
Understand how Microsoft cloud services protect your data and how you can manage data security and compliance for your cloud services.

View answers to frequently asked questions and white papers providing you insights into Microsoft cloud services Security, Privacy, and Compliance.
Azure - Helping Organizations Become Compliant with the EU GDPR This white paper is designed to help you understand how Microsoft Azure can support you in your preparation for GDPR. 2017-05-31
Microsoft Cloud - Accelerate GDPR Compliance with the Microsoft Cloud Understand Microsoft's GDPR commitment and how you can partner with Microsoft to become compliant with GDPR. 2017-05-15
Azure - NERC CIPs and Cloud Computing This white paper discusses common security and isolation concerns pertinent to the electric power utility industry, as well as compliance considerations for NERC (North American Electric Reliability Corporation) CIPs data and workloads deployed to Azure or Azure Government. 2017-05-09
Microsoft Cloud - Supporting your EU GDPR Compliance Journey This white paper addresses the challenges of a mobile-first, cloud-first world with Microsoft EMS. 2017-05-01
Microsoft Cloud - Overview of General Data Protection Regulation (GDPR) This white paper serves as an introduction to GDPR and its key concepts. 2017-05-01
Microsoft Cloud - Guide to enhancing privacy and addressing GDPR with Microsoft SQL Platform This white paper discusses data protection in Microsoft SQL to help address GDPR requirements. 2017-05-01
Dynamics 365 - Security Incident Management Describes the security incident management process used by Microsoft for Dynamics 365. 2017-04-26
Azure - Data Classification for Cloud Readiness This paper is primarily intended for consultants, security specialists, systems architects, and IT professionals who are responsible for planning application or infrastructure development and deployment for their organizations. 2017-04-11
Microsoft Cloud - Assessing Risk in the Microsoft Cloud and Getting Answers to Your Top Questions Get answers to top security, compliance, and privacy questions around Microsoft Cloud. Understand how to perform effective and efficient risk assessment on Microsoft cloud. 2017-04-04
Microsoft Cloud - Deutschland The Data Trustee Model and Cloud Control Center Understand Microsoft Cloud Germany and a description of German data trustee. Learn how operating, controlling, and monitoring is provided in the Microsoft Cloud Germany. Understand the compliance roadmap for the German cloud. 2017-03-28
Office 365 - Defending Against Denial-of-Service Attacks (Japanese) This document talks generally about different types of attacks and how Microsoft defends Office 365 and its network against those attacks. Office 365 uses defense-in-depth security principles to protect against internal and external risks. The network--the communication layer between clients and Office 365--is one of the biggest targets of malicious attacks. This document is in Japanese. 2017-03-27
Office 365 - Security Incident Management (Japanese) This document provides details on how Microsoft handles security incidents in Office 365. This document is in Japanese. 2017-03-27
Office 365 - Data Resiliency (Japanese) This document describes how Microsoft prevents customer data from becoming lost or corrupt in Exchange Online, SharePoint Online, and Skype for Business, and how Office 365 protects customer data from malware and ransomware. This document is in Japanese. 2017-03-20
Office 365 - Tenant Isolation (Japanese) This document describes how Microsoft implements logical isolation of customer data in a tenant within the Office 365 multi-tenant environment. Japanese Version. 2017-03-20
Office 365 - Compliance Framework for Industry Standards and Regulations To help customers with their compliance needs related to Office 365, we have created a compliance framework that is designed to give customers visibility into Office 365 compliance with global, regional and industry standards, and details how customers can control Office 365 services based on compliance needs. 2017-03-07
Azure - Standard Response for Request for Information - Compliance Privacy and Security This response document helps address standard Requests for Information - RFI with which we empower customers to evaluate different offerings in the market place today. Through the mappings available in the CSA-CCM, we can illustrate how Azure has implemented security and privacy controls aligned to other international standards such as ISO-IEC 27001, US Government frameworks including FedRAMP, and industry certifications such as PCI DSS. 2017-03-05
Office 365 - Content Encryption Customer content within Office 365 is protected by a variety of technologies and processes, including various forms of encryption. This document provides details supporting various forms of content encryption in Office 365. 2017-01-23
Office 365 - Data Resiliency This document describes how Microsoft prevents customer data from becoming lost or corrupt in Exchange Online, SharePoint Online, and Skype for Business, and how Office 365 protects customer data from malware and ransomware. 2017-01-09
Office 365 - Security Incident Management This document provides details on how Microsoft handles security incidents in Office 365. 2016-11-29
Azure - Cloud Security Diagnostic Tool This tool was developed to facilitate and expedite risk assessments relating to Microsoft's Azure Services. 2016-11-14
Office 365 - Tenant Isolation This document describes how Microsoft implements logical isolation of customer data in a tenant within the Office 365 multi-tenant environment. 2016-11-09
Office 365 - Administrative Access Controls Provides details on how Microsoft approaches administrative access and the controls that are in place to safeguard the services and processes in Office 365. 2016-09-09
Office 365 - Data Resiliency in Japanese This document describes how Microsoft prevents customer data from becoming lost or corrupt in Exchange Online, SharePoint Online, and Skype for Business, and how Office 365 protects customer data from malware and ransomware. Japanese version. 2016-09-02
Microsoft Cloud - Security Policy in Japanese Microsoft Security Policy applicable across all Microsoft business units including Azure Dynamics CRM Online and Office 365. Japanese version. 2016-09-02
Office 365 - ISO 27001:2013 and ISO 27018:2014 Aligned FAQ in Japanese This document primarily focuses on addressing questions regarding centralized risk management controls that underpin service level or application risk management functionality. This version is in Japanese. 2016-09-02
Office 365 - Controlling Access to Office 365 and Protecting Content on Devices This document describes the Conditional Access (CA) features in Microsoft Office 365 and Microsoft Enterprise Mobility + Security (EMS), and how they are designed with built-in data security and protection to keep company data safe, while empowering users to be productive on the devices they love. It also provides guidance on how to address common concerns around data access and data protection using Office 365 features. 2016-08-25
Office 365 - Privacy This document describes Microsoft's privacy policies, standards, and practices with respect to Office 365. 2016-08-16
Microsoft Cloud - Enterprise Business Continuity Management (EBCM) Program At Microsoft we recognize that the unexpected can and does occur—from simple situations to major outages. This document summarizes the measures Microsoft has taken in order to respond to major or significant business disruptions with an effective and comprehensive enterprise business continuity and disaster recovery program. 2016-08-09
Office 365 - Controlling Access to Office 365 and Protecting Content on Devices Describes the Conditional Access features in Office 365 and Enterprise Mobility and Security, and how they are designed with built-in data security and protection to keep company data safe, while empowering users to be productive on the devices they love. 2016-07-20
Office 365 - Controlling Access and Protecting Content on Devices Describes the Conditional Access features in Office 365 and Enterprise Mobility and Security, and how they are designed with built-in data security and protection to keep company data safe, while empowering users to be productive on the devices they love. 2016-07-18
Microsoft Cloud - Enterprise Business Continuity Management (EBCM) Policy Microsoft has established an Enterprise-wide Business Continuity, Disaster Recovery and Service Resilience Program with sponsorship and support from Executive Leadership and the Board of Directors. This Policy defines the scope, objectives, accountabilities and structure of Microsoft’s global Business Continuity, Disaster Recovery and Service Resilience Program. This document outlines at a high level the structure and components of that program. 2016-07-01
Office 365 - Auditing and Reporting features This document describes the various auditing and reporting features available in Office 365 and Microsoft Azure Active Directory (Azure AD). This document also provides an overview of internal logging that is available to authorized Microsoft engineers for detection, analysis, troubleshooting, and providing Office 365 services. 2016-06-27
Office 365 - ISO 27001:2013 and ISO 27018:2014 Aligned FAQ This document primarily focuses on addressing questions regarding centralized risk management controls that underpin service level or application risk management functionality. 2016-06-17
Office 365 - Defending Office 365 Against Denial-of-Service Attacks Discusses different types of Denial Of Service attacks and how Microsoft defends Azure, Office 365, and their networks against these attacks. 2016-05-24
Microsoft Cloud - Security This paper provides insight into what IT architects need to know about security and trust in Microsoft cloud services and platforms. 2016-04-29
Office 365 - Self-Service Handling of Data Spills This document reviews the spillage support provided by Office 365, the tools available to customers, and the configuration settings that should be reviewed in environments that are prone to data spills. 2016-03-23
Azure - Data Classification for Cloud Readiness This paper is primarily intended for consultants, security specialists, systems architects, and IT professionals who are responsible for planning application or infrastructure development and deployment for their organizations. 2016-03-23
Microsoft Cloud - Security Policy Microsoft Security Policy applicable across all Microsoft business units including Azure Dynamics CRM Online and Office 365. 2016-01-31
Office 365 - Risk Management Lifecycle This document provides an overview of how Office 365 identifies, evaluates, and manages risks. 2015-03-31
View penetration testing and security assessments performed on Microsoft’s cloud services.
Microsoft Intune - Infrastructure Pen Test Security Innovation performed two security assessments of the Microsoft Intune management solution on behalf of Microsoft between April 5th and May 5th 2017. This report summarizes these assessments. 2017-06-14
Microsoft Intune - Infrastructure Pen Test Remediation Plan Security Innovation performed two security assessments of the Microsoft Intune management solution on behalf of Microsoft between April 5th and May 5th 2017. This report summarizes the remediation plan based on these assessments. 2017-06-13
Office 365 - Third-Party Vulnerability Assessment of Office 365 - 2017 Report from third-party vulnerability testing of Office 365 in January 2017. 2017-06-09
Office 365 - End of Year Security Report and Pen Test Summary for 2016 Office 365 is designed to provide strong protection of all customer data stored within its services and workloads. This document details the security and legal-related improvements made to Office 365 during the calendar year that enable customers and partners to meet legal requirements surrounding independent verifications and audits of Office 365. 2017-03-28
Dynamics 365 - Penetration Testing and Security Assessment This report provides the results of the activities performed during the penetration test and provides records of the security tests conducted. The test procedures included automated and manual system vulnerability testing and were designed to obtain an accurate representation of the security posture of the selected target. 2016-11-30
Azure - Penetration Test Findings Status This report provides an updated status of the findings from the Azure penetration test performed earlier. 2016-08-24
Office 365 - End of Year Security Report and Pen Test Summary Office 365 is designed to provide strong protection of all customer data stored within its services and workloads. This document details the security and legal-related improvements made to Office 365 during the calendar year that enable customers and partners to meet legal requirements surrounding independent verifications and audits of Office 365. 2016-03-09
Azure - Penetration Test Report This report provides the results of the activities performed during the penetration test and provides records of the security tests conducted. The test procedures included automated and manual system vulnerability testing and were designed to obtain an accurate representation of the security posture of the selected target. 2016-02-22
Office 365 - Security Assessment Summary Microsoft contracted a third-party assessor to conduct a security assessment of the Office 365 cloud solution. This report is intended to provide information and insights into the findings from the assessment. 2015-07-17
Review compliance guides to understand how you can leverage Microsoft Cloud Services to manage your data security and compliance.
Azure - Cloud Platform Hardening Guide This document is meant for those who may be deploying a burst rendering system or migrating an existing instance to Azure. While Azure provides a variety of benefits, it is the responsibility of the deploying party to configure Azure properly to ensure that security goals are achieved. This report consists of a high-level design analysis followed by a more focused look at the security controls for the Microsoft Azure cloud platform. 2017-06-16
Microsoft Cloud - NIST CSF Risk Assessment Checklist This risk assessment guide is designed to help your organization prepare for the risk assessment described in the Presidential executive order dated May 11 2017 and to help you understand your organization's security posture. 2017-06-14
Office 365 - Audited Controls NIST 800_53A Rev 4 This spreadsheet provides information about Microsoft Office 365 controls, implementation details, and audit test procedures for the NIST 800-53 standard. Combining this information with the audit reports, FAQs, and white papers available from this portal will help you perform your own risk assessment or due diligence on Office 365 services. 2017-03-24
Office 365 - Audited Controls ISO 27018:2014 This spreadsheet provides information about Microsoft Office 365 controls, implementation details, and audit test procedures for the ISO 27018 standard. Combining this information with the audit reports, FAQs, and white papers available from this portal will help you perform your own risk assessment or due diligence on Office 365 services. 2017-03-07
Office 365 - Audited Controls ISO 27001:2013 This spreadsheet provides information about Microsoft Office 365 controls, implementation details, and audit test procedures for the ISO 27001 standard. Combining this information with the audit reports, FAQs, and white papers available from this portal will help you perform your own risk assessment or due diligence on Office 365 services. 2017-03-07
Office 365 - Control Companion Preview User Guide To help you meet your security and compliance objectives, Microsoft has developed Office 365 Control Companions. The Office 365 Control Companions are Microsoft Excel workbooks designed to help security and compliance officers (and other professionals who understand control frameworks such as ISO or FedRAMP) locate the Office 365 features that map to those controls and help you comply with them. This is the user guide for understanding how to use the ISO and FedRAMP Control Companions. 2017-02-17
Office 365 - Control Companion - ISO Preview To help you meet your security and compliance objectives, Microsoft has developed Office 365 Control Companions. The Office 365 Control Companions are Microsoft Excel workbooks designed to help security and compliance officers (and other professionals who understand control frameworks such as ISO or FedRAMP) locate the Office 365 features that map to those controls and help you comply with them. This is the ISO Controls Companion. 2017-02-17
Office 365 - Control Companion - FedRAMP Preview To help you meet your security and compliance objectives, Microsoft has developed Office 365 Control Companions. The Office 365 Control Companions are Microsoft Excel workbooks designed to help security and compliance officers (and other professionals who understand control frameworks such as ISO or FedRAMP) locate the Office 365 features that map to those controls and help you comply with them. This is the FedRAMP Controls Companion. 2017-02-06
Office 365 - Customer Security Considerations User Guide This document is a companion guide for the Office 365 Customer Security Considerations workbook. The Office 365 Customer Security Considerations workbook is designed to provide organizations with quick access to the security and compliance features in Office 365 and considerations for using them. 2017-01-06
Office 365 - Customer Security Considerations Workbook The Office 365 Customer Security Considerations workbook is designed to provide organizations with quick access to the security and compliance features in Office 365 and considerations for using them. 2017-01-06
Azure - HIPAA HITECH Implementation Guide This guide was developed to assist customers who are interested in HIPAA and the HITECH Act to understand the relevant capabilities of Azure. The intended audience for this guide includes privacy officers, security officers, compliance officers, and others in customer organizations responsible for HIPAA and HITECH Act implementation and compliance. 2016-11-30
Microsoft Cloud - Microsoft's Approach Enabling Compliance to FCA Finalised Cloud Guidance Microsoft Approach to the United Kingdom Financial Conduct Authority Finalised Cloud Guidance. 2016-11-22
Office 365 - Cloud Risk Assessment Tool Microsoft is developing services and tools that enable customers to conduct thorough and meaningful risk assessments prior to consuming Microsoft's cloud services. To further assist regulated financial services customers, Microsoft has collaborated with Ernst & Young LLP (EY) to develop this Cloud Risk Assessment Tool (“Risk Assessment Tool”) to facilitate and expedite risk assessments relating to Microsoft’s Office 365 services. 2016-11-22
Azure - FFIEC Cloud Security Diagnostic workbook companion This document is a companion document to the Microsoft Azure - Financial Services Cloud Security Diagnostic workbook, which is based on a common control framework consisting of 19 security domains, and has been designed to align security requirements against applicable financial services regulations. 2016-11-18
Microsoft Cloud - Azure and Office 365 BIR-2012 Baseline Coverage User Guide_Dutch This document summarizes how your organization can leverage the report that demonstrates Microsoft Office 365 and Azure compliance with the Baseline Informatiebeveiliging Rijksdienst (BIR) standard. 2016-11-04
Microsoft Cloud - Azure and Office 365 NEN7510-2011 Standard Coverage User Guide This document summarizes how your organization can leverage the report that demonstrates Microsoft Office 365 and Azure compliance with NEN 7510. 2016-11-02
Office 365 - Mapping of Cloud Security Alliance (CSA) Cloud Control Matrix in Japanese In this document, we provide a detailed overview of how Office 365 maps to the security privacy compliance and risk management controls defined in the Cloud Security Alliance's Cloud Control Matrix. Japanese version. 2016-09-02
Azure - Family Educational Rights and Privacy Act (FERPA) Compliance Framework Mapping The purpose of this document is to assist Microsoft’s customers in satisfying FERPA compliance framework requirements. 2016-08-01
Azure - Payment Card Industry (PCI) - Data Security Standard (DSS) - Responsibility Matrix As a Level 1 Service Provider, Microsoft Azure allows its customers to satisfy specific PCI DSS requirements through Azure's Attestation of Compliance. This document provides guidance to customers on the responsibilities of Azure and customers in satisfying PCI DSS requirements. 2016-06-16
Azure - CDSA Content Protection & Security (CPS) Standard implementation Guide This document describes controls in Azure to provide CPS-compliant content protection and security for your organization’s IT requirements, as well as describes how to create, protect, and operate digital media services such as on-demand streaming. 2016-06-16
Azure - HIPAA Implementation Guidance This guide was developed to assist customers who are interested in HIPAA and the HITECH Act to understand the relevant capabilities of Azure. The intended audience for this guide includes privacy officers, security officers, compliance officers, and others in customer organizations responsible for HIPAA and HITECH Act implementation and compliance. 2016-06-16
Microsoft Cloud - Response to Australian Prudential Regulation Authority's (APRA) Information paper on Cloud Following the structure and topics outlined in APRA’s Information Paper, this document provides a detailed response to each issue raised and demonstrates how Australian financial services organizations can move to Microsoft cloud services in a manner consistent with APRA’s guidance. 2016-04-19
Microsoft Cloud - Regulatory Compliance and Auditing for Financial Services Customers Regulatory Compliance and Auditing for Financial Services Customers 2016-04-11
Azure - Cloud Security Alliance - Consensus Assessments Initiative Questionnaire (CAIQ) This document was developed to assist customers who are interested in the Consensus Assessments Initiative Questionnaire (CAIQ): a set of more than 140 questions based on the CCM that a customer or cloud auditor may want to ask of CSPs to assess their compliance with CSA best practices. 2016-04-06
Azure - A Practical Guide to Designing Secure Health Solutions using Microsoft Azure This document was developed to assist customers who are interested in the Health Insurance Portability and Accountability Act of 1996 (HIPAA) and the Health Information Technology for Economic and Clinical Health Act (HITECH Act) to understand the relevant capabilities of Azure. 2016-03-23
Azure - Motion Picture Association of America (MPAA) Common Guidelines MPAA guidelines provide customers with a set of best practices for creating, processing, storing, and distributing digital assets. Service providers such as Azure who undergo the formal assessment can provide an additional layer of assurance that content uploaded to the cloud will be managed in accordance with established industry requirements for encryption, authentication, access control, and resiliency, among others. 2016-03-01
Azure - Supplier Security and Privacy Program Inventory Microsoft is committed to protecting the confidentiality and integrity of Microsoft personal and sensitive information. If your Company/Organization handles the types of data described on this form, on Microsoft's behalf, compliance with the Microsoft Supplier Data Protection Requirements is required. 2016-02-26
Azure - Supplier Security and Privacy Program Data Protection Requirements If your Company/Organization handles the types of data described on this form, on Microsoft's behalf, compliance with the Microsoft Supplier Data Protection Requirements is required. This document details supplier requirements to meet compliance with Microsoft Data Protection requirements. 2016-02-26
Azure - Supplier Security and Privacy Assurance Program (SSPA) Guide The purpose of this guide is to assist suppliers in preparing for the third-party attestation engagements (audits) as called for in the SSPA program guide. 2016-02-26
Azure - FDA 21 CFR Part 11 Qualification Guideline The purpose of this document is to assist Microsoft’s life science customers in establishing a qualification strategy for Microsoft Azure. This guideline identifies the responsibilities shared by Microsoft and its customers for meeting the regulatory requirements of FDA 21 CFR Part 11 Electronic Records; Electronic Signatures (21 CFR Part 11) and EudraLex Volume 4 - Annex 11 Computerized Systems (Annex 11). 2016-01-28
Azure - 13 Effective Security Controls for ISO 27001 Compliance This paper provides insight into how organizations can use thirteen security principles to address critical security and compliance controls, and how these controls can fast track an organization’s ability to meet its compliance obligations using cloud-based services. 2016-01-01
Office 365 - Mapping of Cloud Security Alliance (CSA) Cloud Control Matrix In this document, we provide a detailed overview of how Office 365 maps to the security privacy compliance and risk management controls defined in the Cloud Security Alliance's Cloud Control Matrix. 2015-12-15
Azure - Center for Financial Industry Information Systems (FISC) Security Reference This document was developed to assist customers who are interested in complying with the Center for Financial Industry Information Systems (FISC). 2015-11-01
Microsoft Cloud - Response to New FISC (The Center for Financial Industry Information Systems) Guidelines in Japan in Japanese This document explains how Microsoft addresses the risks and requirements described in the Revised Guidelines, and it describes features, controls, and contractual commitments that FSI customers can use to meet the requirements in the Revised Guidelines. 2015-10-14
Microsoft Cloud - Response to New FISC (The Center for Financial Industry Information Systems) Guidelines in Japan This document explains how Microsoft addresses the risks and requirements described in the Revised Guidelines, and it describes features, controls, and contractual commitments that FSI customers can use to meet the requirements in the Revised Guidelines. 2015-10-13