BSI Case Study Microsoft ISO/IEC 27018
Microsoft sets a high bar
for Information Security
BSI has certified several Microsoft
divisions that provide Trusted Cloud
Services to ISO/IEC 27001, including
Microsoft Office 365, Microsoft Azure
and Microsoft Dynamics CRM services as
well as Online Data Centers and Physical
Infrastructure provided by Microsoft
Global Foundation Services and has
verified conformance of each to
ISO/IEC 27018, the first international
cloud privacy standard.
Background
Innovation in business increasingly relies on technology.
For IT departments to remain competitive, use of the
cloud is not just more cost effective but can unlock
additional business value through the use of big data
analytics and other cloud technologies. By facilitating the
ability to bring new services and products online quickly,
with increased agility, cloud services are transforming
even traditional businesses. But, with innovation comes
concern. Millions of people have had their personal
information stolen in the course of everyday transactions.
Data breaches reached a record high in 2014. Enterprise
customers, in particular, need to feel that their
information is properly protected. As the world’s leading
provider of software services, Microsoft wanted to
improve the trust customers have in cloud services.
BSI Case Study Microsoft ISO/IEC 27018
As the cloud becomes more prevalent in business, the
regulatory environment also continues to tighten. While
the US requires companies to undergo a variety of
audits, many US-centric schemes rely on self-assertions
and attestations. International standards, like ISO/IEC
27001, however, demand independent third-party audits
by experts who test the veracity and applicability of the
scope and relevant controls. In the US, there are a number
of regulations addressing the use of information, but
there is no overarching protection guarantee of privacy
of personally identifiable information (PII). In Europe, by
contrast, the Data Protection Directive (Directive 95/46/
EC) imposes restrictions on the control, processing
and transmission of personal data. For international
organizations or companies wanting to work globally,
compliance to US regulations alone is simply not enough.
Customer Needs
In working towards certification to ISO/IEC 27001 and to
include ISO/IEC 27018, Microsoft identified its goals as
the need to:
• Meet the expectations of customers and regulators
worldwide that processors will protect customer data
and personal information
• Improve trust in cloud computing
• Protect customer data, particularly PII, stored in
the cloud
• Ensure global legislative requirements are consistently
applied for the protection of PII
• Create a mechanism for independent and accredited
third party verification of underlying practices and
policies of a cloud service provider
The goals reflect Microsoft’s focus on building trusted
cloud services by continuously improving the reliability,
privacy controls and security features of its services.
Cloud computing has become an extension of virtually
every IT department, by providing greater flexibility, but
requiring fewer resources. The cloud provides access
to a variety of services, from Software as a Service,
to Platform as a Service as well as Infrastructure as a
Service. From the consumers’ standpoint, as cloud usage
expands, so do concerns about how data is processed
and protected.
Microsoft has been certified to ISO/IEC 27001 since
2006 and has proactively instituted policies and controls
to restrict access and transmission of information.
Microsoft Office 365, Microsoft Azure, Microsoft
Dynamics CRM services as well as Online Data Centers
and Physical Infrastructure all act as conduits of personal
information and protectors of key customer data which
must be protected. To build trust, Microsoft needed to
be able to demonstrate information security controls
were in place in each of these areas with the enhanced
certification that ISO/IEC 27018 brings.
Complexity of the problem
• Use of cloud computing services is being inhibited by
concerns over security and privacy
• Cloud regulations continue to evolve
• Delivering a global service to global customers requires
consistent communication of commitments about
security and privacy for cloud services
• Although ISO/IEC 27001 certification provides trusted
evidence of a comprehensive information security
management process, ISO/IEC 27001 does not address
the cloud specifically
BSI Case Study Microsoft ISO/IEC 27018
Specific Solutions
The ISO/IEC 27000 family of standards for Information
Security provides the framework for companies
to develop processes and procedures to address
information security concerns. ISO/IEC 27001 offers 114
controls, which, when properly instituted, recognize and
mitigate the various risks involved with the collection and
dissemination of information.
In 2014, ISO/IEC 27018 was developed to address
the rising concerns about cloud computing and the
protection of PII by public cloud service providers.
By conforming to controls outlined by this standard,
Microsoft has been independently-assessed to confirm
that the policies and procedures are in place regarding
the secure return, transfer and deletion of PII that is
stored in its data centers. In addition, ISO/IEC 27018
provides a number of detailed restrictions on how data is
to be retained, transmitted and accessed.
Bringing these two international standards together
under one scope for third-party certification provides
both overarching information security assurances for
Microsoft’s customers as well as the specific guarantees
needed for cloud users.
“Microsoft has invested heavily to build ISO/IEC 27001
practices into the core of our cloud services—it’s not
just a certificate to us. Adding protection of PII using
the controls in ISO/IEC 27018 is a great fit for our cloud
services and operations, and further proof that we take
protection of customer data and PII seriously,” stated Tom
Keane, Partner Director, Program Management, Azure
Services.
Benefits of Certification
• Microsoft’s customers have evidence of specific
measures taken to address processing personal and
confidential information in Microsoft cloud services
• Customers can trust BSI’s assessment of Microsoft’s
commitment to security and data protection, avoiding
the need for their individual on-site audit
• Customers can point to Microsoft’s certificates as
evidence to data protection authorities that they
have chosen a responsible processor for personal
information
• Clear communication and trusted verification of
commitment to protect the security and privacy of
customer data in cloud services improves customer
trust in Microsoft services
Microsoft has raised the bar for all cloud services
providers. ISO/IEC 27018 outlines the model for ensuring
protection of PII no matter where the information travels,
allowing ready access to markets across Europe, Asia as
well as the US.
Why BSI
Microsoft’s long-standing relationship with BSI allows
it to continuously improve its information security
practices. As the originator of the world’s first standard
to address the concerns of information security, BSI
understands that information is often an organization’s
most valuable asset and thus, must be protected.
Today, BSI leads the market in certification to ISO/IEC
27001. As of 2013, over 70% of certifications in the US
were issued by BSI. Microsoft required a consistent
approach to bring all the data centers across the globe
under one scope. BSI’s worldwide presence made that
possible.
Benefits and ROI of certification
Brad Smith, Microsoft’s General Counsel & Executive
Vice President, Legal and Corporate Affairs outlined a
number of benefits the customer receives as a result
of Microsoft’s certification of ISO/IEC 27001 and its
conformance with ISO/IEC 27018:
• “You are in control of your data. Our adherence to the
standard ensures that we only process personally
identifiable information according to the instructions
that you provide to us as our customer.
BSI Case Study Microsoft ISO/IEC 27018

• You know what’s happening with your data. Adherence
to the standard ensures transparency about our
policies regarding the return, transfer, and deletion of
personal information you store in our data centers.
We’ll not only let you know where your data is, but if
we work with other companies who need to access
your data, we’ll let you know who we’re working with. In
addition, if there is unauthorized access to personally
identifiable information or processing equipment or
facilities resulting in the loss, disclosure or alteration
of this information, we’ll let you know about this.
• We provide strong security protection for your
data. Adherence to ISO 27018 provides a number of
important security safeguards. It ensures that there
are defined restrictions on how we handle personally
identifiable information, including restrictions on
its transmission over public networks, storage on
transportable media, and proper processes for data
recovery and restoration efforts. In addition, the
standard ensures that all of the people, including
our own employees, who process personally
identifiable information must be subject to a
confidentiality obligation.
• Your data won’t be used for advertising. Enterprise
customers are increasingly expressing concerns about
cloud service providers using their data for advertising
purposes without consent. The adoption of this standard
reaffirms our longstanding commitment not to use
enterprise customer data for advertising purposes.
• We inform you about government access to data.
The standard requires that law enforcement requests
for disclosure of personally identifiable data must be
disclosed to you as an enterprise customer, unless this
disclosure is prohibited by law. We’ve already adhered
to this approach (and more), and adoption of the
standard reinforces this commitment.” 1
Next steps
• Microsoft continues to work with BSI to help message
its security and privacy capabilities to their customers
and the industry at large.
• Continue evolution of Microsoft’s ISO/IEC 27001
certification with support for new controls as they
emerge.
• Other large cloud service providers hope to follow
Microsoft’s lead on the protection of PII and consumer
data in cloud services.

1
 rad Smith, General Counsel & Executive Vice President, Legal and Corporate Affairs, Microsoft.
B
http://blogs.microsoft.com/on-the-issues/2015/02/16/microsoft-adopts-first-international-cloud-privacy-standard. Accessed 4/12/2015.

Any business could benefit by choosing a cloud service provider that

implements ISO/IEC 27018 just like Microsoft.
BSI/USA/455/MS/715/E

All cloud service providers could benefit from ISO/IEC 27001 just like Microsoft.
To find out more, visit www.bsiamerica.com.
BSI Group America Inc. BSI Group Canada Inc. The BSI certification mark may be used on your stationery, literature
12950 Worldgate Drive, Suite 800 6205B Airport Road, Suite 414 and vehicles when you have successfully achieved certification and
Herndon, VA 20170 Mississauga, Ontario conform with applicable guidelines.
USA L4V 1E3
Canada The mark shall never be applied directly on the product or service.
Tel: +1 888 429 6178
Fax: 1 703 437 9001 Tel: 1 800 862 6752
Email: inquiry.msamericas@bsigroup.com Fax: 1 416 620 9911
Web: www.bsiamerica.com Email: Inquiry.canada@bsigroup.com
Web: www.bsigroup.ca
www.bsigroup.ca/fr Copyright © 2015 The British Standards Institution. All Rights Reserved.