
ISO/IEC 27018 Code of Practice for Protecting Personal Data in the Cloud

Applies to: Azure, Dynamics CRM Online, Intune, Office 365, Dynamics CRM Online Government, Office 365 U.S. Government

The International Organization for Standardization (ISO) is an independent
nongovernmental organization and the world's largest developer of
voluntary international standards. The ISO/IEC 27000 family of standards
helps organizations of any type and size keep information assets secure.

In 2014, the ISO adopted ISO/IEC 27018:2014, an addendum to ISO/IEC 27001,
the first international code of practice for cloud privacy. Based on EU data-
protection laws, it gives specific guidance to cloud service providers (CSPs)
acting as processors of personally identifiable information (PII) on assessing
risks and implementing state-of-the-art controls for protecting PII.

Microsoft enterprise cloud services have been successfully audited against
ISO/IEC 27001 by accredited independent certification bodies. As part of the
certification process, the auditors validated in their statement of applicability
that Microsoft in-scope enterprise cloud services have incorporated ISO/IEC
27018 controls for the protection of PII in the public cloud. (The company
was the first major cloud provider to incorporate the ISO/IEC 27018 code of
practice.) To remain compliant, Microsoft cloud services must be subject to
annual third-party reviews.

By following the standards of ISO/IEC 27001 and the code of practice
embodied in 27018, Microsoft demonstrates that its privacy policies and
procedures are robust and in line with its high standards.

Customers of Microsoft cloud services know where their data
is stored. Because ISO/IEC 27018 requires certified CSPs to inform
customers of the countries in which their data may be stored, Microsoft
cloud service customers will have the visibility they need to comply with
any applicable information security rules.

Customer data won't be used for marketing or advertising
without explicit consent. Some CSPs use customer data for their
own commercial purposes, including for targeted advertising. Because
Microsoft has adopted ISO/IEC 27018 for its in-scope enterprise cloud
services, customers can rest assured that their data will never be used for
such purposes without explicit consent, and that consent cannot be a
condition for use of the cloud service.

Microsoft customers know what's happening with PII. ISO/IEC 27018
requires a policy that allows for the return, transfer, and secure disposal
of personal information within a reasonable period of time. If Microsoft
works with other companies that need access to your customer data,
Microsoft proactively discloses the identities of those sub-processors.
Microsoft will comply only with legally binding requests for disclosure of customer
data. If Microsoft must comply with such a request, as in the case of a criminal
investigation, it will always notify the customer unless it is prohibited by law from doing so.

Helpful information

Audit cycle
Microsoft cloud services are audited once a year for the ISO/IEC 27018
code of practice as part of the certification process for ISO/IEC 27001.

ISO/IEC 27018:2014 code of practice
aka.ms/ISO.IEC_27018.2014

White paper: Compliance Framework for Online Services
aka.ms/compliance-framework

Microsoft Online Services Terms
aka.ms/Online-Services-Terms

Microsoft Cloud for Government
aka.ms/govt-cloud

Microsoft Cloud Trust Center
www.microsoft.com/trustcenter

For more information
Customers: Contact your Microsoft account representative.
Potential customers: Go to support.microsoft.com/contactus.

Frequently asked questions

Q. To whom does ISO/IEC 27018 apply?
This code of practice applies to CSPs that process PII under contract for other organizations.

Q. What is the difference between personal information controllers and personal
information processors?
In the context of ISO/IEC 27018:
Controllers control the collection, holding, processing, or use of personal information;
they include those who control it on another company's behalf.
Processors process information on behalf of controllers; they do not make decisions as to
how to use the information or the purposes of the processing. Microsoft, as a vendor to
you, is an information processor in providing its enterprise cloud services.

Q. Which services are in scope for ISO/IEC 27018?
Covered services include:
Microsoft Azure: Virtual Machines, Cloud Services, Batch, Web Apps, Mobile Services,
Notification Hub, Storage (Blobs, Tables, Queues), SQL Database, Virtual Network,
Traffic Manager, Workflow Manager, ExpressRoute, Service Bus, BizTalk Services, Active
Directory, Multi-Factor Authentication, Rights Management Service, Media Services, and
Scheduler.

Microsoft Dynamics CRM Online and Microsoft Dynamics CRM Online Government.
Microsoft Intune.
Microsoft Office 365 and Microsoft Office 365 U.S. Government: Exchange Online,
SharePoint Online, and Skype for Business Online.

Q. Where can I view Microsoft's compliance information for ISO/IEC 27018?
To review the report of the independent auditor that validated Microsoft's compliance
with ISO/IEC 27018, customers can contact their Microsoft account representative;
potential customers can ask through Customer Support. You can also review these ISO/
IEC 27001 certificates:
Azure: aka.ms/Azure-BSI-Cert
Dynamics CRM Online: aka.ms/Dynamics-CRM-Online-Cert
Office 365: aka.ms/Office365-Cert

Q. Can I leverage Microsoft's compliance in my organization's certification process?
Yes. If your business is seeking an ISO/IEC 27018 certification for implementations deployed
on any of Microsoft enterprise cloud services, you can use Microsoft's 27001 certification
in your compliance assessment. However, you are responsible for engaging an assessor to
evaluate your implementation for compliance, and for the controls and processes within your
own organization.
