ISO/IEC 27018 Code of Conduct for Protection of Personal Data in the Cloud - Microsoft Compliance (2023)

ISO/IEC 27018 Overview

The International Organization for Standardization (ISO) is an independent non-governmental organization and the world's largest developer of voluntary international standards. The ISO/IEC 27000 family of standards helps organizations of all types and sizes keep information assets secure.

In 2014, ISO adopted ISO/IEC 27018:2014, an addendum to ISO/IEC 27001, the first international code of practice for cloud privacy. Based on EU data protection laws, it provides cloud service providers (CSPs) who act as processors of personally identifiable information (PII) with specific guidance on how to assess risk and implement state-of-the-art controls to protect PII.

Microsoft and ISO/IEC 27018

Microsoft Azure and Azure Germany are audited at least annually for compliance with ISO/IEC 27001 and ISO/IEC 27018 by an accredited external certification body. This audit provides independent confirmation that applicable security controls are in place and operating effectively. As part of this compliance review process, auditors validate in their statement of applicability that Microsoft cloud services and commercial helpdesk services have integrated ISO/IEC 27018 controls to protect PII in Azure. To remain compliant, Microsoft cloud services must undergo annual third-party audits.

By complying with the standards of ISO/IEC 27001 and the code of conduct contained in ISO/IEC 27018, Microsoft demonstrates that its privacy policies and practices are robust and meet its high standards.

  • Microsoft cloud service customers know where their data is stored. Because ISO/IEC 27018 certified CSPs are required to inform customers about the countries in which their data may be stored, Microsoft cloud service customers have the transparency they need to comply with applicable information security rules.
  • Customer data will not be used for marketing or advertising without express consent. Some CSPs use customer data for their own business purposes, including targeted advertising. Because Microsoft has adopted ISO/IEC 27018 for its in-scope enterprise cloud services, customers can be assured that their data will never be used for such purposes without their express consent, and that consent is not a condition of using the cloud service.
  • Microsoft customers know what happens to their PII. ISO/IEC 27018 requires a policy that allows for the return, transfer, and secure disposal of personal data within a reasonable period of time. When Microsoft works with other companies that need access to its customers' data, Microsoft proactively discloses the identities of those sub-processors.
  • Microsoft complies only with legally binding requests for disclosure of customer data. If Microsoft is required to comply with such a request (for example, in the case of a criminal investigation), Microsoft will always notify the customer, unless prohibited by law.

Cloud platforms and services within Microsoft

  • Azure, Azure Government and Azure Germany
  • Azure DevOps Services
  • Dynamics 365, Dynamics 365 Government, and Dynamics 365 Germany
  • Intune
  • Microsoft Defender for Cloud Apps
  • Microsoft Professional Services: Premier and On Premises for Azure, Dynamics 365, Intune, and Microsoft 365 for midsize and large enterprise customers
  • Microsoft Graph
  • Microsoft Healthcare Bot
  • Microsoft Managed Desktop
  • Microsoft Threat Experts
  • Microsoft Stream
  • Office 365, Office 365 US Government, and Office 365 US Government Defense
  • Office 365 Germany
  • OMS Service Map
  • Power Automate (formerly Microsoft Flow): cloud service, either as a standalone service or as part of an Office 365 or Dynamics 365 branded plan or suite
  • PowerApps cloud service: as a standalone service or included in an Office 365 or Dynamics 365 plan or suite
  • Power BI cloud service: as a standalone service or included in an Office 365 branded suite or plan
  • Power BI Embedded
  • Power Virtual Agents
  • Microsoft Defender for Endpoint: Endpoint Detection and Response, Automated Investigation and Remediation, Secure Score
  • Windows 365

Azure, Dynamics 365, and ISO/IEC 27018

For more information about compliance for Azure, Dynamics 365, and other online services, see the Azure ISO/IEC 27018 offering.

Office 365 and ISO/IEC 27018

Office 365 environments

Microsoft Office 365 is a multi-tenant, hyperscale cloud platform and an integrated experience of applications and services available to customers in various regions of the world. Most Office 365 services allow customers to specify the region in which their customer data is located. Microsoft may replicate customer data to other regions within the same geographic area (for example, the United States) for data resiliency, but Microsoft will not replicate customer data outside the selected geographic area.

This section covers the following Office 365 environments:

  • Client software (client): commercial client software running on customer devices.
  • Office 365 (commercial): the Office 365 commercial public cloud service, available worldwide.
  • Office 365 Government Community Cloud (GCC): the Office 365 GCC cloud service is available to US federal, state, local, and tribal governments, and to contractors who store or process data on behalf of the US government.
  • Office 365 Government Community Cloud High (GCC High): the Office 365 GCC High cloud service is designed according to US Department of Defense (DoD) Security Requirements Guidelines Level 4 controls and supports highly regulated federal and defense information. This environment is used by federal agencies, the Defense Industrial Base (DIB), and government contractors.
  • Office 365 Department of Defense (DoD): the Office 365 DoD cloud service is designed according to DoD Security Requirements Guidelines Level 5 controls and supports strict federal and defense regulations. This environment is for the exclusive use of the US Department of Defense.

Use this section to help fulfill your compliance obligations in regulated industries and global markets. You can find out which services are available in which regions in the International availability information and in the Where Microsoft 365 customer data is stored article. For more information about the Office 365 Government cloud environment, see the Office 365 Government cloud article.

Your organization assumes full responsibility for ensuring compliance with all applicable laws and regulations. The information provided in this section does not constitute legal advice and you should consult legal counsel if you have any questions about your company's compliance with legal requirements.

Office 365 applicability and services included in scope

Use the table below to determine the applicability of your Office 365 subscription and services:

Applicability: Services in scope

Commercial: Access Online, Azure Active Directory, Azure Communications Service, Compliance Manager, Customer Lockbox, Delve, Exchange Online Protection, Exchange Online, Forms, Griffin, Identity Manager, Lockbox (Torus), Microsoft Defender for Office 365, Microsoft Teams, MyAnalytics, Office 365 Advanced Compliance Add-on, Office 365 Customer Portal, Office 365 Microservices (including, but not limited to, Kaizala, ObjectStore, Sway, PowerPoint Online Document Service, Query Annotation Service, School Data Sync, Siphon, Speech, StaffHub, eXtensible Application Program), Office 365 Security & Compliance Center, Office Online, Office Pro Plus, Office Services Infrastructure, OneDrive for Business, Planner, PowerApps, Power Automate, Power BI, Project Online, Microsoft Purview Customer Key Service Encryption, SharePoint Online, Skype for Business, Stream

GCC: Azure Active Directory, Azure Communications Service, Compliance Manager, Delve, Exchange Online, Forms, Microsoft Defender for Office 365, Microsoft Teams, MyAnalytics, Office 365 Advanced Compliance Add-on, Office 365 Security & Compliance Center, Office Online, Office Pro Plus, OneDrive for Business, Planner, PowerApps, Power Automate, Power BI, SharePoint Online, Skype for Business, Stream

GCC High: Azure Active Directory, Azure Communications Service, Exchange Online, Forms, Microsoft Defender for Office 365, Microsoft Teams, Office 365 Advanced Compliance Add-on, Office 365 Security & Compliance Center, Office Online, Office Pro Plus, OneDrive for Business, Planner, PowerApps, Power Automate, Power BI, SharePoint Online, Skype for Business

DoD: Azure Active Directory, Azure Communications Service, Exchange Online, Forms, Microsoft Defender for Office 365, Microsoft Teams, Office 365 Advanced Compliance Add-on, Office 365 Security & Compliance Center, Office Online, Office Pro Plus, OneDrive for Business, Planner, Power BI, SharePoint Online, Skype for Business

Office 365 audits, reports and certificates

Microsoft enterprise cloud services and commercial technical support services are audited annually against the ISO/IEC 27018 code of practice as part of the ISO/IEC 27001 certification process.

  • Office 365: ISO 27001, 27018 and 27017 audit assessment report

Frequently asked questions

Who does ISO/IEC 27018 apply to?

This code of practice applies to CSPs that process PII on behalf of other organizations. At Microsoft, it also applies to the support of those cloud services.

What is the difference between "personal data controller" and "personal data processor"?

In the context of ISO/IEC 27018:

  • "Controllers" control the collection, retention, processing, or use of personal data, including parties that control it on behalf of another entity.
  • "Processors" process information on behalf of the controller; they do not make decisions about how the information is used or about the purposes of the processing. In providing its enterprise cloud services, Microsoft (as the provider) is a data processor.

Where can I view Office 365 compliance information for ISO/IEC 27018?

  • You can view the ISO/IEC 27018 certificates for Office 365 issued by BSI, the independent auditor that validated Microsoft's compliance with ISO/IEC 27018.

Can I use Microsoft compliance in my organization's certification process?

Yes. If ISO/IEC 27018 compliance is important to your organization and to its deployments on any Microsoft enterprise cloud service, you can use Microsoft's ISO/IEC 27018 attestation of compliance, which Microsoft obtains as part of its ISO/IEC 27001 certification assessment, in your own certification process.

However, you are responsible for engaging an assessor to evaluate your implementation for compliance, as well as the controls and processes within your own organization.

Use Microsoft Purview Compliance Manager to assess your risk

Microsoft Purview Compliance Manager is a feature in the Microsoft Purview compliance portal that helps you understand your organization's compliance posture and take action to reduce risk. Compliance Manager offers a premium template for building an assessment for this regulation. Find the template on the Assessment templates page in Compliance Manager. Learn how to create assessments in Compliance Manager.

Article information

Author: Mrs. Angelic Larkin

Last Updated: 04/11/2023
