As customers consider the transition to the cloud, we often hear that they want to ensure security, privacy and compliance requirements are met. At Microsoft, we believe that customers have the right to know how Office 365:
- Safeguards confidentiality, integrity, availability and reliability of your data.
- Lets you control access to your data.
- Helps you comply with various regulatory standards.
We want to ensure that you have access to the information that is relevant for you to perform a risk assessment on Office 365 services—on demand. Access to this information should be seamless. To achieve these goals, we have released the Service Assurance Dashboard as part of the Office 365 Security and Compliance Center, which provides you immediate access to:
- Details on how Office 365 implements security, privacy and compliance controls including details of how third-party independent auditors perform audits to test these controls.
- Third-party independent audit reports including: SSAE 16 / SOC 1, SOC 2 / AT 101, ISO 27001 and ISO 27018.
- Deep insights into how we implement encryption, incident management, tenant isolation and data resiliency.
- Information on how you can leverage Office 365 security controls and configurations to protect your data.
Service Assurance—Audited Controls
While there are many detailed insights provided through Service Assurance, initial customer feedback indicates that Audited Controls are particularly helpful. The Audited Controls feature in Service Assurance helps you to understand how Office 365 protects your data by detailing:
- Test status—Status of the Office 365 controls.
- Control implementation details—Explanation of how Office 365 implements a control.
- Testing performed to evaluate control effectiveness—How independent auditors test the effectiveness of our security, compliance and privacy controls.
- Test date—When a control was validated.
- Office 365 controls—How the Office 365 internal controls map to standard controls.
Service Assurance—Compliance Reports
In this open and transparent model, we don’t just tell you “what” controls we have implemented, but also give you insights into “how” Microsoft implements and tests these controls. The Compliance Reports and Trust Documents provide you independent audit reports, deep-dive white papers and FAQs that are relevant to your geography and industry. Service Assurance helps you to stay secure and compliant with an “end-to-end” view of controls implemented by you as well as by Microsoft. For controls owned by you, it provides actionable implementation plans for relevant features that help you to implement these controls and manage your risks.
Tens of thousands of organizations already use Office 365 Service Assurance and have indicated that they are saving a significant amount of time in evaluating the security, privacy and compliance of Office 365. Information available through Service Assurance, such as the “Customer Security Considerations Workbook,” has helped customers secure their Office 365 service with features/configurations that they manage.
Service Assurance is available to all Office 365 tenants as well as to prospective customers with Office 365 E3/E5 trials. To get started, follow this guide at Security and Compliance Center—Service Assurance.
We look forward to your feedback!
—Om Vaiti, senior program manager for the Office 365 Trust Engineering team