documentation. To reduce the time and cost burden, sponsors and other regulated entities
should consider periodic, but shared audits conducted by trusted third parties.”
As discussed in Section 2.2, Microsoft 365 regularly undergoes independent audits performed by
qualified third-party accredited assessors against several ISO, SOC, HITRUST, FedRAMP, and other
attestation frameworks. The SOC 2 Type 2 audit report is especially significant as it provides a high degree of
visibility into the assessment and verification criteria used during the evaluation process. Microsoft
provides customers with access to the latest audit reports via the Service Trust Portal, which customers
may review during their vendor assessment process.
Auditors should familiarize themselves with the principles covered within the ISO and SOC audit reports
so that they can use the information contained within these reports during the assessment process.
Although the SOC 2 attestation does not focus on GxP regulations, many of the control objectives are
very similar to those required by 21 CFR Part 11 and Annex 11. To assist with this process, we have
included in the appendices of this document a thorough analysis of the regulatory requirements of 21
CFR Part 11 (see Appendix C) and Annex 11 (see Appendix D). This analysis highlights the shared
responsibilities between Microsoft and our customers and identifies the various controls that Microsoft
365 has implemented. The analysis also maps each requirement to a specific control ID as referenced within the latest SOC
2 report for Microsoft 365. Since addressing these regulatory requirements involves shared
responsibilities between Microsoft and our customers (that is, regulated users), we have also included
recommended customer activities corresponding to each regulatory requirement.
3.2.3.1.6 Periodic review
Procedures should be in place to define the process for performing a documented assessment of the
documentation, procedures, records, and performance of a computer system to determine whether it is
still in a validated state and what actions, if any, are necessary to restore its validated state. The
frequency of review is dependent upon a system’s complexity, criticality, and rate of change.
3.2.3.2 Operational and IT governance processes
3.2.3.2.1 Logical security
Procedures should be in place to describe the security measures for cloud application systems that
protect against unauthorized access to the cloud platform administrative console and to regulated application
components. The procedures should ensure that workstations used to access the Microsoft 365 admin
console are appropriately hardened and that time-out mechanisms are employed for inactive sessions.
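The following PowerShell fragment is an added example, not part of this document or of Microsoft's own guidance, showing how the inactive-session time-out requirement can be applied and verified for Exchange Online through the ExchangeOnlineManagement module. The 30-minute interval and the assumption that the reviewing account already holds the Exchange Administrator role are illustrative choices; the idle-session time-out for the other Microsoft 365 web apps is configured separately in the Microsoft 365 admin center (Org settings > Security & privacy) and is not covered by this script.

```powershell
# Added example (not Microsoft documentation): enforce and verify an activity-based
# session time-out for Exchange Online as part of a logical-security procedure.
# Assumes the ExchangeOnlineManagement module is installed and the signed-in
# account holds a role permitted to run Set-OrganizationConfig.

Import-Module ExchangeOnlineManagement
Connect-ExchangeOnline -ShowBanner:$false

# Assumed policy value: sessions idle for 30 minutes must be re-authenticated.
$requiredTimeout = [TimeSpan]::FromMinutes(30)

# Read the current tenant-level setting before changing anything (for the audit record).
$before = Get-OrganizationConfig |
    Select-Object ActivityBasedAuthenticationTimeoutEnabled,
                  ActivityBasedAuthenticationTimeoutInterval,
                  ActivityBasedAuthenticationTimeoutWithSingleSignOnEnabled
Write-Host "Current setting:" ($before | Format-List | Out-String)

# Apply the time-out. The WithSingleSignOn switch makes the time-out apply even when
# the user signed in through single sign-on rather than with an explicit password prompt.
Set-OrganizationConfig `
    -ActivityBasedAuthenticationTimeoutEnabled $true `
    -ActivityBasedAuthenticationTimeoutInterval $requiredTimeout `
    -ActivityBasedAuthenticationTimeoutWithSingleSignOnEnabled $true

# Re-read and check, so the procedure produces evidence rather than just a change.
$after = Get-OrganizationConfig
$compliant = $after.ActivityBasedAuthenticationTimeoutEnabled -and
             $after.ActivityBasedAuthenticationTimeoutWithSingleSignOnEnabled -and
             ([TimeSpan]$after.ActivityBasedAuthenticationTimeoutInterval -le $requiredTimeout)

if ($compliant) {
    Write-Host "Idle session time-out verified at $($after.ActivityBasedAuthenticationTimeoutInterval)."
} else {
    Write-Warning "Idle session time-out does not meet the documented requirement; record a deviation."
}

Disconnect-ExchangeOnline -Confirm:$false
```

Capturing the before and after values in the same run gives the periodic-review procedure the documented evidence it needs; a Conditional Access sign-in-frequency policy is the usual complement for enforcing re-authentication on the admin console itself.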
3.2.3.2.2 System administration and access management
Procedures should be in place to provide instruction for the technical management and engineering
practices used in the operation and maintenance of cloud applications. This includes procedures for user
access management, which establish clear standards for issuing accounts, creating passwords, and
managing accounts. The procedures should also describe how administrative accounts are managed,
including segregation of duties.
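To make the least-privilege and segregation-of-duties requirements checkable rather than only documented, the following PowerShell script is an added example (not part of this document or of Microsoft's own tooling) that inventories the members of every activated Microsoft Entra directory role through the Microsoft Graph PowerShell SDK and flags accounts that hold more than one role. The list of roles treated as "privileged" and the threshold of one privileged role per person are assumptions chosen for the illustration and should be replaced by the customer's own documented standard.

```powershell
# Added example (not Microsoft code): periodic administrative-access review.
# Assumes the Microsoft.Graph PowerShell SDK is installed and the signed-in account
# can read directory roles (RoleManagement.Read.Directory, Directory.Read.All).

Import-Module Microsoft.Graph.Identity.DirectoryManagement
Connect-MgGraph -Scopes "RoleManagement.Read.Directory", "Directory.Read.All" -NoWelcome

# Assumed definition of "privileged" for this review; adjust to the documented standard.
$privilegedRoles = @(
    "Global Administrator",
    "Privileged Role Administrator",
    "Exchange Administrator",
    "SharePoint Administrator",
    "Security Administrator",
    "User Administrator"
)

# Build a table: one row per (account, role) assignment across all activated roles.
$assignments = foreach ($role in Get-MgDirectoryRole) {
    foreach ($member in Get-MgDirectoryRoleMember -DirectoryRoleId $role.Id) {
        # Members are generic directory objects; the UPN lives in AdditionalProperties.
        $upn = $member.AdditionalProperties['userPrincipalName']
        if (-not $upn) { $upn = "(non-user object $($member.Id))" }
        [pscustomobject]@{
            Account    = $upn
            Role       = $role.DisplayName
            Privileged = $privilegedRoles -contains $role.DisplayName
        }
    }
}

# Finding 1: accounts holding more than one privileged role (segregation-of-duties concern).
$multiRole = $assignments |
    Where-Object Privileged |
    Group-Object Account |
    Where-Object Count -gt 1

# Finding 2: size of the Global Administrator group, the most sensitive role.
$globalAdmins = $assignments | Where-Object Role -eq "Global Administrator"

Write-Host "Total role assignments reviewed: $($assignments.Count)"
Write-Host "Global Administrator accounts:    $($globalAdmins.Count)"

if ($multiRole) {
    Write-Warning "Accounts holding more than one privileged role:"
    foreach ($g in $multiRole) {
        $roles = ($g.Group.Role | Sort-Object -Unique) -join ", "
        Write-Warning "  $($g.Name): $roles"
    }
} else {
    Write-Host "No account holds more than one privileged role."
}

# Persist the full inventory as the review record (path is an illustrative assumption).
$assignments | Sort-Object Account, Role |
    Export-Csv -Path ".\admin-role-review-$(Get-Date -Format yyyyMMdd).csv" -NoTypeInformation

Disconnect-MgGraph | Out-Null
```

Run at the frequency the periodic-review procedure defines, the exported CSV becomes the evidence that administrative accounts were reviewed, and the warnings give the reviewer a concrete list of assignments to justify or remove.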
Customer personnel who are responsible for operations and maintenance activities, such as system
administrators and support personnel, should be given the appropriate level of access to the resources
they need to perform their job function, while adhering to the principle of least privilege. Depending on