In keeping with our commitment to provide customers the utmost transparency, we have released a detailed overview of how Office 365 controls map to the security, privacy, compliance and risk management controls defined in the Cloud Security Alliance Cloud Control Matrix (CSA CCM).
The Cloud Security Alliance (CSA) is a nonprofit organization led by a broad coalition of industry practitioners, associations, governments and corporate and individual members who are dedicated to defining and raising awareness of best practices that help ensure a secure cloud computing environment. The CSA CCM Security, Trust & Assurance Registry (STAR) is considered the gold standard when performing risk assessments and due diligence on cloud service providers. As part of our efforts to provide customers with in-depth insights into our security, compliance and privacy controls, we regularly publish self-assessments of Microsoft Azure, Microsoft Dynamics CRM Online and Office 365.
The CCM details operational concepts and principles relating to security and privacy that span 16 IT operational domains (shown below). The mapping document clearly demonstrates how the Office 365 controls address the CSA operational concepts and recommendations as noted below. We hope this helps you efficiently perform your Office 365 due diligence when evaluating Office 365, onboarding Office 365 or renewing your subscriptions.
CSA CCM — IT cloud domains
- Application and interface security
- Audit assurance and compliance
- Business continuity management and operational resilience
- Change control and configuration management
- Datacenter security
- Data security and information lifecycle management
- Encryption and key management
- Governance and risk management
- Human resources
- Identity and access management
- Infrastructure and virtualization security
- Interoperability and portability
- Mobile security
- Threat and vulnerability management
- Supply chain management, transparency and accountability
- Security incident management, eDiscovery and cloud forensics
The CCM standardizes security and operational risk management controls and procedures and seeks to normalize security expectations, cloud taxonomies and terminologies, as well as generally improve security measures implemented in the cloud. The CCM responses included in the document also align with our ISO 27001, 27018 and SOC attestations and are scoped to the following Office 365 services that are hosted in Microsoft datacenters:
- Exchange Online
- Exchange Online Protection
- SharePoint Online including OneDrive for Business
- Skype for Business
- Office Online
- Office Services Infrastructure
- Suite User Experience
- Domain Name Service
- Security Workload Environment
You can download the document at Office 365 Mapping of Cloud Security Alliance Cloud Control Matrix. If you are interested in more in-depth security, compliance and privacy-related information about Microsoft Cloud Services (Office 365, Microsoft Azure and Microsoft Dynamics CRM Online), sign in to the Service Trust Portal—onboarding instructions for the Service Trust Portal are at O365 Service Trust.
Feel free to send feedback and comments on the Office 365 Mapping of CSA CCM to firstname.lastname@example.org.
—Office 365 CXP and Trust team