In December, we hit an important milestone for Visual Studio Online. We received ISO 27001 certification and added the European Model Clauses to our service terms.
We take protection of customer data very seriously and work hard to ensure your data is safe and that we comply with expected policies in all the regions in which we operate. These two milestones are important steps on a journey of increasing our guarantees and documenting our adherence to our policies.
Here’s a nice image of our certification document (blushing with pride :))…
You can find the documentation on our inclusion of European Model Clauses in the “Additional European Terms” section of our Microsoft Online Service Terms.
This is the culmination of months’ worth of work for our team to clearly define and document a wide range of processes for building and operating Visual Studio Online that enable us to ensure we are protecting customer data every step of the way.
I’m very happy to have accomplished this and am looking forward to continuing down the certification road.
A Word about Certification
I don’t know about you, but I never imagined myself becoming overly involved in process certifications. There is a dizzying number of them: ISO, SOC, HIPAA, FISMA, FedRAMP, and on and on. They often involve long, inscrutable documents and mysterious audit/certification processes.
Over the past year I’ve learned more than I ever intended to know about them. Some of the certifications are broad, some are for vertical industries, but you can kind of blur your eyes and see a progression through them. ISO 27001 is often the one to start with. It’s broad, and the things you need to do for it help build towards additional certifications.
The way you should think about ISO 27001 certification is that it provides an independent attestation that you have a documented set of practices and procedures (an information security management system) covering a wide range of customer data protection areas (you can see more about the specifics in the Wikipedia article I referenced at the top). ISO 27001 does not take a strong position on what those practices should be – rather, it ensures that you have developed practices, assessed them against your risks and your business/customer requirements, and cover the expected control areas. The certification audit is also largely a point-in-time check: it verifies that the policies exist, that they cover the necessary areas and that your team knows and applies them (for instance, the auditors interviewed people on my team to ensure they were aware of the practices), rather than that you have followed them consistently over a long period.
ISO 27001 isn’t the end of our journey – it’s the beginning. It demonstrates that we are thinking hard about customer data protection and investing in improving. The next step is likely a SOC report. SOC is an auditor’s attestation report rather than a certification, and it “builds on” ISO by having the auditor examine evidence that, over a defined period of time, you are, in fact, following the procedures that have been documented. Further up the compliance “hierarchy”, certifications start to take a stronger point of view on what has to be in the processes (FedRAMP, for example, prescribes a specific set of controls you must implement), and the audits get increasingly involved (and expensive :().
More than you probably ever wanted to know but, hopefully, some useful Cliffs Notes.
Stay tuned for more progress regarding VS Online compliance and certification over the next year.
Brian