Accessing and using the Office 365 Service Assurance information
By David Branscome, Partner Technical Architect
When partners work on customer requests for proposal (RFPs) for Office 365 and Azure, they often have questions about Microsoft datacenters. Customers that get frequent audits will need to provide specific evidence that their data is securely stored. Partners can easily provide such evidence by accessing information on the Office 365 Portal. On the portal, the Service Assurance Center, within the Security and Compliance section, has information that partners will need. In this post, I have provided details on accessing and using the Service Assurance information.
Service Assurance user permissions
Not everyone with an account in Office 365 needs to see their organization’s security configuration. A compliance officer with no special permissions in Office 365 would see something like this:
Here is how to grant permissions to users who need to be able to access the Service Assurance Center:
1. Log in to the Office 365 portal with Global Admin credentials
2. Go to the Security and Compliance app and select Permissions
3. In Permissions, check the box for Service Assurance User
4. Select Edit role group and in the Members area, click on Edit
5. Select Choose members to add people who should have these permissions
6. Click Add and then find the user
7. Finish the wizard and you’ll see the user as a member of the Service Assurance User permissions group
8. When the user logs in again, he or she will be able to go to https://protection.office.com/ and see the Service Assurance Center
Service Assurance Center experience
Once you have the necessary permissions, you can start exploring information in the Service Assurance Center. You can start by looking at all the controls and audited elements.
Let’s say you want to see how Office 365 meets ISO 27001 standards. The first thing I’d recommend is to go to the Settings area and define the region – in our case, Europe. You’ll also need to select at least one of the industries, the regulations of which would be relevant to your search, then click Save.
As the green box indicates, you can now go into the Compliance Reports, Trust Documents and Audited Controls and review the content for the relevant region and industry.
If you look in the Compliance Reports area, you’ll see the listing of certificates that Microsoft cloud datacenters have achieved. You can click on and download these certificates.
For example, if I expand the ISO reports section and scroll down, I can find and download a report named “Office 365 Germany ISO 27001 ISO 27017 and ISO 27018 Audit Assessment Report”. This is the final report stating that Office 365 meets the expectations for compliance.
This report doesn’t tell me what was tested as part of the process. For that, I can go to the Audited Controls section, where I can find and download the ISO 27018-2014 audit report.
In this case, the report is an Excel spreadsheet that includes the title of the control, implementation and testing details, when it was tested, and who performed the testing. This level of detail is usually sufficient for a customer’s audit team to be reassured of Microsoft’s compliance with the standard.
If you want to change the scope of the controls (region, industry, etc.), you can change the parameters in the Settings tab.
The trusted cloud
Microsoft is constantly working on achieving, maintaining and exceeding compliance standards to secure customer data and make our cloud the most trusted cloud in the world. The Service Assurance section of Office 365 is one evidence of that effort. Make sure to take advantage of it!
Additionally, check out the resources in the Microsoft Trust Center for information about General Data Protection Regulation (GDPR), security, protection of user’s personally identifiable information, and the Microsoft commitment to providing customers with the controls necessary to secure their environment and user identities.