Azure Compliance Onboarding
What does it mean to onboard to Azure Compliance?
Onboarding to Azure Compliance will help you meet internal requirements (e.g., GDPR) and get "audit ready" for the five core certifications - ISO 27001, SOC (1, 2, 3 Type II), PCI, HiTRUST and FedRAMP (NOTE: FedRAMP may require additional work). Azure has 90+ certifications and we leverage the core certifications to help you obtain additional ones, including HIPAA, HITRUST, and others that are regional/industry specific. You can read about Azure's certifications on the Microsoft Trust Center.
How do I know if my service needs to onboard and get certified?
If your service meets one or more of the following criteria, your service is required to be in Onboarding scope:
- Your service is in the C+AI org and/or listed on https://azure.microsoft.com/en-us/services/.
- Your service has been assigned a Ring 0, 1, or 2 and it is in Public Preview or Generally Available (we do not certify In Development or Private Preview services and only certify Public Preview services on an exception basis). Get your Ring assigned. Your service must be assigned a Ring as a first step to onboard prior to using the Global Compliance tooling. NOTE: Ring 0 and 1 services are prioritized for compliance onboarding.
- Your service stores or transmits GDPR data. Please work with Azure & Cloud Services Privacy to determine this.
- Your service is a core dependency and/or leveraged by other Azure, O365, Universal Store or CRM services.
- Your service or feature is part of an existing service or offering that is already certified.
Ring | Service Type | Lifecycle | Has Personal Data* | Onboarding Required** | ISO | FedRAMP | SOC | PCI | HiTRUST
0, 1 | Online Service, Platform Service, Infrastructure | Public Preview, GA | N/A | ✅ | ✅ | ✅ | ✅ | ✅ | ✅
2 | Online Service, Platform Service, Infrastructure | Public Preview, GA | N/A | ✅ | ✅ | ✅ | ✅ | ✅ | ✅
0, 1, 2, Limited | Client, Manual Process Service, Library/Shared Code | Public Preview, GA | Yes | ✅ *** | ✘ | ✘ | ✘ | ✘ | ✘
Limited | Online Service, Platform Service, Infrastructure | Public Preview, GA | Yes | ✅ | ✘ | ✘ | ✘ | ✘ | ✘
0, 1, 2, Limited | Online Service, Platform Service, Infrastructure | Private Preview | Yes | ✅ | ✘ | ✘ | ✘ | ✘ | ✘
* Your service has Personal Data if it processes, transmits, and/or collects Personal Data as defined in the Microsoft Enterprise Data Taxonomy.
** Your service is required to onboard to standard Azure processes and tools and be ready for ISO audits. However, your service will not be certified at this time.
*** Your service is required to onboard to the minimum set of standard Azure processes and tools (Privacy Review, SDL, IcM and Service Tree metadata). Your service will not go through any certifications.
NOTE: Compliance certification is NOT a blocker for going Private Preview, Public Preview, or Generally Available. However, once you are assigned a Ring 0 or 1 AND you are in Public Preview or Generally Available, you will be required to obtain the core certifications (ISO, SOC, PCI, FedRAMP, HITRUST).
Why do I need to onboard to Azure common tools/processes?
- Meet 90% of compliance requirements and reduce potential risks and issues through use of standard tools/processes. The Azure Compliance team and auditors are familiar with the standard tools/processes, which provides comfort that most of the compliance requirements are met. If you are using a unique tool/process, there is a potential risk that it might not meet compliance requirements.
- Reduce service teams' time spent with auditors, as you will not need to explain the standard tools and processes. For instance, if you are using AzDeployer for deploying changes, the AzDeployer team will describe the deployment process to auditors on behalf of all in-scope services using AzDeployer. However, if you are using a unique process, you will need to spend additional time with the auditors to explain your deployment process.
- Reduce the number of evidence requests to service teams as Azure Compliance and/or Tool/Process owners can pull the documents themselves. For instance, if you are using the C+AI BCDR process, the Azure Compliance team can pull your BCDR review from BCDR Manager. However, if you are using a unique process, we will send the evidence request directly to your service and you have 48 hours to provide documentation. There are multiple evidence requests as part of an audit and the total number of requests can range from 5-20 per service.
- Reduce the chances of getting sampled during an audit. Audits are sampled-based, and the sampling methodology is different for each audit. However, if you are using a common tool/process, the chances of your service getting sampled are highly reduced. For example, if you are using AzDeployer for deployments and there are 150 services that use AzDeployer, potentially only 10% of those services will be selected to provide evidence. However, if you are using a unique process, the auditors will most likely continue to pick your service for sampling to provide evidence for each audit since they need to ensure your unique process is compliant.
Is your service an Azure Core Service?
If yes, in addition to standard tools & processes, please ensure that your service has also met all the requirements defined by CELA on the "Azure Core Services Requirements" tab.
When do I need to complete the compliance onboarding process?
We recommend you start the compliance onboarding process as early as In Development phase. This will ensure that you are using compliant Azure standard tools and processes (such as AzDeployer for deployments) early on, and do not have to go back and make engineering changes after-the-fact, when you are looking to go GA and obtain certifications. You do not need to complete the entire onboarding process, which is to onboard to all Azure standard tools and processes, until you go GA or Public Preview (if you intend to obtain certifications at this stage). Please refer to the compliance calendar for the audit timelines and by when your service needs to be fully onboarded to be included in the audits.
Note: Azure Global does not own all of the Azure standard tools and processes so certain requirements from the onboarding process are required before GA. For instance, SDL needs to be started during In Development and completed before Private Preview.
Compliance Onboarding Prioritization:
Priority | Lifecycle | Ring | What needs to be done? | Comments
P0 | Generally Available | 0-1 | Complete entire compliance onboarding process by onboarding to all Azure standard tools and processes via Global Compliance tooling. | Generally Available services are the highest priority for completing Azure compliance onboarding and audits. NOTE: Per customer demand or leadership direction, we may prioritize onboarding services that are either not Ring 0-1 or are not GA or Public Preview yet.
P1 | Generally Available | 2 | Complete entire compliance onboarding process by onboarding to all Azure standard tools and processes via Global Compliance tooling. | N/A
P2 | Public Preview | 0-2 | Ring 0-2 Public Preview services going to GA within the next quarter. |
P3 | Public Preview | 0-2 | | Ring 0-2 Public Preview services with no committed GA plan or are not GA'ing within the next quarter.
P4 | Private Preview | 0-2 | | Ring 0-2 Private Preview services with no committed GA plan.
Requirements for HIPAA BAA: HIPAA is the health care law which relies heavily on ISO 27001 and ISO 27018, and coverage can be obtained for services which are already in the GA state. If the service needs to be covered under HIPAA BAA, the requirements are as follows:
- ISO 27001/ISO 27018 certification: ISO certification is a prerequisite to be able to meet with the HIPAA BAA requirements.
- Logging and Monitoring: Are you plugged into MSRC? MSRC has a process for handling the 72-hour breach notification requirement, as they are able to scale up to deliver notifications to the potentially large number of impacted customers. Please see the requirements for MSRC onboarding and initiate the process - onboarding to SOC as a service.
- Incident Management Training: Complete STRIKE Training module for the Security Incident Response Process - link to training
Once teams have met these requirements, please reach out to AzureHIPAA (azurehipaa@microsoft.com) to kick off the HIPAA review process. It takes about 3 weeks to complete the review.
Ready to Onboard?
- Prerequisite: We only certify services that are Generally Available. We can certify Public Preview services on a case-by-case basis, and do not certify services that are still In Development. We recommend you start the compliance onboarding process as early as In Development so that once you deploy your service, you will be ready for compliance and do not need to make any engineering changes.
- Onboard to the Azure standard tools and processes described below. We are unable to accept/onboard services that are NOT leveraging the Azure standard tools and processes.
- Ensure your service has a Ring assigned prior to moving to the next step. How does my service get a Ring assignment?
- Go to http://aka.ms/getonboard. Search for your service by name or ST ID, and click on the service name. On the "Getting Started" tab, click the "Start Review" button. Note: Only Service Admins, PMs and Dev Owners, Compliance POC, Risk Champ, and Privacy Champs listed in Service Tree can start onboarding for their own services.
- Once all required tasks are completed, submitted, and approved in the Global Compliance tool, we will work with the audit leads to include you in the next available audit cycle. Please refer to the compliance calendar for the audit timelines and by when your service needs to be fully onboarded to be included in the audits.
- Note: once your service is in an audit, your service is required to participate in the audit every year through the lifetime of the service. This means that you will need to ensure your service is compliant at all times as audits are continuously recurring.
Questions?
Have questions not covered on this page or tool? Search internal Stack Overflow. If not addressed previously, post your question to the internal Stack Overflow with the [azurecomplianceonboarding] tag. Include additional relevant tags to help get your question routed and answered quickly.
- Attend Compliance Onboarding office hours: Wednesdays 2:00-2:30pm
- Support Alias - Email questions/issues to azgetcom@microsoft.com and azcertonboarding@microsoft.com
Last Updated: 1/4/2024