Microsoft Office 365 services have been designed from the ground up with security, data protection, reliability and privacy in mind. The security principles of ISO 27001 and ISO 27002 have been adopted in designing the different services of Office 365, and ISO compliance has been built into them.
With this in mind, Microsoft carries out an annual internal audit based on the ISO 27001 standard, and BSI (British Standards Institution) carries out an annual on-site external audit against the ISO 27001 Statement of Applicability. BSI auditors are independent and impartial; following ISO auditing guidelines, they evaluate Office 365 by observing the relevant processes, interviewing the personnel involved and reviewing the documented procedures in line with the Statement of Applicability (SoA).
Customers of Office 365 can review the ISO 27001 standard and the published Microsoft service documentation to determine whether their security requirements are satisfied. However, Microsoft recommends that, before adopting Office 365 and uploading any data to the cloud servers, companies and organisations review the security requirements of their own data. There may be cases in which the security offered by Microsoft is not sufficient for the needs of the organisation.
With regard to compliance, Microsoft has been certified against Safe Harbor since 2001, and annual compliance verification is carried out by the LCA Regulatory Affairs Team. Safe Harbor is considered adequate for providing the necessary privacy protection; along with the EU member states, the members of the European Economic Area (Iceland, Norway and Liechtenstein) also recognise Safe Harbor membership as adequate for privacy protection.
Microsoft has also been certified against the Swiss Safe Harbor (Swiss-U.S. Safe Harbor), which is broadly similar to the Safe Harbor framework. The Swiss-U.S. Safe Harbor is an agreement between the U.S. Department of Commerce and Switzerland to legitimise data transfers from Switzerland to the U.S. Canada and Argentina, along with many other countries, have passed comprehensive privacy laws, and the EU has cleared them for data transfers from the EU to those countries.
With respect to the Gramm-Leach-Bliley Act (GLBA), two principal regulations affect the Microsoft Office 365 cloud services: the Financial Privacy Rule and the Safeguards Rule.
Office 365's ordering, billing and payment systems have been certified against PCI DSS v1.2 and are Level One Payment Card Industry (PCI) compliant. Customers can therefore be confident in the security of their financial transactions with Microsoft and use their payment cards with confidence. Independent third-party audits are carried out to determine whether the Microsoft Online Commerce Platform (OCP), which supports Office 365, has met the required PCI DSS compliance.
Microsoft provides auditing tools for Exchange Online through which administrators can pull reports for non-owner mailbox access, administrator audit logs, litigation hold reports, etc.
PCI DSS is an industry standard designed to protect and maintain sensitive cardholder data during transmission and storage throughout the data life cycle. Note, however, that Office 365 services themselves are not suitable for processing, transmitting or storing PCI-governed data. Companies or organisations that need to support payment card transactions (credit/debit cards) are, as Microsoft recommends, themselves required to achieve the appropriate degree of compliance with the PCI standard.