ISOIEC 27018 Compliance Backgrounder
ISOIEC 27018 Compliance Backgrounder
ISOIEC 27018 Compliance Backgrounder
Audit cycle In 2014, the ISO adopted ISO/IEC 27018:2014, an addendum to ISO/IEC 27001,
Microsoft cloud services are the first international code of practice for cloud privacy. Based on EU data-
audited once a year for the protection laws, it gives specific guidance to cloud service providers (CSPs)
ISO/IEC 27018 code of practice as acting as processors of personally identifiable information (PII) on assessing
part of the certification process for
risks and implementing state-of-the-art controls for protecting PII.
ISO/IEC 27001.
ISO/IEC 27018:2014 code of Microsoft enterprise cloud services have been successfully audited against
practice ISO/IEC 27001 by accredited independent certification bodies. As part of the
aka.ms/ISO.IEC_27018.2014 certification process, the auditors validated in their statement of applicability
that Microsoft in-scope enterprise cloud services have incorporated ISO/IEC
White paper
Compliance Framework for Online
27018 controls for the protection of PII in the public cloud. (The company
Services was the first major cloud provider to incorporate the ISO/IEC 27018 code of
aka.ms/compliance-framework practice.) To remain compliant, Microsoft cloud services must be subject to
annual third-party reviews.
Microsoft Online Services Terms
aka.ms/Online-Services-Terms
By following the standards of ISO/IEC 27001 and the code of practice
Microsoft Cloud for Government embodied in 27018, Microsoft demonstrates that its privacy policies and
aka.ms/govt-cloud procedures are robust and in line with its high standards.
Microsoft Cloud Trust Center Customers of Microsoft cloud services know where their data
www.microsoft.com/trustcenter is stored. Because ISO/IEC 27018 requires certified CSPs to inform
customers of the countries in which their data may be stored, Microsoft
For more information cloud service customers will have the visibility they need to comply with
Customers: Contact your any applicable information security rules.
Microsoft account representative.
Potential customers: Go to Customer data wont be used for marketing or advertising
support.microsoft.com/contactus. without explicit consent. Some CSPs use customer data for their
own commercial purposes, including for targeted advertising. Because
Microsoft has adopted ISO/IEC 27018 for its in-scope enterprise cloud
services, customers can rest assured that their data will never be used for
such purposes without explicit consent, and that consent cannot be a
condition for use of the cloud service.
Microsoft Dynamics CRM Online and Microsoft Dynamics CRM Online Government.
Microsoft Intune.
Microsoft Office 365 and Microsoft Office 365 U.S. Government: Exchange Online,
SharePoint Online, and Skype for Business Online.