February 9, 2017

In my view, one of the most useful things when planning an Office365 implementation is understanding how data is encrypted and backed up, and which standards apply. Microsoft has provided audit reports covering its cloud stack (Dynamics CRM, Office365, Yammer and Azure). These SOC and ISO reports include testing and trust principles in these areas:

  • Data Transmission and Encryption
  • Security Development Lifecycle
  • Data Replication and Data Backup

To access these reports, you will need to access the Security and Compliance area in your Office365 tenant.

As said, these cover the Microsoft Cloud Stack; however, the two key documents for Office365 are:

Office 365 ISO 27001-ISO 27018-ISO 27017 – this is an audit document confirming whether Office365 fulfils the standards and criteria of ISO 27001, 27018 and 27017.

Key points:

  • PII is in scope for Office365 because it runs on a public cloud serving multi-tenant customers.
  • Cloud Security is in scope for Office365 because it is defined as a SaaS (Software as a Service) offering.
  • All encryption adheres to the TLS requirements and the specific hashing requirements set out in the standards.

Office 365 SOC 2 AT 101 Audit Report 2016 – this is an audit document looking at the controls relevant to Security, Availability, Confidentiality and Processing Integrity.

Key points:

  • Details of the services concerning planning, performance, SLAs and the hiring process (including background checks of staff) are provided.
  • Control Monitoring, Access and Identity Management, and Data Transmission (encryption between Microsoft, the client and the data centres) are described.
  • The SDLC process, from project requirements through to final approval, is described.
  • Availability, Data Replication and Backup are covered.

Summary

The above SOC and ISO reports are extremely useful in aiding any risk assessment you undertake to confirm the service assurance of Office365 going forward. Risk assessments are not a ‘one shot’ task; they should be carried out on an annual basis. The Office365 service is a rich offering of Infrastructure, Software, People, Procedures and Data. Each requires security controls and confirmation that they meet standards which can be dovetailed into your organisation's own. The audits go into great detail concerning the controls (especially things like Data in Transit / Data at Rest – SSL / TLS). Customers ask a lot of questions concerning security controls; the video below is a good way of helping you (and your clients) understand how Microsoft ensures proactive protection, and you should definitely check out the Microsoft Trust Centre for great information concerning encryption.
