The Microsoft approach to cloud transparency – Part V – Security standards evolution

Welcome! Please comment and leave me a note telling me what you like and what you'd like to see more of. Sign up to my RSS Feed!
This entry is part of a wonderful series, Microsoft Cloud Transparency»

Thank you for joining us again for the continuation of the paper I authored for Microsoft about  its approach to security of Cloud offering, including using the Cloud Security Alliance (CSA) Security, Trust & Assurance Registry (STAR).

Let me know what you think!


The Microsoft approach to cloud transparency

Using the Cloud Security Alliance’s Security, Trust & Assurance Registry (STAR)


Part V – Security standards evolution

Deciding which standard and framework to apply when selecting a cloud computing provider used to require organizations to choose from frameworks written in a pre-cloud computing environment. Commonly used risk, control, and information security frameworks include the 27000 family of standards published by the International Organization for Standardization/International Electrotechnical Committee (ISO/IEC); COBIT, a framework for the governance and management of enterprise IT by Information Systems Audit and Control Association (ISACA); the SP800 series of standards by the U.S. National Institute of Standards and Technology (NIST), and a few others.

The International Organization for Standardization/International Electrotechnical Committee (ISO/IEC) 27000 family of standards

The ISO family of standards includes some of the world’s best-known information security reference frameworks. British Standard 7799 Part 1 first became internationalized as “The Code of Practice for Information Security Management” in 2000 and was referred to as ISO/IEC 17799. In 2007, this designation was changed to ISO 27002. The current version, ISO 27002:2005, is generally accepted today as the guide for implementation of information security management frameworks.

ISO/IEC 27001 came from British Standard 7799 Part 2, and defines how to implement, monitor, maintain, and continually improve an information security management system (ISMS). It uses the ISO/IEC standard Plan-Do-Check-Act framework.

Organizations can be certified against the ISO/IEC 27001 standard, as Microsoft has done with Windows Azure (core services) and several other Microsoft online services (identified later in this section), which has led to ISO/IEC 27001 adoption by organizations looking to validate their information security efforts with customers, regulators, or other external stakeholders.

Today, the 27000 standards family has grown to include the following standards:

  • ISO/IEC 27000:2009, Information security management systems — Overview and vocabulary
  • ISO/IEC 27001:2005, Information security management systems — Requirements
  • ISO/IEC 27002:2005, Code of practice for information security management
  • ISO/IEC 27003, Information security management system implementation guidance
  • ISO/IEC 27004, Information security management — Measurement
  • ISO/IEC 27005:2008, Information security risk management
  • ISO/IEC 27006:2007, Requirements for bodies providing audit and certification
  • ISO/IEC 27007:2011, Guidelines for information security management systems auditing
  • ISO/IEC 27031:2011, Guidelines for information and communications technology readiness for business continuity

The ISO/IEC 27000 family of standards, and in particular ISO/IEC 27002, constitutes

the generally accepted standards for today’s information security management.


Windows Azure, Microsoft Dynamics CRM, Office 365, and the underlying Global Foundation Services (GFS) infrastructure layer employ security frameworks based on the ISO/IEC 27001:2005 standard.
Windows Azure core services (Cloud Services, Storage, and Networking), Microsoft Dynamics CRM, and Office 365 are ISO 27001-certified. In addition, the physical GFS infrastructure on which all of Windows Azure runs (except CDN) and on which both Office 365 and Microsoft Dynamics CRM run, is ISO 27001-certified.

The Microsoft security framework, based on ISO/IEC 27001, enables customers to evaluate how Microsoft meets or exceeds the security standards and implementation guidelines. In addition, Windows Azure and the GFS infrastructure undergo annual Statement on Auditing Standards No. 70 (SAS 70 Type II or its successor, SSAE16 and additionally ISAE 3402) audits.

There is no ISO/IEC 27002 certification process. However, the standard provides a suggested set of suitable controls for an Information Security Management System, which is documented in ISO/IEC 27001 Annex A.


The Information Security Policy, which applies to Microsoft cloud offerings, also aligns with ISO/IEC 27002 and is augmented with requirements specific to Microsoft cloud offerings.

Links to the public copies of the Windows Azure, Microsoft Dynamics CRM, Office 365, Global Foundation Services, and FOPE ISO certifications are available in the “Additional reading” section later in this paper.



Join us again next week for Part VI of The Microsoft approach to cloud transparency.




Leave a Reply

Your email address will not be published. Required fields are marked *