ISO/IEC 27001:2013 overview
ISO/IEC 27000 family of standards provide a framework for policies and procedures that include legal, physical, and technical controls involved in an organization’s information risk management processes. ISO/IEC 27001:2013 is a security standard that formally specifies an Information Security Management System (ISMS) that is intended to bring information security under explicit management control. As a formal specification, it mandates requirements that define how to implement, monitor, maintain, and continually improve the ISMS. It also prescribes a set of best practices that include documentation requirements, divisions of responsibility, availability, access control, security, auditing, and corrective and preventive measures. Certification to ISO/IEC 27001:2013 helps organizations comply with numerous regulatory and legal requirements that relate to information security.
ISO/IEC 27001:2013 specifies the requirements for implementing, maintaining, monitoring, and continually improving the ISMS. ISO/IEC 27002:2013 provides guidelines and best practices for information security management; however, an organization cannot get certified against ISO/IEC 27002:2013 because it is not a management standard. The audit vehicle is ISO/IEC 27001:2013, which relies on detailed guidelines in ISO/IEC 27002:2013 for control implementation.
Azure and ISO/IEC 27001
Microsoft Azure, Dynamics 365, and other Microsoft online services undergo regular independent third-party audits for ISO/IEC 27001 compliance. You can review the Azure ISO/IEC 27001 certificate and audit report for more information.
Moreover, Microsoft provides Azure Blueprints, which is a service that helps customers deploy and update cloud environments in a repeatable manner using composable artifacts such as Azure Resource Manager templates to provision resources, role-based access controls, and policies. Resources provisioned through Azure Blueprints adhere to an organization’s standards, patterns, and compliance requirements. The overarching goal of Azure Blueprints is to help automate compliance and cybersecurity risk management in cloud environments. To help customers deploy a core set of policies for any Azure-based architecture that must implement ISO/IEC 27001 controls, Azure has released the Azure Blueprint for ISO/IEC 27001. When assigned to an architecture, resources are evaluated by Azure Policy for compliance with assigned policy definitions.
- Azure Government
- Azure China (for more information, see Trust Center documentation)
Services in scope
Microsoft online services in scope are shown on the Azure ISO/IEC 27001 certificate:
- Azure (for detailed insight, see Microsoft Azure Compliance Offerings or Azure ISO/IEC 27001 certificate)
- Azure DevOps (see separate Azure DevOps ISO/IEC 27001 certificate)
- Dynamics 365 (for detailed insight, see Azure ISO/IEC 27001 certificate)
- Microsoft 365 Defender (formerly Microsoft Threat Protection, not in scope for Azure Government)
- Microsoft Bing for Commerce (not in scope for Azure Government)
- Microsoft Cloud App Security
- Microsoft Defender for Endpoint (formerly Microsoft Defender Advanced Threat Protection)
- Microsoft Graph
- Microsoft Intune
- Microsoft Managed Desktop (not in scope for Azure Government)
- Microsoft Stream
- Microsoft Threat Experts (not in scope for Azure Government)
- Power Apps
- Power Automate (formerly Microsoft Flow)
- Power BI
- Power BI Embedded
- Power Virtual Agents (not in scope for Azure Government)
- Universal Print (not in scope for Azure Government)
Office 365 and ISO/IEC 27001
For more information about Office 365 compliance, see Office 365 ISO/IEC 27001 documentation.
Microsoft Professional Services compliance
For more information about Microsoft Professional Services compliance, see Microsoft Professional Services documentation.
Audit reports and certificates
You can access audit reports and certificates in the Azure or Azure Government portal by navigating to Home > Security Center > Regulatory compliance > Audit reports or using direct links based on your subscription (login required):
Alternatively, you can access Azure ISO/IEC 27001 audit documents via the Service Trust Portal (STP) Audit Reports - ISO Reports section. You must login to access audit reports on the STP. For more information, see Get started with the Microsoft Service Trust Portal.
Azure DevOps ISO/IEC 27001 certificate is available separately from the Service Trust Portal Audit Reports - ISO Reports section.
Frequently asked questions
Why is ISO/IEC 27001 certification important? Compliance with ISO/IEC 27001, certified by an accredited auditor, demonstrates that Azure uses internationally recognized processes and best practices to manage the infrastructure and organization that support and deliver its services. The certificate validates that Microsoft has implemented the guidelines and general principles for initiating, implementing, maintaining, and improving the management of information security.
Where can I get the Azure ISO/IEC 27001 audit documentation? For links to audit documentation, see Audit reports and certificates. You must have an existing subscription or free trial account in Azure or Azure Government to login. You can then download audit certificates, assessment reports, and other applicable documents to help you with your own regulatory requirements.
Can I use the Azure ISO/IEC 27001 compliance assurances in my organization’s certification process? Yes. If your business is seeking certification for an implementation deployed using in-scope services, you can use the relevant Azure certifications in your compliance assessment. However, you are responsible for engaging an assessor to evaluate your implementation for compliance and for the controls and processes within your own organization.
What resources does Microsoft provide to help customers with their certification process? Aside from the Azure ISO/IEC 27001 audit report and certificate, Microsoft provides Azure Blueprints, which enables customers to define a repeatable set of Azure resources that implements and adheres to organization's standards and requirements. For example, Azure Blueprints provides policies to help customers comply with ISO/IEC 27001 requirements. The Azure ISO/IEC 27001 blueprint helps customers deploy a core set of policies for any Azure-deployed architecture that must implement ISO/IEC 27001 controls. Two additional ISO 27001 blueprint samples are available that can help you deploy a foundational architecture and an App Service Environment / Azure SQL Database workload.