March 10, 2022

Last Updated on January 14, 2024

As a longtime fan of ISO 27001 and its new privacy extension ISO 27701, I found this recent announcement from Microsoft very interesting—and, frankly, aligned with what I have been telling customers for the last year:

“Microsoft has announced that they will no longer accept SOC 2 reports with security coverage as appropriate documentation beyond December of 2021. Going forward, they will accept ISO 27001 certification in lieu of the security portion of the DPR and ISO/IEC 27701 in lieu of the privacy portion of the DPR. If you attain both ISO 27001 and ISO/IEC 27701 certifications together, you should satisfy Microsoft SSPA requirements.”

The Microsoft Supplier Security and Privacy Assurance (SSPA) is Microsoft’s corporate program to ensure that its suppliers have a sufficiently comprehensive security and privacy program in place to be authorized to process personal data or Microsoft Confidential Data. A new supplier is not authorized until they can demonstrate compliance to Microsoft via ISO 27001 and ISO 27701 certifications, or via an SSPA assessment by one of Microsoft’s “Preferred Assessors.” Microsoft annually validates that its providers are maintaining compliance.

I’ve had the privilege of chatting with a number of our clients over the past few weeks about strategies for moving their information security and privacy programs forward. From my perspective, in the long run, Microsoft’s decision will be good news for most suppliers. Here’s why:

  • Maintaining an ISO 27001 certification is less expensive than maintaining a SOC 2 Type 2 program.
  • Maintaining an ISO 27701 certification is notably less expensive than maintaining a SOC 2 Type 2 with the Privacy Trust Services Criteria.
  • Managing security and privacy under an ISO 27701 Privacy Information Management System (PIMS) as a single logical construct is notably simpler than running separate programs.
  • ISO 27701 was born in 2019 and accordingly is closely aligned with GDPR, APAC, and CCPA. This makes it significantly easier to leverage than the Privacy Trust Service Principle.

On the difference in maintenance costs: because ISO 27001 has an Information Security Management System (ISMS) overlay, its audit costs less than a SOC 2 audit. The ISO 27001 audit centers on the operation of the ISMS and relies on it to inform the proper implementation of the Annex A controls, so it only samples the technical (Annex A) controls. SOC 2 has no ISMS per se, so its audit centers on assessing the Trust Services Criteria (TSC) controls in a more robust fashion.

So where do you go from here if you want to align with Microsoft’s security and privacy criteria for suppliers? That depends on your current status:

Already ISO 27001 Certified?

Align your privacy program with ISO 27701 guidance and integrate it into your ISMS. Work with your registrar to extend your certification scope to include ISO 27701, ideally at your next surveillance or recertification audit. Note that the scope of your ISO 27701 certificate must be equal to or a logical subset of your ISO 27001 scope. If it is broader, you will need to expand your ISO 27001 scope accordingly.

Already SOC 2 Attested?

Transitioning from a SOC 2 attestation to an ISO 27001 certification is a bit involved, but not overly challenging. As both are risk-based, the SOC 2 controls you have in place are likely the same ones you will need to effectively manage risk under ISO 27001. Most of the transition is layering the ISO 27001 ISMS on your existing controls and transitioning some of your documentation to reflect differences in the attestation frameworks. For example, your System Description will evolve into a Scope Statement.

Already SOC 2 Attested (including Privacy)?

This scenario follows the same SOC 2 transition to ISO 27001 above but is somewhat more involved as you need to also transition the Privacy program to ISO 27701.

Not SOC 2 or ISO 27001 Attested?

If Microsoft is the only client requesting attestation (not likely), you can continue to undergo your annual SSPA assessment. Assuming that being provably secure and compliant to other key stakeholders is a requirement, you should likely begin to move towards the ISO 27001 and ISO 27701 target. If you have limited bandwidth and/or limited budget, you may choose to focus on ISO 27001 in year one and then address ISO 27701 and add it during your first surveillance audit in year two.

When Microsoft, an industry leader in security and privacy (yes, given Microsoft’s security standing 15+ years ago, that felt a little funny rolling off the keyboard) formally “endorses” one standard over another in this manner, it is important to take notice, especially if you are a Security Tasseologist (tea leaf reader) like me.

I think it’s fair to say, given Microsoft’s pronouncement, that ISO 27701 is the best way to demonstrate that you have a comprehensive Privacy program that is aligned with key privacy regulations like GDPR, CCPA, and APAC.