Microsoft maintains a team of security, privacy, and compliance experts who help Azure meet its own compliance obligations. The compliance team also represents the "customer voice," working with Microsoft engineering and operations teams as well as external regulatory bodies to help ensure customers' needs are met.
Microsoft invests heavily in the development of robust and innovative compliance processes. The Microsoft compliance framework for online services maps controls to multiple regulatory standards. This enables Microsoft to design and build services using a common set of controls, streamlining compliance across a range of regulations today and as they evolve.
Microsoft compliance processes also make it easier for customers to achieve compliance across multiple services and meet their changing needs efficiently. Together, security-enhanced technology and effective compliance processes enable Microsoft to maintain and expand a rich set of third-party certifications. These certifications help customers demonstrate compliance readiness to their own customers, auditors, and regulators.
As part of its commitment to transparency, Microsoft shares third-party verification results with its customers.
For more details on the scope of compliance certifications, visit the Azure Trust Centre. It is important to note that Microsoft generally treats verifications as a baseline and frequently goes far beyond them in its commitment to deliver trustworthy, compliance-ready services.
Microsoft participates in industry-wide transparency initiatives, especially through its association with the Cloud Security Alliance (CSA).
An independent industry organization, the CSA has developed a controls framework called the Cloud Controls Matrix (CCM).
The CCM provides organizations with:
that incorporates cloud services. Microsoft publishes information about how it addresses the CSA CCM in the publicly accessible CSA Security, Trust & Assurance Registry (STAR).
Microsoft gives Complyfile free tools that help us achieve compliance on our own terms, such as the Cloud Risk Decision Framework and Cloud Risk Assessment models, both of which are based on the globally recognized Enterprise Risk Management standard ISO 31000.
Organizations wishing to evaluate their IT security state, evaluate the benefits of cloud computing, and plan for adoption can use the Cloud Security Readiness Tool. Using the answers to a few short questions, it generates a report tailored to the needs of the organization.