ISO/IEC 27001:2013 Information
Security Management Standards
Azure Dynamics CRM
Online
Helpful information
Audit cycle
BSI audits Microsoft cloud services
once a year.
The ISO 27000 Directory
www.27000.org/index.htm
ISO/IEC 27001:2013 standard
Purchase it at
aka.ms/Iso-catalogue.
Compliance certificates
Azure:
aka.ms/Azure-BSI-Cert
Dynamics CRM Online:
aka.ms/Dynamics-CRM-
Online-Cert
Office 365:
aka.ms/Office365-Cert
BSI case study
Microsoft Sets a High Bar for
Information Security
pages.bsigroup.com/l/73472/
2015-07-24/v9btr
Microsoft Online Services Terms
aka.ms/Online-Services-Terms
Microsoft Cloud for Government
aka.ms/govt-cloud
Microsoft Cloud Trust Center
www.microsoft.com/trustcenter
For more information
Customers: Contact your
Microsoft account representative.
Potential customers: Go to
support.microsoft.com/contactus.
Intune Office 365 Dynamics CRM Office 365
Online Government U.S. Government
The International Organization for Standardization (ISO) is an independent
nongovernmental organization and the worlds largest developer of
voluntary international standards. The International Electrotechnical
Commission (IEC) is the worlds leading organization for the preparation and
publication of international standards for electrical, electronic, and related
technologies. Published under the joint ISO/IEC subcommittee, the
ISO/IEC 27000 family of standards outlines hundreds of controls and control
mechanisms to help organizations of all types and sizes keep information
assets secure. These global standards provide a framework for policies and
procedures that include all legal, physical, and technical controls involved in
an organizations information risk management processes.
ISO/IEC 27001 is a security standard that formally specifies an Information
Security Management Systems (ISMS) that is intended to bring information
security under explicit management control. Being a formal specification
means that it mandates specific requirements, defining how to implement,
monitor, maintain, and continually improve the ISMS. It also specifies a set
of best practices that include requirements for documentation, divisions of
responsibility, availability, access control, security, auditing, and corrective
and preventive measures. Certification to ISO/IEC 27001 helps organizations
comply with numerous regulatory and legal requirements that relate to the
security of information.
The international acceptance and applicability of ISO/IEC 27001one of the
most widely recognized certifications for a cloud serviceis a key reason
why certification to this standard is a foundation of Microsofts approach to
information security. In 2009, the company received its first ISO/IEC 27001
certification for Microsoft Cloud Infrastructure and Operations (formerly
Global Foundation Services), which provides datacenters and networking
for Microsoft cloud services. Currently, Microsofts cloud infrastructure and
solutions are audited once a year for ISO/IEC 27001 compliance by the
British Standards Institution (BSI), an accredited certification body, providing
independent validation that Microsoft has implemented security controls
end-to-end.
In addition, Microsofts cloud services were the first to adopt ISO/IEC
27018:2014, the first international code of practice for cloud privacy. This
extension of the ISO 27001 standard sets a uniform international approach
to protecting the privacy of personal data in the cloud, and governs the
handling of personally identifiable information (PII) by cloud services
providers acting as PII processors.
 Frequently asked questions
Q. Why is compliance with ISO/IEC 27001 important?
Compliance with these standards, confirmed by an accredited auditor, demonstrates that
Microsoft uses internationally recognized processes and best practices to manage the
infrastructure and organization that support and deliver its cloud services. The certificate
validates that Microsoft has implemented the guidelines and general principles for initiating,
implementing, maintaining, and improving the management of information security.

Q. Where can I get the ISO/IEC 27001 audit reports and scope statements for Microsoft cloud
services?
To request copies, customers can contact their Microsoft account representative; potential
customers can go to support.microsoft.com/contactus.

Q. Which services are in scope for ISO/IEC 27001?

Certified services include:
Microsoft Azure: Virtual Machines, Cloud Services, Batch, Web Apps, Mobile Services,
Notification Hub, Storage (Blobs, Tables, Queues), SQL Database, Virtual Network,
Traffic Manager, Workflow Manager, ExpressRoute, Service Bus, BizTalk Services, Active
Directory, Multi-Factor Authentication, Rights Management Service, Media Services, and
Scheduler.

Microsoft Dynamics CRM Online and Microsoft Dynamics CRM Online Government.
Microsoft Intune.
Microsoft Office 365 and Microsoft Office 365 U.S. Government: Exchange Online,
Exchange Online Archiving, Exchange Online Protection, Advanced Threat Protection,
SharePoint Online, OneDrive for Business, Project Online, Skype for Business Online,
Office Online, and Yammer.

Q. Does Microsoft run annual tests for infrastructure failures?

Yes. The annual ISO/IEC 27001 certification process for the Microsoft Cloud Infrastructure and
Operations group includes an audit for operational resiliency.

Q. Can I leverage the ISO/IEC 27001 compliance of Microsofts cloud services in my

organizations certification?
Yes. If your business requires ISO/IEC 27001 certification for implementations deployed
on Azure, you can use the applicable certification in your compliance assessment. You
are responsible, however, for engaging an assessor to evaluate your implementation for
compliance and for the controls and processes within your own organization.

Q. Where do I start my organizations own ISO/IEC 27001 compliance effort?

Adopting ISO/IEC 27001 is a strategic commitment. As a starting point, consult the
ISO/IEC 27000 Directory.