| Name | Description | Policies | Version |
|---|---|---|---|
| [Preview]: Australian Government ISM PROTECTED | This initiative includes policies that address a subset of Australian Government Information Security Manual (ISM) controls. Additional policies will be added in upcoming releases. For more information, visit https://aka.ms/auism-initiative. | 42 | 8.7.0-preview |
| [Preview]: CMMC 2.0 Level 2 | This initiative includes policies that address a subset of CMMC 2.0 Level 2 practices. Additional policies will be added in upcoming releases. For more information, visit https://aka.ms/cmmc2l2-initiative. | 231 | 2.16.0-preview |
| [Preview]: Motion Picture Association of America (MPAA) | This initiative includes audit and virtual machine extension deployment policies that address a subset of Motion Picture Association of America (MPAA) security and guidelines controls. Additional policies will be added in upcoming releases. For more information, visit https://aka.ms/mpaa-init. | 32 | 4.5.0-preview |
| [Preview]: NIS2 | The NIS2 Directive enhances the cybersecurity and resilience of critical infrastructure and digital services across the European Union, ensuring a higher level of protection against cyber threats. | 239 | 1.0.0-preview |
| [Preview]: Reserve Bank of India - IT Framework for Banks | This initiative includes policies that address a subset of Reserve Bank of India IT Framework for Banks controls. Additional policies will be added in upcoming releases. For more information, visit https://aka.ms/rbiitfbanks-initiative. | 153 | 1.17.0-preview |
| [Preview]: Reserve Bank of India - IT Framework for NBFC | This initiative includes policies that address a subset of Reserve Bank of India IT Framework for Non-Banking Financial Companies (NBFC) controls. Additional policies will be added in upcoming releases. For more information, visit https://aka.ms/rbiitfnbfc-initiative. | 121 | 2.13.0-preview |
| [Preview]: Sovereignty Baseline - Global Policies | The Microsoft Cloud for Sovereignty recommends global policies to help organizations achieve their sovereignty goals by default denying the creation of resources outside of approved regions. More details can be found here: https://aka.ms/SovereigntyBaselinePolicies | 5 | 1.1.0-preview |
| [Preview]: SWIFT CSP-CSCF v2020 | This initiative includes audit and virtual machine extension deployment policies that address a subset of SWIFT CSP-CSCF v2020 controls. Additional policies will be added in upcoming releases. For more information, visit https://aka.ms/swift2020-init. | 49 | 6.5.0-preview |
| [Preview]: SWIFT CSP-CSCF v2021 | This initiative includes policies that address a subset of the SWIFT Customer Security Program's Customer Security Controls Framework v2021 controls. Additional policies will be added in upcoming releases. For more information, visit https://aka.ms/swift2021-init. | 124 | 4.12.0-preview |
| ACAT for Microsoft 365 Certification | App Compliance Automation Tool for Microsoft 365 (ACAT) simplifies the process to achieve Microsoft 365 Certification, see https://aka.ms/acat. This certification ensures that apps have strong security and compliance practices in place to protect customer data, security, and privacy. This initiative includes policies that address a subset of the Microsoft 365 Certification controls. Additional policies will be added in upcoming releases. | 16 | 1.1.0 |
| APRA CPS 234 2019 | Australian Prudential Regulation Authority (APRA) standard for managing information security risks in regulated entities. | 18 | 1.0.0 |
| Brazilian General Data Protection Law (LGPD) 2018 | Brazil's comprehensive data protection law, regulating the processing of personal data. | 19 | 1.0.0 |
| Canada Federal PBMM | This initiative includes policies that address a subset of Canada Federal PBMM controls. Additional policies will be added in upcoming releases. For more information, visit https://aka.ms/canadafederalpbmm-init. | 47 | 8.6.0 |
| Canada Federal PBMM 3-1-2020 | Security standards for Canadian federal systems, ensuring the confidentiality, integrity, and availability of sensitive information. | 209 | 1.0.0 |
| CIS Azure Foundations v2.1.0 | Security guidance for Microsoft Azure, providing best practices to enhance security posture. | 31 | 1.0.0 |
| CIS Controls v8.1 | Globally recognized cybersecurity best practices, offering actionable steps to protect against cyber threats. | 182 | 1.0.0 |
| CIS Microsoft Azure Foundations Benchmark v1.1.0 | The Center for Internet Security (CIS) is a nonprofit entity whose mission is to 'identify, develop, validate, promote, and sustain best practice solutions for cyberdefense.' CIS benchmarks are configuration baselines and best practices for securely configuring a system. These policies address a subset of CIS Microsoft Azure Foundations Benchmark v1.1.0 controls. For more information, visit https://aka.ms/cisazure110-initiative | 154 | 16.9.0 |
| CIS Microsoft Azure Foundations Benchmark v1.3.0 | The Center for Internet Security (CIS) is a nonprofit entity whose mission is to 'identify, develop, validate, promote, and sustain best practice solutions for cyberdefense.' CIS benchmarks are configuration baselines and best practices for securely configuring a system. These policies address a subset of CIS Microsoft Azure Foundations Benchmark v1.3.0 controls. For more information, visit https://aka.ms/cisazure130-initiative | 169 | 8.13.0 |
| CIS Microsoft Azure Foundations Benchmark v1.4.0 | The Center for Internet Security (CIS) is a nonprofit entity whose mission is to 'identify, develop, validate, promote, and sustain best practice solutions for cyberdefense.' CIS benchmarks are configuration baselines and best practices for securely configuring a system. These policies address a subset of CIS Microsoft Azure Foundations Benchmark v1.4.0 controls. For more information, visit https://aka.ms/cisazure140-initiative | 168 | 1.12.0 |
| CIS Microsoft Azure Foundations Benchmark v2.0.0 | The Center for Internet Security (CIS) is a nonprofit entity whose mission is to 'identify, develop, validate, promote, and sustain best practice solutions for cyberdefense.' CIS benchmarks are configuration baselines and best practices for securely configuring a system. These policies address a subset of CIS Microsoft Azure Foundations Benchmark v2.0.0 controls. For more information, visit https://aka.ms/cisazure200-initiative | 205 | 1.5.0 |
| CMMC Level 3 | This initiative includes policies that address a subset of Cybersecurity Maturity Model Certification (CMMC) Level 3 requirements. Additional policies will be added in upcoming releases. For more information, visit https://aka.ms/cmmc-initiative. | 149 | 11.11.0 |
| CSA CSA Cloud Controls Matrix v4.0.12 | Cybersecurity framework by the Cloud Security Alliance (CSA), offering security controls specifically for cloud environments. | 222 | 1.0.0 |
| Cyber Essentials v3.1 | UK certification scheme to protect against common cyber threats through basic security controls. | 112 | 1.0.0 |
| Cybersecurity Maturity Model Certification (CMMC) Level 2 v1.9.0 | Focuses on protecting Controlled Unclassified Information (CUI) in defense contracting with advanced security controls. | 218 | 1.0.0 |
| EU 2022/2555 (NIS2) 2022 | Enhances cybersecurity across the EU with security measures and incident reporting for critical sectors. | 200 | 1.0.0 |
| EU General Data Protection Regulation (GDPR) 2016/679 | Comprehensive data protection law regulating personal data processing within the EU. | 313 | 1.0.0 |
| FBI Criminal Justice Information Services (CJIS) v5.9.5 | Standards by the FBI to secure criminal justice information, covering data access, transmission, and storage. | 236 | 1.0.0 |
| FedRAMP High | FedRAMP is a US government-wide program that provides a standardized approach to security assessment, authorization, and continuous monitoring for cloud-based products and services. FedRAMP defines a set of controls for Low, Moderate, or High security impact level systems based on NIST baseline controls. These policies address a subset of FedRAMP (High) controls. For more information, visit https://docs.microsoft.com/azure/compliance/offerings/offering-fedramp | 716 | 17.17.0 |
| FedRAMP Moderate | FedRAMP is a U.S. government-wide program that provides a standardized approach to security assessment, authorization, and continuous monitoring for cloud-based products and services. FedRAMP defines a set of controls for Low, Moderate, or High security impact level systems based on NIST baseline controls. These policies address a subset of FedRAMP (Moderate) controls. Additional policies will be added in upcoming releases. For more information, visit https://www.fedramp.gov/documents-templates/ | 647 | 17.16.0 |
| FFIEC CAT 2017 | Assessment tool for financial institutions to measure cybersecurity preparedness, from the FFIEC. | 141 | 1.0.0 |
| HITRUST CSF v11.3 | A comprehensive security and privacy framework for managing compliance in industries like healthcare and finance. | 237 | 1.0.0 |
| HITRUST/HIPAA | Health Information Trust Alliance (HITRUST) helps organizations from all sectors, but especially healthcare, effectively manage data, information risk, and compliance. HITRUST certification means that the organization has undergone a thorough assessment of the information security program. These policies address a subset of HITRUST controls. For more information, visit https://docs.microsoft.com/azure/governance/policy/samples/hipaa-hitrust-9-2 | 597 | 14.8.0 |
| IRS1075 September 2016 | This initiative includes policies that address a subset of IRS1075 September 2016 controls. Additional policies will be added in upcoming releases. For more information, visit https://aka.ms/irs1075-init. | 49 | 8.6.0 |
| ISO 27001:2013 | The International Organization for Standardization (ISO) 27001 standard provides requirements for establishing, implementing, maintaining, and continuously improving an Information Security Management System (ISMS). These policies address a subset of ISO 27001:2013 controls. Additional policies will be added in upcoming releases. For more information, visit https://aka.ms/iso27001-init | 453 | 8.6.0 |
| ISO/IEC 27001 2022 | International standard for managing information security via an Information Security Management System (ISMS). | 63 | 1.0.0 |
| ISO/IEC 27002 2022 | Provides specific guidance on implementing controls for information security, complementing ISO 27001. | 162 | 1.0.0 |
| ISO/IEC 27017 2015 | Cloud-specific extension to ISO 27001, providing security guidelines for cloud service providers and customers. | 102 | 1.0.0 |
| NCSC Cyber Assurance Framework (CAF) v3.2 | UK framework providing cybersecurity guidance for critical national infrastructure to protect systems and data. | 83 | 1.0.0 |
| New Zealand ISM | NZISM v3.8. The New Zealand Information Security Manual (NZISM) details processes and controls essential for the protection of all New Zealand Government information and systems. This initiative includes policies that address a subset of NZISM controls. Additional policies will be added in upcoming releases. For full details on controls, please refer to https://www.nzism.gcsb.govt.nz/ism-document. This policy set includes definitions that have a Deny effect by default. | 210 | 1.7.0 |
| NIST 800-171 R3 | Guidelines for protecting Controlled Unclassified Information (CUI) in non-federal systems and organizations. | 227 | 1.0.0 |
| NIST CSF v2.0 | Risk-based approach to managing cybersecurity threats, offering guidance for improving cybersecurity practices. | 112 | 1.0.0 |
| NIST SP 800-171 Rev. 2 | The US National Institute of Standards and Technology (NIST) promotes and maintains measurement standards and guidelines to help protect the information and information systems of federal agencies. In response to Executive Order 13556 on managing controlled unclassified information (CUI), it published NIST SP 800-171. These policies address a subset of NIST SP 800-171 Rev. 2 controls. For more information, visit https://docs.microsoft.com/azure/compliance/offerings/offering-nist-800-171 | 446 | 15.16.0 |
| NIST SP 800-53 R5.1.1 | Comprehensive security and privacy controls framework for U.S. federal information systems and organizations. | 244 | 1.0.0 |
| NIST SP 800-53 Rev. 4 | National Institute of Standards and Technology (NIST) SP 800-53 R4 provides a standardized approach for assessing, monitoring and authorizing cloud computing products and services to manage information security risk. These policies address a subset of NIST SP 800-53 R4 controls. Additional policies will be added in upcoming releases. For more information, visit https://aka.ms/nist800-53r4-initiative | 717 | 17.16.0 |
| NIST SP 800-53 Rev. 5 | National Institute of Standards and Technology (NIST) SP 800-53 Rev. 5 provides a standardized approach for assessing, monitoring and authorizing cloud computing products and services to manage information security risk. These policies address a subset of NIST SP 800-53 R5 controls. Additional policies will be added in upcoming releases. For more information, visit https://aka.ms/nist800-53r5-initiative | 702 | 14.16.0 |
| NL BIO Cloud Theme | This initiative includes policies that address the Dutch Baseline Informatiebeveiliging (BIO) controls specifically for the 'thema-uitwerking Clouddiensten' and include policies covered under the SOC2 and ISO 27001:2013 controls. | 239 | 1.10.0 |
| NL BIO Cloud Theme V2 | This initiative includes policies that address the Dutch Baseline Informatiebeveiliging (BIO) controls specifically for the 'thema-uitwerking Clouddiensten' and include policies covered under the SOC2 and ISO 27001:2013 controls. | 260 | 2.2.0 |
| NZISM v3.7 | New Zealand's Information Security Manual, providing security guidance for government agencies. | 231 | 1.0.0 |
| PCI DSS v4 | The Payment Card Industry (PCI) Data Security Standards (DSS) is a global information security standard designed to prevent fraud through increased control of credit card data. Compliance with PCI DSS is required for any organization that stores, processes, or transmits payment and cardholder data. These policies address a subset of PCI-DSS v4 controls. For more information, visit https://docs.microsoft.com/azure/governance/policy/samples/pci-dss-3-2-1 | 273 | 1.6.0 |
| PCI DSS v4.0.1 | Payment Card Industry Data Security Standard, focusing on protecting credit card transaction data. | 218 | 1.0.0 |
| PCI v3.2.1:2018 | This initiative includes policies that address a subset of PCI v3.2.1:2018 controls. Additional policies will be added in upcoming releases. For more information, visit https://aka.ms/pciv321-init. | 31 | 6.5.0 |
| RMIT Malaysia | This initiative includes policies that address a subset of RMIT requirements. Additional policies will be added in upcoming releases. For more information, visit aka.ms/rmit-initiative. | 191 | 9.14.0 |
| Sarbanes Oxley Act 2022 | U.S. federal law aimed at improving corporate transparency and accountability, including provisions for cybersecurity and IT controls. | 92 | 1.0.0 |
| SOC 2 Type 2 | A System and Organization Controls (SOC) 2 is a report based on the Trust Service Principles and Criteria established by the American Institute of Certified Public Accountants (AICPA). The Report evaluates an organization's information system relevant to the following principles: security, availability, processing integrity, confidentiality and privacy. These policies address a subset of SOC 2 Type 2 controls. For more information, visit https://docs.microsoft.com/azure/compliance/offerings/offering-soc-2 | 308 | 1.11.0 |
| SOC 2023 | Service Organization Control reports that ensure organizations manage sensitive data securely and comply with trust service criteria. | 243 | 1.0.0 |
| Sovereignty Baseline - Confidential Policies | The Microsoft Cloud for Sovereignty recommends confidential policies to help organizations achieve their sovereignty goals by default denying the creation of resources outside of approved regions, denying resources that are not backed by Azure Confidential Computing, and denying data storage resources that are not using Customer-Managed Keys. More details can be found here: https://aka.ms/SovereigntyBaselinePolicies | 22 | 1.1.0 |
| Spain ENS | This initiative includes policies that address National Security Scheme (ENS) controls specifically for the 'CCN-STIC 884'. This policy set includes definitions that have a Deny effect by default. | 861 | 1.5.0 |
| SWIFT CSP-CSCF v2022 | SWIFT's Customer Security Programme (CSP) helps financial institutions ensure their defences against cyberattacks are up to date and effective, to protect the integrity of the wider financial network. Users compare the security measures they have implemented with those detailed in the Customer Security Controls Framework (CSCF). These policies address a subset of SWIFT controls. For more information, visit https://docs.microsoft.com/azure/governance/policy/samples/swift-cscf-v2021 | 328 | 2.9.0 |
| SWIFT Customer Security Controls Framework 2024 | Ensures secure transactions for organizations using SWIFT, the global financial messaging service. | 212 | 1.0.0 |
| UK OFFICIAL and UK NHS | This initiative includes audit and virtual machine extension deployment policies that address a subset of UK OFFICIAL and UK NHS controls. Additional policies will be added in upcoming releases. For more information, visit https://aka.ms/ukofficial-init and https://aka.ms/uknhs-init. | 46 | 9.6.0 |