MS-900, Chapter 102 of 104, Objective 3.2

Microsoft 365 Compliance Certifications (ISO, SOC)

This chapter covers Microsoft 365's compliance certifications, specifically ISO and SOC standards, which are critical for demonstrating that Microsoft's cloud services meet rigorous international security and privacy requirements. On the MS-900 exam, you can expect about 5-7% of questions to touch on compliance certifications, typically asking which certification covers what scope or how they benefit customers. Understanding these certifications helps you answer questions about regulatory compliance, data protection, and third-party audit evidence. We will dive into what ISO 27001 and SOC 2 Type II are, how they are obtained, what they certify, and how they reduce customer audit burden.

25 min read
Intermediate
Updated May 31, 2026

The Compliance Audit as a Building Inspection

Imagine a large office building that wants to claim it is safe and well-constructed. To prove this, the building owner hires an independent inspection firm (like ISO or SOC auditors) to examine every floor, every electrical panel, every fire exit, and every structural beam. The inspectors do not just look at blueprints; they actually walk through, test alarms, verify that fire doors close properly, and check that emergency lighting works. They also review maintenance logs to ensure that inspections have been happening regularly. After the inspection, the firm issues a detailed report with a seal of approval, but the seal is only valid for a limited time—typically one year. If the building wants to keep its certification, it must undergo the same rigorous inspection annually. During the year, the building's management must continue all the same practices (e.g., monthly fire drills, quarterly electrical checks) to maintain compliance. If a tenant asks, 'Is this building safe?' the owner can show the latest inspection report. Importantly, the inspection does not guarantee that nothing will ever go wrong—it only proves that at the time of inspection, the building met a specific set of standards. Similarly, Microsoft's ISO and SOC certifications attest that their controls were in place and operating effectively at the time of the audit, not that they are perfect every second. The scope of the audit matters: the inspectors might only check certain floors (e.g., Azure datacenters) and not the parking lot (e.g., non-Microsoft apps). This is exactly how Microsoft's compliance certifications work—they are third-party attestations of control effectiveness, scoped to specific services, valid for a period, and requiring continuous maintenance.

How It Actually Works

What Are Compliance Certifications and Why Do They Exist?

Compliance certifications are formal attestations from independent third-party auditors that an organization (like Microsoft) has implemented and maintains controls that meet specific standards. For cloud services, these certifications provide evidence that the provider's security, availability, processing integrity, confidentiality, and privacy controls are designed and operating effectively. Customers—especially in regulated industries like finance, healthcare, and government—often require their cloud providers to hold such certifications to satisfy their own regulatory obligations (e.g., GDPR, HIPAA, PCI DSS). Without these certifications, each customer would need to perform their own detailed audit of Microsoft's operations, which is impractical at scale. By obtaining ISO and SOC certifications, Microsoft allows customers to 'inherit' compliance: they can rely on Microsoft's audit reports as part of their own compliance evidence.

ISO 27001: The Information Security Management Standard

ISO 27001 is an international standard published by the International Organization for Standardization (ISO) that specifies requirements for an Information Security Management System (ISMS). An ISMS is a systematic approach to managing sensitive company information, encompassing people, processes, and IT systems. The standard is based on a risk assessment process: the organization identifies security risks and then implements controls (from ISO 27002) to mitigate them.

For Microsoft 365, ISO 27001 certification covers the entire Microsoft Cloud—including Azure, Dynamics 365, and Microsoft 365—as a single scope. The certification is issued by an accredited certification body (e.g., BSI, DNV GL) after a formal audit. The audit has two phases:

Stage 1: Review of documentation—ISMS policies, risk assessment methodology, statement of applicability (SoA) listing which controls are implemented.

Stage 2: On-site audit to verify that controls are actually implemented and effective. Auditors interview staff, review logs, observe processes, and test controls.

Once certified, Microsoft must undergo surveillance audits at least annually (often at 6-month intervals) and a full recertification audit every three years. The certificate is valid for three years; the surveillance audits confirm ongoing compliance in between.

Key points for the exam:

ISO 27001 is a management system standard, not a technical control standard. It certifies that Microsoft has a process for managing security, not that every control is perfect.

The scope of Microsoft's ISO 27001 certification includes Azure, Dynamics 365, and Microsoft 365—but not all services within those may be in scope; check the certification letter for exact services.

Microsoft publishes its ISO 27001 certificate and audit report in the Service Trust Portal (STP) for customers to download.

SOC 2: Service Organization Control Reports

SOC (System and Organization Controls) reports are developed by the American Institute of CPAs (AICPA). They are designed for service organizations (like Microsoft) that host customer data. There are three types:

SOC 1: Reports on controls relevant to financial reporting (used by customers' auditors for Sarbanes-Oxley compliance).

SOC 2: Reports on controls relevant to security, availability, processing integrity, confidentiality, and privacy (the 'Trust Service Criteria').

SOC 3: Summary version of SOC 2, intended for public distribution (less detailed).

For MS-900, focus on SOC 2 Type II. A SOC 2 Type II report describes the service organization's system and assesses the effectiveness of controls over a period of time (typically 6-12 months). The auditor tests controls continuously or at multiple points during the period to verify they operated effectively throughout.

Microsoft's SOC 2 Type II report covers the same cloud services as ISO 27001, but the scope may be broken into separate reports for different service lines (e.g., Azure SOC 2, Microsoft 365 SOC 2). The report includes:

A description of the system (services, infrastructure, boundaries).

The auditor's opinion on whether controls were designed and operating effectively.

A description of controls and tests performed.

Key points for the exam:

SOC 2 Type II is about 'operating effectiveness' over time, whereas SOC 2 Type I is about design suitability at a point in time.

The Trust Service Criteria most commonly audited are security (the 'common criteria') and confidentiality; availability, processing integrity, and privacy are included per scope.

Microsoft's SOC reports are available to customers under NDA via the Service Trust Portal.

How Microsoft Obtains and Maintains Certifications

The process is rigorous and continuous:

1. Define scope: Microsoft determines which services and datacenters will be included. For example, the ISO 27001 scope includes all Azure regions and all Microsoft 365 workloads (Exchange Online, SharePoint Online, Teams, etc.).

2. Implement controls: Microsoft implements controls based on ISO 27002 or the Trust Service Criteria. This includes access controls, encryption, incident response, business continuity, etc.

3. Internal audits: Microsoft's internal audit team performs pre-audits to identify gaps.

4. External audit: An accredited auditor (e.g., Ernst & Young for SOC) performs the audit. For SOC 2 Type II, they test controls over the entire audit period.

5. Remediation: If the auditor finds deficiencies (e.g., a control failure), Microsoft must fix them and may need to demonstrate effectiveness before the report is issued.

6. Report issuance: The auditor issues a report with an opinion (unqualified = clean, qualified = some issues, adverse = serious problems). Microsoft's reports are typically unqualified.

7. Surveillance: For ISO, annual surveillance audits. For SOC, a new Type II report is issued annually (covering a new period).

How Customers Use These Certifications

Customers can download Microsoft's certification documents from the Service Trust Portal. They can then provide these to their own auditors as evidence that their data is hosted in a compliant environment. This is called 'audit inheritance' or 'compliance inheritance.' For example, a bank using Microsoft 365 for email can show its regulator the SOC 2 Type II report to demonstrate that Microsoft has appropriate controls for confidentiality and availability, reducing the bank's own audit scope.

Important: The certifications do not cover customer-specific configurations. For example, if a customer misconfigures a SharePoint site to allow public access, that is not covered by Microsoft's certifications. The customer remains responsible for their own use of the service (shared responsibility model).

Exam-Relevant Details and Values

ISO 27001: Standard for ISMS. Microsoft's certification covers Azure, Dynamics 365, and Microsoft 365. Recertification every 3 years; surveillance every 6-12 months.

SOC 2 Type II: Focus on operating effectiveness over time (minimum 6 months). Trust Service Criteria: security, availability, processing integrity, confidentiality, privacy. Microsoft's SOC 2 Type II report is updated annually.

Service Trust Portal (STP): The central repository for all Microsoft compliance reports, certifications, and audit documentation. Access requires a Microsoft account and acceptance of a non-disclosure agreement (NDA) for SOC reports.

Shared responsibility: Certifications apply to Microsoft's controls; customers must still comply with regulations for their own data handling.

Common exam trap: Candidates confuse SOC 2 Type I (design at a point in time) with Type II (operating effectiveness over time). The exam may ask which report proves that controls were effective over a period—answer: SOC 2 Type II.

Interaction with Other Compliance Frameworks

Microsoft's ISO 27001 certification often serves as a foundation for other compliance attestations. For example, Microsoft's FedRAMP (US government) certification builds on ISO 27001 controls. Similarly, the EU Model Clauses and GDPR compliance are supported by the ISO 27001 ISMS. The SOC 2 Type II report is frequently used to satisfy the 'audit' requirements of HIPAA and PCI DSS. Understanding this hierarchy helps answer exam questions about which certification supports which regulation.

Verification and Access

To verify Microsoft's certifications, visit the Service Trust Portal:

Go to https://servicetrust.microsoft.com

Navigate to 'Audit Reports' or 'Compliance Offerings'

Select the certification (e.g., ISO 27001) to download the certificate and audit report.

Note: Some reports (especially SOC) require signing an NDA. The ISO certificate is publicly available without an NDA.

Summary of Certification Lifecycle

ISO 27001: Initial certification -> 3-year cycle with annual surveillance -> recertification.

SOC 2 Type II: Issued annually, covering a 12-month period. Each year, a new report is produced.

Both certifications require continuous improvement and remediation of any findings. Microsoft publishes a 'Compliance Score' in the Microsoft 365 compliance center that helps customers track their own compliance posture, but that is separate from Microsoft's certifications.

Walk-Through

1. Define Scope of Certification

Microsoft first decides which services, datacenters, and geographic regions will be included in the certification. For ISO 27001, the scope typically includes all Azure regions and all Microsoft 365 core services. For SOC 2, there may be separate scopes for Azure, Dynamics 365, and Microsoft 365. The scope is documented in the 'Statement of Applicability' for ISO or the 'System Description' for SOC. This step is critical because any service not in scope is not covered by the certification, and customers must verify that the services they use are included.

2. Implement and Document Controls

Microsoft implements controls required by the standard. For ISO 27001, this includes controls from Annex A (e.g., A.9 Access Control, A.12 Operations Security). For SOC 2, controls are mapped to the Trust Service Criteria (e.g., CC6.1 for logical access). Microsoft documents these controls in policies, procedures, and technical configurations. Evidence of control operation is collected continuously (e.g., logs, access reviews, patch reports). This step involves significant internal effort to ensure controls are both designed and operating effectively.

3. Internal Pre-Audit

Before the external auditor arrives, Microsoft's internal audit team conducts a pre-audit to identify potential gaps. They review documentation, interview staff, and test a sample of controls. Any findings are remediated before the external audit. This step helps ensure a smooth external audit and reduces the risk of major non-conformities. Internal audits are typically scheduled 1-2 months before the external audit.

4. External Auditor On-Site or Remote Audit

The external auditor (e.g., BSI for ISO, Ernst & Young for SOC) conducts the formal audit. For ISO 27001, this involves a stage 1 (documentation review) and stage 2 (on-site verification). For SOC 2 Type II, the auditor tests controls over the audit period (e.g., 12 months) by reviewing evidence, conducting interviews, and observing operations. The auditor may visit datacenters or perform remote testing. They issue a report with their opinion: unqualified (pass), qualified (minor issues), adverse (major issues), or disclaimer (unable to form opinion). Microsoft typically receives unqualified opinions.

5. Issue Certification and Report

Upon successful audit, the certification body issues a certificate (for ISO) or the auditor issues a SOC report. The ISO certificate is valid for three years, with surveillance audits. The SOC 2 Type II report is typically issued annually and covers a specific period (e.g., July 1, 2023 to June 30, 2024). Microsoft publishes these documents in the Service Trust Portal. Customers can download them to satisfy their own audit requirements. The certification is only as good as the last audit; if Microsoft fails a surveillance audit, the certification can be withdrawn.

What This Looks Like on the Job

Scenario 1: A Financial Institution Using Microsoft 365 for Email and Collaboration

A bank with 10,000 employees migrates its on-premises Exchange and SharePoint to Microsoft 365. The bank's compliance officer is responsible for ensuring that the bank meets regulatory requirements from the Federal Financial Institutions Examination Council (FFIEC) and the Gramm-Leach-Bliley Act (GLBA). The bank's external auditor asks for evidence that the cloud provider has appropriate controls over customer data. The compliance officer downloads Microsoft's SOC 2 Type II report from the Service Trust Portal and provides it to the auditor. The auditor reviews the report and finds that Microsoft's controls for encryption, access management, and incident response are effective. As a result, the bank's audit scope is reduced: they do not need to audit Microsoft's datacenters or operations. The bank still must audit its own configurations (e.g., who has admin roles, retention policies). In this scenario, the SOC 2 Type II report saves the bank thousands of hours of audit work. However, the bank must ensure that the services they use (e.g., Exchange Online, Teams) are within the scope of the report—they check the 'Scope and System Description' section to confirm.

Scenario 2: A Healthcare Provider Using Microsoft 365 for HIPAA Compliance

A hospital system uses Microsoft 365 for email and file storage. They have signed a Business Associate Agreement (BAA) with Microsoft, which is required under HIPAA. The hospital's privacy officer wants to ensure that Microsoft's security controls meet HIPAA requirements. They review Microsoft's ISO 27001 certificate, which demonstrates a robust ISMS. However, ISO 27001 alone is not sufficient for HIPAA; the hospital also relies on Microsoft's SOC 2 Type II report that includes the security and confidentiality criteria. The hospital's own HIPAA audit uses these reports as evidence that Microsoft has implemented administrative, physical, and technical safeguards. The hospital still must ensure that its own configurations (e.g., encryption at rest for SharePoint, audit logging) are properly set. The compliance officer notes that Microsoft's certifications are for the cloud service itself, not for the hospital's use of it—a common misconception. The hospital must also conduct its own risk assessment.

Scenario 3: A Multinational Corporation Needing Compliance Across Jurisdictions

A global manufacturing company uses Microsoft 365 in multiple regions (US, EU, Asia). They need to comply with GDPR in Europe, the Personal Information Protection and Electronic Documents Act (PIPEDA) in Canada, and various local laws. The company's legal team uses Microsoft's compliance offerings page on the Service Trust Portal to find certifications that apply to each region. They see that Microsoft's ISO 27001 certification covers all global datacenters, and the SOC 2 Type II report covers the same. For GDPR, they note that Microsoft also has an EU Data Boundary and provides Data Protection Impact Assessments (DPIAs) as part of its compliance. The company's IT team uses the Compliance Manager tool in Microsoft 365 to track their own compliance posture against these certifications. They set up continuous monitoring and generate reports for their board. In this scenario, Microsoft's certifications provide a baseline that the company can build upon, but they still must implement their own controls for data classification, retention, and user consent.

Common Misconfigurations and Pitfalls

Assuming certification covers all services: A customer might assume that because Microsoft 365 is ISO 27001 certified, all features within it are covered. However, some preview features or new services may not yet be in scope. Always verify the latest scope document.

Neglecting to download the latest report: Certifications expire. A customer using a 2-year-old SOC report may not have evidence of current controls. Always use the most recent report (typically within the last 12 months).

Confusing SOC 2 Type I and Type II: Type I is a snapshot; Type II shows effectiveness over time. Auditors require Type II for reliance.

Over-relying on certifications without customer responsibility: Many exam questions test the shared responsibility model: the customer is still responsible for their own data, users, and configurations.

How MS-900 Actually Tests This

Exactly What MS-900 Tests on Compliance Certifications

The MS-900 exam objectives (as of 2024) include objective 3.2: 'Describe the compliance management capabilities in Microsoft 365.' Within this, you need to know:

The purpose of compliance certifications (ISO 27001, SOC 2 Type II).

How certifications reduce customer audit burden.

Where to find certification documents (Service Trust Portal).

The difference between SOC 2 Type I and Type II.

The role of the Shared Responsibility Model in compliance.

Common Wrong Answers and Why Candidates Choose Them

1. 'SOC 2 Type I proves controls are effective over time.' Candidates confuse Type I (point in time) with Type II (period of time). The exam may ask: 'Which report provides assurance that controls operated effectively over the past six months?' The correct answer is SOC 2 Type II. Type I only tests design at a specific date.

2. 'ISO 27001 certifies that all Microsoft services are compliant.' ISO 27001 certifies the ISMS, not every service individually. Some services may be excluded from scope. Candidates often assume blanket coverage.

3. 'Customers do not need any additional compliance measures if they use a certified cloud provider.' This violates the shared responsibility model. The customer is responsible for their own configurations, data handling, and user access. The certification covers Microsoft's controls only.

4. 'SOC 3 reports are more detailed than SOC 2.' SOC 3 is a summary of SOC 2, intended for public distribution, and contains less detail. SOC 2 reports are detailed but require an NDA.

Specific Numbers, Values, and Terms That Appear Verbatim

ISO 27001: Recertification cycle is 3 years; surveillance audits are annual (sometimes every 6 months).

SOC 2 Type II: Audit period is at least 6 months, typically 12 months.

Service Trust Portal: The URL is https://servicetrust.microsoft.com. Access to SOC reports requires signing an NDA.

Trust Service Criteria: Security, Availability, Processing Integrity, Confidentiality, Privacy. The exam may ask which criteria are included in a typical SOC 2 report for Microsoft 365 (usually security and confidentiality).

Edge Cases and Exceptions

Government clouds: Microsoft 365 Government environments (GCC, GCC High, DoD) have separate certifications. The exam may ask whether the standard commercial certifications apply to government clouds; they do not, because government clouds carry their own FedRAMP and DISA SRG certifications.

New services: A service in preview or recently launched may not yet be in scope of the certification. The exam may ask: 'Which of the following is true about a new Microsoft 365 feature? It may not be covered by existing certifications until the next audit cycle.'

Customer audit rights: Even with certifications, customers have the right to audit Microsoft themselves under certain agreements (e.g., if required by regulation). However, most rely on the certifications to avoid the cost.

How to Eliminate Wrong Answers Using the Underlying Mechanism

If an answer says 'proves that controls are effective at a single point in time,' it is describing SOC 2 Type I, not Type II.

If an answer says 'certifies that all Microsoft services are compliant,' look for wording about scope—correct answers will mention that scope is defined and not all services are included.

If an answer says 'customers are fully compliant by using Microsoft 365,' it is wrong because the customer still has responsibilities (shared responsibility model).

If an answer says 'certifications are found in the Microsoft 365 admin center,' it is wrong; they are in the Service Trust Portal.

Key Takeaways

ISO 27001 certifies Microsoft's Information Security Management System (ISMS) and is valid for 3 years with annual surveillance audits.

SOC 2 Type II reports demonstrate that controls operated effectively over a period of at least 6 months (typically 12 months).

SOC 2 Type I is a point-in-time evaluation of control design only.

All certification documents are available on the Service Trust Portal (https://servicetrust.microsoft.com).

Access to SOC 2 reports requires signing a non-disclosure agreement (NDA).

Certifications do not cover customer-specific configurations; customers remain responsible under the shared responsibility model.

The Trust Service Criteria for SOC 2 are Security, Availability, Processing Integrity, Confidentiality, and Privacy.

Microsoft's ISO 27001 scope includes Azure, Dynamics 365, and Microsoft 365 core services—always verify scope for specific services.

Easy to Mix Up

These come up on the exam all the time. Here's how to tell them apart.

ISO 27001

International standard (ISO) for Information Security Management Systems (ISMS).

Certifies the management system for security, not specific controls.

Valid for 3 years with annual surveillance audits.

Publicly available certificate and report (no NDA required).

Covers Azure, Dynamics 365, and Microsoft 365 as a single scope.

SOC 2 Type II

AICPA standard for service organization controls, focusing on Trust Service Criteria.

Evaluates design and operating effectiveness of controls over a period (≥6 months).

Report issued annually, covering a specific audit period (e.g., 12 months).

Detailed report requires NDA; SOC 3 summary is public.

May have separate reports for different service lines (e.g., Azure SOC 2, M365 SOC 2).

Watch Out for These

Mistake: ISO 27001 certification means Microsoft is completely secure and no data breaches can occur.

Correct: ISO 27001 certifies that Microsoft has an Information Security Management System (ISMS) that meets the standard's requirements. It does not guarantee that no security incidents will happen; it ensures that Microsoft has processes to manage risks and respond to incidents. The certification is an attestation of controls, not a guarantee of perfect security.

Mistake: SOC 2 Type I and Type II are interchangeable; both provide the same level of assurance.

Correct: SOC 2 Type I evaluates the design of controls at a specific point in time, while Type II evaluates the operating effectiveness of controls over a period (minimum 6 months). For most audit reliance, Type II is required because it provides evidence that controls actually worked over time. Type I is only a snapshot.

Mistake: All Microsoft 365 services are covered by the same certification scope without exception.

Correct: The scope of certifications is defined in the audit report. Not all services may be included; for example, some preview features or newly acquired services might be excluded. Customers must check the scope document to confirm which services are covered.

Mistake: Once Microsoft obtains a certification, it never expires and does not need renewal.

Correct: ISO 27001 certification is valid for three years, but requires annual surveillance audits. SOC 2 Type II reports are issued annually and cover a specific period. Both require ongoing compliance and re-auditing. If Microsoft fails a surveillance audit, the certification can be withdrawn.

Mistake: Customers can rely solely on Microsoft's certifications to meet all their regulatory compliance requirements.

Correct: Under the shared responsibility model, Microsoft is responsible for the security of the cloud, while customers are responsible for security in the cloud. Certifications cover Microsoft's controls only. Customers must still implement their own controls (e.g., data classification, access policies, retention) to comply with regulations like GDPR or HIPAA.


Frequently Asked Questions

What is the difference between SOC 2 Type I and Type II?

SOC 2 Type I reports on the design of controls at a specific point in time—it tells you whether controls are suitably designed. SOC 2 Type II reports on the operating effectiveness of controls over a period (minimum 6 months)—it tells you whether controls actually worked over time. For audit reliance, Type II is required because it provides evidence of sustained effectiveness. On the exam, if a question asks which report proves controls were effective over the past year, the answer is SOC 2 Type II.

Where can I download Microsoft's ISO 27001 certificate?

You can download Microsoft's ISO 27001 certificate and the associated audit report from the Service Trust Portal (https://servicetrust.microsoft.com). Navigate to 'Audit Reports' or 'Compliance Offerings' and select ISO 27001. The certificate is publicly available without an NDA. For SOC reports, you will need to sign an NDA.

Does Microsoft's ISO 27001 certification cover all Microsoft 365 services?

The certification covers the core Microsoft 365 services (Exchange Online, SharePoint Online, Teams, etc.) that are included in the defined scope. However, some services, especially those in preview or newly acquired, may not be in scope. Always check the latest 'Scope and System Description' document in the Service Trust Portal to confirm which services are covered. The exam may test this nuance.

If I use Microsoft 365, am I automatically compliant with HIPAA?

No. Microsoft's certifications (ISO 27001, SOC 2) provide evidence that Microsoft has security controls, but you are still responsible for your own compliance. For HIPAA, you must sign a Business Associate Agreement (BAA) with Microsoft and configure your tenant appropriately (e.g., enable encryption, audit logging, access controls). The certifications support your compliance but do not make you automatically compliant. This is a common exam trap.

What is the Service Trust Portal?

The Service Trust Portal (STP) is Microsoft's central repository for compliance, security, and audit documentation. It contains ISO certificates, SOC reports, penetration test results, and other compliance resources. Access requires a Microsoft account. SOC reports require an NDA; ISO certificates are public. The STP also includes the Compliance Manager tool. On the exam, remember that STP is the place to find audit reports.

How often is Microsoft's SOC 2 Type II report updated?

Microsoft's SOC 2 Type II report is updated annually, covering a 12-month audit period. For example, the report might cover July 1, 2023 to June 30, 2024. Each year, a new report is issued with a new period. Customers should always download the most recent report to have current evidence.

What are the Trust Service Criteria in SOC 2?

The Trust Service Criteria are five categories: Security, Availability, Processing Integrity, Confidentiality, and Privacy. Not all criteria are included in every SOC 2 engagement. For Microsoft 365, the typical criteria covered are Security (common criteria) and Confidentiality, but Availability and Processing Integrity may also be included depending on the service. The exam may ask which criteria are most commonly audited.
