- 7 minutes to read
ISO/IEC 27001 overview
The International Organization for Standardization (ISO) is an independent nongovernmental organization and the world's largest developer of voluntary international standards. The International Electrotechnical Commission (IEC) is the world's leading organization for the preparation and publication of international standards for electrical, electronic, and related technologies.
Published under the joint ISO/IEC subcommittee, the ISO/IEC 27000 family of standards outlines hundreds of controls and control mechanisms to help organizations of all types and sizes keep information assets secure. These global standards provide a framework for policies and procedures that include all legal, physical, and technical controls involved in an organization's information risk management processes.
ISO/IEC 27001 is a security standard that formally specifies an Information Security Management System (ISMS) that is intended to bring information security under explicit management control. As a formal specification, it mandates requirements that define how to implement, monitor, maintain, and continually improve the ISMS. It also prescribes a set of best practices that include documentation requirements, divisions of responsibility, availability, access control, security, auditing, and corrective and preventive measures. Certification to ISO/IEC 27001 helps organizations comply with numerous regulatory and legal requirements that relate to the security of information.
Microsoft and ISO/IEC 27001
The international acceptance and applicability of ISO/IEC 27001 is the key reason why certification to this standard is at the forefront of Microsoft's approach to implementing and managing information security. Microsoft's achievement of ISO/IEC 27001 certification points up its commitment to making good on customer promises from a business, security compliance standpoint. Currently, both Azure Public and Azure Germany are audited once a year for ISO/IEC 27001 compliance by a third-party accredited certification body, providing independent validation that security controls are in place and operating effectively.
Learn about the benefits of ISO/IEC 27001 on the Microsoft Cloud: Download the ISO/IEC 27001:2013
Microsoft in-scope cloud platforms & services
- Azure, Azure Government, and Azure Germany
- Azure DevOps Services
- Microsoft Defender for Cloud Apps
- Microsoft Defender for Endpoint
- Dynamics 365, Dynamics 365 Government, and Dynamics 365 Germany
- Microsoft Graph
- Microsoft Healthcare Bot
- Microsoft Managed Desktop
- Power Automate (formerly Microsoft Flow) cloud service either as a standalone service or as included in an Office 365 or Dynamics 365 branded plan or suite
- Office 365, Office 365 U.S. Government, and Office 365 U.S. Government Defense
- Office 365 Germany
- OMS Service Map
- PowerApps cloud service either as a standalone service or as included in an Office 365 or Dynamics 365 branded plan or suite
- Power BI cloud service either as a standalone service or as included in an Office 365 branded plan or suite
- Power BI Embedded
- Power Virtual Agents
- Microsoft Professional Services
- Microsoft Stream
- Microsoft Threat Expert
- Microsoft Translator
- Microsoft Viva Topics
- Windows 365
Azure, Dynamics 365, and ISO 27001
For more information about Azure, Dynamics 365, and other online services compliance, see the Azure ISO 27001:2013 offering.
Office 365 and ISO 27001
Office 365 environments
Microsoft Office 365 is a multi-tenant hyperscale cloud platform and an integrated experience of apps and services available to customers in several regions worldwide. Most Office 365 services enable customers to specify the region where their customer data is located. Microsoft may replicate customer data to other regions within the same geographic area (for example, the United States) for data resiliency, but Microsoft will not replicate customer data outside the chosen geographic area.
This section covers the following Office 365 environments:
- Client software (Client): commercial client software running on customer devices.
- Office 365 (Commercial): the commercial public Office 365 cloud service available globally.
- Office 365 Government Community Cloud (GCC): the Office 365 GCC cloud service is available for United States Federal, State, Local, and Tribal governments, and contractors holding or processing data on behalf of the US Government.
- Office 365 Government Community Cloud - High (GCC High): the Office 365 GCC High cloud service is designed according to Department of Defense (DoD) Security Requirements Guidelines Level 4 controls and supports strictly regulated federal and defense information. This environment is used by federal agencies, the Defense Industrial Base (DIBs), and government contractors.
- Office 365 DoD (DoD): the Office 365 DoD cloud service is designed according to DoD Security Requirements Guidelines Level 5 controls and supports strict federal and defense regulations. This environment is for the exclusive use by the US Department of Defense.
Use this section to help meet your compliance obligations across regulated industries and global markets. To find out which services are available in which regions, see the International availability information and the Where your Microsoft 365 customer data is stored article. For more information about Office 365 Government cloud environment, see the Office 365 Government Cloud article.
Your organization is wholly responsible for ensuring compliance with all applicable laws and regulations. Information provided in this section does not constitute legal advice and you should consult legal advisors for any questions regarding regulatory compliance for your organization.
Office 365 applicability and in-scope services
Use the following table to determine applicability for your Office 365 services and subscription:
|Commercial||Access Online, Azure Active Directory, Azure Communications Service, Compliance Manager, Customer Lockbox, Delve, Exchange Online, Exchange Online Protection, Forms, Griffin, Identity Manager, Lockbox (Torus), Microsoft Defender for Office 365, Microsoft Teams, Microsoft Viva Topics, MyAnalytics, Office 365 Advanced Compliance add-on, Office 365 Customer Portal, Office 365 Microservices (including but not limited to Kaizala, ObjectStore, Sway, Power Automate, PowerPoint Online Document Service, Query Annotation Service, School Data Sync, Siphon, Speech, StaffHub, eXtensible Application Program), Office 365 Security & Compliance Center, Office Online, Office Pro Plus, Office Services Infrastructure, OneDrive for Business, Planner, PowerApps, Power BI, Project Online, Service Encryption with Microsoft Purview Customer Key, SharePoint Online, Skype for Business, Stream|
|GCC||Azure Active Directory, Azure Communications Service, Compliance Manager, Delve, Exchange Online, Forms, Microsoft Defender for Office 365, Microsoft Teams, Microsoft Viva Topics, MyAnalytics, Office 365 Advanced Compliance add-on, Office 365 Security & Compliance Center, Office Online, Office Pro Plus, OneDrive for Business, Planner, PowerApps, Power Automate, Power BI, SharePoint Online, Skype for Business, Stream|
|GCC High||Azure Active Directory, Azure Communications Service, Exchange Online, Forms, Microsoft Defender for Office 365, Microsoft Teams, Office 365 Advanced Compliance add-on, Office 365 Security & Compliance Center, Office Online, Office Pro Plus, OneDrive for Business, Planner, PowerApps, Power Automate, Power BI, SharePoint Online, Skype for Business|
|DoD||Azure Active Directory, Azure Communications Service, Exchange Online, Forms, Microsoft Defender for Office 365, Microsoft Teams, Office 365 Advanced Compliance add-on, Office 365 Security & Compliance Center, Office Online, Office Pro Plus, OneDrive for Business, Planner, Power BI, SharePoint Online, Skype for Business|
Office 365 audits, reports, and certificates
Office 365 cloud services are audited at least annually against the ISO 27001:2013 standard.
Office 365 assessments and reports
- Office 365: ISO 27001, 27018, and 27017 Audit Assessment Report
- Office 365: ISO 27001, 27018, and 27017 Statement of Authority (SOA)
- Office 365: Information Security Management System (ISMS)—Statement Of Applicability for Security and Privacy
- Office 365 Germany: ISO 27001, 27017, and 27018 Audit Assessment Report
Frequently asked questions
Why is Office 365 compliance with ISO/IEC 27001 important?
Compliance with these standards, confirmed by an accredited auditor, demonstrates that Microsoft uses internationally recognized processes and best practices to manage the infrastructure and organization that support and deliver its services. The certificate validates that Microsoft has implemented the guidelines and general principles for initiating, implementing, maintaining, and improving the management of information security.
Where can I get the ISO/IEC 27001 audit reports and scope statements for Office 365 services?
The Service Trust Portal provides independently audited compliance reports. You can use the portal to request reports so that your auditors can compare Microsoft's cloud services results with your own legal and regulatory requirements.
Are annual tests run for Office 365 infrastructure failures?
Yes. The annual ISO/IEC 27001 certification process for the Microsoft Cloud Infrastructure and Operations group includes an audit for operational resiliency. To view the latest certificate, select the link below.
- Microsoft 365 and Office 365 certificate: ISO/IEC 27001:2013 certificate for Microsoft Cloud Infrastructure and Operations
Where do I start my organization's own ISO/IEC 27001 compliance effort?
Adopting ISO/IEC 27001 is a strategic commitment. As a starting point, consult the ISO/IEC 27000 Directory.
Can I use the ISO/IEC 27001 compliance of Office 365 services in my organization's certification?
Yes. If your business requires ISO/IEC 27001 certification for implementations deployed on Microsoft services, you can use the applicable certification in your compliance assessment. You are responsible, however, for engaging an assessor to evaluate the controls and processes within your own organization and your implementation for ISO/IEC 27001 compliance.
Use Microsoft Purview Compliance Manager to assess your risk
Microsoft Purview Compliance Manager is a feature in the Microsoft Purview compliance portal to help you understand your organization's compliance posture and take actions to help reduce risks. Compliance Manager has a pre-built assessment for this regulation for Enterprise E5 customers. Find the template for building the assessment in the assessment templates page in Compliance Manager. Learn how to build assessments in Compliance Manager.
- Mapping Microsoft Cyber Offerings to: NIST Cybersecurity (CSF),CIS Controls, and ISO27001:2013 Frameworks
- The ISO/IEC 27000 Directory
- ISO/IEC 27001: 2013 standard (for purchase)
- Microsoft sets a high bar for information security (BSI case study)
- Microsoft Common Controls Hub Compliance Framework
- Microsoft Online Services Terms
- Microsoft Cloud for Government
What is ISO IEC 27001 2013 Information Security Management Standards? ›
ISO/IEC 27001:2013 specifies the requirements for establishing, implementing, maintaining and continually improving an information security management system within the context of the organization.Why is ISO 27001 not enough? ›
A key issue is that ISO 27001 is a management standard, not a security standard. It provides a framework for the management of security within an organization, but does not provide a 'Gold Standard' for security, which, if implemented, will ensure the security of an organization.Does Microsoft have ISO 27001? ›
Yes. The annual ISO/IEC 27001 certification process for the Microsoft Cloud Infrastructure and Operations group includes an audit for operational resiliency.How do I pass ISO 27001 certification? ›
- 1) Prepare.
- 2) Establish the context, scope, and objectives.
- 3) Establish a management framework.
- 4) Conduct a risk assessment.
- 5) Implement controls to mitigate risks.
- 6) Conduct training.
- 7) Review and update the required documentation.
ISO 27001 is the global standard for effective information management. It helps organisations avoid potentially costly security breaches. ISO 27001-certified organisations can show customers, partners and shareholders that they have taken steps to protect data in the event of a breach.Is ISO 27001 compliance mandatory? ›
Like other ISO management system standards, certification to ISO/IEC 27001 is possible but not obligatory. Some organizations choose to implement the standard in order to benefit from the best practice it contains while others also want to get certified to reassure customers and clients.Do I need to be ISO 27001 compliant? ›
Its component standards, such as ISO/IEC 27001:2013, are designed to help organizations implement, maintain and continually improve an information security management system (ISMS). Compliance with ISO 27001 is not mandatory.Can you fail an ISO 27001 audit? ›
If you fail an ISO audit, you may face the risk of certified status removal. External audits reveal major non-conformances that the organisation needs to address. Sometimes it may detect issues with the quality management system you were unaware of.Is Microsoft teams ISO 27001 compliant? ›
Microsoft Teams is built on the Microsoft 365 hyper-scale, enterprise-grade cloud, delivering the advanced security and compliance capabilities our customers expect. Teams is Tier D-compliant. This includes the following standards: HIPAA, ISO 27001, ISO 27018, SSAE16 SOC 1 and SOC 2, and EU Model Clauses (EUMC).What security system does Microsoft use? ›
Windows Security is built-in to Windows and includes an antivirus program called Microsoft Defender Antivirus. (In early versions of Windows 10, Windows Security is called Windows Defender Security Center).
Does Microsoft Azure comply with ISO 27001? ›
Compliance with ISO/IEC 27001, certified by an accredited auditor, demonstrates that Azure uses internationally recognized processes and best practices to manage the infrastructure and organization that support and deliver its services.Is ISO 27001 exam difficult? ›
How difficult is ISO 27001 certification? There's nothing inherently difficult about ISO 27001 beyond what you need to maintain good information security. If you are already practise good information security, the ISO will help you frame and improve it over time. If you don't then it will tell you how.Is ISO 27001 an open book exam? ›
The exam is an open book exam (use of ISO standard copy is permitted). Passing grade is 70%. This is a self-study exam.How hard is ISO 27001 certification? ›
ISO 27001 certification is bloody difficult…
Strangely enough though, it actually looks fairly simple, as the ISO 27001 standard itself is only 30-odd pages long and only 114 controls. However, for every 1 of those controls, there are an average of 4 additional aspect to consider from the NINETY-odd page ISO 27002.
In short, ISO 27001 is a set of standards for managing risk related to information security. It covers policies, procedures, training, monitoring, auditing, incident response, and communications.What are the ISO 27001 requirements? ›
- 4.1 – Understanding the Organisation and its Context. ...
- 4.2 – Understanding the Needs and Expectations of Interested Parties. ...
- 4.3 – Determining the Scope of the Information Security Management System. ...
- 4.4 – Information Security Management System.
ISO 27001 is the international standard for information security. Its framework requires organisations to identify information security risks and select appropriate controls to tackle them. Those practices are outlined in Annex A of ISO 27001, which contains 114 controls divided into 14 domains.What are the 5 basic security principles? ›
The U.S. Department of Defense has promulgated the Five Pillars of Information Assurance model that includes the protection of confidentiality, integrity, availability, authenticity, and non-repudiation of user data.What are the five 5 components of information security? ›
It relies on five major elements: confidentiality, integrity, availability, authenticity, and non-repudiation.What is ISO 27001 compliance with security policies and standards? ›
The "ISO 27001 A. 18.2. 2: Compliance with Security Policies and Standards" report is related to the managers that shall regularly review the compliance of information processing and procedures within their area of responsibility with the appropriate security policies, standards and any other security requirements.
Is ISO compliance mandatory? ›
ISO compliance isn't mandatory; there is no “ISO regulation,” so no regulatory imperative to comply. But ISO compliance standards are trusted by organizations from across the world, making ISO compliance a boost to business reputation as well as to operations.Is ISO 27001 certification worth it? ›
It will protect your reputation from security threats
The most obvious reason to certify to ISO 27001 is that it will help you avoid security threats. This includes both cyber criminals breaking into your organisation and data breaches caused by internal actors making mistakes.
How many mandatory requirements are needed for ISO 27001? According to Compleye's at-a-glance list, there are 8 requirements for ISO 27001 certification: Implement a security management system (ISMS) Conduct a risk assessment.How do I pass the ISO 27001 lead auditor exam? ›
- International standard ISO 27001: 2013 assists the business to improve its information security reputation and increase its economic value in the marketplace. ...
- Appoint an ISO 27001 champion.
- Check Your Permission Rights.
- Conduct training.
- Risk Assessment.
- Monitor Suppliers, Vendors, and certification's activities.
How Often Do You Renew ISO 27001 Certification? The ISO 27001 certification must be renewed every three years or the organization will risk the certification becoming invalid. The ISMS, however, must be maintained throughout the three years.What are the most challenging aspects of ISO 27001 2013 implementation? ›
- Risk assessment.
- Ownership of the project.
- Lack of project planning.
- Stakeholder investment.
- Gap Analysis and communication.
ISO 27001 consists of 114 controls (included in Annex A and expanded on in ISO 27002) that provide a framework for identifying, treating, and managing information security risks.What is the primary focus of the ISO 27001 2013 standard? ›
The ISO 27001 standard, more formally known as ISO/IEC 27001:2013 Information Security Management, focuses primarily on the implementation and management of an information security management system (ISMS).What is the goal of the standard ISO 27001 2013? ›
The primary goal of the ISO 27001 regulation is to guide organizations into creating, implementing, and enforcing an ISMS. This ISMS describes the controls, processes, and procedures that the company has put in place to ensure the confidentiality, integrity, and availability of the data in its possession.What are the three principles of ISO 27001? ›
The ISO 27001 standard provides a framework for implementing an ISMS, safeguarding your information assets while making the process easier to manage, measure, and improve. It helps you address the three dimensions of information security: Confidentiality, Integrity, and Availability.
What are the 6 stages of the ISO 27001 certification process? ›
- Phase one: create a project plan. ...
- Phase two: define the scope of your ISMS. ...
- Phase three: perform a risk assessment and gap analysis. ...
- Phase four: design and implement policies and controls. ...
- Phase five: complete employee training. ...
- Phase six: document and collect evidence.
ISO 27001, includes a risk assessment process, organisational structure, Information classification, Access control mechanisms, physical and technical safeguards, Information security policies, procedures, monitoring and reporting guidelines.What are the main steps to the ISO 27001 security process? ›
- Step 1: Assemble an implementation team. ...
- Step 2: Develop the implementation plan. ...
- Step 3: Initiate the ISMS. ...
- Step 4: Define the ISMS scope. ...
- Step 5: Identify your security baseline. ...
- Step 6: Establish a risk management process. ...
- Step 7: Implement a risk treatment plan.
Some of the mandatory ISO 27001 documents and records: ISMS Scope document. Information Security Policy. Risk Assessment Report.