Event details
When relying on Microsoft Defender as a SaaS-based security control, what artifacts or assurance mechanisms should customers use to support shared responsibility and third-party reliance in an audit context?
MicrosoftRejina Start here, Service Trust Portal Home Page, and based on what your auditor needs you should be able to pull the correct reports. For instance, SOC 1 Type 2 Reports, SOC 2 Type 2 Reports, ISO certs, etc. The SOC 2 Type 2 explicitly lists several Defender services as in scope, including Microsoft Defender XDR, Microsoft Defender for Endpoint, etc.
Thank you. In addition to SOC 2 reports covering Microsoft-managed controls, what specific customer-side artifacts or reports (e.g., from Defender or Intune) would you recommend to demonstrate implementation and ongoing effectiveness of those controls in an audit?
- EricMoe
Rejina The Defender Security Baselines assessment here Security baselines assessment - Microsoft Defender Vulnerability Management | Microsoft Learn is generally how customers can demonstrate implementation of controls. Pls take a look and hopefully it helps.