Governance, risk, and compliance overview

How does Microsoft provide effective security governance across the enterprise?

Microsoft understands that effective security policies must be implemented consistently across the enterprise to protect Microsoft information systems and customers. Security policies must also account for variations in business functions and information systems to be universally applicable. To meet these requirements, Microsoft implements a comprehensive security governance program as a part of the Microsoft Policy Framework. Security governance falls under the Microsoft Security Policy (MSP).

The MSP organizes Microsoft's security policies, standards, and requirements so they can be implemented across all Microsoft engineering groups and business units. Individual business units are responsible for specific implementations of Microsoft security policies. For example, Microsoft 365 documents its security implementations in the Microsoft 365 Information Security Policy and the related Microsoft 365 Control Framework. Azure and Dynamics 365 document their security implementations in the Standard Operating Procedures (SOPs) and the Azure Control Framework. These security implementations align with the goals and objectives of the MSP.

Microsoft's security governance program is informed by and aligns with various regulatory and compliance frameworks. Security requirements are constantly evolving to account for new technologies, regulatory and compliance requirements, and security threats. Because of these changes, Microsoft regularly updates our security policies and supporting documents to protect Microsoft systems and customers, meet our commitments, and maintain customer trust.

How do Microsoft online services implement the Microsoft Security Policy (MSP)?

Microsoft 365 documents security implementations in the Microsoft 365 Information Security Policy. This policy aligns with the Microsoft Security Policy and governs the Microsoft 365 information system, including all Microsoft 365 environments and all resources involved in the collection, processing, maintenance, use, sharing, dissemination, and disposal of data. Similarly, Azure and Dynamics 365 use the Microsoft Security Policy to govern their information system.

The information systems include the following components governed by the Microsoft 365 Information Security Policy (for Microsoft 365) and the Microsoft Security Policy (for Azure and Dynamics 365):

  • Infrastructure: The physical and hardware components of Azure, Dynamics 365, and Microsoft 365 systems (facilities, equipment, and networks)
  • Software: The programs and operating software of Azure, Dynamics 365, and Microsoft 365 systems (systems, applications, and utilities)
  • People: The personnel involved in the operation and use of Azure, Dynamics 365, and Microsoft 365 systems (developers, operators, users, and managers)
  • Procedures: The programmed and manual procedures involved in the operation of Azure, Dynamics 365, and Microsoft 365 systems
  • Data: The information generated, collected, and processed by Azure, Dynamics 365, and Microsoft 365 systems (transaction streams, files, databases, and tables)

The Microsoft 365 Information Security Policy is supplemented by the Microsoft 365 Control Framework. The Microsoft 365 Control Framework details the minimum-security requirements for all Microsoft 365 services and information system components. It also references the legal and corporate requirements behind each control. The framework includes control activity names, descriptions, and guidance to ensure effective control implementations by service teams. Microsoft 365 uses the control framework to track control implementations for internal and external reporting. Similarly, Azure and Dynamics 365 record control implementations in the Azure Control Framework.

How do online services limit and track exceptions to established policies and procedures?

All exceptions to the Control Frameworks must have legitimate business justification and be approved by an appropriate governance entity within each online services team. Depending on the scope of the exception and the potential risk it represents, approval for exceptions may need to be obtained from a corporate vice president or higher. Exceptions are managed in a tracking tool where they are reviewed and approved for continued relevance.

How does Microsoft assess and manage risk across the enterprise?

Risk management is the process of identifying, assessing, and responding to threats or events that can impact Company or customer objectives. Risk management at Microsoft is designed to anticipate new threats and provide ongoing security for our cloud systems and the customers who use them.

Microsoft's risk management align to the Enterprise Risk Management (ERM) framework. ERM enables the overall enterprise risk management process and works with management across the enterprise to identify and ensure accountability for Microsoft's most significant risks.

Risk management structure.

Microsoft ERM enables common risk management principles across the enterprise so business units can independently facilitate consistent and comparative risk assessments. This coordination gives Microsoft the ability to aggregate and report risk information in a consolidated manner for management. ERM provides business units in Microsoft with common methodologies, tools, and goals for the risk management process. Microsoft 365 and other engineering groups and business units use these tools to conduct individual risk assessments as part of their own risk management programs under the guidance of ERM.

How do Microsoft online services work with ERM?

Each online service follows ERM guidance to manage risks across Microsoft services. The program focuses on aligning the ERM framework with existing Microsoft engineering, service operations, and compliance processes, making the Risk Management program more effective and efficient. Each online service's risk management activities ultimately roll up into and inform the ERM process.

As part of risk assessment activities, each online service analyzes design and operating effectiveness of controls implemented as part of the Microsoft Controls Framework (Framework). The Framework is a rationalized set of controls that, when properly implemented along with supporting compliance activities, allows engineering teams to comply with key regulations and certifications.

How do online services keep security and compliance requirements updated?

Governance, Risk, and Compliance teams of each online service (GRC) work to maintain the Control Framework on an ongoing basis. Several scenarios may require the GRC team to update the control framework, including changes in relevant regulations or laws, emerging threats, penetration test results, security incidents, audit feedback, and new compliance requirements. When a framework change is required, the Trust team identifies key stakeholders responsible for approving and implementing the change to ensure it is feasible and will not cause unintended issues with Online services. Once the GRC team and relevant stakeholders agree on what the change requires, the workloads responsible for implementing the change set target completion dates and work to implement the change within their respective services. After implementation targets have been met, the Trust team updates the control framework with the new or updated controls.

Microsoft's online services are regularly audited for compliance with external regulations and certifications. Refer to the following table for validation of controls related to governance, risk, and compliance.

Azure and Dynamics 365

External audits Section Latest report date
ISO 27001/27002

Statement of Applicability
Certificate
A.5: Information security policies
A.18.1: Compliance with legal and contractual requirements
A.18.2: Information security reviews
June 21, 2022
ISO 27017

Statement of Applicability
Certificate
A.5: Information security policies
A.18.1: Compliance with legal and contractual requirements
A.18.2: Information security reviews
June 21, 2022
ISO 27018

Statement of Applicability
Certificate
A.5: Information security policies June 21, 2022
ISO 22301

Certificate
6.1.1: Determining risks and opportunities
6.1.2: Addressing risks and opportunities
June 21, 2021
SOC 1 IS-1: Microsoft security policy
IS-2: Microsoft security policy review
IS-3: Security roles and responsibilities
May 6, 2022
SOC 2
SOC 3
C5-1: Standard operating procedures
IS-1: Microsoft security policy
IS-2: Microsoft security policy review
IS-3: Security roles and responsibilities
SOC2-14: Confidentiality and non-disclosure agreements
SOC2-18: Statutory, regulatory, and contractual requirements
SOC2-19: Cross-functional compliance program
SOC2-20: ISMS program
SOC2-26: Annual risk assessment
November 23, 2022

Office 365

External audits Section Latest report date
FedRAMP CA-2: Security assessments
CA-5: Plan of action and milestones
PL-2: System security plan
RA-3: Risk assessment
July 27, 2022
ISO 27001/27002/27017

Statement of Applicability
Certification (27001/27002)
Certification (27017)
A.5: Information security policies
A.18.1: Compliance with legal and contractual requirements
A.18.2: Information security reviews
March 2022
SOC 1 CA-03: Risk management February 14, 2022
SOC 2 CA-02: Governance, risk, and compliance team responsibilities
CA-03: Risk management
CA-11: Policy framework updates
CA-17: Microsoft security policy
CA-24: Internal risk assessment
CA-25: Control framework updates
February 14, 2022

Resources