author: HULKsmashGithub
ms.topic: reference
ms.service: global-secure-access
ms.date: 03/24/2026
ms.reviewer: abhijeetsinha
#customer intent: As an IT admin, I want to know which certifications Global Secure Access supports so that I can ensure compliance with industry standards.
| Canadian Privacy Laws | Canadian privacy laws aim to protect the privacy of individuals and give them the right to access information gathered about them. These privacy laws include the Privacy Act, Personal Information Protection and Electronic Documents Act (PIPEDA), Alberta Personal Information Protection Act (PIPA), and British Columbia Freedom of Information and Protection of Privacy Act (BC FIPPA). For more information, see [Canada privacy laws](/azure/compliance/offerings/offering-canada-privacy-laws). | ISO 27001:2013 |
| CDSA | The Content Delivery & Security Association (CDSA) Content Protection & Security (CPS) standard provides guidance and requirements for securing media assets within a Content Security Management System (CSMS). The standard includes controls to protect intellectual property and keep media assets secure and confidential throughout the digital media supply chain. For more information, see [CDSA](/azure/compliance/offerings/offering-cdsa). | ISO 27001:2013 |
| CSA STAR | Cloud Security Alliance (CSA) STAR certification is based on achieving ISO 27001 certification and meeting criteria in the Cloud Controls Matrix (CCM). It shows that a cloud service provider meets ISO 27001 requirements, addresses key cloud security issues in the CCM, and is assessed against the STAR Capability Maturity Model for managing activities in CCM control areas. For more information, see [Cloud Security Alliance (CSA) STAR Certification](/azure/compliance/offerings/offering-csa-star-certification). | ISO 27001:2013 |
| DoD DISA SRG Level 2 | The Defense Information Systems Agency (DISA) is an agency of the US Department of Defense (DoD) that is responsible for developing and maintaining the DoD Cloud Computing Security Requirements Guide (SRG). The SRG defines the baseline security requirements used by DoD to assess the security posture of a cloud service provider (CSP), supporting the decision to grant a DoD Provisional Authorization (PA) that allows a CSP to host DoD missions. It incorporates, supersedes, and rescinds the previously published DoD Cloud Security Model (CSM). For more information, see [Department of Defense (DoD) Impact Level 2 (IL2)](/azure/compliance/offerings/offering-dod-il2). | FedRAMP High |
| EAR | The US Department of Commerce is responsible for enforcing the Export Administration Regulations (EAR) through the Bureau of Industry and Security (BIS). According to BIS definitions, Export is the transfer of protected technology or information to a foreign destination or release of protected technology or information to a foreign person in the United States (also known as Deemed Export). For more information, see [Export Administration Regulations (EAR)](/azure/compliance/offerings/offering-ear). | FedRAMP High |
| FedRAMP High | The US Federal Risk and Authorization Management Program (FedRAMP) was established in December 2011 to provide a standardized approach for assessing, monitoring, and authorizing cloud service providers (CSPs). For more information, see [Federal Risk and Authorization Management Program (FedRAMP)](/azure/compliance/offerings/offering-fedramp). | NA |
| GDPR | The General Data Protection Regulation (GDPR) is a European privacy law that became effective in May 2018. It imposes new rules on organizations that offer goods and services to people in the European Union (EU) or that collect and analyze data belonging to EU individuals. The GDPR requires that data controllers, such as organizations using Azure, only use data processors, such as Microsoft, that provide sufficient guarantees to meet key requirements of the GDPR. For more information, see [General Data Protection Regulation summary](/compliance/regulatory/gdpr). | ISO 27001:2013 |
| GxP (FDA 21 CFR Part 11) | Azure can help customers meet their requirements under Good Clinical, Laboratory, and Manufacturing Practices (GxP), as well as regulations enforced by the US Food and Drug Administration (FDA) under 21 CFR Part 11. For more information, see [GxP (FDA 21 CFR Part 11)](/azure/compliance/offerings/offering-gxp). | ISO 27001:2013 |
| HDS (France) | Microsoft Azure has the Health Data Hosting (Hébergeurs de Données de Santé, HDS) certification, which is required for all entities that host personal health data governed by French law. Microsoft is the first major cloud service provider to meet the strict French standards for storing and processing health data. For more information, see [Health Data Hosting (HDS) France](/compliance/regulatory/offering-hds-france). | ISO 27001:2013 |
| HIPAA BAA (US) | The Health Insurance Portability and Accountability Act (HIPAA) is a US law that establishes requirements for the use, disclosure, and safeguarding of protected health information (PHI). It applies to covered entities—doctors' offices, hospitals, health insurers, and other healthcare companies—with access to PHI, and to business associates, such as cloud service providers, that process PHI on their behalf. For more information, see [HIPAA (US)](/azure/compliance/offerings/offering-hipaa-us). | NA |
| ISO 20000-1:2018 | ISO 20000-1:2018 is an international standard for IT service management that defines requirements for the development, implementation, monitoring, maintenance, and improvement of an IT service management system. For more information, see [ISO/IEC 20000-1:2018](/azure/compliance/offerings/offering-iso-20000-1). | ISO 27001:2013 |
| ISO 22301:2019 | ISO 22301:2019 is the premium international standard for business continuity management that provides for a formal certification. For more information, see [ISO 22301:2019](/azure/compliance/offerings/offering-iso-22301). | ISO 27001:2013 |
| ISO 27001:2013 | The ISO 27000 family of standards gives a framework for policies and procedures that include all legal, physical, and technical controls in Microsoft Azure Compliance Offerings for an organization's information risk management. ISO 27001 lists the requirements for implementing, maintaining, monitoring, and improving an information security management system (ISMS). For more information, see [ISO 27001:2013](/azure/compliance/offerings/offering-iso-27001). | NA |
author: HULKsmashGithub
ms.topic: reference
ms.service: global-secure-access
ms.date: 03/30/2026
ms.reviewer: abhijeetsinha
#customer intent: As an IT admin, I want to know which certifications Global Secure Access supports so that I can ensure compliance with industry standards.
| Canadian Privacy Laws | Canadian privacy laws aim to protect the privacy of individuals and give them the right to access information gathered about them. These privacy laws include the Privacy Act, Personal Information Protection and Electronic Documents Act (PIPEDA), Alberta Personal Information Protection Act (PIPA), and British Columbia Freedom of Information and Protection of Privacy Act (BC FIPPA). For more information, see [Canada privacy laws](/azure/compliance/offerings/offering-canada-privacy-laws). | ISO 27001:2013 |
| CDSA | The Content Delivery & Security Association (CDSA) Content Protection & Security (CPS) standard provides guidance and requirements for securing media assets within a Content Security Management System (CSMS). The standard includes controls to protect intellectual property and keep media assets secure and confidential throughout the digital media supply chain. For more information, see [CDSA](/azure/compliance/offerings/offering-cdsa). | ISO 27001:2013 |
| CSA STAR | Cloud Security Alliance (CSA) STAR certification is based on achieving ISO 27001 certification and meeting criteria in the Cloud Controls Matrix (CCM). It shows that a cloud service provider meets ISO 27001 requirements, addresses key cloud security issues in the CCM, and is assessed against the STAR Capability Maturity Model for managing activities in CCM control areas. For more information, see [Cloud Security Alliance (CSA) STAR Certification](/azure/compliance/offerings/offering-csa-star-certification). | ISO 27001:2013 |
| DoD DISA SRG Level 2 | The Defense Information Systems Agency (DISA) is an agency of the US Department of Defense (DoD) that's responsible for developing and maintaining the DoD Cloud Computing Security Requirements Guide (SRG). The SRG defines the baseline security requirements used by DoD to assess the security posture of a cloud service provider (CSP), supporting the decision to grant a DoD Provisional Authorization (PA) that allows a CSP to host DoD missions. It incorporates, supersedes, and rescinds the previously published DoD Cloud Security Model (CSM). For more information, see [Department of Defense (DoD) Impact Level 2 (IL2)](/azure/compliance/offerings/offering-dod-il2). | FedRAMP High |
| EAR | The US Department of Commerce is responsible for enforcing the Export Administration Regulations (EAR) through the Bureau of Industry and Security (BIS). According to BIS definitions, Export is the transfer of protected technology or information to a foreign destination or release of protected technology or information to a foreign person in the United States (also known as Deemed Export). For more information, see [Export Administration Regulations (EAR)](/azure/compliance/offerings/offering-ear). | FedRAMP High |
| FedRAMP High | The US Federal Risk and Authorization Management Program (FedRAMP) was established in December 2011 to provide a standardized approach for assessing, monitoring, and authorizing cloud service providers (CSPs). For more information, see [Federal Risk and Authorization Management Program (FedRAMP)](/azure/compliance/offerings/offering-fedramp). | NA |
| GDPR | The General Data Protection Regulation (GDPR) is a European privacy law that became effective in May 2018. It imposes new rules on organizations that offer goods and services to people in the European Union (EU) or that collect and analyze data belonging to EU individuals. The GDPR requires that data controllers, such as organizations using Azure, only use data processors, such as Microsoft, that provide sufficient guarantees to meet key requirements of the GDPR. For more information, see [General Data Protection Regulation summary](/compliance/regulatory/gdpr). | ISO 27001:2013 |
| GxP (FDA 21 CFR Part 11) | Azure can help customers meet their requirements under Good Clinical, Laboratory, and Manufacturing Practices (GxP), as well as regulations enforced by the US Food and Drug Administration (FDA) under 21 CFR Part 11. For more information, see [GxP (FDA 21 CFR Part 11)](/azure/compliance/offerings/offering-gxp). | ISO 27001:2013 |
| HDS (France) | Microsoft Azure has the Health Data Hosting (Hébergeurs de Données de Santé, HDS) certification, which is required for all entities that host personal health data governed by French law. Microsoft is the first major cloud service provider to meet the strict French standards for storing and processing health data. For more information, see [Health Data Hosting (HDS) France](/compliance/regulatory/offering-hds-france). | ISO 27001:2013 |
| HIPAA BAA (US) | The Health Insurance Portability and Accountability Act (HIPAA) is a US law that establishes requirements for the use, disclosure, and safeguarding of protected health information (PHI). It applies to covered entities—doctors' offices, hospitals, health insurers, and other healthcare companies—with access to PHI, and to business associates, such as cloud service providers, that process PHI on their behalf. For more information, see [HIPAA (US)](/azure/compliance/offerings/offering-hipaa-us). | NA |
| IRAP (Australia) | The Information Security Registered Assessor Program (IRAP) provides a comprehensive process for the independent assessment of a system's security against Australian government policies and guidelines. Administered by the Australian Cyber Security Centre (ACSC), IRAP provides the framework for endorsed assessors to provide cyber security assessment services to the Australian government. Microsoft Azure holds IRAP assessment at the PROTECTED classification level. For more information, see [IRAP (Australia)](/compliance/regulatory/offering-irap-australia). | NA |
| ISO 20000-1:2018| ISO 20000-1:2018 is an international standard for IT service management that defines requirements for the development, implementation, monitoring, maintenance, and improvement of an IT service management system. For more information, see [ISO/IEC 20000-1:2018](/azure/compliance/offerings/offering-iso-20000-1). | ISO 27001:2013 |
| ISO 22301:2019 | ISO 22301:2019 is the premium international standard for business continuity management that provides for a formal certification. For more information, see [ISO 22301:2019](/azure/compliance/offerings/offering-iso-22301). | ISO 27001:2013 |