzes design and operating effectiveness of controls implemented as part of the Microsoft Controls Framework (Framework). The Framework is a rationalized set of controls that, when properly implemented along with supporting compliance activities, allows engineering teams to comply with key regulations and certifications.
Related external regulations & certifications
Microsoft's online services are regularly audited for compliance with external regulations and certifications. Refer to the following table for validation of controls related to risk management.
Azure and Dynamics 365
| External audits | Section | Latest report date |
|---|---|---|
| ISO 27001/27002 Statement of Applicability Certificate | A.5: Information security policies | December 3, 2021 |
| ISO 27017 Statement of Applicability Certificate | A.5: Information security policies | December 3, 2021 |
| ISO 27018 Statement of Applicability Certificate | A.5: Information security policies | December 3, 2021 |
| ISO 22301 Certificate | 6.1.1: Determining risks and opportunities<br>6.1.2: Addressing risks and opportunities | June 21, 2021 |
| SOC 1<br>SOC 2<br>SOC 3 | SOC2-26: Annual risk assessment | September 30, 2021<br>November 12, 2021<br>November 12, 2021 |
Office 365
| External audits | Section | Latest report date |
|---|---|---|
| FedRAMP | CA-2: Security assessments<br>CA-5: Plan of action and milestones<br>RA-3: Risk assessment | September 24, 2021 |
| ISO 27001/27002/27017<br>Statement of Applicability<br>Certification (27001/27002)<br>Certification (27017) | A.5: Information security policies | March 2022 |
| SOC 1 | CA-03: Risk management | September 30, 2021 |
| SOC 2 | CA-02: Governance, risk, and compliance team responsibilities<br>CA-03: Risk management<br>CA-17: Microsoft security policy<br>CA-24: Internal risk assessment | September 30, 2021 |