Suppliers, partners, and vendors that are part of the Microsoft ecosystem are required to certify compliance with the Microsoft Supplier Data Protection Requirements (SDPR). If your organization is a new Microsoft supplier, it must certify against these requirements before starting work and then on an annual basis thereafter.
What is Microsoft SDPR?
The Supplier Security and Privacy Assurance (SSPA) program is the Microsoft program under which suppliers that process personal or confidential data attest to the Data Protection Requirements (DPR, referred to here as the SDPR). The SSPA applies to Microsoft suppliers worldwide and requires an annual attestation. Assessment may be required more often if the scope within which your organization works with Microsoft data changes.
Auditing Your Organization Against the Microsoft SDPR
Your independent assessor must meet the following criteria to certify your organization against the SDPR:
- Your assessor must have sufficient technical training and subject-matter knowledge to assess compliance appropriately.
- Your independent assessor must be affiliated with the AICPA (as Auditwerx is), IFAC, ISACA, the IAPP, or another relevant security or privacy organization.
- Your systems will be assessed against the most recent version of the Data Protection Requirements (DPR).
- Your initial assessment covers the design of your controls; subsequent assessments test whether those controls operate effectively.
- The scope of your assessment must be limited to the Microsoft data your organization handles in performing its services.
- Your engagement must be limited to the supplier that receives the request to certify compliance. If more than one related supplier account exists, that must be reflected in the letter of attestation.
- The letter of attestation submitted to the SSPA must not indicate any issues with the supplier meeting the Data Protection Requirements. Any issues must be remediated before the letter of attestation is submitted.
Auditwerx is Your Partner for Microsoft SDPR Audits
The experienced audit professionals at Auditwerx offer independent assessment against the Microsoft SDPR, a natural extension of our comprehensive compliance services. Whether you are a current Microsoft vendor or a future partner looking to demonstrate your organization's adherence to the applicable data protection requirements, contact Auditwerx today.