ISO/IEC 27001:2013 overview
ISO/IEC 27000 family of standards provide a framework for policies and procedures that include legal, physical, and technical controls involved in an organization’s information risk management processes. ISO/IEC 27001:2013 is a security standard that formally specifies an Information Security Management System (ISMS) that is intended to bring information security under explicit management control. As a formal specification, it mandates requirements that define how to implement, monitor, maintain, and continually improve the ISMS. It also prescribes a set of best practices that include documentation requirements, divisions of responsibility, availability, access control, security, auditing, and corrective and preventive measures. Certification to ISO/IEC 27001:2013 helps organizations comply with numerous regulatory and legal requirements that relate to information security.
ISO/IEC 27001:2013 specifies the requirements for implementing, maintaining, monitoring, and continually improving the ISMS. ISO/IEC 27002:2013 provides guidelines and best practices for information security management; however, an organization can't get certified against ISO/IEC 27002:2013 because it isn't a management standard. The audit vehicle is ISO/IEC 27001:2013, which relies on detailed guidelines in ISO/IEC 27002:2013 for control implementation.
Azure and ISO/IEC 27001
Microsoft Azure, Dynamics 365, and other Microsoft online services undergo regular independent third-party audits for ISO/IEC 27001 compliance. You can review the Azure ISO/IEC 27001 certificate and audit report for more information.
For extra customer assistance, Microsoft provides the Azure Policy regulatory compliance built-in initiatives for Azure and Azure Government, which map to ISO/IEC 27001 compliance domains and controls:
- ISO/IEC 27001 Azure regulatory compliance built-in initiative
- ISO/IEC 27001 Azure Government regulatory compliance built-in initiative
Regulatory compliance in Azure Policy provides built-in initiative definitions to view a list of controls and compliance domains based on responsibility – customer, Microsoft, or shared. For Microsoft-responsible controls, we provide extra audit result details based on third-party attestations and our control implementation details to achieve that compliance. Each ISO/IEC 27001 control is associated with one or more Azure Policy definitions. These policies may help you assess compliance with the control; however, compliance in Azure Policy is only a partial view of your overall compliance status. Azure Policy helps to enforce organizational standards and assess compliance at scale. Through its compliance dashboard, it provides an aggregated view to evaluate the overall state of the environment, with the ability to drill down to more granular status.
- Azure Government
- Azure China (for more information, see Trust Center documentation)
Services in scope
For a list of Microsoft online services in audit scope, see Microsoft Azure Compliance Offerings or the Azure ISO/IEC 27001 certificate:
- Dynamics 365
- Microsoft 365
- Power Platform
For Azure DevOps, see the standalone Azure DevOps ISO/IEC 27001 certificate.
Office 365 and ISO/IEC 27001
For more information about Office 365 compliance, see Office 365 ISO/IEC 27001 documentation.
Microsoft Professional Services compliance
For more information about Microsoft Professional Services compliance, see Microsoft Professional Services documentation.
Audit reports and certificates
The Azure ISO/IEC 27001 certificate covers Azure, Dynamics 365, select Microsoft 365, and Power Platform online services. You can access Azure ISO/IEC 27001 audit documents from the Service Trust Portal (STP) Audit Reports – ISO Reports section. You must sign in to access audit reports on the STP. For more information, see Get started with the Microsoft Service Trust Portal.
The Azure DevOps ISO/IEC 27001 certificate is available separately from the Service Trust Portal Audit Reports - ISO Reports section.
Frequently asked questions
Why is ISO/IEC 27001 certification important? Compliance with ISO/IEC 27001, certified by an accredited auditor, demonstrates that Azure uses internationally recognized processes and best practices to manage the infrastructure and organization that support and deliver its services. The certificate validates that Microsoft has implemented the guidelines and general principles for initiating, implementing, maintaining, and improving the management of information security.
Where can I get the Azure ISO/IEC 27001 audit documentation? For links to audit documentation, see Audit reports and certificates. You must have an existing subscription or free trial account in Azure or Azure Government to sign in. You can then download audit certificates, assessment reports, and other applicable documents to help you with your own regulatory requirements.
Can I use the Azure ISO/IEC 27001 compliance assurances in my organization’s certification process? Yes. If your business is seeking certification for an implementation deployed using in-scope services, you can use the relevant Azure certifications in your compliance assessment. However, you're responsible for engaging an assessor to evaluate your implementation for compliance and for the controls and processes within your own organization.
What resources does Microsoft provide to help customers with their certification process? Aside from the Azure ISO/IEC 27001 audit report and certificate, Microsoft provides the Azure Policy regulatory compliance built-in initiatives for Azure and Azure Government, which map to ISO/IEC 27001 compliance domains and controls. Azure Policy helps to enforce organizational standards and assess compliance at scale.
- Azure compliance documentation
- Azure enables a world of compliance
- Microsoft 365 compliance offerings
- Compliance on the Microsoft Trust Center
- Microsoft Product Terms (formerly Online Services Terms)
- Microsoft Products and Services Data Protection Addendum (DPA)
- 13 Effective Security Controls for ISO 27001 Compliance
- ISO/IEC 27001:2013 (available for purchase)
- ISO/IEC 27002:2013 (available for purchase)