At Microsoft, we care deeply about supporting compliance with specific standards and regulations related to data security and privacy as required by our customers in various geographies and industries. We consider compliance a core feature of our services, and we make significant investments in this area to ensure that we are continuously innovating on compliance as we do with all the other aspects of Office 365. To this end, we are announcing two new additions to our compliance capabilities—ISO 27018 and HITRUST.
ISO 27018 compliance
We are pleased to announce that in our most recent ISO 27001 audit, an independent auditor validated that we incorporated controls that comply with the ISO 27018 standard for protection of personally identifiable information (PII) in public clouds. There are three big commitments enabled by these controls:
- Office 365 is “advertising-free,” so customers don’t have to worry that the data they put into Office 365 is used for advertising or marketing purposes;
- There are defined policies for the return, transfer and secure disposal of PII; and
- Office 365 proactively discloses the identities of sub-processors.
HITRUST compliance
We are also pleased to announce that the Office 365 team, in partnership with an independent assessor, completed an assessment to evaluate our compliance with HITRUST. Viewed as an important standard by U.S. healthcare organizations, HITRUST has established the Common Security Framework (CSF), a certifiable framework that can be used by any and all organizations that create, access, store or exchange personal health and financial information. HITRUST has a rating scheme to assess an organization’s security management program, in which an organization’s developmental advancement is measured by one of five maturity levels. The rating is an indicator of an organization’s ability to protect information in a sustainable manner. An independent auditor evaluated the Microsoft security program overall at a Level 5 rating, which is the highest possible rating.
These two announcements further demonstrate our commitment as a cloud service provider to build privacy as a foundational component of our services.
We understand that security and compliance are extremely important to our customers, so we make them a core part of how we design and manage the service. As we rapidly innovate in productivity services with Office 365, we will continue to invest in making Office 365 a service that is highly secure and compliant with global as well as regional and industry-specific standards and regulations. You can learn more about security and compliance in Office 365 by visiting the Office 365 Trust Center.
Frequently asked questions
Q. What is ISO 27018?
A. ISO/IEC 27018 establishes commonly accepted control objectives, controls and guidelines for implementing measures to protect personally identifiable information (PII) in accordance with the privacy principles in ISO/IEC 29100 for the public cloud computing environment.
Q. What is HITRUST?
A. Developed in collaboration with healthcare and information security professionals, the HITRUST CSF rationalizes healthcare-relevant regulations and standards into a single overarching security framework. HITRUST leverages the concepts and rating scheme of the NISTIR 7358 standard – Program Review for Information Security Management Assistance (PRISMA) – to assess an organization’s security management program. The methodology is a proven, scalable process for evaluating an organization’s information security program. The structure of a PRISMA Review is based upon the Software Engineering Institute’s (SEI) former Capability Maturity Model (CMM), in which an organization’s developmental advancement is measured by one of five maturity levels. The rating is an indicator of an organization’s ability to protect information in a sustainable manner.
—Greg Roberts is the group principal program manager for Office 365 Trust Team.
—Vijay Kumar is the senior product manager for Office 365 Security and Compliance.