Global Secure Access certifications

Global Secure Access supports compliance across different regulated industries and global markets. This article lists the current certifications and updates as Global Secure Access acquires new certifications.

Supported certifications

Global Secure Access is included in several Azure compliance audits. The supported certifications are:

| Certification | Details | Inherited from |
| --- | --- | --- |
| Canadian Privacy Laws | Canadian privacy laws aim to protect the privacy of individuals and give them the right to access information gathered about them. These privacy laws include the Privacy Act, Personal Information Protection and Electronic Documents Act (PIPEDA), Alberta Personal Information Protection Act (PIPA), and British Columbia Freedom of Information and Protection of Privacy Act (BC FIPPA). For more information, see Canada privacy laws. | ISO 27001:2013 |
| CDSA | The Content Delivery & Security Association (CDSA) Content Protection & Security (CPS) standard provides guidance and requirements for securing media assets within a Content Security Management System (CSMS). The standard includes controls to protect intellectual property and keep media assets secure and confidential throughout the digital media supply chain. For more information, see CDSA. | ISO 27001:2013 |
| CSA STAR | Cloud Security Alliance (CSA) STAR certification is based on achieving ISO 27001 certification and meeting criteria in the Cloud Controls Matrix (CCM). It shows that a cloud service provider meets ISO 27001 requirements, addresses key cloud security issues in the CCM, and is assessed against the STAR Capability Maturity Model for managing activities in CCM control areas. For more information, see Cloud Security Alliance (CSA) STAR Certification. | ISO 27001:2013 |
| DoD DISA SRG Level 2 | The Defense Information Systems Agency (DISA) is an agency of the US Department of Defense (DoD) that is responsible for developing and maintaining the DoD Cloud Computing Security Requirements Guide (SRG). The SRG defines the baseline security requirements used by DoD to assess the security posture of a cloud service provider (CSP), supporting the decision to grant a DoD Provisional Authorization (PA) that allows a CSP to host DoD missions. It incorporates, supersedes, and rescinds the previously published DoD Cloud Security Model (CSM). For more information, see Department of Defense (DoD) Impact Level 2 (IL2). | FedRAMP High |
| EAR | The US Department of Commerce is responsible for enforcing the Export Administration Regulations (EAR) through the Bureau of Industry and Security (BIS). According to BIS definitions, Export is the transfer of protected technology or information to a foreign destination or release of protected technology or information to a foreign person in the United States (also known as Deemed Export). For more information, see Export Administration Regulations (EAR). | FedRAMP High |
| FedRAMP High | The US Federal Risk and Authorization Management Program (FedRAMP) was established in December 2011 to provide a standardized approach for assessing, monitoring, and authorizing cloud service providers (CSPs). For more information, see Federal Risk and Authorization Management Program (FedRAMP). | NA |
| FIPS 140-2 | The Federal Information Processing Standard (FIPS) Publication 140-2 is a US government standard that defines minimum security requirements for cryptographic modules in products and systems. Validation against the FIPS 140-2 standard is required for all US federal government agencies that use cryptography-based security systems to protect sensitive but unclassified information stored digitally. For more information, see Federal Information Processing Standard (FIPS) 140. | FedRAMP High |
| GDPR | The General Data Protection Regulation (GDPR) is a European privacy law that became effective in May 2018. It imposes new rules on organizations that offer goods and services to people in the European Union (EU) or that collect and analyze data belonging to EU individuals. The GDPR requires that data controllers, such as organizations using Azure, only use data processors, such as Microsoft, that provide sufficient guarantees to meet key requirements of the GDPR. For more information, see General Data Protection Regulation summary. | ISO 27001:2013 |
| GxP (FDA 21 CFR Part 11) | Azure can help customers meet their requirements under Good Clinical, Laboratory, and Manufacturing Practices (GxP), as well as regulations enforced by the US Food and Drug Administration (FDA) under 21 CFR Part 11. For more information, see GxP (FDA 21 CFR Part 11). | ISO 27001:2013 |
| HDS (France) | Microsoft Azure has the Health Data Hosting (Hébergeurs de Données de Santé, HDS) certification, which is required for all entities that host personal health data governed by French law. Microsoft is the first major cloud service provider to meet the strict French standards for storing and processing health data. For more information, see Health Data Hosting (HDS) France. | ISO 27001:2013 |
| HIPAA BAA (US) | The Health Insurance Portability and Accountability Act (HIPAA) is a US law that establishes requirements for the use, disclosure, and safeguarding of protected health information (PHI). It applies to covered entities (doctors' offices, hospitals, health insurers, and other healthcare companies) with access to PHI, and to business associates, such as cloud service providers, that process PHI on their behalf. For more information, see HIPAA (US). | NA |
| ISO 20000-1:2011 | ISO 20000-1:2011 is an international standard for IT service management that defines requirements for the development, implementation, monitoring, maintenance, and improvement of an IT service management system. For more information, see ISO/IEC 20000-1:2018. | ISO 27001:2013 |
| ISO 22301:2012 | ISO 22301:2012 is the premium international standard for business continuity management that provides for a formal certification. For more information, see ISO 22301:2019. | ISO 27001:2013 |
| ISO 27001:2013 | The ISO 27000 family of standards gives a framework for policies and procedures that include all legal, physical, and technical controls in Microsoft Azure Compliance Offerings for an organization's information risk management. ISO 27001 lists the requirements for implementing, maintaining, monitoring, and improving an information security management system (ISMS). For more information, see ISO 27001:2013. | NA |
| ISO 27017:2015 | The ISO 27017 code of practice is designed for organizations to use as a reference for selecting cloud services information security controls when implementing a cloud computing information security management system based on ISO 27002. Cloud service providers can also use ISO 27017 as a guidance document for implementing commonly accepted protection controls. For more information, see ISO/IEC 27017:2015. | ISO 27001:2013 |
| ISO 27018:2019 | ISO 27018 is the first international code of practice for cloud privacy that provides guidelines based on ISO 27002 guidelines and best practices for information security management. Based on EU data-protection laws, it gives specific guidance to cloud service providers acting as processors of personally identifiable information (PII) on assessing risks and implementing state-of-the-art controls for protecting PII. ISO 27018 establishes cloud-specific control objectives and guidelines for PII in accordance with the privacy principles in ISO 29100. For more information, see ISO/IEC 27018:2019. | ISO 27001:2013 |
| ISO 27701:2019 | ISO 27701 is built as an extension of the widely used ISO/IEC 27001 standard for information security management, making the implementation of a privacy information management system (PIMS) a helpful compliance extension for the many organizations that rely on ISO/IEC 27001, and creating a strong integration point for aligning security and privacy controls. For more information, see ISO/IEC 27701:2019. | ISO 27001:2013 |
| ISO 9001:2015 | ISO 9001 is an international standard that establishes the criteria for a quality management system. It's the only standard in the ISO 9000 family that results in a formal certification. The standard is based on several quality management principles, including a clear focus on meeting customer requirements, strong corporate governance and leadership commitment to quality objectives, a process-driven approach to meeting objectives, and a focus on continuous improvement. For more information, see ISO 9001:2015. | ISO 27001:2013 |
| MARS-E (US) | In 2012, the Center for Medicare and Medicaid Services (CMS) published the Minimum Acceptable Risk Standards for Exchanges (MARS-E) in accordance with CMS information security and privacy programs. The suite of documents, including guidance, requirements, and templates, was designed to address mandates of the Patient Protection and Affordable Care Act (ACA) and regulations of the Department of Health and Human Services that apply to the ACA. For more information, see MARS-E (US). | FedRAMP High |
| NERC | The North American Electric Reliability Corporation (NERC) is a nonprofit regulatory authority whose mission is to ensure the reliability of the North American bulk power system. NERC is subject to oversight by the U.S. Federal Energy Regulatory Commission (FERC) and governmental authorities in Canada. For more information, see North American Electric Reliability Corporation (NERC). | FedRAMP High |
| NIST Cybersecurity Framework | The NIST Cybersecurity Framework (CSF) was published in February 2014 as guidance for critical infrastructure organizations to better understand, manage, and reduce their cybersecurity risks. The CSF was developed in response to the Presidential Executive Order on Improving Critical Infrastructure Security, which was issued in February 2013. For more information, see NIST Cybersecurity Framework (CSF). | FedRAMP High |
| PCI 3DS | Europay, Mastercard, and Visa (EMV) three-domain secure (3-D Secure or 3DS) is an EMVCo messaging protocol that enables cardholders to authenticate with their card issuers when making card-not-present (CNP) online transactions. The PCI 3DS Core Security Standard provides a framework for these critical EMV 3DS functions to implement security controls that support the integrity and confidentiality of 3DS transactions. For more information, see PCI 3DS. | NA |
| PCI DSS Level 1 | The Payment Card Industry (PCI) Data Security Standard (DSS) is a global information security standard that helps prevent fraud by controlling credit card data. PCI DSS compliance is required for any organization that stores, processes, or transmits payment and cardholder data. For more information, see PCI DSS. | NA |
| SOC 1 Type 2 | The American Institute of Certified Public Accountants (AICPA) establishes three Service Organization Controls (SOC) reporting options: SOC 1, SOC 2, and SOC 3. These controls help CPAs examine and report on a service organization's controls. The SOC 1 Type 2 attestation is based on the AICPA Statement on Standards for Attestation Engagements 18 (SSAE 18) standard (see AT-C Section 105) and the International Standard on Assurance Engagements No. 3402 (ISAE 3402). For more information, see System and Organization Controls (SOC) 1 Type 2. | NA |
| SOC 2 Type 2 | SOC 2 Type 2 is a restricted-use report intended to report on controls relevant to the Security, Availability, Confidentiality, Processing Integrity, and Privacy system attributes. For more information, see System and Organization Controls (SOC) 2 Type 2. | NA |
| SOC 3 | A SOC 3 report is a short, public version of the SOC 2 Type 2 attestation report. The SOC 3 report is for users who want assurance about the cloud service provider's controls but don't need a full SOC 2 report. For more information, see System and Organization Controls (SOC) 3. | NA |
| UK Cyber Essentials Plus | Cyber Essentials is a UK government-backed scheme that helps organizations check and reduce risks from common cybersecurity threats to their IT systems. Cyber Essentials is required for all UK government suppliers that handle personal data. For more information, see UK Cyber Essentials Plus. | ISO 27001:2013 |
| UK G-Cloud | Government Cloud (G-Cloud) is a UK government initiative to ease procurement of cloud services by government departments and promote government-wide adoption of cloud computing. G-Cloud comprises a series of framework agreements with cloud services suppliers (such as Microsoft), and a listing of their services in an online store, the Digital Marketplace. This approach enables public-sector organizations to compare and procure cloud services without having to do their own full review process. For more information, see UK G-Cloud. | ISO 27001:2013 |
| WCAG 2.0 | The Web Content Accessibility Guidelines 2.0 (WCAG 2.0) provide a framework for developing web content that improves accessibility for people with disabilities and users of devices with limited graphical abilities. For more information, see Web Content Accessibility Guidelines. | ISO 27001:2013 |

Service Trust Portal