Baseline Informatiebeveiliging Rijksdienst standard (BIR 2012)

BIR 2012 overview

Organizations operating in the Netherlands government sector must demonstrate compliance with the Baseline Informatiebeveiliging Rijksdienst standard (BIR 2012). The BIR 2012 provides a standard framework based on ISO 27001 and ISO 27002. For organizations using Microsoft Azure or Office 365, Microsoft manages part of the BIR 2012 controls for these cloud services in line with the shared responsibility model in cloud computing. Organizations that need to comply with BIR 2012 are therefore required to determine if the underlying Microsoft services they're using are compliant with BIR 2012.

The BIR coverage report indicates where the BIR controls are covered by the existing ISO 27001 certifications available for Microsoft cloud services. Where additional BIR controls aren't covered by ISO 27001, the report refers to other independent attestations, audit documentation, or contractual statements.

Microsoft and BIR 2012

While Microsoft isn't subject to BIR 2012 compliance, customers from the government sector seeking to use cloud services can use Microsoft's existing certifications to determine their compliance with this standard. Azure and Office 365 undergo various periodic independent certifications and attestations, some of which are closely related to BIR 2012.

Download the Microsoft Cloud: Azure and Office 365 BIR-2012 Baseline Coverage User Guide

Microsoft in-scope cloud platforms & services

  • Azure
  • Intune
  • Office 365

Office 365 and BIR 2012

Office 365 environments

Microsoft Office 365 is a multi-tenant hyperscale cloud platform and an integrated experience of apps and services available to customers in several regions worldwide. Most Office 365 services enable customers to specify the region where their customer data is located. Microsoft may replicate customer data to other regions within the same geographic area (for example, the United States) for data resiliency, but Microsoft will not replicate customer data outside the chosen geographic area.

This section covers the following Office 365 environments:

  • Client software (Client): commercial client software running on customer devices.
  • Office 365 (Commercial): the commercial public Office 365 cloud service available globally.
  • Office 365 Government Community Cloud (GCC): the Office 365 GCC cloud service is available for United States Federal, State, Local, and Tribal governments, and contractors holding or processing data on behalf of the US Government.
  • Office 365 Government Community Cloud - High (GCC High): the Office 365 GCC High cloud service is designed according to Department of Defense (DoD) Security Requirements Guidelines Level 4 controls and supports strictly regulated federal and defense information. This environment is used by federal agencies, the Defense Industrial Base (DIB), and government contractors.
  • Office 365 DoD (DoD): the Office 365 DoD cloud service is designed according to DoD Security Requirements Guidelines Level 5 controls and supports strict federal and defense regulations. This environment is for exclusive use by the US Department of Defense.

Use this section to help meet your compliance obligations across regulated industries and global markets. To find out which services are available in which regions, see the International availability information and the Where your Microsoft 365 customer data is stored article. For more information about the Office 365 Government cloud environments, see the Office 365 Government Cloud article.

Your organization is wholly responsible for ensuring compliance with all applicable laws and regulations. Information provided in this section does not constitute legal advice and you should consult legal advisors for any questions regarding regulatory compliance for your organization.

Office 365 applicability and in-scope services

Use the following table to determine applicability for your Office 365 services and subscription:

Applicability: Commercial
In-scope services: Azure Information Protection, Bookings, Exchange Online Protection, Exchange Online, Kaizala, Microsoft Analytics, Microsoft Booking, Microsoft Graph, Microsoft Teams, Microsoft To-Do for Web, MyAnalytics, Office 365 Cloud App Security, Office 365 Groups, Office Delve, OneDrive for Business, Planner, Power Apps, Power Automate, Power BI for Office 365, PowerApps, SharePoint Online, Skype for Business, StaffHub, Stream, Sway, Viva Engage

Audits, reports, and certificates

Microsoft retained an independent, third-party auditing firm to analyze the extent to which current Azure and Office 365 certifications and attestations (such as ISO/IEC 27001 and SOC 2 Type 2) cover the part of BIR 2012 that Microsoft is responsible for. The resulting report maps these existing certifications and attestations to the controls listed in the BIR 2012 standard. Customers can use the report as a tool to help adopt Azure in a BIR 2012-compliant way. The report clearly shows which BIR 2012 controls are covered by Microsoft and which controls remain to be implemented by the customer. The 'Microsoft Cloud: Azure and Office 365 BIR 2012 Baseline Coverage' report can be downloaded from the Service Trust Portal, in the Audit Reports - GRC Assessment Reports section.

Frequently asked questions

Is Microsoft BIR 2012 certified?

BIR compliance is an obligation of organizations in the government sector. It requires the organization to implement an information security management system and to address risk with appropriate technical and organizational measures. For Microsoft in its role as cloud service provider, BIR compliance is not the objective, nor is it technically feasible. When a customer implements or uses Microsoft cloud services, those services may be in scope of a BIR evaluation. However, the organization must add its own (additional) controls, choices, and processes, which are part of the overall BIR evaluation. The objective of the report is to demonstrate that a government agency can adopt Microsoft cloud services in a manner that is compliant with BIR 2012.

Is a customer that uses Microsoft cloud services compliant with BIR 2012?

Demonstrating BIR compliance is the responsibility of the customer. Customers using a cloud services vendor typically demand assurances from the vendor and add their own (additional) technology and organizational decisions, choices, and processes. This effort results in an overall assessment by the customer of its BIR compliance, which can be submitted for review or certification to a third-party auditor. The BIR coverage report provides insight into which BIR controls are covered by Microsoft cloud services, but as such does not cover end-to-end compliance.

The report does not show 100% coverage. Is BIR 2012 compliance not feasible?

Microsoft cloud services provide many controls that help organizations within the Netherlands with their BIR compliance needs. However, an organization needs to complement those vendor assurances with its own implementation choices, additional technology controls, and administrative processes. The report already shows over 91% direct coverage of the full list of applicable controls. For the remaining controls, Microsoft provides guidance in the report on how compliance with those controls can be demonstrated.

Is the BIR coverage report a legally binding document?

No. It is a supporting tool for the customer's internal BIR assurance process and helps to establish confidence and trust that BIR compliance is feasible. The report has a descriptive status and includes a legal disclaimer.

Can we share this report?

The report is provided to customers under a non-disclosure agreement, on the basis that it is for customer information only and that it will not be copied or disclosed via channels other than the Microsoft Service Trust Portal. Customers can share the report with their own internal or external auditor as part of their compliance or assurance processes.

Resources