Microsoft Global Foundation Services earns ISO/IEC 27001:2005 certification

Press release - Reston, VA - 4 August 2008

BSI Management Systems America announced today that Microsoft, Global Foundation Services (GFS) has achieved ISO/IEC 27001 certification to the international information security standard, ISO/IEC 27001:2005.

Microsoft takes the protection of their information assets seriously and has chosen to measure their ongoing information security program against the rigorous ISO/IEC 27001:2005 standard requirements to ensure that their information security is properly managed and maintained. The international standard evolved from the British Standard, BS 7799, which was developed by the British Standards Institution (BSI).

ISO/IEC 27001:2005, released in October 2005 as the successor to BS 7799-2, is an internationally recognized standard that identifies, manages and minimizes the range of threats to which information is regularly subjected. Certification to the ISO/IEC 27001:2005 standard reinforces to customers, through an independent third-party, that Microsoft operates an Information Security Management System (ISMS) in accordance with the International Organization for Standardization (ISO).

As a leader and innovator in the certification of management systems, BSI Management Systems helps its clients to comply with best practice and achieve competitive advantage. "Microsoft Global Foundation Services has been able to extend the Microsoft Trustworthy Computing concepts from packaged software to protecting online services at global scale," stated Charlie McNerney, Chief Information Security Officer of Microsoft Global Foundation Services. "This certification provides external validation that our approach to managing security risk in a global organization is comprehensive and effective, which is important for our business and consumer customers."

As part of the ISO/IEC 27001:2005 process, BSI performed on-site assessments, examined GFS’s documented procedures, and audited its overall operations. To determine continued compliance with ISO/IEC 27001:2005, BSI will periodically conduct routine surveillance audits of GFS’s business operations.

"For a company of our size and complexity, auditing our information security program was quite a challenge," stated Mark Plesnicher, a Sr. Security Compliance Manager at Microsoft. “The BSI team worked diligently to plan and execute an assessment process that spanned multiple sites and involved many different teams. We are very proud to have BSI as our independent assessor."

“As the first major online service provider to earn ISO/IEC 27001:2005 certification, Microsoft is further demonstrating a commitment to making its company more secure and securing the information of its customers,” said Todd VanderVen, President of BSI Management Systems. “By formalizing their documentation and processes and using ISO/IEC 27001:2005, Microsoft will be able to improve quality as well as security and continue to raise the bar for the industry, as they have done so well over the years. The GFS team is committed and uses well organized processes – ISO/IEC 27001:2005 certification can only serve to improve an already industry-leading business that is itself considered a “standard” that many strive to achieve.”