Auditwerx Offers Microsoft SDPR Compliance Solutions


Key Takeaways

  1. Mandatory for Microsoft Ecosystem: Suppliers, partners, and vendors in the Microsoft ecosystem that handle personal or confidential data are required to certify compliance with the Microsoft Supplier Data Protection Requirements (SDPR) under the Supplier Security and Privacy Assurance (SSPA) program.
  2. Initial Design, Subsequent Effectiveness: For the initial compliance assessment, the focus is on the design of the organization’s controls. In all subsequent, ongoing assessments, the focus shifts to verifying the effectiveness of those implemented controls.
  3. No Issues Permitted on Submission: The final letter of attestation submitted to the SSPA program must not indicate any issues regarding the supplier meeting the Data Protection Requirements (DPR). All issues must be fully remedied before the letter of attestation is submitted.

Suppliers, partners, and vendors in the Microsoft ecosystem are required to certify compliance with the Microsoft Supplier Data Protection Requirements (SDPR). If your organization is a new Microsoft supplier, you will need to certify compliance before starting work and annually thereafter.

What is Microsoft SDPR?

The Supplier Security and Privacy Assurance (SSPA) program covers Microsoft suppliers worldwide that work with personal or confidential data. Compliance is assessed annually; an assessment may be required sooner if the scope within which your organization works with Microsoft data changes.


Assessing Your Organization Against the Microsoft SDPR

Your independent assessor must be able to meet the following criteria to certify your organization against the SDPR: 

  1. Your assessor must have sufficient technical training and subject-matter knowledge to appropriately assess compliance. 
  2. Your independent assessor must be affiliated with the AICPA (as Auditwerx is), the IFAC, ISACA, the IAPP, or another relevant security organization. 
  3. Your systems will need to be assessed against the most recent version of the Data Protection Requirements (DPR). 
  4. For your initial assessment, the design of your controls will be assessed. The effectiveness of your controls will be assessed in subsequent assessments. 
  5. The scope of your assessment will need to be limited to the applicable data related to your performance and services. 
  6. Your engagement must be limited to the supplier that receives the request to certify compliance. If there is more than one related supplier account, that information must be reflected in the letter of attestation. 
  7. The letter of attestation submitted to the SSPA must not indicate any issues in relation to the supplier meeting the Data Protection Requirements. Any issues must be remedied ahead of submitting the letter of attestation. 


Auditwerx is Your Partner for Microsoft SDPR Assessments

The experienced assessment professionals at Auditwerx are proud to offer Microsoft SDPR certification. This is a natural extension of our comprehensive compliance services. If you are a current Microsoft vendor, or a future partner looking to show your organization’s adherence to the appropriate data requirements, contact Auditwerx today. 

FAQs

The SDPR requires suppliers that work with Microsoft’s personal or confidential data to certify compliance, ensuring data protection under the Supplier Security and Privacy Assurance (SSPA) program.

Organizations must certify compliance annually, and potentially more often if the scope of the data they handle for Microsoft changes.

The independent reviewer must be affiliated with a relevant security organization such as the AICPA, the IFAC, the ISACA, or the IAPP.

Any issues related to the supplier meeting the Data Protection Requirements (DPR) must be fully remedied and corrected before the letter of attestation is submitted.

About the Author

Auditwerx Team
Tampa-based Auditwerx has provided over 3,500 security compliance reports to clients nationally and internationally since 2009, leveraging the specialized resources and experts of a top accounting firm for high-quality, personalized service. As a division of Carr, Riggs & Ingram Capital, LLC, Auditwerx offers clients the skills of a large firm—including CISSPs and CISAs—combined with the accessibility of a niche, boutique firm, dedicated to building long-term, transparent partnerships.
