Security, Compliance, and Identity Blog

ISO 22301 highlights Office 365’s unmatched business continuity & disaster recovery preparedness

Ryan Symes
Microsoft
May 02, 2019

As part of our commitment to providing our customers with the peace of mind that your applications and data are safe and available in Office 365, we are pleased to announce that Microsoft Office 365 has achieved ISO 22301 certification. ISO 22301 is the premium standard for business continuity, and certification demonstrates conformance to rigorous practices to prevent, mitigate, respond to, and recover from disruptive incidents.

For years, we’ve heard from organizations about the importance of disaster preparedness and continuous improvement in their operations to ensure their IT systems can survive, and be restored, in the aftermath of major incidents (such as natural disasters, power outages, or cyber-attacks). We were the first major cloud provider to prove our commitment to being fully prepared for all eventualities through this internationally recognized standard for business continuity.

What does this mean for our customers? It gives you the assurance that you can trust Microsoft Office 365 with your mission-critical content by providing an extensive independent third-party audit of all aspects of Office 365’s business continuity. This includes the following:

  • how backups are validated
  • how recovery is tested
  • documented training for critical staff
  • the level of resources available
  • buy-in by senior management
  • how risks are assessed/mitigated
  • adherence to legal/regulatory requirements
  • the process for response to incidents
  • the process for learning from incidents


Achieving the ISO 22301 certification demonstrates the seriousness of our commitment to providing you the highest quality of service, and we’ll continue to prioritize our customer data’s continuity and ensure we are handling it responsibly.


To learn more about Microsoft Office 365’s ISO 22301 certification and download a copy of the certification, please see the resources below:

Updated May 11, 2021
Version 6.0
  • Hi Wolf,

    Thanks for reaching out! I will look into this and get back to you as soon as possible. It may not be until next week.

    Thanks,

    Ryan Symes

  • WolfKuerschner

    Hi Zena,


    Thank you for your follow up!


    I know the SDL and the compliance documents regarding cloud security. But these do only cover parts of our requirements. For example, we have to classify our suppliers according to risk into different categories. This means, that we have to check if our suppliers fulfill certain requirements. For example, do they hold a certification according to ISO 9001 or ISO 13485? If they have a Quality Management System which is not certified, and they provide us with products or services critical for safety of patients, we have to audit them to evaluate if the QMS is capable to control supply of secure products or services.

    Currently we are implementing NAV 2017, cloud-based in a private Azure cloud. (Don't ask me why version 2017 and not 2018 or 365...) Regarding the Azure cloud I have all the documents I need. But as NAV 2017 is handling all our distribution data (that is, what product is delivered to which hospital), we have to validate the system (at least the cGMP relevant parts). And we have to audit the supplier (that is, the supplier of NAV 2017), if the supplier does not hold a valid QMS certificate. That is the reason why I asked for more information about the certification status. There are ISO 9001 certificates available for some Microsoft product lines, but none for Microsoft as whole corporation?

    Truly yours,

    Wolf

  • WolfKuerschner

    Dear Ryan,

    As I can read in your profile, you are "Product marketing manager within the Microsoft 365 Compliance team responsible for the Microsoft Trust Center and Service Trust Portal." Maybe you can help me and give me some directions where I can find information I am looking for. I am quality manager in the medical device industry, and my company is using Microsoft Dynamics NAV 2017.

    On the Trust Center page, I can find several certificates, like for compliance with ISO 9001:2015, ISO 20000, ISO 22301, ISO 27001, ISO 27018. But these seem to be more "product specific", like for "Azure" or "Dynamics 365 (formerly Dynamics CRM)". I would like to know if Microsoft is having a quality management system (certified or not) for the company, or are just the different sections/departments certified?


    You know, as a medical device manufacturer we are required by law, that we audit our critical suppliers, if they do not have required certifications.


    Maybe you can give me some information, how quality management procedures/requirements are handled at Microsoft? Do you have some kind of internal quality management system? Or are you using international standards like ISO 12207 or ISO 15289?


    Truly yours,

    Wolf

  • Hi Wolf. I wanted to follow up with an answer to your question.


    Microsoft uses the Security Development Lifecycle to govern our development of both on premises and cloud products.


    Since you are in the health industry, I suggest you review these two resources on the Microsoft Trust Center:

    I hope this helps.

  • Hello Wolf.

    Microsoft offers many Online Services and develops new ones frequently. While some independent third party certifications are done universally for Microsoft, most are conducted separately for each service. What certifications each service offers is a function of market demand and how long the service has been available. Search the Microsoft Trust Center under “Compliance Offerings” to view all the certifications Microsoft holds and which service has which certification.


    If Microsoft does not hold a particular certification you are looking for then our suggestion is to review other certifications to determine if they provide appropriate coverage for the controls you are interested in. In particular the Compliance Manager (https://aka.ms/ComplianceManager) allows you to browse our control set at great detail, seeing implementation details and third party auditor’s working notes. You can use this tool to conduct your own custom assessment and achieve your goals.


    Thanks