Connecting Technology and Business.

Microsoft Azure Compliances and Certifications

ISO 27001-2013

ISO 27001 is an information security standard that is published by the International Organization for Standardization (ISO) and the International Electro-technical Commission (IEC) under the joint ISO and IEC subcommittee, ISO/IEC JTC 1/SC 27. It is a specification for an information security management system (ISMS). Organizations which meet the standard may gain an official certification issued by an independent and accredited certification body on successful completion of a formal audit process.


Payment Card Industry Data Security Standard is a proprietary information security standard for organizations that handle branded credit cards from the major card brands including Visa, MasterCard, American Express, Discover, and JCB. Private label cards --those without a logo from a major card brand are not included in the scope of the PCI DSS.

The PCI Standards is mandated by the card brands and run by the Payment Card Industry Security Standards Council. The standard was created to increase controls around cardholder data to reduce credit card fraud via its exposure. Validation of compliance is performed annually, either by an external Qualified Security Assessor (QSA) that creates a Report on Compliance (ROC) for organizations handling large volumes of transactions, or by Self-Assessment Questionnaire (SAQ) for companies handling smaller volumes.


The Health Insurance Portability and Accountability Act of 1996 (HIPAA) was enacted by the United States Congress and signed by President Bill Clinton in 1996. It has been known as the Kennedy–Kassebaum Act or Kassebaum-Kennedy Act after two of its leading sponsors. Title I of HIPAA protects health insurance coverage for workers and their families when they change or lose their jobs. Title II of HIPAA, known as the Administrative Simplification (AS) provisions, requires the establishment of national standards for electronic health care transactions and national identifiers for providers, health insurance plans, and employers.

SOC 1 & SOC 2

Service Organization Controls are a series of accounting standards that measure the control of financial information for a service organization. They are covered under both the SSAE 16 and the ISAE 3402 professional standards.

SOC 1 reports will be prepared in accordance with Statement on Standards for Attestation Engagements (SSAE) No. 16, Reporting on Controls at a Service Organization. SOC 1 reports provide a means of reporting on the system of internal control for purposes of complying with internal control over financial reporting.

For reports that are not specifically focused on internal controls over financial reporting, SOC 2 and SOC 3 reports should be used. These reports will focus on controls at a service organization relevant to security, availability, processing integrity, confidentiality, and/or privacy.


Federal Risk and Authorization Management Program – FedRAMP - is a U.S. government program that provides a standardized approach to security assessment, authorization, and continuous monitoring for cloud services used by the federal government.

UK G-Cloud

The UK Government G-Cloud is an initiative targeted at easing procurement by public sector bodies in departments of the United Kingdom Government of commodity information technology services that use cloud computing. The G-Cloud consists of:

  • A series of framework agreements with suppliers, from which public sector organizations can call off services without needing to run a full tender or competition procurement process
  • An online store - the "Digital Marketplace" (previously "CloudStore") that allows public sector bodies to search for services that are covered by the G-Cloud frameworks.


The Cloud Security Alliance (CSA) Cloud Controls Matrix (CCM) is designed to provide fundamental security principles to guide cloud vendors and to assist prospective customers in assessing the overall security risk of a cloud provider.


The Federal Information Security Management Act of 2002 was implemented to provide agencies the ability to document and implement information security programmes within their operational systems.


Federal Bureau of Investigation (FBI) Criminal Justice Information Services (CJIS) is available to authorized local, state, and federal law enforcement and criminal justice agencies via any of the three law enforcement communication systems – National Law Enforcement Telecommunications System (NLETS), a more localized state criminal information system (name varies by state), and the International Law Enforcement Telecommunications System (INLETS). CJIS consists of several databases and one subsystem, and its retrieval and update capabilities are online.


Information Security Registered Assessors Program of the Australian Government assess the implementation, appropriateness and effectiveness of a system's security controls.


Multi-Tier Cloud Security Standard for Singapore (MTCS SS) is a cloud security standard, developed under the Singapore Information Technology Standards Committee (ITSC) to provide businesses with greater clarity on the levels of security offered by different cloud service providers. The standard covers areas such as data retention, data sovereignty, data portability, liability, availability, business continuity, disaster recovery and incident management.

FDA 21 CFR Part 11

The Food and Drug Administration Part 11 of Title 21 Code of Federal Regulations, Electronic Records; Electronic Signatures (21 CFR Part 11) applies to entities that maintain records or submit information to include records in electronic form that are created, modified, maintained, archived, retrieved or transmitted under any records requirements set forth in FDA regulations. Part 11 also applies to electronic records submitted to the Agency under the Federal Food, Drug and Cosmetic Act (the Act) and the Public Health Service Act (the PHS Act).


Family Educational Rights and Privacy Act is a Federal law that protects the privacy of student education records and imposes requirements on U.S. educational organizations regarding the use and disclosure of student education records. Restrictions imposed by FERPA include scanning Customer Data for advertising purposes.


The Federal Information Processing Standard (FIPS) Publication 140-2 is a US government security standard that specifies the security requirements for cryptographic modules protecting sensitive information.


China Cloud Computing Promotion and Policy Forum developed the Trusted Cloud Service Certification tests and evaluates a cloud service within an SLA framework in terms of 16 indexes including data management, service quality and rights protection. The test results issued by the CCCPPF are publically available.


Multi-Level Protection Scheme is based on the Chinese state standard (GB/T 22239-2008) and issued by the Ministry of Public Security. The certification labels target systems from level 1 to 5 (with 5 being the highest) based on their risk profiles. The MLPS provides assurance for both the management and technical security of the target system.