Last updated on March 9, 2023
Microsoft Compliance Offerings Cheat Sheet
- Microsoft Trust Center provides access to security, privacy, and compliance information.
  - Security – provides information about identity & access management, threat & information protection, and cloud security.
  - Privacy – provides information on how you can secure your data at rest and in transit.
  - Compliance – provides information about industry-specific requirements, audit reports, and shared responsibility.
- The Microsoft Privacy Statement explains how Microsoft collects personal data, how it uses that data, and why it needs to share personal data.
- The Online Services Terms (OST) document the terms and conditions that apply when you purchase licenses for products and online services through Microsoft Volume Licensing programs.
- The Data Protection Amendment (DPA) sets out the responsibilities of the customer and of Microsoft for the collection and protection of Customer Data and Personal Data in Azure.
National Institute of Standards and Technology (NIST)
- NIST maintains measurement standards and guidance to help organizations assess risk.
- NIST released the Framework for Improving Critical Infrastructure Cybersecurity (FICIC) to strengthen the cybersecurity of federal networks and critical infrastructure.
- The NIST Cybersecurity Framework (CSF) consists of standards, guidelines, and best practices to manage cybersecurity-related risks.
- Quickly build NIST CSF solutions on Azure using the Azure Security and Compliance NIST CSF Blueprint.
General Data Protection Regulation (GDPR)
- GDPR establishes new rules for organizations that offer goods and services to people in the European Union, or that collect and analyze data about EU residents. The GDPR applies no matter where your company is located.
- GDPR grants individuals certain rights to manage the personal data gathered by an organization through a Data Subject Request (DSR).
- GDPR requires an organization to respond to DSRs in a timely manner, to report data breaches, and to conduct data protection impact assessments (DPIAs).
International Organization for Standardization (ISO)
- ISO provides international standards to safeguard consumers and end-users of products and services.
- The International Electrotechnical Commission (IEC) is an organization that prepares and publishes international standards for electrical, electronic, and related technologies.
- ISO/IEC 27001 is an information security management standard designed to bring information security under explicit management control.
- If a company has been granted ISO certification, it has established standards and general principles for the initiation, implementation, maintenance, and improvement of information security management.
- You can use the Service Trust Portal to obtain audited compliance reports.
Microsoft Compliance Offerings Cheat Sheet References:
https://docs.microsoft.com/en-us/microsoft-365/compliance/offering-nist-csf?view=o365-worldwide
https://docs.microsoft.com/en-us/microsoft-365/compliance/gdpr?view=o365-worldwide
https://docs.microsoft.com/en-us/microsoft-365/compliance/offering-iso-27001?view=o365-worldwide