Microsoft Azure Racks Up Cloud Compliance Certifications

In the U.S. and abroad, Microsoft is piling on the security and privacy certifications in its bid to attract more enterprise workloads to its cloud platform.

Microsoft has been beefing up its Azure cloud computing platform, and the company has the certifications to prove it, according to Lori Woehler, principal group manager for Compliance and Trust at the software and cloud computing giant.

Woehler revealed in an Azure blog post that Microsoft Azure had "completed an ISO 27001 renewal audit to the 2013 version of the standard, following the ISO [International Organization for Standardization] 27002 best practices for comprehensive information security and risk management." ISO 27001 is a set of standards governing information security within organizations.

"Using this family of standards will help your organization manage the security of assets such as financial information, intellectual property, employee details or information entrusted to you by third parties," states the group's website at

Microsoft also asked British Standards Institute Americas, the company tasked with conducting the certification, "to validate that we incorporated controls that are aligned to the ISO 27018 code of practice for protection of Personally Identifiable Information (PII) in public clouds," Woehler said. "There are three big commitments enabled by these controls: Azure is 'Advertising Free,' so customers don't have to worry their data is used for advertising or marketing purposes; Azure has defined policies for the return, transfer and secure disposal of PII; and Azure proactively discloses the identities of sub-processors."

Azure is also certified for Service Organization Controls 1 and 2 Reports (SOC 1 and 2), concerning financial reporting and security, respectively. "At this time, Azure is the only global cloud service provider with a report for SOC 2 Processing Integrity, which demonstrates system processing was complete, accurate, timely, and authorized," claimed Woehler.

Overseas, Azure was given the stamp of approval from the Australian Government Information Security Registered Assessors Program (IRAP). "Our goal is to support customers' ability to meet unique government or data sovereignty requirements, and to accelerate deployment of key workloads to accredited cloud services," she added.

In Singapore, Azure was found in compliance with the country's strict cloud data security standards. "[Multi-Tier Cloud Security] MTCS accreditation was announced in late October 2014 for Microsoft Cloud Infrastructure and Operations data centers, Office 365 and Azure as the first Level 1 certified end-to-end cloud services offering," said Woehler.

Azure can help health care providers meet the Food and Drug Administration's requirements for electronic records, added Woehler. "Azure has worked with customers and partners in life sciences to qualify their applications and services running on Azure to 21 CFR Part 11," she revealed. Code of Federal Regulations (CFR) Part 11 imposes rules for electronic health records and electronic signatures. Microsoft also plans to build on its crop of FedRAMP-approved cloud offerings for government customers.

Microsoft is also helping law enforcement agencies adopt the cloud. Woehler described Azure Government as "one of the first commercial infrastructure cloud platforms to meet U.S. CJIS [Criminal Justice Information Services] certification requirements for state and local governments, expanding the scope of coverage to state agencies already using Microsoft Office 365 for CJIS workloads."

Pedro Hernandez

Pedro Hernandez is a contributor to eWEEK and the IT Business Edge Network, the network for technology professionals. Previously, he served as a managing editor for the network of...