ENISA IAF overview

The European Union Agency for Cybersecurity (ENISA) is the EU agency dedicated to achieving a high common level of cybersecurity across Europe. It works closely with EU member states and the private sector to provide advice and recommendations on good cybersecurity practices. ENISA also supports the development and implementation of EU policy and law related to national information security.

The ENISA Cloud Computing Information Assurance Framework (IAF) is a set of assurance criteria that organizations can review with cloud service providers (CSPs) to ensure they have sufficient protections in place for customer data. The IAF is intended to assess the risk of cloud adoption and reduce the assurance burden on CSPs.

Azure and ENISA IAF

Microsoft Azure aligns to the IAF by way of Azure's adherence to the Cloud Security Alliance (CSA) Cloud Controls Matrix (CCM), which maps CCM domains and controls to IAF assurance criteria. Azure maintains the following CCM-based assurances:

To review the CCM control mapping to ENISA IAF, you can download the CSA Cloud Controls Matrix (CCM).


CSA CCM v3.0.1 provides control mapping to ENISA IAF. It is expected that the new CCM v4 will be updated to include this mapping as well.

The CSA Security, Trust, Assurance, and Risk (STAR) registry is a free, publicly accessible registry where CSPs can publish their CSA STAR assessments. Azure publishes a CSA STAR self-assessment based on the CSA Consensus Assessments Initiative Questionnaire (CAIQ), which is a set of more than 250 questions based on the CCM that a customer or cloud auditor may want to ask of CSPs to assess their compliance with CSA best practices. Self-assessment reports are publicly available, thereby helping you gain visibility into the security practices of CSPs, and compare various CSPs using the same baseline.


  • Azure

Attestation documents