In my view, one of the most useful parts of planning an Office365 implementation is understanding how data is encrypted and backed up and which standards apply. Microsoft have provided audit reports covering their cloud stack (Dynamics CRM, Office365, Yammer and Azure). These SOC and ISO reports include testing and trust principles in these areas:

  • Data Transmission and Encryption
  • Security Development Lifecycle
  • Data Replication and Data Backup

To access these reports, you will need to access the Security and Compliance area in your Office365 tenant.

As noted, these reports cover the whole Microsoft cloud stack; the two key documents for Office365, however, are:

Office 365 ISO 27001-ISO 27018-ISO 27017 – this is an audit document confirming whether Office365 fulfils the standards and criteria of ISO 27001, 27018 and 27017.

Key points:

  • PII is included in Office365 because it runs on public cloud for multi-tenant customers.
  • Cloud security is included in Office365 because it is defined as SaaS (Software as a Service).
  • All encryption adheres to TLS requirements and hashing (specific).

Office 365 SOC 2 AT 101 Audit Report 2016 – this is an audit document examining the controls relevant to Security, Availability, Confidentiality and Processing Integrity.

Key points:

  • Details of the services concerning planning, performance, SLAs and the hiring process (including background checks of staff) are provided.
  • Control Monitoring, Access and Identity Management, and Data Transmission (encryption between Microsoft, the client and the data centres) are described.
  • Project requirements through to Final Approval within the SDLC process are described.
  • Availability, Data Replication and Backup are covered.

Summary

The SOC and ISO reports above are extremely useful in aiding any risk assessment you should undertake to confirm the service assurance of Office365 going forward. Risk assessments are not a ‘one shot’ task; they should be carried out on an annual basis. The Office365 service is a rich offering of Infrastructure, Software, People, Procedures and Data. Each requires security controls and confirmation that they meet standards which can be dovetailed into your organisation. The audits go into great detail concerning the controls (especially areas such as Data in Transit / at Rest – SSL / TLS). A lot of questions are asked by customers concerning security controls – the video below is a good way to help you (and your clients) understand how Microsoft ensures proactive protection, and you should definitely check out the Microsoft Trust Centre for great information concerning encryption.

https://www.youtube.com/watch?v=apRJhCjgtGA